annotate gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/Response.java @ 9497:d6d5ca6d4af0

Enabled logging of saml-group-name in log-ing logfile. Some cleanup/refactoring.
author gernotbelger
date Thu, 27 Sep 2018 17:40:39 +0200
parents 5e38e2924c07
children
1 /* Copyright (C) 2011, 2012, 2013 by Bundesanstalt für Gewässerkunde
2 * Software engineering by Intevation GmbH
3 *
4 * This file is Free Software under the GNU AGPL (>=v3)
5 * and comes with ABSOLUTELY NO WARRANTY! Check out the
6 * documentation coming with Dive4Elements River for details.
7 */
8
9 package org.dive4elements.river.client.server.auth.was;
10
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringBufferInputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.apache.commons.codec.binary.Base64InputStream;
import org.apache.http.HttpEntity;
import org.apache.http.util.EntityUtils;
import org.apache.log4j.Logger;
import org.dive4elements.artifacts.httpclient.utils.XMLUtils;
import org.dive4elements.river.client.server.auth.Authentication;
import org.dive4elements.river.client.server.auth.AuthenticationException;
import org.dive4elements.river.client.server.auth.DefaultUser;
import org.dive4elements.river.client.server.auth.User;
import org.dive4elements.river.client.server.auth.saml.Assertion;
import org.dive4elements.river.client.server.auth.saml.TicketValidator;
import org.dive4elements.river.client.server.auth.saml.XPathUtils;
import org.dive4elements.river.client.server.features.Features;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
31
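/**
 * Response of the WAS authentication service, parsed from the HTTP entity it was received in.
 *
 * <p>Construction only parses the document and rejects an OGC {@code ServiceExceptionReport};
 * it does not validate the SAML ticket. Validation happens lazily in {@link #getAssertion()}
 * and is required before {@link #getUser()} hands out a user. {@link #isSuccess()} merely
 * inspects the status code and must not be taken as proof of a valid ticket.
 *
 * <p>Not thread-safe: the validated assertion is cached in a plain field.
 */
public class Response implements Authentication {

    private static final Logger log = Logger.getLogger(Response.class);

    /** Root element of the parsed response document. */
    private final Element root;
    /** Response body as text, exactly as returned by {@link EntityUtils#toString}; stored in the user. */
    private final String samlTicketXML;
    /** Assertion produced by ticket validation; {@code null} until {@link #getAssertion()} succeeds. */
    private Assertion assertion;
    private final String password;
    private final Features features;
    private final String trustedKeyFile;
    /** Time tolerance for ticket validation as a decimal string; parsed in {@link #getAssertion()}. */
    private final String timeEpsilon;

    /**
     * Reads and parses the WAS response body.
     *
     * @param entity         HTTP entity holding the response; {@code null} is rejected.
     * @param password       password used for this login; handed unchanged to the created user.
     * @param features       used to map the assertion's roles to allowed features.
     * @param trustedKeyFile key file handed to {@link TicketValidator} when the ticket is checked.
     * @param timeEpsilon    time tolerance for ticket validation, as a decimal string.
     * @throws AuthenticationException if the response cannot be used for authentication
     *         (the {@link ServiceException} raised for a missing entity or an error report).
     * @throws IOException if the entity body cannot be read.
     */
    public Response(final HttpEntity entity, final String password, final Features features, final String trustedKeyFile,
            final String timeEpsilon) throws AuthenticationException, IOException {

        if (entity == null) {
            throw new ServiceException("Invalid response");
        }

        // HttpEntity.getContentType() is documented to return null when the type is unknown;
        // an unknown type takes the base64 branch below instead of failing with an NPE.
        final String contenttype = entity.getContentType() == null ? null : entity.getContentType().getValue();
        final String samlTicketXML = EntityUtils.toString(entity);

        // ISO-8859-1 maps every char <= U+00FF to the single byte the (deprecated)
        // StringBufferInputStream used to emit; chars above U+00FF, which it silently
        // truncated, become '?' here. Either way the XML parser below re-decodes the bytes.
        InputStream in = new ByteArrayInputStream(samlTicketXML.getBytes(StandardCharsets.ISO_8859_1));

        if (!"application/vnd.ogc.se_xml".equals(contenttype)) {
            // XXX: Assume base64 encoded content.
            in = new Base64InputStream(in);
        }

        final Document doc = XMLUtils.readDocument(in);
        final Element root = doc.getDocumentElement();
        final String rname = root.getTagName();

        // The service reports errors as an OGC ServiceExceptionReport document.
        if ("ServiceExceptionReport".equals(rname)) {
            throw new ServiceException(XPathUtils.xpathString(root, "ServiceException"));
        }

        this.samlTicketXML = samlTicketXML;
        this.root = root;
        this.password = password;
        this.features = features;
        this.trustedKeyFile = trustedKeyFile;
        this.timeEpsilon = timeEpsilon;
    }

    /**
     * Reports whether the response carries the {@code samlp:Success} status code.
     *
     * <p>This reads only the status element; it performs no validation of the ticket,
     * so a {@code true} result is not sufficient to authenticate anybody.
     *
     * @return {@code true} iff the status code is exactly {@code samlp:Success}.
     */
    @Override
    public boolean isSuccess() {
        return "samlp:Success".equals(getStatus());
    }

    /** @return the {@code Value} of the status code element, or {@code null} if absent. */
    private String getStatus() {
        return XPathUtils.xpathString(this.root, "./samlp:Status/samlp:StatusCode/@Value");
    }

    /**
     * Validates the ticket once and caches the resulting assertion.
     *
     * <p>Validation is delegated to {@link TicketValidator#checkTicket} with the configured
     * trusted key file and time tolerance. Any failure — including a non-numeric
     * {@code timeEpsilon} — is logged and yields {@code null}; the concrete reason is only
     * visible in the log, callers just see the missing assertion.
     *
     * @return the validated assertion, or {@code null} if there is no document or validation failed.
     */
    private Assertion getAssertion() {
        if (this.assertion == null && this.root != null) {
            try {
                final int timeEps = Integer.parseInt(this.timeEpsilon);
                final TicketValidator validator = new TicketValidator(this.trustedKeyFile, timeEps);
                this.assertion = validator.checkTicket(this.root);
            }
            catch (final Exception e) {
                // Deliberately broad: the validator's failure modes are not enumerated here,
                // and a failed validation must never surface as an assertion.
                log.error(e.getLocalizedMessage(), e);
            }
        }
        return this.assertion;
    }

    /**
     * Builds the authenticated user from the validated assertion.
     *
     * @return the user with roles and allowed features derived from the assertion.
     * @throws AuthenticationException if the ticket did not validate or holds no assertion
     *         (see {@link #getAssertion()}; the reason is only logged).
     */
    @Override
    public User getUser() throws AuthenticationException {
        final Assertion assertion = getAssertion();
        if (assertion == null) {
            throw new AuthenticationException("Response doesn't contain an assertion");
        }

        final DefaultUser user = createUser(this.password, this.samlTicketXML, assertion, this.features);

        // Only name and feature list are logged; password and ticket stay out of the log.
        log.debug("User " + user.getName() + " with features " + user.getAllowedFeatures() + " successfully authenticated.");

        return user;
    }

    /**
     * Creates a {@link DefaultUser} from an assertion.
     *
     * <p>No validation is done here; the assertion is expected to come from
     * {@link #getAssertion()} (or an equivalent validated source).
     *
     * @param password      password stored in the user (see the note on re-authentication below).
     * @param samlTicketXML response body stored in the user.
     * @param assertion     validated assertion supplying name ID, roles and group name.
     * @param features      maps the assertion's roles to allowed features.
     * @return the new user; never {@code null}.
     */
    public static DefaultUser createUser(final String password, final String samlTicketXML, final Assertion assertion, final Features features) {
        final List<String> roles = assertion.getRoles();
        final List<String> allowedFeatures = features.getFeatures(roles);

        // We could check the validity dates of the assertion here, but
        // when using this for Single-Sign-On this would lead to the
        // code in GGInAFilter to re-authenticate with the password
        // stored in the User object, which isn't known in the case of
        // Single-Sign-On.
        final boolean expired = false;

        final String username = assertion.getNameID();
        final String userGroup = assertion.getGroupName();

        return new DefaultUser(username, password, samlTicketXML, expired, roles, allowedFeatures, userGroup);
    }
}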
