Class RemoteUserAuthServlet

java.lang.Object
  javax.servlet.GenericServlet
    javax.servlet.http.HttpServlet
      net.shibboleth.idp.authn.impl.RemoteUserAuthServlet
All Implemented Interfaces:
Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class RemoteUserAuthServlet
extends javax.servlet.http.HttpServlet
Extracts authentication information from the request and returns it via the IdP's external authentication interface.

Common usage allows for extraction of REMOTE_USER or a username from request attributes or headers.

More advanced features include the ability to directly consume a Subject from a request attribute (in which case it is returned sight unseen directly to the IdP as the external result) and the ability to check a header for strings containing authentication method identifiers which can be mapped back into custom Principal objects (in which case they are attached to a newly constructed Subject to return).

See Also:
Serialized Form
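
The description above lets an identity come from request headers (checkHeaders), with method and authority strings from authnMethodHeader and authnAuthorityHeader; those values are only as trustworthy as the component that sets them. The following is an added example, not Shibboleth code: a servlet filter that hides the configured headers from downstream servlets unless the request's direct peer is a trusted front end. The class name and the `guardedHeaders` and `trustedPeers` init parameters are hypothetical, and the filter assumes `getRemoteAddr()` reports the direct peer.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (hypothetical class): hides identity headers from untrusted peers. */
public class IdentityHeaderGuardFilter implements Filter {
    private Set<String> guarded = new HashSet<>();      // lower-cased header names to hide
    private Set<String> trustedPeers = new HashSet<>(); // peer addresses allowed to set them

    @Override public void init(FilterConfig cfg) {
        // Hypothetical init-param names for this filter; they are not Shibboleth parameters.
        guarded = split(cfg.getInitParameter("guardedHeaders"), true);
        trustedPeers = split(cfg.getInitParameter("trustedPeers"), false);
    }

    /** Splits a comma/whitespace separated list, optionally lower-casing each entry. */
    private static Set<String> split(String value, boolean lower) {
        Set<String> out = new HashSet<>();
        if (value != null) {
            for (String s : value.trim().split("[\\s,]+")) {
                if (!s.isEmpty()) { out.add(lower ? s.toLowerCase(Locale.ROOT) : s); }
            }
        }
        return out;
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Trusted front ends (and non-HTTP requests) pass through unchanged.
        if (!(req instanceof HttpServletRequest) || trustedPeers.contains(req.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        // Any other peer: the guarded headers are invisible to servlets further down the chain.
        chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) req) {
            private boolean hidden(String n) { return n != null && guarded.contains(n.toLowerCase(Locale.ROOT)); }
            @Override public String getHeader(String n) { return hidden(n) ? null : super.getHeader(n); }
            @Override public Enumeration<String> getHeaders(String n) {
                return hidden(n) ? Collections.<String>emptyEnumeration() : super.getHeaders(n);
            }
            @Override public Enumeration<String> getHeaderNames() {
                Enumeration<String> all = super.getHeaderNames();
                if (all == null) { return null; } // container may not expose header names
                List<String> names = new ArrayList<>();
                for (String n : Collections.list(all)) { if (!hidden(n)) { names.add(n); } }
                return Collections.enumeration(names);
            }
        }, res);
    }

    @Override public void destroy() { }
}
```

Map the filter ahead of the servlet and list in `guardedHeaders` every header named in checkHeaders, authnMethodHeader and authnAuthorityHeader.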
  • Field Details

    • serialVersionUID

      private static final long serialVersionUID
      Serial UID.
      See Also:
      Constant Field Values
    • CHECK_REMOTE_USER_PARAM

      @Nonnull @NotEmpty private static final String CHECK_REMOTE_USER_PARAM
      Init parameter controlling whether to check for REMOTE_USER.
      See Also:
      Constant Field Values
    • CHECK_ATTRIBUTES_PARAM

      @Nonnull @NotEmpty private static final String CHECK_ATTRIBUTES_PARAM
      Init parameter controlling what attributes to check.
      See Also:
      Constant Field Values
    • CHECK_HEADERS_PARAM

      @Nonnull @NotEmpty private static final String CHECK_HEADERS_PARAM
      Init parameter controlling what headers to check.
      See Also:
      Constant Field Values
    • SUBJECT_ATTRIBUTE_PARAM

      @Nonnull @NotEmpty private static final String SUBJECT_ATTRIBUTE_PARAM
      Init parameter identifying an attribute to check for a Subject.
      See Also:
      Constant Field Values
    • AUTHN_METHOD_HEADER_PARAM

      @Nonnull @NotEmpty private static final String AUTHN_METHOD_HEADER_PARAM
      Init parameter identifying a header to check for one or more authentication method strings.
      See Also:
      Constant Field Values
    • AUTHN_AUTHORITY_HEADER_PARAM

      @Nonnull @NotEmpty private static final String AUTHN_AUTHORITY_HEADER_PARAM
      Init parameter identifying a header to check for one or more proxied authenticating authority strings.
      See Also:
      Constant Field Values
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • checkRemoteUser

      private boolean checkRemoteUser
      Whether to check REMOTE_USER for an identity. Defaults to true.
    • checkAttributes

      @Nonnull @NonnullElements private Collection<String> checkAttributes
      List of request attributes to check for an identity.
    • checkHeaders

      @Nonnull @NonnullElements private Collection<String> checkHeaders
      List of request headers to check for an identity.
    • subjectAttribute

      @Nullable @NotEmpty private String subjectAttribute
      Request attribute to check for a Subject.
    • authnMethodHeader

      @Nullable @NotEmpty private String authnMethodHeader
      Header to check for authentication method strings.
    • authnAuthorityHeader

      @Nullable @NotEmpty private String authnAuthorityHeader
      Header to check for proxied authenticating authority strings.
  • Constructor Details

    • RemoteUserAuthServlet

      public RemoteUserAuthServlet()
      Constructor.
  • Method Details

    • setCheckRemoteUser

      public void setCheckRemoteUser(boolean flag)
      Set whether to check REMOTE_USER for an identity.
      Parameters:
      flag - value to set
    • setCheckAttributes

      public void setCheckAttributes(@Nonnull @NonnullElements Collection<String> attributes)
      Set the list of request attributes to check for an identity.
      Parameters:
      attributes - list of request attributes to check
    • setCheckHeaders

      public void setCheckHeaders(@Nonnull @NonnullElements Collection<String> headers)
      Set the list of request headers to check for an identity.
      Parameters:
      headers - list of request headers to check
    • setSubjectAttribute

      public void setSubjectAttribute(@Nullable @NotEmpty String attribute)
      Set the name of a request attribute to check for a Subject.
      Parameters:
      attribute - request attribute name
    • setAuthnMethodHeader

      public void setAuthnMethodHeader(@Nullable @NotEmpty String header)
      Set the name of a request header to check for authentication method strings.
      Parameters:
      header - request header name
    • setAuthnAuthorityHeader

      public void setAuthnAuthorityHeader(@Nullable @NotEmpty String header)
      Set the name of a request header to check for authenticating authority strings.
      Parameters:
      header - request header name
      Since:
      3.4.0
    • init

      public void init(javax.servlet.ServletConfig config) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Servlet
      Overrides:
      init in class javax.servlet.GenericServlet
      Throws:
      javax.servlet.ServletException
    • service

      protected void service(javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse) throws javax.servlet.ServletException, IOException
      Overrides:
      service in class javax.servlet.http.HttpServlet
      Throws:
      javax.servlet.ServletException
      IOException
    • getAuthenticationFlowDescriptor

      @Nullable public AuthenticationFlowDescriptor getAuthenticationFlowDescriptor(@Nonnull @NotEmpty String key, @Nonnull javax.servlet.http.HttpServletRequest httpRequest) throws ExternalAuthenticationException
      Get the executing AuthenticationFlowDescriptor.
      Parameters:
      key - external authentication key
      httpRequest - servlet request
      Returns:
      active descriptor, or null
      Throws:
      ExternalAuthenticationException - if unable to access the profile context
    • getPrincipal

      @Nullable public Principal getPrincipal(@Nonnull AuthenticationFlowDescriptor descriptor, @Nonnull @NotEmpty String method)
      Locate a custom Principal matching a string, supported by the flow descriptor.
      Parameters:
      descriptor - flow descriptor
      method - method string
      Returns:
      a custom Principal or null