Class AbstractSPFormAuthenticator

  • All Implemented Interfaces:
    MBeanRegistration, javax.security.auth.message.config.RegistrationListener, org.apache.catalina.Authenticator, org.apache.catalina.Contained, org.apache.catalina.JmxEnabled, org.apache.catalina.Lifecycle, org.apache.catalina.Valve
  • Direct Known Subclasses:
    AbstractSAML11SPRedirectFormAuthenticator, ServiceProviderAuthenticator

    public abstract class AbstractSPFormAuthenticator
    extends BaseFormAuthenticator
    Abstract class to be extended by Service Provider valves to handle SAML requests and responses. Forked from org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator and made compatible with Tomcat 8.5, since PicketLink does not provide such support.
    • Nested Class Summary

      • Nested classes/interfaces inherited from class org.apache.catalina.authenticator.AuthenticatorBase

        org.apache.catalina.authenticator.AuthenticatorBase.AllowCorsPreflight
      • Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle

        org.apache.catalina.Lifecycle.SingleUse
    • Method Summary

      Modifier and Type Method Description
      boolean authenticate(org.apache.catalina.connector.Request request, javax.servlet.http.HttpServletResponse response)
      Authenticate the request.
      protected boolean doAuthenticate(org.apache.catalina.connector.Request request, javax.servlet.http.HttpServletResponse response)
      protected String getBinding()
      Return the SAML binding that this authenticator supports.
      org.apache.catalina.Context getContext()
      protected abstract String getContextPath()
      Subclasses need to return the context path based on the capability of their servlet API.
      protected Principal getGenericPrincipal(org.apache.catalina.connector.Request request, String username, List<String> roles)
      protected void initKeyProvider(org.apache.catalina.Context context)
      Initialize the KeyProvider configurations.
      protected boolean isHttpPostBinding()
      Indicates if the SP is configured with HTTP POST Binding.
      protected boolean isPOSTBindingResponse()
      boolean restoreRequest(org.apache.catalina.connector.Request request, org.apache.catalina.Session session)
      protected void sendHttpPostBindingRequest(String destination, Document samlDocument, String relayState, org.apache.catalina.connector.Response response, boolean willSendRequest)
      Sends an HTTP POST request to the IDP.
      protected void sendHttpRedirectRequest(String destination, Document samlDocument, String relayState, org.apache.catalina.connector.Response response, boolean willSendRequest, String destinationQueryStringWithSignature)
      Sends an HTTP Redirect request to the IDP.
      protected void sendRequestToIDP(String destination, Document samlDocument, String relayState, org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, boolean willSendRequest, String destinationQueryStringWithSignature)
      Send the request to the IDP.
      protected void startPicketLink()
      • Methods inherited from class org.apache.catalina.authenticator.FormAuthenticator

        forwardToErrorPage, forwardToLoginPage, getAuthMethod, getCharacterEncoding, getLandingPage, isContinuationRequired, matchRequest, register, savedRequestURL, saveRequest, setCharacterEncoding, setLandingPage
      • Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase

        allowCorsPreflightBypass, associate, changeSessionID, checkForCachedAuthentication, doLogin, getAllowCorsPreflight, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getJaspicCallbackHandlerClass, getRealmName, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, isPreemptiveAuthPossible, isSendAuthInfoResponseHeaders, login, logout, notify, reauthenticateFromSSO, register, setAllowCorsPreflight, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setJaspicCallbackHandlerClass, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, setSendAuthInfoResponseHeaders, startInternal, stopInternal
      • Methods inherited from class org.apache.catalina.valves.ValveBase

        backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString
      • Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase

        destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
      • Methods inherited from class org.apache.catalina.util.LifecycleBase

        addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
    • Field Detail

      • jbossEnv

        protected boolean jbossEnv
    • Constructor Detail

      • AbstractSPFormAuthenticator

        public AbstractSPFormAuthenticator()
    • Method Detail

      • startPicketLink

        protected void startPicketLink()
                                throws org.apache.catalina.LifecycleException
        Overrides:
        startPicketLink in class BaseFormAuthenticator
        Throws:
        org.apache.catalina.LifecycleException
      • sendRequestToIDP

        protected void sendRequestToIDP(String destination,
                                        Document samlDocument,
                                        String relayState,
                                        org.apache.catalina.connector.Request request,
                                        org.apache.catalina.connector.Response response,
                                        boolean willSendRequest,
                                        String destinationQueryStringWithSignature)
                                 throws org.picketlink.common.exceptions.ProcessingException,
                                        org.picketlink.common.exceptions.ConfigurationException,
                                        IOException

        Send the request to the IDP. Subclasses should override this method to implement how requests must be sent to the IDP.

        Parameters:
        destination - IDP URL
        samlDocument - request or response document
        relayState - used in the SAML workflow
        response - Apache Catalina HTTP Response
        request - Apache Catalina HTTP Request
        willSendRequest - true if a Request (rather than a Response) is being sent to the IDP
        destinationQueryStringWithSignature - used only with the Redirect binding and with signature enabled
        Throws:
        org.picketlink.common.exceptions.ProcessingException - Exception to indicate a server processing error
        org.picketlink.common.exceptions.ConfigurationException - Exception indicating an issue with the configuration
        IOException - I/O exception
      • sendHttpRedirectRequest

        protected void sendHttpRedirectRequest(String destination,
                                               Document samlDocument,
                                               String relayState,
                                               org.apache.catalina.connector.Response response,
                                               boolean willSendRequest,
                                               String destinationQueryStringWithSignature)
                                        throws IOException,
                                               org.picketlink.common.exceptions.ProcessingException,
                                               org.picketlink.common.exceptions.ConfigurationException

        Sends an HTTP Redirect request to the IDP.

        Parameters:
        destination - IDP URL
        samlDocument - SAML request document
        relayState - used in the SAML workflow
        response - Apache Catalina HTTP Response
        willSendRequest - true if a Request (rather than a Response) is being sent to the IDP
        destinationQueryStringWithSignature - used only with the Redirect binding and with signature enabled
        Throws:
        IOException - I/O exception
        UnsupportedEncodingException - when decoding SAML Message
        org.picketlink.common.exceptions.ConfigurationException - Exception indicating an issue with the configuration
        org.picketlink.common.exceptions.ProcessingException - Exception to indicate a server processing error
      • sendHttpPostBindingRequest

        protected void sendHttpPostBindingRequest(String destination,
                                                  Document samlDocument,
                                                  String relayState,
                                                  org.apache.catalina.connector.Response response,
                                                  boolean willSendRequest)
                                           throws org.picketlink.common.exceptions.ProcessingException,
                                                  IOException,
                                                  org.picketlink.common.exceptions.ConfigurationException

        Sends an HTTP POST request to the IDP.

        Parameters:
        destination - IDP URL
        samlDocument - request or response document
        relayState - used in the SAML workflow
        response - Apache Catalina HTTP Response
        willSendRequest - true if a Request (rather than a Response) is being sent to the IDP
        Throws:
        org.picketlink.common.exceptions.ProcessingException - Exception to indicate a server processing error
        org.picketlink.common.exceptions.ConfigurationException - Exception indicating an issue with the configuration
        IOException - I/O exception
      • initKeyProvider

        protected void initKeyProvider(org.apache.catalina.Context context)
                                throws org.apache.catalina.LifecycleException

        Initialize the KeyProvider configurations. These configurations are used during signing and validation of SAML assertions.

        Specified by:
        initKeyProvider in class BaseFormAuthenticator
        Parameters:
        context - Apache Catalina Context
        Throws:
        org.apache.catalina.LifecycleException - any exception occurred while processing key provider
      • doAuthenticate

        protected boolean doAuthenticate(org.apache.catalina.connector.Request request,
                                         javax.servlet.http.HttpServletResponse response)
                                  throws IOException
        Overrides:
        doAuthenticate in class org.apache.catalina.authenticator.FormAuthenticator
        Throws:
        IOException
      • authenticate

        public boolean authenticate(org.apache.catalina.connector.Request request,
                                    javax.servlet.http.HttpServletResponse response)
                             throws IOException
        Authenticate the request
        Specified by:
        authenticate in interface org.apache.catalina.Authenticator
        Overrides:
        authenticate in class org.apache.catalina.authenticator.AuthenticatorBase
        Parameters:
        request - Apache Catalina Request
        response - Apache Catalina Response
        Returns:
        true if authenticated, else false
        Throws:
        IOException - any I/O exception
      • isPOSTBindingResponse

        protected boolean isPOSTBindingResponse()
      • isHttpPostBinding

        protected boolean isHttpPostBinding()

        Indicates if the SP is configured with HTTP POST Binding.

        Returns:
        true if post binding
      • getContext

        public org.apache.catalina.Context getContext()
      • restoreRequest

        public boolean restoreRequest(org.apache.catalina.connector.Request request,
                                      org.apache.catalina.Session session)
                               throws IOException
        Overrides:
        restoreRequest in class org.apache.catalina.authenticator.FormAuthenticator
        Throws:
        IOException
      • getContextPath

        protected abstract String getContextPath()
        Subclasses need to return the context path based on the capability of their servlet API.
        Returns:
        Servlet Context Path
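As an added illustration (not code from the project this page documents), a minimal concrete subclass exercising the two extension points described above: the abstract getContextPath() and the overridable sendRequestToIDP(...), which dispatches on isHttpPostBinding() to the sendHttpPostBindingRequest / sendHttpRedirectRequest methods listed on this page. The subclass is assumed to live in the same package as AbstractSPFormAuthenticator; the https-only destination guard and the isAbsoluteHttps helper are my own hardening, not something the page states.

```java
import java.io.IOException;
import java.net.URI;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ProcessingException;
import org.w3c.dom.Document;

/** Hypothetical SP valve, assumed to live in the same package as AbstractSPFormAuthenticator. */
public class ExampleSPAuthenticator extends AbstractSPFormAuthenticator {

    /** On a Servlet 3.x+ container the Catalina Context already knows its path. */
    @Override
    protected String getContextPath() {
        return getContext().getPath();
    }

    /** Route the SAML document to the IDP over whichever binding the SP is configured with. */
    @Override
    protected void sendRequestToIDP(String destination, Document samlDocument, String relayState,
                                    Request request, Response response, boolean willSendRequest,
                                    String destinationQueryStringWithSignature)
            throws ProcessingException, ConfigurationException, IOException {
        // Added guard (not part of the page): only ever redirect or auto-post the browser to an
        // absolute https URL, so a bad destination cannot turn the SP into an open redirect.
        if (!isAbsoluteHttps(destination)) {
            throw new ConfigurationException("IDP destination must be an absolute https URL: " + destination);
        }
        if (isHttpPostBinding()) {
            // HTTP-POST binding: the SAML document goes in an auto-submitted form body.
            sendHttpPostBindingRequest(destination, samlDocument, relayState, response, willSendRequest);
        } else {
            // HTTP-Redirect binding: the signed query string (when signing is enabled) is
            // already prepared by the caller and passed through untouched.
            sendHttpRedirectRequest(destination, samlDocument, relayState, response,
                                    willSendRequest, destinationQueryStringWithSignature);
        }
    }

    /** Constructed helper: true only for an absolute https URL with a host. */
    static boolean isAbsoluteHttps(String url) {
        if (url == null) return false;
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme()) && u.getHost() != null;
        } catch (java.net.URISyntaxException e) {
            return false;
        }
    }
}
```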
      • getGenericPrincipal

        protected Principal getGenericPrincipal(org.apache.catalina.connector.Request request,
                                                String username,
                                                List<String> roles)