From owu...@apache.org
Subject svn commit: r1346157 - in /cxf/fediz/trunk/plugins: core/src/main/java/org/apache/cxf/fediz/core/ core/src/main/java/org/apache/cxf/fediz/core/config/ core/src/main/java/org/apache/cxf/fediz/core/saml/ core/src/main/resources/schemas/ core/src/test/jav...
Date Mon, 04 Jun 2012 21:16:05 GMT
Author: owulff
Date: Mon Jun  4 21:16:04 2012
New Revision: 1346157

URL: http://svn.apache.org/viewvc?rev=1346157&view=rev
Log:
Refactoring for pluggable TokenValidator processing

Modified:
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
    cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
    cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
    cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
Mon Jun  4 21:16:04 2012
@@ -26,6 +26,7 @@ import java.net.URLEncoder;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.util.Date;
+import java.util.List;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -38,7 +39,6 @@ import org.xml.sax.SAXException;
 
 import org.apache.cxf.fediz.core.config.FederationContext;
 import org.apache.cxf.fediz.core.config.FederationProtocol;
-import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
 import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
 import org.apache.cxf.fediz.core.spi.IDPCallback;
 import org.apache.cxf.fediz.core.spi.WAuthCallback;
@@ -139,64 +139,76 @@ public class FederationProcessorImpl imp
             if (currentDate.after(lifeTime.getExpires())) {
                 LOG.warn("Token already expired");
             }
-
             if (currentDate.before(lifeTime.getCreated())) {
                 LOG.warn("Token not yet valid");
-                // [TODO] Add Check clocksqew
+                // [TODO] Add Check clockskew
             }
         }
 
-        // [TODO] Exception: TokenExpiredException, TokenInvalidException,
-        // TokenCachedException
-
-        // [TODO] Flexible tokenvalidator selection, based on class list
-        SAMLTokenValidator validator = new SAMLTokenValidator();
-        TokenValidatorResponse response = validator.validateAndProcessToken(
-                rst, config);
+        // [TODO] Exception: TokenExpiredException, TokenInvalidException, TokenCachedException
+        // throw new FedizRuntimeException("Error in providing a token", ex, FedizRuntimeException.TOKEN_EXPIRED);
+        
+        TokenValidatorResponse validatorResponse = null;
+        List<TokenValidator> validators = ((FederationProtocol)config.getProtocol()).getTokenValidators();
+        for (TokenValidator validator : validators) {
+            boolean canHandle = false;
+            if (tt != null) {
+                canHandle = validator.canHandleTokenType(tt);
+            } else {
+                canHandle = validator.canHandleToken(rst);
+            }
+            if (canHandle) {
+                try {
+                    validatorResponse = validator.validateAndProcessToken(rst, config);
+                } catch (RuntimeException ex) {
+                    LOG.warn("Failed to validate token", ex);
+                    throw ex;
+                }
+                break;
+            }
+        }
 
         // Check whether token already used for signin
-        if (response.getUniqueTokenId() != null
+        if (validatorResponse.getUniqueTokenId() != null
                 && config.isDetectReplayedTokens()) {
             // Check whether token has already been processed once, prevent
             // replay attack
 
-            if (config.getTokenReplayCache().getId(response.getUniqueTokenId()) == null)
{
+            if (config.getTokenReplayCache().getId(validatorResponse.getUniqueTokenId())
== null) {
                 // not cached
                 Date expires = null;
                 if (lifeTime != null && lifeTime.getExpires() != null) {
                     expires = lifeTime.getExpires();
                 } else {
-                    expires = response.getExpires();
+                    expires = validatorResponse.getExpires();
                 }
                 if (expires != null) {
                     Date currentTime = new Date();
                     long ttl = expires.getTime() - currentTime.getTime();
-                    config.getTokenReplayCache().putId(response.getUniqueTokenId(), ttl /
1000L);
+                    config.getTokenReplayCache().putId(validatorResponse.getUniqueTokenId(),
ttl / 1000L);
                 } else {
-                    config.getTokenReplayCache().putId(response.getUniqueTokenId());
+                    config.getTokenReplayCache().putId(validatorResponse.getUniqueTokenId());
                 }
             } else {
                 LOG.error("Replay attack with token id: "
-                        + response.getUniqueTokenId());
+                        + validatorResponse.getUniqueTokenId());
                 throw new RuntimeException("Replay attack with token id: "
-                        + response.getUniqueTokenId());
+                        + validatorResponse.getUniqueTokenId());
             }
         }
 
-        // [TODO] Token, WeakReference, SoftReference???
         FederationResponse fedResponse = new FederationResponse(
-                response.getUsername(), response.getIssuer(),
-                response.getRoles(), response.getClaims(),
-                response.getAudience(),
+                validatorResponse.getUsername(), validatorResponse.getIssuer(),
+                validatorResponse.getRoles(), validatorResponse.getClaims(),
+                validatorResponse.getAudience(),
                 (lifeTime != null) ? lifeTime.getCreated() : null,
                         (lifeTime != null) ? lifeTime.getExpires() : null, rst,
-                                response.getUniqueTokenId());
+                            validatorResponse.getUniqueTokenId());
 
         return fedResponse;
     }
 
     private LifeTime processLifeTime(Element lifetimeElem) {
-        // [TODO] Get rid of WSS4J dependency
         try {
             Element createdElem = DOMUtils.getFirstChildWithName(lifetimeElem,
                     WSConstants.WSU_NS, WSConstants.CREATED_LN);
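Review bot: `validatorResponse` is still null after the loop over `validators` when no configured validator reports that it can handle the token, and the replay check that follows (`validatorResponse.getUniqueTokenId()`) then fails with a NullPointerException instead of a clear rejection; add after the loop `if (validatorResponse == null) { throw new RuntimeException("No token validator found for token type " + tt); }` (or the FedizRuntimeException the commented-out TODO line anticipates). The selection also keys on `tt`, the token type declared by the response, whenever it is non-null, so a declared type that matches no validator ends up in this null path even when `canHandleToken(rst)` would have recognised the element itself; it is worth deciding whether to fall back to the element check in that case. The catch block that logs and rethrows the RuntimeException is fine, but the message should name the validator class so that failures from different validators can be told apart in the log. The enclosing method starts before this hunk, where `tt`, `rst` and `lifeTime` are defined.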
@@ -348,10 +360,6 @@ public class FederationProcessorImpl imp
         // sb.append("wfresh=jjjj");
         // }
         // if (false) {
-        // sb.append("&");
-        // sb.append("wauth=jjjj");
-        // }
-        // if (false) {
         // sb.append("&");wct
         // sb.append("wreq=jjjj");
         // }

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
Mon Jun  4 21:16:04 2012
@@ -88,6 +88,7 @@ public class FederationConfigurator {
         }
         for (FederationContext fedContext : federationContextList) {
             if (fedContext.getName().equals(contextName)) {
+                fedContext.init();
                 return fedContext;
             }
         }
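Review bot: `fedContext.init()` runs on every successful lookup by name rather than once per context; since init() only calls the caching getProtocol() the repeated call is cheap, but a FederationContext obtained through any other path (if one exists) is never initialised. Consider calling init() once where `federationContextList` is populated, or at least documenting init() as idempotent so the per-lookup call is clearly intentional. The enclosing method starts and ends outside this hunk.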

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
Mon Jun  4 21:16:04 2012
@@ -45,9 +45,17 @@ public class FederationContext implement
     private boolean detectReplayedTokens = true;
     private String relativePath;
     private TokenReplayCache<String> replayCache;
+    private FederationProtocol protocol;
+    
 
     public FederationContext(ContextConfig config) {
         this.config = config;
+        
+    }
+    
+    public void init() {
+        //get validators initialized
+        getProtocol();
     }
 
     public List<String> getAudienceUris() {
@@ -64,7 +72,7 @@ public class FederationContext implement
         return trustedIssuers; 
     }
 
-
+    //[TODO] Return Keystore
     public List<TrustManager> getCertificateStores() {
         CertificateStores certStores = config.getCertificateStores();
         List<TrustManagersType> trustManagers =  certStores.getTrustManager();
@@ -79,8 +87,8 @@ public class FederationContext implement
         return config.getMaximumClockSkew();
     }
     
-    public void setMaximumClockSkew(BigInteger maximumClockSqew) {
-        config.setMaximumClockSkew(maximumClockSqew);
+    public void setMaximumClockSkew(BigInteger maximumClockSkew) {
+        config.setMaximumClockSkew(maximumClockSkew);
     }
 
     //    public TrustManager getServiceCertificate() {
@@ -88,11 +96,14 @@ public class FederationContext implement
     //    }
 
     public Protocol getProtocol() {
+        if (protocol != null) {
+            return protocol;
+        }
         ProtocolType type = config.getProtocol();
         if (type instanceof FederationProtocolType) {
-            return new FederationProtocol(type);
+            protocol = new FederationProtocol(type);
         }
-        return null;
+        return protocol;
     }
     
     @SuppressWarnings("unchecked")
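Review bot: The lazy cache in getProtocol() is a check-then-act on the unsynchronized `protocol` field; if two threads call it before init() has run, each can construct its own FederationProtocol (and with it its own validator list), and without `volatile` or a lock a reader may observe a partially constructed object. Since the init() added in the earlier hunk of this file exists precisely to warm the field, the simplest fix is `public synchronized Protocol getProtocol() {`, or to build the protocol eagerly in init() and have getProtocol() only return the field. The method also lacks a Javadoc; suggest `/** Returns the protocol configured for this context, created on first call and cached; null when the configured protocol is not a FederationProtocolType. */`.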

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
Mon Jun  4 21:16:04 2012
@@ -23,12 +23,15 @@ import java.util.ArrayList;
 import java.util.List;
 
 import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.jaxb.ArgumentType;
 import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
 import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
 import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
 import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
 import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
+import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -39,9 +42,13 @@ public class FederationProtocol extends 
     private Object authenticationType;
     private Object issuer;
     private Object homeRealm;
+    private List<TokenValidator> validators = new ArrayList<TokenValidator>();
     
     public FederationProtocol(ProtocolType protocolType) {
         super(protocolType);
+        // [TODO] Flexible tokenvalidator selection, based on class list
+        SAMLTokenValidator validator = new SAMLTokenValidator();
+        validators.add(validator);
     }
 
     protected FederationProtocolType getFederationProtocol() {
@@ -229,8 +236,8 @@ public class FederationProtocol extends 
         getFederationProtocol().setClaimTypesRequested(value);
     }
 
-    public List<String> getSecurityTokenValidators() {
-        return getFederationProtocol().getSecurityTokenValidators();
+    public List<TokenValidator> getTokenValidators() {
+        return validators;
     }
 
     public String getVersion() {
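Review bot: getTokenValidators() hands out the internal `validators` ArrayList itself, so any caller can add or remove validators on the shared protocol instance, which after this commit decides which component validates an incoming token; return `Collections.unmodifiableList(validators)` (needs a java.util.Collections import) or a copy instead. In the constructor hunk above, the list is populated only with a hard-coded SAMLTokenValidator, while the previous getSecurityTokenValidators() accessor that read the configured list is removed and the schema still declares a `tokenValidators` element, so validator classes named in the configuration now appear to be silently ignored; the TODO comment should say so explicitly, e.g. `// [TODO] tokenValidators from the configuration are not honoured yet; only SAMLTokenValidator is registered`. The class body continues outside these hunks.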

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
Mon Jun  4 21:16:04 2012
@@ -45,6 +45,7 @@ import org.apache.cxf.fediz.core.config.
 import org.apache.cxf.fediz.core.saml.SamlAssertionValidator.TRUST_TYPE;
 
 import org.apache.ws.security.SAMLTokenPrincipal;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityException;
@@ -65,15 +66,23 @@ public class SAMLTokenValidator implemen
 
     private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenValidator.class);
     
-    // [TODO] make sure we answer true only for cases we actually can handle
+
     @Override
     public boolean canHandleTokenType(String tokenType) {
-        return true;
+        if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)
+            || WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType))
{
+            return true;
+        }
+        return false;
     }
 
     @Override
     public boolean canHandleToken(Element token) {
-        return true;
+        String ns = token.getNamespaceURI();
+        if (WSConstants.SAML2_NS.equals(ns) || WSConstants.SAML_NS.equals(ns)) {
+            return true;
+        }
+        return false;
     }
     
     public TokenValidatorResponse validateAndProcessToken(Element token,
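Review bot: canHandleToken() checks only the namespace of the element, so any element in the SAML 1.1 or 2.0 namespace, not just an Assertion, is reported as handleable and routed to validateAndProcessToken(); tighten it to `return (WSConstants.SAML2_NS.equals(ns) || WSConstants.SAML_NS.equals(ns)) && WSConstants.ASSERTION_LN.equals(token.getLocalName());`, which also replaces the `if (...) { return true; } return false;` shape with a direct boolean return. The same collapse applies to canHandleTokenType(): `return WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType) || WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType);`. Because the processor selects the validator by the declared token type whenever one is present, a positive canHandleTokenType() does not establish that the element really is a SAML assertion; validateAndProcessToken(), whose signature starts on the last line of this hunk and whose body lies outside it, must still verify that itself.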

Modified: cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd (original)
+++ cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd Mon Jun  4 21:16:04
2012
@@ -100,7 +100,7 @@
 					<xs:element ref="request" />
 					<xs:element ref="claimTypesRequested" />
 					<xs:sequence minOccurs="1" maxOccurs="unbounded">
-						<xs:element ref="securityTokenValidators" />
+					<xs:element ref="tokenValidators" />
 					</xs:sequence>
 				</xs:sequence>
 				<!-- <xs:attribute name="roleDelimiter" type="xs:string"/> -->
@@ -158,7 +158,7 @@
 		</xs:complexType>
 	</xs:element>
 
-	<xs:element name="securityTokenValidators" type="xs:string" />
+	<xs:element name="tokenValidators" type="xs:string" />
 
 	<xs:simpleType name="optionalType">
 		<xs:restriction base="xs:boolean" />

Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
Mon Jun  4 21:16:04 2012
@@ -422,10 +422,10 @@ public class FederationProcessorTest {
     
     /**
      * Validate SAML 2 token which is not yet valid (in 30 seconds)
-     * but within the maximum clock sqew range (60 seconds)
+     * but within the maximum clock skew range (60 seconds)
      */
     @org.junit.Test
-    public void validateSAML2TokenClockSqewRange() throws Exception {
+    public void validateSAML2TokenClockSkewRange() throws Exception {
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);

Modified: cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
(original)
+++ cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
Mon Jun  4 21:16:04 2012
@@ -304,28 +304,6 @@ public class FederationAuthenticator ext
                 }
                 FederationContext fedConfig = getContextConfiguration(contextName);
 
-                // Has the callback handler returned a trusted issuer, stored in
-                // session
-//                session = request.getSessionInternal();
-//                String trustedIssuer = null;
-//
-//                //[TODO] How to cache trusted issuer from FederationProcessor?
-//                if (session != null) {
-//                    trustedIssuer = (String) session.getNote(TRUSTED_ISSUER);
-//                    if (trustedIssuer == null || trustedIssuer.length() == 0) {
-//                        trustedIssuer = ((FederationProtocolType)fedConfig.getProtocol()).getIssuer();
-//                    } else {
-//                        log.debug("Trusted issuer cached in session");
-//                        session.removeNote(TRUSTED_ISSUER);
-//                    }
-//                } else {
-//                    log.debug("request session null");
-//                }
-
-                // fedConfig.setTrustedIssuer(trustedIssuer);
-                // log.info("Trusted issuer: " + trustedIssuer);
-                //
-
                 FederationProcessor wfProc = new FederationProcessorImpl();
                 wfRes = wfProc.processRequest(wfReq, fedConfig);
                 
@@ -363,10 +341,6 @@ public class FederationAuthenticator ext
 
                 principal = new FederationPrincipalImpl(wfRes.getUsername(), roles,
                         wfRes.getClaims());
-
-                // [TODO] Cache lifetime (in session), token (in session/TLS),
-                // ?audience?
-                // [TODO] clocksqew
             }
         } else {
             LOG.error("Not supported action found in parameter wa: " + wa);


