cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: Some work on Logout to support SAML
Date Thu, 23 Oct 2014 11:14:36 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 62b7250d7 -> cc8c123cd


Some work on Logout to support SAML


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cc8c123c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cc8c123c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cc8c123c

Branch: refs/heads/master
Commit: cc8c123cd5515df3840a2c1f9c3e5fd7de3302c1
Parents: 62b7250
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Oct 23 12:14:13 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Oct 23 12:14:13 2014 +0100

----------------------------------------------------------------------
 .../core/processor/FederationProcessorImpl.java |  5 +-
 .../fediz/core/processor/FedizProcessor.java    |  8 ++-
 .../fediz/core/processor/SAMLProcessorImpl.java |  7 +-
 .../samlsso/DefaultSAMLPRequestBuilder.java     |  5 ++
 .../core/federation/FederationRequestTest.java  |  2 +-
 .../cxf/fediz/core/samlsso/SAMLRequestTest.java |  4 +-
 .../cxf/plugin/FedizRedirectBindingFilter.java  |  2 +-
 .../fediz/jetty/FederationAuthenticator.java    |  3 +-
 .../web/FederationLogoutSuccessHandler.java     |  2 +-
 .../fediz/tomcat/FederationAuthenticator.java   | 69 ++++++++++++--------
 10 files changed, 70 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index ed830e6..7a4dc52 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -60,6 +60,7 @@ import org.apache.cxf.fediz.core.spi.WReqCallback;
 import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSDocInfo;
@@ -473,7 +474,9 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
     }
 
     @Override
-    public RedirectionResponse createSignOutRequest(HttpServletRequest request, FedizContext
config)
+    public RedirectionResponse createSignOutRequest(HttpServletRequest request, 
+                                                    SamlAssertionWrapper token,
+                                                    FedizContext config)
         throws ProcessingException {
 
         String redirectURL = null;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
index c6cea4e..846ebf8 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
@@ -20,21 +20,25 @@
 package org.apache.cxf.fediz.core.processor;
 
 import javax.servlet.http.HttpServletRequest;
+
 import org.w3c.dom.Document;
 import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 
 
 public interface FedizProcessor {
 
-    FedizResponse processRequest(FedizRequest request, FedizContext config) throws ProcessingException;
+    FedizResponse processRequest(
+        FedizRequest request, FedizContext config
+    ) throws ProcessingException;
     
     RedirectionResponse createSignInRequest(
         HttpServletRequest request, FedizContext config
     ) throws ProcessingException;
 
     RedirectionResponse createSignOutRequest(
-        HttpServletRequest request, FedizContext config
+        HttpServletRequest request, SamlAssertionWrapper token, FedizContext config
     ) throws ProcessingException;
 
     Document getMetaData(

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index b3766e8..47634d9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -53,6 +53,7 @@ import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.xml.security.exceptions.Base64DecodingException;
@@ -405,7 +406,9 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
     }
 
     @Override
-    public RedirectionResponse createSignOutRequest(HttpServletRequest request, FedizContext
config)
+    public RedirectionResponse createSignOutRequest(HttpServletRequest request, 
+                                                    SamlAssertionWrapper token,
+                                                    FedizContext config)
         throws ProcessingException {
         
         String redirectURL = null;
@@ -433,7 +436,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             String realm = resolveWTRealm(request, config);
             String reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
             LogoutRequest logoutRequest = 
-                samlpRequestBuilder.createLogoutRequest(realm, reason, null); // TODO
+                samlpRequestBuilder.createLogoutRequest(realm, reason, token);
             
             if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
                 logoutRequest.setDestination(redirectURL);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
index 3c80e70..6ef8eb5 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
@@ -128,6 +128,11 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder
{
                     nameID = subject.getNameID();
                 }
             }
+            
+            if (nameID != null) {
+                nameID.detach();
+            }
+            
             List<AuthnStatement> authnStatements = 
                 authenticatedAssertion.getSaml2().getAuthnStatements();
             if (authnStatements != null && !authnStatements.isEmpty()) {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
index b48521b..6624f85 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
@@ -120,7 +120,7 @@ public class FederationRequestTest {
         EasyMock.replay(req);
         
         FedizProcessor wfProc = new FederationProcessorImpl();
-        RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+        RedirectionResponse response = wfProc.createSignOutRequest(req, null, config);
         
         String redirectionURL = response.getRedirectionURL();
         Assert.assertTrue(redirectionURL.startsWith(TEST_IDP_ISSUER));

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index 06ae3a8..05c4f7a 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -211,7 +211,7 @@ public class SAMLRequestTest {
         EasyMock.replay(req);
         
         FedizProcessor wfProc = new SAMLProcessorImpl();
-        RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+        RedirectionResponse response = wfProc.createSignOutRequest(req, null, config);
         
         String redirectionURL = response.getRedirectionURL();
         String samlRequest = 
@@ -240,7 +240,7 @@ public class SAMLRequestTest {
         EasyMock.replay(req);
         
         FedizProcessor wfProc = new SAMLProcessorImpl();
-        RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+        RedirectionResponse response = wfProc.createSignOutRequest(req, null, config);
         
         String redirectionURL = response.getRedirectionURL();
         String signature = 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 83eb3b5..7bc417e 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -274,7 +274,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
{
                     
                     HttpServletRequest request = messageContext.getHttpServletRequest();
                     RedirectionResponse redirectionResponse = 
-                        processor.createSignOutRequest(request, fedConfig);
+                        processor.createSignOutRequest(request, null, fedConfig); //TODO
                     String redirectURL = redirectionResponse.getRedirectionURL();
                     if (redirectURL != null) {
                         ResponseBuilder response = Response.seeOther(new URI(redirectURL));

