Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1463740 - in /cxf/fediz/trunk/services/idp/src/main:
 java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
 webapp/WEB-INF/federation-webflow.xml webapp/WEB-INF/idp-servlet.xml
Date: Tue, 02 Apr 2013 20:24:04 -0000
To: commits@cxf.apache.org
From: owulff@apache.org
Message-Id: <20130402202404.DE9D723888CD@eris.apache.org>

Author: owulff
Date: Tue Apr  2 20:24:04 2013
New Revision: 1463740

URL: http://svn.apache.org/r1463740
Log:
Merged missing changes of pull request

Modified:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java?rev=1463740&r1=1463739&r2=1463740&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java Tue Apr  2 20:24:04 2013
@@ -75,12 +75,15 @@ public class STSClientAction {
     protected String wsdlEndpoint;
 
     protected String appliesTo;
-
+    
     protected String tokenType;
+    
+    protected boolean useWfreshForTTL = true;
 
-    protected boolean claimsRequired = true;
+    private boolean claimsRequired = true;
+    
+    private boolean isPortSet;
     
-    protected boolean isPortSet;
 
     public String getWsdlLocation() {
         return wsdlLocation;
@@ -131,6 +134,14 @@ public class STSClientAction {
         this.claimsRequired = claimsRequired;
     }
 
+    public boolean isUseWfreshForTTL() {
+        return useWfreshForTTL;
+    }
+
+    public void setUseWfreshForTTL(boolean useWfreshForTTL) {
+        this.useWfreshForTTL = useWfreshForTTL;
+    }
+
     /**
      * @param credentials
      *            : username and password provided by user
@@ -147,18 +158,7 @@ public class STSClientAction {
         paramTokenType(sts);
         sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
 
-        if (!isPortSet) {
-            try {
-                URL url = new URL(this.wsdlLocation);
-                URL updatedUrl = new URL(url.getProtocol(), url.getHost(),
-                                         WebUtils.getHttpServletRequest(context).getLocalPort(), url.getFile());
-                
-                setSTSWsdlUrl(updatedUrl.toString());
-                LOG.info("STS WSDL URL updated to " + updatedUrl.toString());
-            } catch (MalformedURLException e) {
-                LOG.error("Invalid Url '" + this.wsdlLocation + "': "  + e.getMessage());
-            }
-        }
+        processWsdlLocation(context);
         sts.setWsdlLocation(this.wsdlLocation);
         sts.setServiceQName(new QName(
                 HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
@@ -167,7 +167,11 @@ public class STSClientAction {
                 HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
                 this.wsdlEndpoint));
 
-        if (this.claimsRequired) {
+        if (isUseWfreshForTTL()) {
+            configureTTL(sts, context);
+        }
+
+        if (isClaimsRequired()) {
             addClaims(this.appliesTo, bus, sts);
         }
 
@@ -182,6 +186,36 @@ public class STSClientAction {
         return idpToken;
     }
 
+    private void processWsdlLocation(RequestContext context) {
+        if (!isPortSet) {
+            try {
+                URL url = new URL(this.wsdlLocation);
+                URL updatedUrl = new URL(url.getProtocol(), url.getHost(),
+                                         WebUtils.getHttpServletRequest(context).getLocalPort(), url.getFile());
+                
+                setSTSWsdlUrl(updatedUrl.toString());
+                LOG.info("STS WSDL URL updated to " + updatedUrl.toString());
+            } catch (MalformedURLException e) {
+                LOG.error("Invalid Url '" + this.wsdlLocation + "': "  + e.getMessage());
+            }
+        }
+    }
+
+    /**
+     * Usage of 'wfresh' parameter, picked up from the webflow context, 
+     * like time-to-live of security token to be issued..
+     */
+    private void configureTTL(IdpSTSClient sts, RequestContext requestContext) {
+        String wfresh = (String)WebUtils.getAttributeFromExternalContext(requestContext, "wfresh");
+        if (wfresh != null) {
+            int ttl = Integer.parseInt(wfresh);
+            if (ttl > 0) {
+                sts.setTtl(ttl * 60);                    
+                sts.setEnableLifetime(true);
+            }
+        }
+    }
+
     /**
      * @param credentials
      *            {@link SecurityToken}
@@ -190,7 +224,7 @@ public class STSClientAction {
      * @return a serialized RP security token
      * @throws Exception
      */
-    public String submit(SecurityToken credentials, String wtrealm)
+    public String submit(SecurityToken credentials, String wtrealm, RequestContext context)
         throws Exception {
 
