cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: Some work on replay tokens etc.
Date Tue, 22 Jul 2014 14:55:24 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master e057f3413 -> db7b4ea76


Some work on replay tokens etc.


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/db7b4ea7
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/db7b4ea7
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/db7b4ea7

Branch: refs/heads/master
Commit: db7b4ea76b85c52b59bf0acfe8e39cb7070ff325
Parents: e057f34
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Jul 22 15:54:59 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Jul 22 15:54:59 2014 +0100

----------------------------------------------------------------------
 .../fediz/core/config/FederationProtocol.java   | 18 ------
 .../apache/cxf/fediz/core/config/Protocol.java  | 15 +++++
 .../cxf/fediz/core/metadata/MetadataWriter.java | 67 +++++++++-----------
 .../core/processor/AbstractFedizProcessor.java  | 30 +++++++++
 .../core/processor/FederationProcessorImpl.java | 34 ++--------
 .../fediz/core/processor/SAMLProcessorImpl.java | 16 +++--
 .../src/main/resources/schemas/FedizConfig.xsd  |  2 +-
 7 files changed, 93 insertions(+), 89 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
index 17d749f..4809a34 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
@@ -19,14 +19,9 @@
 
 package org.apache.cxf.fediz.core.config;
 
-import java.util.ArrayList;
-import java.util.List;
-
 import javax.security.auth.callback.CallbackHandler;
 
 import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
-import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
-import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
 import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
 import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
 import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
@@ -183,19 +178,6 @@ public class FederationProtocol extends Protocol {
         getFederationProtocol().setReply(value);
     }
 
-    public List<Claim> getClaimTypesRequested() {
-        ClaimTypesRequested claimsRequested = getFederationProtocol().getClaimTypesRequested();
-        List<Claim> claims = new ArrayList<Claim>();
-        for (ClaimType c:claimsRequested.getClaimType()) {
-            claims.add(new Claim(c));
-        }
-        return claims;
-    }
-
-    public void setClaimTypesRequested(ClaimTypesRequested value) {
-        getFederationProtocol().setClaimTypesRequested(value);
-    }
-
     public String getVersion() {
         return getFederationProtocol().getVersion();
     }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index 362ae94..c9ff7ae 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -27,6 +27,8 @@ import javax.security.auth.callback.CallbackHandler;
 import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.jaxb.ArgumentType;
 import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
+import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
+import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
 import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
 import org.apache.cxf.fediz.core.util.ClassLoaderUtils;
 import org.slf4j.Logger;
@@ -176,4 +178,17 @@ public abstract class Protocol {
         }
     }
 
+    public List<Claim> getClaimTypesRequested() {
+        ClaimTypesRequested claimsRequested = getProtocolType().getClaimTypesRequested();
+        List<Claim> claims = new ArrayList<Claim>();
+        for (ClaimType c : claimsRequested.getClaimType()) {
+            claims.add(new Claim(c));
+        }
+        return claims;
+    }
+
+    public void setClaimTypesRequested(ClaimTypesRequested value) {
+        getProtocolType().setClaimTypesRequested(value);
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index c3c97ed..f7ef25c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -115,49 +115,43 @@ public class MetadataWriter {
             writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
             writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
 
-            if (protocol instanceof FederationProtocol) {
-                FederationProtocol fedprotocol = (FederationProtocol)protocol;
-                
-                Object realmObj = fedprotocol.getRealm();
-                String realm = null;
-                if (realmObj instanceof String) {
-                    realm = (String)realmObj;
-                } else if (realmObj instanceof CallbackHandler) {
-                    //TODO
-                    //If realm is resolved at runtime, metadata not updated
-                }
-                
-                if (!(realm == null || "".equals(realm))) {
-                    writer.writeCharacters(realm);
-                }
+            Object realmObj = protocol.getRealm();
+            String realm = null;
+            if (realmObj instanceof String) {
+                realm = (String)realmObj;
+            } else if (realmObj instanceof CallbackHandler) {
+                //TODO
+                //If realm is resolved at runtime, metadata not updated
             }
+
+            if (!(realm == null || "".equals(realm))) {
+                writer.writeCharacters(realm);
+            }
+            
             // writer.writeCharacters("http://host:port/url from config");
             writer.writeEndElement(); // Address
             writer.writeEndElement(); // EndpointReference
             writer.writeEndElement(); // TargetScope
 
