cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jbernha...@apache.org
Subject cxf-fediz git commit: [FEDIZ-97] Renaming (adding) plugin configuration properties. Improving Exception handling.
Date Fri, 27 Feb 2015 20:27:46 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 6732b3197 -> 978a89e25


[FEDIZ-97] Renaming (adding) plugin configuration properties. Improving Exception handling.


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/978a89e2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/978a89e2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/978a89e2

Branch: refs/heads/master
Commit: 978a89e259f620c8a3ad232d82d57aa88a80db31
Parents: 6732b31
Author: Jan Bernhardt <jbernhardt@talend.com>
Authored: Tue Feb 24 18:01:10 2015 +0100
Committer: Jan Bernhardt <jbernhardt@talend.com>
Committed: Fri Feb 27 21:25:45 2015 +0100

----------------------------------------------------------------------
 .../cxf/fediz/core/processor/FedizRequest.java  |  14 +-
 plugins/websphere/pom.xml                       |  66 +++++-
 .../websphere/src/main/assembly/assembly.xml    |  18 ++
 .../org/apache/cxf/fediz/was/Constants.java     |  23 +-
 .../was/mapper/FileBasedRoleToGroupMapper.java  |  83 ++++----
 .../filter/SecurityContextTTLChecker.java       |  12 +-
 .../cxf/fediz/was/tai/FedizInterceptor.java     | 208 ++++++++++---------
 7 files changed, 269 insertions(+), 155 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
index d86b840..66fb396 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
@@ -21,6 +21,7 @@ package org.apache.cxf.fediz.core.processor;
 
 import java.io.Serializable;
 import java.security.cert.Certificate;
+import java.util.Arrays;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -81,5 +82,16 @@ public class FedizRequest implements Serializable {
         this.requestState = requestState;
     }
 
-
+    @Override
+    public String toString() {
+        return "FedizRequest{" +
+                "action='" + action + '\'' +
+                ", responseToken='" + (responseToken == null ? null : responseToken.substring(0,15)
+ "..." ) + '\'' +
+                ", state='" + state + '\'' +
+                ", freshness='" + freshness + '\'' +
+                ", certs=" + (certs == null ? 0 : certs.length) +
+                ", request=" + request + '\'' +
+                ", requestState=" + requestState + '\'' +
+                '}';
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/websphere/pom.xml
----------------------------------------------------------------------
diff --git a/plugins/websphere/pom.xml b/plugins/websphere/pom.xml
index d846fad..415c1ca 100644
--- a/plugins/websphere/pom.xml
+++ b/plugins/websphere/pom.xml
@@ -23,7 +23,7 @@
     <parent>
         <groupId>org.apache.cxf.fediz</groupId>
         <artifactId>plugin</artifactId>
-        <version>1.1.0-SNAPSHOT</version>
+        <version>1.2.0-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>fediz-websphere</artifactId>
@@ -50,18 +50,50 @@
         <!--
         <dependency>
             <groupId>com.ibm.ws</groupId>
+            <artifactId>runtime</artifactId>
+            <version>7</version>
+            <scope>compile</scope>
+        </dependency>
+		<dependency>
+            <groupId>com.ibm.ws</groupId>
             <artifactId>runtime</artifactId> 
             <version>8</version>
             <type>jar</type>
             <scope>provided</scope>
         </dependency>
-        -->
-        <dependency>
-            <groupId>com.ibm.ws</groupId>
-            <artifactId>runtime</artifactId>
-            <version>7</version>
-            <scope>compile</scope>
+		-->
+		<dependency>
+			<groupId>com.ibm.websphere</groupId>
+			<artifactId>com.ibm.websphere.security</artifactId>
+			<version>1.0.3</version>
+			<type>jar</type>
+			<scope>compile</scope>
+ 		</dependency>
+		<dependency>
+			<groupId>com.ibm.ws.security</groupId>
+			<artifactId>com.ibm.ws.security.authentication.tai</artifactId>
+			<version>1.0.3</version>
+			<type>jar</type>
+			<scope>compile</scope>
+		</dependency>
+		<dependency>
+			<groupId>com.ibm.ws.security</groupId>
+			<artifactId>com.ibm.ws.security.token</artifactId>
+			<version>1.0.2</version>
+			<type>jar</type>
+			<scope>compile</scope>
+		</dependency>        
+
+		<dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <version>${slf4j.version}</version>
         </dependency>
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+			<version>${slf4j.version}</version>
+		</dependency>
     </dependencies>
     <build>
         <plugins>
@@ -92,6 +124,26 @@
                     <verbose>true</verbose>
                 </configuration>
             </plugin>
+			<plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>2.2.1</version>
+                <executions>
+                    <execution>
+                        <id>zip-file</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>attached</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>src/main/assembly/assembly.xml</descriptor>
+                            </descriptors>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
+	
 </project>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/websphere/src/main/assembly/assembly.xml
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/assembly/assembly.xml b/plugins/websphere/src/main/assembly/assembly.xml
new file mode 100644
index 0000000..fb0d6aa
--- /dev/null
+++ b/plugins/websphere/src/main/assembly/assembly.xml
@@ -0,0 +1,18 @@
+<assembly xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0
+http://maven.apache.org/xsd/assembly-1.1.0.xsd">
+  <id>zip-with-dependencies</id>
+  <formats>
+    <format>zip</format>
+  </formats>
+  <includeBaseDirectory>false</includeBaseDirectory>
+  <dependencySets>
+    <dependencySet>
+      <outputDirectory>/</outputDirectory>
+      <useProjectArtifact>true</useProjectArtifact>
+      <unpack>false</unpack>
+      <scope>runtime</scope>
+    </dependencySet>
+  </dependencySets>
+</assembly>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
index b6be658..00a1d33 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
@@ -27,7 +27,7 @@ public interface Constants {
     
