shibboleth-dev - Patch to UsernamePasswordLoginServlet.java
- From: John Weigel
- Subject: Patch to UsernamePasswordLoginServlet.java
- Date: Wed, 25 Nov 2009 16:55:40 -0600
Hi All,
The company I work for recently encountered the need to be able to send an authentication failure response back to a service provider when a user is unable to successfully log in at our identity provider. This required a small change to the UsernamePasswordLoginServlet as it has no provision for breaking out of the login cycle if the user is unable to authenticate themselves. I've included the patch in this email in case you wish to incorporate it. The patch is against the latest stable release.
Index: java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/ authn/provider/UsernamePasswordLoginServlet.java
===================================================================
--- java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/ authn/provider/UsernamePasswordLoginServlet.java (revision 2905)
+++ java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/ authn/provider/UsernamePasswordLoginServlet.java (working copy)
@@ -75,6 +75,9 @@
/** HTTP request parameter containing the user's password. */
private final String passwordAttribute = "j_password";
+
+ /** HTTP request parameter containing cancel login option. */
+ private final String cancelAttribute = "cancel";
/**
{@inheritDoc}
*/
public void init(ServletConfig config) throws ServletException {
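Review bot: The added `cancelAttribute` field uses the parameter name `"cancel"`, which breaks with the `j_` prefix of the neighbouring `passwordAttribute` (`"j_password"`). Consider `"j_cancel"`, or note in the Javadoc why the name differs, so the login form's parameters stay consistent. The Javadoc line "HTTP request parameter containing cancel login option" should also say how the parameter is interpreted (which value, if any, the login page is expected to send), because a login-page author has only this comment to go on.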
@@ -97,14 +100,19 @@
IOException {
String username = request.getParameter(usernameAttribute);
String password = request.getParameter(passwordAttribute);
+ String cancel = request.getParameter(cancelAttribute);
- if (username == null || password == null) {
+ if ((username == null || password == null) && (cancel == null)) {
redirectToLoginPage(request, response, null);
return;
}
- if (authenticateUser(request, username, password)) {
+ if (cancel != null) {
+ log.debug("Login canceled by user. Returning to authentication engine.");
+ request.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, "login canceled");
AuthenticationEngine.returnToAuthenticationEngine(request, response);
+ } else if (authenticateUser(request, username, password)) {
+ AuthenticationEngine.returnToAuthenticationEngine(request, response);
} else {
List<Pair<String, String>> queryParams = new ArrayList<Pair<String, String>>();
queryParams.add(new Pair<String, String>(failureParam, "true"));
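Review bot: The `if (cancel != null)` branch fires on the mere presence of the `cancel` parameter, whatever its value, and it is tested before `authenticateUser(request, username, password)`, so a request that carries both credentials and `cancel` is returned to the authentication engine as a failure without the credentials being checked. If that precedence is intended, say so in a comment above the branch; otherwise compare `cancel` against an expected value so that an empty or stray parameter does not end the login attempt. Since any request reaching this servlet with that parameter now produces an authentication error at the service provider, it is worth deciding whether the cancel path should be accepted only from the login form's own submission. The literal `"login canceled"` set under `LoginHandler.AUTHENTICATION_ERROR_KEY` would be easier to match on downstream as a named constant, and `log.debug` may be too quiet for an event that ends an authentication attempt if operators rely on the log for auditing.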
John Weigel
Software Developer, Sunflower Broadband