Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2B64C9562 for ; Wed, 25 Apr 2012 16:45:45 +0000 (UTC) Received: (qmail 33284 invoked by uid 500); 25 Apr 2012 16:45:45 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 33178 invoked by uid 500); 25 Apr 2012 16:45:45 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 33170 invoked by uid 99); 25 Apr 2012 16:45:45 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Apr 2012 16:45:44 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Apr 2012 16:45:43 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 1091023889E0; Wed, 25 Apr 2012 16:45:23 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1330409 - in /cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso: Messages.properties RequestAssertionConsumerService.java filter/AbstractServiceProviderFilter.java Date: Wed, 25 Apr 2012 16:45:22 -0000 To: commits@cxf.apache.org 
From: sergeyb@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120425164523.1091023889E0@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: sergeyb Date: Wed Apr 25 16:45:22 2012 New Revision: 1330409 URL: http://svn.apache.org/viewvc?rev=1330409&view=rev Log: Updating RequestAssertionConsumerService to treat RelayState as the original target URI Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties (with props) Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java Added: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties?rev=1330409&view=auto ============================================================================== --- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties (added) +++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties Wed Apr 25 16:45:22 2012 
@@ -0,0 +1,24 @@
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+#
+MISSING_RELAY_STATE=RelayState parameter is missing
+INVALID_RELAY_STATE=RelayState parameter is invalid
+MISSING_SAML_RESPONSE=SamlResponse parameter is missing
+INVALID_SAML_RESPONSE=SamlResponse parameter is invalid
\ No newline at end of file
Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties ------------------------------------------------------------------------------ svn:eol-style = native Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties ------------------------------------------------------------------------------ svn:keywords = Rev Date Propchange: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties ------------------------------------------------------------------------------ svn:mime-type = text/plain Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1330409&r1=1330408&r2=1330409&view=diff ==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Wed Apr 25 16:45:22 2012
@@ -21,6 +21,9 @@ package org.apache.cxf.rs.security.saml.
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.URI;
+import java.util.ResourceBundle;
+import java.util.logging.Logger;
 import java.util.zip.DataFormatException;
 import javax.ws.rs.Encoded;
@@ -33,10 +36,11 @@ import javax.ws.rs.QueryParam;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriBuilder;
 import org.w3c.dom.Document;
+import org.apache.cxf.common.i18n.BundleUtils;
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64Exception;
 import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.common.util.StringUtils;
@@ -48,30 +52,39 @@ import org.opensaml.xml.XMLObject; @Path("sso") public class RequestAssertionConsumerService { + private static final Logger LOG = + LogUtils.getL7dLogger(RequestAssertionConsumerService.class); + private static final ResourceBundle BUNDLE = + BundleUtils.getBundle(RequestAssertionConsumerService.class); + private static final String SAML_RESPONSE = "SAMLResponse"; private static final String RELAY_STATE = "RelayState"; private boolean useDeflateEncoding = true; + public void setUseDeflateEncoding(boolean deflate) { + useDeflateEncoding = deflate; + } + public boolean useDeflateEncoding() { + return useDeflateEncoding; + } + @POST @Produces(MediaType.APPLICATION_FORM_URLENCODED) public Response processSamlResponse(@Encoded @FormParam(RELAY_STATE) String relayState, @Encoded @FormParam(SAML_RESPONSE) String encodedSamlResponse) { + + URI relayURI = getRelayURI(relayState); + org.opensaml.saml2.core.Response samlResponse = readSAMLResponse(encodedSamlResponse); validateSamlResponse(samlResponse); - // TODO: set the security context, - // perhaps using the cookie or adding some query parameter - // (relayState?) to the redirect URI - + // TODO: set the security context + // finally, redirect to the service provider endpoint - String responseTo = samlResponse.getInResponseTo(); - UriBuilder builder = UriBuilder.fromPath(responseTo); - // if needed: builder.queryParam("RelayState", relayState); - - return Response.seeOther(builder.build()).build(); + return Response.seeOther(relayURI).build(); } @@ -83,6 +96,7 @@ public class RequestAssertionConsumerSer private org.opensaml.saml2.core.Response readSAMLResponse(String samlResponse) { if (StringUtils.isEmpty(samlResponse)) { + reportError("MISSING_SAML_RESPONSE"); throw new WebApplicationException(400); } InputStream tokenStream = null; 
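Review bot: processSamlResponse now redirects to whatever URI the RelayState form parameter carries (`return Response.seeOther(relayURI).build();`), and nothing in this hunk or in the later getRelayURI hunk ties that value to a request this service provider issued; RelayState sits outside the signed SAML response, so the checks validateSamlResponse applies to the response say nothing about it, and a client can post a valid response together with an arbitrary absolute URL and obtain an open redirect. Before redirecting, restrict the target to the service provider's own origin — at minimum reject absolute URIs, `if (relayURI.isAbsolute()) { reportError("INVALID_RELAY_STATE"); throw new WebApplicationException(400); }` — or treat RelayState as an opaque key into a server-side record of the original URI rather than as the URL itself. Separately, the parameter is declared `@Encoded`, so a form-encoded absolute URL would presumably reach URI.create still percent-encoded (`http%3A%2F%2F...`) and parse as a relative path; confirm whether decoding is intended here. The class continues outside the hunk.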
@@ -122,14 +136,27 @@ public class RequestAssertionConsumerSer try { protocolValidator.validateSamlResponse(samlResponse, null, null); } catch (WSSecurityException ex) { + reportError("INVALID_SAML_RESPONSE"); throw new WebApplicationException(400); } } - public void setUseDeflateEncoding(boolean deflate) { - useDeflateEncoding = deflate; + private URI getRelayURI(String relayState) { + if (relayState != null) { + try { + return URI.create(relayState); + } catch (IllegalArgumentException ex) { + reportError("INVALID_RELAY_STATE"); + } + } else { + reportError("MISSING_RELAY_STATE"); + } + throw new WebApplicationException(400); } - public boolean useDeflateEncoding() { - return useDeflateEncoding; + + private void reportError(String code) { + org.apache.cxf.common.i18n.Message errorMsg = + new org.apache.cxf.common.i18n.Message(code, BUNDLE); + LOG.warning(errorMsg.toString()); } } Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java?rev=1330409&r1=1330408&r2=1330409&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java (original) +++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java Wed Apr 25 16:45:22 2012 @@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.saml. import java.io.IOException; import java.net.URLEncoder; import java.util.Collections; -import java.util.UUID; import org.w3c.dom.Document; import org.w3c.dom.Element; 
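Review bot: getRelayURI only rejects a null RelayState, but `URI.create("")` succeeds, so an empty form value passes as a valid relay URI and the caller's seeOther resolves it against the resource's base URI instead of returning the 400 that MISSING_RELAY_STATE describes; readSAMLResponse guards its sibling parameter with StringUtils.isEmpty, so `if (!StringUtils.isEmpty(relayState)) {` would make the two checks consistent. In the catch branch the IllegalArgumentException `ex` is discarded, so the warning written by reportError never records why the value was rejected; passing the exception through to the logger (for example a reportError overload that calls `LOG.log(Level.WARNING, errorMsg.toString(), ex)`, with Level imported from java.util.logging) keeps the cause available for triage without logging the untrusted value itself. The class closing brace is the hunk's last line, so both new methods are complete here.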
@@ -125,7 +124,9 @@ public abstract class AbstractServicePro SamlRequestInfo info = new SamlRequestInfo(); info.setEncodedSamlRequest(authnRequestEncoded); - info.setRelayState(UUID.randomUUID().toString()); + + String originalRequestURI = (String)m.get(Message.REQUEST_URI); + info.setRelayState(originalRequestURI); return info; }
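Review bot: Storing the caller's request URI directly in RelayState (`info.setRelayState(originalRequestURI);`) conflicts with the SAML 2.0 Bindings specification, which limits RelayState to 80 bytes, so longer request paths may be rejected or truncated by the IdP; it also replaces the unguessable `UUID.randomUUID().toString()` with a value the consumer service later follows as a redirect target without being able to check that this filter issued it. Keeping the random UUID as the RelayState and recording the original URI server-side under that key (whatever store the filter uses is outside this hunk) stays within the limit and lets the consumer service verify the value before redirecting. CXF's `Message.REQUEST_URI` appears to hold only the request path, so the original query string would be dropped from the redirect target; if that is intended, a comment saying so would help, otherwise `Message.QUERY_STRING` needs to be appended. The cast `(String)m.get(Message.REQUEST_URI)` yields null when the property is absent and that null goes straight into the request info. The enclosing method starts outside the hunk.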