view gwt-client/src/main/java/org/dive4elements/river/client/server/SamlServlet.java @ 9577:ca19b7186294

Logging saml group-name in authentication log
author gernotbelger
date Tue, 13 Nov 2018 13:02:00 +0100
parents d6d5ca6d4af0
children
/* Copyright (C) 2011, 2012, 2013 by Bundesanstalt für Gewässerkunde
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU AGPL (>=v3)
 * and comes with ABSOLUTELY NO WARRANTY! Check out the
 * documentation coming with Dive4Elements River for details.
 */

package org.dive4elements.river.client.server;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringBufferInputStream;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Base64InputStream;
import org.apache.log4j.Logger;
import org.dive4elements.river.client.server.auth.AuthenticationException;
import org.dive4elements.river.client.server.auth.User;
import org.dive4elements.river.client.server.auth.saml.Assertion;
import org.dive4elements.river.client.server.auth.saml.TicketValidator;
import org.dive4elements.river.client.server.auth.was.Response;
import org.dive4elements.river.client.server.features.Features;

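/**
 * Login entry point for SAML tickets.
 *
 * Expects a Base64 encoded SAML assertion in the {@code saml} POST parameter,
 * validates it with the {@link TicketValidator} configured through the servlet
 * context and, on success, hands the resulting {@link User} to the inherited
 * {@code performLogin}. Every failure path ends in {@code redirectFailure}.
 */
public class SamlServlet extends AuthenticationServlet {

    private static final Logger log = Logger.getLogger(SamlServlet.class);

    /**
     * Handles the SAML login POST.
     *
     * A missing {@code saml} parameter, a {@code null} user from {@link #auth}
     * and an {@link AuthenticationException} all lead to a failure redirect;
     * only a non-null user is logged in. The group of the authenticated user is
     * written to the log for auditing.
     *
     * @param req the login request carrying the {@code saml} parameter
     * @param resp the response used for the redirect or the login
     * @throws ServletException forwarded from the inherited helpers
     * @throws IOException forwarded from the inherited helpers
     */
    @Override
    protected void doPost(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
        final String samlTicketXML = req.getParameter("saml");

        log.debug("Processing post request");

        if (samlTicketXML == null) {
            log.debug("No saml ticket provided");
            this.redirectFailure(resp, req.getContextPath());
            return;
        }

        try {
            final User user = this.auth(samlTicketXML);
            if (user == null) {
                log.debug("Authentication not successful");
                this.redirectFailure(resp, req.getContextPath());
                return;
            }

            // Audit trail: record which group the accepted assertion mapped to.
            final String userGroup = user.getUserGroup();
            log.info(String.format("SAML-Authentication successfull: group = '%s'", userGroup));

            this.performLogin(req, resp, user);
        }
        catch (final AuthenticationException e) {
            log.error(e, e);
            this.redirectFailure(resp, req.getContextPath(), e);
        }
    }

    /**
     * Validates the Base64 encoded SAML ticket and turns it into a {@link User}.
     *
     * The trusted key file ({@code saml-trusted-public-key}, resolved via
     * {@code getRealPath}) and the numeric time tolerance
     * ({@code saml-time-tolerance}) are read from the servlet context on every
     * call. Any problem on the way (missing or non-numeric init parameter,
     * undecodable ticket, whatever {@code checkTicket} throws) is logged with
     * full detail server-side but surfaces to the caller only as a generic
     * {@code "Login failed."} exception, so a client is not told why its ticket
     * was rejected.
     *
     * @param samlTicketXML the Base64 encoded ticket as received from the client
     * @return the user built by {@link Response#createUser}; may be {@code null}
     *         if that helper yields none, which {@link #doPost} treats as a
     *         failed login
     * @throws AuthenticationException if no valid assertion could be obtained
     */
    private User auth(final String samlTicketXML) throws AuthenticationException {
        final ServletContext sc = this.getServletContext();

        Assertion assertion = null;
        try {
            final String keyfile = sc.getInitParameter("saml-trusted-public-key");
            final int timeEps = Integer.parseInt(sc.getInitParameter("saml-time-tolerance"));
            final TicketValidator validator = new TicketValidator(sc.getRealPath(keyfile), timeEps);

            // A Base64 ticket is plain ASCII, so decode it with an explicit charset
            // instead of the deprecated StringBufferInputStream, which silently
            // truncated every char to its low byte. Any non-ASCII char becomes '?',
            // which is outside the Base64 alphabet.
            final InputStream in = new ByteArrayInputStream(samlTicketXML.getBytes(StandardCharsets.US_ASCII));
            assertion = validator.checkTicket(new Base64InputStream(in));
        }
        catch (final Exception e) {
            // Deliberately broad: configuration errors, decoding problems and
            // validator failures all fail closed. The detail stays in the log.
            log.error(e.getLocalizedMessage(), e);
        }

        if (assertion == null) {
            // Generic message on purpose: the reason was logged above, not returned.
            throw new AuthenticationException("Login failed.");
        }

        final Features features = (Features) sc.getAttribute(Features.CONTEXT_ATTRIBUTE);

        return Response.createUser(null, samlTicketXML, assertion, features);
    }
}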
