org.gatein.sso.saml.plugin.valve

Class BaseFormAuthenticator

java.lang.Object

org.apache.catalina.valves.ValveBase

org.apache.catalina.authenticator.AuthenticatorBase

org.apache.catalina.authenticator.FormAuthenticator

org.gatein.sso.saml.plugin.valve.BaseFormAuthenticator

All Implemented Interfaces:

MBeanRegistration, org.apache.catalina.Authenticator, org.apache.catalina.Contained, org.apache.catalina.Lifecycle, org.apache.catalina.Valve

Direct Known Subclasses:

AbstractSPFormAuthenticator

public abstract class BaseFormAuthenticator
extends org.apache.catalina.authenticator.FormAuthenticator

Base Class for Service Provider Form Authenticators forked from org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator and made compatible with Tomcat 8.5 since picketlink doesn't provide such a support

Field Summary

Fields

Modifier and Type	Field and Description
protected org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper	auditHelper
protected String	canonicalizationMethod
protected org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain	chain
protected Map<String,Object>	chainConfigOptions
protected Lock	chainLock A Lock for Handler operations in the chain
protected String	configFile
protected org.picketlink.identity.federation.web.util.SAMLConfigurationProvider	configProvider The user can inject a fully qualified name of a SAMLConfigurationProvider
protected boolean	enableAudit
protected String	identityURL
protected String	idpAddress
protected X509Certificate	idpCertificate If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata
protected String	issuerID
protected org.picketlink.identity.federation.core.interfaces.TrustKeyManager	keyManager
protected static org.picketlink.common.PicketLinkLogger	logger
protected org.picketlink.config.federation.PicketLinkType	picketLinkConfiguration
protected String	samlHandlerChainClass
protected boolean	saveRestoreRequest
protected String	serviceURL
protected org.picketlink.config.federation.SPType	spConfiguration
protected Timer	timer
protected int	timerInterval

Fields inherited from class org.apache.catalina.authenticator.FormAuthenticator

characterEncoding, info, landingPage

Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase

AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, lifecycle, REALM_NAME, securePagesWithPragma, SESSION_ID_BYTES, sm, sso, started

Fields inherited from class org.apache.catalina.valves.ValveBase

container, controller, domain, mserver, next, oname

Fields inherited from interface org.apache.catalina.Lifecycle

AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, DESTROY_EVENT, INIT_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

Constructor Summary

Constructors

Constructor and Description
BaseFormAuthenticator()

Method Summary

Modifier and Type	Method and Description
protected boolean	doSupportSignature() Indicates if digital signatures/validation of SAML assertions are enabled.
protected abstract String	getBinding() Return the SAML Binding that this authenticator supports
String	getConfigFile() Get the name of the configuration file
org.picketlink.config.federation.SPType	getConfiguration() Get the SPType
String	getIdentityURL() Get the Identity URL
X509Certificate	getIdpCertificate() Get the X509Certificate of the IDP if provided via the IDP metadata file
protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType	getIDPSSODescriptor(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)
protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType	handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)
protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType	handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType entityDescriptor)
protected void	initializeHandlerChain()
protected abstract void	initKeyProvider(org.apache.catalina.Context context)
protected boolean	localAuthentication(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.tomcat.util.descriptor.web.LoginConfig loginConfig) Fall back on local authentication at the service provider side
protected void	populateChainConfig()
protected void	processConfiguration() Process the configuration from the configuration file
protected void	processIDPMetadataFile(String idpMetadataFile) Attempt to process a metadata file available locally
protected void	sendToLogoutPage(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.catalina.Session session)
void	setAuditHelper(org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper)
void	setConfigFile(String configFile) Set the name of the configuration file
void	setConfigProvider(org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider) Set an instance of the SAMLConfigurationProvider
void	setConfigProvider(String cp) Set the SAMLConfigurationProvider fqn
void	setIdpAddress(String idpAddress) If the request.getRemoteAddr is not exactly the IDP address that you have keyed in your deployment descriptor for keystore alias, you can set it here explicitly
void	setIssuerID(String issuerID) Set a separate issuer id
void	setLogOutPage(String logOutPage) Set the logout page
void	setSamlHandlerChainClass(String samlHandlerChainClass) Set the SAML Handler Chain Class fqn
void	setSaveRestoreRequest(boolean saveRestoreRequest) Set whether the authenticator saves/restores the request during form authentication
void	setServiceURL(String serviceURL) Set the service URL
void	setTimerInterval(String value) Set the Timer Value to reload the configuration
protected void	startPicketLink()
void	testStart()
protected boolean	validate(org.apache.catalina.connector.Request request) Perform validation os the request object

