/*
* Copyright (c) 2005-2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.identity.authenticator.iwa.ui;
import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.neethi.Policy;
import org.apache.rampart.RampartMessageData;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.core.common.AuthenticationException;
import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
import org.wso2.carbon.identity.authenticator.iwa.stub.client.IWAAuthenticatorStub;
import org.wso2.carbon.identity.base.IdentityBaseUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.ui.CarbonUIUtil;
import org.wso2.carbon.ui.DefaultCarbonAuthenticator;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
public class IWAUIAuthenticator extends DefaultCarbonAuthenticator {
public static final String NEGOTIATE = "Negotiate";
public static final String NTLM = "NTLM";
protected static final Log log = LogFactory.getLog(IWAUIAuthenticator.class);
private static final int DEFAULT_PRIORITY_LEVEL = 10;
private static final String AUTHENTICATOR_NAME = "IWAUIAuthenticator";
/**
* {@inheritDoc}
*/
@Override
public boolean canHandle(HttpServletRequest request) {
if ((NEGOTIATE.equalsIgnoreCase(request.getAuthType()) || NTLM.equalsIgnoreCase(request.getAuthType())) &&
request.getRemoteUser() != null) {
if (log.isDebugEnabled()) {
log.debug("IWA request received for url: "
+ request.getRequestURL() + " Auth type:" + request.getAuthType());
}
return true;
}
return false;
}
/**
* {@inheritDoc}
*/
@Override
public int getPriority() {
AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration
.getInstance();
AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration
.getAuthenticatorConfig(AUTHENTICATOR_NAME);
if (authenticatorConfig != null && authenticatorConfig.getPriority() > 0) {
return authenticatorConfig.getPriority();
}
return DEFAULT_PRIORITY_LEVEL;
}
/**
* {@inheritDoc}
*/
public String getAuthenticatorName() {
return AUTHENTICATOR_NAME;
}
/**
* {@inheritDoc}
*/
@Override
public void authenticate(HttpServletRequest request) throws AuthenticationException {
String userName = request.getRemoteUser();
userName = userName.substring(userName.indexOf("\\") + 1);
if (log.isDebugEnabled()) {
log.debug("Authenticate request received : Authtype - " + request.getAuthType() +
", User - " + userName);
}
ServletContext servletContext = request.getSession().getServletContext();
HttpSession session = request.getSession();
String backendServerURL = request.getParameter("backendURL");
if (backendServerURL == null) {
backendServerURL = CarbonUIUtil.getServerURL(servletContext, request.getSession());
}
session.setAttribute(CarbonConstants.SERVER_URL, backendServerURL);
String rememberMe = request.getParameter("rememberMe");
handleSecurity(userName, (rememberMe != null), request);
request.setAttribute("username", userName);
}
/**
* {@inheritDoc}
*/
@Override
public String doAuthentication(Object credentials, boolean isRememberMe, ServiceClient client,
HttpServletRequest request) throws AuthenticationException {
try {
String user = (String) credentials;
if (user == null) {
throw new AuthenticationException("Invalid Credentials.");
}
ServletContext servletContext = request.getSession().getServletContext();
ConfigurationContext configContext = (ConfigurationContext) servletContext
.getAttribute(CarbonConstants.CONFIGURATION_CONTEXT);
if (configContext == null) {
log.error("Configuration context is null.");
}
HttpSession session = request.getSession();
String backendServerURL = request.getParameter("backendURL");
if (backendServerURL == null) {
backendServerURL = CarbonUIUtil.getServerURL(servletContext, request.getSession());
}
// Back-end server URL is stored in the session, even if it is an incorrect one. This
// value will be displayed in the server URL text box. Usability improvement.
session.setAttribute(CarbonConstants.SERVER_URL, backendServerURL);
if (getIWAClient(request).login(user, request.getRemoteAddr())) {
setAdminCookie(session, client, null);
}
return user;
} catch (Exception e) {
throw new AuthenticationException(
"System error occured while trying to authenticate the user", e);
}
}
/**
* {@inheritDoc}
*/
@Override
public boolean isDisabled() {
AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration
.getInstance();
AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration
.getAuthenticatorConfig(AUTHENTICATOR_NAME);
if (authenticatorConfig != null) {
return authenticatorConfig.isDisabled();
}
// By default we keep this disabled.
return true;
}
/**
* {@inheritDoc}
*/
protected boolean isAdminCookieSet() {
return true;
}
/**
* IWA does not need to login page for authentication. It will use the Windows logged in users
* credentials.
*/
public boolean skipLoginPage() {
return true;
}
/**
* @param request
* @return
* @throws AxisFault
*/
private IWAAuthenticatorStub getIWAClient(HttpServletRequest request)
throws AxisFault, IdentityException {
HttpSession session = request.getSession();
ServletContext servletContext = session.getServletContext();
String backendServerURL = request.getParameter("backendURL");
if (backendServerURL == null) {
backendServerURL = CarbonUIUtil.getServerURL(servletContext, request.getSession());
}
ConfigurationContext configContext = (ConfigurationContext) servletContext
.getAttribute(CarbonConstants.CONFIGURATION_CONTEXT);
String serviceEPR = backendServerURL + "IWAAuthenticator";
IWAAuthenticatorStub stub = new IWAAuthenticatorStub(configContext, serviceEPR);
ServiceClient client = stub._getServiceClient();
client.engageModule("rampart");
Policy rampartConfig = IdentityBaseUtil.getDefaultRampartConfig();
Policy signOnly = IdentityBaseUtil.getSignOnlyPolicy();
Policy mergedPolicy = signOnly.merge(rampartConfig);
Options options = client.getOptions();
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, mergedPolicy);
options.setManageSession(true);
return stub;
}
}