     String HTTP_POST_METHOD = "POST";
     //String UTF_8_ENCODING_SCHEME = "UTF-8";
-    String VERSION = "1.0.0";
+    String VERSION = "1.2.0";
     String TIMESTAMP_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";
     
     String USER_REGISTRY_JNDI_NAME = "UserRegistry";
@@ -36,7 +36,28 @@ public interface Constants {
     String SUBJECT_SESSION_ATTRIBUTE_KEY = "_tai.subject";
     String SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY = "fediz.security.token";
 
+    /**
+     * @deprecated Use FEDIZ_CONFIG_LOCATION instead.
+     *
+     * Using this property causes problems on Websphere 8.5. See https://issues.apache.org/jira/browse/FEDIZ-97
for more
+     * details.
+     */
+    @Deprecated
     String CONFIGURATION_FILE_PARAMETER = "config.file.location";
+    /**
+     * This constant contains the name for the property to discover the location of the fediz
configuration file.
+     */
+    String FEDIZ_CONFIG_LOCATION = "fedizConfigLocation";
+
+    /**
+     * @deprecated Use FEDIZ_ROLE_MAPPER instead.
+     */
+    @Deprecated
     String ROLE_GROUP_MAPPER = "role.group.mapper";
 
+    /**
+     * This constant contains the name for the property to discover the class-name which
should be used for role to
+     * group mappings.
+     */
+    String FEDIZ_ROLE_MAPPER = "fedizRoleMapper";
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
index 19051c4..2ab406c 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
@@ -22,13 +22,7 @@ package org.apache.cxf.fediz.was.mapper;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Properties;
+import java.util.*;
 
