cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: [[CXF-5885] - Validate "ActAs" tokens in the STS
Date Thu, 17 Jul 2014 10:00:31 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 10c0903e2 -> 09faa0fca


[[CXF-5885] - Validate "ActAs" tokens in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/09faa0fc
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/09faa0fc
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/09faa0fc

Branch: refs/heads/master
Commit: 09faa0fca96a93c2b943b4ce3a559ed807f37dca
Parents: 10c0903
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Jul 17 11:00:01 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Jul 17 11:00:01 2014 +0100

----------------------------------------------------------------------
 .../cxf/sts/operation/TokenIssueOperation.java  | 81 +++++++++++---------
 1 file changed, 45 insertions(+), 36 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/09faa0fc/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
index 17bf7a1..d4405d5 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
@@ -152,46 +152,15 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
             // Validate OnBehalfOf token if present
             if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
                 ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
-                TokenValidatorResponse tokenResponse = validateReceivedToken(
-                        context, realm, tokenRequirements, validateTarget);
-    
-                if (tokenResponse == null) {
-                    LOG.fine("No Token Validator has been found that can handle this token");
-                } else if (validateTarget.getState().equals(STATE.INVALID)) {
-                    throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
-                } else if (validateTarget.getState().equals(STATE.VALID)) {
-                    processValidToken(providerParameters, validateTarget, tokenResponse);

-                } else {
-                    //[TODO] Add plugin for validation out-of-band
-                    // Example:
-                    // If the requestor is in the possession of a certificate (mutual ssl
handshake)
-                    // the STS trusts the token sent in OnBehalfOf element
-                }
-                
-                Principal tokenPrincipal = null;
-                Set<Principal> tokenRoles = null;
-                
-                if (tokenResponse != null) {
-                    Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
-                    if (additionalProperties != null) {
-                        providerParameters.setAdditionalProperties(additionalProperties);
-                    }
-                    tokenPrincipal = tokenResponse.getPrincipal();
-                    tokenRoles = tokenResponse.getRoles();
-                }
-                
-                // See whether OnBehalfOf is allowed or not
-                performDelegationHandling(requestParser, context,
-                                    providerParameters.getTokenRequirements().getOnBehalfOf(),
-                                    tokenPrincipal, tokenRoles);
+                handleDelegationToken(validateTarget, providerParameters, context, 
+                                      realm, tokenRequirements, requestParser);
             }
             
             // See whether ActAs is allowed or not
-            // TODO Validate ActAs
             if (providerParameters.getTokenRequirements().getActAs() != null) {
-                performDelegationHandling(requestParser, context,
-                                    providerParameters.getTokenRequirements().getActAs(),
-                                    null, null);
+                ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
+                handleDelegationToken(validateTarget, providerParameters, context, 
+                                      realm, tokenRequirements, requestParser);
             }
     
             // create token
@@ -247,6 +216,46 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
             throw ex;
         }
     }
+    
+    private void handleDelegationToken(
+        ReceivedToken validateTarget,
+        TokenProviderParameters providerParameters,
+        WebServiceContext context,
+        String realm,
+        TokenRequirements tokenRequirements,
+        RequestParser requestParser
+    ) {
+        TokenValidatorResponse tokenResponse = validateReceivedToken(
+                context, realm, tokenRequirements, validateTarget);
+
+        if (tokenResponse == null) {
+            LOG.fine("No Token Validator has been found that can handle this token");
+        } else if (validateTarget.getState().equals(STATE.INVALID)) {
+            throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
+        } else if (validateTarget.getState().equals(STATE.VALID)) {
+            processValidToken(providerParameters, validateTarget, tokenResponse); 
+        } else {
+            //[TODO] Add plugin for validation out-of-band
+            // Example:
+            // If the requestor is in the possession of a certificate (mutual ssl handshake)
+            // the STS trusts the token sent in OnBehalfOf element
+        }
+        
+        Principal tokenPrincipal = null;
+        Set<Principal> tokenRoles = null;
+        
+        if (tokenResponse != null) {
+            Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
+            if (additionalProperties != null) {
+                providerParameters.setAdditionalProperties(additionalProperties);
+            }
+            tokenPrincipal = tokenResponse.getPrincipal();
+            tokenRoles = tokenResponse.getRoles();
+        }
+        
+        // See whether OnBehalfOf/ActAs is allowed or not
+        performDelegationHandling(requestParser, context, validateTarget, tokenPrincipal,
tokenRoles);
+    }
 
     private RequestSecurityTokenResponseType createResponse(
             EncryptionProperties encryptionProperties,


Mime
View raw message