From cohei...@apache.org
Subject [2/2] git commit: [CXF-5684] - Flaw in token storing logic when configured to allow token renewal after expiry
Date Mon, 14 Apr 2014 14:17:51 GMT
[CXF-5684] - Flaw in token storing logic when configured to allow token renewal after expiry


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6155656f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6155656f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6155656f

Branch: refs/heads/master
Commit: 6155656f80e827b0f366c0b18dd4fb27f76330a9
Parents: 603d32a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Apr 14 15:17:01 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Apr 14 15:17:01 2014 +0100

----------------------------------------------------------------------
 .../org/apache/cxf/sts/cache/CacheUtils.java    | 86 ++++++++++++++++++++
 .../sts/token/provider/SAMLTokenProvider.java   | 49 +++--------
 .../cxf/sts/token/renewer/SAMLTokenRenewer.java | 40 ++-------
 3 files changed, 105 insertions(+), 70 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6155656f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/CacheUtils.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/CacheUtils.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/CacheUtils.java
new file mode 100644
index 0000000..0267d08
--- /dev/null
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/CacheUtils.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.sts.cache;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.Properties;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.request.Renewing;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+
+public final class CacheUtils {
+
+    private CacheUtils() {
+        // complete
+    }
+    
+    public static SecurityToken createSecurityTokenForStorage(
+        Element token, 
+        String tokenIdentifier,
+        Date expiry,
+        Principal principal,
+        String realm,
+        Renewing renewing
+    ) {
+        SecurityToken securityToken = new SecurityToken(tokenIdentifier, null, expiry);
+        securityToken.setToken(token);
+        securityToken.setPrincipal(principal);
+
+        Properties props = new Properties();
+        securityToken.setProperties(props);
+        if (realm != null) {
+            props.setProperty(STSConstants.TOKEN_REALM, realm);
+        }
+
+        // Handle Renewing logic
+        if (renewing != null) {
+            props.put(
+                STSConstants.TOKEN_RENEWING_ALLOW, 
+                String.valueOf(renewing.isAllowRenewing())
+            );
+            props.put(
+                STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, 
+                String.valueOf(renewing.isAllowRenewingAfterExpiry())
+            );
+        } else {
+            props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
+            props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
+        }
+        
+        return securityToken;
+    }
+    
+    public static void storeTokenInCache(
+        SecurityToken securityToken,
+        TokenStore cache,
+        byte[] signatureValue
+    ) {
+        int hash = Arrays.hashCode(signatureValue);
+        securityToken.setTokenHash(hash);
+        String identifier = Integer.toString(hash);
+        cache.add(identifier, securityToken);
+    }
+}
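Review bot: `createSecurityTokenForStorage` and `storeTokenInCache` are new public API with no Javadoc, and the defaulting in the `else` branch (renewal allowed, renewal after expiry not allowed when no `Renewing` element is present) is a policy decision that should be stated on the method rather than left to be inferred from the two `setProperty` calls; a short Javadoc on each method naming the parameters, the `STSConstants` properties written, and that default would do. The two `props.put(...)` calls in the `renewing != null` branch use the raw `Hashtable` API while the rest of the method uses `setProperty`; `props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, String.valueOf(renewing.isAllowRenewing()));` keeps the string-typed API consistent. `storeTokenInCache` keys the cache entry on `Arrays.hashCode(signatureValue)` without checking the array: a null or empty array does not throw but hashes to a fixed value, so every such token would share one cache key. The `SAMLTokenProvider` caller guards `signatureValue != null && signatureValue.length > 0` before calling, but the helper itself does not, so either an explicit precondition check or an `@throws`/contract note on the helper would make that expectation visible to the next caller.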

http://git-wip-us.apache.org/repos/asf/cxf/blob/6155656f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
index 6ef99f2..892c22e 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
@@ -20,12 +20,9 @@
 package org.apache.cxf.sts.token.provider;
 
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -33,15 +30,14 @@ import javax.security.auth.callback.CallbackHandler;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.SignatureProperties;
+import org.apache.cxf.sts.cache.CacheUtils;
 import org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider;
 import org.apache.cxf.sts.request.KeyRequirements;
-import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.token.realm.SAMLRealm;
 import org.apache.cxf.ws.security.sts.provider.STSException;
@@ -130,40 +126,19 @@ public class SAMLTokenProvider implements TokenProvider {
             byte[] signatureValue = assertion.getSignatureValue();
             if (tokenParameters.getTokenStore() != null && signatureValue != null
                 && signatureValue.length > 0) {
-                Date expires = new Date();
-                long currentTime = expires.getTime();
-                expires.setTime(currentTime + (conditionsProvider.getLifetime() * 1000L));
-                
-                SecurityToken securityToken = new SecurityToken(assertion.getId(), null,
expires);
-                securityToken.setToken(token);
-                securityToken.setPrincipal(tokenParameters.getPrincipal());
-
-                Properties props = new Properties();
-                securityToken.setProperties(props);
-                if (tokenParameters.getRealm() != null) {
-                    props.setProperty(STSConstants.TOKEN_REALM, tokenParameters.getRealm());
-                }
-
-                // Handle Renewing logic
-                Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
-                if (renewing != null) {
-                    props.put(
-                        STSConstants.TOKEN_RENEWING_ALLOW, 
-                        String.valueOf(renewing.isAllowRenewing())
-                    );
-                    props.put(
-                        STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, 
-                        String.valueOf(renewing.isAllowRenewingAfterExpiry())
-                    );
+                DateTime validTill = null;
+                if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+                    validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
                 } else {
-                    props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
-                    props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
+                    validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
                 }
-                    
-                int hash = Arrays.hashCode(signatureValue);
-                securityToken.setTokenHash(hash);
-                String identifier = Integer.toString(hash);
-                tokenParameters.getTokenStore().add(identifier, securityToken);
+                
+                SecurityToken securityToken = 
+                    CacheUtils.createSecurityTokenForStorage(token, assertion.getId(), 
+                        validTill.toDate(), tokenParameters.getPrincipal(), tokenParameters.getRealm(),
+                        tokenParameters.getTokenRequirements().getRenewing());
+                CacheUtils.storeTokenInCache(
+                    securityToken, tokenParameters.getTokenStore(), signatureValue);
             }
             
             TokenProviderResponse response = new TokenProviderResponse();
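Review bot: The new expiry derivation at `validTill = assertion.getSaml2().getConditions().getNotOnOrAfter()` (and the SAML 1.1 branch below it) dereferences `getConditions()` and then `validTill.toDate()` with no null check, whereas the replaced code computed `expires` from `conditionsProvider.getLifetime()` and could not fail here. If an assertion can be built without a Conditions element or without NotOnOrAfter — I cannot tell from this hunk whether the provider always sets one — issuance would now throw after signing instead of merely skipping the cache. A guard such as `if (validTill == null) { LOG.fine("No NotOnOrAfter on assertion, not caching"); } else { ...store... }` would preserve the previous failure mode; if Conditions are guaranteed elsewhere, a comment saying so next to the `if` would save the next reader the same question. The import hunks above remove `Date`/`Arrays`/`Properties`/`Renewing` but add nothing for `DateTime` or `SAMLVersion`, so those are presumably already imported further down the import list. The enclosing method starts outside the hunk.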

http://git-wip-us.apache.org/repos/asf/cxf/blob/6155656f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
index 8455bda..021ceb3 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
@@ -42,9 +42,9 @@ import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.SignatureProperties;
+import org.apache.cxf.sts.cache.CacheUtils;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.ReceivedToken.STATE;
-import org.apache.cxf.sts.request.Renewing;
 import org.apache.cxf.sts.token.provider.ConditionsProvider;
 import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
 import org.apache.cxf.sts.token.provider.TokenProviderParameters;
@@ -590,38 +590,12 @@ public class SAMLTokenRenewer implements TokenRenewer {
                 validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
             }
 
-            SecurityToken securityToken = new SecurityToken(assertion.getId(), null, validTill.toDate());
-            securityToken.setToken(assertion.getElement());
-            securityToken.setPrincipal(principal);
-            
-            Properties props = new Properties();
-            String tokenRealm = tokenParameters.getRealm();
-            if (tokenRealm != null) {
-                props.setProperty(STSConstants.TOKEN_REALM, tokenRealm);
-            }
-            
-            // Handle Renewing logic
-            Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
-            if (renewing != null) {
-                props.put(
-                    STSConstants.TOKEN_RENEWING_ALLOW, 
-                    String.valueOf(renewing.isAllowRenewing())
-                );
-                props.put(
-                    STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, 
-                    String.valueOf(renewing.isAllowRenewingAfterExpiry())
-                );
-            } else {
-                props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW, "true");
-                props.setProperty(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
-            }
-            
-            securityToken.setProperties(props);
-
-            int hash = Arrays.hashCode(signatureValue);
-            securityToken.setTokenHash(hash);
-            String identifier = Integer.toString(hash);
-            tokenStore.add(identifier, securityToken);
+            SecurityToken securityToken = 
+                CacheUtils.createSecurityTokenForStorage(assertion.getElement(), assertion.getId(),

+                    validTill.toDate(), tokenParameters.getPrincipal(), tokenParameters.getRealm(),
+                    tokenParameters.getTokenRequirements().getRenewing());
+            CacheUtils.storeTokenInCache(
+                securityToken, tokenParameters.getTokenStore(), signatureValue);
         }
     }
 
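Review bot: The removed lines used the locals `principal` (in `securityToken.setPrincipal(principal)`) and `tokenStore` (in `tokenStore.add(identifier, securityToken)`), both declared above the hunk, while the replacement passes `tokenParameters.getPrincipal()` and `tokenParameters.getTokenStore()`; if either local was derived from something other than `tokenParameters` — for instance the principal carried by the assertion being renewed — the principal recorded against the renewed token in the cache changes silently. Worth confirming they are the same values, or otherwise passing the locals through: `CacheUtils.createSecurityTokenForStorage(assertion.getElement(), assertion.getId(), validTill.toDate(), principal, tokenParameters.getRealm(), tokenParameters.getTokenRequirements().getRenewing());` and `CacheUtils.storeTokenInCache(securityToken, tokenStore, signatureValue);`. The enclosing method starts outside the hunk.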

