View Javadoc

1   /*
2    * Copyright 2006 University Corporation for Advanced Internet Development, Inc.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package edu.internet2.middleware.shibboleth.idp.authn.provider;
18  
19  import java.io.IOException;
20  import java.security.Principal;
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.Set;
24  
25  import javax.security.auth.Subject;
26  import javax.security.auth.callback.Callback;
27  import javax.security.auth.callback.CallbackHandler;
28  import javax.security.auth.callback.NameCallback;
29  import javax.security.auth.callback.PasswordCallback;
30  import javax.security.auth.callback.UnsupportedCallbackException;
31  import javax.servlet.ServletConfig;
32  import javax.servlet.ServletException;
33  import javax.servlet.http.HttpServlet;
34  import javax.servlet.http.HttpServletRequest;
35  import javax.servlet.http.HttpServletResponse;
36  
37  import org.opensaml.xml.util.DatatypeHelper;
38  import org.opensaml.xml.util.Pair;
39  import org.slf4j.Logger;
40  import org.slf4j.LoggerFactory;
41  
42  import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
43  import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
44  import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
45  
46  /**
47   * This Servlet authenticates a user via JAAS. The user's credential is always added to the returned {@link Subject} as
48   * a {@link UsernamePasswordCredential} within the subject's private credentials.
49   */
50  public class UsernamePasswordLoginServlet extends HttpServlet {
51  
52      /** Serial version UID. */
53      private static final long serialVersionUID = -572799841125956990L;
54  
55      /** Class logger. */
56      private final Logger log = LoggerFactory.getLogger(UsernamePasswordLoginServlet.class);
57  
58      /** Name of JAAS configuration used to authenticate users. */
59      private String jaasConfigName = "ShibUserPassAuth";
60  
61      /** init-param which can be passed to the servlet to override the default JAAS config. */
62      private final String jaasInitParam = "jaasConfigName";
63  
64      /** Login page name. */
65      private String loginPage = "login.jsp";
66  
67      /** init-param which can be passed to the servlet to override the default login page. */
68      private final String loginPageInitParam = "loginPage";
69  
70      /** Parameter name to indicate login failure. */
71      private final String failureParam = "loginFailed";
72  
73      /** HTTP request parameter containing the user name. */
74      private final String usernameAttribute = "j_username";
75  
76      /** HTTP request parameter containing the user's password. */
77      private final String passwordAttribute = "j_password";
78  
79      /** {@inheritDoc} */
80      public void init(ServletConfig config) throws ServletException {
81          super.init(config);
82  
83          if (getInitParameter(jaasInitParam) != null) {
84              jaasConfigName = getInitParameter(jaasInitParam);
85          }
86  
87          if (getInitParameter(loginPageInitParam) != null) {
88              loginPage = getInitParameter(loginPageInitParam);
89          }
90          if (!loginPage.startsWith("/")) {
91              loginPage = "/" + loginPage;
92          }
93      }
94  
95      /** {@inheritDoc} */
96      protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException,
97              IOException {
98          String username = request.getParameter(usernameAttribute);
99          String password = request.getParameter(passwordAttribute);
100 
101         if (username == null || password == null) {
102             redirectToLoginPage(request, response, null);
103             return;
104         }
105 
106         if (authenticateUser(request)) {
107             AuthenticationEngine.returnToAuthenticationEngine(request, response);
108         } else {
109             List<Pair<String, String>> queryParams = new ArrayList<Pair<String, String>>();
110             queryParams.add(new Pair<String, String>(failureParam, "true"));
111             redirectToLoginPage(request, response, queryParams);
112         }
113     }
114 
115     /**
116      * Sends the user to the login page.
