Mercurial > dive4elements > river
annotate gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/Authenticator.java @ 8839:2c8259176c46
Add configurable time tolerance to SAML ticket validation.
This allows e.g. to account for time skew between the ISP and
the server this servlet is run on.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Wed, 28 Jun 2017 20:09:53 +0200 |
parents | ea9eef426962 |
children | d6d5ca6d4af0 cfc0aab9947f |
rev | line source |
---|---|
5861
172338b1407f
GWT client: Added copyright header.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5838
diff
changeset
|
1 /* Copyright (C) 2011, 2012, 2013 by Bundesanstalt für Gewässerkunde |
172338b1407f
GWT client: Added copyright header.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5838
diff
changeset
|
2 * Software engineering by Intevation GmbH |
172338b1407f
GWT client: Added copyright header.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5838
diff
changeset
|
3 * |
5993
ea9eef426962
Removed trailing whitespace.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5943
diff
changeset
|
4 * This file is Free Software under the GNU AGPL (>=v3) |
5861
172338b1407f
GWT client: Added copyright header.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5838
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! Check out the |
5993
ea9eef426962
Removed trailing whitespace.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5943
diff
changeset
|
6 * documentation coming with Dive4Elements River for details. |
5861
172338b1407f
GWT client: Added copyright header.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5838
diff
changeset
|
7 */ |
172338b1407f
GWT client: Added copyright header.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5838
diff
changeset
|
8 |
5835
821a02bbfb4e
Fixed internal java dependencies
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5834
diff
changeset
|
9 package org.dive4elements.river.client.server.auth.was; |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
10 |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
11 import java.io.IOException; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
12 import java.security.GeneralSecurityException; |
5933
1b939742629e
Pass LoginServlet's ServletContext to the Authenticators.
Bernhard Herzog <bh@intevation.de>
parents:
5861
diff
changeset
|
13 import javax.servlet.ServletContext; |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
14 |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
15 import org.apache.http.HttpEntity; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
16 import org.apache.http.HttpResponse; |
4488
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
17 import org.apache.http.StatusLine; |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
18 import org.apache.http.client.HttpClient; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
19 import org.apache.http.conn.scheme.Scheme; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
20 import org.apache.http.conn.ssl.SSLSocketFactory; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
21 import org.apache.http.impl.client.DefaultHttpClient; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
22 |
5835
821a02bbfb4e
Fixed internal java dependencies
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5834
diff
changeset
|
23 import org.dive4elements.river.client.server.GGInATrustStrategy; |
821a02bbfb4e
Fixed internal java dependencies
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5834
diff
changeset
|
24 import org.dive4elements.river.client.server.auth.Authentication; |
821a02bbfb4e
Fixed internal java dependencies
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5834
diff
changeset
|
25 import org.dive4elements.river.client.server.auth.AuthenticationException; |
821a02bbfb4e
Fixed internal java dependencies
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5834
diff
changeset
|
26 import org.dive4elements.river.client.server.features.Features; |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
27 |
3486
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
28 public class Authenticator |
5835
821a02bbfb4e
Fixed internal java dependencies
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5834
diff
changeset
|
29 implements org.dive4elements.river.client.server.auth.Authenticator { |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
30 |
3485
71ba3cf3ec5e
Refactor Authentication to allow to pass the Freatures to the user class
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
2956
diff
changeset
|
31 @Override |
3486
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
32 public Authentication auth( |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
33 String username, |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
34 String password, |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
35 String encoding, |
5933
1b939742629e
Pass LoginServlet's ServletContext to the Authenticators.
Bernhard Herzog <bh@intevation.de>
parents:
5861
diff
changeset
|
36 Features features, |
1b939742629e
Pass LoginServlet's ServletContext to the Authenticators.
Bernhard Herzog <bh@intevation.de>
parents:
5861
diff
changeset
|
37 ServletContext context |
3486
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
38 ) throws |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
39 AuthenticationException, |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
40 IOException |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
41 { |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
42 try { |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
43 SSLSocketFactory sf = new SSLSocketFactory( |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
44 new GGInATrustStrategy()); |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
45 Scheme https = new Scheme("https", 443, sf); |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
46 HttpClient httpclient = new DefaultHttpClient(); |
3486
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
47 httpclient.getConnectionManager().getSchemeRegistry().register( |
23095983c249
Implement Features handling for WAS authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
3485
diff
changeset
|
48 https); |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
49 |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
50 Request httpget = new Request("https://geoportal.bafg.de/" + |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
51 "administration/WAS", username, password, encoding); |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
52 HttpResponse response = httpclient.execute(httpget); |
4488
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
53 StatusLine stline = response.getStatusLine(); |
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
54 if (stline.getStatusCode() != 200) { |
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
55 throw new AuthenticationException("GGInA Server Error. " + |
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
56 "Statuscode: " + stline.getStatusCode() + |
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
57 ". Reason: " + stline.getReasonPhrase()); |
5041105d2edd
Check if response code from GGInA is 200 OK
Björn Ricks <bjoern.ricks@intevation.de>
parents:
3486
diff
changeset
|
58 } |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
59 HttpEntity entity = response.getEntity(); |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
60 if (entity == null) { |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
61 //FIXME throw AuthenticationException |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
62 return null; |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
63 } |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
64 else { |
5943
a96350a1c160
Pass trusted key filename to Response in WAS Authenticator.
Bernhard Herzog <bh@intevation.de>
parents:
5933
diff
changeset
|
65 String trustedKey = |
a96350a1c160
Pass trusted key filename to Response in WAS Authenticator.
Bernhard Herzog <bh@intevation.de>
parents:
5933
diff
changeset
|
66 (String)context.getInitParameter("saml-trusted-public-key"); |
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
5993
diff
changeset
|
67 String timeEpsilon = context.getInitParameter( |
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
5993
diff
changeset
|
68 "saml-time-tolerance"); |
5943
a96350a1c160
Pass trusted key filename to Response in WAS Authenticator.
Bernhard Herzog <bh@intevation.de>
parents:
5933
diff
changeset
|
69 return new Response(entity, username, password, features, |
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
5993
diff
changeset
|
70 context.getRealPath(trustedKey), timeEpsilon); |
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
71 } |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
72 } |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
73 catch(GeneralSecurityException e) { |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
74 throw new AuthenticationException(e); |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
75 } |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
76 } |
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
77 } |