From serg...@apache.org
Subject svn commit: r1340085 - in /cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso: AbstractServiceProviderFilter.java Messages.properties RequestAssertionConsumerService.java state/ResponseState.java
Date Fri, 18 May 2012 12:54:36 GMT
Author: sergeyb
Date: Fri May 18 12:54:36 2012
New Revision: 1340085

URL: http://svn.apache.org/viewvc?rev=1340085&view=rev
Log:
Checking if ResponseState matches the current web app context and domain if any

Modified:
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
Fri May 18 12:54:36 2012
@@ -130,38 +130,60 @@ public abstract class AbstractServicePro
         Map<String, Cookie> cookies = headers.getCookies();
         
         Cookie securityContextCookie = cookies.get(SSOConstants.SECURITY_CONTEXT_TOKEN);
+        
+        ResponseState responseState = getValidResponseState(securityContextCookie, m);
+        if (responseState == null) {
+            return false;    
+        }
+        
+        Cookie relayStateCookie = cookies.get(SSOConstants.RELAY_STATE);
+        if (relayStateCookie == null) {
+            reportError("MISSING_RELAY_COOKIE");
+            return false;
+        }
+        String originalRelayState = responseState.getRelayState();
+        if (!originalRelayState.equals(relayStateCookie.getValue())) {
+            // perhaps the response state should also be removed
+            reportError("INVALID_RELAY_STATE");
+            return false;
+        }
+        //TODO: use ResponseState to set up a proper SecurityContext 
+        //      on the current message
+        return true;
+    }
+    
+    protected ResponseState getValidResponseState(Cookie securityContextCookie, 
+                                                  Message m) {
         if (securityContextCookie == null) {
             // most likely it means that the user has not been offered
             // a chance to get logged on yet, though it might be that the browser
             // has removed an expired cookie from its cache; warning is too noisy in the
             // former case
             reportTrace("MISSING_RESPONSE_STATE");
-            return false;
+            return null;
         }
         String contextKey = securityContextCookie.getValue();
+        
         ResponseState responseState = getStateProvider().getResponseState(contextKey);
+        
         if (responseState == null) {
             reportError("MISSING_RESPONSE_STATE");
-            return false;
+            return null;
         }
         if (isStateExpired(responseState.getCreatedAt(), responseState.getExpiresAt())) {
             reportError("EXPIRED_RESPONSE_STATE");
             getStateProvider().removeResponseState(contextKey);
-            return false;
+            return null;
         }
-        Cookie relayStateCookie = cookies.get(SSOConstants.RELAY_STATE);
-        if (relayStateCookie == null) {
-            reportError("MISSING_RELAY_COOKIE");
-            return false;
-        }
-        String originalRelayState = responseState.getRelayState();
-        if (!originalRelayState.equals(relayStateCookie.getValue())) {
-            reportError("INVALID_RELAY_STATE");
-            return false;
+        String webAppContext = getWebAppContext(m);
+        if (webAppDomain != null && !webAppDomain.equals(responseState.getWebAppDomain())
+            || responseState.getWebAppContext() == null
+            || !webAppContext.equals(responseState.getWebAppContext())) {
+            getStateProvider().removeResponseState(contextKey);
+            reportError("INVALID_RESPONSE_STATE");
+            return null;
         }
-        //TODO: use ResponseState to set up a proper SecurityContext 
-        //      on the current message
-        return true;
+        return responseState;
     }
     
     protected String deflateEncodeAuthnRequest(Element authnRequestElement)
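Review bot: The new context/domain check in `getValidResponseState` is hard to read and not null-safe: the condition depends on `&&` binding tighter than `||`, and `webAppContext.equals(...)` is reached without checking `webAppContext` itself, so if `getWebAppContext(m)` ever yields null (`URI.getRawPath()` can return null) the filter fails with a NullPointerException instead of reporting INVALID_RESPONSE_STATE. Splitting it into named booleans makes both checks explicit and null-safe: `boolean domainMismatch = webAppDomain != null && !webAppDomain.equals(responseState.getWebAppDomain());` / `boolean contextMismatch = webAppContext == null || !webAppContext.equals(responseState.getWebAppContext());` / `if (domainMismatch || contextMismatch) {`. A short comment above the check would also help the next reader, e.g. `// Reject a security-context cookie presented to a different context path or domain than the one it was issued for`. Note too that a relay-state mismatch in the caller leaves the stored state in place while a context mismatch removes it; the "perhaps" comment acknowledges this, and treating both failures the same way would be more consistent. The calling method starts before line 130, outside the hunk.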
@@ -189,13 +211,7 @@ public abstract class AbstractServicePro
         SamlRequestInfo info = new SamlRequestInfo();
         info.setSamlRequest(authnRequestEncoded);
         
-        String webAppContext = null;
-        if (addEndpointAddressToContext) {
-            webAppContext = new UriInfoImpl(m).getBaseUri().getRawPath();
-        } else {
-            String httpBasePath = (String)m.get("http.base.path");
-            webAppContext = URI.create(httpBasePath).getRawPath();
-        }
+        String webAppContext = getWebAppContext(m);
         String originalRequestURI = new UriInfoImpl(m).getRequestUri().toString();
         
         RequestState requestState = new RequestState(originalRequestURI,
@@ -247,6 +263,15 @@ public abstract class AbstractServicePro
         }
     }
 
+    private String getWebAppContext(Message m) {
+        if (addEndpointAddressToContext) {
+            return new UriInfoImpl(m).getBaseUri().getRawPath();
+        } else {
+            String httpBasePath = (String)m.get("http.base.path");
+            return URI.create(httpBasePath).getRawPath();
+        }
+    }
+    
     public String getWebAppDomain() {
         return webAppDomain;
     }
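Review bot: `getWebAppContext` passes `m.get("http.base.path")` straight to `URI.create`, which throws a NullPointerException on a null argument, so a message without that property now surfaces as an unexplained NPE from both the state-validation path and the AuthnRequest path rather than a reported error. This logic pre-dates the commit, but now that it is shared it deserves an explicit guard, e.g. `if (httpBasePath == null) { throw new IllegalStateException("http.base.path is not set on the message"); }` before the `URI.create` call. A one-line Javadoc such as `Returns the raw context path the SSO cookies are scoped to: the endpoint base URI when addEndpointAddressToContext is set, otherwise the path of the http.base.path message property.` would also document the two branches.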

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
Fri May 18 12:54:36 2012
@@ -26,6 +26,7 @@ MISSING_SAML_RESPONSE=SamlResponse param
 INVALID_SAML_RESPONSE=SamlResponse parameter is invalid
 MISSING_ASSERTION_SERVICE_URL=RequestAssertionConsumerService URI is not set
 MISSING_RESPONSE_STATE=Response State is not available
+INVALID_RESPONSE_STATE=Response State is invalid
 EXPIRED_RESPONSE_STATE=Response State has expired
 MISSING_RELAY_STATE=RelayState is missing
 MISSING_RELAY_COOKIE=RelayState cookie is not available

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Fri May 18 12:54:36 2012
@@ -38,7 +38,6 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
@@ -101,53 +100,28 @@ public class RequestAssertionConsumerSer
     @Produces(MediaType.APPLICATION_FORM_URLENCODED)
     public Response processSamlResponse(@FormParam(SSOConstants.SAML_RESPONSE) String encodedSamlResponse,
                                         @FormParam(SSOConstants.RELAY_STATE) String relayState)
{
-        RequestState requestState = processRelayState(relayState);
-        URI targetURI = getTargetURI(requestState.getTargetAddress());
-        
-        org.opensaml.saml2.core.Response samlResponse = 
-            readSAMLResponse(true, encodedSamlResponse);
-
-        // Validate the Response
-        validateSamlResponseProtocol(samlResponse);
-        SSOValidatorResponse validatorResponse = 
-            validateSamlSSOResponse(true, samlResponse, requestState);
-        
-        // Set the security context
-        String securityContextKey = UUID.randomUUID().toString();
-        
-        long currentTime = System.currentTimeMillis();
-        Date notOnOrAfter = validatorResponse.getSessionNotOnOrAfter();
-        long expiresAt = 0;
-        if (notOnOrAfter != null) {
-            expiresAt = notOnOrAfter.getTime();
-        }
-        ResponseState responseState = 
-            new ResponseState(relayState, currentTime, expiresAt);
-        getStateProvider().setResponseState(securityContextKey, responseState);
-        
-        String contextCookie = createCookie(SSOConstants.SECURITY_CONTEXT_TOKEN,
-                                            securityContextKey,
-                                            requestState.getWebAppContext(),
-                                            requestState.getWebAppDomain());
-        
-        // Finally, redirect to the service provider endpoint
-        return Response.seeOther(targetURI).header("Set-Cookie", contextCookie).build();
+        return doProcessSamlResponse(encodedSamlResponse, relayState);
         
     }
     
     @GET
     public Response getSamlResponse(@QueryParam(SSOConstants.SAML_RESPONSE) String encodedSamlResponse,
                                     @QueryParam(SSOConstants.RELAY_STATE) String relayState)
{
+        return doProcessSamlResponse(encodedSamlResponse, relayState);
+    }
+    
+    protected Response doProcessSamlResponse(String encodedSamlResponse,
+                                          String relayState) {
         RequestState requestState = processRelayState(relayState);
         URI targetURI = getTargetURI(requestState.getTargetAddress());
         
         org.opensaml.saml2.core.Response samlResponse = 
-            readSAMLResponse(false, encodedSamlResponse);
+            readSAMLResponse(true, encodedSamlResponse);
 
         // Validate the Response
         validateSamlResponseProtocol(samlResponse);
         SSOValidatorResponse validatorResponse = 
-            validateSamlSSOResponse(false, samlResponse, requestState);
+            validateSamlSSOResponse(true, samlResponse, requestState);
         
         // Set the security context
         String securityContextKey = UUID.randomUUID().toString();
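Review bot: Folding the GET handler into `doProcessSamlResponse` silently changes its behavior: the removed GET body called `readSAMLResponse(false, ...)` and `validateSamlSSOResponse(false, ...)`, but the shared method now hard-codes `true` for both entry points. If that flag distinguishes the POST binding from the redirect binding (as the previous code suggests), redirect-binding responses are now decoded and validated with POST rules, which the commit message does not mention. Threading the binding through as a parameter keeps each entry point's original value. The hunk cuts the method body before the cookie and redirect tail.
```java
        // … unchanged: processSamlResponse signature …
        return doProcessSamlResponse(true, encodedSamlResponse, relayState);
    }

    // … unchanged: @GET getSamlResponse signature …
        return doProcessSamlResponse(false, encodedSamlResponse, relayState);
    }

    protected Response doProcessSamlResponse(boolean postBinding,
                                             String encodedSamlResponse,
                                             String relayState) {
        RequestState requestState = processRelayState(relayState);
        URI targetURI = getTargetURI(requestState.getTargetAddress());

        org.opensaml.saml2.core.Response samlResponse =
            readSAMLResponse(postBinding, encodedSamlResponse);

        // Validate the Response
        validateSamlResponseProtocol(samlResponse);
        SSOValidatorResponse validatorResponse =
            validateSamlSSOResponse(postBinding, samlResponse, requestState);
        // … unchanged: security-context key, ResponseState, cookie and redirect …
```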
@@ -159,7 +133,11 @@ public class RequestAssertionConsumerSer
             expiresAt = notOnOrAfter.getTime();
         }
         ResponseState responseState = 
-            new ResponseState(relayState, currentTime, expiresAt);
+            new ResponseState(relayState, 
+                              requestState.getWebAppContext(),
+                              requestState.getWebAppDomain(),
+                              currentTime, 
+                              expiresAt);
         getStateProvider().setResponseState(securityContextKey, responseState);
         
         String contextCookie = createCookie(SSOConstants.SECURITY_CONTEXT_TOKEN,
@@ -168,8 +146,8 @@ public class RequestAssertionConsumerSer
                                             requestState.getWebAppDomain());
         
         // Finally, redirect to the service provider endpoint
-        return Response.seeOther(targetURI).header(HttpHeaders.SET_COOKIE,
-                                                   contextCookie).build();
+        return Response.seeOther(targetURI).header("Set-Cookie", contextCookie).build();
+        
     }
     
     private RequestState processRelayState(String relayState) {

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
Fri May 18 12:54:36 2012
@@ -21,11 +21,19 @@ package org.apache.cxf.rs.security.saml.
 public class ResponseState {
 
     private String relayState;
+    private String webAppContext;
+    private String webAppDomain;
     private long createdAt;
     private long expiresAt;
     
-    public ResponseState(String relayState, long createdAt, long expiresAt) {
+    public ResponseState(String relayState,
+                         String webAppContext,
+                         String webAppDomain,
+                         long createdAt, 
+                         long expiresAt) {
         this.relayState = relayState;
+        this.webAppContext = webAppContext;
+        this.webAppDomain = webAppDomain;
         this.createdAt = createdAt;
         this.expiresAt = expiresAt;
     }
@@ -41,4 +49,12 @@ public class ResponseState {
     public String getRelayState() {
         return relayState;
     }
+    
+    public String getWebAppContext() {
+        return webAppContext;
+    }
+
+    public String getWebAppDomain() {
+        return webAppDomain;
+    }
 }
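Review bot: The new `getWebAppContext` and `getWebAppDomain` accessors carry no documentation, although they are what the filter uses to decide whether a presented security-context cookie is still valid. A short Javadoc on each would make the contract visible, e.g. `Returns the context path the security-context cookie was issued for; the filter rejects the state when the current request's context path differs.` and `Returns the cookie domain the security-context cookie was issued for, or null when no domain was configured; when the filter has a domain configured it must match this value.` The same applies to the two fields added in the earlier hunk of this file.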


