Package org.nuxeo.ecm.platform.auth.saml
Class SAMLAuthenticationProvider
- java.lang.Object
  - org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider
- All Implemented Interfaces:
  NuxeoAuthenticationPlugin, NuxeoAuthenticationPluginLogoutExtension, LoginProviderLinkComputer

public class SAMLAuthenticationProvider extends Object implements NuxeoAuthenticationPlugin, LoginProviderLinkComputer, NuxeoAuthenticationPluginLogoutExtension

A SAML2 authentication provider.
- Since:
  - 6.0

Field Summary
Fields (Modifier and Type, Field):
- protected static List<SAMLBinding> bindings
- protected org.opensaml.saml2.encryption.Decrypter decrypter
- protected static Class<? extends UserResolver> DEFAULT_USER_RESOLVER_CLASS
- protected static String DIGEST_ALGORITHM
- protected static org.opensaml.xml.encryption.ChainingEncryptedKeyResolver encryptedKeyResolver
- static String ERROR_AUTH
- static String ERROR_PAGE
- static String ERROR_USER
- protected KeyManager keyManager
- protected org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider
- protected Map<String,AbstractSAMLProfile> profiles
- static String SAML_SESSION_KEY
- protected static String SIGNATURE_ALGORITHM
- protected static String SIGNATURE_MANDATORY
- protected org.opensaml.xml.signature.SignatureTrustEngine trustEngine
- protected static Class<? extends UserResolver> USERMAPPER_USER_RESOLVER_CLASS
- protected UserResolver userResolver

Constructor Summary
- SAMLAuthenticationProvider()

Method Summary
Methods (Modifier and Type, Method, Description):
- protected void addProfile(AbstractSAMLProfile profile)
- String computeUrl(javax.servlet.http.HttpServletRequest request, String requestedUrl)
  Computes the URL that should be used to log in via this login provider.
- protected Optional<String> findOrCreateNuxeoUser(UserResolver userResolver, SAMLCredential credential)
- protected SAMLBinding getBinding(String bindingURI)
- protected SAMLBinding getBinding(org.opensaml.ws.transport.InTransport transport)
- protected javax.servlet.http.Cookie getCookie(javax.servlet.http.HttpServletRequest httpRequest, String cookieName)
- protected org.opensaml.saml2.metadata.EntityDescriptor getIdPDescriptor()
- protected KeyManager getKeyManager()
- protected AbstractSAMLProfile getProcessor(org.opensaml.common.binding.SAMLMessageContext context)
- protected String getRequestedUrl(javax.servlet.http.HttpServletRequest request)
- protected SAMLCredential getSamlCredential(javax.servlet.http.HttpServletRequest request)
- protected String getSLOUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Returns a Logout URL to use with HTTP Redirect.
- protected String getSSOUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Returns a Login URL to use with HTTP Redirect.
- List<String> getUnAuthenticatedURLPrefix()
  Returns the list of prefixes for unauthenticated URLs, typically the URLs associated with the login prompt.
- Boolean handleLoginPrompt(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String baseURL)
  Handles the Login Prompt.
- Boolean handleLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Handles the logout operation.
- UserIdentificationInfo handleRetrieveIdentity(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Retrieves user identification information from the request.
- protected void initializeMetadataProvider(Map<String,String> parameters)
- protected void initializeSecurity(Map<String,String> parameters)
- void initPlugin(Map<String,String> parameters)
  Initializes the Plugin from parameters set in the XML descriptor.
- Boolean needLoginPrompt(javax.servlet.http.HttpServletRequest httpRequest)
  Defines whether the authentication plugin needs to do a login prompt.
- protected void populateLocalContext(org.opensaml.common.binding.SAMLMessageContext context, javax.servlet.http.HttpServletRequest request)
- protected void removeCookie(javax.servlet.http.HttpServletResponse httpResponse, javax.servlet.http.Cookie cookie)
- protected void sendError(javax.servlet.http.HttpServletRequest req, String key)

Field Detail

ERROR_PAGE
public static final String ERROR_PAGE
- See Also:
  - Constant Field Values

ERROR_AUTH
public static final String ERROR_AUTH
- See Also:
  - Constant Field Values

ERROR_USER
public static final String ERROR_USER
- See Also:
  - Constant Field Values

DEFAULT_USER_RESOLVER_CLASS
protected static final Class<? extends UserResolver> DEFAULT_USER_RESOLVER_CLASS

USERMAPPER_USER_RESOLVER_CLASS
protected static final Class<? extends UserResolver> USERMAPPER_USER_RESOLVER_CLASS

SIGNATURE_MANDATORY
protected static final String SIGNATURE_MANDATORY
- See Also:
  - Constant Field Values

SAML_SESSION_KEY
public static final String SAML_SESSION_KEY
- See Also:
  - Constant Field Values

bindings
protected static List<SAMLBinding> bindings

encryptedKeyResolver
protected static org.opensaml.xml.encryption.ChainingEncryptedKeyResolver encryptedKeyResolver

profiles
protected Map<String,AbstractSAMLProfile> profiles

userResolver
protected UserResolver userResolver

keyManager
protected KeyManager keyManager

trustEngine
protected org.opensaml.xml.signature.SignatureTrustEngine trustEngine

decrypter
protected org.opensaml.saml2.encryption.Decrypter decrypter

metadataProvider
protected org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider

