Mercurial > dive4elements > river
annotate gwt-client/src/main/java/org/dive4elements/river/client/server/SamlServlet.java @ 9577:ca19b7186294
Logging saml group-name in authentication log
author | gernotbelger |
---|---|
date | Tue, 13 Nov 2018 13:02:00 +0100 |
parents | d6d5ca6d4af0 |
children |
rev | line source |
---|---|
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2011, 2012, 2013 by Bundesanstalt für Gewässerkunde |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
3 * |
5993
ea9eef426962
Removed trailing whitespace.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5953
diff
changeset
|
4 * This file is Free Software under the GNU AGPL (>=v3) |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! Check out the |
5993
ea9eef426962
Removed trailing whitespace.
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5953
diff
changeset
|
6 * documentation coming with Dive4Elements River for details. |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
7 */ |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
8 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
9 package org.dive4elements.river.client.server; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
10 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
11 import java.io.IOException; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
12 import java.io.InputStream; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
13 import java.io.StringBufferInputStream; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
14 |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
15 import javax.servlet.ServletContext; |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
16 import javax.servlet.ServletException; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
17 import javax.servlet.http.HttpServletRequest; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
18 import javax.servlet.http.HttpServletResponse; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
19 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
20 import org.apache.commons.codec.binary.Base64InputStream; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
21 import org.apache.log4j.Logger; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
22 import org.dive4elements.river.client.server.auth.AuthenticationException; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
23 import org.dive4elements.river.client.server.auth.User; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
24 import org.dive4elements.river.client.server.auth.saml.Assertion; |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
25 import org.dive4elements.river.client.server.auth.saml.TicketValidator; |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
26 import org.dive4elements.river.client.server.auth.was.Response; |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
27 import org.dive4elements.river.client.server.features.Features; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
28 |
5953
24dc13ac8e6c
Add AuthenticationServlet, a common base class for the login servlets
Bernhard Herzog <bh@intevation.de>
parents:
5950
diff
changeset
|
29 public class SamlServlet extends AuthenticationServlet { |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
30 |
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
6187
diff
changeset
|
31 private static Logger log = Logger.getLogger(SamlServlet.class); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
32 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
33 @Override |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
34 protected void doPost(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException { |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
35 // final String encoding = req.getCharacterEncoding(); |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
36 final String samlTicketXML = req.getParameter("saml"); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
37 |
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
6187
diff
changeset
|
38 log.debug("Processing post request"); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
39 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
40 if (samlTicketXML == null) { |
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
6187
diff
changeset
|
41 log.debug("No saml ticket provided"); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
42 this.redirectFailure(resp, req.getContextPath()); |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
43 return; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
44 } |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
45 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
46 try { |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
47 final User user = this.auth(samlTicketXML); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
48 if (user == null) { |
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
6187
diff
changeset
|
49 log.debug("Authentication not successful"); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
50 this.redirectFailure(resp, req.getContextPath()); |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
51 return; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
52 } |
9577
ca19b7186294
Logging saml group-name in authentication log
gernotbelger
parents:
9497
diff
changeset
|
53 |
ca19b7186294
Logging saml group-name in authentication log
gernotbelger
parents:
9497
diff
changeset
|
54 final String userGroup = user.getUserGroup(); |
ca19b7186294
Logging saml group-name in authentication log
gernotbelger
parents:
9497
diff
changeset
|
55 log.info(String.format("SAML-Authentication successfull: group = '%s'", userGroup)); |
ca19b7186294
Logging saml group-name in authentication log
gernotbelger
parents:
9497
diff
changeset
|
56 |
5953
24dc13ac8e6c
Add AuthenticationServlet, a common base class for the login servlets
Bernhard Herzog <bh@intevation.de>
parents:
5950
diff
changeset
|
57 this.performLogin(req, resp, user); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
58 } |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
59 catch (final AuthenticationException e) { |
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
6187
diff
changeset
|
60 log.error(e, e); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
61 this.redirectFailure(resp, req.getContextPath(), e); |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
62 } |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
63 } |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
64 |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
65 private User auth(final String samlTicketXML) throws AuthenticationException { |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
66 final ServletContext sc = this.getServletContext(); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
67 |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
68 Assertion assertion = null; |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
69 try { |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
70 final String keyfile = sc.getInitParameter("saml-trusted-public-key"); |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
71 final int timeEps = Integer.parseInt(sc.getInitParameter("saml-time-tolerance")); |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
72 final TicketValidator validator = new TicketValidator(sc.getRealPath(keyfile), timeEps); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
73 |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
74 final InputStream in = new StringBufferInputStream(samlTicketXML); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
75 assertion = validator.checkTicket(new Base64InputStream(in)); |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
76 } |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
77 catch (final Exception e) { |
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
6187
diff
changeset
|
78 log.error(e.getLocalizedMessage(), e); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
79 } |
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
80 |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
81 if (assertion == null) |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
82 throw new AuthenticationException("Login failed."); |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
83 |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
84 final Features features = (Features) sc.getAttribute(Features.CONTEXT_ATTRIBUTE); |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
85 |
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
86 return Response.createUser(null, samlTicketXML, assertion, features); |
5950
38d161edba77
Add SamlServlet to implement actual login via SAML Ticket.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
87 } |
9497
d6d5ca6d4af0
Enabled logging of saml-group-name in log-ing logfile.
gernotbelger
parents:
8856
diff
changeset
|
88 } |