From bhais...@apache.org
Subject [4/6] git commit: updated refs/heads/saml-production-grade to 51a19a6
Date Thu, 28 May 2015 13:23:47 GMT
CLOUDSTACK-8457: Make SAML2UserAuthenticator validate SAML token in httprequest

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8bdf20c4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8bdf20c4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8bdf20c4

Branch: refs/heads/saml-production-grade
Commit: 8bdf20c4d6e89673ab41c3d3468867ec1b95b517
Parents: 73f1cba
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Authored: Thu May 28 15:11:22 2015 +0200
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Thu May 28 15:11:22 2015 +0200

----------------------------------------------------------------------
 .../cloudstack/saml/SAML2UserAuthenticator.java | 23 ++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8bdf20c4/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2UserAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2UserAuthenticator.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2UserAuthenticator.java
index 68bd81c..33ed374 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2UserAuthenticator.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2UserAuthenticator.java
@@ -24,9 +24,18 @@ import com.cloud.utils.Pair;
 import org.apache.cloudstack.utils.auth.SAMLUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.log4j.Logger;
+import org.opensaml.DefaultBootstrap;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.io.UnmarshallingException;
+import org.xml.sax.SAXException;
 
 import javax.ejb.Local;
 import javax.inject.Inject;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.FactoryConfigurationError;
+import java.io.IOException;
 import java.util.Map;
 
 @Local(value = {UserAuthenticator.class})
@@ -55,8 +64,18 @@ public class SAML2UserAuthenticator extends DefaultUserAuthenticator {
             return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
         } else {
             User user = _userDao.getUser(userAccount.getId());
-            if (user != null && SAMLUtils.checkSAMLUser(user.getUuid(), username)
&&
-                    requestParameters != null && requestParameters.containsKey(SAMLUtils.SAML_RESPONSE))
{
+            if (user != null && requestParameters != null && requestParameters.containsKey(SAMLUtils.SAML_RESPONSE))
{
+                final String samlResponse = ((String[])requestParameters.get(SAMLUtils.SAML_RESPONSE))[0];
+                Response responseObject = null;
+                try {
+                    DefaultBootstrap.bootstrap();
+                    responseObject = SAMLUtils.decodeSAMLResponse(samlResponse);
+                } catch (ConfigurationException | FactoryConfigurationError | ParserConfigurationException
| SAXException | IOException | UnmarshallingException e) {
+                    return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
+                }
+                if (!responseObject.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI))
{
+                    return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
+                }
                 return new Pair<Boolean, ActionOnFailedAuthentication>(true, null);
             }
         }
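Review bot: Decoding the SAML response and comparing its status code to `StatusCode.SUCCESS_URI` does not validate the token: nothing in the new branch verifies the Response/Assertion signature against the IdP certificate, checks the assertion conditions (audience, NotBefore/NotOnOrAfter, recipient), or ties the assertion subject to `username`, so the `SAMLResponse` request parameter, which is client-supplied, is trusted on its status alone. The previous binding `SAMLUtils.checkSAMLUser(user.getUuid(), username)` was dropped from the condition and should be restored together with a signature and subject check before the `true` pair is returned. `responseObject` is dereferenced on the status line without a null check; whether `decodeSAMLResponse` can return null is not visible here, so a guard such as `if (responseObject == null || responseObject.getStatus() == null) { return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); }` is cheap insurance, and the `[0]` on the parameter `String[]` likewise needs a length check. `DefaultBootstrap.bootstrap()` appears to run on every authentication attempt; if it is only needed once, move it to plugin initialisation, and confirm that the XML parser behind `decodeSAMLResponse` has DTD and external-entity resolution disabled, since that is not visible in this hunk.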