-            if (protocol instanceof FederationProtocol) {
-                FederationProtocol fedprotocol = (FederationProtocol)protocol;
-                List<Claim> claims = fedprotocol.getClaimTypesRequested();
-                if (claims != null && claims.size() > 0) {
+            List<Claim> claims = protocol.getClaimTypesRequested();
+            if (claims != null && claims.size() > 0) {
 
-                    // create ClaimsType section
-                    writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
-                    for (Claim claim : claims) {
+                // create ClaimsType section
+                writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
+                for (Claim claim : claims) {
 
-                        writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
-                        writer.writeAttribute("Uri", claim.getType());
-                        if (claim.isOptional()) {
-                            writer.writeAttribute("Optional", "true");
-                        } else {
-                            writer.writeAttribute("Optional", "false");
-                        }
+                    writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
+                    writer.writeAttribute("Uri", claim.getType());
+                    if (claim.isOptional()) {
+                        writer.writeAttribute("Optional", "true");
+                    } else {
+                        writer.writeAttribute("Optional", "false");
+                    }
 
-                        writer.writeEndElement(); // ClaimType
+                    writer.writeEndElement(); // ClaimType
 
-                    }
-                    writer.writeEndElement(); // ClaimsTypeRequested
                 }
+                writer.writeEndElement(); // ClaimsTypeRequested
             }
             // create sign in endpoint section
 
@@ -165,12 +159,9 @@ public class MetadataWriter {
             writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
             writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
 
-            if (protocol instanceof FederationProtocol) {
-                FederationProtocol fedprotocol = (FederationProtocol)protocol;
-                Object issuer = fedprotocol.getIssuer();
-                if (issuer instanceof String && !"".equals(issuer)) {
-                    writer.writeCharacters((String)issuer);
-                }
+            Object issuer = protocol.getIssuer();
+            if (issuer instanceof String && !"".equals(issuer)) {
+                writer.writeCharacters((String)issuer);
             }
 
             // writer.writeCharacters("http://host:port/url Issuer from config");

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
index cceab0c..fa7e49d 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
@@ -22,6 +22,7 @@ package org.apache.cxf.fediz.core.processor;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Date;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -29,10 +30,16 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
 import org.apache.cxf.fediz.core.spi.IDPCallback;
 import org.apache.cxf.fediz.core.spi.RealmCallback;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public abstract class AbstractFedizProcessor implements FedizProcessor {
+    
+    private static final Logger LOG = LoggerFactory.getLogger(AbstractFedizProcessor.class);
 
     protected String resolveIssuer(HttpServletRequest request, FedizContext config) throws
IOException,
         UnsupportedCallbackException {
@@ -67,6 +74,29 @@ public abstract class AbstractFedizProcessor implements FedizProcessor
{
         }
         return wtRealm;
     }
+    
+    protected void testForReplayAttack(String tokenId, FedizContext config, Date expires)

+        throws ProcessingException {
+        // Check whether token already used for signin
+        if (tokenId != null && config.isDetectReplayedTokens()) {
+            // Check whether token has already been processed once, prevent
+            // replay attack
+            if (!config.getTokenReplayCache().contains(tokenId)) {
+                // not cached
+                if (expires != null) {
+                    Date currentTime = new Date();
+                    long ttl = expires.getTime() - currentTime.getTime();
+                    config.getTokenReplayCache().add(tokenId, ttl / 1000L);
+                } else {
+                    config.getTokenReplayCache().add(tokenId);
+                }
+            } else {
+                LOG.error("Replay attack with token id: " + tokenId);
+                throw new ProcessingException("Replay attack with token id: "
+                        + tokenId, TYPE.TOKEN_REPLAY);
+            }
+        }
+    }
 
     protected String extractFullContextPath(HttpServletRequest request) throws MalformedURLException
{
         String result = null;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 3bf4a93..370e1c7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -194,40 +194,18 @@ public class FederationProcessorImpl extends AbstractFedizProcessor
{
             validateToken(rst, tt, config, request.getCerts());
 
