shibboleth-dev - RE: [Shib-Dev] logincontext & Remote User Login Handler

RE: [Shib-Dev] logincontext & Remote User Login Handler


  • From: "Mahabalagiri, Datta" <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] logincontext & Remote User Login Handler
  • Date: Mon, 8 Nov 2010 10:14:46 -0800
  • Accept-language: en-US
  • Acceptlanguage: en-US

Isn't login context already available in RemoteUserLoginHandler?
// sc = servlet context
LoginContext loginContext = HttpServletHelper.getLoginContext(
        HttpServletHelper.getStorageService(sc), sc, httpRequest);
_forceAuthn = loginContext.isForceAuthRequired();

In RemoteUserLoginHandler.java you could override
supportsForceAuthentication() to return true.

Datta

-----Original Message-----
From: [mailto:] On Behalf Of Bradley Schwoerer
Sent: Thursday, November 04, 2010 8:25 AM
To:
Subject: [Shib-Dev] logincontext & Remote User Login Handler

I am looking for feedback on how to best make some changes to the
RemoteUserLoginHandler. I want to access information about the
loginContext in the RemoteUserLoginHandler.

The use case is to be able to support two additional things with
RemoteUser authentication. The first is to allow for Relying Party
specific extensions and the second is to support force authentication.
IMHO, both can be supported by appending information onto the end of the
request string. To support force authentication it would be to append
something like /ForceReAuth at the end of the url, to look like
https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN. Likewise for
Relying Party specific support it would be to append the Base64 url
encoded string to the end like
https://login.wisc.edu/idp/Authn/RemoteUser/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.

In the situation that the relying party asked for force re-auth in the
SAML token it would then result in
https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.

I have something that I prototyped for appending the relying party, and
just mocked up the piece for force authentication. In the
AuthenticationEngine I am setting a few attributes from the loginContext
into the httpRequest as attributes to retrieve in the
RemoteUserLoginHandler.

---
java-idp-2.1.5/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java

2010-09-26 21:12:28.000000000 -0500
+++
java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java

2010-10-22 15:23:19.000000000 -0500
@@ -247,6 +247,11 @@

LoginHandler loginHandler =
selectLoginHandler(possibleLoginHandlers, loginContext, idpSession);

+ httpRequest.setAttribute("WISC_FORCEAUTHN",
loginContext.isForceAuthRequired());
+ httpRequest.setAttribute("WISC_RELYINGPARTY",
loginContext.getRelyingPartyId());
+ httpRequest.setAttribute("WISC_RELYINGPARTY_BASE64",
+
Base64.encodeBytes(loginContext.getRelyingPartyId().getBytes(),
+
Base64.DONT_BREAK_LINES));
LOG.debug("Authenticating user with login handler of type
{}", loginHandler.getClass().getName());
loginContext.setAuthenticationAttempted();

loginContext.setAuthenticationEngineURL(HttpHelper.getRequestUriWithoutContext(httpRequest));
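Review bot: the new `WISC_RELYINGPARTY_BASE64` line calls `loginContext.getRelyingPartyId().getBytes()`, which throws a NullPointerException when no relying party id is set and otherwise encodes with the platform default charset; guard for null and pass an explicit UTF-8 charset before handing the bytes to `Base64.encodeBytes`. The three attributes are also set for every `loginHandler` that `selectLoginHandler` returns, not only for the RemoteUser handler that reads them, and the `WISC_` prefix ties a generic mechanism to one deployment; a neutral attribute name, set only when the selected handler needs it, would be easier to upstream. No import hunk for `AuthenticationEngine.java` appears in the patch, so confirm the `Base64` class used here is actually imported.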


---
java-idp-2.1.5/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java

2010-09-26 21:12:28.000000000 -0500
+++
java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java

2010-11-04 10:15:23.000000000 -0500
@@ -18,9 +18,12 @@

import java.io.IOException;

+import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

+
+import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.util.URLBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
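Review bot: `import javax.servlet.http.HttpServlet;` is added but nothing in the visible changes references `HttpServlet`; drop it. `DatatypeHelper` is used and belongs grouped with the existing `org.opensaml` import rather than behind an extra blank line.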
@@ -66,6 +69,26 @@
}
pathBuilder.append(servletURL);

+ boolean isForceAuthRequired =
httpRequest.getAttribute("WISC_FORCEAUTHN"));
+ if (isForceAuthRequired) {
+ pathBuilder.append("/ForceAuthN");
+ }
+
+ String relyingParty =
DatatypeHelper.safeTrimOrNullString((String)
httpRequest.getAttribute("WISC_RELYINGPARTY"));
+ String relyingPartyBase64 =
DatatypeHelper.safeTrimOrNullString((String)
httpRequest.getAttribute("WISC_RELYINGPARTY_BASE64"));
+ if (relyingPartyBase64 == null) {
+ log.debug("No relyingParty");
+ } else {
+ log.debug("Yes relyingParty {}", relyingParty);
+ String URLrelyingPartyBase64 =
relyingPartyBase64.replace("+", "-").replace("/", "_").replace("=","");
+ log.debug("appending {}", URLrelyingPartyBase64);
+ if (!servletURL.endsWith("/")) {
+ pathBuilder.append("/");
+ }
+ pathBuilder.append(URLrelyingPartyBase64);
+ }
+
+
URLBuilder urlBuilder = new URLBuilder();
urlBuilder.setScheme(httpRequest.getScheme());
urlBuilder.setHost(httpRequest.getServerName());
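Review bot: `boolean isForceAuthRequired = httpRequest.getAttribute("WISC_FORCEAUTHN"));` will not compile: `getAttribute` returns `Object`, so the value needs a cast and a null check (the attribute is absent whenever the request did not come through the patched engine), and there is a stray closing parenthesis; something like `Boolean force = (Boolean) httpRequest.getAttribute("WISC_FORCEAUTHN"); if (Boolean.TRUE.equals(force)) { pathBuilder.append("/ForceAuthN"); }`. Second, `if (!servletURL.endsWith("/"))` tests the original servlet URL rather than what `pathBuilder` now holds, so when `/ForceAuthN` was already appended and `servletURL` ends in a slash the encoded relying party is glued directly onto `ForceAuthN`, and `/ForceAuthN` itself gets no such check, giving `//ForceAuthN` in the slash-terminated case; test the last character of `pathBuilder` before appending either segment. `relyingParty` is only used for a debug log and can go. Finally, whatever consumes these path segments on the remote-user side must treat them as client-supplied, since any browser can request that path directly; the relying party id and forceAuthn flag that matter for the authentication decision remain the ones in the IdP's login context.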


There is a lot of other supporting code, such as configuration and clean-up,
needed for this to work, but I was mainly seeking feedback on passing the
information to the RemoteUserLoginHandler.


-Bradley Schwoerer
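The path scheme proposed above (`<servletURL>[/ForceAuthN][/<base64url(relyingPartyId)>]`) and Datta's point that the values come straight from the LoginContext, as an added stand-alone example; this is not Shibboleth IdP code and not code from the patch. The class and method names (`RemoteUserPath`, `buildPath`, `parsePath`) are assumptions made for this example, `java.util.Base64` is used instead of the OpenSAML `Base64` helper so the URL-safe alphabet and dropped padding come from the library rather than from string replacement, and the separator check looks at the path as built so far so that a slash-terminated servlet URL and an already-appended ForceAuthN segment both work. The sample relying party id is a constructed value; it happens to encode to the string quoted in the mail.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Builds and parses the extended RemoteUser path discussed in the thread:
 *   <servletURL>[/ForceAuthN][/<base64url(relyingPartyId)>]
 * Added illustration, not Shibboleth IdP code; names are assumptions.
 */
public final class RemoteUserPath {

    /** Segment appended when the relying party asked for forced re-authentication. */
    public static final String FORCE_AUTHN_SEGMENT = "ForceAuthN";

    /** What a consumer of the path can recover from it. */
    public static final class Parsed {
        public final boolean forceAuthn;
        /** Decoded relying party id, or null when the segment is absent. */
        public final String relyingPartyId;

        Parsed(boolean forceAuthn, String relyingPartyId) {
            this.forceAuthn = forceAuthn;
            this.relyingPartyId = relyingPartyId;
        }
    }

    /** Builds the redirect path from values the IdP reads out of its LoginContext. */
    public static String buildPath(String servletURL, boolean forceAuthn, String relyingPartyId) {
        StringBuilder path = new StringBuilder(servletURL);
        if (forceAuthn) {
            appendSegment(path, FORCE_AUTHN_SEGMENT);
        }
        if (relyingPartyId != null && !relyingPartyId.trim().isEmpty()) {
            // Explicit UTF-8 plus the URL-safe alphabet without padding, so no
            // '+', '/' or '=' ever lands in a path segment.
            String encoded = Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(relyingPartyId.getBytes(StandardCharsets.UTF_8));
            appendSegment(path, encoded);
        }
        return path.toString();
    }

    /**
     * Appends one segment with exactly one '/' separator. The check looks at the
     * path built so far, not at the original servlet URL, so a slash-terminated
     * base and a previously appended ForceAuthN segment are both handled.
     */
    private static void appendSegment(StringBuilder path, String segment) {
        if (path.length() == 0 || path.charAt(path.length() - 1) != '/') {
            path.append('/');
        }
        path.append(segment);
    }

    /**
     * Parses a request path back into its parts. Everything here is client-supplied
     * (any browser can request this path directly), so a consumer may use the
     * relying party id for display or routing but not as the authoritative value;
     * that remains the one held in the IdP's login context.
     */
    public static Parsed parsePath(String servletURL, String requestPath) {
        String base = servletURL.endsWith("/")
                ? servletURL.substring(0, servletURL.length() - 1) : servletURL;
        if (!requestPath.startsWith(base)) {
            throw new IllegalArgumentException("path is not under the RemoteUser servlet URL");
        }
        boolean forceAuthn = false;
        String relyingPartyId = null;
        for (String segment : requestPath.substring(base.length()).split("/")) {
            if (segment.isEmpty()) {
                continue;
            }
            if (FORCE_AUTHN_SEGMENT.equals(segment)) {
                forceAuthn = true;
            } else if (relyingPartyId == null) {
                // Rejects anything that is not valid base64url with an IllegalArgumentException.
                relyingPartyId = new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
            } else {
                throw new IllegalArgumentException("unexpected extra path segment: " + segment);
            }
        }
        return new Parsed(forceAuthn, relyingPartyId);
    }

    public static void main(String[] args) {
        String servletURL = "https://login.wisc.edu/idp/Authn/RemoteUser";
        // Constructed sample relying party id (encodes to the string quoted in the mail).
        String rpId = "my.wisconsin.edu/shibboleth";

        String plain = buildPath(servletURL, false, rpId);
        String forced = buildPath(servletURL + "/", true, rpId); // slash-terminated base
        System.out.println(plain);
        System.out.println(forced);

        Parsed parsed = parsePath(servletURL, forced);
        if (!parsed.forceAuthn || !rpId.equals(parsed.relyingPartyId)) {
            throw new AssertionError("round trip failed");
        }
        System.out.println("round trip ok: forceAuthn=" + parsed.forceAuthn
                + " relyingParty=" + parsed.relyingPartyId);
    }
}
```

Running `main` prints the two built paths and confirms that parsing the ForceAuthN variant recovers both the flag and the original relying party id; the decoder throws on a malformed segment rather than returning garbage, which is the behaviour a receiving servlet wants before it logs or displays the value.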