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
@@ -45,13 +39,31 @@ import org.slf4j.LoggerFactory;
  * Reference implementation for a Federation Claim to local WAS Group Mapper
  */
 public class FileBasedRoleToGroupMapper implements RoleToGroupMapper {
-    
-    private static final String INITIALIZATION_THREAD_NAME = "ClaimGroupMapper";
+
+    /**
+     * This constant contains the name for the property to discover the role mapping file
refresh rate. The value of
+     * this property contains the number of seconds to wait, before changes in the file are
detected and applied.
+     */
+    public static final String FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT = "fedizRoleMappingRefreshTimeout";
+    /**
+     * This constant contains the name for the property to discover the location of the role
to group mapping file.
+     */
+    public static final String FEDIZ_ROLE_MAPPING_LOCATION = "fedizRoleMappingLocation";
+
+    /**
+     * @deprecated Use FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT instead.
+     */
+    @Deprecated
     private static final String REFRESH_TIMEOUT_PARAMETER = "groups.mapping.refresh.timeout";
+    /**
+     * @deprecated Use FEDIZ_ROLE_MAPPING_LOCATION instead.
+     */
+    @Deprecated
     private static final String MAPPING_FILE_PARAMETER = "groups.mapping.file";
+    private static final String INITIALIZATION_THREAD_NAME = "ClaimGroupMapper";
 
     private static final Logger LOG = LoggerFactory.getLogger(FileBasedRoleToGroupMapper.class);
-    
+
     private String groupMappingFilename = "./mapping.xml";
     private int refreshRateMillisec = 30 * 1000;
     private boolean doLoop = true;
@@ -75,30 +87,22 @@ public class FileBasedRoleToGroupMapper implements RoleToGroupMapper {
     @Override
     public void initialize(Properties props) {
         if (props != null) {
-
-            for (Entry<Object, Object> entry : props.entrySet()) {
-                if (MAPPING_FILE_PARAMETER.equals(entry.getKey())) {
-                    String propertyValue = (String)entry.getValue();
-                    if (propertyValue != null) {
-                        groupMappingFilename = propertyValue;
-                        if (LOG.isInfoEnabled()) {
-                            LOG.info("Mapping file set to " + propertyValue);
-                        }
-                    }
-                }
-                if (REFRESH_TIMEOUT_PARAMETER.equals(entry.getKey())) {
-                    String propertyValue = (String)entry.getValue();
-                    if (propertyValue != null) {
-                        refreshRateMillisec = Integer.parseInt(propertyValue) * 1000;
-                        if (LOG.isInfoEnabled()) {
-                            LOG.info("Mapping file refresh timeout (sec) set to " + propertyValue);
-                        }
-                    }
-                }
-
+            String fileLocation = props.containsKey(FEDIZ_ROLE_MAPPING_LOCATION)
+                    ? props.getProperty(FEDIZ_ROLE_MAPPING_LOCATION)
+                    : props.getProperty(MAPPING_FILE_PARAMETER);
+            if (fileLocation != null) {
+                groupMappingFilename = fileLocation;
+                LOG.info("Mapping file set to {}", fileLocation);
+            }
+            String timeout = props.containsKey(FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT)
+                    ? props.getProperty(FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT)
+                    : props.getProperty(REFRESH_TIMEOUT_PARAMETER);
+            if (timeout != null) {
+                refreshRateMillisec = Integer.parseInt(timeout) * 1000;
+                LOG.info("Mapping file refresh timeout (sec) set to {}", timeout);
             }
-
         }
+
         // start the internal initialization thread
         Thread initializationThread = new Thread() {
             @Override
@@ -116,9 +120,7 @@ public class FileBasedRoleToGroupMapper implements RoleToGroupMapper {
         initializationThread.setName(INITIALIZATION_THREAD_NAME);
         initializationThread.setPriority(Thread.MIN_PRIORITY);
         initializationThread.start();
-        if (LOG.isInfoEnabled()) {
-            LOG.info("Mapping file refresher thread started");
-        }
+        LOG.info("Mapping file refresher thread started");
     }
 
     private void internalInit() {
@@ -158,26 +160,25 @@ public class FileBasedRoleToGroupMapper implements RoleToGroupMapper
{
     private Map<String, List<String>> loadMappingFile() throws FileNotFoundException,
JAXBException {
         InputSource input = new InputSource(new FileInputStream(groupMappingFilename));
         JAXBContext context = JAXBContext.newInstance(Mapping.class);
-        Mapping localmappings = (Mapping)context.createUnmarshaller().unmarshal(input);
+        Mapping localmappings = (Mapping) context.createUnmarshaller().unmarshal(input);
 