         // Check whether token already used for signin
-        if (validatorResponse.getUniqueTokenId() != null
-                && config.isDetectReplayedTokens()) {
-            // Check whether token has already been processed once, prevent
-            // replay attack
-            if (!config.getTokenReplayCache().contains(validatorResponse.getUniqueTokenId()))
{
-                // not cached
-                Date expires = null;
-                if (lifeTime != null && lifeTime.getExpires() != null) {
-                    expires = lifeTime.getExpires();
-                } else {
-                    expires = validatorResponse.getExpires();
-                }
-                if (expires != null) {
-                    Date currentTime = new Date();
-                    long ttl = expires.getTime() - currentTime.getTime();
-                    config.getTokenReplayCache().add(validatorResponse.getUniqueTokenId(),
ttl / 1000L);
-                } else {
-                    config.getTokenReplayCache().add(validatorResponse.getUniqueTokenId());
-                }
-            } else {
-                LOG.error("Replay attack with token id: " + validatorResponse.getUniqueTokenId());
-                throw new ProcessingException("Replay attack with token id: "
-                        + validatorResponse.getUniqueTokenId(), TYPE.TOKEN_REPLAY);
-            }
+        Date expires = null;
+        if (lifeTime != null && lifeTime.getExpires() != null) {
+            expires = lifeTime.getExpires();
+        } else {
+            expires = validatorResponse.getExpires();
         }
+        testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
 
         Date created = validatorResponse.getCreated();
         if (lifeTime != null && lifeTime.getCreated() != null) {
             created = lifeTime.getCreated();
         }
-        Date expires = validatorResponse.getExpires();
-        if (lifeTime != null && lifeTime.getExpires() != null) {
-            expires = lifeTime.getExpires();
-        }
         
         FedizResponse fedResponse = new FedizResponse(
                 validatorResponse.getUsername(), validatorResponse.getIssuer(),

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index a57393d..73404d7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -178,6 +178,10 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
         // Validate the Response
         validateSamlResponseProtocol((org.opensaml.saml2.core.Response)responseObject, config);
         
+        SSOValidatorResponse ssoValidatorResponse = 
+            validateSamlSSOResponse((org.opensaml.saml2.core.Response)responseObject, 
+                                request.getRequest(), requestState, config);
+        
         // Validate the internal assertion(s)
         TokenValidatorResponse validatorResponse = null;
         List<Element> assertions = 
@@ -210,15 +214,19 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             }
         }
         
-        validateSamlSSOResponse((org.opensaml.saml2.core.Response)responseObject, 
-                                request.getRequest(), requestState, config);
+        // Check whether token already used for signin
+        Date expires = validatorResponse.getExpires();
+        if (expires == null) {
+            expires = ssoValidatorResponse.getSessionNotOnOrAfter();
+        }
+        testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
         
         FedizResponse fedResponse = new FedizResponse(
                 validatorResponse.getUsername(), validatorResponse.getIssuer(),
                 validatorResponse.getRoles(), validatorResponse.getClaims(),
                 validatorResponse.getAudience(),
                 validatorResponse.getCreated(),
-                validatorResponse.getExpires(),
+                expires,
                 token,
                 validatorResponse.getUniqueTokenId());
 
@@ -314,7 +322,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
                                                          redirectURL,
                                                          authnRequest.getID(),
                                                          realm,
-                                                         config.getName(),
+                                                         authnRequest.getIssuer().getValue(),
                                                          webAppDomain,
                                                          System.currentTimeMillis());
             

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 750ec31..7c7b91c 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -99,7 +99,6 @@
 					<xs:element ref="reply" />
 					<xs:element ref="request" />
 					<xs:element ref="signInQuery" />
-					<xs:element ref="claimTypesRequested" />
 					<xs:element ref="applicationServiceURL" />
 				</xs:sequence>
 				<xs:attribute name="version" use="required" type="xs:string" />
@@ -137,6 +136,7 @@
 	    <xs:sequence>
 	        <xs:element ref="roleDelimiter" />
 	        <xs:element ref="roleURI" />
+	        <xs:element ref="claimTypesRequested" />
 	        <xs:element ref="issuer" />
 	        <xs:element ref="realm" />
 	        <xs:element ref="tokenValidators" />


Mime
View raw message