Mercurial > lada > lada-server
annotate src/main/java/de/intevation/lada/util/auth/OpenIDFilter.java @ 546:b691c8697e6f openid
Implement pseudo session based on OpenID nonce
The nonce contains the date by definition so this can
be used to limit the max age of authentication responses.
This commit also contains some cleanups.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Thu, 26 Feb 2015 15:35:13 +0100 |
parents | 8e3f57e2f4af |
children | f9f1edd30b33 |
rev | line source |
---|---|
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2015 by Bundesamt fuer Strahlenschutz |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
3 * |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU GPL (v>=3) |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! Check out |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
6 * the documentation coming with IMIS-Labordaten-Application for details. |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
7 */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
8 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
9 package de.intevation.lada.util.auth; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
10 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
11 import org.apache.log4j.Logger; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
12 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
13 import java.util.Map; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
14 import java.util.List; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
15 import java.util.LinkedHashMap; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
16 import java.net.URLDecoder; |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
17 import java.util.Date; |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
18 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
19 import java.io.IOException; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
20 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
21 import javax.servlet.Filter; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
22 import javax.servlet.FilterChain; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
23 import javax.servlet.FilterConfig; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
24 import javax.servlet.ServletContext; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
25 import javax.servlet.ServletException; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
26 import javax.servlet.ServletRequest; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
27 import javax.servlet.ServletResponse; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
28 import javax.servlet.annotation.WebFilter; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
29 import javax.servlet.http.HttpServletRequest; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
30 import javax.servlet.http.HttpServletResponse; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
31 import javax.servlet.http.HttpServletRequestWrapper; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
32 import javax.servlet.http.HttpSession; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
33 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
34 import org.openid4java.association.AssociationSessionType; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
35 import org.openid4java.association.AssociationException; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
36 import org.openid4java.consumer.ConsumerManager; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
37 import org.openid4java.consumer.ConsumerException; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
38 import org.openid4java.consumer.InMemoryConsumerAssociationStore; |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
39 import org.openid4java.consumer.AbstractNonceVerifier; |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
40 import org.openid4java.message.ParameterList; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
41 import org.openid4java.consumer.VerificationResult; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
42 import org.openid4java.discovery.DiscoveryInformation; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
43 import org.openid4java.discovery.Identifier; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
44 import org.openid4java.discovery.DiscoveryException; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
45 import org.openid4java.message.MessageException; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
46 import org.openid4java.message.AuthRequest; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
47 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
48 /** ServletFilter used for OpenID authentification. */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
49 @WebFilter("/*") |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
50 public class OpenIDFilter implements Filter { |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
51 |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
52 /** TODO: get this from config. */ |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
53 /** The name of the header field used to transport OpenID parameters.*/ |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
54 private static final String OID_HEADER_FIELD= "X-OPENID-PARAMS"; |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
55 |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
56 /** The identity provider we accept here. */ |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
57 private static final String IDENTITY_PROVIDER = |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
58 "https://localhost:9443/openid/"; |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
59 |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
60 /** Where the authentication should return to the lada client. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
61 * This could be a placeholder to be filled by the client itself and |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
62 * not validated by the server. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
63 */ |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
64 private static final String RETURN_URL = |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
65 "http://path_to_lada_client_return_url"; |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
66 |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
67 private static final int SESSION_TIMEOUT = 1 * 60 * 60; /* one hour */ |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
68 |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
69 private static Logger logger = Logger.getLogger(OpenIDFilter.class); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
70 |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
71 /** We use the openid information as kind of session information and reuse it. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
72 * |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
73 * Usually one would create a session for the user but this would not |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
74 * be an advantage here as we want to transport the session in a header |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
75 * anyway. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
76 * |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
77 * A nonce will be valid as long as as the maxAge is not reached. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
78 * This is implemented by the basis verifier. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
79 * We only implement seed no mark that we accept nonce's multiple |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
80 * times. |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
81 */ |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
82 private class SessionNonceVerifier extends AbstractNonceVerifier { |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
83 public SessionNonceVerifier(int maxAge) { |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
84 super(maxAge); |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
85 } |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
86 |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
87 @Override |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
88 protected int seen(Date now, String opUrl, String nonce) { |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
89 return OK; |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
90 } |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
91 }; |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
92 |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
93 private ConsumerManager manager; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
94 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
95 /* This should be moved into a map <server->discovered> |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
96 * as we currently only supporting one server this is static. */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
97 boolean discoveryDone = false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
98 private DiscoveryInformation discovered; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
99 private String authRequestURL; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
100 private boolean discoverServer() { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
101 /* Perform discovery on the configured IDENTITY_PROVIDER */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
102 List discoveries = null; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
103 try { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
104 discoveries = manager.discover(IDENTITY_PROVIDER); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
105 } catch (DiscoveryException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
106 logger.debug("Discovery failed: " + e.getMessage()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
107 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
108 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
109 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
110 if (discoveries == null || discoveries.isEmpty()) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
111 logger.error( |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
112 "Failed discovery step. OpenID provider unavailable?"); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
113 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
114 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
115 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
116 /* Add association for the discovered information */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
117 discovered = manager.associate(discoveries); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
118 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
119 /* Validate the parameters. */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
