Include the following entry in the web.xml file of the application:
<filter>
<filter-name>TokenValidator</filter-name>
<filter-class>org.wso2.solutions.identity.relyingparty.servletfilter.RelyingPartyFilter</filter-class>
<init-param>
<param-name> ................ </param-name>
<param-value> ............... </param-value>
</init-param>
<init-param>
......................
</init-param>
......................
......................
</filter>
<filter-mapping>
<filter-name>TokenValidator</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<form name="openidsignin" id="openidsignin" method="post" action="openidsubmit.jsp">
Enter Your OpenID Url:<input type="text" name="openIdUrl"/>
<input type="submit" name="submit" value="Login" />
</form>
In the scenario above, the openidsubmit.jsp page accepts the OpenID URL and performs the authentication using the Identity Solution's relying party components.
// imports
<%@page import="org.wso2.solutions.identity.openid.relyingparty.OpenIDAuthenticationRequest"%>
<%@page import="org.wso2.solutions.identity.openid.relyingparty.OpenIDConsumer"%>
<%@page import="org.wso2.solutions.identity.relyingparty.openid.OpenIDRequestType"%>
<%@page import="org.wso2.solutions.identity.relyingparty.RelyingPartyException"%>
<%@page import="org.wso2.solutions.identity.IdentityConstants"%>
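<%
// Builds an OpenID authentication request from the submitted OpenID URL and
// redirects the browser to the user's OpenID Provider.
//
// Implicit JSP objects used: request, response, out, application.
// Failures raised by the relying-party components arrive as
// RelyingPartyException; the detail is kept in the server log and only a
// fixed message is written to the browser.
try
{
    String openIdUrl = request.getParameter("openIdUrl");
    // Reject an empty submission before it reaches the relying-party components.
    if (openIdUrl == null || openIdUrl.trim().length() == 0) {
        out.println("An OpenID URL is required.");
        return;
    }

    OpenIDAuthenticationRequest openIDAuthRequest = new OpenIDAuthenticationRequest(request, response);
    openIDAuthRequest.setOpenIDUrl(openIdUrl);

    // The return URL must be absolute: once the user has succeeded or failed at
    // the OpenID Provider, the browser is redirected here with the result.
    // NOTE(review): use an https URL in a real deployment so the returned
    // assertion is not exposed on the wire; the host below is a placeholder.
    openIDAuthRequest.setReturnUrl("http://myapp.com/openidcallback.jsp");

    // Use OpenID Attribute Exchange to ask for user attributes with the assertion.
    openIDAuthRequest.addRequestType(OpenIDRequestType.ATTRIBUTE_EXCHANGE);

    // Required claims: each call pairs an attribute name with its namespace.
    // Request only the attributes the application really needs; the Provider
    // may still omit any of them (see the callback page).
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.NICK_NAME, IdentityConstants.OpenId.ExchangeAttributes.NICK_NAME_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.FULL_NAME, IdentityConstants.OpenId.ExchangeAttributes.FULL_NAME_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.EMAIL, IdentityConstants.OpenId.ExchangeAttributes.EMAIL_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.DOB, IdentityConstants.OpenId.ExchangeAttributes.DOB_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.GENDER, IdentityConstants.OpenId.ExchangeAttributes.GENDER_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.POSTAL_CODE, IdentityConstants.OpenId.ExchangeAttributes.POSTAL_CODE_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.COUNTRY, IdentityConstants.OpenId.ExchangeAttributes.COUNTRY_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.LANGUAGE, IdentityConstants.OpenId.ExchangeAttributes.LANGUAGE_NS);
    openIDAuthRequest.addRequiredClaims(IdentityConstants.OpenId.ExchangeAttributes.TIMEZONE, IdentityConstants.OpenId.ExchangeAttributes.TIMEZONE_NS);

    // Performs the authentication: redirects the browser to the OpenID Provider.
    OpenIDConsumer.getInstance().doOpenIDAuthentication(openIDAuthRequest);
}
catch (RelyingPartyException e)
{
    // The exception text may contain the submitted URL or internal detail, so
    // keep it in the server log and reflect nothing user-controlled to the page.
    application.log("OpenID authentication request failed", e);
    out.println("OpenID authentication could not be started.");
}
%>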
After being authenticated at the OpenID Provider, the user will be redirected to this page.
// imports
<%@page import="org.wso2.solutions.identity.IdentityConstants"%>
<%@page import="org.wso2.solutions.identity.relyingparty.TokenVerifierConstants"%>
<%@page import="org.wso2.solutions.identity.openid.relyingparty.OpenIDConsumer "%>
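<%
// Callback page: reads the outcome that the relying-party filter stored on the
// request after processing the OpenID Provider's response.
//
// Implicit JSP objects used: request.
String nickname = null;
String auth = (String) request.getAttribute(TokenVerifierConstants.SERVLET_ATTR_STATE);
if (auth != null && TokenVerifierConstants.STATE_SUCCESS.equals(auth)) {
    // The user authenticated successfully at the OpenID Provider.
    // Read the nick name requested through Attribute Exchange. Some Providers
    // keep no attribute store, so the value can be absent even though it was
    // marked as required.
    Object nick = request.getAttribute(IdentityConstants.OpenId.ExchangeAttributes.NICK_NAME);
    if (nick != null) {
        // getAttribute returns Object; convert explicitly instead of assigning
        // it to a String (which does not compile).
        nickname = nick.toString();
    }
    // NOTE(review): nickname is Provider-supplied text — HTML-escape it before
    // writing it into the page.
} else {
    // Either no state attribute was set for this request or authentication
    // failed at the OpenID Provider; nickname stays null.
}
%>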
Include the following entry in the web.xml file of the application:
<filter>
<filter-name>TokenValidator</filter-name>
<filter-class>org.wso2.solutions.identity.relyingparty.servletfilter.RelyingPartyFilter</filter-class>
<init-param>
<param-name> ................ </param-name>
<param-value> ............... </param-value>
</init-param>
<init-param>
......................
</init-param>
......................
......................
</filter>
<filter-mapping>
<filter-name>TokenValidator</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<form name="openidsignin" id="openidsignin" method="post" action="openidsubmit.jsp">
Enter Your OpenID Url:<input type="text" name="openIdUrl"/>
<input type="submit" name="submit" value="Login" />
</form>
In the scenario above, the openidsubmit.jsp page accepts the OpenID URL and performs the authentication using the Identity Solution's relying party components.
// imports
<%@page import="org.wso2.solutions.identity.IdentityConstants"%>
<%@page import="org.wso2.solutions.identity.relyingparty.openid.OpenIDAuthenticationRequest"%>
<%@page import="org.wso2.solutions.identity.relyingparty.openid.OpenIDConsumer"%>
<%@page import="org.wso2.solutions.identity.relyingparty.openid.AuthPolicyType"%>
<%@page import="org.wso2.solutions.identity.relyingparty.openid.OpenIDRequestType"%>
<%@page import="org.wso2.solutions.identity.relyingparty.RelyingPartyException"%>
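<%
// Builds an OpenID authentication request that carries PAPE (Provider
// Authentication Policy Extension) requirements and redirects the browser to
// the user's OpenID Provider.
//
// Implicit JSP objects used: request, response, out, application.
// Failures raised by the relying-party components arrive as
// RelyingPartyException; the detail is kept in the server log and only a
// fixed message is written to the browser.
try
{
    String openIdUrl = request.getParameter("openIdUrl");
    // Reject an empty submission before it reaches the relying-party components.
    if (openIdUrl == null || openIdUrl.trim().length() == 0) {
        out.println("An OpenID URL is required.");
        return;
    }

    OpenIDAuthenticationRequest openIDAuthRequest = new OpenIDAuthenticationRequest(request, response);
    openIDAuthRequest.setOpenIDUrl(openIdUrl);

    // The return URL must be absolute: once the user has succeeded or failed at
    // the OpenID Provider, the browser is redirected here with the result.
    // NOTE(review): use an https URL in a real deployment so the returned
    // assertion is not exposed on the wire; the host below is a placeholder.
    openIDAuthRequest.setReturnUrl("http://myapp.com/openidcallback.jsp");

    // Use PAPE to state which authentication policies the Provider should apply.
    openIDAuthRequest.addRequestType(OpenIDRequestType.PAPE);

    // Policy switches. This sample hard-codes them; a real implementation would
    // read them from the user, e.g. (String) request.getParameter("phishing"),
    // "multifactor" and "multifactorphysical". Only the literal "true" enables
    // a policy, so any other submitted value is ignored.
    String phishing = "true";
    String multifactor = null;
    String multifactorphysical = null;

    if ("true".equalsIgnoreCase(phishing)) {
        openIDAuthRequest.addAuthPolicy(AuthPolicyType.PAPE_POLICY_PHISHING_RESISTANT);
    }
    if ("true".equalsIgnoreCase(multifactor)) {
        openIDAuthRequest.addAuthPolicy(AuthPolicyType.PAPE_POLICY_MULTI_FACTOR);
    }
    if ("true".equalsIgnoreCase(multifactorphysical)) {
        openIDAuthRequest.addAuthPolicy(AuthPolicyType.PAPE_POLICY_MULTI_FACTOR_PHYSICAL);
    }

    // Maximum acceptable age of the user's last authentication at the Provider.
    // NOTE(review): the unit is defined by the relying-party API — TODO confirm
    // (PAPE itself expresses max_auth_age in seconds).
    openIDAuthRequest.setMaxAuthAge(10);

    // These policies are a request; the Provider reports what it actually
    // applied in its response. Enforce the outcome on the callback page.

    // Performs the authentication: redirects the browser to the OpenID Provider.
    OpenIDConsumer.getInstance().doOpenIDAuthentication(openIDAuthRequest);
}
catch (RelyingPartyException e)
{
    // The exception text may contain the submitted URL or internal detail, so
    // keep it in the server log and reflect nothing user-controlled to the page.
    application.log("OpenID authentication request failed", e);
    out.println("OpenID authentication could not be started.");
}
%>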
After being authenticated at the OpenID Provider, the user will be redirected to this page.
// imports
<%@page import="org.wso2.solutions.identity.IdentityConstants"%>
<%@page import="org.wso2.solutions.identity.relyingparty.TokenVerifierConstants"%>
<%@page import="org.wso2.solutions.identity.openid.relyingparty.OpenIDConsumer "%>
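<%
// Callback page for the PAPE example: reads the authentication-policy
// information that the relying-party filter stored on the request after
// processing the OpenID Provider's response.
//
// Implicit JSP objects used: request.
String authPolcies = null;
String authLevel = null;
String authAge = null;
String auth = (String) request.getAttribute(TokenVerifierConstants.SERVLET_ATTR_STATE);
if (auth != null && TokenVerifierConstants.STATE_SUCCESS.equals(auth)) {
    // The user authenticated successfully at the OpenID Provider; collect the
    // PAPE response attributes. getAttribute returns Object, so each value is
    // converted explicitly rather than assigned straight to a String.
    Object policies = request.getAttribute("auth_policies");
    if (policies != null) {
        authPolcies = policies.toString();
    }
    Object level = request.getAttribute("nist_auth_level");
    if (level != null) {
        authLevel = level.toString();
    }
    Object age = request.getAttribute("auth_age");
    if (age != null) {
        authAge = age.toString();
    }
    // NOTE(review): these values describe what the Provider says it applied,
    // not what the request page asked for. If the application requires, for
    // example, phishing-resistant authentication, check auth_policies here and
    // reject the login when that policy is missing.
} else {
    // Either no state attribute was set for this request or authentication
    // failed at the OpenID Provider; all PAPE values stay null.
}
%>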