Java > Open Source Codes > org > infoglue > cms > security > CASBasicAuthenticationModule


1 /* ===============================================================================
2  *
3  * Part of the InfoGlue Content Management Platform (www.infoglue.org)
4  *
5  * ===============================================================================
6  *
7  * Copyright (C)
8  *
9  * This program is free software; you can redistribute it and/or modify it under
10  * the terms of the GNU General Public License version 2, as published by the
11  * Free Software Foundation. See the file LICENSE.html for more information.
12  *
13  * This program is distributed in the hope that it will be useful, but WITHOUT
14  * ANY WARRANTY, including the implied warranty of MERCHANTABILITY or FITNESS
15  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License along with
18  * this program; if not, write to the Free Software Foundation, Inc. / 59 Temple
19  * Place, Suite 330 / Boston, MA 02111-1307 / USA.
20  *
21  * ===============================================================================
22  */
23
24 package org.infoglue.cms.security;
25
26 import java.net.URLEncoder ;
27 import java.security.Principal ;
28 import java.security.cert.CertificateException ;
29 import java.security.cert.X509Certificate ;
30 import java.util.List ;
31 import java.util.Map ;
32 import java.util.Properties ;
33
34 import javax.net.ssl.HostnameVerifier;
35 import javax.net.ssl.HttpsURLConnection;
36 import javax.net.ssl.SSLContext;
37 import javax.net.ssl.SSLSession;
38 import javax.net.ssl.TrustManager;
39 import javax.net.ssl.X509TrustManager;
40 import javax.servlet.FilterChain ;
41 import javax.servlet.ServletException ;
42 import javax.servlet.http.HttpServletRequest ;
43 import javax.servlet.http.HttpServletResponse ;
44 import javax.servlet.http.HttpSession ;
45
46 import org.apache.log4j.Logger;
47 import org.infoglue.cms.controllers.kernel.impl.simple.UserControllerProxy;
48 import org.infoglue.cms.exception.SystemException;
49 import org.infoglue.cms.util.CmsPropertyHandler;
50
51 import edu.yale.its.tp.cas.client.ProxyTicketValidator;
52 import edu.yale.its.tp.cas.client.Util;
53
54 /**
55  * @author Mattias Bogeblad
56  *
57  * This authentication module authenticates an user against CAS (edu.yale.its.tp.cas)
58  * which is a singe sign on service.
59  */
60
61 public class CASBasicAuthenticationModule extends AuthenticationModule//, AuthorizationModule
62 {
63     private final static Logger logger = Logger.getLogger(CASBasicAuthenticationModule.class.getName());
64
65     private String loginUrl = null;
66     private String logoutUrl = null;
67     private String invalidLoginUrl = null;
68     private String authenticatorClass = null;
69     private String authorizerClass = null;
70     private String successLoginUrl = null;
71     private String serverName = null;
72     private String casValidateUrl = null;
73     private String casServiceUrl = null;
74     private String casLogoutUrl = null;
75     private String casAuthorizedProxy = null;
76     private String casRenew = null;
77     private Properties extraProperties = null;
78     
79     /**
80      * This method handles all of the logic for checking how to handle a login.
81      */
82     
83     public String authenticateUser(HttpServletRequest request, HttpServletResponse response, FilterChain fc) throws Exception
84     {
85         String authenticatedUserName = null;
86
87         HttpSession session = ((HttpServletRequest )request).getSession();
88
89         String ticket = request.getParameter("ticket");
90         logger.info("ticket:" + ticket);
91         
92         // no ticket? abort request processing and redirect
93 if (ticket == null || ticket.equals(""))
94         {
95             if (loginUrl == null)
96             {
97                 throw new ServletException (
98                         "When InfoGlueFilter protects pages that do not receive a 'userName' " +
99                         "parameter, it needs a org.infoglue.cms.security.loginUrl " +
100                         "filter parameter");
101             }
102   
103             String requestURI = request.getRequestURI();
104             logger.info("requestURI:" + requestURI);
105
106             String redirectUrl = "";
107
108             if(requestURI.indexOf("?") > 0)
109                 redirectUrl = loginUrl + "&service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
110             else
111                 redirectUrl = loginUrl + "?service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
112     
113             logger.info("redirectUrl 1:" + redirectUrl);
114             response.sendRedirect(redirectUrl);
115
116             return null;
117         }
118         
119         authenticatedUserName = authenticate(ticket);
120         logger.info("authenticatedUserName:" + authenticatedUserName);
121         if(authenticatedUserName == null)
122         {
123             String requestURI = request.getRequestURI();
124             logger.info("requestURI:" + requestURI);
125     
126             String redirectUrl = "";
127     
128             if(requestURI.indexOf("?") > 0)
129                 redirectUrl = loginUrl + "&service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
