Class SunNetAuthHandler

  • All Implemented Interfaces:
    Handler

    public class SunNetAuthHandler
    extends java.lang.Object
    implements Handler
    All-in-one Handler for doing supplier.net style authentication.

    The purpose of this handler is to provide an authenticated "front end" to one or more web sites, using (hopefully) arbitrary challenge- response based authentication via a plug-in authentication interface. It can bridge disparate DNS domains by selectively mapping servers on one domain into another, based on the supplied credentials, by using the MultiProxyHandler.

    The authentication step is expected to yield a list of roles, each of which represents permission to access a specific foreign site. Once authentication is complete, and the roles are obtained, the handler keeps a set of credentials (a lease) on behalf of the user, which can be tuned at setup time for a variety of expiration conditions. Once a lease expires, re-authentication is required.

    This handler starts two sets of handlers of its own, an authentication handler - responsible for doing the authentication, and one of more virtual proxy handlers - one for each possible role. In the current implementation, the authentication handler is specified and a configuration property, and the proxy handlers are all instances of MultiProxyHandler, one per role.

    Operation of the handler proceeds in the following steps:

    1. When the server starts, the handler is initialized.
      • The template file is located and read.
      • One MultiProxyHandler is started for each possible role
      • The Authentication handler is started. Its operation is defined below.
    2. Browser cookies are used as a reference to the user's credentials. If the cookie returned by the browser refers to a valid credential, the requested url is compared to the user's roles. If the requested URL is permitted, by matching one of the users's roles, the URL is forwarded to the proper virtual web site for delivery. Otherwise the URL is considered "not found".
    3. If the credentials are not valid, either because thay had expired, were removed, or there is no browser cookie, the authentication sequence is started, for the purpose of obtaining valid credentials.
      • A browser cookie is chosen at random, and a "set-cookie" request is sent to the client (in lieu of the URL requested) along with the login template. An additional random value is created, retained by the handler on behalf of this client, and made available as a parameter to the login template.
      • The next response from the client is expected to contain the information required to authenticate the client. This is normally accomplished by having the user fill out the form that is contained on the login template, and clicking the submit button.
      • The client's response (e.g. query data), along with the random number generated in the previous step, are forwarded to the authentication handler.
      • The authentication handler is expected to place a user id and a list of roles in the resulting request object if authentication is successful or an error message otherwise. If the authentication suceeds, the roles are entered into the lease, and the original URL processing is resumed. If instead an error is returned, the authentication sequence is repeated. The error message is may be displayed to the user if it is included as a parameter on the login template.

    The login template is ordinary HTML, except contructs of the form:

       <insert property=xx default=yy>
     
    may be used to substitute Request.props into the template. The properties challenge and Message are automatically set to indicate the random challange and error message (if any) from a previous attempt, respectively.

    The following configuration parameters are recgnized:

    prefix
    URL prefix for proxy
    authenticate
    URL for authentication page
    cookie
    name of the cookie
    roles
    list of roles
    proxy
    prefix for proxy handler
    idName
    property key for token id
    roleName
    property key for token roles
    maxIdle
    maximum idle time for token (seconds)
    maxAge
    maximum total age for token (seconds)
    maxUses
    maximum total uses for token
    exit
    prefix to exit a session
    all
    "free" directory suffixes
    template
    login template
    Currently, the "sunlabs.brazil.handler.MultiProxyHandler" class is called to do the actual proxying. (There should be a link to a sample config file for this one)

    NOTE: This handler is included for historical purposes. It should be upated to take advantage of features not available when it was first written.

    Version:
    2.1, 02/10/01
    Author:
    Stephen Uhler
    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      boolean init​(Server server, java.lang.String prefix)
      Set up all of the handlers - Secure Token Services for authentication - MultiProxyHandler for dispatching to hosts
      static java.lang.String processTemplate​(java.lang.String template, java.util.Hashtable data)
      Process a template page, and send to the client.
      boolean respond​(Request request)
      Act like a "gatekeeper".
      void returnLogin​(Request request, java.lang.String message)
      return the login page with the appropriate message substituted in
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SunNetAuthHandler

        public SunNetAuthHandler()
    • Method Detail

      • init

        public boolean init​(Server server,
                            java.lang.String prefix)
        Set up all of the handlers - Secure Token Services for authentication - MultiProxyHandler for dispatching to hosts
        Specified by:
        init in interface Handler
        Parameters:
        server - The HTTP server that created this Handler. Typical Handlers will use Server.props to obtain run-time configuration information.
        prefix - The handlers name. The string this Handler may prepend to all of the keys that it uses to extract configuration information from Server.props. This is set (by the Server and ChainHandler) to help avoid configuration parameter namespace collisions.
        Returns:
        true if this Handler initialized successfully, false otherwise. If false is returned, this Handler should not be used.
      • respond

        public boolean respond​(Request request)
                        throws java.io.IOException
        Act like a "gatekeeper". If we have a valid browser cookie, Then dispatch to one of the proxies. If not, try to authenticate by returning the login "template", fetching the credentials, and establising a session.
        Specified by:
        respond in interface Handler
        Parameters:
        request - The Request object that represents the HTTP request.
        Returns:
        true if the request was handled. A request was handled if a response was supplied to the client, typically by calling Request.sendResponse() or Request.sendError.
        Throws:
        java.io.IOException - if there was an I/O error while sending the response to the client. Typically, in that case, the Server will (try to) send an error message to the client and then close the client's connection.

        The IOException should not be used to silently ignore problems such as being unable to access some server-side resource (for example getting a FileNotFoundException due to not being able to open a file). In that case, the Handler's duty is to turn that IOException into a HTTP response indicating, in this case, that a file could not be found.

      • returnLogin

        public void returnLogin​(Request request,
                                java.lang.String message)
        return the login page with the appropriate message substituted in
      • processTemplate

        public static java.lang.String processTemplate​(java.lang.String template,
                                                       java.util.Hashtable data)
        Process a template page, and send to the client. This should be re-done to use the template handler. Look for html tags of the form: Also look for: and replace the tag with the value of the request property.
        Parameters:
        template - The template to process
        data - The hashtable containing the data to subst