1 | importPackage(Packages.com.Ostermiller.util); |
---|
2 | |
---|
3 | importClass(Packages.org.ten60.netkernel.layer1.representation.MonoRepresentationImpl); |
---|
4 | importClass(Packages.com.ten60.netkernel.urii.aspect.StringAspect); |
---|
5 | importClass(Packages.org.ten60.netkernel.xml.representation.DOMXDAAspect); |
---|
6 | |
---|
7 | //java.lang.System.out.println("DBG:credentials.js:welcome"); |
---|
8 | |
---|
// Results of the authentication steps that follow. Both start unset:
//   cred - credentials string forwarded as the "credentials" argument
//   shib - Shibboleth principal forwarded as the "principal" argument
shib = null;
cred = null;

// The request being handled, and the sub-request that is forwarded once the
// caller's identity has been worked out.
req = context.getThisRequest();
subreq = context.createSubRequest();

// NOTE(review): the forwarding target is taken verbatim from the request's
// "uri" argument - confirm that only the module's own mapping can set it.
subreq.setURI(req.getArgument("uri"));
18 | |
---|
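// Step 1: HTTP Basic authentication.
//
// The "Authorization" argument is read as a data:text/plain URI, URL-decoded
// and trimmed. For a "Basic " header the Base64 payload is decoded, a leading
// "<prefix>-" (a run of characters containing neither ':' nor '-', followed
// by '-') is stripped, and the remainder is forwarded as "credentials".
if (req.argumentExists("Authorization")) {
    auth = req.getArgument("Authorization");
    auth = auth.replace("data:text/plain,", "");
    auth = java.net.URLDecoder.decode(auth, "UTF-8");
    auth = auth.trim();
    // the shibboleth token password can never come by BASIC authentication
    if (auth.startsWith("Basic ") && !auth.endsWith(":shib")) {
        auth = auth.replace("Basic ", "");
        auth = Base64.decode(auth, "UTF-8");
        auth = "" + auth; // turn the Java string into a JS string
        auth = auth.replace(/^[^\:\-]+-/, '');
        // The check above looks at the header while it is still Base64 text,
        // which cannot contain ':', so on its own it never rejects a
        // well-formed Basic header. Repeat the same test on the decoded
        // value so that the rule stated in the comment is actually enforced.
        // NOTE(review): presumably ":shib" marks credentials that may only be
        // issued by the principal lookup further down - confirm.
        if (!/:shib$/.test(auth)) {
            cred = auth;
            subreq.addArgument("credentials", "data:text/plain," + java.net.URLEncoder.encode(cred, "UTF-8"));
        }
    }
}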
39 | |
---|
// Step 2: Shibboleth eduPersonPrincipalName (EPPN).
// A non-empty value becomes the principal, regardless of whether Basic
// credentials were found above.
// NOTE(review): the value is trusted as the authenticated identity without
// further checks here - confirm the transport fills this argument only from
// the Shibboleth service provider and drops any client-supplied copy.
if (req.argumentExists("eduPersonPrincipalName")) {
    var auth = req.getArgument("eduPersonPrincipalName").replace("data:text/plain,", "");
    if (!(auth == "")) {
        shib = auth;
    }
}
49 | |
---|
// Step 3: Shibboleth eduPersonTargetedID (EPTID), consulted only when the
// EPPN step did not yield a principal. A non-empty value becomes the
// principal.
// NOTE(review): as with EPPN, the value is trusted as-is - confirm that the
// argument cannot be supplied directly by the client.
if (shib == null && req.argumentExists("eduPersonTargetedID")) {
    var auth = req.getArgument("eduPersonTargetedID").replace("data:text/plain,", "");
    if (!(auth == "")) {
        shib = auth;
    }
}
61 | |
---|
// Step 4: Shibboleth security token, tried only when neither credentials nor
// a principal have been established so far.
//
// A "Bearer " Authorization value has its leading "<prefix>-" stripped and is
// handed to active:ISOcat.control.access.shib.check_token. A non-empty
// "/string" text in the DOMXDAAspect of the answer becomes the principal.
if (cred == null && shib == null && req.argumentExists("Authorization")) {
    auth = req.getArgument("Authorization");
    auth = java.net.URLDecoder.decode(auth.replace("data:text/plain,", ""), "UTF-8").trim();
    if (auth.startsWith("Bearer ")) {
        tok = "" + auth.replace("Bearer ", ""); // Java string -> JS string
        tok = tok.replace(/^[^\:\-]+-/, '');

        var tokreq = context.createSubRequest();
        tokreq.setURI("active:ISOcat.control.access.shib.check_token");
        // NOTE(review): tok is client-supplied and is appended without URL
        // encoding, unlike the "credentials" and "principal" arguments built
        // elsewhere in this script - confirm what check_token expects before
        // aligning the two.
        tokreq.addArgument("token", "data:text/plain," + tok);
        tokreq.setAspectClass(DOMXDAAspect);

        tokres = context.issueSubRequest(tokreq);
        if (tokres != null && tokres.hasAspect(DOMXDAAspect)) {
            tokres = tokres.getAspect(DOMXDAAspect);
            if (tokres != null) {
                tokres = tokres.getXDA();
                if (tokres.isTrue("/string")) {
                    tokres = tokres.getText("/string", true);
                    // an empty answer leaves the principal unset
                    if (!(tokres == "")) {
                        shib = tokres;
                    }
                }
            }
        }
    }
}
99 | |
---|
100 | //java.lang.System.out.println("DBG:credentials.js:principal["+shib+"]"); |
---|
// Forward the principal, when one was established, as a URL-encoded
// data:text/plain argument of the sub-request.
if (shib != null) {
    subreq.addArgument(
        "principal",
        "data:text/plain," + java.net.URLEncoder.encode(shib, "UTF-8")
    );
}
104 | |
---|
// Step 5: a principal is known but no credentials were presented, so ask
// active:ISOcat.manage.access.shibboleth for the credentials belonging to
// that principal. When the answer carries a DOMXDAAspect with a "/string"
// element, its text is forwarded as "credentials"; every other outcome
// leaves the sub-request without credentials.
// NOTE(review): unlike the token check, an empty "/string" text is not
// rejected here - confirm that the lookup never returns one.
if (cred == null && shib != null) {
    var credreq = context.createSubRequest();
    credreq.setURI("active:ISOcat.manage.access.shibboleth");
    credreq.addArgument("principal", "data:text/plain," + java.net.URLEncoder.encode(shib, "UTF-8"));
    credreq.setAspectClass(DOMXDAAspect);

    auth = context.issueSubRequest(credreq);
    if (auth != null && auth.hasAspect(DOMXDAAspect)) {
        auth = auth.getAspect(DOMXDAAspect);
        if (auth != null) {
            auth = auth.getXDA();
            if (auth.isTrue("/string")) {
                auth = auth.getText("/string", true);
                cred = auth;
                subreq.addArgument("credentials", "data:text/plain," + java.net.URLEncoder.encode(cred, "UTF-8"));
            }
        }
    }
}
134 | |
---|
135 | //java.lang.System.out.println("DBG:credentials.js:authorization credentials["+cred+"]"); |
---|
136 | //java.lang.System.out.println("DBG:credentials.js:shiboleth principal["+shib+"]"); |
---|
137 | |
---|
// Copy the remaining request arguments onto the sub-request.
//
// The identity-bearing arguments handled above ("Authorization",
// "eduPersonPrincipalName", "eduPersonTargetedID", "principal") and the
// routing arguments ("uri", "operator") are never passed through. Every other
// argument is forwarded by value when the request holds one for its URI, and
// by URI otherwise (an earlier, disabled variant re-encoded data:text/plain
// URIs because '+' has a special meaning in an active URI).
//
// NOTE(review): "credentials" is not in the skip list, so an incoming
// argument of that name is forwarded next to the one computed above -
// confirm that callers cannot supply it, or filter it like "principal".
iter = req.getArguments();
while (iter.hasNext()) {
    arg = iter.next();
    if (arg.equals("Authorization")
            || arg.equals("eduPersonPrincipalName")
            || arg.equals("eduPersonTargetedID")
            || arg.equals("principal")
            || arg.equals("uri")
            || arg.equals("operator")) {
        continue;
    }

    argURI = req.getArgument(arg);
    if (argURI == null) {
        continue;
    }

    argValue = req.getArgumentValue(argURI);
    if (argValue == null) {
        subreq.addArgument(arg, argURI);
    } else {
        subreq.addArgument(arg, argValue);
    }
}
175 | |
---|
// Issue the prepared sub-request (target URI, identity arguments and the
// passed-through arguments) and build this script's response from whatever
// it returns.
reply = context.issueSubRequest(subreq);
response = context.createResponseFrom(reply);
180 | |
---|
181 | //java.lang.System.out.println("DBG:credentials.js:done"); |
---|