130             else
131                 redirectUrl = loginUrl + "?service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
132         
133             logger.info("redirectUrl 2:" + redirectUrl);
134             response.sendRedirect(redirectUrl);
135     
136             return null;
137         }
138
139         //request.getSession().setAttribute("ticket", ticket);
140
141         //fc.doFilter(request, response);
142 return authenticatedUserName;
143     }
144     
145     
146     /**
147      * This method handles all of the logic for checking how to handle a login.
148      */
149     
150     public String authenticateUser(Map request) throws Exception
151     {
152         String authenticatedUserName = null;
153
154         if(request.containsKey("j_username"))
155             return (String )request.get("j_username");
156         
157         String ticket = (String )request.get("ticket");
158         logger.info("ticket:" + ticket);
159         
160         // no ticket? abort request processing and redirect
161 if (ticket == null || ticket.equals(""))
162         {
163             return null;
164         }
165         
166         authenticatedUserName = authenticate(ticket);
167         logger.info("authenticatedUserName:" + authenticatedUserName);
168
169         return authenticatedUserName;
170     }
171     
172     /**
173      * This method handles all of the logic for checking how to handle a login.
174      */
175     
176     public String getLoginDialogUrl(HttpServletRequest request, HttpServletResponse response) throws Exception
177     {
178         String url = null;
179
180         HttpSession session = ((HttpServletRequest )request).getSession();
181
182         String ticket = request.getParameter("ticket");
183         logger.info("ticket:" + ticket);
184         
185         // no ticket? abort request processing and redirect
186 if (ticket == null || ticket.equals(""))
187         {
188             if (loginUrl == null)
189             {
190                 throw new ServletException (
191                         "When InfoGlueFilter protects pages that do not receive a 'userName' " +
192                         "parameter, it needs a org.infoglue.cms.security.loginUrl " +
193                         "filter parameter");
194             }
195   
196             String requestURI = request.getRequestURI();
197             logger.info("requestURI:" + requestURI);
198             
199             String redirectUrl = "";
200
201             if(requestURI.indexOf("?") > 0)
202                 redirectUrl = loginUrl + "&service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
203             else
204                 redirectUrl = loginUrl + "?service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
205     
206             logger.info("redirectUrl 3:" + redirectUrl);
207
208             return redirectUrl;
209         }
210         
211         String authenticatedUserName = authenticate(ticket);
212         logger.info("authenticatedUserName:" + authenticatedUserName);
213         if(authenticatedUserName == null)
214         {
215             String requestURI = request.getRequestURI();
216             logger.info("requestURI:" + requestURI);
217     
218             String redirectUrl = "";
219     
220             if(requestURI.indexOf("?") > 0)
221                 redirectUrl = loginUrl + "&service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
222             else
223                 redirectUrl = loginUrl + "?service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
224         
225             logger.info("redirectUrl 4:" + redirectUrl);
226             response.sendRedirect(redirectUrl);
227     
228             return redirectUrl;
229         }
230
231         return url;
232     }
233     
234     
235     
236
237     /**
238      * This method authenticates against the infoglue extranet user database.
239      */
240     
241     private String authenticate(String ticket) throws Exception
242     {
243         boolean isAuthenticated = false;
244         
245         logger.info("ticket:" + ticket);
246         TrustManager[] trustAllCerts = new TrustManager[]
247         {
248             new X509TrustManager()
249             {
250                 public java.security.cert.X509Certificate [] getAcceptedIssuers()
251                 {
252                     return null;
253                 }
254                 
255                 public void checkClientTrusted
256                 (
257                     java.security.cert.X509Certificate [] certs, String authType) {
258                     logger.info("Checking if client is trusted...");
259                 }
260                 /*
261                 public void checkServerTrusted(X509Certificate[] certs, String authType)
262                 {
263                     logger.info("Checking if server is trusted...");
264                 }
265                 */
266                 
267                 public void checkServerTrusted(X509Certificate [] arg0, String arg1) throws CertificateException
268                 {
269                     // TODO Auto-generated method stub
270
271                 }
272             }
273         };
274