         Map<String, List<String>> map = new HashMap<String, List<String>>(10);
 
         Iterator<SamlToJ2EE> i = localmappings.getSamlToJ2EE().iterator();
         while (i.hasNext()) {
             SamlToJ2EE mapping = i.next();
-            LOG.debug("{} mapped to {} entries", mapping.getClaim(), mapping.getGroups().getJ2EeGroup().size());
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("{} mapped to {} entries", mapping.getClaim(), mapping.getGroups().getJ2EeGroup().size());
+            }
             map.put(mapping.getClaim(), mapping.getGroups().getJ2EeGroup());
         }
 
-        
         return map;
     }
 
     @Override
     public void cleanup() {
-        if (LOG.isInfoEnabled()) {
-            LOG.info("Stopping the mapping file refresher loop");
-        }
+        LOG.info("Stopping the mapping file refresher loop");
         doLoop = false;
     }
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
index fc08dce..7bc2abd 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
@@ -39,8 +39,8 @@ import org.w3c.dom.Element;
 import com.ibm.websphere.security.WSSecurityException;
 import com.ibm.websphere.security.auth.WSSubject;
 
-import org.apache.cxf.fediz.core.FederationResponse;
 import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
+import org.apache.cxf.fediz.core.processor.FedizResponse;
 import org.apache.cxf.fediz.was.Constants;
 import org.apache.cxf.fediz.was.tai.FedizInterceptor;
 
@@ -81,7 +81,7 @@ public class SecurityContextTTLChecker extends HttpServlet implements Filter
{
         throws IOException, ServletException {
 
         try {
-            FederationResponse fedResponse = null;
+            FedizResponse fedResponse = null;
             Subject subject = WSSubject.getCallerSubject();
             boolean validSecurityTokenFound = false;
             if (subject != null) {
@@ -115,12 +115,12 @@ public class SecurityContextTTLChecker extends HttpServlet implements
Filter {
         }
     }
 
-    private boolean checkSecurityToken(FederationResponse response) {
+    private boolean checkSecurityToken(FedizResponse response) {
         long currentTime = System.currentTimeMillis();
         return response.getTokenExpires().getTime() > currentTime;
     }
     
-    private FederationResponse getCachedFederationResponse(Subject subject) {
+    private FedizResponse getCachedFederationResponse(Subject subject) {
         Iterator<?> i = subject.getPublicCredentials().iterator();
         
         while (i.hasNext()) {
@@ -128,7 +128,7 @@ public class SecurityContextTTLChecker extends HttpServlet implements
Filter {
             if (o instanceof Hashtable) {
                 @SuppressWarnings("unchecked")
                 Map<Object, Object> table = (Hashtable<Object, Object>)o;
-                return (FederationResponse)table.get(Constants.SUBJECT_TOKEN_KEY);
+                return (FedizResponse)table.get(Constants.SUBJECT_TOKEN_KEY);
             }
         }
         return null;
@@ -145,6 +145,8 @@ public class SecurityContextTTLChecker extends HttpServlet implements
Filter {
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
+        contextPath = filterConfig.getServletContext().getContextPath();
+        FedizInterceptor.registerContext(contextPath);
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/978a89e2/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
index 912be51..d33f45d 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
@@ -20,15 +20,17 @@ package org.apache.cxf.fediz.was.tai;
 
 import java.io.File;
 import java.io.IOException;
-import java.net.URLEncoder;
 import java.rmi.RemoteException;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
 
 import javax.naming.InitialContext;
+import javax.naming.NamingException;
 import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -44,33 +46,35 @@ import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
 import com.ibm.wsspi.security.token.AttributeNameConstants;
 