Methods inherited from class org.apache.catalina.authenticator.FormAuthenticator

authenticate, forwardToErrorPage, forwardToLoginPage, getCharacterEncoding, getInfo, getLandingPage, matchRequest, restoreRequest, savedRequestURL, saveRequest, setCharacterEncoding, setLandingPage

Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase

addLifecycleListener, associate, authenticate, findLifecycleListeners, generateSessionId, getCache, getContainer, getDisableProxyCaching, getSecurePagesWithPragma, invoke, isChangeSessionIdOnAuthentication, login, logout, reauthenticateFromSSO, register, removeLifecycleListener, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setSecurePagesWithPragma, start, stop, unregister

Methods inherited from class org.apache.catalina.valves.ValveBase

backgroundProcess, createObjectName, event, getContainerName, getController, getDomain, getNext, getObjectName, getParentName, postDeregister, postRegister, preDeregister, preRegister, setController, setNext, setObjectName, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

logger

protected static final org.picketlink.common.PicketLinkLogger logger

enableAudit

protected boolean enableAudit

auditHelper

protected org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper

keyManager

protected org.picketlink.identity.federation.core.interfaces.TrustKeyManager keyManager

spConfiguration

protected org.picketlink.config.federation.SPType spConfiguration

picketLinkConfiguration

protected org.picketlink.config.federation.PicketLinkType picketLinkConfiguration

serviceURL

protected String serviceURL

identityURL

protected String identityURL

issuerID

protected String issuerID

configFile

protected String configFile

idpCertificate

protected transient X509Certificate idpCertificate

If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata

chain

protected transient org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain chain

samlHandlerChainClass

protected transient String samlHandlerChainClass

chainConfigOptions

protected Map<String,Object> chainConfigOptions

saveRestoreRequest

protected boolean saveRestoreRequest

chainLock

protected Lock chainLock

A Lock for Handler operations in the chain

canonicalizationMethod

protected String canonicalizationMethod

configProvider

protected org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider

The user can inject a fully qualified name of a SAMLConfigurationProvider

timerInterval

protected int timerInterval

timer

protected Timer timer

idpAddress

protected String idpAddress

Constructor Detail

BaseFormAuthenticator

public BaseFormAuthenticator()

Method Detail

setIdpAddress

public void setIdpAddress(String idpAddress)

If the request.getRemoteAddr is not exactly the IDP address that you have keyed in your deployment descriptor for keystore alias, you can set it here explicitly

Parameters:

idpAddress - IP address of IDP

getConfigFile

public String getConfigFile()

Get the name of the configuration file

Returns:

SAML config file path

setConfigFile

public void setConfigFile(String configFile)

Set the name of the configuration file

Parameters:

configFile - set config file path

setSamlHandlerChainClass

public void setSamlHandlerChainClass(String samlHandlerChainClass)

Set the SAML Handler Chain Class fqn

Parameters:

samlHandlerChainClass - FQN of SAML Handler Chain

setServiceURL

public void setServiceURL(String serviceURL)

Set the service URL

Parameters:

serviceURL - Service URL

setSaveRestoreRequest

public void setSaveRestoreRequest(boolean saveRestoreRequest)

Set whether the authenticator saves/restores the request during form authentication

Parameters:

saveRestoreRequest - saves/restores the request during authentication if true

setConfigProvider

public void setConfigProvider(String cp)

