Class BaseFormAuthenticator

java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.valves.ValveBase
org.apache.catalina.authenticator.AuthenticatorBase
org.apache.catalina.authenticator.FormAuthenticator
org.gatein.sso.saml.plugin.valve.BaseFormAuthenticator
All Implemented Interfaces:
MBeanRegistration, javax.security.auth.message.config.RegistrationListener, org.apache.catalina.Authenticator, org.apache.catalina.Contained, org.apache.catalina.JmxEnabled, org.apache.catalina.Lifecycle, org.apache.catalina.Valve
Direct Known Subclasses:
AbstractSPFormAuthenticator

public abstract class BaseFormAuthenticator extends org.apache.catalina.authenticator.FormAuthenticator
Base class for Service Provider form authenticators, forked from org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator and made compatible with Tomcat 8.5, since PicketLink does not provide such support.
  • Nested Class Summary

    Nested classes/interfaces inherited from class org.apache.catalina.authenticator.AuthenticatorBase

    org.apache.catalina.authenticator.AuthenticatorBase.AllowCorsPreflight

    Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle

    org.apache.catalina.Lifecycle.SingleUse
  • Field Summary

    Fields
    Modifier and Type | Field | Description
    protected org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper | auditHelper |
    protected String | canonicalizationMethod |
    protected org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain | chain |
    protected Map<String,Object> | chainConfigOptions |
    protected Lock | chainLock | A Lock for Handler operations in the chain
    protected String | configFile |
    protected org.picketlink.identity.federation.web.util.SAMLConfigurationProvider | configProvider | The user can inject a fully qualified name of a SAMLConfigurationProvider
    protected boolean | enableAudit |
    protected String | identityURL |
    protected String | idpAddress |
    protected X509Certificate | idpCertificate | If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata
    protected String | issuerID |
    protected org.picketlink.identity.federation.core.interfaces.TrustKeyManager | keyManager |
    protected static final org.picketlink.common.PicketLinkLogger | logger |
    protected org.picketlink.config.federation.PicketLinkType | picketLinkConfiguration |
    protected String | samlHandlerChainClass |
    protected boolean | saveRestoreRequest |
    protected String | serviceURL |
    protected org.picketlink.config.federation.SPType | spConfiguration |
    protected Timer | timer |
    protected int | timerInterval |

    Fields inherited from class org.apache.catalina.authenticator.FormAuthenticator

    authenticationSessionTimeout, characterEncoding, landingPage

    Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase

    alwaysUseSession, AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, jaspicCallbackHandlerClass, REALM_NAME, securePagesWithPragma, secureRandomAlgorithm, secureRandomClass, secureRandomProvider, sendAuthInfoResponseHeaders, sessionIdGenerator, sm, sso

    Fields inherited from class org.apache.catalina.valves.ValveBase

    asyncSupported, container, containerLog, next

    Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase

    mserver

    Fields inherited from interface org.apache.catalina.Lifecycle

    AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
  • Constructor Summary

    Constructors
    Constructor | Description
    BaseFormAuthenticator() |
  • Method Summary

    Modifier and Type | Method | Description
    protected boolean | doSupportSignature() | Indicates if digital signatures/validation of SAML assertions are enabled.
    protected abstract String | getBinding() | Return the SAML Binding that this authenticator supports
    String | getConfigFile() | Get the name of the configuration file
    org.picketlink.config.federation.SPType | getConfiguration() | Get the SPType
    String | getIdentityURL() | Get the Identity URL
    X509Certificate | getIdpCertificate() | Get the X509Certificate of the IDP if provided via the IDP metadata file
    protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType | getIDPSSODescriptor(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities) |
    protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType | handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities) |
    protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType | handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType entityDescriptor) |
    protected void | initializeHandlerChain() |
    protected abstract void | initKeyProvider(org.apache.catalina.Context context) |
    protected boolean | localAuthentication(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.tomcat.util.descriptor.web.LoginConfig loginConfig) | Fall back on local authentication at the service provider side
    protected void | populateChainConfig() |
    protected void | processConfiguration() | Process the configuration from the configuration file
    protected void | processIDPMetadataFile(String idpMetadataFile) | Attempt to process a metadata file available locally
    protected void | sendToLogoutPage(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.catalina.Session session) |
    void | setAuditHelper(org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper) |
    void | setConfigFile(String configFile) | Set the name of the configuration file
    void | setConfigProvider(String cp) | Set the SAMLConfigurationProvider fqn
    void | setConfigProvider(org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider) | Set an instance of the SAMLConfigurationProvider
    void | setIdpAddress(String idpAddress) | If request.getRemoteAddr() does not exactly match the IDP address you keyed in your deployment descriptor as the keystore alias, you can set it here explicitly
    void | setIssuerID(String issuerID) | Set a separate issuer id
    void | setLogOutPage(String logOutPage) | Set the logout page
    void | setSamlHandlerChainClass(String samlHandlerChainClass) | Set the SAML Handler Chain Class fqn
    void | setSaveRestoreRequest(boolean saveRestoreRequest) | Set whether the authenticator saves/restores the request during form authentication
    void | setServiceURL(String serviceURL) | Set the service URL
    void | setTimerInterval(String value) | Set the Timer Value to reload the configuration
    protected void | startPicketLink() |
    void | testStart() |
    protected boolean | validate(org.apache.catalina.connector.Request request) | Perform validation of the request object

    Methods inherited from class org.apache.catalina.authenticator.FormAuthenticator

    doAuthenticate, forwardToErrorPage, forwardToLoginPage, getAuthenticationSessionTimeout, getAuthMethod, getCharacterEncoding, getLandingPage, isContinuationRequired, matchRequest, register, restoreRequest, savedRequestURL, saveRequest, setAuthenticationSessionTimeout, setCharacterEncoding, setLandingPage

    Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase

    allowCorsPreflightBypass, associate, authenticate, changeSessionID, checkForCachedAuthentication, doLogin, getAllowCorsPreflight, getAlwaysUseSession, getCache, getChangeSessionIdOnAuthentication, getContainer, getDisableProxyCaching, getJaspicCallbackHandlerClass, getRealmName, getSecurePagesWithPragma, getSecureRandomAlgorithm, getSecureRandomClass, getSecureRandomProvider, invoke, isPreemptiveAuthPossible, isSendAuthInfoResponseHeaders, login, logout, notify, reauthenticateFromSSO, register, setAllowCorsPreflight, setAlwaysUseSession, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setJaspicCallbackHandlerClass, setSecurePagesWithPragma, setSecureRandomAlgorithm, setSecureRandomClass, setSecureRandomProvider, setSendAuthInfoResponseHeaders, startInternal, stopInternal

    Methods inherited from class org.apache.catalina.valves.ValveBase

    backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString

    Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase

    destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

    Methods inherited from class org.apache.catalina.util.LifecycleBase

    addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
  • Field Details

    • logger

      protected static final org.picketlink.common.PicketLinkLogger logger
    • enableAudit

      protected boolean enableAudit
    • auditHelper

      protected org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper
    • keyManager

      protected org.picketlink.identity.federation.core.interfaces.TrustKeyManager keyManager
    • spConfiguration

      protected org.picketlink.config.federation.SPType spConfiguration
    • picketLinkConfiguration

      protected org.picketlink.config.federation.PicketLinkType picketLinkConfiguration
    • serviceURL

      protected String serviceURL
    • identityURL

      protected String identityURL
    • issuerID

      protected String issuerID
    • configFile

      protected String configFile
    • idpCertificate

      protected transient X509Certificate idpCertificate
      If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata
    • chain

      protected transient org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain chain
    • samlHandlerChainClass

      protected transient String samlHandlerChainClass
    • chainConfigOptions

      protected Map<String,Object> chainConfigOptions
    • saveRestoreRequest

      protected boolean saveRestoreRequest
    • chainLock

      protected Lock chainLock
      A Lock for Handler operations in the chain
    • canonicalizationMethod

      protected String canonicalizationMethod
    • configProvider

      protected org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider
      The user can inject a fully qualified name of a SAMLConfigurationProvider
    • timerInterval

      protected int timerInterval
    • timer

      protected Timer timer
    • idpAddress

      protected String idpAddress
  • Constructor Details

    • BaseFormAuthenticator

      public BaseFormAuthenticator()
  • Method Details

    • setIdpAddress

      public void setIdpAddress(String idpAddress)
      If request.getRemoteAddr() does not exactly match the IDP address you keyed in your deployment descriptor as the keystore alias, you can set it here explicitly
      Parameters:
      idpAddress - IP address of IDP
    • getConfigFile

      public String getConfigFile()
      Get the name of the configuration file
      Returns:
      SAML config file path
    • setConfigFile

      public void setConfigFile(String configFile)
      Set the name of the configuration file
      Parameters:
      configFile - set config file path
    • setSamlHandlerChainClass

      public void setSamlHandlerChainClass(String samlHandlerChainClass)
      Set the SAML Handler Chain Class fqn
      Parameters:
      samlHandlerChainClass - FQN of SAML Handler Chain
    • setServiceURL

      public void setServiceURL(String serviceURL)
      Set the service URL
      Parameters:
      serviceURL - Service URL
    • setSaveRestoreRequest

      public void setSaveRestoreRequest(boolean saveRestoreRequest)
      Set whether the authenticator saves/restores the request during form authentication
      Parameters:
      saveRestoreRequest - saves/restores the request during authentication if true
    • setConfigProvider

      public void setConfigProvider(String cp)
      Set the SAMLConfigurationProvider fqn
      Parameters:
      cp - fqn of a SAMLConfigurationProvider
    • setConfigProvider

      public void setConfigProvider(org.picketlink.identity.federation.web.util.SAMLConfigurationProvider configProvider)
      Set an instance of the SAMLConfigurationProvider
      Parameters:
      configProvider - SAML IDP/SP config provider
    • getConfiguration

      public org.picketlink.config.federation.SPType getConfiguration()
      Get the SPType
      Returns:
      SAML SP configuration
    • setIssuerID

      public void setIssuerID(String issuerID)
      Set a separate issuer id
      Parameters:
      issuerID - id of the issuer
    • setLogOutPage

      public void setLogOutPage(String logOutPage)
      Set the logout page
      Parameters:
      logOutPage - logout page URL
    • setTimerInterval

      public void setTimerInterval(String value)
      Set the Timer Value to reload the configuration
      Parameters:
      value - an integer value that represents the timer value (in milliseconds)
    • validate

      protected boolean validate(org.apache.catalina.connector.Request request)
      Perform validation of the request object
      Parameters:
      request - Apache Catalina Request
      Returns:
      true if request contains a SAML Response parameter
    • getIdentityURL

      public String getIdentityURL()
      Get the Identity URL
      Returns:
      Identity URL
    • getIdpCertificate

      public X509Certificate getIdpCertificate()
      Get the X509Certificate of the IDP if provided via the IDP metadata file
      Returns:
      X509Certificate or null
    • localAuthentication

      protected boolean localAuthentication(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.tomcat.util.descriptor.web.LoginConfig loginConfig) throws IOException
      Fall back on local authentication at the service provider side
      Parameters:
      request - Apache Catalina Request
      response - Apache Catalina Response
      loginConfig - Apache Catalina Login Config
      Returns:
      true if authenticated
      Throws:
      IOException - any I/O error during authentication
    • getBinding

      protected abstract String getBinding()
      Return the SAML Binding that this authenticator supports
      Returns:
      supported SAML Binding
    • processIDPMetadataFile

      protected void processIDPMetadataFile(String idpMetadataFile)
      Attempt to process a metadata file available locally
      Parameters:
      idpMetadataFile - path of configuration file of IDP Metadata
    • processConfiguration

      protected void processConfiguration()
      Process the configuration from the configuration file
    • handleMetadata

      protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)
    • handleMetadata

      protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType handleMetadata(org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType entityDescriptor)
    • getIDPSSODescriptor

      protected org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType getIDPSSODescriptor(org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType entities)
    • initializeHandlerChain

      protected void initializeHandlerChain() throws org.picketlink.common.exceptions.ConfigurationException, org.picketlink.common.exceptions.ProcessingException
      Throws:
      org.picketlink.common.exceptions.ConfigurationException
      org.picketlink.common.exceptions.ProcessingException
    • populateChainConfig

      protected void populateChainConfig() throws org.picketlink.common.exceptions.ConfigurationException, org.picketlink.common.exceptions.ProcessingException
      Throws:
      org.picketlink.common.exceptions.ConfigurationException
      org.picketlink.common.exceptions.ProcessingException
    • sendToLogoutPage

      protected void sendToLogoutPage(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.catalina.Session session) throws IOException, javax.servlet.ServletException
      Throws:
      IOException
      javax.servlet.ServletException
    • testStart

      public void testStart() throws org.apache.catalina.LifecycleException
      Throws:
      org.apache.catalina.LifecycleException
    • startPicketLink

      protected void startPicketLink() throws org.apache.catalina.LifecycleException
      Throws:
      org.apache.catalina.LifecycleException
    • doSupportSignature

      protected boolean doSupportSignature()
      Indicates if digital signatures/validation of SAML assertions are enabled. Subclasses that support signatures should override this method.
      Returns:
      true if SP Configuration supports signature
    • initKeyProvider

      protected abstract void initKeyProvider(org.apache.catalina.Context context) throws org.apache.catalina.LifecycleException
      Throws:
      org.apache.catalina.LifecycleException
    • setAuditHelper

      public void setAuditHelper(org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper auditHelper)
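The following is an added illustration, not code from the GateIn SSO project or from this page: a minimal concrete subclass that implements the two abstract methods (getBinding and initKeyProvider) and overrides doSupportSignature so that the valve refuses to start when no signature-validation key is configured, instead of silently running without assertion signature checks. The class name, the package, and the PicketLink calls spConfiguration.getKeyProvider(), KeyProviderType.getClassName()/getAuth()/getValidatingAlias() and TrustKeyManager.setAuthProperties()/setValidatingAlias() are assumptions about the PicketLink API that this page does not state; the fields spConfiguration, keyManager and getIdpCertificate() are the ones documented above.

```java
package com.example.sso; // hypothetical package, not part of the project

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.gatein.sso.saml.plugin.valve.BaseFormAuthenticator;
import org.picketlink.config.federation.KeyProviderType;          // assumed PicketLink type
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;

/**
 * Example SP authenticator for the SAML 2.0 HTTP-POST binding that treats
 * signature validation as mandatory. Added example; not project code.
 */
public class SignedPostFormAuthenticator extends BaseFormAuthenticator {

    /** SAML 2.0 HTTP-POST binding URI as defined by the SAML 2.0 Bindings specification. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    @Override
    protected String getBinding() {
        return HTTP_POST_BINDING;
    }

    /** Signatures are required here, so the base class wires signature handling into the chain. */
    @Override
    protected boolean doSupportSignature() {
        return true;
    }

    /**
     * Build the TrustKeyManager from the KeyProvider element of the SP configuration.
     * Assumption: SPType.getKeyProvider() returns a KeyProviderType whose ClassName names
     * a TrustKeyManager implementation (the usual PicketLink configuration shape).
     */
    @Override
    protected void initKeyProvider(Context context) throws LifecycleException {
        KeyProviderType keyProvider = spConfiguration.getKeyProvider(); // assumed accessor
        if (keyProvider == null || keyProvider.getClassName() == null) {
            // Fail the valve's lifecycle rather than accept unsigned SAML responses by accident.
            throw new LifecycleException("No KeyProvider configured for context "
                    + context.getName() + "; signature validation is required");
        }
        try {
            Class<?> clazz = Class.forName(keyProvider.getClassName(), true, getClass().getClassLoader());
            keyManager = (TrustKeyManager) clazz.getDeclaredConstructor().newInstance();
            keyManager.setAuthProperties(keyProvider.getAuth());            // assumed setters
            keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new LifecycleException("Cannot instantiate TrustKeyManager "
                    + keyProvider.getClassName(), e);
        }
        // Metadata-supplied IDP certificate is optional; the keystore alias is the fallback trust anchor.
        if (getIdpCertificate() == null && keyProvider.getValidatingAlias().isEmpty()) {
            throw new LifecycleException("Neither IDP metadata certificate nor validating alias available");
        }
    }
}
```

The subclass is registered like any Tomcat Valve in the web application's context.xml, and Tomcat maps attributes such as configFile, idpAddress and timerInterval onto the setters documented above.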