Adding a Filter that plays like WSFederationAuthenticationModule and decouples the concept of session token #2

Closed


@woloski

You can simply add the filter to your app like this and you are set. I know you guys wanted to show some of the protocol; you can still do that by creating your own filter and following the steps in the doc. This is another step towards making it easier.

<filter>
  <filter-name>FederationFilter</filter-name>
  <filter-class>com.microsoft.samples.federation.WSFederationFilter</filter-class>
  <init-param>
    <param-name>login-page-url</param-name>
    <param-value>login.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>exclude-urls-regex</param-name>
    <param-value>/public/*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>FederationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The only breaking change is that FederationLoginManager.authenticate returns a Principal, whereas in the current code it sets the Principal in session and redirects to the "wctx". So I decoupled that: authenticate returns the principal and there is another method that will "put the principal in session". If you want to be farm-friendly you would derive from the WSFederationFilter and implement your own authenticateWithSessionToken using signed cookies.

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {

    FederatedPrincipal principal = null;
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    // does the request carry a token (sign-in response from the identity provider)?
    if (this.isSignInResponse(httpRequest)) {
        principal = this.authenticateWithToken(httpRequest, httpResponse);
        if (principal == null) {
            // authenticateWithToken has already written an error response
            return;
        }
        this.writeSessionToken(httpRequest, principal);
        this.redirectToOriginalUrl(httpRequest, httpResponse);
        // the redirect commits the response; do not run the rest of the chain
        return;
    }

    // is there a session token (principal in session)?
    if (this.sessionTokenExists(httpRequest)) {
        principal = this.authenticateWithSessionToken(httpRequest, httpResponse);
    }

    // the login page and the excluded URLs are reachable anonymously;
    // note that the regex is applied with find() to the full URL, so it is not anchored
    String url = httpRequest.getRequestURL().toString();
    boolean excludedUrl = url.contains(this.loginPage)
            || (this.excludedUrlsRegex != null
                && !this.excludedUrlsRegex.isEmpty()
                && Pattern.compile(this.excludedUrlsRegex).matcher(url).find());

    // not authenticated and not excluded: send the user to the identity provider (or the login page)
    if (!excludedUrl && principal == null) {
        if (!FederatedConfiguration.getInstance().getEnableManualRedirect()) {
            this.redirectToIdentityProvider(httpRequest, httpResponse);
        } else {
            this.redirectToLoginPage(httpRequest, httpResponse);
        }
        return;
    }

    chain.doFilter(new FederatedHttpServletRequest(httpRequest, principal), response);
}

This is the method that calls authenticate with a different signature now. This is part of the filter.

protected FederatedPrincipal authenticateWithToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // getParameter returns null when the parameter is absent, so check before using it
    String token = request.getParameter("wresult");

    if (token == null) {
        response.sendError(400, "You were supposed to send a wresult parameter with a token");
        return null;
    }

    FederatedLoginManager loginManager = FederatedLoginManager.fromRequest(request, null);

    try {
        // authenticate now only validates the token and returns the principal;
        // putting it in session is the caller's job (writeSessionToken)
        return loginManager.authenticate(token, response);
    } catch (FederationException e) {
        response.sendError(500, "Oops, an error occurred validating the token.");
        return null;
    }
}
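A sketch of the farm-friendly variant mentioned above, as an added example that is not part of this pull request or the project: a stateless session token signed with an HMAC over a key shared by all nodes, which a subclass of WSFederationFilter could issue in writeSessionToken and check in authenticateWithSessionToken via a cookie. The class name SignedSessionToken, the token layout and the method names issue/verify are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: a stateless session token "base64(name|expiry).base64(hmac)" for a web farm. */
public final class SignedSessionToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] key; // must be the same on every node of the farm

    public SignedSessionToken(byte[] key) { this.key = key.clone(); }

    /** Issues a token for the given principal name that expires at expiryEpochMillis. */
    public String issue(String name, long expiryEpochMillis) {
        String payload = ENC.encodeToString((name + "|" + expiryEpochMillis).getBytes(StandardCharsets.UTF_8));
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    /** Returns the principal name, or null if the token is malformed, tampered with or expired. */
    public String verify(String token, long nowEpochMillis) {
        if (token == null) return null;
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        byte[] actual;
        try { actual = DEC.decode(token.substring(dot + 1)); } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(payload), actual)) return null; // constant-time compare
        String decoded = new String(DEC.decode(payload), StandardCharsets.UTF_8); // safe: the MAC proves we issued it
        int bar = decoded.lastIndexOf('|');
        if (bar < 0) return null;
        try {
            if (nowEpochMillis >= Long.parseLong(decoded.substring(bar + 1))) return null; // expired
        } catch (NumberFormatException e) { return null; }
        return decoded.substring(0, bar);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the token carries its own expiry and signature, any node holding the shared key can verify it without a server-side session, which is what makes the filter usable behind a load balancer.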
woloski: refactoring to make integration easier by simply adding wsfederationfilter to web.xml (no servlet needed)
b3b4ad3
@guangyang

@woloski Sorry for the late response. Thanks for being willing to contribute. We are not doing a good job of monitoring the PRs and we will definitely improve it.

Would you still like to pursue the PR? If so, could you please send your CLA following the instructions at http://windowsazure.github.com/guidelines.html? Please also let us know the project you want to contribute to in your email.

Thanks!

@guangyang guangyang closed this May 29, 2013