Class SunNetAuthHandler
- java.lang.Object
  - sunlabs.brazil.handler.SunNetAuthHandler
- All Implemented Interfaces:
  Handler

public class SunNetAuthHandler extends java.lang.Object implements Handler
All-in-one Handler for doing supplier.net style authentication. The purpose of this handler is to provide an authenticated "front end" to one or more web sites, using (hopefully) arbitrary challenge-response based authentication via a plug-in authentication interface. It can bridge disparate DNS domains by selectively mapping servers on one domain into another, based on the supplied credentials, by using the MultiProxyHandler.

The authentication step is expected to yield a list of roles, each of which represents permission to access a specific foreign site. Once authentication is complete, and the roles are obtained, the handler keeps a set of credentials (a lease) on behalf of the user, which can be tuned at setup time for a variety of expiration conditions. Once a lease expires, re-authentication is required.

This handler starts two sets of handlers of its own: an authentication handler, responsible for doing the authentication, and one or more virtual proxy handlers, one for each possible role. In the current implementation, the authentication handler is specified as a configuration property, and the proxy handlers are all instances of MultiProxyHandler, one per role.

Operation of the handler proceeds in the following steps:
- When the server starts, the handler is initialized.
- The template file is located and read.
- One MultiProxyHandler is started for each possible role.
- The authentication handler is started. Its operation is defined below.
- Browser cookies are used as a reference to the user's credentials. If the cookie returned by the browser refers to a valid credential, the requested URL is compared to the user's roles. If the requested URL is permitted, by matching one of the user's roles, the URL is forwarded to the proper virtual web site for delivery. Otherwise the URL is considered "not found".
- If the credentials are not valid, either because they had expired, were removed, or there is no browser cookie, the authentication sequence is started, for the purpose of obtaining valid credentials.
- A browser cookie is chosen at random, and a "set-cookie" request is sent to the client (in lieu of the URL requested) along with the login template. An additional random value is created, retained by the handler on behalf of this client, and made available as a parameter to the login template.
- The next response from the client is expected to contain the information required to authenticate the client. This is normally accomplished by having the user fill out the form that is contained on the login template, and clicking the submit button.
- The client's response (e.g. query data), along with the random number generated in the previous step, are forwarded to the authentication handler.
- The authentication handler is expected to place a user id and a list of roles in the resulting request object if authentication is successful, or an error message otherwise. If the authentication succeeds, the roles are entered into the lease, and the original URL processing is resumed. If instead an error is returned, the authentication sequence is repeated. The error message may be displayed to the user if it is included as a parameter on the login template.
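The lease kept on the user's behalf, and the gatekeeper check that runs against it, as an added illustration that is not Brazil's own code. The Lease class, the millisecond clock, and the rule that a role is a URL prefix of its virtual site are assumptions; the three limits carry the meaning of the maxIdle, maxAge and maxUses parameters listed below.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not Brazil's own code: a per-user lease checked
// against the maxIdle / maxAge / maxUses limits the handler is configured
// with. Lease, the ms clock and "role is a URL prefix" are assumptions;
// a limit of 0 means that condition is not enforced.
public final class LeaseGate {
    static final class Lease {
        final String userId;
        final Set<String> roles;      // one role per reachable virtual site
        final long createdMs;
        long lastUsedMs;
        int uses;
        Lease(String userId, Set<String> roles, long nowMs) {
            this.userId = userId; this.roles = roles;
            this.createdMs = nowMs; this.lastUsedMs = nowMs;
        }
    }
    final long maxIdle, maxAge;   // seconds, as in the configuration
    final int maxUses;
    LeaseGate(long maxIdle, long maxAge, int maxUses) {
        this.maxIdle = maxIdle; this.maxAge = maxAge; this.maxUses = maxUses;
    }

    /** True if the lease is still valid at nowMs; records the use if so. */
    boolean touch(Lease l, long nowMs) {
        if (maxAge > 0 && nowMs - l.createdMs > maxAge * 1000L) return false;    // total age
        if (maxIdle > 0 && nowMs - l.lastUsedMs > maxIdle * 1000L) return false; // idle gap
        if (maxUses > 0 && l.uses >= maxUses) return false;                     // use count
        l.lastUsedMs = nowMs;
        l.uses++;
        return true;
    }

    /** The requested URL is permitted only when it matches one of the lease's roles. */
    static boolean permitted(Lease l, String url) {
        for (String role : l.roles) if (url.startsWith(role)) return true;
        return false;   // the caller reports this as "not found", as described above
    }

    public static void main(String[] args) {
        LeaseGate gate = new LeaseGate(600, 3600, 100);
        long t0 = 1_000_000L;   // constructed clock value
        Lease l = new Lease("alice", new HashSet<>(Arrays.asList("/wiki/", "/intranet/")), t0);
        System.out.println(gate.touch(l, t0 + 5_000) && permitted(l, "/wiki/page"));
        System.out.println(gate.touch(l, t0 + 705_000) ? "still valid" : "idle limit exceeded");
    }
}
```

An expired or unknown lease makes touch return false, which is the point at which the handler restarts the login sequence rather than serving the URL.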
The login template is ordinary HTML, except that constructs of the form:
<insert property=xx default=yy>
may be used to substitute Request.props into the template. The properties challenge and Message are automatically set to indicate the random challenge and error message (if any) from a previous attempt, respectively.

The following configuration parameters are recognized:
- prefix: URL prefix for proxy
- authenticate: URL for authentication page
- cookie: name of the cookie
- roles: list of roles
- proxy: prefix for proxy handler
- idName: property key for token id
- roleName: property key for token roles
- maxIdle: maximum idle time for token (seconds)
- maxAge: maximum total age for token (seconds)
- maxUses: maximum total uses for token
- exit: prefix to exit a session
- all: "free" directory suffixes
- template: login template
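The template substitution described above, as an added example that is not the class's own processTemplate: it resolves <insert property=xx default=yy> tags from a Hashtable of request properties and HTML-escapes the substituted values, so an error Message reflected into the login page cannot change the page's markup. The class and method names, and the acceptance of optionally double-quoted attribute values, are assumptions.

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Brazil's processTemplate: substitutes
// <insert property=xx default=yy> from a Hashtable and HTML-escapes the
// looked-up value. Bare or double-quoted attribute values are accepted
// (an assumption); "default" is optional and is emitted as written.
public final class InsertTemplate {
    private static final Pattern INSERT = Pattern.compile(
        "<insert\\s+property=(?:\"([^\"]*)\"|([^\\s>\"]+))"
      + "(?:\\s+default=(?:\"([^\"]*)\"|([^\\s>\"]+)))?\\s*>",
        Pattern.CASE_INSENSITIVE);

    /** Escape the characters that could open a tag or attribute in HTML. */
    static String escape(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': b.append("&lt;"); break;
                case '>': b.append("&gt;"); break;
                case '&': b.append("&amp;"); break;
                case '"': b.append("&quot;"); break;
                default: b.append(c);
            }
        }
        return b.toString();
    }

    static String substitute(String template, Hashtable<String, String> data) {
        Matcher m = INSERT.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String key = m.group(1) != null ? m.group(1) : m.group(2);
            String dflt = m.group(3) != null ? m.group(3) : m.group(4);
            String value = data.get(key);
            String text = value != null ? escape(value) : (dflt == null ? "" : dflt);
            m.appendReplacement(out, Matcher.quoteReplacement(text));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        Hashtable<String, String> data = new Hashtable<>();   // constructed sample data
        data.put("challenge", "7f3a9c");
        data.put("Message", "bad password <b>try again</b>");
        String tmpl = "<input type=hidden name=challenge value=\"<insert property=challenge>\">"
            + "<p><insert property=Message default=\"Please log in\"></p>";
        System.out.println(substitute(tmpl, data));
    }
}
```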
NOTE: This handler is included for historical purposes. It should be updated to take advantage of features not available when it was first written.
- Version: 2.1, 02/10/01
- Author: Stephen Uhler
Constructor Summary
- SunNetAuthHandler()

Method Summary
- boolean init(Server server, java.lang.String prefix)
  Set up all of the handlers: Secure Token Services for authentication, MultiProxyHandler for dispatching to hosts.
- static java.lang.String processTemplate(java.lang.String template, java.util.Hashtable data)
  Process a template page, and send to the client.
- boolean respond(Request request)
  Act like a "gatekeeper".
- void returnLogin(Request request, java.lang.String message)
  Return the login page with the appropriate message substituted in.
Method Detail

init
public boolean init(Server server, java.lang.String prefix)
Set up all of the handlers: Secure Token Services for authentication, MultiProxyHandler for dispatching to hosts.
- Specified by: init in interface Handler
- Parameters:
  server - The HTTP server that created this Handler. Typical Handlers will use Server.props to obtain run-time configuration information.
  prefix - The handler's name. The string this Handler may prepend to all of the keys that it uses to extract configuration information from Server.props. This is set (by the Server and ChainHandler) to help avoid configuration parameter namespace collisions.
- Returns: true if this Handler initialized successfully, false otherwise. If false is returned, this Handler should not be used.
respond
public boolean respond(Request request) throws java.io.IOException
Act like a "gatekeeper". If we have a valid browser cookie, then dispatch to one of the proxies. If not, try to authenticate by returning the login "template", fetching the credentials, and establishing a session.
- Specified by: respond in interface Handler
- Parameters:
  request - The Request object that represents the HTTP request.
- Returns: true if the request was handled. A request was handled if a response was supplied to the client, typically by calling Request.sendResponse() or Request.sendError.
- Throws:
  java.io.IOException - if there was an I/O error while sending the response to the client. Typically, in that case, the Server will (try to) send an error message to the client and then close the client's connection. The IOException should not be used to silently ignore problems such as being unable to access some server-side resource (for example getting a FileNotFoundException due to not being able to open a file). In that case, the Handler's duty is to turn that IOException into an HTTP response indicating, in this case, that a file could not be found.
returnLogin
public void returnLogin(Request request, java.lang.String message)
Return the login page with the appropriate message substituted in.
processTemplate
public static java.lang.String processTemplate(java.lang.String template, java.util.Hashtable data)
Process a template page, and send to the client. This should be re-done to use the template handler. Look for html tags of the form: Also look for: and replace the tag with the value of the request property.
- Parameters:
  template - The template to process
  data - The hashtable containing the data to substitute