Package org.gatein.sso.saml.plugin.valve

Class BaseFormAuthenticator

  • All Implemented Interfaces:
    MBeanRegistration, javax.security.auth.message.config.RegistrationListener, org.apache.catalina.Authenticator, org.apache.catalina.Contained, org.apache.catalina.JmxEnabled, org.apache.catalina.Lifecycle, org.apache.catalina.Valve
    Direct Known Subclasses:
    AbstractSPFormAuthenticator
    public abstract class BaseFormAuthenticator
extends org.apache.catalina.authenticator.FormAuthenticator
    Base Class for Service Provider Form Authenticators forked from org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator and made compatible with Tomcat 8.5 since picketlink doesn't provide such a support

    • Nested Class Summary

      • Nested classes/interfaces inherited from class org.apache.catalina.authenticator.AuthenticatorBase

        org.apache.catalina.authenticator.AuthenticatorBase.AllowCorsPreflight

      • Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle

        org.apache.catalina.Lifecycle.SingleUse

    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper  
      protected String canonicalizationMethod  
      protected org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain chain  
      protected Map<String,​Object> chainConfigOptions  
      protected Lock chainLock
      A Lock for Handler operations in the chain
      protected String configFile  
      protected org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider
      The user can inject a fully qualified name of a SAMLConfigurationProvider
      protected boolean enableAudit  
      protected String identityURL  
      protected String idpAddress  
      protected X509Certificate idpCertificate
      If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata
      protected String issuerID  
      protected org.picketlink.identity.federation.core.interfaces.TrustKeyManager keyManager  
      protected static org.picketlink.common.PicketLinkLogger logger  
      protected org.picketlink.config.federation.PicketLinkType picketLinkConfiguration  
      protected String samlHandlerChainClass  
      protected boolean saveRestoreRequest  
      protected String serviceURL  
      protected org.picketlink.config.federation.SPType spConfiguration  
      protected Timer timer  
      protected int timerInterval  

      • Fields inherited from class org.apache.catalina.authenticator.FormAuthenticator

        characterEncoding, landingPage

      • Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase

        alwaysUseSession, AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, jaspicCallbackHandlerClass, REALM_NAME, securePagesWithPragma, secureRandomAlgorithm, secureRandomClass, secureRandomProvider, sendAuthInfoResponseHeaders, sessionIdGenerator, sm, sso

      • Fields inherited from class org.apache.catalina.valves.ValveBase

        asyncSupported, container, containerLog, next

      • Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase

        mserver

      • Fields inherited from interface org.apache.catalina.Lifecycle

        AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

    • Method Summary

      All Methods Instance Methods Abstract Methods Concrete Methods 
      Modifier and Type Method Description
      protected boolean doSupportSignature()
      Indicates if digital signatures/validation of SAML assertions are enabled.
      protected abstract String getBinding()
      Return the SAML Binding that this authenticator supports
      String getConfigFile()
      Get the name of the configuration file
      org.picketlink.config.federation.SPType getConfiguration()
      Get the SPType
      String getIdentityURL()
      Get the Identity URL
      X509Certificate getIdpCertificate()
      Get the X509Certificate of the IDP if provided via the IDP metadata file
      protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType getIDPSSODescriptor​(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)  
      protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata​(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)  
      protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata​(org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType entityDescriptor)  
      protected void initializeHandlerChain()  
      protected abstract void initKeyProvider​(org.apache.catalina.Context context)  
      protected boolean localAuthentication​(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.tomcat.util.descriptor.web.LoginConfig loginConfig)
      Fall back on local authentication at the service provider side
      protected void populateChainConfig()  
      protected void processConfiguration()
      Process the configuration from the configuration file
      protected void processIDPMetadataFile​(String idpMetadataFile)
      Attempt to process a metadata file available locally
      protected void sendToLogoutPage​(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.catalina.Session session)  
      void setAuditHelper​(org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper)  
      void setConfigFile​(String configFile)
      Set the name of the configuration file
      void setConfigProvider​(String cp)
      Set the SAMLConfigurationProvider fqn
      void setConfigProvider​(org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider)
      Set an instance of the SAMLConfigurationProvider
      void setIdpAddress​(String idpAddress)
      If the request.getRemoteAddr is not exactly the IDP address that you have keyed in your deployment descriptor for keystore alias, you can set it here explicitly
      void setIssuerID​(String issuerID)
      Set a separate issuer id
      void setLogOutPage​(String logOutPage)
      Set the logout page
      void setSamlHandlerChainClass​(String samlHandlerChainClass)
      Set the SAML Handler Chain Class fqn
      void setSaveRestoreRequest​(boolean saveRestoreRequest)
      Set whether the authenticator saves/restores the request during form authentication
      void setServiceURL​(String serviceURL)
      Set the service URL
      void setTimerInterval​(String value)
      Set the Timer Value to reload the configuration
      protected void startPicketLink()  
      void testStart()  
      protected boolean validate​(org.apache.catalina.connector.Request request)
      Perform validation os the request object

