RE: IDP3/4 -> read (&write) custom session cookie for authentication

Käfer Thomas thomas.kaefer at fh-campuswien.ac.at
Mon Jun 29 07:09:33 UTC 2020


Hello Scott!

> https://wiki.shibboleth.net/confluence/display/IDP4/PredefinedBeans
> Under "Other Beans"

Sorry, I didn't see that message before writing my last mail.

So the injectable bean I need is this one:
net.shibboleth.utilities.java.support.net.ThreadLocalHttpServletRequestProxy


The other thing, about not using annotations for wiring but doing that in XML files somewhere:
Can you give me some pointers on how / where to do that in the supported way?

Thank you!
Kind regards,
Thomas Käfer

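Putting the pieces from this thread together, here is an added example (not code from the original posts or from the Shibboleth project) of a Function-flow result lookup that gets the CookieManager and the thread-local request proxy by setter injection and is wired in XML rather than with @Autowired, so it works without annotation scanning. It reads the legacy cookie, passes it with the remote address and User-Agent to the legacy service for the "cookie not transferred" check, and returns the username as the principal name. The cookie name `legacyauth`, the `LegacyAuthService` interface, its `verify` method and the `campusauth.LegacyAuthService` bean id are assumptions for illustration; `shibboleth.CookieManager` and `shibboleth.HttpServletRequest` are the IdP's predefined beans. The raw `ProfileRequestContext` type is used so the class compiles against both the IdP 3 and IdP 4 APIs.

```java
package at.ac.fhcampuswien.campusauth;

import java.util.function.Function;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;

import org.opensaml.profile.context.ProfileRequestContext;

import net.shibboleth.utilities.java.support.net.CookieManager;

/**
 * Result lookup strategy for the IdP "Function" login flow.
 *
 * Returning a String hands the IdP the principal name; returning null
 * means "no result" and the flow fails for this request.
 *
 * Wiring (conf/authn/function-authn-config.xml), no annotations needed:
 *
 *   <bean id="shibboleth.authn.Function.ResultLookupStrategy"
 *         class="at.ac.fhcampuswien.campusauth.AuthFunction">
 *     <property name="cookieManager"      ref="shibboleth.CookieManager" />
 *     <property name="httpServletRequest" ref="shibboleth.HttpServletRequest" />
 *     <property name="legacyAuthService"  ref="campusauth.LegacyAuthService" />
 *   </bean>
 */
public class AuthFunction implements Function<ProfileRequestContext, Object> {

    /** Name of the legacy SSO cookie (assumed for this example). */
    private static final String LEGACY_COOKIE = "legacyauth";

    private CookieManager cookieManager;
    private HttpServletRequest httpServletRequest;
    private LegacyAuthService legacyAuthService;

    /** Setter for the IdP's shibboleth.CookieManager bean. */
    public void setCookieManager(@Nonnull final CookieManager cm) {
        cookieManager = cm;
    }

    /** Setter for the IdP's shibboleth.HttpServletRequest bean (ThreadLocalHttpServletRequestProxy). */
    public void setHttpServletRequest(@Nonnull final HttpServletRequest request) {
        httpServletRequest = request;
    }

    /** Setter for the legacy verification service (hypothetical interface, see below). */
    public void setLegacyAuthService(@Nonnull final LegacyAuthService service) {
        legacyAuthService = service;
    }

    @Override
    @Nullable
    public Object apply(@Nullable final ProfileRequestContext prc) {
        // Read the cookie through the IdP's manager instead of the raw servlet API.
        final String cookieValue = cookieManager.getCookieValue(LEGACY_COOKIE, null);
        if (cookieValue == null) {
            // No legacy cookie present: nothing to authenticate with.
            return null;
        }

        // Client binding data the legacy service uses to detect a copied cookie.
        final String remoteAddr = httpServletRequest.getRemoteAddr();
        final String userAgent = httpServletRequest.getHeader("User-Agent");

        final String username = legacyAuthService.verify(cookieValue, remoteAddr, userAgent);
        if (username == null) {
            // Cookie rejected (expired, or address/User-Agent mismatch): clear it so the
            // user is not stuck presenting a bad cookie on every request.
            cookieManager.unsetCookie(LEGACY_COOKIE);
            return null;
        }

        // A String result is taken by the Function flow as the principal name.
        return username;
    }

    /** Hypothetical contract for the legacy auth service; not part of Shibboleth. */
    public interface LegacyAuthService {
        /** Returns the username bound to the cookie, or null if the cookie is not valid for this client. */
        @Nullable String verify(@Nonnull String cookieValue, @Nullable String remoteAddr, @Nullable String userAgent);
    }
}
```

The class has no Spring annotations at all: the three `<property>` elements in the bean definition do the injection, which is the XML-based wiring the thread asks about. Because the request proxy is a bean, the same setter pattern works for a CredentialValidator or any other object the IdP instantiates from its Spring configuration; it does not help inside a JAAS LoginModule, which the JAAS framework creates outside the Spring context.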
________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Monday, 29 June 2020 09:01
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP3/4 -> read (&write) custom session cookie for authentication

Hi there Scott!

Thank you for your continued support even though my organisation is not a member of the Consortium. You have been of great help to me already! 🙂

> There I found the HttpServletRequestResponseContext which I was able to use ..
>> Use the bean we provide to access that class. It's essentially the same but you're depending on things we may change.

How do I find that bean? I looked around in the packages net.shibboleth.utilities.java.support.* but I couldn't find anything that provides access to these properties of the Request or the Request instance itself:

String remoteAddress = HttpServletRequestResponseContext.getRequest().getRemoteAddr();
String userAgent = HttpServletRequestResponseContext.getRequest().getHeader("User-Agent");


And another problem: It seems injection doesn't work in JAAS to gain access to the CookieManager. This remains null in my
class implementing the javax.security.auth.spi.LoginModule interface:
@Autowired
@Qualifier("shibboleth.CookieManager")
CookieManager cm;

And I see no mention of it in the log files.

So for now I used this to set our legacy (non-shibboleth) auth cookie after successful username+password authentication (which works 🙂):
HttpServletRequestResponseContext.getResponse().addCookie(cookie);

Could I maybe use a CredentialValidator (or something else) instead of JAAS which does support injection?
https://wiki.shibboleth.net/confluence/display/IDP4/PasswordAuthnConfiguration

Thanks a lot!
Kind regards,
Thomas Käfer

________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Thursday, 25 June 2020 18:57
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP3/4 -> read (&write) custom session cookie for authentication

Hello Scott!

I found a solution for this one myself, by looking around in the package of that CookieManager you gave me (net.shibboleth.utilities.java.support.net)

There I found the HttpServletRequestResponseContext which I was able to use like this:
HttpServletRequestResponseContext.getRequest().getRemoteAddr();
HttpServletRequestResponseContext.getRequest().getHeader("User-Agent");

Now I can successfully authenticate users who have this legacy auth cookie set on our domain.

My next task is to set this cookie for users who don't have it yet but can supply a valid username + password combination.
The place where I verify those at the moment is a JAAS implementation, but there I don't have access to "HttpServletRequestResponseContext" (or do I?)

Is there a way to ask Shibboleth to get the user to enter a username+password pair for verification out of such an AuthFunction?

Thank you a lot!
Kind regards
Thomas Käfer
________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Thursday, 25 June 2020 18:20
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP3/4 -> read (&write) custom session cookie for authentication

Hello Scott!

> I added a mention of the proper way to handle cookies into the documentation, and that does not rely on doing it by hand.

Thank you! That helped me a lot!

So I now got this:
@Autowired
@Qualifier("shibboleth.CookieManager")
CookieManager cm;

which allowed me to read the cookie, but I also need the User-Agent and the RemoteAddress (to allow the legacy Auth Service to verify that the Cookie hasn't been transferred).
I could have gotten that from the HttpServletRequest, but I can't get them from this CookieManager.

Can you give me some pointers how to get that too?

Thank you heaps!
Kind regards
Thomas Käfer

________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Thursday, 25 June 2020 14:30
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP3/4 -> read (&write) custom session cookie for authentication

Dear Scott,

sorry for the long pause.

I've now written a Class like this:

public class AuthFunction implements Function<ProfileRequestContext<AuthnRequest, String>, Object> {
@Override
public Object apply(ProfileRequestContext<AuthnRequest, String> arg0) {...}
}

And made my Shibboleth IDP4 use it by having this line in the config file:
<bean id="shibboleth.authn.Function.ResultLookupStrategy" class="at.ac.fhcampuswien.campusauth.AuthFunction" />
in the file /opt/shibboleth-idp/conf/authn/function-authn-config.xml

And the line
idp.authn.flows= Function
in the file /opt/shibboleth-idp/conf/idp.properties

By returning a hard coded username in that "apply" method, I managed to get successful authentication.

The problem I have not yet solved is accessing the HttpRequest for getting & HttpResponse for setting my custom authentication cookie (for Single-Sign-On compatibility with some legacy applications that don't use Shibboleth for authentication).

You said in a previous mail that I need to use injection for that. I tried:
@Autowired
org.opensaml.messaging.context.httpclient.HttpClientRequestContext h;

Which gives me this exception:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.opensaml.messaging.context.httpclient.HttpClientRequestContext' available

I also tried
@Autowired
javax.servlet.http.HttpServletRequest h;

Which gives a similar exception:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'javax.servlet.http.HttpServletRequest' available

Could you please give some more details on how to inject the HttpRequest so I can access the cookie I need?

Thank you
kind regards
Thomas Käfer

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, 28 April 2020 16:49
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

On 4/28/20, 9:21 AM, "users on behalf of Käfer Thomas" <users-bounces at shibboleth.net on behalf of thomas.kaefer at fh-campuswien.ac.at> wrote:

> Do you maybe have a pre-existing example of any (similar) login flow usage that I could infer how to do this from (I'd
> prefer Java to Javascript-let)..

That's just too broad a question for me to answer; all there is is the source code and the documentation on writing a custom login flow [1] combined with the little bit of higher level documentation. But a function to do this is far different than a real flow. There's nothing you're intended to rely on in the IdP for the most part other than some low level objects like the servlet API, it's just supposed to do its work and return the result.

The rest is a matter of Java and Spring and whatever you're actually trying to build it to do. If you're doing REST, then you should use the HttpClient work we have, and we have documentation on wiring that up.

> Also even if I understand the concept of bean injection, I sadly have no idea of how to do this in the Shibboleth context,
> and again I couldn't find any examples using Google.

Shibboleth has nothing to do with that part, this is a Spring-based implementation, it's the Spring documentation you have to read to understand how to relate objects together. We supply or standardize the objects, it's Spring configuration that puts them together. We have documentation on that and pointers to the parts of the Spring documentation that are required reading.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP4/Authentication


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
