Merge branch 'master' of github.com:Yubico/yubico-shibboleth-idp-mult…

…ifactor-login-handler

README

@@ -1 +1,36 @@
 MultiFactor Login Handler for use with the Shibboleth IdP.
+
+See https://spaces.internet2.edu/display/SHIB2/Multi+Factor+Login+Handler
+( or https://spaces.internet2.edu/x/FQFvAQ ) for installation instructions.
+
+This version has been tested with Shibboleth IdP 2.2.1 and with the
+JAAS modules from yubico-validation-client 2.0-pre1-shib.
+
+What is special with this Login Handler? Two things :
+
+  1) It collects multiple authentication factors from the login servlet.
+
+     Besides the j_username and j_password collected by the regular
+     UsernamePassword login handler, we also collect
+     j_tokens[0] .. j_tokens[n].
+
+     See MultiFactorAuthLoginServlet.service().
+
+  2) We convey all these collected factors to JAAS modules by calling the
+     JAAS modules PasswordCallback.setPassword() muliple times, with
+     j_password coming last (to provide some compatibility with single-
+     factor JAAS modules).
+
+     If the JAAS module wants to get more than the first factor, it must
+     pass us a PasswordCallback capable of accumulating factors in
+     setPassword().
+
+     See MultiAuthCallbackHandler.handle().
+
+See com.yubico.jaas.MultiValuePasswordCallback for an example of a multi-
+factor capable PasswordCallback.
+
+Currently known Multi Factor JAAS modules :
+
+  com.yubico.jaas.YubikeyLoginModule	  for YubiKey OTPs
+  com.yubico.jaas.HttpOathOtpLoginModule  for OATH token validations

examples/login.jsp

@@ -0,0 +1,64 @@
+<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext" %>
+<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %>
+<%@ page import="edu.internet2.middleware.shibboleth.idp.session.*" %>
+<%@ page import="edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %>
+<%@ page import="org.opensaml.saml2.metadata.*" %>
+
+<%
+    LoginContext loginContext = HttpServletHelper.getLoginContext(HttpServletHelper.getStorageService(application),
+                                                                  application, request);
+    Session userSession = HttpServletHelper.getUserSession(request);
+%>
+
+<html>
+
+    <head>
+        <title>Shibboleth Identity Provider - Example Login Page</title>
+    </head>
+
+	<body>
+		<img src="<%= request.getContextPath() %>/images/logo.jpg" />
+		<h1>Example Login Page</h1>
+		<p>This login page is an example and should be customized.  Refer to the 
+			<a href="https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPassLoginPage" target="_new"> documentation</a>.
+		</p>
+
+		<% if (loginContext == null) { %>
+		<p><font color="red">Error:</font> Direct access to this page is not supported.</p>
+		<% } else { %>		
+
+			<h2>Shibboleth Identity Provider Login to Service Provider <%= loginContext.getRelyingPartyId() %></h2>
+
+			<% if (request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY) != null) { %>
+			<p><font color="red">Authentication Failed</font></p>
+			<% } %>
+
+			<% if(request.getAttribute("actionUrl") != null){ %>
+			    <form action="<%=request.getAttribute("actionUrl")%>" method="post">
+			<% }else{ %>
+			    <form action="j_security_check" method="post">
+			<% } %>
+			<table>
+				<tr>
+					<td>Username:</td>
+					<td><input name="j_username" type="text" tabindex="1" /></td>
+				</tr>
+				<tr>
+					<td>Password:</td>
+					<td><input name="j_password" type="password" tabindex="2" /></td>
+				</tr>
+			        <% String s = (String) request.getAttribute("actionUrl"); if (s.contains("/MultiFactor")){ %>
+				    <tr>
+					<td>Token:</td>
+					<td><input name="j_tokens[0]" type="text" tabindex="3" /></td>
+				    </tr>
+				<% } %>
+				<tr>
+					<td colspan="2"><input type="submit" value="Login" tabindex="9" /></td>
+				</tr>
+			</table>
+			</form>
+		<%}%>
+	</body>
+
+</html>

pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.yubico.shibboleth.idp.multifactor</groupId>
   <artifactId>multifactor-login-handler</artifactId>
-  <version>0.0.1-SNAPSHOT</version>
+  <version>0.1</version>
 