275         HostnameVerifier hv = new HostnameVerifier() {
276             public boolean verify(String urlHostName, SSLSession session) {
277                 System.out.println("Warning: URL Host: "+urlHostName+" vs. "+session.getPeerHost());
278                 return true;
279             }
280         };
281          
282         HttpsURLConnection.setDefaultHostnameVerifier(hv);
283
284         SSLContext sc = SSLContext.getInstance("SSL");
285         sc.init(null, trustAllCerts, new java.security.SecureRandom ());
286         HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
287         
288         String authenticatedUserName = null;
289         
290         /* instantiate a new ProxyTicketValidator */
291         ProxyTicketValidator pv = new ProxyTicketValidator();
292         
293         /* set its parameters */
294         pv.setCasValidateUrl(casValidateUrl);
295         
296         pv.setService(URLEncoder.encode(casServiceUrl, "UTF-8"));
297
298         pv.setServiceTicket(ticket);
299
300         /*
301          * If we want to be able to acquire proxy tickets (requires callback servlet to be set up
302          * in web.xml –- see below)
303          */
304         //pv.setProxyCallbackUrl("https://gavin.adm.gu.se:9070/uPortal/CasProxyServlet");
305 //pv.setProxyCallbackUrl("http://localhost:8080/infoglueCMSAuthDev/CasProxyServlet");
306
307         /* contact CAS and validate */
308         pv.validate();
309
310         /* if we want to look at the raw response, we can use getResponse() */
311         String xmlResponse = pv.getResponse();
312         logger.info("xmlResponse:" + xmlResponse);
313         
314         /* read the response */
315         if(pv.isAuthenticationSuccesful())
316         {
317             String user = pv.getUser();
318             List proxyList = pv.getProxyList();
319             authenticatedUserName = pv.getUser();
320         }
321         else
322         {
323             String errorCode = pv.getErrorCode();
324             String errorMessage = pv.getErrorMessage();
325             /* handle the error */
326         }
327
328         /* The user is now authenticated. */
329         /* If we did set the proxy callback url, we can get proxy tickets with: */
330
331         //String proxyTicket = edu.yale.its.tp.cas.proxy.ProxyTicketReceptor.getProxyTicket(pv.getPgtIou(), casServiceUrl);
332 logger.info("proxies:\n " + pv.getProxyList());
333         
334         return authenticatedUserName;
335     }
336
337     public Principal loginUser(HttpServletRequest request, HttpServletResponse response, Map status) throws SystemException, Exception
338     {
339         Principal principal = null;
340         
341         String authenticatedUserName = getAuthenticatedUserName(request, response, status);
342         if(authenticatedUserName != null)
343         {
344             principal = UserControllerProxy.getController().getUser(authenticatedUserName);
345             if(principal == null)
346                 throw new SystemException("The CAS-authenticated user " + authenticatedUserName + " was not located in the authorization system's user database.");
347         }
348         
349         return principal;
350     }
351
352     
353     public boolean logoutUser(HttpServletRequest request, HttpServletResponse response) throws Exception
354     {
355         response.sendRedirect(this.getCasLogoutUrl() + "?service=" + this.getCasServiceUrl());
356         
357         return true;
358     }
359
360     /**
361      * Returns either the configured service or figures it out for the current
362      * request. The returned service is URL-encoded.
363      */
364     private String getService(HttpServletRequest request) throws ServletException , Exception
365     {
366         // ensure we have a server name or service name
367 if (serverName == null && casServiceUrl == null)
368             throw new ServletException ("need one of the following configuration "
369             + "parameters: edu.yale.its.tp.cas.client.filter.serviceUrl or "
370             + "edu.yale.its.tp.cas.client.filter.serverName");
371
372         // use the given string if it's provided
373 if (casServiceUrl != null && casServiceUrl.length() > 0)
374             return URLEncoder.encode(casServiceUrl, "UTF-8");
375         else
376             // otherwise, return our best guess at the service
377 return Util.getService(request, serverName);
378     }
379     
380
381     public String getAuthenticatorClass()
382     {
383         return authenticatorClass;
384     }
385
386     public void setAuthenticatorClass(String authenticatorClass)
387     {
388         this.authenticatorClass = authenticatorClass;
389     }
390
391     public String getAuthorizerClass()
392     {
393         return authorizerClass;
394     }
395
396     public void setAuthorizerClass(String authorizerClass)
397     {
398         this.authorizerClass = authorizerClass;
399     }
400
401     public String getInvalidLoginUrl()
402     {
403         return invalidLoginUrl;
404     }
405
406     public void setInvalidLoginUrl(String invalidLoginUrl)
407     {
408         this.invalidLoginUrl = invalidLoginUrl;
409     }
410
411     public String getLoginUrl()
412     {
413         return loginUrl;
414     }
415
416     public void setLoginUrl(String loginUrl)
417     {
418         this.loginUrl = loginUrl;
419     }
420
421     public String getLogoutUrl()
422     {
423         return logoutUrl;
424     }
425
426     public void setLogoutUrl(String logoutUrl)
427     {
428         this.logoutUrl = logoutUrl;
429     }
430
431     public String getServerName()
432     {
433         return serverName;
434     }
435
436     public void setServerName(String string)
437     {
438         serverName = string;
439     }
440
441     public Properties getExtraProperties()
442     {
443         return this.extraProperties;
444     }
445
446     public void setExtraProperties(Properties properties)
447     {
448         this.extraProperties = properties;
449     }
450     
451     public String getCasRenew()
452     {
453         return casRenew;
454     }
455
456     public void setCasRenew(String casRenew)
457     {
458         this.casRenew = casRenew;
459     }
460
461     public String getCasServiceUrl()
462     {
463         return casServiceUrl;
464     }
465
466     public void setCasServiceUrl(String casServiceUrl)
467     {
468         this.casServiceUrl = casServiceUrl;
469     }
470
471     public String getCasValidateUrl()
472     {
473         return casValidateUrl;
474     }
475
476     public void setCasValidateUrl(String casValidateUrl)
477     {
478         this.casValidateUrl = casValidateUrl;
479     }
480
481     public String getCasLogoutUrl()
482     {
483         return casLogoutUrl;
484     }
485
486     public void setCasLogoutUrl(String casLogoutUrl)
487     {
488         this.casLogoutUrl = casLogoutUrl;
489     }
490
491     public String getCasAuthorizedProxy()
492     {
493         return casAuthorizedProxy;
494     }
495
496     public void setCasAuthorizedProxy(String casAuthorizedProxy)
497     {
498         this.casAuthorizedProxy = casAuthorizedProxy;
499     }
500
501     public Object getTransactionObject()
502     {
503         return null;
504     }
505
506     public void setTransactionObject(Object transactionObject)
507     {
508     }
509
510
511     /**
512      * This method handles all of the logic for checking how to handle a login.
513      */
514     
515     private String getAuthenticatedUserName(HttpServletRequest request, HttpServletResponse response, Map status) throws Exception
516     {
517         String authenticatedUserName = null;
518
519         HttpSession session = ((HttpServletRequest )request).getSession();
520
521         String ticket = request.getParameter("ticket");
522         logger.info("ticket:" + ticket);
523         
524         // no ticket? abort request processing and redirect
525 if (ticket == null || ticket.equals(""))
526         {
527             if (loginUrl == null)
528             {
529                 throw new ServletException (
530                         "When InfoGlueFilter protects pages that do not receive a 'userName' " +
531                         "parameter, it needs a org.infoglue.cms.security.loginUrl " +
532                         "filter parameter");
533             }
534   
535             String requestURI = request.getRequestURI();
536             logger.info("requestURI:" + requestURI);
537             
538             String redirectUrl = "";
539
540             if(requestURI.indexOf("?") > 0)
541                 redirectUrl = loginUrl + "&service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
542             else
543                 redirectUrl = loginUrl + "?service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
544     
545             logger.info("redirectUrl 6:" + redirectUrl);
546             
547             response.sendRedirect(redirectUrl);
548             status.put("redirected", new Boolean (true));
549             return null;
550         }
551         
552         authenticatedUserName = authenticate(ticket);
553         logger.info("authenticatedUserName:" + authenticatedUserName);
554         if(authenticatedUserName == null)
555         {
556             String requestURI = request.getRequestURI();
557             logger.info("requestURI:" + requestURI);
558     
559             String redirectUrl = "";
560     
561             if(requestURI.indexOf("?") > 0)
562                 redirectUrl = loginUrl + "&service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
563             else
564                 redirectUrl = loginUrl + "?service=" + getService(request) + ((casRenew != null && !casRenew.equals("")) ? "&renew="+ casRenew : "");
565         
566             logger.info("redirectUrl 7:" + redirectUrl);
567             response.sendRedirect(redirectUrl);
568     
569             status.put("redirected", new Boolean (true));
570
571             return null;
572         }
573
574         return authenticatedUserName;
575     }
576
577
578     public String getSuccessLoginUrl()
579     {
580         return successLoginUrl;
581     }
582
583
584     public void setSuccessLoginUrl(String successLoginUrl)
585     {
586         this.successLoginUrl = successLoginUrl;
587     }
588
589 }
590

A to Z: JavaDoc & Examples

---

Daily Java News & Articles

---

Open Source Projects

---

Open Source Codes

---

Free Computer Books

---

Remove Frame

---

Popular Tags