 import org.apache.cxf.fediz.core.FederationConstants;
-import org.apache.cxf.fediz.core.FederationProcessor;
-import org.apache.cxf.fediz.core.FederationProcessorImpl;
-import org.apache.cxf.fediz.core.FederationRequest;
-import org.apache.cxf.fediz.core.FederationResponse;
-import org.apache.cxf.fediz.core.config.FederationConfigurator;
-import org.apache.cxf.fediz.core.config.FederationContext;
+import org.apache.cxf.fediz.core.RequestState;
+import org.apache.cxf.fediz.core.SAMLSSOConstants;
+import org.apache.cxf.fediz.core.config.FederationProtocol;
+import org.apache.cxf.fediz.core.config.FedizConfigurator;
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.processor.FederationProcessorImpl;
+import org.apache.cxf.fediz.core.processor.FedizProcessor;
+import org.apache.cxf.fediz.core.processor.FedizRequest;
+import org.apache.cxf.fediz.core.processor.FedizResponse;
+import org.apache.cxf.fediz.core.processor.RedirectionResponse;
 import org.apache.cxf.fediz.was.Constants;
 import org.apache.cxf.fediz.was.mapper.DefaultRoleToGroupMapper;
 import org.apache.cxf.fediz.was.mapper.RoleToGroupMapper;
 import org.apache.cxf.fediz.was.tai.exception.TAIConfigurationException;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-
 /**
- * A Trust Authentication Interceptor (TAI) that trusts a Sign-In-Response  
- * provided from a configured IP/STS and instantiates
- * the corresponding WAS Subject
+ * A Trust Authentication Interceptor (TAI) that trusts a Sign-In-Response provided from
a configured IP/STS
+ * and instantiates the corresponding WAS Subject
  */
 public class FedizInterceptor implements TrustAssociationInterceptor {
     private static final Logger LOG = LoggerFactory.getLogger(FedizInterceptor.class);
-    private static List<String> authorizedWebApps = new ArrayList<String>(15);
-    
+    private static Set<String> authorizedWebApps = new HashSet<String>(15);
+
     private String configFile;
-    private FederationConfigurator configurator;
+    private FedizConfigurator configurator;
     private RoleToGroupMapper mapper;
 
     public String getConfigFile() {
@@ -110,8 +114,7 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
     }
 
     /**
-     * Registers a WebApplication using its contextPath as a key. 
-     * This method must be called by the associated
+     * Registers a WebApplication using its contextPath as a key. This method must be called
by the associated
      * security ServletFilter instance of a secured application at initialization time
      * 
      * @param contextPath
@@ -122,10 +125,8 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
     }
 
     /**
-     * Deregister a WebApplication using its contextPath as a key. 
-     * This method must be called by the associated
-     * security ServletFilter instance of a secured application 
-     * in the #destroy() method
+     * Deregister a WebApplication using its contextPath as a key. This method must be called
by the
+     * associated security ServletFilter instance of a secured application in the #destroy()
method
      * 
      * @param contextPath
      */
@@ -146,7 +147,9 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
     public int initialize(Properties props) throws WebTrustAssociationFailedException {
         if (props != null) {
             try {
-                String roleGroupMapper = props.getProperty(Constants.ROLE_GROUP_MAPPER);
+                String roleGroupMapper = props.containsKey(Constants.FEDIZ_ROLE_MAPPER)
+                    ? props.getProperty(Constants.FEDIZ_ROLE_MAPPER)
+                    : props.getProperty(Constants.ROLE_GROUP_MAPPER);
                 if (roleGroupMapper != null && !roleGroupMapper.isEmpty()) {
                     try {
                         mapper = (RoleToGroupMapper)Class.forName(roleGroupMapper).newInstance();
@@ -163,18 +166,20 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
                     LOG.debug("Using the DefaultRoleToGroupMapper mapper class");
                 }
 