      • Methods inherited from class org.apache.catalina.authenticator.FormAuthenticator

        doAuthenticate, forwardToErrorPage, forwardToLoginPage, getAuthMethod, getCharacterEncoding, getLandingPage, isContinuationRequired, matchRequest, register, restoreRequest, savedRequestURL, saveRequest, setCharacterEncoding, setLandingPage

      • Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase

        allowCorsPreflightBypass, associate, authenticate, changeSessionID, checkForCachedAuthentication, doLogin, getAllowCorsPreflight, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getJaspicCallbackHandlerClass, getRealmName, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, isPreemptiveAuthPossible, isSendAuthInfoResponseHeaders, login, logout, notify, reauthenticateFromSSO, register, setAllowCorsPreflight, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setJaspicCallbackHandlerClass, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, setSendAuthInfoResponseHeaders, startInternal, stopInternal

      • Methods inherited from class org.apache.catalina.valves.ValveBase

        backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString

      • Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase

        destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

      • Methods inherited from class org.apache.catalina.util.LifecycleBase

        addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

    • Field Detail

      • logger

        protected static final org.picketlink.common.PicketLinkLogger logger

      • enableAudit

        protected boolean enableAudit

      • auditHelper

        protected org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper

      • keyManager

        protected org.picketlink.identity.federation.core.interfaces.TrustKeyManager keyManager

      • spConfiguration

        protected org.picketlink.config.federation.SPType spConfiguration

      • picketLinkConfiguration

        protected org.picketlink.config.federation.PicketLinkType picketLinkConfiguration

      • serviceURL

        protected String serviceURL

      • identityURL

        protected String identityURL

      • issuerID

        protected String issuerID

      • configFile

        protected String configFile

      • idpCertificate

        protected transient X509Certificate idpCertificate
        If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata

      • chain

        protected transient org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain chain

      • samlHandlerChainClass

        protected transient String samlHandlerChainClass

      • saveRestoreRequest

        protected boolean saveRestoreRequest

      • chainLock

        protected Lock chainLock
        A Lock for Handler operations in the chain

      • canonicalizationMethod

        protected String canonicalizationMethod

      • configProvider

        protected org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider
        The user can inject a fully qualified name of a SAMLConfigurationProvider

      • timerInterval

        protected int timerInterval

      • timer

        protected Timer timer

      • idpAddress

        protected String idpAddress

    • Constructor Detail

      • BaseFormAuthenticator

        public BaseFormAuthenticator()

    • Method Detail

      • setIdpAddress

        public void setIdpAddress​(String idpAddress)
        If the request.getRemoteAddr is not exactly the IDP address that you have keyed in your deployment descriptor for keystore alias, you can set it here explicitly
        Parameters:
        idpAddress - IP address of IDP

      • getConfigFile

        public String getConfigFile()
        Get the name of the configuration file
        Returns:
        SAML config file path

      • setConfigFile

        public void setConfigFile​(String configFile)
        Set the name of the configuration file
        Parameters:
        configFile - set config file path

      • setSamlHandlerChainClass

        public void setSamlHandlerChainClass​(String samlHandlerChainClass)
        Set the SAML Handler Chain Class fqn
        Parameters:
        samlHandlerChainClass - FQN of SAML Handler Chain

      • setServiceURL

        public void setServiceURL​(String serviceURL)
        Set the service URL
        Parameters:
        serviceURL - Service URL

      • setSaveRestoreRequest

        public void setSaveRestoreRequest​(boolean saveRestoreRequest)
        Set whether the authenticator saves/restores the request during form authentication
        Parameters:
        saveRestoreRequest - saves/restores the request during authentication if true

