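importPackage(Packages.com.Ostermiller.util);

importClass(Packages.org.ten60.netkernel.layer1.representation.MonoRepresentationImpl);
importClass(Packages.com.ten60.netkernel.urii.aspect.StringAspect);
importClass(Packages.org.ten60.netkernel.xml.representation.DOMXDAAspect);

// credentials.js
//
// Works out who the caller is and then issues the request named by the "uri"
// argument on the caller's behalf. Three sources are tried, in this order:
//   1. HTTP Basic credentials in the "Authorization" argument;
//   2. a Shibboleth principal carried in one of the request-header arguments
//      listed by active:ISOcat.manage.system.config.shibboleth;
//   3. a Bearer security token in "Authorization", validated through
//      active:ISOcat.control.access.shib.check_token (only when 1 and 2 gave nothing).
// A principal without credentials is resolved to credentials through
// active:ISOcat.manage.access.shibboleth. The sub-request receives "credentials"
// and/or "principal" plus every other incoming argument except the
// authentication-related and routing ones (see isSkipped below).
//
// Globals left behind by this script:
//   cred - credentials text (Basic auth decodes to "user:password"; the resolved
//          form is whatever active:ISOcat.manage.access.shibboleth returns), else null
//   shib - the Shibboleth principal, else null
//   shdr - name of the argument the principal was read from, else null

// Builds a data:text/plain URI for value, URL-encoded the way the original
// script did for the "credentials" and "principal" arguments.
function textURI(value) {
  return "data:text/plain," + java.net.URLEncoder.encode(value, "UTF-8");
}

// Returns the "Authorization" argument with its data: wrapper removed,
// URL-decoded and trimmed (a Java string), or null when the argument is absent.
// URLDecoder.decode throws IllegalArgumentException on a malformed %-escape;
// as in the original script that is left to propagate.
function readAuthorization() {
  if (!req.argumentExists("Authorization")) {
    return null;
  }
  var auth = req.getArgument("Authorization");
  auth = auth.replace("data:text/plain,", "");
  auth = java.net.URLDecoder.decode(auth, "UTF-8");
  return auth.trim();
}

// Returns the text at xpath from a DOMXDAAspect sub-request result as a JS
// string, or null when the result is null, carries no DOMXDAAspect, the aspect
// is null, or xpath is not present - the same chain of checks the original
// script repeated inline for each sub-request.
function xdaText(result, xpath) {
  if (result == null || !result.hasAspect(DOMXDAAspect)) {
    return null;
  }
  var aspect = result.getAspect(DOMXDAAspect);
  if (aspect == null) {
    return null;
  }
  var xda = aspect.getXDA();
  if (!xda.isTrue(xpath)) {
    return null;
  }
  var text = xda.getText(xpath, true);
  return (text == null) ? null : "" + text; // turn the Java string into a JS string
}

// get the current request
req = context.getThisRequest();

// create a subrequest out of the current request
subreq = context.createSubRequest();
subreq.setURI(req.getArgument("uri"));

cred = null;
shib = null;
shdr = null;

// first try HTTP Basic authentication
var auth = readAuthorization();
if (auth != null && auth.startsWith("Basic ")) {
  var decoded = Base64.decode(auth.replace("Basic ", ""), "UTF-8"); // Java string
  // The shibboleth token password can never come by BASIC authentication.
  // The test is made on the decoded "user:password" text; the original tested
  // the still Base64-encoded value, which can never end in ":shib", so the
  // rule was never enforced.
  if (!decoded.endsWith(":shib")) {
    decoded = "" + decoded; // turn the Java string into a JS string
    // strip a leading "<prefix>-" (presumably a realm prefix - TODO confirm)
    decoded = decoded.replace(/^[^\:\-]+-/, '');
    cred = decoded;
    subreq.addArgument("credentials", textURI(cred));
  }
}

// try Shibboleth authentication fallback chain:
// the configuration lists, space separated, the header arguments that may
// carry the principal; an absent configuration yields an empty list
var shreq = context.createSubRequest();
shreq.setURI("active:ISOcat.manage.system.config.shibboleth");
shreq.setAspectClass(DOMXDAAspect);
var shibHeaders = xdaText(context.issueSubRequest(shreq), "/nvp/header") || "";
shibHeaders = (shibHeaders == "") ? [] : shibHeaders.split(" ");
for (var i = 0; i < shibHeaders.length; i++) {
  if (req.argumentExists(shibHeaders[i])) {
    // NOTE(review): the header value is used as-is (not URL-decoded), as in the original
    var hdr = req.getArgument(shibHeaders[i]);
    hdr = hdr.replace("data:text/plain,", "");
    if (hdr != "") {
      shib = hdr;
      shdr = shibHeaders[i];
      break;
    }
  }
}

// if no credentials and no principal yet, try Shibboleth security token authentication
if (cred == null && shib == null && auth != null && auth.startsWith("Bearer ")) {
  var tok = "" + auth.replace("Bearer ", ""); // turn the Java string into a JS string
  // strip a leading "<prefix>-" (presumably a realm prefix - TODO confirm)
  tok = tok.replace(/^[^\:\-]+-/, '');
  var tokreq = context.createSubRequest();
  tokreq.setURI("active:ISOcat.control.access.shib.check_token");
  // URL-encoded like every other data:text/plain argument this script builds;
  // the original passed the token raw
  tokreq.addArgument("token", textURI(tok));
  tokreq.setAspectClass(DOMXDAAspect);
  var principal = xdaText(context.issueSubRequest(tokreq), "/string");
  if (principal != null && principal != "") {
    shib = principal;
  }
}

if (shib != null) {
  subreq.addArgument("principal", textURI(shib));
}

// if no credentials but the principal is known, try to resolve principal to credentials
if (cred == null && shib != null) {
  // request the credentials for the principal
  var credreq = context.createSubRequest();
  credreq.setURI("active:ISOcat.manage.access.shibboleth");
  credreq.addArgument("principal", textURI(shib));
  credreq.setAspectClass(DOMXDAAspect);
  var resolved = xdaText(context.issueSubRequest(credreq), "/string");
  // an empty <string/> still counts as credentials, as in the original
  if (resolved != null) {
    cred = resolved;
    subreq.addArgument("credentials", textURI(cred));
  }
}

// the only debug line left active: writes the principal (not the credentials)
// to stdout on every request
java.lang.System.out.println("DBG:credentials.js:shiboleth principal[" + shdr + "][" + shib + "]");

// arguments that are not forwarded: the authentication inputs consumed here,
// the "principal" we set ourselves, and the routing arguments "uri" and "operator".
// NOTE(review): "credentials" is not in this list, so a "credentials" argument on
// the incoming request is forwarded too (after the one this script may have
// added) - confirm that is intended.
var skipped = ["Authorization", "principal", "uri", "operator"];
if (shdr != null) {
  skipped.push(shdr);
}
skipped = skipped.concat(shibHeaders);

// true when name (a Java string) is one of the arguments that must not be forwarded
function isSkipped(name) {
  for (var j = 0; j < skipped.length; j++) {
    if (name.equals(skipped[j])) {
      return true;
    }
  }
  return false;
}

// forward every other argument of the incoming request to the subrequest
for (var iter = req.getArguments(); iter.hasNext(); ) {
  var arg = iter.next();
  if (isSkipped(arg)) {
    continue;
  }
  var argURI = req.getArgument(arg);
  if (argURI == null) {
    continue;
  }
  // pass the argument's value when the request holds one, otherwise its URI
  var argValue = req.getArgumentValue(argURI);
  if (argValue != null) {
    subreq.addArgument(arg, argValue);
  } else {
    subreq.addArgument(arg, argURI);
  }
}

reply = context.issueSubRequest(subreq);

// Create response, set metadata and exit
response = context.createResponseFrom(reply);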