PicketLink Federation Server Bindings for Apache Tomcat 5/6 2.1.1.Final-redhat-1

org.picketlink.identity.federation.bindings.tomcat.sp
Class BaseFormAuthenticator

java.lang.Object
  extended by org.apache.catalina.valves.ValveBase
      extended by org.apache.catalina.authenticator.AuthenticatorBase
          extended by org.apache.catalina.authenticator.FormAuthenticator
              extended by org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator
All Implemented Interfaces:
MBeanRegistration, org.apache.catalina.Authenticator, org.apache.catalina.Contained, org.apache.catalina.Lifecycle, org.apache.catalina.Valve
Direct Known Subclasses:
AbstractSPFormAuthenticator

public abstract class BaseFormAuthenticator
extends org.apache.catalina.authenticator.FormAuthenticator

Base Class for Service Provider Form Authenticators

Since:
Jun 9, 2009
Author:
Anil.Saldhana@redhat.com

Field Summary
protected  String canonicalizationMethod
           
protected  SAML2HandlerChain chain
           
protected  Map<String,Object> chainConfigOptions
           
protected  Lock chainLock
          A Lock for Handler operations in the chain
protected  String configFile
           
protected  SAMLConfigurationProvider configProvider
          The user can inject a fully qualified name of a SAMLConfigurationProvider
protected  String identityURL
           
protected  String idpAddress
           
protected  X509Certificate idpCertificate
          If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata
protected  String issuerID
           
protected  TrustKeyManager keyManager
           
protected static org.apache.log4j.Logger log
           
protected  String logOutPage
           
protected  PicketLinkType picketLinkConfiguration
           
protected  String samlHandlerChainClass
           
protected  boolean saveRestoreRequest
           
protected  String serviceURL
           
protected  SPType spConfiguration
           
protected  boolean trace
           
 
Fields inherited from class org.apache.catalina.authenticator.FormAuthenticator
characterEncoding, info, landingPage
 
Fields inherited from class org.apache.catalina.authenticator.AuthenticatorBase
AUTH_HEADER_NAME, cache, changeSessionIdOnAuthentication, context, disableProxyCaching, lifecycle, REALM_NAME, securePagesWithPragma, SESSION_ID_BYTES, sm, sso, started
 
Fields inherited from class org.apache.catalina.valves.ValveBase
container, controller, domain, mserver, next, oname
 
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, DESTROY_EVENT, INIT_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
Constructor Summary
BaseFormAuthenticator()
           
 
Method Summary
protected  boolean doSupportSignature()
           Indicates if digital signatures/validation of SAML assertions are enabled.
protected abstract  String getBinding()
          Return the SAML Binding that this authenticator supports
 String getConfigFile()
           
 SPType getConfiguration()
           
 String getIdentityURL()
          Get the Identity URL
 X509Certificate getIdpCertificate()
          Get the X509Certificate of the IDP if provided via the IDP metadata file
protected  IDPSSODescriptorType getIDPSSODescriptor(EntitiesDescriptorType entities)
           
protected  IDPSSODescriptorType handleMetadata(EntitiesDescriptorType entities)
           
protected  IDPSSODescriptorType handleMetadata(EntityDescriptorType entityDescriptor)
           
protected  void initializeHandlerChain()
           
protected abstract  void initKeyProvider(org.apache.catalina.Context context)
           
protected  boolean localAuthentication(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.catalina.deploy.LoginConfig loginConfig)
          Fall back on local authentication at the service provider side
protected  void populateChainConfig()
           
protected  void processConfiguration()
          Process the configuration from the configuration file
protected  void processIDPMetadataFile(String idpMetadataFile)
          Attempt to process a metadata file available locally
protected  void processStart()
           
