From serg...@apache.org
Subject svn commit: r1165688 - /cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/
Date Tue, 06 Sep 2011 14:48:09 GMT
Author: sergeyb
Date: Tue Sep  6 14:48:08 2011
New Revision: 1165688

URL: http://svn.apache.org/viewvc?rev=1165688&view=rev
Log:
[CXF-3588] Adding missing code

Added:
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
  (with props)
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
  (with props)

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.saml.authorization;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+@Target({ElementType.TYPE, ElementType.METHOD })
+@Retention(RetentionPolicy.RUNTIME)
+public @interface Claim {
+    
+    String format() default "http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
+    String name() default "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+    String[] value();
+    
+    /**
+     * If set to true then all the values of this claim have to be matched 
+     */
+    boolean matchAll() default false;
+    /**
+     * If set to ClaimMode.LAX then the match will fail only if the incoming
+     * assertion has the same name and format claim with non-matching values  
+     */
+    ClaimMode mode() default ClaimMode.STRICT;
+}
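Review bot: `format()`, `name()` and `value()` at L75–L77 carry no Javadoc, although they are the whole contract of the annotation; the two documented members are the less important ones. From the way `ClaimsAuthorizingInterceptor.getClaims` consumes them, `name()` and `format()` become the expected claim name and name-format (after alias mapping) and `value()` the list of acceptable claim values, so I would add `/** The claim values the incoming assertion must carry; see {@link #matchAll()} for whether all or any must match. */` above `value()` and a one-line Javadoc on `name()` and `format()` naming the default URIs as the WS-Trust identity claim namespace and role claim. The `matchAll()` Javadoc would also benefit from stating the alternative: `otherwise a single overlapping value is sufficient`.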

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claim.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+
+public class ClaimBean {
+    private org.apache.cxf.rs.security.saml.assertion.Claim claim;
+    private ClaimMode claimMode;
+    private boolean matchAll;
+    
+    public ClaimBean(org.apache.cxf.rs.security.saml.assertion.Claim claim) {
+        this.claim = claim;
+    }
+    
+    public ClaimBean(org.apache.cxf.rs.security.saml.assertion.Claim claim,
+                     ClaimMode claimMode, 
+                     boolean matchAll) {
+        this.claim = claim;
+        this.claimMode = claimMode;
+        this.matchAll = matchAll;
+    }
+    
+    public org.apache.cxf.rs.security.saml.assertion.Claim getClaim() {
+        return claim;
+    }
+    
+    public boolean isMatchAll() {
+        return matchAll;
+    }
+    
+    public ClaimMode getClaimMode() {
+        return claimMode;
+    }
+}
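Review bot: The single-argument constructor at L132–L134 leaves `claimMode` null, and `ClaimsAuthorizingInterceptor.authorize` tests the mode with `claimBean.getClaimMode() == ClaimMode.STRICT`, so a bean built this way behaves as LAX and a missing claim is silently skipped rather than denied. Defaulting the short constructor to the strict mode fails closed and removes the null: `this(claim, ClaimMode.STRICT, false);`. The three fields are only assigned in constructors and could be `final`, which would make that invariant explicit.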

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+public enum ClaimMode {
+    STRICT,
+    LAX
+}

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimMode.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.saml.authorization;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+
+@Target({ElementType.TYPE, ElementType.METHOD })
+@Retention(RetentionPolicy.RUNTIME)
+public @interface Claims {
+    Claim[] value();
+}

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/Claims.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,230 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.ClassHelper;
+import org.apache.cxf.frontend.MethodDispatcher;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.service.Service;
+import org.apache.cxf.service.model.BindingOperationInfo;
+
+
+public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Message>
{
+
+    private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class);
+    
+    private static final Set<String> SKIP_METHODS;
+    static {
+        SKIP_METHODS = new HashSet<String>();
+        SKIP_METHODS.addAll(Arrays.asList(
+            new String[] {"wait", "notify", "notifyAll", 
+                          "equals", "toString", "hashCode"}));
+    }
+    
+    private Map<String, List<ClaimBean>> claims = new HashMap<String, List<ClaimBean>>();
+    private Map<String, String> nameAliases = Collections.emptyMap();
+    private Map<String, String> formatAliases = Collections.emptyMap();
+    
+    public ClaimsAuthorizingInterceptor() {
+        super(Phase.PRE_INVOKE);
+    }
+    
+    public void handleMessage(Message message) throws Fault {
+        SecurityContext sc = message.get(SecurityContext.class);
+        if (!(sc instanceof SAMLSecurityContext)) {
+            throw new AccessDeniedException("Security Context is unavailable or unrecognized");
+        }
+        
+        Method method = getTargetMethod(message);
+        
+        if (authorize((SAMLSecurityContext)sc, method)) {
+            return;
+        }
+        
+        throw new AccessDeniedException("Unauthorized");
+    }
+    
+    public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
+        claims.putAll(claimsMap);
+    }
+    
+    protected Method getTargetMethod(Message m) {
+        BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class);
+        if (bop != null) {
+            MethodDispatcher md = (MethodDispatcher) 
+                m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
+            return md.getMethod(bop);
+        } 
+        Method method = (Method)m.get("org.apache.cxf.resource.method");
+        if (method != null) {
+            return method;
+        }
+        throw new AccessDeniedException("Method is not available : Unauthorized");
+    }
+
+    protected boolean authorize(SAMLSecurityContext sc, Method method) {
+        List<ClaimBean> list = claims.get(method.getName());
+        org.apache.cxf.rs.security.saml.assertion.Claims actualClaims = sc.getClaims();
+        
+        for (ClaimBean claimBean : list) {
+            org.apache.cxf.rs.security.saml.assertion.Claim claim =  claimBean.getClaim();
+            org.apache.cxf.rs.security.saml.assertion.Claim matchingClaim = 
+                actualClaims.findClaimByFormatAndName(claim.getNameFormat(), claim.getName());
+            if (matchingClaim == null) {
+                if (claimBean.getClaimMode() == ClaimMode.STRICT) {
+                    return false;
+                } else {
+                    continue;
+                }
+            }
+            List<String> claimValues = claim.getValues();
+            List<String> matchingClaimValues = matchingClaim.getValues();
+            if (claimBean.isMatchAll() 
+                && !matchingClaimValues.containsAll(claimValues)) {    
+                return false;
+            } else {
+                boolean matched = false;
+                for (String value : matchingClaimValues) {
+                    if (claimValues.contains(value)) {
+                        matched = true;    
+                        break;
+                    }
+                }
+                if (!matched) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
+    public void setSecuredObject(Object object) {
+        Class<?> cls = ClassHelper.getRealClass(object);
+        findClaims(cls);
+        if (claims.isEmpty()) {
+            LOG.warning("The claims list is empty, the service object is not protected");
+        }
+    }
+
+    protected void findClaims(Class<?> cls) {
+        if (cls == null || cls == Object.class) {
+            return;
+        }
+        List<ClaimBean> clsClaims = 
+            getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
+        for (Method m : cls.getMethods()) {
+            if (SKIP_METHODS.contains(m.getName())) {
+                continue;
+            }
+            List<ClaimBean> methodClaims = 
+                getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class));
+            
+            List<ClaimBean> allClaims = new ArrayList<ClaimBean>(methodClaims);
+            for (ClaimBean bean : clsClaims) {
+                if (isClaimOverridden(bean, methodClaims)) {
+                    continue;
+                }
+                allClaims.add(bean);
+            }
+            
+            claims.put(m.getName(), allClaims);
+        }
+        if (!claims.isEmpty()) {
+            return;
+        }
+        
+        findClaims(cls.getSuperclass());
+        
+        if (!claims.isEmpty()) {
+            return;
+        }
+        
+        for (Class<?> interfaceCls : cls.getInterfaces()) {
+            findClaims(interfaceCls);
+        }
+    }
+    
+    private static boolean isClaimOverridden(ClaimBean bean, List<ClaimBean> mClaims)
{
+        for (ClaimBean methodBean : mClaims) {    
+            if (bean.getClaim().getName().equals(methodBean.getClaim().getName())
+                && bean.getClaim().getNameFormat().equals(methodBean.getClaim().getNameFormat()))
{
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    private List<ClaimBean> getClaims(
+            Claims claimsAnn, Claim claimAnn) {
+        List<ClaimBean> claimsList = new ArrayList<ClaimBean>();
+        
+        List<Claim> annClaims = new ArrayList<Claim>();
+        if (claimsAnn != null) {
+            annClaims.addAll(Arrays.asList(claimsAnn.value()));
+        } else if (claimAnn != null) {
+            annClaims.add(claimAnn);
+        }
+        for (Claim ann : annClaims) {
+            org.apache.cxf.rs.security.saml.assertion.Claim claim = 
+                new org.apache.cxf.rs.security.saml.assertion.Claim();
+            
+            String claimName = ann.name();
+            if (nameAliases.containsKey(claimName)) {
+                claimName = nameAliases.get(claimName);
+            }
+            String claimFormat = ann.format();
+            if (formatAliases.containsKey(claimFormat)) {
+                claimFormat = formatAliases.get(claimFormat);
+            }
+            
+            claim.setName(claimName);
+            claim.setNameFormat(claimFormat);
+            claim.setValues(Arrays.asList(ann.value()));
+            
+            claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
+        }
+        return claimsList;
+    }
+
+    public void setNameAliases(Map<String, String> nameAliases) {
+        this.nameAliases = nameAliases;
+    }
+
+    public void setFormatAliases(Map<String, String> formatAliases) {
+        this.formatAliases = formatAliases;
+    }
+
+}
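Review bot: `authorize` at L362–L365 iterates `claims.get(method.getName())` without a null check, so a method that was never registered in the map fails with a NullPointerException (surfacing as a generic Fault) instead of an access-denied response; the fail-closed form is `if (list == null) { return false; }` before the loop. The map is keyed by method name only, so overloaded resource methods overwrite each other in `findClaims` at L426 and the last overload scanned decides the claims for all of them; keying by `Method` (or name plus parameter types) would avoid that. It also looks like the early return at L428–L430 always fires, because `cls.getMethods()` includes `getClass`, which is not in `SKIP_METHODS`, so `claims` is never empty after the first scan and the superclass/interface recursion at L432–L440 is unreachable — worth confirming, as it would mean annotations placed on an implemented interface are not picked up and the warning in `setSecuredObject` never triggers. The `else` branch at L381 re-checks any-match after `matchAll` already succeeded, which is harmless but worth a comment or simplification.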

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.apache.cxf.rs.security.saml.assertion.Claim;
+import org.apache.cxf.rs.security.saml.assertion.Claims;
+import org.apache.cxf.rs.security.saml.assertion.Subject;
+import org.apache.cxf.security.SecurityContext;
+
+public class SAMLSecurityContext implements SecurityContext {
+    
+    private SubjectPrincipal p;
+    private Claims claims; 
+    private Claim rolesClaim;
+    
+    public SAMLSecurityContext(Subject subject, List<Claim> claims) {
+        this(new SubjectPrincipal(subject), new Claims(claims));
+    }
+    
+    public SAMLSecurityContext(SubjectPrincipal p, Claims claims) {
+        this(p, claims, Claim.DEFAULT_ROLE_NAME, Claim.DEFAULT_NAME_FORMAT);
+    }
+    
+    public SAMLSecurityContext(SubjectPrincipal p, 
+                               Claims cs,
+                               String roleClaimNameQualifier,
+                               String roleClaimNameFormat) {
+        this.p = p;
+        for (Claim c : cs.getClaims()) {
+            if (c.getName().equals(roleClaimNameQualifier)
+                && c.getNameFormat().equals(roleClaimNameFormat)) {
+                rolesClaim = c;
+                break;
+            }
+        }
+        this.claims = cs;
+        
+    }
+    
+    @Override
+    public Principal getUserPrincipal() {
+        return p;
+    }
+
+    @Override
+    public boolean isUserInRole(String role) {
+        if (rolesClaim == null) {
+            return false;
+        }
+        for (String r : rolesClaim.getValues()) {
+            if (r.equals(role)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    public Claims getClaims() {
+        return claims;
+    }
+}
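Review bot: The four-argument constructor at L555–L569 selects only the first claim whose name and format match, because of the `break` at L564, so if the assertion carries several claims with the same name/format only the first one contributes roles to `isUserInRole`; whether `Claims` can hold duplicates depends on how `SAMLUtils.getClaims` builds it, so this should either be documented or the values merged. The constructor also dereferences `cs` at L560 with no null check; `Objects.requireNonNull(cs, "claims")` would give a clearer failure than an NPE inside the loop. A Javadoc on this constructor should state that `roleClaimNameQualifier` and `roleClaimNameFormat` identify which claim is treated as the role list.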

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SAMLSecurityContext.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+public interface SecurityContextProvider {
+    SecurityContext getSecurityContext(Message message, AssertionWrapper wrapper);
+}
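Review bot: The single method at L635 has no Javadoc, and as the extension point the rest of the package builds on it needs one: what `wrapper` is expected to be (presumably an already validated assertion, since the implementation does no checks of its own — confirm) and that the returned context is what `ClaimsAuthorizingInterceptor` later requires to be a `SAMLSecurityContext`. I would add `/** Builds the security context for a request from its SAML assertion; the assertion is expected to have been validated before this is called. */` above the method with `@param` entries for both arguments.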

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.saml.SAMLUtils;
+import org.apache.cxf.rs.security.saml.assertion.Claim;
+import org.apache.cxf.rs.security.saml.assertion.Claims;
+import org.apache.cxf.rs.security.saml.assertion.Subject;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+public class SecurityContextProviderImpl implements SecurityContextProvider {
+
+    private static final String DEFAULT_NAME_ROLE_PROPERTY = "org.apache.cxf.saml.claims.role";
+    private static final String DEFAULT_NAMEFORMAT_PROPERTY = "org.apache.cxf.saml.claims.format";
+    
+    public SecurityContext getSecurityContext(Message message,
+            AssertionWrapper wrapper) {
+        Claims claims = getClaims(wrapper);
+        Subject subject = getSubject(message, wrapper, claims);
+        
+        String defaultName = (String)message.getContextualProperty(DEFAULT_NAME_ROLE_PROPERTY);
+        String defaultNameFormat = (String)message.getContextualProperty(DEFAULT_NAMEFORMAT_PROPERTY);
+        SecurityContext sc = new SAMLSecurityContext(new SubjectPrincipal(subject),
+                claims,
+                defaultName == null ? Claim.DEFAULT_ROLE_NAME : defaultName,
+                defaultNameFormat == null ? Claim.DEFAULT_NAME_FORMAT : defaultNameFormat);
+        return sc;
+    }
+
+    protected Claims getClaims(AssertionWrapper wrapper) {
+        return SAMLUtils.getClaims(wrapper);
+    }
+    
+    protected Subject getSubject(Message message, AssertionWrapper wrapper, Claims claims)
{
+        Subject subj = SAMLUtils.getSubject(message, wrapper);
+        setSubjectPrincipalName(subj, claims);
+        return subj;
+    }
+    
+    protected void setSubjectPrincipalName(Subject sub, Claims claims) {
+        // parse/decipher subject name id, or check attributes like 
+        // givenName, email, firstName, etc
+        
+        // this can be overidden, but consider also introducing dedicated handlers 
+    }
+}
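Review bot: `setSubjectPrincipalName` at L712–L717 is a no-op extension hook whose intent lives only in inline comments, so subclass authors have nothing in the generated API docs; I would turn those comments into a Javadoc stating that the default implementation leaves the subject unchanged and that overrides may derive the principal name from the subject name id or from claims. The unchecked `(String)` casts at L692–L693 throw a ClassCastException if either contextual property is set to a non-String value; a defensive `String.valueOf` or an explicit `instanceof` check would fail more clearly. `getSecurityContext` should also document the two property keys it honours and their defaults (`Claim.DEFAULT_ROLE_NAME`, `Claim.DEFAULT_NAME_FORMAT`).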

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java?rev=1165688&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
(added)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
Tue Sep  6 14:48:08 2011
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.saml.authorization;
+
+import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.rs.security.saml.assertion.Subject;
+
+public class SubjectPrincipal extends SimplePrincipal {
+    private Subject subject;
+    public SubjectPrincipal(Subject subject) {
+        super(subject.getAlternateName() == null ? subject.getName() : subject.getAlternateName());
+        this.subject = subject;
+    }
+    
+    public Subject getSubject() {
+        return subject;
+    }
+}
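Review bot: The constructor at L761–L764 dereferences `subject` in the `super(...)` argument, so a null subject fails with an NPE from inside the superclass call rather than a message naming the parameter; both `SAMLSecurityContext` constructors and `SecurityContextProviderImpl` pass through whatever they were given. Validating first keeps the error at the boundary: `super(Objects.requireNonNull(subject, "subject").getAlternateName() == null ? subject.getName() : subject.getAlternateName());`. The `subject` field is assigned once and could be `final`, and the class would benefit from a Javadoc noting that the principal name is the subject's alternate name when present, otherwise its name.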

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SubjectPrincipal.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date