      • setConfigProvider

        public void setConfigProvider​(String cp)
        Set the SAMLConfigurationProvider fqn
        Parameters:
        cp - fqn of a SAMLConfigurationProvider

      • setConfigProvider

        public void setConfigProvider​(org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider)
        Set an instance of the SAMLConfigurationProvider
        Parameters:
        configProvider - SAML IDP/SP config provider

      • getConfiguration

        public org.picketlink.config.federation.SPType getConfiguration()
        Get the SPType
        Returns:
        SAML SP configuration

      • setIssuerID

        public void setIssuerID​(String issuerID)
        Set a separate issuer id
        Parameters:
        issuerID - id of the issuer

      • setLogOutPage

        public void setLogOutPage​(String logOutPage)
        Set the logout page
        Parameters:
        logOutPage - logout page URL

      • setTimerInterval

        public void setTimerInterval​(String value)
        Set the Timer Value to reload the configuration
        Parameters:
        value - an integer value that represents timer value (in miliseconds)

      • validate

        protected boolean validate​(org.apache.catalina.connector.Request request)
        Perform validation os the request object
        Parameters:
        request - Apache Catalina Request
        Returns:
        true if request contains a SAML Response parameter

      • getIdentityURL

        public String getIdentityURL()
        Get the Identity URL
        Returns:
        Identity URL

      • localAuthentication

        protected boolean localAuthentication​(org.apache.catalina.connector.Request request,
                                      org.apache.catalina.connector.Response response,
                                      org.apache.tomcat.util.descriptor.web.LoginConfig loginConfig)
                               throws IOException
        Fall back on local authentication at the service provider side
        Parameters:
        request - Apache Catalina Request
        response - Apache Catalina Response
        loginConfig - Apache Catalina Login Config
        Returns:
        true if authenticated
        Throws:
        IOException - any I/O error during authentication

      • getBinding

        protected abstract String getBinding()
        Return the SAML Binding that this authenticator supports
        Returns:
        supported SAML Binding

      • processIDPMetadataFile

        protected void processIDPMetadataFile​(String idpMetadataFile)
        Attempt to process a metadata file available locally
        Parameters:
        idpMetadataFile - path of configuration file of IDP Metadata

      • processConfiguration

        protected void processConfiguration()
        Process the configuration from the configuration file

      • handleMetadata

        protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata​(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)

      • handleMetadata

        protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata​(org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType entityDescriptor)

      • getIDPSSODescriptor

        protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType getIDPSSODescriptor​(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)

      • initializeHandlerChain

        protected void initializeHandlerChain()
                               throws org.picketlink.common.exceptions.ConfigurationException,
                                      org.picketlink.common.exceptions.ProcessingException
        Throws:
        org.picketlink.common.exceptions.ConfigurationException
        org.picketlink.common.exceptions.ProcessingException

      • populateChainConfig

        protected void populateChainConfig()
                            throws org.picketlink.common.exceptions.ConfigurationException,
                                   org.picketlink.common.exceptions.ProcessingException
        Throws:
        org.picketlink.common.exceptions.ConfigurationException
        org.picketlink.common.exceptions.ProcessingException

      • sendToLogoutPage

        protected void sendToLogoutPage​(org.apache.catalina.connector.Request request,
                                org.apache.catalina.connector.Response response,
                                org.apache.catalina.Session session)
                         throws IOException,
                                javax.servlet.ServletException
        Throws:
        IOException
        javax.servlet.ServletException

      • testStart

        public void testStart()
               throws org.apache.catalina.LifecycleException
        Throws:
        org.apache.catalina.LifecycleException

      • startPicketLink

        protected void startPicketLink()
                        throws org.apache.catalina.LifecycleException
        Throws:
        org.apache.catalina.LifecycleException

      • doSupportSignature

        protected boolean doSupportSignature()

        Indicates if digital signatures/validation of SAML assertions are enabled. Subclasses that supports signature should override this method.

        Returns:
        true if SP Configuration supports signature

      • initKeyProvider

        protected abstract void initKeyProvider​(org.apache.catalina.Context context)
                                 throws org.apache.catalina.LifecycleException
        Throws:
        org.apache.catalina.LifecycleException

      • setAuditHelper

        public void setAuditHelper​(org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper)