From cohei...@apache.org
Subject [2/2] git commit: Large refactor to support WS-Federation with the CXF plugin
Date Mon, 01 Sep 2014 13:14:29 GMT
Large refactor to support WS-Federation with the CXF plugin


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/7078bdc7
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/7078bdc7
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/7078bdc7

Branch: refs/heads/master
Commit: 7078bdc7f42960bf752814e5cc2924ee697e8f72
Parents: 33241a6
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Sep 1 14:14:05 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Sep 1 14:14:05 2014 +0100

----------------------------------------------------------------------
 .../org/apache/cxf/fediz/core/RequestState.java | 44 ++++++++++++--
 .../cxf/fediz/core/config/SAMLProtocol.java     | 20 -------
 .../core/processor/FederationProcessorImpl.java | 18 +++++-
 .../fediz/core/processor/SAMLProcessorImpl.java | 36 ++++--------
 .../src/main/resources/schemas/FedizConfig.xsd  |  4 --
 .../cxf/fediz/core/samlsso/SAMLRequestTest.java |  1 -
 .../plugin/AbstractServiceProviderFilter.java   | 37 ++++++++----
 .../cxf/plugin/FedizRedirectBindingFilter.java  | 62 +++++++++++++++-----
 .../fediz/cxf/plugin/state/ResponseState.java   | 10 ++--
 9 files changed, 145 insertions(+), 87 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
index 2a54a61..cfe761f 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
@@ -35,9 +35,9 @@ public class RequestState implements Serializable {
     private String requestId;
     private String issuerId;
     private String webAppContext;
-    private String webAppDomain;
     private long createdAt;
     private String state;
+    private String webAppDomain;
  
     public RequestState() {
         
@@ -52,16 +52,44 @@ public class RequestState implements Serializable {
                         String webAppDomain,
                         String state,
                         long createdAt) {
+        setTargetAddress(targetAddress);
+        setIdpServiceAddress(idpServiceAddress);
+        setRequestId(requestId);
+        setIssuerId(issuerId);
+        setWebAppContext(webAppContext);
+        setWebAppDomain(webAppDomain);
+        setState(state);
+        setCreatedAt(createdAt);
+    }
+
+    
+    public void setTargetAddress(String targetAddress) {
         this.targetAddress = targetAddress;
+    }
+
+    public void setIdpServiceAddress(String idpServiceAddress) {
         this.idpServiceAddress = idpServiceAddress;
+    }
+
+    public void setRequestId(String requestId) {
         this.requestId = requestId;
+    }
+
+    public void setIssuerId(String issuerId) {
         this.issuerId = issuerId;
+    }
+
+    public void setWebAppContext(String webAppContext) {
         this.webAppContext = webAppContext;
-        this.webAppDomain = webAppDomain;
-        this.state  = state;
+    }
+
+    public void setCreatedAt(long createdAt) {
         this.createdAt = createdAt;
     }
-    // CHECKSTYLE:ON
+
+    public void setState(String state) {
+        this.state = state;
+    }
 
     public String getTargetAddress() {
         return targetAddress;
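Review bot: The constructor (its signature begins before this hunk) now initialises every field through public, non-final setters on a non-final class, so a subclass that overrides e.g. `setState` would run before its own fields are initialised. Either keep the direct field assignments in the constructor, or declare the setters `final`. The dropped `// CHECKSTYLE:ON` also looks like it leaves a matching `// CHECKSTYLE:OFF` above the constructor (outside the hunk) unclosed, which would disable checks for the remainder of the file — worth confirming.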
@@ -86,13 +114,17 @@ public class RequestState implements Serializable {
     public String getWebAppContext() {
         return webAppContext;
     }
+    
+    public String getState() {
+        return state;
+    }
 
     public String getWebAppDomain() {
         return webAppDomain;
     }
 
-    public String getState() {
-        return state;
+    public void setWebAppDomain(String webAppDomain) {
+        this.webAppDomain = webAppDomain;
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index 377c71d..adeb1f6 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -60,26 +60,6 @@ public class SAMLProtocol extends Protocol {
         getSAMLProtocol().setSignRequest(signRequest);
     }
     
-    public String getWebAppDomain() {
-        return getSAMLProtocol().getWebAppDomain();
-    }
-    
-    public void setWebAppDomain(String webAppDomain) {
-        getSAMLProtocol().setWebAppDomain(webAppDomain);
-    }
-    
-    public long getStateTimeToLive() {
-        long ttl = getSAMLProtocol().getStateTimeToLive();
-        if (ttl > 0) {
-            return ttl;
-        }
-        return 2L * 60L * 1000L;
-    }
-    
-    public void setStateTimeToLive(long stateTimeToLive) {
-        getSAMLProtocol().setStateTimeToLive(stateTimeToLive);
-    }
-
     public AuthnRequestBuilder getAuthnRequestBuilder() {
         if (authnRequestBuilder != null) {
             return authnRequestBuilder;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index c4df1a6..a614e62 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -32,6 +32,7 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -41,6 +42,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.RequestState;
 import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.TokenValidatorRequest;
 import org.apache.cxf.fediz.core.TokenValidatorResponse;
@@ -348,6 +350,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
         throws ProcessingException {
 
         String redirectURL = null;
+        RequestState requestState = null;
         try {
             if (!(config.getProtocol() instanceof FederationProtocol)) {
                 LOG.error("Unsupported protocol");
@@ -375,7 +378,15 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
             String signInQuery = resolveSignInQuery(request, config);
             LOG.info("SignIn Query: " + signInQuery);
             
-             
+            String wctx = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+            String requestURL = request.getRequestURL().toString();
+           
+            requestState = new RequestState();
+            requestState.setTargetAddress(requestURL);
+            requestState.setIdpServiceAddress(redirectURL);
+            requestState.setState(wctx);
+            requestState.setCreatedAt(System.currentTimeMillis());
+
             StringBuilder sb = new StringBuilder();
             sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNIN);
             
@@ -436,6 +447,10 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
             sb.append('&').append(FederationConstants.PARAM_CURRENT_TIME).append('=')
             .append(URLEncoder.encode(wct, "UTF-8"));
             
+            LOG.debug("wctx=" + wctx);
+            sb.append('&').append(FederationConstants.PARAM_CONTEXT).append('=');
+            sb.append(URLEncoder.encode(wctx, "UTF-8"));
+            
             // add signin query extensions
             if (signInQuery != null && signInQuery.length() > 0) {
                 sb.append('&').append(signInQuery);
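Review bot: `wctx` is URL-encoded twice: once when it is created from the UUID in the previous hunk (`String wctx = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");`) and again at the `PARAM_CONTEXT` append here. A UUID string is only hex digits and hyphens, so both calls are no-ops today, but the value handed to `RequestState.setState` is the encoded form, so the later lookup by the decoded `wctx` parameter would break silently if the generator ever changed. Create it as `String wctx = UUID.randomUUID().toString();` and keep the single encode at the append. The enclosing method starts and ends outside these hunks.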
@@ -449,6 +464,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
         
         RedirectionResponse response = new RedirectionResponse();
         response.setRedirectionURL(redirectURL);
+        response.setRequestState(requestState);
         return response;
     }
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 1546cc2..304b6cb 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -50,7 +50,6 @@ import org.apache.cxf.fediz.core.samlsso.CompressionUtils;
 import org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator;
 import org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator;
 import org.apache.cxf.fediz.core.samlsso.SSOValidatorResponse;
-import org.apache.cxf.fediz.core.util.CookieUtils;
 import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -104,9 +103,9 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
     }
     
     private RequestState processRelayState(
-        String relayState, RequestState requestState, SAMLProtocol samlProtocol
+        String relayState, RequestState requestState
     ) throws ProcessingException {
-        if (relayState.getBytes().length < 0 || relayState.getBytes().length > 80)
{
+        if (relayState.getBytes().length <= 0 || relayState.getBytes().length > 80)
{
             LOG.error("Invalid RelayState");
             throw new ProcessingException(TYPE.INVALID_REQUEST);
         }
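Review bot: The corrected length check still dereferences `relayState` before a null value can be reported, and `getBytes()` without a charset measures the 80-byte RelayState limit in the platform default encoding. Prefer `if (relayState == null || relayState.isEmpty() || relayState.getBytes(StandardCharsets.UTF_8).length > 80) {` (or `Charset.forName("UTF-8")` if the build still targets Java 6; either needs an import not visible in this hunk). Whether any caller can actually pass a null state here cannot be seen from the diff.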
@@ -114,11 +113,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             LOG.error("Missing Request State");
             throw new ProcessingException(TYPE.INVALID_REQUEST);
         }
-        if (CookieUtils.isStateExpired(requestState.getCreatedAt(), 0, 
-                                       samlProtocol.getStateTimeToLive())) {
-            LOG.error("EXPIRED_REQUEST_STATE");
-            throw new ProcessingException(TYPE.INVALID_REQUEST);
-        }
         return requestState;
     }
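Review bot: Removing the expiry check from `processRelayState` moves TTL enforcement out of the core processor and into `FedizRedirectBindingFilter.validateSignInRequest` in this commit; any other consumer of `SAMLProcessorImpl` that supplies a `RequestState` (other container plugins, if they use this path) no longer gets a freshness check unless it performs one itself. A comment on the method stating that contract, e.g. `// Freshness (TTL) of the RequestState is the caller's responsibility; see the plugin filter`, would make it explicit, and the same applies to the `Set-Cookie` header removed in the later hunk of this file. The method's signature lies before this hunk.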
     
@@ -127,7 +121,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
         throws ProcessingException {
         SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
         RequestState requestState = 
-            processRelayState(request.getState(), request.getRequestState(), protocol);
+            processRelayState(request.getState(), request.getRequestState());
         
         InputStream tokenStream = null;
         try {
@@ -304,16 +298,15 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
             String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
             
-            String webAppDomain = ((SAMLProtocol)config.getProtocol()).getWebAppDomain();
             String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
-            RequestState requestState = new RequestState(requestURL,
-                                                         redirectURL,
-                                                         authnRequest.getID(),
-                                                         realm,
-                                                         authnRequest.getIssuer().getValue(),
-                                                         webAppDomain,
-                                                         relayState,
-                                                         System.currentTimeMillis());
+            RequestState requestState = new RequestState();
+            requestState.setTargetAddress(requestURL);
+            requestState.setIdpServiceAddress(redirectURL);
+            requestState.setRequestId(authnRequest.getID());
+            requestState.setIssuerId(realm);
+            requestState.setWebAppContext(authnRequest.getIssuer().getValue());
+            requestState.setState(relayState);
+            requestState.setCreatedAt(System.currentTimeMillis());
             
             String urlEncodedRequest = 
                 URLEncoder.encode(authnRequestEncoded, "UTF-8");
@@ -327,14 +320,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
                 sb.append("&" + SAMLSSOConstants.SIGNATURE).append('=').append(signature);
             }
             
-            String contextCookie = CookieUtils.createCookie(SAMLSSOConstants.RELAY_STATE,
-                                                relayState,
-                                                request.getRequestURI(),
-                                                webAppDomain,
-                                                ((SAMLProtocol)config.getProtocol()).getStateTimeToLive());
-            
             RedirectionResponse response = new RedirectionResponse();
-            response.addHeader("Set-Cookie", contextCookie);
             response.addHeader("Cache-Control", "no-cache, no-store");
             response.addHeader("Pragma", "no-cache");
             response.setRequestState(requestState);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 367fbab..4d4c1f9 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -110,8 +110,6 @@
 			<xs:extension base="protocolType">
 				<xs:sequence>
 					<xs:element ref="signRequest" />
-					<xs:element ref="stateTimeToLive" />
-					<xs:element ref="webAppDomain" />
 					<xs:element ref="authnRequestBuilder"/>
 				</xs:sequence>
 				<xs:attribute name="version" use="required" type="xs:string" />
@@ -126,8 +124,6 @@
 	<xs:element name="metadataURI" type="xs:string" />
 
 	<xs:element name="signRequest" type="xs:boolean" />
-	<xs:element name="stateTimeToLive" type="xs:long" default="120000" />
-	<xs:element name="webAppDomain" type="xs:string" />
 	<xs:element name="authnRequestBuilder" type="xs:string" />
 	
 	<xs:complexType name="protocolType" abstract="true">

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index 1f93343..3cab944 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -119,7 +119,6 @@ public class SAMLRequestTest {
         Map<String, String> headers = response.getHeaders();
         Assert.assertNotNull(headers);
         Assert.assertFalse(headers.isEmpty());
-        Assert.assertTrue(headers.containsKey("Set-Cookie"));
         Assert.assertTrue("no-cache, no-store".equals(headers.get("Cache-Control")));
         Assert.assertTrue("no-cache".equals(headers.get("Pragma")));
     }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
index 3468216..b63d95c 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
@@ -39,11 +39,9 @@ import javax.xml.bind.JAXBException;
 import org.w3c.dom.Element;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.i18n.BundleUtils;
-import org.apache.cxf.fediz.core.SAMLSSOConstants;
 import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.util.CookieUtils;
 import org.apache.cxf.fediz.cxf.plugin.state.EHCacheSPStateManager;
 import org.apache.cxf.fediz.cxf.plugin.state.ResponseState;
@@ -62,6 +60,9 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
     
     public static final String SECURITY_CONTEXT_TOKEN = 
         "org.apache.fediz.SECURITY_TOKEN";
+    public static final String SECURITY_CONTEXT_STATE = 
+        "org.apache.fediz.SECURITY_CONTEXT_STATE";
+    
     protected static final ResourceBundle BUNDLE = 
         BundleUtils.getBundle(AbstractServiceProviderFilter.class);
     private static final Logger LOG = LoggerFactory.getLogger(AbstractServiceProviderFilter.class);
@@ -72,6 +73,8 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
     private FedizConfigurator configurator;
     private String configFile;
     private SPStateManager stateManager;
+    private long stateTimeToLive = 120000;
+    private String webAppDomain;
     
     public String getConfigFile() {
         return configFile;
@@ -142,12 +145,12 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
             return false;    
         }
         
-        Cookie relayStateCookie = cookies.get(SAMLSSOConstants.RELAY_STATE);
+        Cookie relayStateCookie = cookies.get(SECURITY_CONTEXT_STATE);
         if (relayStateCookie == null) {
             reportError("MISSING_RELAY_COOKIE");
             return false;
         }
-        String originalRelayState = responseState.getRelayState();
+        String originalRelayState = responseState.getState();
         if (!originalRelayState.equals(relayStateCookie.getValue())) {
             // perhaps the response state should also be removed
             reportError("INVALID_RELAY_STATE");
@@ -190,10 +193,6 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
             return null;
         }
         String contextKey = securityContextCookie.getValue();
-        
-        FedizContext fedizConfig = getFedizContext(m);
-        
-        SAMLProtocol protocol = (SAMLProtocol)fedizConfig.getProtocol();
         ResponseState responseState = stateManager.getResponseState(contextKey);
         
         if (responseState == null) {
@@ -202,16 +201,16 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
         }
         
         if (CookieUtils.isStateExpired(responseState.getCreatedAt(), responseState.getExpiresAt(),

-                                    protocol.getStateTimeToLive())) {
+                                    getStateTimeToLive())) {
             reportError("EXPIRED_RESPONSE_STATE");
             stateManager.removeResponseState(contextKey);
             return null;
         }
         
         String webAppContext = getWebAppContext(m);
-        if (protocol.getWebAppDomain() != null 
+        if (webAppDomain != null 
             && (responseState.getWebAppDomain() == null 
-                || !protocol.getWebAppDomain().equals(responseState.getWebAppDomain()))
+                || !webAppDomain.equals(responseState.getWebAppDomain()))
                 || responseState.getWebAppContext() == null
                 || !webAppContext.equals(responseState.getWebAppContext())) {
             stateManager.removeResponseState(contextKey);
@@ -288,4 +287,20 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
     public void setStateManager(SPStateManager stateManager) {
         this.stateManager = stateManager;
     }
+
+    public String getWebAppDomain() {
+        return webAppDomain;
+    }
+
+    public void setWebAppDomain(String webAppDomain) {
+        this.webAppDomain = webAppDomain;
+    }
+
+    public long getStateTimeToLive() {
+        return stateTimeToLive;
+    }
+
+    public void setStateTimeToLive(long stateTimeToLive) {
+        this.stateTimeToLive = stateTimeToLive;
+    }
 }
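Review bot: `setStateTimeToLive` accepts any value, whereas the `SAMLProtocol.getStateTimeToLive()` it replaces (removed in this commit) fell back to two minutes when the configured value was not positive; a zero or negative TTL set through this property now reaches `CookieUtils.isStateExpired` and the cookie builder unchecked. Reject it: `if (stateTimeToLive <= 0) { throw new IllegalArgumentException("stateTimeToLive must be positive (ms): " + stateTimeToLive); }`. These four accessors are now the only way to configure the domain and TTL, so a Javadoc on each (unit in milliseconds; that the domain is compared against the stored `ResponseState` domain) would replace the removed FedizConfig.xsd elements as the place an integrator learns about them.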

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index a10ed5d..c927588 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -44,6 +44,7 @@ import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
 import org.apache.cxf.fediz.core.processor.FedizProcessor;
 import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
 import org.apache.cxf.fediz.core.processor.FedizRequest;
@@ -108,6 +109,14 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                         RequestState requestState = redirectionResponse.getRequestState();
                         if (requestState != null && requestState.getState() != null)
{
                             getStateManager().setRequestState(requestState.getState(), requestState);
+                        
+                            String contextCookie = 
+                                CookieUtils.createCookie(SECURITY_CONTEXT_STATE,
+                                                         requestState.getState(),
+                                                         request.getRequestURI(),
+                                                         getWebAppDomain(),
+                                                         getStateTimeToLive());
+                            response.header("Set-Cookie", contextCookie);
                         }
                         
                         context.abortWith(response.build());
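Review bot: The new state cookie is scoped to `request.getRequestURI()`, while the `SECURITY_CONTEXT_TOKEN` cookie issued after sign-in (later hunk in this file) is scoped to `webAppContext`; if the IdP posts the response to any URI other than the one that triggered the redirect, the browser will not send this cookie and the relay-cookie check in `AbstractServiceProviderFilter` fails with `MISSING_RELAY_COOKIE`. Unless the return URL is guaranteed to equal the originating URI, scope it to the web-app context as well. Whether `CookieUtils.createCookie` marks the cookie HttpOnly and Secure is not visible here; since this cookie binds the sign-in response to the browser that started the flow, confirm that it does.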
@@ -117,6 +126,8 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                     }
                 } else if (isSignInRequest(fedConfig, params)) {
                     String responseToken = getResponseToken(fedConfig, params);
+                    String state = getState(fedConfig, params);
+                    
                     if (responseToken == null) {
                         if (LOG.isDebugEnabled()) {
                             LOG.debug("SignIn request must contain a response token from
the IdP");
@@ -130,7 +141,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                         }
 
                         FedizResponse wfRes = 
-                            validateSignInRequest(fedConfig, params, responseToken);
+                            validateSignInRequest(fedConfig, params, responseToken, state);
                         
                         // Validate AudienceRestriction
                         List<String> audienceURIs = fedConfig.getAudienceUris();
@@ -140,18 +151,16 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                         // Set the security context
                         String securityContextKey = UUID.randomUUID().toString();
                            
-                        SAMLProtocol protocol = (SAMLProtocol)fedConfig.getProtocol();
-                        
                         long currentTime = System.currentTimeMillis();
                         Date notOnOrAfter = wfRes.getTokenExpires();
                         long expiresAt = 0;
                         if (notOnOrAfter != null) {
                             expiresAt = notOnOrAfter.getTime();
                         } else {
-                            expiresAt = currentTime + protocol.getStateTimeToLive();
+                            expiresAt = currentTime + getStateTimeToLive();
                         }
                            
-                        String webAppDomain = protocol.getWebAppDomain();
+                        String webAppDomain = getWebAppDomain();
                         String token = DOM2Writer.nodeToString(wfRes.getToken());
                         List<String> roles = wfRes.getRoles();
                         if (roles == null || roles.size() == 0) {
@@ -162,7 +171,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                         
                         ResponseState responseState = 
                             new ResponseState(token,
-                                              params.getFirst("RelayState"), 
+                                              state, 
                                               webAppContext,
                                               webAppDomain,
                                               currentTime, 
@@ -173,7 +182,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                         responseState.setSubject(wfRes.getUsername());
                         getStateManager().setResponseState(securityContextKey, responseState);
                            
-                        long stateTimeToLive = protocol.getStateTimeToLive();
+                        long stateTimeToLive = getStateTimeToLive();
                         String contextCookie = CookieUtils.createCookie(SECURITY_CONTEXT_TOKEN,
                                                             securityContextKey,
                                                             webAppContext,
@@ -238,20 +247,45 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
         return null;
     }
     
+    private String getState(FedizContext fedConfig, MultivaluedMap<String, String>
params) {
+        if (params != null && fedConfig.getProtocol() instanceof FederationProtocol)
{
+            return params.getFirst(FederationConstants.PARAM_CONTEXT);
+        } else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol)
{
+            return params.getFirst(SAMLSSOConstants.RELAY_STATE);
+        }
+        
+        return null;
+    }
+    
     private FedizResponse validateSignInRequest(
         FedizContext fedConfig,
         MultivaluedMap<String, String> params,
-        String responseToken
-    ) throws UnsupportedEncodingException {
+        String responseToken,
+        String state
+    ) throws UnsupportedEncodingException, ProcessingException {
         FedizRequest wfReq = new FedizRequest();
         wfReq.setAction(params.getFirst(FederationConstants.PARAM_ACTION));
         wfReq.setResponseToken(responseToken);
-        String relayState = params.getFirst("RelayState");
-        wfReq.setState(relayState);
-        if (relayState != null) {
-            wfReq.setRequestState(getStateManager().removeRequestState(relayState));
+        
+        if (state == null || state.getBytes().length <= 0) {
+            LOG.error("Invalid RelayState/WCTX");
+            throw new ProcessingException(TYPE.INVALID_REQUEST);
         }
-
+        
+        wfReq.setState(state);
+        wfReq.setRequestState(getStateManager().removeRequestState(state));
+        
+        if (wfReq.getRequestState() == null) {
+            LOG.error("Missing Request State");
+            throw new ProcessingException(TYPE.INVALID_REQUEST);
+        }
+        
+        if (CookieUtils.isStateExpired(wfReq.getRequestState().getCreatedAt(), 0, 
+                                       getStateTimeToLive())) {
+            LOG.error("EXPIRED_REQUEST_STATE");
+            throw new ProcessingException(TYPE.INVALID_REQUEST);
+        }
+        
         HttpServletRequest request = messageContext.getHttpServletRequest();
         wfReq.setRequest(request);
 
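Review bot: `state.getBytes().length <= 0` is a roundabout emptiness test that also depends on the platform charset; `if (state == null || state.isEmpty()) {` says the same thing. `getState` above is undocumented and silently returns null for any protocol other than WS-Federation or SAML, which this check then reports as an invalid RelayState/WCTX; a Javadoc such as `/** Returns the wctx (WS-Federation) or RelayState (SAML) parameter of the sign-in response, or null if absent or the protocol is unknown. */` would make that intent visible. Adding `ProcessingException` to the signature is only safe if the caller's enclosing try block (outside the hunk) already handles it — worth confirming.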

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
index 22f1ced..17fa532 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
@@ -34,7 +34,7 @@ public class ResponseState implements Serializable {
     private static final long serialVersionUID = -3247188797004342462L;
     
     private String assertion;
-    private String relayState;
+    private String state;
     private String webAppContext;
     private String webAppDomain;
     private long createdAt;
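Review bot: Renaming the `relayState` field to `state` changes the serialized form of a `Serializable` class while `serialVersionUID` stays at -3247188797004342462L; if the `SPStateManager` implementation persists response state across restarts (an EHCache-based one is imported in the filter, but its configuration is not visible here), entries written before this change would deserialize with `state == null`, and `responseState.getState().equals(...)` in the filter would throw. Either bump `serialVersionUID` so stale entries are rejected on load, or null-check the stored state before comparing it with the cookie.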
@@ -49,13 +49,13 @@ public class ResponseState implements Serializable {
     }
     
     public ResponseState(String assertion,
-                         String relayState,
+                         String state,
                          String webAppContext,
                          String webAppDomain,
                          long createdAt, 
                          long expiresAt) {
         this.assertion = assertion;
-        this.relayState = relayState;
+        this.state = state;
         this.webAppContext = webAppContext;
         this.webAppDomain = webAppDomain;
         this.createdAt = createdAt;
@@ -70,8 +70,8 @@ public class ResponseState implements Serializable {
         return expiresAt;
     }
 
-    public String getRelayState() {
-        return relayState;
+    public String getState() {
+        return state;
     }
     
     public String getWebAppContext() {