   <name>MultiFactor LoginHandler</name>
 

src/main/java/com/yubico/shibboleth/idp/multifactor/MultiFactorAuthLoginHandlerBeanDefinitionParser.java

@@ -61,7 +61,7 @@
 public class MultiFactorAuthLoginHandlerBeanDefinitionParser extends AbstractLoginHandlerBeanDefinitionParser {
 
     /** Schema type. */
-    public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "MultiFactorAuth");
+    public static final QName SCHEMA_TYPE = new QName(MultiFactorAuthLoginHandlerNamespaceHandler.NAMESPACE, "MultiFactorAuth");
 
     /** Class logger. */
     private final Logger log = LoggerFactory.getLogger(MultiFactorAuthLoginHandlerBeanDefinitionParser.class);

src/main/java/com/yubico/shibboleth/idp/multifactor/MultiFactorAuthLoginHandlerNamespaceHandler.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2011 Yubico AB.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @author Fredrik Thulin <fredrik@yubico.com>
+ *
+ */
+package com.yubico.shibboleth.idp.multifactor;
+
+import edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler;
+
+public class MultiFactorAuthLoginHandlerNamespaceHandler extends BaseSpringNamespaceHandler {
+    public static final String NAMESPACE = "http://www.yubico.com/2011/shibboleth/idp";
+
+    public void init() {
+        registerBeanDefinitionParser(MultiFactorAuthLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+				     new MultiFactorAuthLoginHandlerBeanDefinitionParser());
+    }
+}

src/main/resources/META-INF/spring.handlers

@@ -0,0 +1 @@
+http\://www.yubico.com/2011/shibboleth/idp = com.yubico.shibboleth.idp.multifactor.MultiFactorAuthLoginHandlerNamespaceHandler

src/main/resources/META-INF/spring.schemas

@@ -0,0 +1 @@
+http\://www.yubico.com/2011/shibboleth/idp = schema/shibboleth-2.0-idp-multifactor-login-handler.xsd

src/main/resources/schema/shibboleth-2.0-idp-multifactor-login-handler.xsd

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.yubico.com/2011/shibboleth/idp"
+            xmlns="http://www.yubico.com/2011/shibboleth/idp"
+            xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
+            elementFormDefault="qualified">
+
+  <xsd:import namespace="urn:mace:shibboleth:2.0:idp:profile-handler"
+              schemaLocation="classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd" />
+
+  <xsd:complexType name="MultiFactorAuth">
+    <xsd:complexContent>
+      <xsd:extension base="ph:LoginHandlerType">
+	<xsd:attribute name="jaasConfigurationLocation" type="xsd:anyURI">
+	  <xsd:annotation>
+            <xsd:documentation>
+              Location of the JAAS configuration. If this attribute is used it will usually contain a file
+              URL to a configuration on the local filesystem. However, this attribute need not be used and
+              this information can be set within the VM in any manner supported by the JVM/container
+              implementation.
+	    </xsd:documentation>
+          </xsd:annotation>
+        </xsd:attribute>
+	<xsd:attribute name="authenticationServletURL" type="xsd:string">
+          <xsd:annotation>
+            <xsd:documentation>
+              The servlet context path to the com.yubico.shibboleth.idp.MultiFactorAuthLoginServlet
+              that will authenticate the user.
+	    </xsd:documentation>
+          </xsd:annotation>
+        </xsd:attribute>
+      </xsd:extension>
+    </xsd:complexContent>
+  </xsd:complexType>
+</xsd:schema>