protected  void register(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, Principal principal, String arg3, String arg4, String arg5)
          This method is a hack: because Tomcat changed its authenticator method signatures for Servlet 3, Java reflection is used to locate the superclass register method on the first call and save it.
protected  void sendToLogoutPage(org.apache.catalina.connector.Request request, org.apache.catalina.connector.Response response, org.apache.catalina.Session session)
           
 void setConfigFile(String configFile)
           
 void setConfigProvider(String cp)
           
 void setIdpAddress(String idpAddress)
          If request.getRemoteAddr() does not exactly match the IDP address keyed in your deployment descriptor for the keystore alias, the IDP address can be set here explicitly
 void setIssuerID(String issuerID)
          Set a separate issuer id
 void setLogOutPage(String logOutPage)
           
 void setSamlHandlerChainClass(String samlHandlerChainClass)
           
 void setSaveRestoreRequest(boolean saveRestoreRequest)
           
 void setServiceURL(String serviceURL)
           
 void start()
           
 void testStart()
           
protected  boolean validate(org.apache.catalina.connector.Request request)
          Perform validation of the request object
 
Methods inherited from class org.apache.catalina.authenticator.FormAuthenticator
authenticate, forwardToErrorPage, forwardToLoginPage, getCharacterEncoding, getInfo, getLandingPage, matchRequest, restoreRequest, savedRequestURL, saveRequest, setCharacterEncoding, setLandingPage
 
Methods inherited from class org.apache.catalina.authenticator.AuthenticatorBase
addLifecycleListener, associate, authenticate, findLifecycleListeners, generateSessionId, getCache, getContainer, getDisableProxyCaching, getSecurePagesWithPragma, invoke, isChangeSessionIdOnAuthentication, login, logout, reauthenticateFromSSO, register, removeLifecycleListener, setCache, setChangeSessionIdOnAuthentication, setContainer, setDisableProxyCaching, setSecurePagesWithPragma, stop, unregister
 
Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, createObjectName, event, getContainerName, getController, getDomain, getNext, getObjectName, getParentName, postDeregister, postRegister, preDeregister, preRegister, setController, setNext, setObjectName, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

log

protected static org.apache.log4j.Logger log

trace

protected final boolean trace

keyManager

protected TrustKeyManager keyManager

spConfiguration

protected SPType spConfiguration

picketLinkConfiguration

protected PicketLinkType picketLinkConfiguration

serviceURL

protected String serviceURL

identityURL

protected String identityURL

issuerID

protected String issuerID

configFile

protected String configFile

idpCertificate

protected transient X509Certificate idpCertificate
If the service provider is configured with an IDP metadata file, then this certificate can be picked up from the metadata


chain

protected transient SAML2HandlerChain chain

samlHandlerChainClass

protected transient String samlHandlerChainClass

chainConfigOptions

protected Map<String,Object> chainConfigOptions

saveRestoreRequest

protected boolean saveRestoreRequest

chainLock

protected Lock chainLock
A Lock for Handler operations in the chain


canonicalizationMethod

protected String canonicalizationMethod

logOutPage

protected String logOutPage

configProvider

protected SAMLConfigurationProvider configProvider
The user can inject a fully qualified name of a SAMLConfigurationProvider


idpAddress

protected String idpAddress
Constructor Detail

BaseFormAuthenticator

public BaseFormAuthenticator()
Method Detail

setIdpAddress

public void setIdpAddress(String idpAddress)
If request.getRemoteAddr() does not exactly match the IDP address keyed in your deployment descriptor for the keystore alias, the IDP address can be set here explicitly


getConfigFile

public String getConfigFile()

setConfigFile

public void setConfigFile(String configFile)

setSamlHandlerChainClass

public void setSamlHandlerChainClass(String samlHandlerChainClass)

setServiceURL

public void setServiceURL(String serviceURL)

setSaveRestoreRequest

public void setSaveRestoreRequest(boolean saveRestoreRequest)

setConfigProvider

public void setConfigProvider(String cp)

getConfiguration

public SPType getConfiguration()

setIssuerID

public void setIssuerID(String issuerID)
Set a separate issuer id

Parameters:
issuerID -

setLogOutPage

public void setLogOutPage(String logOutPage)

validate

protected boolean validate(org.apache.catalina.connector.Request request)
Perform validation of the request object