SIGNATURE_ALGORITHM
protected static final String SIGNATURE_ALGORITHM
- See Also:
  - Constant Field Values

DIGEST_ALGORITHM
protected static final String DIGEST_ALGORITHM
- See Also:
  - Constant Field Values

Method Detail

initPlugin
public void initPlugin(Map<String,String> parameters)
Description copied from interface: NuxeoAuthenticationPlugin
Initializes the Plugin from parameters set in the XML descriptor.
- Specified by:
  - initPlugin in interface NuxeoAuthenticationPlugin

addProfile
protected void addProfile(AbstractSAMLProfile profile)

initializeMetadataProvider
protected void initializeMetadataProvider(Map<String,String> parameters) throws org.opensaml.saml2.metadata.provider.MetadataProviderException
- Throws:
  - org.opensaml.saml2.metadata.provider.MetadataProviderException

getIdPDescriptor
protected org.opensaml.saml2.metadata.EntityDescriptor getIdPDescriptor() throws org.opensaml.saml2.metadata.provider.MetadataProviderException
- Throws:
  - org.opensaml.saml2.metadata.provider.MetadataProviderException

getSSOUrl
protected String getSSOUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Returns a Login URL to use with HTTP Redirect.

getRequestedUrl
protected String getRequestedUrl(javax.servlet.http.HttpServletRequest request)

computeUrl
public String computeUrl(javax.servlet.http.HttpServletRequest request, String requestedUrl)
Description copied from interface: LoginProviderLinkComputer
Computes the URL that should be used to log in via this login provider. Because the URL can depend on the context, it is computed by this method rather than read from a static property.
- Specified by:
  - computeUrl in interface LoginProviderLinkComputer

handleLoginPrompt
public Boolean handleLoginPrompt(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String baseURL)
Description copied from interface: NuxeoAuthenticationPlugin
Handles the Login Prompt.
- Specified by:
  - handleLoginPrompt in interface NuxeoAuthenticationPlugin
- Parameters:
  - request - the request
  - response - the response
- Returns:
  - true if AuthFilter must stop execution (i.e. the login prompt generated a redirect), false otherwise

handleRetrieveIdentity
public UserIdentificationInfo handleRetrieveIdentity(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Description copied from interface: NuxeoAuthenticationPlugin
Retrieves user identification information from the request.
- Specified by:
  - handleRetrieveIdentity in interface NuxeoAuthenticationPlugin
- Parameters:
  - request - the request
  - response - the response

getProcessor
protected AbstractSAMLProfile getProcessor(org.opensaml.common.binding.SAMLMessageContext context)

getBinding
protected SAMLBinding getBinding(String bindingURI)

getBinding
protected SAMLBinding getBinding(org.opensaml.ws.transport.InTransport transport)

populateLocalContext
protected void populateLocalContext(org.opensaml.common.binding.SAMLMessageContext context, javax.servlet.http.HttpServletRequest request)

needLoginPrompt
public Boolean needLoginPrompt(javax.servlet.http.HttpServletRequest httpRequest)
Description copied from interface: NuxeoAuthenticationPlugin
Defines whether the authentication plugin needs to do a login prompt.
- Specified by:
  - needLoginPrompt in interface NuxeoAuthenticationPlugin
- Returns:
  - true if LoginPrompt is used

getUnAuthenticatedURLPrefix
public List<String> getUnAuthenticatedURLPrefix()
Description copied from interface: NuxeoAuthenticationPlugin
Returns the list of prefixes for unauthenticated URLs, typically the URLs associated with the login prompt.
- Specified by:
  - getUnAuthenticatedURLPrefix in interface NuxeoAuthenticationPlugin

getSLOUrl
protected String getSLOUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Returns a Logout URL to use with HTTP Redirect.

getSamlCredential
protected SAMLCredential getSamlCredential(javax.servlet.http.HttpServletRequest request)

handleLogout
public Boolean handleLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Description copied from interface: NuxeoAuthenticationPluginLogoutExtension
Handles the logout operation. Generic logout (killing the session and Seam objects) is done by LogoutActionBean. This interface must be implemented by an auth plugin when the target auth system needs a specific logout procedure.
- Specified by:
  - handleLogout in interface NuxeoAuthenticationPluginLogoutExtension
- Returns:
  - true if the caller must stop execution (i.e. logout generated a redirect), false otherwise

sendError
protected void sendError(javax.servlet.http.HttpServletRequest req, String key)

getKeyManager
protected KeyManager getKeyManager()

getCookie
protected javax.servlet.http.Cookie getCookie(javax.servlet.http.HttpServletRequest httpRequest, String cookieName)

removeCookie
protected void removeCookie(javax.servlet.http.HttpServletResponse httpResponse, javax.servlet.http.Cookie cookie)

findOrCreateNuxeoUser
protected Optional<String> findOrCreateNuxeoUser(UserResolver userResolver, SAMLCredential credential)