Class SamlLoginFilter

All Implemented Interfaces:
jakarta.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, EnvironmentAware, MessageSourceAware, EnvironmentCapable, ServletContextAware

public class SamlLoginFilter extends StatelessLoginFilter
A filter that examines requests to see if the user has been authenticated via SAML.

The overall SAML login process is as follows:

  1. When SAML authentication is enabled, the client/UI receives the URL to the active SAML relying party's authentication endpoint in the WWW-Authenticate header. See SamlAuthentication.loginPageURL(org.dspace.core.Context, HttpServletRequest, HttpServletResponse).
  2. The client sends the user to that URL when they select SAML authentication.
  3. The active SAML relying party sends the client to the login page at the asserting party (aka identity provider, or IdP).
  4. The user logs in to the asserting party.
  5. If successful, the asserting party sends the client back to the relying party's assertion consumer endpoint, along with the SAML assertion.
  6. The relying party receives the SAML assertion, extracts attributes from the assertion, maps them into request attributes, and forwards the request to the path where this filter is listening.
  7. This filter intercepts the request in order to check for a valid SAML login (see SamlAuthentication.authenticate(org.dspace.core.Context, String, String, String, HttpServletRequest)) and stores that user info in a JWT. It also saves that JWT in a temporary authentication cookie.
  8. This filter redirects the user back to the UI (after verifying it's at a trusted URL).
  9. The client reads the JWT from the cookie, and sends it back in a request to /api/authn/login, which triggers the server-side to destroy the cookie and move the JWT into a header.
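Step 8 above hinges on the filter refusing to redirect anywhere but a trusted UI location. The following is an added, hypothetical origin-allowlist check written for this page, not DSpace's own code: the `TRUSTED_ORIGINS` list, the class name and the https-only rule are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

/** Hypothetical helper: decides whether a post-login redirect target is a trusted UI origin. */
public final class TrustedRedirectCheck {

    // Constructed allowlist of UI origins (scheme://host[:port]); a real deployment reads this from config.
    private static final List<String> TRUSTED_ORIGINS = List.of(
        "https://ui.example.org",
        "https://ui.example.org:8443"
    );

    private TrustedRedirectCheck() {}

    /** Returns true only if the URL is absolute, uses https, has no userinfo, and its origin is allowlisted. */
    public static boolean isTrustedRedirect(String redirectUrl) {
        if (redirectUrl == null || redirectUrl.isBlank()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(redirectUrl).normalize();
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never repaired
        }
        // Relative and protocol-relative URLs have no scheme; a userinfo component would make
        // the text before '@' look like the host to a human while the real host follows it.
        if (uri.getScheme() == null || uri.getHost() == null || uri.getRawUserInfo() != null) {
            return false;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!"https".equals(scheme)) {
            return false; // assumption: the UI is only ever served over https
        }
        // Compare the full origin, not a prefix, so "ui.example.org.other.test" does not match.
        String origin = scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT)
            + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
        return TRUSTED_ORIGINS.contains(origin);
    }

    public static void main(String[] args) {
        System.out.println(isTrustedRedirect("https://ui.example.org/login?redirect=/items"));  // true
        System.out.println(isTrustedRedirect("https://ui.example.org:8443/"));                  // true
        System.out.println(isTrustedRedirect("https://ui.example.org.other.test/"));            // false
        System.out.println(isTrustedRedirect("//other.test/"));                                 // false
        System.out.println(isTrustedRedirect("https://ui.example.org@other.test/"));            // false
    }
}
```

A filter would call `isTrustedRedirect` on the requested return URL and fall back to a configured default UI URL when it returns false, rather than honouring the untrusted value.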
Author:
Ray Lee
  • Constructor Details

  • Method Details

    • attemptAuthentication

      public Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws AuthenticationException
      Description copied from class: StatelessLoginFilter
      Attempt to authenticate the user by using Spring Security's AuthenticationManager. The AuthenticationManager will delegate this task to one or more AuthenticationProvider classes.

      For DSpace, our custom AuthenticationProvider is EPersonRestAuthenticationProvider, so that is the authenticate() method which is called below.

      Overrides:
      attemptAuthentication in class StatelessLoginFilter
      Parameters:
      request - current request
      response - current response
      Returns:
      a valid Spring Security Authentication object if authentication succeeds
      Throws:
      AuthenticationException - if authentication fails
    • successfulAuthentication

      protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, Authentication auth) throws IOException, jakarta.servlet.ServletException
      Description copied from class: StatelessLoginFilter
      If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.

      For DSpace, this is calling our JWTTokenRestAuthenticationServiceImpl in order to create a JWT based on the authentication data & send that JWT back in the response.

      Overrides:
      successfulAuthentication in class StatelessLoginFilter
      Parameters:
      request - current request
      response - response
      chain - FilterChain
      auth - Authentication object containing info about user who had a successful authentication
      Throws:
      IOException
      jakarta.servlet.ServletException