         Bus bus = BusFactory.getDefaultBus();
@@ -200,6 +234,7 @@ public class STSClientAction {
         paramTokenType(sts);
         sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
 
+        processWsdlLocation(context);
         sts.setWsdlLocation(wsdlLocation);
         sts.setServiceQName(new QName(
                 HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml?rev=1463740&r1=1463739&r2=1463740&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml Tue Apr  2 20:24:04 2013
@@ -14,41 +14,61 @@
             <set name="externalContext.sessionMap['wtrealm']" value="requestParameters.wtrealm" />
             <set name="externalContext.sessionMap['wreply']" value="requestParameters.wreply" />
             <set name="externalContext.sessionMap['wctx']" value="requestParameters.wctx" />
+            <set name="externalContext.sessionMap['wfresh']" value="requestParameters.wfresh" />
+            <set name="externalContext.sessionMap['wauth']" value="requestParameters.wauth" />
         </on-entry>
         <if test="requestParameters.wa == null" then="viewBadRequest" />
         <if test="requestParameters.wa != 'wsignin1.0' and requestParameters.wa != 'wsignout1.0' and requestParameters.wa != 'wsignoutcleanup1.0'" then="viewBadRequest" />
         <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'" then="invalidateSessionAction" />
         <if test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0" then="viewBadRequest" />
 
+<!--    check if IDP token exists in session -->
         <if test="externalContext.sessionMap['IDP_TOKEN'] == null" then="authenticationRequired" />
+<!--    check if IDP token is expired -->
         <if test="externalContext.sessionMap['IDP_TOKEN'].isExpired() == true" then="authenticationRequired" />
-        <if test="requestParameters.wfresh != null and requestParameters.wfresh.equals('0')" then="authenticationRequired" else="rpTokenAction" />
+<!--    check if IDP token is still valid but relying party requested new authentication -->
+        <if test="requestParameters.wfresh != null and requestParameters.wfresh.equals('0')" then="authenticationRequired" />
+<!--    check if IDP token is still valid but relying party requested new authentication via wfresh -->
+        <if test="requestParameters.wfresh != null" then="wfreshParserAction" else="rpTokenAction" />
     </decision-state>
     
+    <!-- parse wfresh parameter, provided by resource RP, overriding ttl from 'IDP_TOKEN' -->
+    <action-state id="wfreshParserAction">
+        <evaluate expression="wfreshParser.authenticationRequired(requestParameters.wfresh, externalContext.sessionMap['IDP_TOKEN'])" />
+        <transition on="true" to="authenticationRequired"/>
+        <transition on="false" to="rpTokenAction"/>
+<!--         <transition on-exception="java.lang.Throwable" to="scInternalServerError" /> -->
+<!--     wfresh invalid, ignore exception, force authentication -->
+        <transition on-exception="java.lang.Throwable" to="authenticationRequired" />
+    </action-state>
+
     <!-- select authentication support type -->
     <decision-state id="authenticationRequired">
         <on-entry>
+<!--        remove IDP token from session (if present) -->
             <set name="externalContext.sessionMap['IDP_TOKEN']" value="null" />
         </on-entry>
-        <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" />
+<!-- don't remove line commented below, stands for future use ... -->
+<!--         <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" /> -->
         <if test="flowScope['idp.authSupportType'] == 'BASIC'" then="basicAuthenticationCheck" else="viewBadRequest" />
     </decision-state>
     
