Changeset 2674

Timestamp:

03/11/13 10:35:08 (11 years ago)

Author:

mwindhouwer

Message:

M mod-ISOcat-control-access/control/credentials.js

• make sure we always pass the principal even when authentication went via HTTP BASIC, this is needed for the bind step
• also look for eduPersonTargetedID

M mod-ISOcat-interface-rest/etc/HTTPBridgeConfig.xml

• also pass on eduPersonTargetedID

Location:

cats/ISOcat/trunk

Files:

• mod-ISOcat-control-access/control/credentials.js (modified) (3 diffs)
• mod-ISOcat-interface-rest/etc/HTTPBridgeConfig.xml (modified) (1 diff)

cats/ISOcat/trunk/mod-ISOcat-control-access/control/credentials.js

@@ -19 +19 @@
 // first try HTTP Basic authentication
 if (req.argumentExists("Authorization")) {
-        auth = req.getArgument("Authorization");
-        auth = auth.replace("data:text/plain,","");
-        auth = java.net.URLDecoder.decode(auth,"UTF-8");
-        auth = auth.trim();
-        if (auth.startsWith("Basic ")) {
+    auth = req.getArgument("Authorization");
+    auth = auth.replace("data:text/plain,","");
+    auth = java.net.URLDecoder.decode(auth,"UTF-8");
+    auth = auth.trim();
+    if (auth.startsWith("Basic ")) {
         // the shibboleth token password can never come by BASIC authentication
         if (!auth.endsWith(":shib")) {
@@ -33 +33 @@
             //java.lang.System.out.println("DBG:credentials.js:auth["+auth+"] without prefix");
             cred = auth;
-                subreq.addArgument("credentials","data:text/plain,"+java.net.URLEncoder.encode(cred,"UTF-8"));
-        }
-        }
+            subreq.addArgument("credentials","data:text/plain,"+java.net.URLEncoder.encode(cred,"UTF-8"));
+        }
+    }
 }
 
 // try Shibboleth EPPN authentication
 if ((req.argumentExists("eduPersonPrincipalName"))) {
-        var auth = req.getArgument("eduPersonPrincipalName");
-        auth = auth.replace("data:text/plain,","");
-        //java.lang.System.out.println("DBG:credentials.js:principal["+auth+"]");
-        if (auth != "") {
-            shib = auth;
-        }
+    var auth = req.getArgument("eduPersonPrincipalName");
+    auth = auth.replace("data:text/plain,","");
+    //java.lang.System.out.println("DBG:credentials.js:principal["+auth+"]");
+    if (auth != "") {
+        shib = auth;
+    }
+}
+
+// if no principal yet, try Shibboleth EPTID authentication
+if (shib == null) {
+    if ((req.argumentExists("eduPersonTargetedID"))) {
+        var auth = req.getArgument("eduPersonTargetedID");
+        auth = auth.replace("data:text/plain,","");
+        //java.lang.System.out.println("DBG:credentials.js:principal["+auth+"]");
+        if (auth != "") {
+            shib = auth;
+        }
+    }
 }
 
@@ -76 +88 @@
                             //java.lang.System.out.println("DBG:credentials.js:tokres["+tokres+"]");
                             if (tokres != "") {
-                                    shib = tokres;
+                                shib = tokres;
                             }
                         }
-                                        }
-                                }
-                        }
-                }
+                    }
+                }
+            }
+        }
     }
 }
 
 //java.lang.System.out.println("DBG:credentials.js:principal["+shib+"]");
+if (shib == null) {
+    subreq.addArgument("principal","data:text/plain,"+java.net.URLEncoder.encode(shib,"UTF-8"));
+}
 
 // if no credentials but the principal is known, try to resolve principal to credentials 
 if ((cred == null) && (shib != null)) {
-    subreq.addArgument("principal","data:text/plain,"+java.net.URLEncoder.encode(shib,"UTF-8"));
     // request the credentials for the principal
     var credreq = context.createSubRequest();
-        credreq.setURI("active:ISOcat.manage.access.shibboleth");
-        credreq.addArgument("principal","data:text/plain,"+java.net.URLEncoder.encode(shib,"UTF-8"));
-        credreq.setAspectClass(DOMXDAAspect);
-        auth = context.issueSubRequest(credreq);
-        if (auth != null) {
-                //java.lang.System.out.println("DBG:credentials.js:cred["+auth.getAspects()+"]");
-                if (auth.hasAspect(DOMXDAAspect)) {
-                        auth = auth.getAspect(DOMXDAAspect);
-                        //java.lang.System.out.println("DBG:credentials.js:XDA["+auth+"]");
-                        if (auth != null) {
-                                auth = auth.getXDA();
-                                if (auth.isTrue("/string")) {
-                                        auth =  auth.getText("/string",true);
-                                        //java.lang.System.out.println("DBG:credentials.js:auth["+auth+"]");
-                                        cred = auth;
-                                        subreq.addArgument("credentials","data:text/plain,"+java.net.URLEncoder.encode(cred,"UTF-8"));
-                                } //else
-                                        //java.lang.System.out.println("ERR:credentials.js:cred["+cred+"] has no <string/> envelop");
-                        } //else
-                                //java.lang.System.out.println("ERR:credentials.js:cred["+cred+"] has NULL DOMXDAAspect");
-                } //else
-                        //java.lang.System.out.println("ERR:credentials.js:cred["+cred+"] has no DOMXDAAspect");
+    credreq.setURI("active:ISOcat.manage.access.shibboleth");
+    credreq.addArgument("principal","data:text/plain,"+java.net.URLEncoder.encode(shib,"UTF-8"));
+    credreq.setAspectClass(DOMXDAAspect);
+    auth = context.issueSubRequest(credreq);
+    if (auth != null) {
+        //java.lang.System.out.println("DBG:credentials.js:cred["+auth.getAspects()+"]");
+        if (auth.hasAspect(DOMXDAAspect)) {
+            auth = auth.getAspect(DOMXDAAspect);
+            //java.lang.System.out.println("DBG:credentials.js:XDA["+auth+"]");
+            if (auth != null) {
+                auth = auth.getXDA();
+                if (auth.isTrue("/string")) {
+                    auth =  auth.getText("/string",true);
+                    //java.lang.System.out.println("DBG:credentials.js:auth["+auth+"]");
+                    cred = auth;
+                    subreq.addArgument("credentials","data:text/plain,"+java.net.URLEncoder.encode(cred,"UTF-8"));
+                } //else
+                    //java.lang.System.out.println("ERR:credentials.js:cred["+cred+"] has no <string/> envelop");
+            } //else
+                //java.lang.System.out.println("ERR:credentials.js:cred["+cred+"] has NULL DOMXDAAspect");
+        } //else
+            //java.lang.System.out.println("ERR:credentials.js:cred["+cred+"] has no DOMXDAAspect");
     } //else
-                //java.lang.System.out.println("ERR:credentials.js:auth is NULL");
+        //java.lang.System.out.println("ERR:credentials.js:auth is NULL");
 }
 
