From cohei...@apache.org
Subject [2/2] git commit: [[CXF-5885] - Validate "ActAs" tokens in the STS
Date Thu, 17 Jul 2014 10:11:28 GMT
[[CXF-5885] - Validate "ActAs" tokens in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0ebf9dd2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0ebf9dd2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0ebf9dd2

Branch: refs/heads/2.7.x-fixes
Commit: 0ebf9dd24d956a9a1a8865a0e77317e23e110f5e
Parents: 1bd129b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Jul 17 11:00:01 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Jul 17 11:01:12 2014 +0100

----------------------------------------------------------------------
 .../cxf/sts/operation/TokenIssueOperation.java  | 81 +++++++++++---------
 1 file changed, 45 insertions(+), 36 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/0ebf9dd2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
index 030acae..c77c179 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
@@ -149,46 +149,15 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
             // Validate OnBehalfOf token if present
             if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
                 ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
-                TokenValidatorResponse tokenResponse = validateReceivedToken(
-                        context, realm, tokenRequirements, validateTarget);
-    
-                if (tokenResponse == null) {
-                    LOG.fine("No Token Validator has been found that can handle this token");
-                } else if (validateTarget.getState().equals(STATE.INVALID)) {
-                    throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
-                } else if (validateTarget.getState().equals(STATE.VALID)) {
-                    processValidToken(providerParameters, validateTarget, tokenResponse);

-                } else {
-                    //[TODO] Add plugin for validation out-of-band
-                    // Example:
-                    // If the requestor is in the possession of a certificate (mutual ssl
handshake)
-                    // the STS trusts the token sent in OnBehalfOf element
-                }
-                
-                Principal tokenPrincipal = null;
-                Set<Principal> tokenRoles = null;
-                
-                if (tokenResponse != null) {
-                    Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
-                    if (additionalProperties != null) {
-                        providerParameters.setAdditionalProperties(additionalProperties);
-                    }
-                    tokenPrincipal = tokenResponse.getPrincipal();
-                    tokenRoles = tokenResponse.getRoles();
-                }
-                
-                // See whether OnBehalfOf is allowed or not
-                performDelegationHandling(requestParser, context,
-                                    providerParameters.getTokenRequirements().getOnBehalfOf(),
-                                    tokenPrincipal, tokenRoles);
+                handleDelegationToken(validateTarget, providerParameters, context, 
+                                      realm, tokenRequirements, requestParser);
             }
             
             // See whether ActAs is allowed or not
-            // TODO Validate ActAs
             if (providerParameters.getTokenRequirements().getActAs() != null) {
-                performDelegationHandling(requestParser, context,
-                                    providerParameters.getTokenRequirements().getActAs(),
-                                    null, null);
+                ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
+                handleDelegationToken(validateTarget, providerParameters, context, 
+                                      realm, tokenRequirements, requestParser);
             }
     
             // create token
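Review bot: The header comment of the ActAs block, `// See whether ActAs is allowed or not`, no longer describes what the block does: it now validates the ActAs token first and only then performs the delegation check, exactly like the OnBehalfOf block above it, whose header reads `// Validate OnBehalfOf token if present`. Change it to `// Validate ActAs token if present` so the two blocks read in parallel and the validation step is not hidden behind a comment that only mentions the delegation check. The enclosing issue method starts and ends outside this hunk.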
@@ -244,6 +213,46 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
             throw ex;
         }
     }
+    
+    private void handleDelegationToken(
+        ReceivedToken validateTarget,
+        TokenProviderParameters providerParameters,
+        WebServiceContext context,
+        String realm,
+        TokenRequirements tokenRequirements,
+        RequestParser requestParser
+    ) {
+        TokenValidatorResponse tokenResponse = validateReceivedToken(
+                context, realm, tokenRequirements, validateTarget);
+
+        if (tokenResponse == null) {
+            LOG.fine("No Token Validator has been found that can handle this token");
+        } else if (validateTarget.getState().equals(STATE.INVALID)) {
+            throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
+        } else if (validateTarget.getState().equals(STATE.VALID)) {
+            processValidToken(providerParameters, validateTarget, tokenResponse); 
+        } else {
+            //[TODO] Add plugin for validation out-of-band
+            // Example:
+            // If the requestor is in the possession of a certificate (mutual ssl handshake)
+            // the STS trusts the token sent in OnBehalfOf element
+        }
+        
+        Principal tokenPrincipal = null;
+        Set<Principal> tokenRoles = null;
+        
+        if (tokenResponse != null) {
+            Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
+            if (additionalProperties != null) {
+                providerParameters.setAdditionalProperties(additionalProperties);
+            }
+            tokenPrincipal = tokenResponse.getPrincipal();
+            tokenRoles = tokenResponse.getRoles();
+        }
+        
+        // See whether OnBehalfOf/ActAs is allowed or not
+        performDelegationHandling(requestParser, context, validateTarget, tokenPrincipal,
tokenRoles);
+    }
 
     private RequestSecurityTokenResponseType createResponse(
             EncryptionProperties encryptionProperties,
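Review bot: handleDelegationToken still lets a delegation token through when nobody validated it — when validateReceivedToken returns null the method logs at FINE and then calls performDelegationHandling with a null principal and null roles, and the final else branch (state neither VALID nor INVALID) takes the same path, so whether an unvalidated ActAs/OnBehalfOf token is rejected rests entirely on how performDelegationHandling treats a null principal, which is not visible here. If the intent of CXF-5885 is that delegation tokens are always validated, consider failing closed in that branch, e.g. `if (tokenResponse == null) { throw new STSException("No Token Validator found for the delegation token", STSException.REQUEST_FAILED); }`, or at least log above FINE so the fall-through is visible in operations. The TODO comment copied into the else branch still says "the STS trusts the token sent in OnBehalfOf element" although the method now also serves ActAs; update it to `// the STS trusts the token sent in the OnBehalfOf/ActAs element`. The new private method also has no Javadoc; a one-line summary saying it validates a delegation (OnBehalfOf or ActAs) token, copies the validator's additional properties into providerParameters, and then checks whether delegation is permitted would make the fall-through behaviour explicit for the next maintainer.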

