Class ShibbolethLoginFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.dspace.app.rest.security.StatelessLoginFilter
org.dspace.app.rest.security.ShibbolethLoginFilter
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class ShibbolethLoginFilter extends StatelessLoginFilter
This class will filter Shibboleth requests to see if the user has been authenticated via Shibboleth.

The overall Shibboleth login process is as follows:

1. When the Shibboleth plugin is enabled, the client/UI receives Shibboleth's absolute URL in the WWW-Authenticate header. See the ShibAuthentication loginPageURL() method.
2. The client sends the user to that URL when they select Shibboleth authentication.
3. The user logs in using Shibboleth.
4. If successful, they are redirected by Shibboleth to the path where this Filter is "listening" (that path is passed to Shibboleth as a URL param in step 1).
5. This filter then intercepts the request in order to check for a valid Shibboleth login (see ShibAuthentication.authenticate()) and stores that user info in a JWT. It also saves that JWT in a *temporary* authentication cookie.
6. This filter then looks for a "redirectUrl" param (also a part of the original URL from step 1), and redirects the user to that location (after verifying it's a trusted URL). Usually this is a redirect back to the Client/UI page where the User started.
7. At that point, the client reads the JWT from the Cookie, and sends it back in a request to /api/authn/login, which triggers the server-side to destroy the Cookie and move the JWT into a Header.

This Shibboleth Authentication process is tested in AuthenticationRestControllerIT.
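The trust check in step 6 is the security-relevant part of this flow: an unvalidated "redirectUrl" would let the filter forward a freshly issued authentication cookie to any destination. The following is an added example of such a check, not DSpace's own implementation (the page does not show how ShibbolethLoginFilter performs its verification). The class name RedirectUrlValidator, the isTrusted() method and the allowlist of trusted origins are assumptions for illustration; a deployment would read the allowlist from configuration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added example, not DSpace code: a validator for the "redirectUrl" parameter
 * from step 6 of the login flow. It accepts an absolute path on this server, or
 * an absolute http(s) URL whose scheme, host and effective port exactly match
 * one of the configured trusted origins. The allowlist is an assumption; in a
 * deployment it would come from configuration.
 */
public final class RedirectUrlValidator {

    private final List<URI> trustedOrigins = new ArrayList<>();

    public RedirectUrlValidator(List<String> trusted) {
        for (String origin : trusted) {
            // Origins are parsed once at construction; a malformed entry is a configuration error.
            trustedOrigins.add(URI.create(origin));
        }
    }

    /** Returns true only if a redirect to this value stays on a trusted origin. */
    public boolean isTrusted(String redirectUrl) {
        if (redirectUrl == null || redirectUrl.isBlank()) {
            return false;
        }
        URI target;
        try {
            target = new URI(redirectUrl.trim()).normalize();
        } catch (URISyntaxException e) {
            return false; // unparseable input is never a safe redirect target
        }

        // Relative reference: allow only an absolute path on this server.
        // "//host/path" carries an authority and is rejected here.
        if (target.getScheme() == null) {
            return target.getRawAuthority() == null
                && target.getPath() != null
                && target.getPath().startsWith("/")
                && !target.getPath().startsWith("//");
        }

        // Absolute URL: only http(s), no embedded credentials, and an exact
        // origin match (scheme + host + effective port) against the allowlist.
        String scheme = target.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (target.getRawUserInfo() != null || target.getHost() == null) {
            return false;
        }
        for (URI origin : trustedOrigins) {
            if (scheme.equals(origin.getScheme().toLowerCase(Locale.ROOT))
                && target.getHost().equalsIgnoreCase(origin.getHost())
                && effectivePort(target) == effectivePort(origin)) {
                return true;
            }
        }
        return false;
    }

    // Default ports are applied so "https://host" and "https://host:443" compare equal.
    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample allowlist and candidate values, for illustration only.
        RedirectUrlValidator v = new RedirectUrlValidator(
            List.of("https://repo.example.org", "http://localhost:4000"));
        String[] candidates = {
            "/search?query=test",                     // relative path: accepted
            "https://repo.example.org/items/123",      // trusted origin: accepted
            "http://localhost:4000/login",             // trusted origin: accepted
            "https://repo.example.org.other.example/", // different host: rejected
            "//other.example/page",                    // protocol-relative: rejected
            "https://repo.example.org@other.example/", // credentials in URL: rejected
            "javascript:alert(1)"                      // non-http scheme: rejected
        };
        for (String c : candidates) {
            System.out.println((v.isTrusted(c) ? "ALLOW  " : "REJECT ") + c);
        }
    }
}
```

Run it as a single-file program with `java RedirectUrlValidator.java` (Java 11 or later). The comparison is an exact origin match rather than a prefix or substring test, which is what defeats look-alike hosts and protocol-relative values; a filter would call isTrusted() before issuing the step 6 redirect and fall back to a fixed default location when it returns false.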

Author:
Giuseppe Digilio (giuseppe dot digilio at 4science dot it), Tim Donohue
  • Field Summary

    Fields inherited from class org.dspace.app.rest.security.StatelessLoginFilter

    authenticationManager, restAuthenticationService

    Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    authenticationDetailsSource, eventPublisher, messages

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
    ShibbolethLoginFilter(String url, org.springframework.security.authentication.AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    org.springframework.security.core.Authentication
    attemptAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
    Attempt to authenticate the user by using Spring Security's AuthenticationManager.
    protected void
    successfulAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth)
    If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.

    Methods inherited from class org.dspace.app.rest.security.StatelessLoginFilter

    afterPropertiesSet, unsuccessfulAuthentication

    Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextRepository, setSessionAuthenticationStrategy

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • ShibbolethLoginFilter

      public ShibbolethLoginFilter(String url, org.springframework.security.authentication.AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService)
  • Method Details

    • attemptAuthentication

      public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) throws org.springframework.security.core.AuthenticationException
      Description copied from class: StatelessLoginFilter
      Attempt to authenticate the user by using Spring Security's AuthenticationManager. The AuthenticationManager will delegate this task to one or more AuthenticationProvider classes.

      For DSpace, our custom AuthenticationProvider is EPersonRestAuthenticationProvider, so that is the authenticate() method which is called below.

      Overrides:
      attemptAuthentication in class StatelessLoginFilter
      Parameters:
      req - current request
      res - current response
      Returns:
      a valid Spring Security Authentication object if authentication succeeds
      Throws:
      org.springframework.security.core.AuthenticationException - if authentication fails
    • successfulAuthentication

      protected void successfulAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth) throws IOException, javax.servlet.ServletException
      Description copied from class: StatelessLoginFilter
      If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.

      For DSpace, this is calling our JWTTokenRestAuthenticationServiceImpl in order to create a JWT based on the authentication data & send that JWT back in the response.

      Overrides:
      successfulAuthentication in class StatelessLoginFilter
      Parameters:
      req - current request
      res - response
      chain - FilterChain
      auth - Authentication object containing info about user who had a successful authentication
      Throws:
      IOException
      javax.servlet.ServletException