117      * 
118      * @param request current request
119      * @param response current response
120      * @param queryParams query parameters to pass to the login page
121      */
122     protected void redirectToLoginPage(HttpServletRequest request, HttpServletResponse response,
123             List<Pair<String, String>> queryParams) {
124 
125         String requestContext = DatatypeHelper.safeTrimOrNullString(request.getContextPath());
126         if (requestContext == null) {
127             requestContext = "/";
128         }
129         request.setAttribute("actionUrl", requestContext + request.getServletPath());
130 
131         if (queryParams != null) {
132             for (Pair<String, String> param : queryParams) {
133                 request.setAttribute(param.getFirst(), param.getSecond());
134             }
135         }
136 
137         try {
138             request.getRequestDispatcher(loginPage).forward(request, response);
139             log.debug("Redirecting to login page {}", loginPage);
140         } catch (IOException ex) {
141             log.error("Unable to redirect to login page.", ex);
142         } catch (ServletException ex) {
143             log.error("Unable to redirect to login page.", ex);
144         }
145     }
146 
147     /**
148      * Authenticate a username and password against JAAS. If authentication succeeds the name of the first principal, or
149      * the username if that is empty, and the subject are placed into the request in their respective attributes.
150      * 
151      * @param request current authentication request
152      * 
153      * @return true of authentication succeeds, false if not
154      */
155     protected boolean authenticateUser(HttpServletRequest request) {
156         String username = DatatypeHelper.safeTrimOrNullString(request.getParameter(usernameAttribute));
157         String password = DatatypeHelper.safeTrimOrNullString(request.getParameter(passwordAttribute));
158 
159         try {
160             log.debug("Attempting to authenticate user {}", username);
161 
162             SimpleCallbackHandler cbh = new SimpleCallbackHandler(username, password);
163 
164             javax.security.auth.login.LoginContext jaasLoginCtx = new javax.security.auth.login.LoginContext(
165                     jaasConfigName, cbh);
166 
167             jaasLoginCtx.login();
168             log.debug("Successfully authenticated user {}", username);
169 
170             Subject loginSubject = jaasLoginCtx.getSubject();
171 
172             Set<Principal> principals = loginSubject.getPrincipals();
173             if (principals.isEmpty()) {
174                 principals.add(new UsernamePrincipal(username));
175             }
176 
177             Set<Object> publicCredentials = loginSubject.getPublicCredentials();
178 
179             Set<Object> privateCredentials = loginSubject.getPrivateCredentials();
180             privateCredentials.add(new UsernamePasswordCredential(username, password));
181 
182             Subject userSubject = new Subject(false, principals, publicCredentials, privateCredentials);
183             request.setAttribute(LoginHandler.SUBJECT_KEY, userSubject);
184 
185             return true;
186         } catch (Throwable e) {
187             log.debug("User authentication for " + username + " failed", e);
188             return false;
189         }
190     }
191 
192     /**
193      * A callback handler that provides static name and password data to a JAAS loging process.
194      * 
195      * This handler only supports {@link NameCallback} and {@link PasswordCallback}.
196      */
197     protected class SimpleCallbackHandler implements CallbackHandler {
198 
199         /** Name of the user. */
200         private String uname;
201 
202         /** User's password. */
203         private String pass;
204 
205         /**
206          * Constructor.
207          * 
208          * @param username The username
209          * @param password The password
210          */
211         public SimpleCallbackHandler(String username, String password) {
212             uname = username;
213             pass = password;
214         }
215 
216         /**
217          * Handle a callback.
218          * 
219          * @param callbacks The list of callbacks to process.
220          * 
221          * @throws UnsupportedCallbackException If callbacks has a callback other than {@link NameCallback} or
222          *             {@link PasswordCallback}.
223          */
224         public void handle(final Callback[] callbacks) throws UnsupportedCallbackException {
225 
226             if (callbacks == null || callbacks.length == 0) {
227                 return;
228             }
229 
230             for (Callback cb : callbacks) {
231                 if (cb instanceof NameCallback) {
232                     NameCallback ncb = (NameCallback) cb;
233                     ncb.setName(uname);
234                 } else if (cb instanceof PasswordCallback) {
235                     PasswordCallback pcb = (PasswordCallback) cb;
236                     pcb.setPassword(pass.toCharArray());
237                 }
238             }
239         }
240     }
241 }