-                String configFileLocation = props.getProperty(Constants.CONFIGURATION_FILE_PARAMETER);
+                String configFileLocation = props.containsKey(Constants.FEDIZ_CONFIG_LOCATION)
+                    ? props.getProperty(Constants.FEDIZ_CONFIG_LOCATION)
+                    : props.getProperty(Constants.CONFIGURATION_FILE_PARAMETER);
                 if (configFileLocation != null) {
                     LOG.debug("Configuration file location set to {}", configFileLocation);
                     File f = new File(configFileLocation);
 
-                    configurator = new FederationConfigurator();
+                    configurator = new FedizConfigurator();
                     configurator.loadConfig(f);
 
                     LOG.debug("Federation config loaded from path: {}", configFileLocation);
                 } else {
                     throw new WebTrustAssociationFailedException("Missing required initialization
parameter "
-                                                                 + Constants.CONFIGURATION_FILE_PARAMETER);
+                                                                 + Constants.FEDIZ_CONFIG_LOCATION);
                 }
             } catch (Throwable t) {
                 LOG.warn("Failed initializing TAI", t);
@@ -184,12 +189,12 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
         return 0;
     }
 
-    private FederationContext getFederationContext(HttpServletRequest req) {
+    private FedizContext getFederationContext(HttpServletRequest req) {
         String contextPath = req.getContextPath();
         if (contextPath == null || contextPath.isEmpty()) {
             contextPath = "/";
         }
-        return configurator.getFederationContext(contextPath);
+        return configurator.getFedizContext(contextPath);
 
     }
 
@@ -201,7 +206,7 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
     @Override
     public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException
{
         LOG.debug("Request URI: {}", req.getRequestURI());
-        FederationContext context = getFederationContext(req);
+        FedizContext context = getFederationContext(req);
 
         if (context != null) {
             return true;
@@ -222,7 +227,7 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
         throws WebTrustAssociationFailedException {
 
         LOG.debug("Request URI: {}", req.getRequestURI());
-        FederationContext fedCtx = getFederationContext(req);
+        FedizContext fedCtx = getFederationContext(req);
 
         if (fedCtx == null) {
             LOG.warn("No Federation Context configured for context-path {}", req.getContextPath());
@@ -259,14 +264,17 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
             if (wresult != null && wctx != null) {
                 LOG.debug("Validating RSTR...");
                 // process and validate the token
-                FederationResponse federationResponse = processSigninRequest(req, resp);
+                FedizResponse federationResponse = processSigninRequest(req, resp);
                 LOG.info("RSTR validated successfully");
-                
+
                 HttpSession session = req.getSession(true);
                 session.setAttribute(Constants.SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY, federationResponse);
-
-                LOG.info("Redirecting request to {}", wctx);
-                resp.sendRedirect(wctx);
+                RequestState requestState = (RequestState) session.getAttribute(wctx);
+                if (requestState != null && requestState.getTargetAddress() != null)
{
+                    LOG.info("Redirecting request to {}", requestState.getTargetAddress());
+                    resp.sendRedirect(requestState.getTargetAddress());
+                    session.removeAttribute(wctx);
+                }
                 return TAIResult.create(HttpServletResponse.SC_FOUND);
             } else {
                 throw new Exception("Missing required parameter [wctx or wresult]");
@@ -285,23 +293,23 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
             return TAIResult.create(HttpServletResponse.SC_FOUND);
         } else {
             LOG.debug("Session ID is {}", session.getId());
-            
-            FederationResponse federationResponse = (FederationResponse)session
+
+            FedizResponse federationResponse = (FedizResponse)session
                 .getAttribute(Constants.SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY);
             if (federationResponse != null) {
                 LOG.info("Security Token found in session: {}", federationResponse.getUsername());
-                
+
                 TAIResult result = null;
                 // check that the target WebApp is properly configured for Token TTL enforcement
                 if (authorizedWebApps.contains(req.getContextPath())) {
-                    
+
                     LOG.info("Security Filter properly configured - forwarding subject");
-                    
+
                     // proceed creating the JAAS Subject
                     List<String> groupsIds = groupIdsFromTokenRoles(federationResponse);
                     Subject subject = createSubject(federationResponse, groupsIds, session.getId());
 
