source: cats/ISOcat/trunk/mod-ISOcat-control-access/control/credentials.js @ 5277

Last change on this file since 5277 was 5277, checked in by Menzo Windhouwer, 10 years ago

M mod-ISOcat-site*

  • keep track of revision info
  • added LREC 2014 papers

M mod-ISOcat-access-data/access/dc_check.acc
M mod-ISOcat-access-data/access/dcs_check.acc

  • some performance tracking

M mod-ISOcat-access-data/dbms/ISOcat-schema-init.sql

  • added more language tags

M mod-ISOcat-control-access/control/credentials.js

  • filter out Shibboleth credential arguments
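importPackage(Packages.com.Ostermiller.util);

importClass(Packages.org.ten60.netkernel.layer1.representation.MonoRepresentationImpl);
importClass(Packages.com.ten60.netkernel.urii.aspect.StringAspect);
importClass(Packages.org.ten60.netkernel.xml.representation.DOMXDAAspect);

// credentials.js
//
// Turns the authentication information on the incoming request into the
// "credentials" and "principal" arguments of a subrequest to the "uri"
// argument and forwards the remaining request arguments. The sources of
// authentication, tried in this order, are:
//   1. HTTP Basic authentication (Authorization: Basic ...)
//   2. a Shibboleth principal carried in one of the configured headers
//      (active:ISOcat.manage.system.config.shibboleth, /nvp/header)
//   3. a Shibboleth security token (Authorization: Bearer ...), checked
//      through active:ISOcat.control.access.shib.check_token
// A principal without credentials is resolved to credentials through
// active:ISOcat.manage.access.shibboleth.

// prefix NetKernel puts in front of literal (data: URI) argument values
var DATA_PREFIX = "data:text/plain,";

// Wrap a literal value as a URL-encoded data: URI argument.
function dataURI(value) {
    return DATA_PREFIX + java.net.URLEncoder.encode(value, "UTF-8");
}

// Return the decoded and trimmed Authorization argument of the current
// request (a Java String), or null when the request has none.
function authorizationHeader() {
    if (!req.argumentExists("Authorization")) {
        return null;
    }
    var header = req.getArgument("Authorization");
    header = header.replace(DATA_PREFIX, "");
    header = java.net.URLDecoder.decode(header, "UTF-8");
    return header.trim();
}

// Unwrap a subrequest result to the text at xpath. Returns null when the
// result is missing, carries no DOMXDAAspect, or has no node at xpath.
function xdaText(res, xpath) {
    if (res == null || !res.hasAspect(DOMXDAAspect)) {
        return null;
    }
    var aspect = res.getAspect(DOMXDAAspect);
    if (aspect == null) {
        return null;
    }
    var xda = aspect.getXDA();
    if (!xda.isTrue(xpath)) {
        return null;
    }
    return xda.getText(xpath, true);
}

// Issue a subrequest to uri, asking for a DOMXDAAspect, and return the text
// at xpath of its result (see xdaText). args maps argument names to URIs.
function fetchText(uri, args, xpath) {
    var sr = context.createSubRequest();
    sr.setURI(uri);
    for (var name in args) {
        sr.addArgument(name, args[name]);
    }
    sr.setAspectClass(DOMXDAAspect);
    return xdaText(context.issueSubRequest(sr), xpath);
}

// get the current request
var req = context.getThisRequest();

// create a subrequest out of the current request
var subreq = context.createSubRequest();
subreq.setURI(req.getArgument("uri"));

var cred = null; // user:password credentials to forward, once known
var shib = null; // Shibboleth principal to forward, once known
var shdr = null; // request argument the principal was taken from

// first try HTTP Basic authentication
var auth = authorizationHeader();
if (auth != null && auth.startsWith("Basic ")) {
    auth = auth.replace("Basic ", "");
    auth = Base64.decode(auth, "UTF-8");
    auth = "" + auth; // turn the Java string into a JS string
    auth = auth.replace(/^[^\:\-]+-/, '');
    // the shibboleth token password can never come by BASIC authentication;
    // this has to be tested on the decoded user:password pair, because the
    // Base64 text itself never contains a colon
    if (!/:shib$/.test(auth)) {
        cred = auth;
        subreq.addArgument("credentials", dataURI(cred));
    }
}

// try Shibboleth authentication fallback chain: the configured header names,
// space separated; an empty configuration yields a single empty name
var shibHeaders = fetchText("active:ISOcat.manage.system.config.shibboleth", {}, "/nvp/header");
if (shibHeaders == null) {
    shibHeaders = "";
}
shibHeaders = shibHeaders.split(" ");
for (var h = 0; h < shibHeaders.length; h++) {
    if (req.argumentExists(shibHeaders[h])) {
        var principal = req.getArgument(shibHeaders[h]);
        principal = principal.replace(DATA_PREFIX, "");
        if (principal != "") {
            shib = principal;
            shdr = shibHeaders[h];
            break;
        }
    }
}

// if no credentials and no principal yet, try Shibboleth security token authentication
if (cred == null && shib == null) {
    auth = authorizationHeader();
    if (auth != null && auth.startsWith("Bearer ")) {
        var tok = auth.replace("Bearer ", "");
        tok = "" + tok; // turn the Java string into a JS string
        tok = tok.replace(/^[^\:\-]+-/, '');
        // the token is passed encoded, like every other data: argument here
        var tokenPrincipal = fetchText("active:ISOcat.control.access.shib.check_token", { token: dataURI(tok) }, "/string");
        if (tokenPrincipal != null && tokenPrincipal != "") {
            shib = tokenPrincipal;
        }
    }
}

if (shib != null) {
    subreq.addArgument("principal", dataURI(shib));
}

// if no credentials but the principal is known, try to resolve principal to credentials
if (cred == null && shib != null) {
    var resolved = fetchText("active:ISOcat.manage.access.shibboleth", { principal: dataURI(shib) }, "/string");
    if (resolved != null) {
        cred = resolved;
        subreq.addArgument("credentials", dataURI(cred));
    }
    // a principal that cannot be resolved is forwarded without credentials
}

// debug output of the principal, disabled like the other DBG lines
//java.lang.System.out.println("DBG:credentials.js:shibboleth principal["+shdr+"]["+shib+"]");

// arguments this script consumes or replaces; they are never forwarded
var RESERVED_ARGS = ["Authorization", "principal", "uri", "operator"];

// True when arg (a Java String) must not be copied to the subrequest: the
// reserved names, the header the principal was taken from, and every
// configured Shibboleth header.
function isFilteredArg(arg) {
    var i;
    if (shdr != null && arg.equals(shdr)) {
        return true;
    }
    for (i = 0; i < RESERVED_ARGS.length; i++) {
        if (arg.equals(RESERVED_ARGS[i])) {
            return true;
        }
    }
    for (i = 0; i < shibHeaders.length; i++) {
        if (arg.equals(shibHeaders[i])) {
            return true;
        }
    }
    return false;
}

// forward the remaining request arguments: the argument value when the
// request holds one, otherwise the argument URI itself
for (var iter = req.getArguments(); iter.hasNext(); ) {
    var arg = iter.next();
    if (isFilteredArg(arg)) {
        continue;
    }
    var argURI = req.getArgument(arg);
    if (argURI == null) {
        continue;
    }
    var argValue = req.getArgumentValue(argURI);
    if (argValue != null) {
        subreq.addArgument(arg, argValue);
    } else {
        subreq.addArgument(arg, argURI);
    }
}

var reply = context.issueSubRequest(subreq);

// create response, set metadata and exit
response = context.createResponseFrom(reply);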