cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: More logout work for SAML SSO
Date Fri, 24 Oct 2014 14:53:16 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master cc8c123cd -> f233488c3


More logout work for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f233488c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f233488c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f233488c

Branch: refs/heads/master
Commit: f233488c3ff9ec15a063862e4fa7b11c9f0b98ff
Parents: cc8c123
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Oct 24 15:52:57 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Oct 24 15:52:57 2014 +0100

----------------------------------------------------------------------
 .../cxf/fediz/core/config/SAMLProtocol.java     |  4 +-
 .../fediz/core/processor/SAMLProcessorImpl.java | 26 +++++-------
 .../src/main/resources/schemas/FedizConfig.xsd  |  2 +
 .../fediz/tomcat/FederationAuthenticator.java   | 44 ++++++++++++--------
 4 files changed, 42 insertions(+), 34 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index d5a04c5..a9736e9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -106,5 +106,7 @@ public class SAMLProtocol extends Protocol {
         getSAMLProtocol().setDoNotEnforceKnownIssuer(doNotEnforceKnownIssuer);
     }
     
-    
+    public String getIssuerLogoutURL() {
+        return getSAMLProtocol().getIssuerLogoutURL();
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 47634d9..ed6dd31 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -418,12 +418,18 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
                 throw new IllegalStateException("Unsupported protocol");
             }
 
-            String issuerURL = resolveIssuer(request, config);
-            LOG.info("Issuer url: " + issuerURL);
-            if (issuerURL != null && issuerURL.length() > 0) {
-                redirectURL = issuerURL;
+            redirectURL = ((SAMLProtocol)config.getProtocol()).getIssuerLogoutURL();
+            if (redirectURL == null) {
+                String issuerURL = resolveIssuer(request, config);
+                LOG.info("Issuer url: " + issuerURL);
+                if (issuerURL != null && issuerURL.length() > 0) {
+                    redirectURL = issuerURL;
+                }
+            }
+            if (redirectURL == null) {
+                LOG.debug("No issuerLogoutURL or issuer parameter specified for logout");
+                throw new ProcessingException("Failed to create SignOutRequest");
             }
-            redirectURL = "http://localhost:8081/IDBUS/CXF/CXFIDP/SAML2/SLO/REDIR";
             
             SAMLPRequestBuilder samlpRequestBuilder = 
                 ((SAMLProtocol)config.getProtocol()).getSAMLPRequestBuilder();
@@ -432,7 +438,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             doc.appendChild(doc.createElement("root"));
      
             // Create the LogoutRequest
-            String requestURL = request.getRequestURL().toString();
             String realm = resolveWTRealm(request, config);
             String reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
             LogoutRequest logoutRequest = 
@@ -446,14 +451,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             String logoutRequestEncoded = encodeAuthnRequest(logoutRequestElement);
             
             String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
-            RequestState requestState = new RequestState();
-            requestState.setTargetAddress(requestURL);
-            requestState.setIdpServiceAddress(redirectURL);
-            requestState.setRequestId(logoutRequest.getID());
-            requestState.setIssuerId(realm);
-            requestState.setWebAppContext(logoutRequest.getIssuer().getValue());
-            requestState.setState(relayState);
-            requestState.setCreatedAt(System.currentTimeMillis());
             
             String urlEncodedRequest = 
                 URLEncoder.encode(logoutRequestEncoded, "UTF-8");
@@ -470,7 +467,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             RedirectionResponse response = new RedirectionResponse();
             response.addHeader("Cache-Control", "no-cache, no-store");
             response.addHeader("Pragma", "no-cache");
-            response.setRequestState(requestState);
             
             redirectURL = redirectURL + "?" + sb.toString();
             response.setRedirectionURL(redirectURL);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index d26ad25..f430c91 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -113,6 +113,7 @@
 					<xs:element ref="authnRequestBuilder"/>
 					<xs:element ref="disableDeflateEncoding"/>
 					<xs:element ref="doNotEnforceKnownIssuer"/>
+					<xs:element ref="issuerLogoutURL"/>
 				</xs:sequence>
 				<xs:attribute name="version" use="required" type="xs:string" />
 			</xs:extension>
@@ -129,6 +130,7 @@
 	<xs:element name="authnRequestBuilder" type="xs:string" />
 	<xs:element name="disableDeflateEncoding" type="xs:boolean"/>
 	<xs:element name="doNotEnforceKnownIssuer" type="xs:boolean"/>
+	<xs:element name="issuerLogoutURL" type="xs:string"/>
 	
 	<xs:complexType name="protocolType" abstract="true">
 	    <xs:sequence>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index a7e9a00..4e7bae9 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -222,20 +222,7 @@ public class FederationAuthenticator extends FormAuthenticator {
             }
 
             request.getSession().invalidate();
-
-            final ServletOutputStream responseOutputStream = response.getOutputStream();
-            InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
-            if (inputStream == null) {
-                LOG.warn("Could not write logout.jpg");
-                return;
-            }
-            int read = 0;
-            byte[] buf = new byte[1024];
-            while ((read = inputStream.read(buf)) != -1) {
-                responseOutputStream.write(buf, 0, read);
-            }
-            inputStream.close();
-            responseOutputStream.flush();
+            handleLogout(response.getOutputStream());
 
             return;
         }
@@ -244,6 +231,21 @@ public class FederationAuthenticator extends FormAuthenticator {
 
     }
     
+    private void handleLogout(final ServletOutputStream responseOutputStream) throws IOException
{
+        InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
+        if (inputStream == null) {
+            LOG.warn("Could not write logout.jpg");
+            return;
+        }
+        int read = 0;
+        byte[] buf = new byte[1024];
+        while ((read = inputStream.read(buf)) != -1) {
+            responseOutputStream.write(buf, 0, read);
+        }
+        inputStream.close();
+        responseOutputStream.flush();
+    }
+    
     private String getMetadataURI(FedizContext fedConfig) {
         if (fedConfig.getProtocol().getMetadataURI() != null) {
             return fedConfig.getProtocol().getMetadataURI();
@@ -260,7 +262,7 @@ public class FederationAuthenticator extends FormAuthenticator {
     @Override
     public boolean authenticate(Request request, HttpServletResponse response,
             LoginConfig config) throws IOException {
-
+        
         LOG.debug("authenticate invoked");
         // References to objects we will need later
         Session session = null;
@@ -273,10 +275,11 @@ public class FederationAuthenticator extends FormAuthenticator {
         
         //logout
         String logoutUrl = fedConfig.getLogoutURL();
-        if (logoutUrl != null && !logoutUrl.isEmpty()) {
+        if (logoutUrl != null && !logoutUrl.isEmpty()
+            && request.getRequestURI().equals(contextName + logoutUrl)) {
             HttpSession httpSession = request.getSession(false);
-            String uri = request.getRequestURI();
-            if (httpSession != null && uri.equals(contextName + logoutUrl)) {
+            if (httpSession != null) {
+                // Here the user is already logged in
                 session = request.getSessionInternal();
                 
                 Element token = 
@@ -295,6 +298,11 @@ public class FederationAuthenticator extends FormAuthenticator {
                 signOutRedirectToIssuer(request, response, token, wfProc);
 
                 return false;
+            } else {
+                // The user is already logged out
+                handleLogout(response.getOutputStream());
+
+                return false;
             }
         }
 


Mime
View raw message