cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1306795 - in /cxf/trunk/services/sts/sts-core/src: main/java/org/apache/cxf/sts/request/ main/java/org/apache/cxf/sts/token/validator/ test/java/org/apache/cxf/sts/token/validator/
Date Thu, 29 Mar 2012 12:00:54 GMT
Author: coheigea
Date: Thu Mar 29 12:00:53 2012
New Revision: 1306795

URL: http://svn.apache.org/viewvc?rev=1306795&view=rev
Log:
Introducing an EXPIRED State for ReceivedTokens

Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
Thu Mar 29 12:00:53 2012
@@ -46,7 +46,7 @@ public class ReceivedToken {
     private STATE state = STATE.NONE;
     private Principal principal;
     
-    public enum STATE { VALID, INVALID, CANCELLED, NONE };
+    public enum STATE { VALID, INVALID, CANCELLED, EXPIRED, NONE };
     
     public ReceivedToken(Object receivedToken) throws STSException {
         if (receivedToken instanceof JAXBElement<?>) {

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
Thu Mar 29 12:00:53 2012
@@ -39,6 +39,7 @@ import org.apache.cxf.sts.request.Receiv
 import org.apache.cxf.sts.token.realm.CertConstraintsParser;
 import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.SAMLTokenPrincipal;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
@@ -197,23 +198,6 @@ public class SAMLTokenValidator implemen
                 }
             }
            
-            DateTime validFrom = null;
-            DateTime validTill = null;
-            if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
-                validFrom = assertion.getSaml2().getConditions().getNotBefore();
-                validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
-            } else {
-                validFrom = assertion.getSaml1().getConditions().getNotBefore();
-                validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
-            }
-            if (validFrom.isAfterNow() || validTill.isBeforeNow()) {
-                LOG.log(Level.WARNING, "SAML Token condition not met");
-                if (secToken != null) {
-                    tokenParameters.getTokenStore().remove(secToken);
-                }
-                return response;
-            }
-            
             // Get the realm of the SAML token
             String tokenRealm = null;
             if (samlRealmCodec != null) {
@@ -230,6 +214,10 @@ public class SAMLTokenValidator implemen
                 }
             }
             
+            if (!validateConditions(assertion, validateTarget, secToken, tokenParameters.getTokenStore()))
{
+                return response;
+            }
+            
             // Add the AssertionWrapper to the properties, as the claims are required to
be transformed
             Map<String, Object> addProps = new HashMap<String, Object>();
             addProps.put(AssertionWrapper.class.getName(), assertion);
@@ -275,4 +263,35 @@ public class SAMLTokenValidator implemen
         }
     }
     
+    protected boolean validateConditions(
+        AssertionWrapper assertion,
+        ReceivedToken validateTarget,
+        SecurityToken secToken, 
+        TokenStore tokenStore
+    ) {
+        DateTime validFrom = null;
+        DateTime validTill = null;
+        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+            validFrom = assertion.getSaml2().getConditions().getNotBefore();
+            validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+        } else {
+            validFrom = assertion.getSaml1().getConditions().getNotBefore();
+            validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+        }
+        if (validFrom.isAfterNow()) {
+            LOG.log(Level.WARNING, "SAML Token condition not met");
+            if (secToken != null) {
+                tokenStore.remove(secToken);
+            }
+            return false;
+        } else if (validTill.isBeforeNow()) {
+            LOG.log(Level.WARNING, "SAML Token condition not met");
+            if (secToken != null) {
+                tokenStore.remove(secToken);
+            }
+            validateTarget.setState(STATE.EXPIRED);
+            return false;
+        }
+        return true;
+    }
 }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
Thu Mar 29 12:00:53 2012
@@ -105,6 +105,7 @@ public class SCTValidator implements Tok
                     return response;
                 }
                 if (token.isExpired()) {
+                    validateTarget.setState(STATE.EXPIRED);
                     LOG.fine("Token: " + identifier + " is in the cache but expired");
                     return response;
                 }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
Thu Mar 29 12:00:53 2012
@@ -169,7 +169,8 @@ public class UsernameTokenValidator impl
             if (ut.getPassword() == null) {
                 return response;
             }
-            if (secToken == null || (secToken.getAssociatedHash() != ut.hashCode())) {
+            if (secToken == null || secToken.isExpired() 
+                || (secToken.getAssociatedHash() != ut.hashCode())) {
                 Credential credential = new Credential();
                 credential.setUsernametoken(ut);
                 validator.validate(credential, requestData);

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Thu Mar 29 12:00:53 2012
@@ -233,7 +233,7 @@ public class SAMLTokenValidatorTest exte
             samlTokenValidator.validateToken(validatorParameters);
         assertTrue(validatorResponse != null);
         assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
     }
     
     /**
@@ -263,7 +263,7 @@ public class SAMLTokenValidatorTest exte
             samlTokenValidator.validateToken(validatorParameters);
         assertTrue(validatorResponse != null);
         assertTrue(validatorResponse.getToken() != null);
-        assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
     }
     
     



Mime
View raw message