Class ShibbolethLoginFilter
- All Implemented Interfaces:
jakarta.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, EnvironmentAware, MessageSourceAware, EnvironmentCapable, ServletContextAware
The overall Shibboleth login process is as follows:
1. When the Shibboleth plugin is enabled, the client/UI receives Shibboleth's absolute URL in the WWW-Authenticate header. See the ShibAuthentication loginPageURL() method.
2. The client sends the user to that URL when they select Shibboleth authentication.
3. The user logs in using Shibboleth.
4. If successful, they are redirected by Shibboleth to the path where this Filter is "listening" (that path is passed to Shibboleth as a URL param in step 1).
5. This filter then intercepts the request in order to check for a valid Shibboleth login (see ShibAuthentication.authenticate()) and stores that user info in a JWT. It also saves that JWT in a *temporary* authentication cookie.
6. This filter then looks for a "redirectUrl" param (also a part of the original URL from step 1), and redirects the user to that location (after verifying it's a trusted URL). Usually this is a redirect back to the Client/UI page where the User started.
7. At that point, the client reads the JWT from the Cookie, and sends it back in a request to /api/authn/login, which triggers the server-side to destroy the Cookie and move the JWT into a Header.
This Shibboleth Authentication process is tested in AuthenticationRestControllerIT.
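A check of the kind step 6 requires before following "redirectUrl", as an added example that is not DSpace's own code: it accepts only a same-origin path rooted at "/" or an absolute URL whose origin is on an allow-list. TRUSTED_ORIGINS (standing in for the configured Client/UI URL), the class name and the method name are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not part of DSpace): decides whether the "redirectUrl"
// parameter may be followed before the filter issues the redirect of step 6.
public final class RedirectUrlCheck {

    // Assumed allow-list of trusted origins, e.g. the configured Client/UI URL.
    // Constructed for this example: lower-case scheme and host, no default port.
    static final Set<String> TRUSTED_ORIGINS = Set.of("https://ui.example.org");

    public static boolean isTrustedRedirect(String redirectUrl) {
        if (redirectUrl == null || redirectUrl.isBlank() || redirectUrl.indexOf('\\') >= 0) {
            return false; // browsers treat '\' as '/', so refuse it rather than guess
        }
        URI target;
        try {
            target = new URI(redirectUrl.strip()).normalize();
        } catch (URISyntaxException e) {
            return false; // unparseable input is never followed
        }
        if (target.getScheme() == null && target.getRawAuthority() == null) {
            // Relative reference: only a path rooted at "/" on our own origin is allowed.
            String path = target.getRawPath();
            return path != null && path.startsWith("/");
        }
        // Absolute or protocol-relative ("//host/...") reference: require a complete,
        // user-info-free URL whose origin is exactly on the allow-list.
        if (target.getScheme() == null || target.getHost() == null || target.getUserInfo() != null) {
            return false;
        }
        String scheme = target.getScheme().toLowerCase(Locale.ROOT);
        String host = target.getHost().toLowerCase(Locale.ROOT);
        int port = target.getPort();
        int defaultPort = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
        String origin = scheme + "://" + host + (port == -1 || port == defaultPort ? "" : ":" + port);
        return TRUSTED_ORIGINS.contains(origin);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two are accepted, the last three rejected.
        for (String u : new String[] {"/search?q=x", "https://ui.example.org:443/items/1",
                "//evil.example/x", "https://ui.example.org@evil.example/", "javascript:alert(1)"}) {
            System.out.println(u + " -> " + isTrustedRedirect(u));
        }
    }
}
```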
- Author:
- Giuseppe Digilio (giuseppe dot digilio at 4science dot it), Tim Donohue
Field Summary
Fields inherited from class org.dspace.app.rest.security.StatelessLoginFilter
authenticationManager, restAuthenticationService
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
Constructor Summary
ShibbolethLoginFilter(String url, String httpMethod, AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService)
Method Summary
Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
Attempt to authenticate the user by using Spring Security's AuthenticationManager.
protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res, jakarta.servlet.FilterChain chain, Authentication auth)
If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.
Methods inherited from class org.dspace.app.rest.security.StatelessLoginFilter
afterPropertiesSet, unsuccessfulAuthentication
Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextHolderStrategy, setSecurityContextRepository, setSessionAuthenticationStrategy
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Constructor Details
ShibbolethLoginFilter
public ShibbolethLoginFilter(String url, String httpMethod, AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService)
Method Details
attemptAuthentication
public Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws AuthenticationException
Description copied from class: StatelessLoginFilter
Attempt to authenticate the user by using Spring Security's AuthenticationManager. The AuthenticationManager will delegate this task to one or more AuthenticationProvider classes. For DSpace, our custom AuthenticationProvider is EPersonRestAuthenticationProvider, so that is the authenticate() method which is called below.
- Overrides:
attemptAuthentication in class StatelessLoginFilter
- Parameters:
req - current request
res - current response
- Returns:
a valid Spring Security Authentication object if authentication succeeds
- Throws:
AuthenticationException - if authentication fails
successfulAuthentication
protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res, jakarta.servlet.FilterChain chain, Authentication auth) throws IOException, jakarta.servlet.ServletException
Description copied from class: StatelessLoginFilter
If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response. For DSpace, this is calling our JWTTokenRestAuthenticationServiceImpl in order to create a JWT based on the authentication data & send that JWT back in the response.
- Overrides:
successfulAuthentication in class StatelessLoginFilter
- Parameters:
req - current request
res - response
chain - FilterChain
auth - Authentication object containing info about the user who had a successful authentication
- Throws:
IOException
jakarta.servlet.ServletException