annotate gwt-client/src/main/java/org/dive4elements/river/client/server/SamlServlet.java @ 9577:ca19b7186294

Logging saml group-name in authentication log
author gernotbelger
date Tue, 13 Nov 2018 13:02:00 +0100
parents d6d5ca6d4af0
children
1 /* Copyright (C) 2011, 2012, 2013 by Bundesanstalt für Gewässerkunde
2 * Software engineering by Intevation GmbH
3 *
4 * This file is Free Software under the GNU AGPL (>=v3)
5 * and comes with ABSOLUTELY NO WARRANTY! Check out the
6 * documentation coming with Dive4Elements River for details.
7 */
8
9 package org.dive4elements.river.client.server;
10
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringBufferInputStream;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Base64InputStream;
import org.apache.log4j.Logger;
import org.dive4elements.river.client.server.auth.AuthenticationException;
import org.dive4elements.river.client.server.auth.User;
import org.dive4elements.river.client.server.auth.saml.Assertion;
import org.dive4elements.river.client.server.auth.saml.TicketValidator;
import org.dive4elements.river.client.server.auth.was.Response;
import org.dive4elements.river.client.server.features.Features;
28
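/**
 * Login servlet for the SAML based single sign-on.
 *
 * The browser posts a base64-encoded SAML ticket in the {@code saml} form
 * parameter. The ticket is handed to {@link TicketValidator}, which is
 * expected to verify it against the public key named by the
 * {@code saml-trusted-public-key} init parameter; on success the resulting
 * {@link User} is logged in through {@link AuthenticationServlet#performLogin}.
 * Any failure, whatever its cause, ends in a redirect to the failure page
 * with a generic message — details are only written to the server log.
 */
public class SamlServlet extends AuthenticationServlet {

    private static final Logger log = Logger.getLogger(SamlServlet.class);

    /**
     * Handles the SAML login POST.
     *
     * @param req  request carrying the base64-encoded ticket in the {@code saml} parameter
     * @param resp response used for the login or failure redirect
     * @throws ServletException propagated from the base class login/redirect helpers
     * @throws IOException propagated from the base class login/redirect helpers
     */
    @Override
    protected void doPost(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
        log.debug("Processing post request");

        final String samlTicketXML = req.getParameter("saml");
        // Missing or empty ticket: nothing to validate, fail fast.
        if (samlTicketXML == null || samlTicketXML.isEmpty()) {
            log.debug("No saml ticket provided");
            this.redirectFailure(resp, req.getContextPath());
            return;
        }

        try {
            final User user = this.auth(samlTicketXML);
            if (user == null) {
                log.debug("Authentication not successful");
                this.redirectFailure(resp, req.getContextPath());
                return;
            }

            // The group name originates from the ticket, i.e. from outside this
            // application. Scrub control characters before logging so a crafted
            // value cannot forge additional lines in the authentication log.
            final String userGroup = sanitizeForLog(user.getUserGroup());
            log.info(String.format("SAML-Authentication successfull: group = '%s'", userGroup));

            this.performLogin(req, resp, user);
        }
        catch (final AuthenticationException e) {
            log.error(e, e);
            this.redirectFailure(resp, req.getContextPath(), e);
        }
    }

    /**
     * Decodes and validates the ticket and builds the user from the assertion.
     *
     * @param samlTicketXML the base64-encoded ticket as posted by the browser
     * @return the authenticated user as built by {@link Response#createUser}
     * @throws AuthenticationException if the ticket cannot be decoded or validated;
     *     the message is deliberately generic, the cause is in the server log
     */
    private User auth(final String samlTicketXML) throws AuthenticationException {
        final ServletContext sc = this.getServletContext();

        Assertion assertion = null;
        try {
            final String keyfile = sc.getInitParameter("saml-trusted-public-key");
            final String tolerance = sc.getInitParameter("saml-time-tolerance");
            // Make a misconfigured deployment diagnosable from the log instead of
            // surfacing as an NPE / NumberFormatException from the lines below.
            if (keyfile == null || tolerance == null) {
                throw new IllegalStateException(
                    "init parameters saml-trusted-public-key and saml-time-tolerance must both be set");
            }
            // Presumably the allowed clock skew for the ticket's validity window;
            // see TicketValidator for the unit and exact semantics.
            final int timeEps = Integer.parseInt(tolerance);
            // NOTE(review): getRealPath() may return null when the web application
            // is not deployed exploded; TicketValidator is expected to reject that.
            final TicketValidator validator = new TicketValidator(sc.getRealPath(keyfile), timeEps);

            // Base64 text is pure ASCII, so decode it explicitly with that charset
            // rather than through the deprecated, lossy StringBufferInputStream.
            final InputStream in = new ByteArrayInputStream(samlTicketXML.getBytes(StandardCharsets.US_ASCII));
            assertion = validator.checkTicket(new Base64InputStream(in));
        }
        catch (final Exception e) {
            // Deliberately broad: any failure while decoding or validating the
            // ticket (bad base64, malformed XML, bad signature, missing config, ...)
            // must end in a rejected login, never in an accepted one.
            log.error(e.getLocalizedMessage(), e);
        }

        if (assertion == null) {
            // Generic message on purpose; it is forwarded to the client by redirectFailure.
            throw new AuthenticationException("Login failed.");
        }

        final Features features = (Features) sc.getAttribute(Features.CONTEXT_ATTRIBUTE);

        // No WAS response object exists for a SAML login, hence null as first argument;
        // the raw ticket is passed on alongside the validated assertion.
        return Response.createUser(null, samlTicketXML, assertion, features);
    }

    /**
     * Replaces control characters (line breaks in particular) in a value that is
     * about to be logged, so that attacker-influenced input cannot inject fake
     * log entries.
     *
     * @param value the raw value, may be null
     * @return the scrubbed value, or null if {@code value} was null
     */
    private static String sanitizeForLog(final String value) {
        if (value == null) {
            return null;
        }
        return value.replaceAll("\\p{Cntrl}", "_");
    }
}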
