From cohei...@apache.org
Subject [2/2] cxf-fediz git commit: [FEDIZ-73] - More minor stuff to do with SAML SSO
Date Fri, 28 Nov 2014 14:34:43 GMT
[FEDIZ-73] - More minor stuff to do with SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8d9ab43d
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8d9ab43d
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8d9ab43d

Branch: refs/heads/master
Commit: 8d9ab43d679c038970ce8567bb5cd4386c64d952
Parents: 74540be
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Nov 28 14:34:24 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Nov 28 14:34:24 2014 +0000

----------------------------------------------------------------------
 .../TrustedIdpSAMLProtocolHandler.java          | 64 ++++----------------
 .../idp/src/main/resources/entities-realma.xml  |  8 +--
 2 files changed, 15 insertions(+), 57 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8d9ab43d/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index e0fe66c..c9fd7d0 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -27,7 +27,6 @@ import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLEncoder;
-import java.util.Date;
 import java.util.UUID;
 import java.util.zip.DataFormatException;
 
@@ -47,7 +46,6 @@ import org.apache.cxf.fediz.service.idp.spi.TrustedIdpProtocolHandler;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
-import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
 import org.apache.cxf.rs.security.saml.sso.AuthnRequestBuilder;
 import org.apache.cxf.rs.security.saml.sso.DefaultAuthnRequestBuilder;
@@ -74,7 +72,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
     private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpSAMLProtocolHandler.class);
 
     private AuthnRequestBuilder authnRequestBuilder = new DefaultAuthnRequestBuilder();
-    private long stateTimeToLive = SSOConstants.DEFAULT_STATE_TIME;
+    // private long stateTimeToLive = SSOConstants.DEFAULT_STATE_TIME;
 
     static {
         OpenSAMLUtil.initSamlEngine();
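Review bot: The `+` line keeps `stateTimeToLive` as commented-out code rather than deleting it; its only visible consumer, `createCookie`, is removed in the hunk at -153, so the field is dead and the line should go, with `SSOConstants.DEFAULT_STATE_TIME` reintroduced together with the cookie code if that ever comes back. The same applies to the commented-out `setClientAddress`, `setRequestId` and `setEnforceKnownIssuer` calls in the hunk at -316, where a one-line TODO naming what is missing carries more information than disabled code. The enclosing class continues outside the hunk.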
@@ -119,15 +117,10 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
             //if (isSignRequest()) {
             //    signRequest(urlEncodedRequest, info.getRelayState(), ub);
             //}
-            // TODO String contextCookie = createCookie(SSOConstants.RELAY_STATE,
-            //                                    relayState,
-            //                                    idp.getIdpUrl().getPath(),
-            //                                    null);
 
             /*context.abortWith(Response.seeOther(ub.build())
                            .header(HttpHeaders.CACHE_CONTROL, "no-cache, no-store")
                            .header("Pragma", "no-cache") 
-                           .header(HttpHeaders.SET_COOKIE, contextCookie)
                            .build());*/
 
             return ub.build().toURL();
@@ -153,44 +146,10 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
         return Base64Utility.encode(deflatedBytes);
     }
 
-    protected String createCookie(String name, 
-                                  String value, 
-                                  String path,
-                                  String domain) { 
-
-        String contextCookie = name + "=" + value;
-        // Setting a specific path restricts the browsers
-        // to return a cookie only to the web applications
-        // listening on that specific context path
-        if (path != null) {
-            contextCookie += ";Path=" + path;
-        }
-
-        // Setting a specific domain further restricts the browsers
-        // to return a cookie only to the web applications
-        // listening on the specific context path within a particular domain
-        if (domain != null) {
-            contextCookie += ";Domain=" + domain;
-        }
-
-        // Keep the cookie across the browser restarts until it actually expires.
-        // Note that the Expires property has been deprecated but apparently is 
-        // supported better than 'max-age' property by different browsers 
-        // (Firefox, IE, etc)
-        Date expiresDate = new Date(System.currentTimeMillis() + stateTimeToLive);
-        String cookieExpires = HttpUtils.getHttpDateFormat().format(expiresDate);
-        contextCookie += ";Expires=" + cookieExpires;
-        //TODO: Consider adding an 'HttpOnly' attribute        
-
-        return contextCookie;
-    }
-
-
     @Override
     public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp)
{
 
         try {
-
             String relayState = (String) WebUtils.getAttributeFromFlowScope(context,
                                                                             SSOConstants.RELAY_STATE);
             // TODO Validate RelayState
@@ -305,7 +264,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
         try {
             SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
             protocolValidator.setKeyInfoMustBeAvailable(true); // TODO
-            protocolValidator.validateSamlResponse(samlResponse, getSignatureCrypto(), getCallbackHandler());
+            protocolValidator.validateSamlResponse(samlResponse, getSignatureCrypto(), null);
         } catch (WSSecurityException ex) {
             LOG.debug(ex.getMessage(), ex);
             throw ExceptionUtils.toBadRequestException(null, null);
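Review bot: The new call passes a bare `null` where `getCallbackHandler()` was, and nothing says why. As far as I recall, the callback handler is what `SAMLProtocolResponseValidator` uses to obtain the private-key password for decrypting encrypted assertions, so with `null` an encrypted Response would presumably fail validation rather than be accepted unencrypted, which is the safe direction but is a limitation worth stating. Suggest `// no CallbackHandler: encrypted assertions are not supported by this handler yet` above the call, or keeping the accessor if decryption is still intended. The enclosing method starts before this hunk.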
@@ -316,22 +275,21 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
      * Validate the received SAML Response as per the Web SSO profile
     protected SSOValidatorResponse validateSamlSSOResponse(
         boolean postBinding,
-        org.opensaml.saml2.core.Response samlResponse
+        org.opensaml.saml2.core.Response samlResponse,
+        Idp idp, 
+        TrustedIdp trustedIdp
     ) {
         try {
             SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
-            ssoResponseValidator.setAssertionConsumerURL(
-                                                         messageContext.getUriInfo().getAbsolutePath().toString());
+            ssoResponseValidator.setAssertionConsumerURL(idp.getIdpUrl());
 
-            ssoResponseValidator.setClientAddress(
-                                                  messageContext.getHttpServletRequest().getRemoteAddr());
+            // ssoResponseValidator.setClientAddress(client_ip);
 
-            ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
-            ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
-            ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
+            ssoResponseValidator.setIssuerIDP(trustedIdp.getUrl());
+            // ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
+            ssoResponseValidator.setSpIdentifier(idp.getRealm());
             ssoResponseValidator.setEnforceAssertionsSigned(true); // TODO
-            ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
-            // ssoResponseValidator.setReplayCache(getReplayCache());
+            // ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
 
             return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);
         } catch (WSSecurityException ex) {
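Review bot: The added `// ssoResponseValidator.setRequestId(...)` line drops the InResponseTo correlation with the AuthnRequest this handler issued, and nothing in the new code replaces it, so unless the validator rejects a null request id on its own, a Response that does not answer an outstanding request from this IdP would pass `validateSamlResponse`. The request id is generated in the sign-in path (the `java.util.UUID` import is kept in the first hunk), so it could be stored in flow scope next to `SSOConstants.RELAY_STATE` and restored here; until then a `// TODO(FEDIZ-73): restore InResponseTo correlation (setRequestId)` would at least make the gap visible. The same goes for `setEnforceKnownIssuer`, now left at the validator's default, and `setClientAddress`, which presumably fed the SubjectConfirmationData Address check. Separately, `setAssertionConsumerURL(idp.getIdpUrl())` receives what the removed `idp.getIdpUrl().getPath()` in the hunk at -119 suggests is a `URL`, so it may need `.toString()` to match the validator's String parameter. validateSamlSSOResponse continues past the hunk.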

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8d9ab43d/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index 87dc70a..16f45f0 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -33,8 +33,8 @@
         <property name="useCurrentIdp" value="true" />
         <property name="certificate" value="stsKeystoreA.properties" />
         <property name="certificatePassword" value="realma" />
-        <property name="stsUrl" value="https://localhost:9443/fediz-idp-sts/REALMA" />
-        <property name="idpUrl" value="https://localhost:9443/fediz-idp/federation" />
+        <property name="stsUrl" value="https://localhost:8443/fediz-idp-sts/REALMA" />
+        <property name="idpUrl" value="https://localhost:8443/fediz-idp/federation" />
         <property name="rpSingleSignOutConfirmation" value="true"/>
         <property name="supportedProtocols">
             <util:list>
@@ -81,10 +81,10 @@
         class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
         <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
         <property name="cacheTokens" value="true" />
-        <property name="url" value="https://localhost:12443/fediz-idp-remote/federation"
/>
+        <property name="url" value="http://localhost:12345/idp/samlsso" />
         <property name="certificate" value="realmb.cert" />
         <property name="trustType" value="PEER_TRUST" />
-        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
/>
         <property name="federationType" value="FEDERATE_IDENTITY" />
         <property name="name" value="Realm B" />
         <property name="description" value="Realm B description" />
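Review bot: The new `url` for the Realm B trusted IdP is plain `http://localhost:12345/idp/samlsso` while every other endpoint in this file stays on `https`; since the Java hunk at -316 now uses `trustedIdp.getUrl()` as the expected SAML Issuer, this value also acts as a trust anchor, not just as an address. If it is a placeholder for a local test IdP, an XML comment such as `<!-- dev/test only: SAML IdP on cleartext http; use https in any real deployment -->` next to it would keep the value from being copied into a real configuration unchanged.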