Parameters:
request -
Returns:
Throws:
IOException
GeneralSecurityException

start

public void start()
           throws org.apache.catalina.LifecycleException
Specified by:
start in interface org.apache.catalina.Lifecycle
Overrides:
start in class org.apache.catalina.authenticator.AuthenticatorBase
Throws:
org.apache.catalina.LifecycleException

getIdentityURL

public String getIdentityURL()
Get the Identity URL

Returns:

getIdpCertificate

public X509Certificate getIdpCertificate()
Get the X509Certificate of the IDP if provided via the IDP metadata file

Returns:
X509Certificate or null

register

protected void register(org.apache.catalina.connector.Request request,
                        org.apache.catalina.connector.Response response,
                        Principal principal,
                        String arg3,
                        String arg4,
                        String arg5)
This method is a hack: because Tomcat changed its authenticator method signatures for Servlet 3, Java reflection is used to locate the superclass register method on the first call and save it. Subsequent invocations use the saved Method.

See Also:
org.apache.catalina.authenticator.AuthenticatorBase#register(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response, java.security.Principal, java.lang.String, java.lang.String, java.lang.String)

localAuthentication

protected boolean localAuthentication(org.apache.catalina.connector.Request request,
                                      org.apache.catalina.connector.Response response,
                                      org.apache.catalina.deploy.LoginConfig loginConfig)
                               throws IOException
Fall back on local authentication at the service provider side

Parameters:
request -
response -
loginConfig -
Returns:
Throws:
IOException

getBinding

protected abstract String getBinding()
Return the SAML Binding that this authenticator supports

Returns:
See Also:
JBossSAMLURIConstants#SAML_HTTP_POST_BINDING, JBossSAMLURIConstants#SAML_HTTP_REDIRECT_BINDING

processIDPMetadataFile

protected void processIDPMetadataFile(String idpMetadataFile)
Attempt to process a metadata file available locally


processConfiguration

protected void processConfiguration()
Process the configuration from the configuration file


handleMetadata

protected IDPSSODescriptorType handleMetadata(EntitiesDescriptorType entities)

handleMetadata

protected IDPSSODescriptorType handleMetadata(EntityDescriptorType entityDescriptor)

getIDPSSODescriptor

protected IDPSSODescriptorType getIDPSSODescriptor(EntitiesDescriptorType entities)

initializeHandlerChain

protected void initializeHandlerChain()
                               throws ConfigurationException,
                                      ProcessingException
Throws:
ConfigurationException
ProcessingException

populateChainConfig

protected void populateChainConfig()
                            throws ConfigurationException,
                                   ProcessingException
Throws:
ConfigurationException
ProcessingException

sendToLogoutPage

protected void sendToLogoutPage(org.apache.catalina.connector.Request request,
                                org.apache.catalina.connector.Response response,
                                org.apache.catalina.Session session)
                         throws IOException,
                                javax.servlet.ServletException
Throws:
IOException
javax.servlet.ServletException

testStart

public void testStart()
               throws org.apache.catalina.LifecycleException
Throws:
org.apache.catalina.LifecycleException

processStart

protected void processStart()
                     throws org.apache.catalina.LifecycleException
Throws:
org.apache.catalina.LifecycleException

doSupportSignature

protected boolean doSupportSignature()

Indicates if digital signatures/validation of SAML assertions are enabled. Subclasses that support signatures should override this method.

Returns:

initKeyProvider

protected abstract void initKeyProvider(org.apache.catalina.Context context)
                                 throws org.apache.catalina.LifecycleException
Throws:
org.apache.catalina.LifecycleException


Copyright © 2012 JBoss Inc.. All Rights Reserved.