-                    result = TAIResult.create(HttpServletResponse.SC_OK, "ignore", subject);
+                    result = TAIResult.create(HttpServletResponse.SC_OK, federationResponse.getUsername(),
subject);
                 } else {
                     result = TAIResult.create(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                     LOG.warn("No Security Filter configured for {}", req.getContextPath());
@@ -319,39 +327,34 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
 
     protected void redirectToIdp(HttpServletRequest request, HttpServletResponse response)
         throws IOException, WebTrustAssociationFailedException {
-        FederationProcessor processor = new FederationProcessorImpl();
+        FedizProcessor processor = new FederationProcessorImpl();
 
         String contextName = request.getContextPath();
         if (contextName == null || contextName.isEmpty()) {
             contextName = "/";
         }
-        FederationContext fedCtx = getFederationContext(request);
-
-        String redirectURL = null;
-        StringBuilder sb = new StringBuilder();
+        FedizContext fedCtx = getFederationContext(request);
 
         try {
-            redirectURL = processor.createSignInRequest(request, fedCtx);
-            if (redirectURL != null) {
-                sb.append(redirectURL);
-
-            }
-            request.getQueryString();
-            if (request.getRequestURI() != null && request.getRequestURI().length()
> 0) {
-                sb.append('&').append(FederationConstants.PARAM_CONTEXT).append('=')
-                    .append(URLEncoder.encode(request.getRequestURI(), "UTF-8"));
-            }
-            if (request.getQueryString() != null && !request.getQueryString().isEmpty())
{
-                sb.append('?');
-                sb.append(URLEncoder.encode(request.getQueryString(), "UTF-8"));
-            }
-
+            RedirectionResponse redirectionResponse = processor.createSignInRequest(request,
fedCtx);
+            String redirectURL = redirectionResponse.getRedirectionURL();
             if (redirectURL != null) {
-                response.sendRedirect(sb.toString());
+                Map<String, String> headers = redirectionResponse.getHeaders();
+                if (!headers.isEmpty()) {
+                    for (String headerName : headers.keySet()) {
+                        response.addHeader(headerName, headers.get(headerName));
+                    }
+                }
+                // Save request in our session before redirect to IDP
+                RequestState requestState = redirectionResponse.getRequestState();
+                if (requestState != null) {
+                    HttpSession session = request.getSession(true);
+                    session.setAttribute(requestState.getState(), requestState);
+                }
+                response.sendRedirect(redirectURL);
             } else {
                 LOG.error("RedirectUrl is null. Failed to create SignInRequest.");
-                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
-                                   "Failed to create SignInRequest.");
+                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed
to create SignInRequest.");
             }
         } catch (ProcessingException ex) {
             LOG.error("Failed to create SignInRequest", ex);
@@ -360,38 +363,39 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
 
     }
 
-    private List<String> groupIdsFromTokenRoles(FederationResponse federationResponse)
throws Exception {
+    private List<String> groupIdsFromTokenRoles(FedizResponse federationResponse) throws
Exception {
         InitialContext ctx = new InitialContext();
-        UserRegistry reg = (UserRegistry)ctx.lookup(Constants.USER_REGISTRY_JNDI_NAME);
+        try {
+            UserRegistry reg = (UserRegistry)ctx.lookup(Constants.USER_REGISTRY_JNDI_NAME);
 
-        List<String> localGroups = mapper.groupsFromRoles(federationResponse.getRoles());
+            List<String> localGroups = mapper.groupsFromRoles(federationResponse.getRoles());
 
