A quick example of a custom filter undertaking basic auth to enable ECP functionality for a Shibboleth ECP.
package aaf.vhr.idp.http; | |
import java.io.IOException; | |
import javax.servlet.Filter; | |
import javax.servlet.FilterChain; | |
import javax.servlet.FilterConfig; | |
import javax.servlet.ServletException; | |
import javax.servlet.ServletRequest; | |
import javax.servlet.ServletResponse; | |
import javax.servlet.http.HttpServletRequest; | |
import javax.servlet.http.HttpServletResponse; | |
import org.apache.commons.codec.Charsets; | |
import org.apache.commons.codec.binary.Base64; | |
import org.apache.commons.lang.StringUtils; | |
import org.slf4j.Logger; | |
import org.slf4j.LoggerFactory; | |
import aaf.vhr.idp.VhrBasicAuthValidator; | |
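/**
 * Servlet filter that authenticates a request from its HTTP Basic {@code Authorization} header
 * and, on success, forwards it with the authenticated user exposed through
 * {@link VhrRequestWrapper#getRemoteUser()}. Every other outcome is answered with
 * {@code 401 Unauthorized} and a {@code WWW-Authenticate: Basic} challenge.
 *
 * <p>NOTE(review): this listing shows no {@code init(FilterConfig)}, so nothing visible here
 * assigns {@code realm} or {@code vhrBasicAuthValidator}; both must be populated before the
 * filter is put into service. Basic credentials are only base64-encoded, so the mapped endpoint
 * should be reachable over TLS only.
 */
public class VhrBasicAuthFilter implements Filter {

    /** Scheme token (with its separating space) that must open the Authorization header. */
    private static final String BASIC_PREFIX = "Basic ";

    private String realm;
    private VhrBasicAuthValidator vhrBasicAuthValidator;

    Logger log = LoggerFactory.getLogger("aaf.vhr.idp.http.VhrFilter");

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates the request via HTTP Basic and either continues the chain as the
     * authenticated user or challenges the client.
     *
     * @param req incoming request; cast to {@link HttpServletRequest}
     * @param res outgoing response; cast to {@link HttpServletResponse}
     * @param chain remaining filter chain, invoked only after successful authentication
     * @throws IOException if the chain or {@code sendError} fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        final String authorization = request.getHeader("Authorization");
        // Only the Basic scheme is handled here; scheme names compare case-insensitively.
        if (authorization != null
                && authorization.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            log.info("Attempting to establish session via Basic Auth");
            // The header value is the credential itself, so it is never written to the log.
            log.debug("Authorization header with Basic scheme received");

            final String decoded = new String(
                    Base64.decodeBase64(authorization.substring(BASIC_PREFIX.length()).trim()),
                    Charsets.UTF_8);
            // Split on the first ':' only: a user-id cannot contain a colon but a password can.
            final int separator = decoded.indexOf(':');
            if (separator > 0 && separator < decoded.length() - 1) {
                final String login = decoded.substring(0, separator);
                final String password = decoded.substring(separator + 1);
                log.info("Located basic authentication credentials for " + forLog(login) + " validating password");
                // Integration point left open by the author: supply the credential check for
                // login/password here. It must yield null when the credentials are rejected so
                // that the request falls through to the 401 challenge below.
                final String remoteUser = // Some method of authentication unique to your system which you may need to cache
                if (remoteUser != null) {
                    log.info("Confirmed supplied credentials for " + forLog(login));
                    VhrRequestWrapper vhrRequestWrapper = new VhrRequestWrapper(request, remoteUser);
                    chain.doFilter(vhrRequestWrapper, response);
                    // Stop here: falling through would answer an authenticated request with 401.
                    return;
                }
                // Record failed attempts so repeated guessing against one account is visible.
                log.info("Rejected supplied credentials for " + forLog(login));
            } else {
                log.info("Invalid Authorization header detected when attempting to setup session");
            }
        }

        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Replaces control characters so a client-supplied value cannot forge or split log lines. */
    private static String forLog(String value) {
        return value.replaceAll("\\p{Cntrl}", "_");
    }
}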
package aaf.vhr.idp.http; | |
import javax.servlet.http.HttpServletRequest; | |
import javax.servlet.http.HttpServletRequestWrapper; | |
/**
 * Request wrapper that reports a caller-supplied user name from {@link #getRemoteUser()}.
 *
 * <p>Only {@code getRemoteUser()} is overridden. Every other accessor, including
 * {@code getUserPrincipal()}, {@code isUserInRole(String)} and {@code getAuthType()}, still
 * delegates to the wrapped request, so downstream code must read the identity through
 * {@code getRemoteUser()}.
 */
public class VhrRequestWrapper extends HttpServletRequestWrapper {

    // User name handed to the constructor and returned by getRemoteUser().
    String remoteUser;

    /**
     * Wraps {@code request} and records the user name to report for it.
     *
     * @param request the request to delegate to
     * @param remoteUser the user name that {@link #getRemoteUser()} will return
     */
    public VhrRequestWrapper(HttpServletRequest request, String remoteUser) {
        super(request);
        this.remoteUser = remoteUser;
    }

    /**
     * @return the user name supplied at construction, in place of the wrapped request's value
     */
    @Override
    public String getRemoteUser() {
        return this.remoteUser;
    }
}
<!-- web.xml snippet for Shibboleth IdP -->

<!-- Registers the Basic auth filter. The init-param name and value are placeholders to be
     filled in for your deployment. -->
<filter>
    <filter-name>VhrBasicAuthFilter</filter-name>
    <filter-class>aaf.vhr.idp.http.VhrBasicAuthFilter</filter-class>
    <init-param>
        <param-name>..</param-name>
        <param-value>...</param-value>
    </init-param>
</filter>

<!-- Applies the filter to the ECP SOAP endpoint only. Basic credentials are merely
     base64-encoded, so this path should be served over TLS. -->
<filter-mapping>
    <filter-name>VhrBasicAuthFilter</filter-name>
    <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
</filter-mapping>