Use a ServletRequestAuthenticator to authenticate SiteMinder users

e2f9b0e1 · Greg Thomas · fe357fc1 · e2f9b0e1 · e2f9b0e1 · e2f9b0e1
Commit e2f9b0e1 authored Sep 25, 2017 by Greg Thomas
3 changed files
--- a/src/java/org/jivesoftware/admin/AuthCheckFilter.java
+++ b/src/java/org/jivesoftware/admin/AuthCheckFilter.java
@@ -33,6 +33,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

+import org.jivesoftware.util.ClassUtils;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.WebManager;
 import org.slf4j.Logger;
@@ -50,6 +51,7 @@ public class AuthCheckFilter implements Filter {

    private ServletContext context;
    private String defaultLoginPage;
+    private ServletRequestAuthenticator servletRequestAuthenticator;

    /**
     * Adds a new string that when present in the requested URL will skip
@@ -122,6 +124,20 @@ public class AuthCheckFilter implements Filter {
                excludes.add(tok);
            }
        }
+        final String servletRequestAuthenticatorClassName = getServletRequestAuthenticatorClassName();
+        if (!servletRequestAuthenticatorClassName.isEmpty()) {
+            try {
+                final Class clazz = ClassUtils.forName(servletRequestAuthenticatorClassName);
+                servletRequestAuthenticator = (ServletRequestAuthenticator) clazz.newInstance();
+            } catch (final Exception e) {
+                Log.error("Error loading ServletRequestAuthenticator: " + servletRequestAuthenticatorClassName, e);
+                servletRequestAuthenticator = null;
+            }
+        }
+    }
+
+    public static String getServletRequestAuthenticatorClassName() {
+        return JiveGlobals.getProperty("adminConsole.servlet-request-authenticator", "").trim();
    }

    @Override
@@ -147,13 +163,13 @@ public class AuthCheckFilter implements Filter {
        for (String exclude : excludes) {
            if (testURLPassesExclude(url, exclude)) {
                doExclude = true;
-                break;   
+                break;
            }
        }
        if (!doExclude) {
            WebManager manager = new WebManager();
            manager.init(request, response, request.getSession(), context);
-            if (manager.getUser() == null) {
+            if (manager.getUser() == null && (servletRequestAuthenticator == null || !servletRequestAuthenticator.authenticateRequest(request))) {
                response.sendRedirect(getRedirectURL(request, loginPage, null));
                return;
            }

--- a/src/java/org/jivesoftware/admin/ServletRequestAuthenticator.java
+++ b/src/java/org/jivesoftware/admin/ServletRequestAuthenticator.java
+package org.jivesoftware.admin;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface ServletRequestAuthenticator {
+
+    /**
+     * Attempts to authenticate an HTTP request to a page on the admin console.
+     * @param request the request to authenticate
+     * @return {@code true} if the request was successfully authenticated, otherwise {@code false}
+     */
+    boolean authenticateRequest(final HttpServletRequest request);
+
+}
--- a/src/java/org/jivesoftware/admin/SiteMinderServletRequestAuthenticator.java
+++ b/src/java/org/jivesoftware/admin/SiteMinderServletRequestAuthenticator.java
+package org.jivesoftware.admin;
+
+import org.jivesoftware.openfire.admin.AdminManager;
+import org.jivesoftware.openfire.auth.AuthToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * <p>
+ * Enables CA SiteMinder/Single Sign-On authentication to the admin console - https://www.ca.com/gb/products/ca-single-sign-on.html
+ * </p>
+ * <p>
+ * To enable, set the system property {@code adminConsole.servlet-request-authenticator} =
+ * {@code org.jivesoftware.admin.SiteMinderServletRequestAuthenticator} and restart Openfire.
+ * </p>
+ */
+public class SiteMinderServletRequestAuthenticator implements ServletRequestAuthenticator {
+
+    private static final Logger Log = LoggerFactory.getLogger(SiteMinderServletRequestAuthenticator.class);
+
+    public static boolean isEnabled() {
+        return SiteMinderServletRequestAuthenticator.class.getName().equals(AuthCheckFilter.getServletRequestAuthenticatorClassName());
+    }
+
+    @Override
+    public boolean authenticateRequest(final HttpServletRequest request) {
+        final AuthToken authToken = getSiteMinderBasedAuthToken(request);
+        if (authToken != null) {
+            // The user has been authenticated
+            request.getSession().setAttribute("jive.admin.authToken", authToken);
+            return true;
+        } else {
+            // We've not authenticated the user - do nothing
+            return false;
+        }
+    }
+
+    private AuthToken getSiteMinderBasedAuthToken(final HttpServletRequest request) {
+        final String smUser = request.getHeader("SM_USER");
+        if (smUser == null || smUser.trim().isEmpty()) {
+            // SiteMinder has not authenticated the user
+            return null;
+        }
+
+        if (!AdminManager.getInstance().isUserAdmin(smUser, true)) {
+            // The SiteMinder user is not an admin user
+            Log.warn("SiteMinder user '" + smUser + "' is not an Openfire administrator.");
+            return null;
+        }
+
+        // We've got a valid admin user, so record the login attempt
+        LoginLimitManager.getInstance().recordSuccessfulAttempt(smUser, request.getRemoteAddr());
+        // And return the auth token
+        return new AuthToken(smUser);
+    }
+}