120 try { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
121 AuthRequest authReq = manager.authenticate(discovered, RETURN_URL); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
122 authRequestURL = authReq.getDestinationUrl(true); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
123 } catch (MessageException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
124 logger.debug("Failed to create the Authentication request: " + |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
125 e.getMessage()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
126 } catch (ConsumerException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
127 logger.debug("Error in consumer manager: " + |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
128 e.getMessage()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
129 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
130 return true; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
131 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
132 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
133 /** Split up the OpenID response query provided in the header. |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
134 * |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
135 * @param responseQuery The query provided in the header field. |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
136 * @return The query as ParameterList or null on error. |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
137 */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
138 private ParameterList splitParams(String responseQuery) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
139 Map<String, String> queryMap = |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
140 new LinkedHashMap<String, String>(); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
141 final String[] pairs = responseQuery.split("&"); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
142 for (String pair : pairs) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
143 final int idx = pair.indexOf("="); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
144 if (idx <= 0) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
145 logger.debug("Invalid query."); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
146 return null; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
147 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
148 try { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
149 final String key = URLDecoder.decode( |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
150 pair.substring(0, idx), "UTF-8"); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
151 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
152 if (queryMap.containsKey(key)) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
153 logger.debug("Invalid query. Duplicate key: " + key); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
154 return null; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
155 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
156 final String value = URLDecoder.decode( |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
157 pair.substring(idx + 1), "UTF-8"); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
158 queryMap.put(key, value); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
159 } catch (java.io.UnsupportedEncodingException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
160 logger.error("UTF-8 unkown?!"); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
161 return null; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
162 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
163 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
164 if (queryMap.isEmpty()) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
165 logger.debug("Empty query."); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
166 return null; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
167 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
168 return new ParameterList(queryMap); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
169 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
170 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
171 private boolean checkOpenIDHeader(ServletRequest req) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
172 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
173 HttpServletRequest hReq = (HttpServletRequest) req; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
174 /* First check if the header is provided at all */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
175 String oidParamString = hReq.getHeader(OID_HEADER_FIELD); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
176 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
177 if (oidParamString == null) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
178 logger.debug("Header " + OID_HEADER_FIELD + " not provided."); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
179 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
180 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
181 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
182 /* Parse the parameters to a map for openid4j */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
183 ParameterList oidParams = splitParams(oidParamString); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
184 if (oidParams == null) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
185 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
186 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
187 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
188 /* Verify against the discovered server. */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
189 VerificationResult verification = null; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
190 try { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
191 verification = manager.verify(RETURN_URL, oidParams, discovered); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
192 } catch (MessageException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
193 logger.debug("Verification failed: " + e.getMessage()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
194 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
195 } catch (DiscoveryException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
196 logger.debug("Verification discovery exception: " + e.getMessage()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
197 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
198 } catch (AssociationException e) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
199 logger.debug("Verification assoc exception: " + e.getMessage()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
200 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
201 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
202 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
203 /* See what could be verified */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
204 Identifier verified = verification.getVerifiedId(); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
205 if (verified == null) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
206 logger.debug("Failed to verify Identity information: " + |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
207 verification.getStatusMsg()); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
208 return false; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
209 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
210 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
211 logger.debug("Verified user: " + verified); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
212 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
213 return true; |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
214 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
215 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
216 @Override |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
217 public void init(FilterConfig config) |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
218 throws ServletException |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
219 { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
220 manager = new ConsumerManager(); |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
221 /* We probably want to implement our own association store to keep |
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
222 * associations persistent. */ |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
223 manager.setAssociations(new InMemoryConsumerAssociationStore()); |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
224 manager.setNonceVerifier(new SessionNonceVerifier(SESSION_TIMEOUT)); |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
225 manager.setMinAssocSessEnc(AssociationSessionType.DH_SHA256); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
226 discoveryDone = discoverServer(); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
227 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
228 |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
229 @Override |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
230 public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
231 throws IOException, ServletException |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
232 { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
233 if (!discoveryDone) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
234 discoveryDone = discoverServer(); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
235 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
236 if (discoveryDone && checkOpenIDHeader(req)) { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
237 /** Successfully authenticated. */ |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
238 chain.doFilter(req, resp); |
546
b691c8697e6f
Implement pseudo session based on OpenID nonce
Andre Heinecke <andre.heinecke@intevation.de>
parents:
545
diff
changeset
|
239 return; |
545
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
240 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
241 ((HttpServletResponse) resp).sendError(401, "{\"success\":false,\"message\":\"699\",\"data\":" + |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
242 "\"" + authRequestURL + "\",\"errors\":{},\"warnings\":{}," + |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
243 "\"readonly\":false,\"totalCount\":0}"); |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
244 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
245 @Override |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
246 public void destroy() |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
247 { |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
248 } |
8e3f57e2f4af
Change openID authentication to a filter.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
diff
changeset
|
249 }; |