     <!-- display authentication form 'signinform.jsp' (username/password credentials) -->
-    <view-state id="formAuthenticationView" view="signinform" model="usernamePasswordCredentials">
-        <var name="usernamePasswordCredentials"
-            class="org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials" />
-        <binder>
-            <binding property="username" />
-            <binding property="password" />
-        </binder>
-        <on-entry>
-            <evaluate expression="externalContext.nativeResponse.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private')" />
-        </on-entry>
-        <transition on="authenticate" bind="true" validate="true" to="idpUsernamePasswordTokenAction">
-            <set name="flowScope.usernamePasswordCredentials" value="usernamePasswordCredentials" />
-        </transition>
-    </view-state>
+<!-- don't remove view-state commented below, stands for future use ... -->
+<!--     <view-state id="formAuthenticationView" view="signinform" model="usernamePasswordCredentials"> -->
+<!--         <var name="usernamePasswordCredentials" -->
+<!--             class="org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials" /> -->
+<!--         <binder> -->
+<!--             <binding property="username" /> -->
+<!--             <binding property="password" /> -->
+<!--         </binder> -->
+<!--         <on-entry> -->
+<!--             <evaluate expression="externalContext.nativeResponse.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private')" /> -->
+<!--         </on-entry> -->
+<!--         <transition on="authenticate" bind="true" validate="true" to="idpUsernamePasswordTokenAction"> -->
+<!--             <set name="flowScope.usernamePasswordCredentials" value="usernamePasswordCredentials" /> -->
+<!--         </transition> -->
+<!--     </view-state> -->
 
     <!-- check basic authentication state -->
     <decision-state id="basicAuthenticationCheck">
@@ -78,7 +98,7 @@
     <!-- Receiving username/password as credentials, produce IDP security token (as SecurityToken type) and store it in session -->
     <!-- catch SoapFault in case of wrong credentials to redirect the flow -->
     <action-state id="idpUsernamePasswordTokenAction">
-        <evaluate expression="stsClientForIdpAction.submit(flowScope.usernamePasswordCredentials,flowRequestContext)"
+        <evaluate expression="stsClientForIdpAction.submit(flowScope.usernamePasswordCredentials, flowRequestContext)"
                     result="flowScope.idpToken" 
                     result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
         <transition on="success" to="rpTokenAction">
@@ -91,13 +111,14 @@
 
     <!-- when authentication failed, depending on the authentication support type set -->
     <decision-state id="authenticationFailedSwitch">
-        <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" />
+<!-- don't remove line commented below, stands for future use ... -->
+<!--         <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" /> -->
         <if test="flowScope['idp.authSupportType'] == 'BASIC'" then="basicAuthenticationRequested" />
     </decision-state>
     
     <!-- produce RP security token (as String type) -->
     <action-state id="rpTokenAction">
-        <evaluate expression="stsClientForRpAction.submit(externalContext.sessionMap['IDP_TOKEN'], externalContext.sessionMap['wtrealm'])" 
+        <evaluate expression="stsClientForRpAction.submit(externalContext.sessionMap['IDP_TOKEN'], externalContext.sessionMap['wtrealm'], flowRequestContext)" 
                     result="flowScope.rpToken" 
                     result-type="java.lang.String" />
         <transition to="formResponseView" />

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml?rev=1463740&r1=1463739&r2=1463740&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml Tue Apr  2 20:24:04 2013
@@ -7,7 +7,7 @@
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
        
-  <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" 
+    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" 
   		p:flowRegistry-ref="flowRegistry"
         p:order="2">
 <!--         <property name="interceptors"> -->
@@ -51,11 +51,12 @@
         <property name="wsdlEndpoint" value="TransportUT_Port"/>
         <property name="appliesTo" value="urn:fediz:idp"/>
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+        <property name="useWfreshForTTL" value="true"/>
         <property name="claimsRequired" value="true"/>
     </bean>
 
 	<bean id="stsClientForRpAction" class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
-		<property name="wsdlLocation" value="https://localhost:9443/fediz-idp-sts/STSServiceTransport?wsdl"/>
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/STSServiceTransport?wsdl"/>
 		<property name="wsdlEndpoint" value="Transport_Port"/>
 		<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
 		<property name="claimsRequired" value="true"/>
@@ -63,10 +64,11 @@
 
 	<bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction" />
 	
-	<bean id="decodeAuthorizationHeaderAction" class="org.apache.cxf.fediz.service.idp.beans.DecodeAuthorizationHeaderAction" />
-	
+    <bean id="decodeAuthorizationHeaderAction" class="org.apache.cxf.fediz.service.idp.beans.DecodeAuthorizationHeaderAction" />
+    
+    <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser" />
+    
 	<bean id="initialFlowSetupAction" class="org.apache.cxf.fediz.service.idp.beans.InitialFlowSetupAction" >
-<!--         <property name="authSupportType" value="FORM" /> -->
         <property name="authSupportType" value="BASIC" />
         <property name="idpName" value="LocalIDP" />
 	</bean>