-java.lang.System.out.println("DBG:credentials.js:authorization credentials["+cred+"]");
-java.lang.System.out.println("DBG:credentials.js:shiboleth principal["+shib+"]");
+//java.lang.System.out.println("DBG:credentials.js:authorization credentials["+cred+"]");
+//java.lang.System.out.println("DBG:credentials.js:shiboleth principal["+shib+"]");
 
 for(iter = req.getArguments(); iter.hasNext(); ) {
-        arg = iter.next();
-        if (arg.equals("Authorization")) {
-                continue;
-        } else if (arg.equals("eduPersonPrincipalName")) {
-                continue;
-        } else if (arg.equals("principal")) {
-                continue;
-        } else if (arg.equals("uri")) {
-                continue;
-        } else if (arg.equals("operator")) {
-                continue;
-        } else {
-                //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]");
-                argURI = req.getArgument(arg);
-                if (argURI != null) {
-                        //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"]");
-                        argValue = req.getArgumentValue(argURI);
-                        //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"]["+argValue+"]");
-                        if (argValue != null) {
-                                //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argValue+"] value");
-                                subreq.addArgument(arg,argValue);
-                        //} else if (argURI.startsWith("data:text/plain,")) {
-                        //      var val = java.net.URLEncoder.encode(argURI.replaceFirst("data:text/plain,",""),"UTF-8");
-                        //      val = val.replace("\+","%20");// we don't want + to escape spaces but %20, as + has a special meaning in an active URI
-                        //      java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"][data:text/plain,"+val+"] encoded URI");
-                        //      subreq.addArgument(arg,"data:text/plain,"+val);
-                        } else {
-                                //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"] URI");
-                                subreq.addArgument(arg,argURI);
-                        }
-                }// else
-                //      java.lang.System.out.println("DBG:credentials.js:arg["+arg+"] null");
-        }
+    arg = iter.next();
+    if (arg.equals("Authorization")) {
+        continue;
+    } else if (arg.equals("eduPersonPrincipalName")) {
+        continue;
+    } else if (arg.equals("eduPersonTargetedID")) {
+        continue;
+    } else if (arg.equals("principal")) {
+        continue;
+    } else if (arg.equals("uri")) {
+        continue;
+    } else if (arg.equals("operator")) {
+        continue;
+    } else {
+        //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]");
+        argURI = req.getArgument(arg);
+        if (argURI != null) {
+            //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"]");
+            argValue = req.getArgumentValue(argURI);
+            //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"]["+argValue+"]");
+            if (argValue != null) {
+                //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argValue+"] value");
+                subreq.addArgument(arg,argValue);
+            //} else if (argURI.startsWith("data:text/plain,")) {
+            //    var val = java.net.URLEncoder.encode(argURI.replaceFirst("data:text/plain,",""),"UTF-8");
+            //    val = val.replace("\+","%20");// we don't want + to escape spaces but %20, as + has a special meaning in an active URI
+            //    java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"][data:text/plain,"+val+"] encoded URI");
+            //    subreq.addArgument(arg,"data:text/plain,"+val);
+            } else {
+                //java.lang.System.out.println("DBG:credentials.js:arg["+arg+"]["+argURI+"] URI");
+                subreq.addArgument(arg,argURI);
+            }
+        }// else
+        //    java.lang.System.out.println("DBG:credentials.js:arg["+arg+"] null");
+    }
 }
 

cats/ISOcat/trunk/mod-ISOcat-interface-rest/etc/HTTPBridgeConfig.xml

@@ -5 +5 @@
                 <passMethod/>
                 <passCookies/>
-                <passHeaders>User-Agent X-Forwarded-For Referer Authorization Accept eduPersonPrincipalName</passHeaders>
+                <passHeaders>User-Agent X-Forwarded-For Referer Authorization Accept eduPersonPrincipalName eduPersonTargetedID</passHeaders>
                 <passRemoteHost/>
                 <passByURI/>