Set the SAMLConfigurationProvider fqn

Parameters:

cp - fqn of a SAMLConfigurationProvider

setConfigProvider

public void setConfigProvider(org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider)

Set an instance of the SAMLConfigurationProvider

Parameters:

configProvider - SAML IDP/SP config provider

getConfiguration

public org.picketlink.config.federation.SPType getConfiguration()

Get the SPType

Returns:

SAML SP configuration

setIssuerID

public void setIssuerID(String issuerID)

Set a separate issuer id

Parameters:

issuerID - id of the issuer

setLogOutPage

public void setLogOutPage(String logOutPage)

Set the logout page

Parameters:

logOutPage - logout page URL

setTimerInterval

public void setTimerInterval(String value)

Set the Timer Value to reload the configuration

Parameters:

value - an integer value that represents timer value (in miliseconds)

validate

protected boolean validate(org.apache.catalina.connector.Request request)

Perform validation os the request object

Parameters:

request - Apache Catalina Request

Returns:

true if request contains a SAML Response parameter

getIdentityURL

public String getIdentityURL()

Get the Identity URL

Returns:

Identity URL

getIdpCertificate

public X509Certificate getIdpCertificate()

Get the X509Certificate of the IDP if provided via the IDP metadata file

Returns:

X509Certificate or null

localAuthentication

protected boolean localAuthentication(org.apache.catalina.connector.Request request,
                                      org.apache.catalina.connector.Response response,
                                      org.apache.tomcat.util.descriptor.web.LoginConfig loginConfig)
                               throws IOException

Fall back on local authentication at the service provider side

Parameters:

request - Apache Catalina Request

response - Apache Catalina Response

loginConfig - Apache Catalina Login Config

Returns:

true if authenticated

Throws:

IOException - any I/O error during authentication

getBinding

protected abstract String getBinding()

Return the SAML Binding that this authenticator supports

Returns:

supported SAML Binding

processIDPMetadataFile

protected void processIDPMetadataFile(String idpMetadataFile)

Attempt to process a metadata file available locally

Parameters:

idpMetadataFile - path of configuration file of IDP Metadata

processConfiguration

protected void processConfiguration()

Process the configuration from the configuration file

handleMetadata

protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)

handleMetadata

protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType entityDescriptor)

getIDPSSODescriptor

protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType getIDPSSODescriptor(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)

initializeHandlerChain

protected void initializeHandlerChain()
                               throws org.picketlink.common.exceptions.ConfigurationException,
                                      org.picketlink.common.exceptions.ProcessingException

Throws:

org.picketlink.common.exceptions.ConfigurationException

org.picketlink.common.exceptions.ProcessingException

populateChainConfig

protected void populateChainConfig()
                            throws org.picketlink.common.exceptions.ConfigurationException,
                                   org.picketlink.common.exceptions.ProcessingException

Throws:

org.picketlink.common.exceptions.ConfigurationException

org.picketlink.common.exceptions.ProcessingException

sendToLogoutPage

protected void sendToLogoutPage(org.apache.catalina.connector.Request request,
                                org.apache.catalina.connector.Response response,
                                org.apache.catalina.Session session)
                         throws IOException,
                                javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

testStart

public void testStart()
               throws org.apache.catalina.LifecycleException

Throws:

org.apache.catalina.LifecycleException

startPicketLink

protected void startPicketLink()
                        throws org.apache.catalina.LifecycleException

Throws:

org.apache.catalina.LifecycleException

doSupportSignature

protected boolean doSupportSignature()

Indicates if digital signatures/validation of SAML assertions are enabled. Subclasses that supports signature should override this method.

Returns:

true if SP Configuration supports signature

initKeyProvider

protected abstract void initKeyProvider(org.apache.catalina.Context context)
                                 throws org.apache.catalina.LifecycleException

Throws:

org.apache.catalina.LifecycleException

setAuditHelper

public void setAuditHelper(org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper)