Index: lams_admin/conf/language/lams/ApplicationResources.properties
===================================================================
diff -u -rab19db088359a46353cc92e806c40ff5cff818b9 -r0dcd18e28734063363b86a2683ec99c8fa1a041f
--- lams_admin/conf/language/lams/ApplicationResources.properties (.../ApplicationResources.properties) (revision ab19db088359a46353cc92e806c40ff5cff818b9)
+++ lams_admin/conf/language/lams/ApplicationResources.properties (.../ApplicationResources.properties) (revision 0dcd18e28734063363b86a2683ec99c8fa1a041f)
@@ -444,6 +444,8 @@
admin.openid.title =OpenID Settings
admin.openid.enabled =Enable OpenID logins
admin.openid.portalurl =Portal URL
-admin.openid.trustedidps = Trusted identity providers (Comma separated)
+admin.openid.trustedidps = Trusted identity providers
+admin.openid.trustedidps.intructions =Enter all trusted identity providers separated by commas.
+admin.success =Configuration successfully saved.
#======= End labels: Exported 409 labels for en AU =====
Index: lams_admin/conf/language/lams/ApplicationResources_en_AU.properties
===================================================================
diff -u -rab19db088359a46353cc92e806c40ff5cff818b9 -r0dcd18e28734063363b86a2683ec99c8fa1a041f
--- lams_admin/conf/language/lams/ApplicationResources_en_AU.properties (.../ApplicationResources_en_AU.properties) (revision ab19db088359a46353cc92e806c40ff5cff818b9)
+++ lams_admin/conf/language/lams/ApplicationResources_en_AU.properties (.../ApplicationResources_en_AU.properties) (revision 0dcd18e28734063363b86a2683ec99c8fa1a041f)
@@ -442,6 +442,8 @@
admin.openid.title =OpenID Settings
admin.openid.enabled =Enable OpenID logins
admin.openid.portalurl =Portal URL
-admin.openid.trustedidps = Trusted identity providers (Comma separated)
+admin.openid.trustedidps = Trusted identity providers
+admin.openid.trustedidps.intructions =Enter all trusted identity providers separated by commas.
+admin.success =Configuration successfully saved.
#======= End labels: Exported 409 labels for en AU =====
Index: lams_admin/web/openidConfig.jsp
===================================================================
diff -u -rab19db088359a46353cc92e806c40ff5cff818b9 -r0dcd18e28734063363b86a2683ec99c8fa1a041f
--- lams_admin/web/openidConfig.jsp (.../openidConfig.jsp) (revision ab19db088359a46353cc92e806c40ff5cff818b9)
+++ lams_admin/web/openidConfig.jsp (.../openidConfig.jsp) (revision 0dcd18e28734063363b86a2683ec99c8fa1a041f)
@@ -35,7 +35,12 @@
+
|
Index: lams_central/src/java/org/lamsfoundation/lams/web/SIFOpenIDServlet.java
===================================================================
diff -u -rab19db088359a46353cc92e806c40ff5cff818b9 -r0dcd18e28734063363b86a2683ec99c8fa1a041f
--- lams_central/src/java/org/lamsfoundation/lams/web/SIFOpenIDServlet.java (.../SIFOpenIDServlet.java) (revision ab19db088359a46353cc92e806c40ff5cff818b9)
+++ lams_central/src/java/org/lamsfoundation/lams/web/SIFOpenIDServlet.java (.../SIFOpenIDServlet.java) (revision 0dcd18e28734063363b86a2683ec99c8fa1a041f)
@@ -1,8 +1,7 @@
package org.lamsfoundation.lams.web;
import java.io.IOException;
-import java.text.ParseException;
-
+import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -24,26 +23,37 @@
import org.verisign.joid.consumer.OpenIdFilter;
import org.verisign.joid.util.UrlUtils;
+/**
+ * @author lfoxton
+ *
+ * Servlet to log user into LAMS using OpenID
+ *
+ * Accepts the openid_url param and used joid libraries to authenticate the user.
+ *
+ * If the identity provider server authenticates the user, log them in through SSO
+ *
+ */
public class SIFOpenIDServlet extends HttpServlet {
private static final long serialVersionUID = -381530224124159008L;
- private static Logger log = Logger.getLogger(SIFOpenIDServlet.class);
+ private static final Logger log = Logger.getLogger(SIFOpenIDServlet.class);
- public static String PARAM_OPENID_URL = "openid_url";
+ private static final String PARAM_OPENID_URL = "openid_url";
+ private static final String PARAM_ERROR_MSG = "errorMsg";
- public static String ERROR_NOT_ENABLED = "OpenID is not enabled for LAMS.";
- public static String ERROR_BLACKLISTED = "Your provider is not among the trusted providers, please use the portal for logging in.";
- public static String ERROR_NO_ID_PASSED = "Authentication failed, no user id was passed.";
- public static String ERROR_AUTH = "Authentication failed, there was an error during authentication, please contact the system administrator.";
- public static String ERROR_AUTH_LAMS = "Authentication failed, A user in LAMS did not exist for openid URL: ";
+ private static final String ERROR_NOT_ENABLED = "OpenID is not enabled for LAMS.";
+ private static final String ERROR_BLACKLISTED = "Your provider is not among the trusted providers, please use the portal for logging in.";
+ private static final String ERROR_NO_ID_PASSED = "Authentication failed, no user id was passed.";
+ private static final String ERROR_AUTH = "Authentication failed, there was an error during authentication, please contact the system administrator.";
+ private static final String ERROR_AUTH_LAMS = "Authentication failed, A user in LAMS did not exist for openid URL: ";
private IUserManagementService userService = null;
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-
+
setService();
-
+
// Get the user's openid url from the request
String userOpenIDURL = WebUtil.readStrParam(request, PARAM_OPENID_URL, true);
@@ -63,18 +73,8 @@
redirectToPortal(response, ERROR_NO_ID_PASSED);
} else {
- // Attempt to use openid authentication if it is a trusted
- // identity provider
- if (isTrustedIdentityProvider(userOpenIDURL)) {
- log.info("No session found for user with url: " + userOpenIDURL
- + ". Sending authentication request to identity provider.");
-
- String returnURL = UrlUtils.getBaseUrl(request) + "/OpenIDServlet";
- sendAuthenticationRequest(response, userOpenIDURL, returnURL, returnURL);
- } else {
- log.error("Identity provider not permitted: " + userOpenIDURL);
- redirectToPortal(response, ERROR_BLACKLISTED);
- }
+ String returnURL = UrlUtils.getBaseUrl(request) + "/OpenIDServlet";
+ sendAuthenticationRequest(response, userOpenIDURL, returnURL, UrlUtils.getBaseUrl(request));
}
} else {
// Login to LAMS
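Review bot: The trust decision now sits behind the discovery step: `sendAuthenticationRequest(response, userOpenIDURL, returnURL, UrlUtils.getBaseUrl(request));` is reached for any submitted `openid_url`, and the host check only runs after `OpenIdFilter.joid().getAuthUrl` has resolved that URL (next hunk), so the server performs discovery against an address chosen by the requester before deciding whether it is trusted. Checking the resolved endpoint instead of the raw string is a sounder final test (it survives delegated identifiers), but a syntactic pre-check before this call would at least keep malformed input away from the library, e.g. `try { new URL(userOpenIDURL); } catch (MalformedURLException e) { redirectToPortal(response, ERROR_NO_ID_PASSED); return; }`. The trust root also changes here from the servlet URL to the base URL, which is presumably intentional but is not explained by the hunk. doGet begins in the previous hunk and continues past this one.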
@@ -87,68 +87,79 @@
}
+ /**
+ * Attempt to send authentication request, if it is a trusted openid provider
+ *
+ * @param response
+ * @param userOpenIDURL
+ * @param returnTo
+ * @param trustRoot
+ * @throws IOException
+ */
private void sendAuthenticationRequest(HttpServletResponse response, String userOpenIDURL, String returnTo,
String trustRoot) throws IOException {
try {
String openidRedirectURL = OpenIdFilter.joid().getAuthUrl(userOpenIDURL, returnTo, trustRoot);
- response.sendRedirect(openidRedirectURL);
+
+ // See if it is a trusted server, then redirect
+ if (isTrustedIdentityProvider(openidRedirectURL)) {
+ log.info("No session found for user with url: " + userOpenIDURL
+ + ". Sending authentication request to identity provider.");
+ response.sendRedirect(openidRedirectURL);
+ } else {
+ log.error("Identity provider not permitted: " + userOpenIDURL);
+ redirectToPortal(response, ERROR_BLACKLISTED);
+ }
} catch (OpenIdException e) {
log.error("Problem getting openid url.", e);
redirectToPortal(response, ERROR_AUTH);
- } catch (IOException e) {
+ } catch (Exception e) {
log.error("Error sending redirect request.", e);
redirectToPortal(response, ERROR_AUTH);
}
}
- private boolean isTrustedIdentityProvider(String userOpenIDURL) {
+ /**
+ * Check the identity provider url against the list of supported servers
+ *
+ * @param idpURLString
+ * @return
+ */
+ private boolean isTrustedIdentityProvider(String idpURLString) {
try {
- userOpenIDURL = removeHTTPFromString(userOpenIDURL);
- userOpenIDURL = removeTrailingSlashFromString(userOpenIDURL);
- userOpenIDURL = removeUserNameFromOpenIDURL(userOpenIDURL);
+ URL idpURL = new URL(idpURLString);
+ // Get the list of trusted servers
OpenIDConfig trustedIDPConfig = (OpenIDConfig) userService.findById(OpenIDConfig.class,
OpenIDConfig.KEY_TRUSTED_IDPS);
if (trustedIDPConfig != null) {
String[] trustedIDPs = CSVUtil.parse(trustedIDPConfig.getConfigValue());
+ // Test each against the trusted idp
for (int i = 0; i < trustedIDPs.length; i++) {
- String trustedIDP = trustedIDPs[i];
- trustedIDP = removeHTTPFromString(trustedIDP);
- trustedIDP = removeTrailingSlashFromString(trustedIDP);
-
- if (userOpenIDURL.equals(trustedIDP)) {
+ String trustedIDPStr = trustedIDPs[i];
+ URL trustedIDPURL = new URL(trustedIDPStr);
+
+ if (trustedIDPURL.getHost().equals(idpURL.getHost())) {
return true;
}
}
-
}
- } catch (ParseException e) {
- log.error("Error parsing trusted idp csv");
+ } catch (Exception e) {
+ log.error("Error parsing trusted idps");
}
-
return false;
}
- private String removeHTTPFromString(String string) {
- if (string.startsWith("http://")) {
- return string.substring(7);
- }
- return string;
- }
-
- private String removeTrailingSlashFromString(String string) {
- if (string.endsWith("/")) {
- return string.substring(0, string.length() - 1);
- }
- return string;
- }
-
- private String removeUserNameFromOpenIDURL(String string) {
- return string.substring(string.indexOf(".") + 1);
- }
-
+ /**
+ * Fetch the user via their openidurl in lams. Then log them in
+ *
+ * @param userOpenIDURL
+ * @param request
+ * @param response
+ * @throws IOException
+ */
private void loginUser(String userOpenIDURL, HttpServletRequest request, HttpServletResponse response)
throws IOException {
if (userService == null) {
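Review bot: `isTrustedIdentityProvider` compares only `getHost()`, and case-sensitively, so a configured `https://idp.example.org` also admits an `http://` endpoint on the same host while a differently-cased hostname in the admin list never matches; comparing protocol and port as well and ignoring case on the host makes the list mean what an admin expects: `if (trustedIDPURL.getHost().equalsIgnoreCase(idpURL.getHost()) && trustedIDPURL.getProtocol().equalsIgnoreCase(idpURL.getProtocol()) && trustedIDPURL.getPort() == idpURL.getPort())`. `URL.getPort()` is -1 when no explicit port is given, so an entry without a port only matches an endpoint without one — fall back to `getDefaultPort()` on both sides if that is too strict. The widened `catch (Exception e)` now also covers the `new URL(trustedIDPStr)` on each list entry and the `userService.findById` call, and the message drops the cause; since a single malformed entry ends the whole scan with `false`, `log.error("Error parsing trusted idps", e);` is the only hint an admin will get that the list is being ignored. loginUser starts at the end of this hunk and continues past it.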
@@ -176,12 +187,23 @@
}
}
+ /**
+ * Redirect back to the portal attaching the error string as a parameters
+ *
+ * @param response
+ * @param errorString
+ * @throws IOException
+ */
private void redirectToPortal(HttpServletResponse response, String errorString) throws IOException {
// Get the portal url
OpenIDConfig portalURLObject = (OpenIDConfig) userService.findById(OpenIDConfig.class,
OpenIDConfig.KEY_PORTAL_URL);
String portalURL = (portalURLObject != null) ? portalURLObject.getConfigValue() : Configuration
.get(ConfigurationKeys.SERVER_URL);
+
+ if (errorString != null && errorString.length() > 0) {
+ portalURL += "?" + PARAM_ERROR_MSG + "=" + errorString;
+ }
response.sendRedirect(portalURL);
}
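Review bot: The new `portalURL += "?" + PARAM_ERROR_MSG + "=" + errorString;` appends the message without URL-encoding it and assumes the configured portal URL has no query string yet; the fixed messages contain spaces and commas, and `ERROR_AUTH_LAMS` is written to be suffixed with the submitted openid URL, so request-controlled text would land raw in the Location header. Encode the value and choose the separator from the existing URL: `String sep = portalURL.indexOf('?') >= 0 ? "&" : "?";` then `portalURL += sep + PARAM_ERROR_MSG + "=" + URLEncoder.encode(errorString, "UTF-8");` (needs `import java.net.URLEncoder;`). Whether the portal renders `errorMsg` safely is outside this file, but encoding here removes one way for a crafted identifier to break or reshape the redirect.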
@@ -193,7 +215,7 @@
}
return userService;
}
-
+
private void setService() {
if (userService == null) {
userService = (IUserManagementService) WebApplicationContextUtils.getRequiredWebApplicationContext(
|