public abstract class AbstractPasswordIdpAuthnAdapter extends Object implements IdpAuthenticationAdapter
See setOperationalMode(org.sourceid.saml20.adapter.idp.authn.AbstractPasswordIdpAuthnAdapter.Mode) (Operational Mode).
After a successful authentication, most modern browsers resubmit HTTP basic credentials with every subsequent request. Because of this, a server cannot truly log out a session that was authenticated via HTTP basic: it has no way to make the browser forget the credentials. This adapter simulates logout in HTTP basic mode by keeping session state and sending a 401 status code whenever it finds a logout flag in that session state, regardless of whether basic credentials were presented.
The session state itself may expire, however, and with it the logout flag. If the browser then resubmits the cached HTTP basic credentials on a later request, the server and adapter see a valid Authorization header and treat the user as authenticated again. For this reason, if subclasses of this adapter are used in HTTP basic mode, it is highly recommended that end users be advised to close their browser after logout.
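The behaviour described above, as an added example that is not part of the PingFederate SDK: a small in-memory model of an HTTP basic adapter whose "logout" is only a flag in session state. The user table, the five-minute session TTL and the session ids are constructed for this example; the point it demonstrates is that the flag forces a 401 even when the browser resends valid credentials, and that once the session expires the same cached Authorization header is accepted again.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not PingFederate code. Models an adapter in HTTP basic mode where
 * logout is only a flag in server-side session state. Users, TTL and session ids
 * are constructed for the demonstration.
 */
public class BasicLogoutSimulation {

    enum Outcome { CHALLENGE_401, AUTHENTICATED, LOGGED_OUT_401 }

    /** Per-session state the adapter keeps: the logout flag and an expiry time. */
    static final class SessionState {
        boolean loggedOut;
        final Instant expiresAt;
        SessionState(Instant expiresAt) { this.expiresAt = expiresAt; }
    }

    private static final Duration SESSION_TTL = Duration.ofMinutes(5); // constructed
    private final Map<String, SessionState> sessions = new HashMap<>();
    private final Map<String, String> credentials; // constructed user -> password table

    BasicLogoutSimulation(Map<String, String> credentials) {
        this.credentials = credentials;
    }

    /** Returns the live session, dropping it if it has expired (as a real session store would). */
    private SessionState sessionFor(String sessionId, Instant now) {
        SessionState s = sessions.get(sessionId);
        if (s != null && !now.isBefore(s.expiresAt)) {
            sessions.remove(sessionId);
            return null;
        }
        return s;
    }

    /** Decodes "Basic base64(user:password)" and validates it; null when absent or invalid. */
    private String userFromBasicHeader(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String expected = credentials.get(user);
        if (expected == null) {
            return null;
        }
        byte[] presented = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; a real adapter would compare against a salted hash instead.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented) ? user : null;
    }

    /** One request through the adapter: the logout flag is checked before the credentials. */
    Outcome handle(String sessionId, String authorization, Instant now) {
        SessionState s = sessionFor(sessionId, now);
        if (s != null && s.loggedOut) {
            return Outcome.LOGGED_OUT_401; // 401 even if the browser resent valid credentials
        }
        String user = userFromBasicHeader(authorization);
        if (user == null) {
            return Outcome.CHALLENGE_401; // would carry WWW-Authenticate: Basic realm=...
        }
        if (s == null) {
            sessions.put(sessionId, new SessionState(now.plus(SESSION_TTL)));
        }
        return Outcome.AUTHENTICATED;
    }

    /** Simulated logout: sets the flag only; the browser still holds the credentials. */
    void logout(String sessionId, Instant now) {
        SessionState s = sessionFor(sessionId, now);
        if (s != null) {
            s.loggedOut = true;
        }
    }

    public static void main(String[] args) {
        Map<String, String> users = new HashMap<>();
        users.put("alice", "correct horse battery staple"); // constructed credential
        BasicLogoutSimulation adapter = new BasicLogoutSimulation(users);
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:correct horse battery staple".getBytes(StandardCharsets.UTF_8));
        Instant t0 = Instant.parse("2019-01-01T00:00:00Z");

        System.out.println(adapter.handle("sid-1", null, t0));                   // no credentials: challenge
        System.out.println(adapter.handle("sid-1", header, t0));                 // credentials accepted
        adapter.logout("sid-1", t0.plusSeconds(10));
        System.out.println(adapter.handle("sid-1", header, t0.plusSeconds(20))); // flag wins over resent credentials
        // After SESSION_TTL the flag is gone and the same cached header authenticates again.
        System.out.println(adapter.handle("sid-1", header, t0.plus(Duration.ofMinutes(6))));
    }
}
```

The last call in main is the caveat from the text: nothing in the adapter can distinguish a browser that cached the credentials before logout from a fresh login, so the only real mitigation is that the user closes the browser.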
Developers extending this class must implement the methods defined on ConfigurableAuthnAdapter as appropriate. The abstract methods getRealm() and getAuthenticationIdentifiers(String, String) must also be implemented. Optionally, getMaxUserChallengeRetries() can be overridden to control the number of times a user can attempt authentication.
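The credential check a subclass would put behind getAuthenticationIdentifiers(String, String), together with the retry limit that getMaxUserChallengeRetries() governs, as an added example that is not part of the PingFederate SDK. Assumptions made here: the method returns a Map of identifiers on success and null on failure, retries are counted per username inside this object, and the user table is constructed. The salted PBKDF2 storage, the constant-time comparison and the dummy-salt path for unknown users are the parts a practitioner should carry into a real subclass.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not PingFederate code. Stand-in for the password check a subclass
 * performs in getAuthenticationIdentifiers(String, String). Return type (Map or null),
 * retry bookkeeping and the user table are assumptions made for this example.
 */
public class PasswordVerifier {

    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int HASH_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[16]; // used when the user does not exist

    /** Salted PBKDF2 hash; the clear-text password is never stored. */
    static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, StoredCredential> users = new HashMap<>();
    private final Map<String, Integer> failedAttempts = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final int maxRetries;

    PasswordVerifier(int maxRetries) { this.maxRetries = maxRetries; }

    /** Stand-in for getMaxUserChallengeRetries(): how many failed attempts a user gets. */
    int getMaxUserChallengeRetries() { return maxRetries; }

    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    void register(String username, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        users.put(username, new StoredCredential(salt, pbkdf2(password, salt)));
    }

    /**
     * Mirrors getAuthenticationIdentifiers(username, password): identifiers on success,
     * null on a wrong password, an unknown user, or once the retry budget is spent.
     */
    Map<String, Object> getAuthenticationIdentifiers(String username, String password)
            throws GeneralSecurityException {
        int failures = failedAttempts.getOrDefault(username, 0);
        if (failures >= getMaxUserChallengeRetries()) {
            return null; // budget spent: the password is not even evaluated
        }
        StoredCredential stored = users.get(username);
        // Run the KDF for unknown users too, so response time does not reveal whether the account exists.
        byte[] salt = stored != null ? stored.salt : DUMMY_SALT;
        byte[] candidate = pbkdf2(password.toCharArray(), salt);
        boolean ok = stored != null && MessageDigest.isEqual(candidate, stored.hash);
        if (!ok) {
            failedAttempts.put(username, failures + 1);
            return null;
        }
        failedAttempts.remove(username);
        Map<String, Object> identifiers = new HashMap<>();
        identifiers.put("username", username); // attribute name is an assumption for this example
        return identifiers;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        PasswordVerifier verifier = new PasswordVerifier(3);
        verifier.register("alice", "correct horse battery staple".toCharArray()); // constructed user
        System.out.println(verifier.getAuthenticationIdentifiers("alice", "wrong"));
        System.out.println(verifier.getAuthenticationIdentifiers("alice", "correct horse battery staple"));
        System.out.println(verifier.getAuthenticationIdentifiers("mallory", "anything"));
    }
}
```

The failure counter lives only in this object and is cleared on success; a persistent per-account lockout would let an attacker lock out arbitrary users by guessing wrong on purpose, so treat the retry budget as a per-challenge-sequence limit rather than an account lock.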
Modifier and Type | Class and Description |
---|---|
static class | AbstractPasswordIdpAuthnAdapter.Mode. Deprecated. |
Inherited fields: AUTHN_CTX_ATTRIBUTE_NAME, AUTHN_INSTANT_ATTRIBUTE_NAME, DEVICE_SHARING_TYPE_ATTRIBUTE_NAME, POLICY_ACTION_ATTRIBUTE_NAME
Constructor and Description |
---|
AbstractPasswordIdpAuthnAdapter(). Deprecated. |
Modifier and Type | Method and Description |
---|---|
AbstractPasswordIdpAuthnAdapter.Mode | getOperationalMode(). Deprecated. Gets the current operational mode of the adapter. |
boolean | logoutAuthN(Map authnIdentifiers, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath). Deprecated. This is the method that the PingFederate server will invoke during processing of a single logout to terminate a security context for a user at the external application or authentication provider service. |
Map | lookupAuthN(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl). Deprecated. This is the method that the PingFederate server will invoke during processing of a single sign-on transaction to look up information about an authenticated security context or session for a user at the external application or authentication provider service. |
Map | lookupAuthnBasic(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl). Deprecated. |
Map | lookupAuthnForm(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl). Deprecated. |
void | setOperationalMode(AbstractPasswordIdpAuthnAdapter.Mode operationalMode). Deprecated. Sets the current operational mode of the adapter. |
Methods inherited from class java.lang.Object: equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface ConfigurableAuthnAdapter: getAdapterDescriptor, configure
public AbstractPasswordIdpAuthnAdapter()

public AbstractPasswordIdpAuthnAdapter.Mode getOperationalMode()

public void setOperationalMode(AbstractPasswordIdpAuthnAdapter.Mode operationalMode)
Parameters:
operationalMode - the new mode.

public Map lookupAuthnBasic(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl) throws IOException
Throws:
IOException

public Map lookupAuthnForm(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl) throws IOException
Throws:
IOException
public Map lookupAuthN(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl) throws IOException
Description copied from interface: IdpAuthenticationAdapter
If your implementation of this method needs to operate asynchronously, it just needs to write to the
HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server
checks to see if the response has been committed. If the response has been committed, PingFederate saves
the state it needs and discontinues processing for the current transaction. Processing of the transaction is
continued when the user agent returns to the resumePath
at the PingFederate server at which
point the server invokes this method again. This series of events will be repeated until this method
returns without committing the response. When that happens (which could be the first invocation) PingFederate
will complete the protocol transaction processing with the return result of this method.
Note that if the response is committed, then PingFederate ignores the return value. Only the return value of an invocation that does not commit the response will be used.
If this adapter is implemented asynchronously, it is recommended that the user agent always returns to the resumePath, in order to be compatible with the Composite Adapter's "Sufficient" adapter chaining policy. The Composite Adapter allows an administrator to "chain" a selection of available adapter instances for a connection. At runtime, adapter chaining means that SSO requests are passed sequentially through each adapter instance specified until one or more authentication results are found for the user. If the user agent does not return control to PingFederate for failed authentication scenarios, the authentication chain will break, and such an adapter should not be used with the Composite Adapter's "Sufficient" chaining policy.
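The commit-and-resume contract described above, as an added example that is not PingFederate's code: a small driver stands in for the server's loop, minimal Request and Response classes stand in for the servlet API, and a form-mode adapter shows both branches, a committed redirect (return value ignored, processing waits for the user agent at resumePath) versus an uncommitted return (value used). It also shows the failed-authentication path that still hands control back to the server so a Composite Adapter "Sufficient" chain is not broken. The user table, the resume path, the SSO path and the scripted browser returns are all constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not PingFederate code. Simulates the invoke / commit / resume loop around
 * lookupAuthN. Request, Response, the server loop and the scripted browser behaviour are
 * stand-ins constructed for this example, not the servlet API or the PingFederate server.
 */
public class ResumeLoopSimulation {

    /** Stand-in for HttpServletResponse; the server only checks isCommitted(). */
    static final class Response {
        private boolean committed;
        String redirectTo;
        void sendRedirect(String location) { redirectTo = location; committed = true; }
        boolean isCommitted() { return committed; }
    }

    /** Stand-in for HttpServletRequest: the path requested plus form parameters. */
    static final class Request {
        final String path;
        final Map<String, String> params;
        Request(String path, Map<String, String> params) { this.path = path; this.params = params; }
    }

    /**
     * Form-mode adapter. No credentials: redirect to the login form (commit). Wrong password with
     * retries left: redirect back with an error (commit). Retries exhausted: return null WITHOUT
     * committing, so control stays with the server and a "Sufficient" chain can move on.
     */
    static final class FormAdapter {
        private final Map<String, String> users; // constructed user -> password table
        private final int maxRetries;
        private int failures;

        FormAdapter(Map<String, String> users, int maxRetries) { this.users = users; this.maxRetries = maxRetries; }

        Map<String, Object> lookupAuthN(Request req, Response resp, String resumePath) {
            String user = req.params.get("username");
            String pass = req.params.get("password");
            if (user == null || pass == null) {
                resp.sendRedirect("/login?resume=" + resumePath); // take control of the user agent
                return null;                                      // ignored: the response is committed
            }
            String expected = users.get(user);
            if (expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8))) {
                Map<String, Object> identifiers = new HashMap<>();
                identifiers.put("username", user);
                return identifiers;                               // uncommitted: this completes the transaction
            }
            if (++failures < maxRetries) {
                resp.sendRedirect("/login?error=1&resume=" + resumePath);
                return null;                                      // ignored again; browser must return to resumePath
            }
            return null;                                          // uncommitted null: no result, chain continues
        }
    }

    /** Server side of the loop; userAgentReturns scripts what the browser does after each redirect. */
    static Map<String, Object> drive(FormAdapter adapter, Request initial,
                                     Deque<Request> userAgentReturns, String resumePath) {
        Request req = initial;
        while (true) {
            Response resp = new Response();
            Map<String, Object> result = adapter.lookupAuthN(req, resp, resumePath);
            if (!resp.isCommitted()) {
                return result; // only an uncommitted invocation's return value is used
            }
            // Committed: the server saves state and stops until the user agent comes back.
            if (userAgentReturns.isEmpty()) {
                throw new IllegalStateException("user agent never returned after redirect to " + resp.redirectTo);
            }
            req = userAgentReturns.pop();
            if (!req.path.equals(resumePath)) {
                throw new IllegalStateException("expected return to " + resumePath + ", got " + req.path);
            }
        }
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("alice", "correct horse battery staple"); // constructed
        String resumePath = "/idp/resume/abc123";                                      // constructed
        Deque<Request> browser = new ArrayDeque<>();
        browser.add(new Request(resumePath, Map.of("username", "alice", "password", "wrong")));
        browser.add(new Request(resumePath, Map.of("username", "alice", "password", "correct horse battery staple")));
        Request initial = new Request("/sso", Map.of());                               // constructed SSO request
        System.out.println(drive(new FormAdapter(users, 3), initial, browser, resumePath));
    }
}
```

Three invocations happen in main: the first commits a redirect to the form, the second commits a redirect back with an error, and only the third returns without committing, so its Map is the transaction's result. Remove the last scripted return and the driver throws, which is exactly the "chain breaks" condition the text warns about for adapters that do not send the user agent back to resumePath on failure.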
Specified by:
lookupAuthN in interface IdpAuthenticationAdapter
Parameters:
req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request, such as the full URL the request was made to. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.
resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.
entityId - the entity id of the SP to whom the single sign-on will be sent.
authnPolicy - an object with values that restrict what kind of user interaction is allowed or required during the authentication.
resumeUrl - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived from the HttpServletRequest.
Returns:
(see IdpAuthenticationAdapter.getAdapterDescriptor()). This map will also be passed back to the adapter implementation on logout as the first parameter of the IdpAuthenticationAdapter.logoutAuthN(java.util.Map, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String) method. This enables the adapter to identify what session or security context to terminate during logout.
Throws:
IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse).

public boolean logoutAuthN(Map authnIdentifiers, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath) throws IOException
Description copied from interface: IdpAuthenticationAdapter
If your implementation of this method needs to operate asynchronously, it just needs to write to the
HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server
checks to see if the response has been committed. If the response has been committed, PingFederate saves
the state it needs and discontinues processing for the current transaction. Processing of the transaction is
continued when the user agent returns to the resumePath
at the PingFederate server at which
point the server invokes this method again. This series of events will be repeated until this method
returns without committing the response. When that happens (which could be the first invocation) PingFederate
will complete the protocol transaction processing with the return result of this method.
Note that if the response is committed, then PingFederate ignores the return value. Only the return value
of an invocation that does not commit the response will be used. Accessing the HttpSession from
the request is not recommended and doing so is deprecated. Use
SessionStateSupport
as an alternative.
Note on SOAP logout: If this logout is being invoked as the result of a back channel protocol request, the request, response and resumePath parameters will all be null as they have no meaning in such a context where the user agent is inaccessible.
Specified by:
logoutAuthN in interface IdpAuthenticationAdapter
Parameters:
authnIdentifiers - the map of authentication identifiers originally returned to the PingFederate server by the IdpAuthenticationAdapter.lookupAuthN(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String, org.sourceid.saml20.adapter.idp.authn.AuthnPolicy, java.lang.String) method. This enables the adapter to associate a security context or session returned by lookupAuthN with the invocation of this logout method.
req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request, such as the full URL the request was made to.
resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.
resumePath - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived from the HttpServletRequest.
Throws:
IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse will throw an IOException).

Copyright 2019 Ping Identity Corp. All rights reserved.