-        List<String> groupIds = new ArrayList<String>(1);
-        if (localGroups != null) {
-            LOG.debug("Converting {} group names to uids", localGroups.size());
-            for (String localGroup : localGroups) {
-                String guid = convertGroupNameToUniqueId(reg, localGroup);
-                LOG.debug("Group '{}' maps to guid: {}", localGroup, guid);
-                groupIds.add(guid);
+            List<String> groupIds = new ArrayList<String>(1);
+            if (localGroups != null) {
+                LOG.debug("Converting {} group names to uids", localGroups.size());
+                for (String localGroup : localGroups) {
+                    String guid = convertGroupNameToUniqueId(reg, localGroup);
+                    LOG.debug("Group '{}' maps to guid: {}", localGroup, guid);
+                    groupIds.add(guid);
+                }
             }
+            if (LOG.isInfoEnabled()) {
+                LOG.info("Group list: " + groupIds.toString());
+            }
+            return groupIds;
+        } catch (NamingException ex) {
+            LOG.error("User Registry could not be loaded from JNDI context.");
+            LOG.warn("No groups/roles could be mapped for user: {}", federationResponse.getUsername());
+            return new ArrayList<String>();
+        } finally {
+            ctx.close();
         }
-        if (LOG.isInfoEnabled()) {
-            LOG.info("Group list: " + groupIds.toString());
-        }
-        return groupIds;
     }
 
     /**
      * Creates the JAAS Subject so that WAS Runtime will not check the local registry
-     * 
-     * @param securityName
-     * @param uniqueid
-     * @param groups
-     * @param token
-     * @return
      */
-
-    private Subject createSubject(FederationResponse federationResponse, List<String>
groups, String cacheKey) {
+    private Subject createSubject(FedizResponse federationResponse, List<String> groups,
String cacheKey) {
         String uniqueId = "user:defaultWIMFileBasedRealm/cn=" + federationResponse.getUsername()
                           + ",o=defaultWIMFileBasedRealm";
         String completeCacheKey = uniqueId + ':' + cacheKey;
@@ -413,30 +417,34 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
         return subject;
     }
 
-    public FederationResponse processSigninRequest(HttpServletRequest req, HttpServletResponse
resp)
+    public FedizResponse processSigninRequest(HttpServletRequest req, HttpServletResponse
resp)
         throws ProcessingException {
-        FederationRequest federationRequest = new FederationRequest();
+        FedizContext fedCtx = getFederationContext(req);
+        FedizRequest federationRequest = new FedizRequest();
 
         String wa = req.getParameter(FederationConstants.PARAM_ACTION);
-        String wct = req.getParameter(FederationConstants.PARAM_CURRENT_TIME);
-        String wresult = req.getParameter(FederationConstants.PARAM_RESULT);
-
-        if (LOG.isDebugEnabled()) {
-            LOG.debug("wa=" + wa);
-            LOG.debug("wct=" + wct);
-            LOG.debug("wresult=" + wresult);
-        }
+        String responseToken = getResponseToken(req, fedCtx);
 
-        federationRequest.setWa(wa);
-        federationRequest.setWct(wct);
-        federationRequest.setWresult(wresult);
+        federationRequest.setAction(wa);
+        federationRequest.setResponseToken(responseToken);
+        federationRequest.setState(req.getParameter("RelayState"));
+        federationRequest.setRequest(req);
 
-        FederationContext fedCtx = getFederationContext(req);
+        LOG.debug("FederationRequest: {}", federationRequest);
 
-        FederationProcessor processor = new FederationProcessorImpl();
+        FedizProcessor processor = new FederationProcessorImpl();
         return processor.processRequest(federationRequest, fedCtx);
     }
 
+    private String getResponseToken(HttpServletRequest request, FedizContext fedConfig) {
+        if (fedConfig.getProtocol() instanceof FederationProtocol) {
+            return request.getParameter(FederationConstants.PARAM_RESULT);
+        } else if (fedConfig.getProtocol() instanceof SAMLProtocol) {
+            return request.getParameter(SAMLSSOConstants.SAML_RESPONSE);
+        }
+        return null;
+    }
+
     /**
      * Convenience method for converting a list of group names to their unique group IDs
      * 


Mime
View raw message