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
index e727ae1..7597c1a 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
@@ -501,7 +501,8 @@ public class FederationAuthenticator extends LoginAuthenticator {
         }
         FedizContext fedCtx = this.configurator.getFedizContext(contextName);
         try {
-            RedirectionResponse redirectionResponse = processor.createSignOutRequest(request,
fedCtx);
+            RedirectionResponse redirectionResponse = 
+                processor.createSignOutRequest(request, null, fedCtx); //TODO
             String redirectURL = redirectionResponse.getRedirectionURL();
             if (redirectURL != null) {
                 Map<String, String> headers = redirectionResponse.getHeaders();

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
index 1a2dba3..8d6c5fe 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
@@ -60,7 +60,7 @@ public class FederationLogoutSuccessHandler implements LogoutSuccessHandler
{
             FedizProcessor wfProc = 
                 FedizProcessorFactory.newFedizProcessor(fedCtx.getProtocol());
             RedirectionResponse redirectionResponse =
-                wfProc.createSignOutRequest(request, fedCtx);
+                wfProc.createSignOutRequest(request, null, fedCtx); //TODO
             String redirectURL = redirectionResponse.getRedirectionURL();
             if (redirectURL != null) {
                 Map<String, String> headers = redirectionResponse.getHeaders();

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index 9b741f1..a7e9a00 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -38,6 +38,7 @@ import javax.servlet.http.HttpSession;
 import javax.xml.bind.JAXBException;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.Session;
 import org.apache.catalina.authenticator.Constants;
@@ -61,6 +62,8 @@ import org.apache.cxf.fediz.core.processor.FedizResponse;
 import org.apache.cxf.fediz.core.processor.RedirectionResponse;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.util.DOM2Writer;
 
 
@@ -211,30 +214,6 @@ public class FederationAuthenticator extends FormAuthenticator {
             }            
         }
 
-        //logout
-        String logoutUrl = fedConfig.getLogoutURL();
-        if (logoutUrl != null && !logoutUrl.isEmpty()) {
-            HttpSession httpSession = request.getSession(false);
-            String uri = request.getRequestURI();
-            if (httpSession != null && uri.equals(contextName + logoutUrl)) {
-                Session session = request.getSessionInternal();
-                
-                // Cleanup session
-                if (session != null) {
-                    session.removeNote(FEDERATION_NOTE);
-                    session.setPrincipal(null);
-                    request.getSession().removeAttribute(SECURITY_TOKEN);
-                }
-                httpSession.invalidate();
-
-                FedizProcessor wfProc = 
-                    FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
-                signOutRedirectToIssuer(request, response, wfProc);
-
-                return;
-            }
-        }
-
         String wa = request.getParameter(FederationConstants.PARAM_ACTION);
         if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) {
             if (LOG.isDebugEnabled()) {
@@ -291,6 +270,34 @@ public class FederationAuthenticator extends FormAuthenticator {
             contextName = "/";
         }
         FedizContext fedConfig = getContextConfiguration(contextName);
+        
+        //logout
+        String logoutUrl = fedConfig.getLogoutURL();
+        if (logoutUrl != null && !logoutUrl.isEmpty()) {
+            HttpSession httpSession = request.getSession(false);
+            String uri = request.getRequestURI();
+            if (httpSession != null && uri.equals(contextName + logoutUrl)) {
+                session = request.getSessionInternal();
+                
+                Element token = 
+                    (Element)request.getSession().getAttribute(SECURITY_TOKEN);
+                
+                // Cleanup session
+                if (session != null) {
+                    session.removeNote(FEDERATION_NOTE);
+                    session.setPrincipal(null);
+                    request.getSession().removeAttribute(SECURITY_TOKEN);
+                }
+                httpSession.invalidate();
+
+                FedizProcessor wfProc = 
+                    FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
+                signOutRedirectToIssuer(request, response, token, wfProc);
+
+                return false;
+            }
+        }
+
 
         // Have we already authenticated someone?
         Principal principal = request.getUserPrincipal();
@@ -677,7 +684,8 @@ public class FederationAuthenticator extends FormAuthenticator {
         }
     }
 
-    protected void signOutRedirectToIssuer(Request request, HttpServletResponse response,
FedizProcessor processor)
+    protected void signOutRedirectToIssuer(Request request, HttpServletResponse response,

+                                           Element token, FedizProcessor processor)
             throws IOException {
 
         String contextName = request.getServletContext().getContextPath();
@@ -686,7 +694,12 @@ public class FederationAuthenticator extends FormAuthenticator {
         }
         FedizContext fedCtx = this.configurator.getFedizContext(contextName);
         try {
-            RedirectionResponse redirectionResponse = processor.createSignOutRequest(request,
fedCtx);
+            SamlAssertionWrapper assertionToken = null;
+            if (token != null) {
+                assertionToken = new SamlAssertionWrapper(token);
+            }
+            RedirectionResponse redirectionResponse = 
+                processor.createSignOutRequest(request, assertionToken, fedCtx);
             String redirectURL = redirectionResponse.getRedirectionURL();
             if (redirectURL != null) {
                 Map<String, String> headers = redirectionResponse.getHeaders();
@@ -706,6 +719,10 @@ public class FederationAuthenticator extends FormAuthenticator {
             LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
             response.sendError(
                     HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+        } catch (WSSecurityException ex) {
+            LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
+            response.sendError(
+                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
         }
     }
 }


Mime
View raw message