package foxon.auth; | |
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.thingworx.resources.entities.EntityServices;
import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;
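/**
 * WebSeal SSO Authentication via request headers.
 *
 * <p>The identity is read from the {@code User} and {@code Groups} request headers injected by the
 * WebSEAL reverse proxy. The values are trusted as received, so this authenticator is only safe
 * when ThingWorx is reachable exclusively through WebSEAL and the proxy overwrites any
 * {@code User}/{@code Groups} header a client sends itself; reached directly, the header is an
 * unauthenticated claim.
 *
 * <p>ThingWorx - Custom Authenticators Overview: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS244163&lang=en_US
 * <br>Where To Find ThingWorx Documentation (Developer Guide): https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS232833&art_lang=en&posno=1&q=developer&ProductFamily=ThingWorx%7CNRN%7CAxeda&source=search
 * <br>Testing extensions and SDKs outside of ThingWorx within an IDE: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS215376&art_lang=en&posno=8&q=debug&ProductFamily=ThingWorx%7CNRN%7CAxeda&source=search
 * <br>Using the Eclipse IDE to debug an Extension running in ThingWorx: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS219756&art_lang=en&posno=1&q=debug&ProductFamily=ThingWorx%7CNRN%7CAxeda&source=search
 *
 * @author Jan Gabriel
 * @version 1.0
 */
public class WebsealAuth extends CustomAuthenticator {

    // serialization ID
    private static final long serialVersionUID = 5488597991840865053L;

    /** Request header carrying the WebSEAL-asserted user name. */
    private static final String USER_HEADER = "User";
    /** Request header carrying the comma-separated list of group names. */
    private static final String GROUPS_HEADER = "Groups";
    /** Separator between group names inside the {@code Groups} header. */
    private static final String GROUP_SEPARATOR = ",";

    // Shared service handle; final so the static is safe to share between authenticator instances.
    private static final EntityServices es = new EntityServices();

    // Per-request identity. These fields were static, which let concurrent requests overwrite
    // each other's user/groups between matchesAuthRequest() and authenticate(); each instance now
    // carries its own copy, populated by matchesAuthRequest().
    private String user;
    private List<String> groups;

    /**
     * Constructor.
     *
     * <p>Called by JVM. Upon importing extension into ThingWorx, a copy of this method is sent to the
     * authentication manager so it knows there is another authenticator to challenge. When the
     * authentication manager determines by priority that this is the right authenticator, it
     * instantiates a new instance. Any static data for each new authenticator instance should be
     * thread safe (final) to avoid causing deadlocks. Best to avoid putting very much logic here,
     * even calls to get configuration or instance data (use authenticate method instead).
     */
    public WebsealAuth() {
    }

    /**
     * Authenticate.
     *
     * <p>This method needs to throw an Exception or else the authentication manager will never know
     * there was an error and will always authenticate the user’s credentials. Sets setCredentials()
     * or throws AuthenticatorException.
     *
     * @param httpRequest the request being authenticated
     * @param httpRes the response, unused here
     * @throws AuthenticatorException if no identity was captured for this request or the login fails
     */
    @Override
    public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpRes)
            throws AuthenticatorException {
        // matchesAuthRequest() is expected to have populated the identity; never log in a null user.
        if (user == null) {
            setRequiresChallenge(true);
            throw new AuthenticatorException("No user identity captured for this request.");
        }
        try {
            // TODO: Check if user exists, if not create him with name this.user.
            // TODO: Check if groups exist and if not add them with no permissions.
            // TODO: Check users membership in groups by this.groups and add or remove him accordingly.
            // Login user.
            setCredentials(user);
        } catch (Exception e) {
            setRequiresChallenge(true);
            throw new AuthenticatorException("Unable to create or login user: " + user, e);
        }
    }

    /**
     * IssueAuthenticationChallenge.
     *
     * <p>This may not be used at all, or it may be used for alerting or logging. Handles logic which
     * follows authentication fail (e.g. logging an error: _logger.error). In order to invoke this
     * method, ensure setRequiresChallenge(true) is in authenticate method before throwing the
     * exception. ThingworxBasicAuthenticator grabs the response and sets some headers in this
     * method, then calling the pop-up box which requests users attempt login again.
     * ThingworxFormAuthenticator redirects users to plain form login prompts with return statuses
     * displayed.
     *
     * @param httpRequest the failed request
     * @param httpRes the response the challenge may be written to
     * @throws AuthenticatorException never thrown by this implementation
     */
    @Override
    public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpRes)
            throws AuthenticatorException {
        // TODO: Log errors from exceptions.
    }

    /**
     * MatchesAuthRequest.
     *
     * <p>This method determines if this authenticator is valid for the authentication request type
     * and return true if so. As a side effect it captures the validated user name and group list on
     * this instance for the subsequent {@link #authenticate} call.
     *
     * @param httpRequest the incoming request
     * @return {@code true} when both SSO headers are present and well-formed
     * @throws AuthenticatorException if a header is missing or malformed (a challenge is requested
     *     first)
     */
    @Override
    public boolean matchesAuthRequest(HttpServletRequest httpRequest) throws AuthenticatorException {
        // Get authentication headers from SSO request. Header name should be configurable from
        // Thingworx if its possible.
        String userHeader = httpRequest.getHeader(USER_HEADER);
        String groupsHeader = httpRequest.getHeader(GROUPS_HEADER);
        // Check for missing headers.
        if (userHeader == null || groupsHeader == null) {
            setRequiresChallenge(true);
            throw new AuthenticatorException("Some headers are missing.");
        }
        // Validate headers and parse groups; keep them on this instance, not in static state.
        try {
            this.user = parseUser(userHeader);
            this.groups = parseGroups(groupsHeader);
        } catch (IllegalArgumentException e) {
            setRequiresChallenge(true);
            throw new AuthenticatorException("Parsing error, headers malformed.", e);
        }
        return true;
    }

    /**
     * Normalizes the user header value.
     *
     * @param header raw header value, never {@code null}
     * @return the trimmed user name
     * @throws IllegalArgumentException if the value is blank
     */
    private static String parseUser(String header) {
        String name = header.trim();
        if (name.isEmpty()) {
            throw new IllegalArgumentException("User header is blank.");
        }
        return name;
    }

    /**
     * Splits the groups header into distinct, trimmed, non-empty group names.
     *
     * @param header raw header value, never {@code null}; may be empty (user in no groups)
     * @return an unmodifiable list of group names in header order
     */
    private static List<String> parseGroups(String header) {
        List<String> parsed = new ArrayList<>();
        for (String raw : header.split(GROUP_SEPARATOR)) {
            String name = raw.trim();
            // Skip empty segments such as a trailing separator and duplicate entries.
            if (!name.isEmpty() && !parsed.contains(name)) {
                parsed.add(name);
            }
        }
        return Collections.unmodifiableList(parsed);
    }
}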