From jbernha...@apache.org
Subject [04/12] cxf-fediz git commit: Improved Group Mapping, Renamed unreleased Constants
Date Fri, 20 Mar 2015 12:11:29 GMT
Improved Group Mapping, Renamed unreleased Constants


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/29c92536
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/29c92536
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/29c92536

Branch: refs/heads/master
Commit: 29c9253617be481a439dc0b03a0ad489c1aad96e
Parents: e615cf8
Author: Jan Bernhardt <jbernhardt@talend.com>
Authored: Fri Mar 6 19:31:32 2015 +0100
Committer: Jan Bernhardt <jbernhardt@talend.com>
Committed: Thu Mar 19 17:26:26 2015 +0100

----------------------------------------------------------------------
 plugins/websphere/pom.xml                       |  7 ++
 .../org/apache/cxf/fediz/was/Constants.java     | 17 ++++-
 .../was/mapper/DefaultRoleToGroupMapper.java    | 36 ++++++++-
 .../was/mapper/FileBasedRoleToGroupMapper.java  | 24 +++---
 .../filter/SecurityContextTTLChecker.java       |  3 +
 .../cxf/fediz/was/tai/FedizInterceptor.java     | 66 ++++++++++------
 .../mapper/DefaultRoleToGroupMapperTest.java    | 79 ++++++++++++++++++++
 7 files changed, 191 insertions(+), 41 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/pom.xml
----------------------------------------------------------------------
diff --git a/plugins/websphere/pom.xml b/plugins/websphere/pom.xml
index 415c1ca..7fbc88c 100644
--- a/plugins/websphere/pom.xml
+++ b/plugins/websphere/pom.xml
@@ -94,6 +94,13 @@
 			<artifactId>slf4j-log4j12</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
index 00a1d33..4d3bd1f 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/Constants.java
@@ -37,7 +37,7 @@ public interface Constants {
     String SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY = "fediz.security.token";
 
     /**
-     * @deprecated Use FEDIZ_CONFIG_LOCATION instead.
+     * @deprecated Use PROPERTY_KEY_CONFIG_LOCATION instead.
      *
      * Using this property causes problems on Websphere 8.5. See https://issues.apache.org/jira/browse/FEDIZ-97
for more
      * details.
@@ -47,10 +47,10 @@ public interface Constants {
     /**
      * This constant contains the name for the property to discover the location of the fediz
configuration file.
      */
-    String FEDIZ_CONFIG_LOCATION = "fedizConfigLocation";
+    String PROPERTY_KEY_CONFIG_LOCATION = "fedizConfigFileLocation";
 
     /**
-     * @deprecated Use FEDIZ_ROLE_MAPPER instead.
+     * @deprecated Use PROPERTY_KEY_ROLE_MAPPER instead.
      */
     @Deprecated
     String ROLE_GROUP_MAPPER = "role.group.mapper";
@@ -59,5 +59,14 @@ public interface Constants {
      * This constant contains the name for the property to discover the class-name which
should be used for role to
      * group mappings.
      */
-    String FEDIZ_ROLE_MAPPER = "fedizRoleMapper";
+    String PROPERTY_KEY_ROLE_MAPPER = "roleMapper";
+
+    /**
+     * Usually the group name is mapped to the GroupUID by using the User Registry. In the
WAS liberty profile there
+     * is no User Registry available via JNDI, thus the GroupUID mapping needs to take place
directly in the
+     * Claim2Group Mapper. By using this interceptor property and setting the value to 'true'
the UserRegistry will
+     * not be used to get the GroupUID but instead the GroupUID needs to be provided by the
Claim2Group Mapper. The
+     * default value is set to 'false', thus the UserRegistry will be invoked.
+     */
+    String PROPERTY_KEY_DIRECT_GROUP_MAPPING = "directGroupMapping";
 }
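Review bot: The Javadoc for PROPERTY_KEY_DIRECT_GROUP_MAPPING should state what an administrator gives up by enabling it: as the FedizInterceptor change in this commit shows, with the flag set the strings returned by the RoleToGroupMapper are used as group UIDs as-is, with no UserRegistry lookup confirming that such a group exists, so the mapper output (and the roles in the federation token it is derived from) become authoritative for authorization. I would append a sentence such as `Note: with direct mapping enabled no validation against the UserRegistry takes place, so only enable it together with a mapper whose output you trust.` The comment also calls the component "Claim2Group Mapper" while the interface in this plugin is RoleToGroupMapper; naming the actual type avoids a second vocabulary for the same thing.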

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapper.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapper.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapper.java
index 3bd9c9b..5bbaac4 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapper.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapper.java
@@ -19,28 +19,56 @@
 
 package org.apache.cxf.fediz.was.mapper;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 /**
  *
  */
 public class DefaultRoleToGroupMapper implements RoleToGroupMapper {
 
-    
+    public static final String PROPERTY_KEY_ROLE_MAPPING_TEMPLATE = "roleMappingTemplate";
+
+    public static final String ROLE_MAPPING_PLACEHOLDER = "%roleName%";
+
+    public static final String DEFAULT_MAPPING_TEMPLATE = "group:defaultWIMFileBasedRealm/"
+                                                          + DefaultRoleToGroupMapper.ROLE_MAPPING_PLACEHOLDER;
+
+    private static final Logger LOG = LoggerFactory.getLogger(DefaultRoleToGroupMapper.class);
+
+    private String template;
+
     @Override
     public void cleanup() {
     }
 
-   
     @Override
     public List<String> groupsFromRoles(List<String> roles) {
-        return roles;
+        if (template == null || roles == null) {
+            return roles;
+        } else {
+            List<String> renamedRoles = new ArrayList<String>();
+            for (String role : roles) {
+                String renamedRole = template.replace(ROLE_MAPPING_PLACEHOLDER, role);
+                renamedRoles.add(renamedRole);
+                LOG.debug("Mapped role {} to {}", role, renamedRole);
+            }
+            return renamedRoles;
+        }
     }
 
-    
     @Override
     public void initialize(Properties properties) {
+        if (properties != null && properties.containsKey(PROPERTY_KEY_ROLE_MAPPING_TEMPLATE))
{
+            template = properties.getProperty(PROPERTY_KEY_ROLE_MAPPING_TEMPLATE);
+            LOG.info("Set RoleToGroup regex pattern: {}", template);
+        } else {
+            template = null;
+        }
     }
 
 }
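Review bot: initialize() accepts any template string, but `template.replace(ROLE_MAPPING_PLACEHOLDER, role)` in groupsFromRoles() leaves a template that lacks `%roleName%` unchanged, so every role would silently map to the same literal group — an easy misconfiguration with direct authorization impact. I would at least warn when the property is read: `if (!template.contains(ROLE_MAPPING_PLACEHOLDER)) { LOG.warn("Role mapping template '{}' does not contain {}; all roles will map to the same group", template, ROLE_MAPPING_PLACEHOLDER); }`. The info message `Set RoleToGroup regex pattern: {}` is also misleading, since the value is a plain replacement template and no regex is involved; `Set RoleToGroup mapping template: {}` describes what the code does. The empty class Javadoc could state the contract: roles pass through unchanged unless roleMappingTemplate is configured, in which case each role is substituted for %roleName% in the template.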

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
index 2ab406c..1bbd21a 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/mapper/FileBasedRoleToGroupMapper.java
@@ -22,7 +22,12 @@ package org.apache.cxf.fediz.was.mapper;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
 
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
@@ -44,22 +49,23 @@ public class FileBasedRoleToGroupMapper implements RoleToGroupMapper {
      * This constant contains the name for the property to discover the role mapping file
refresh rate. The value of
      * this property contains the number of seconds to wait, before changes in the file are
detected and applied.
      */
-    public static final String FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT = "fedizRoleMappingRefreshTimeout";
+    public static final String PROPERTY_KEY_ROLE_MAPPING_REFRESH_TIMEOUT = "roleMappingRefreshTimeout";
     /**
      * This constant contains the name for the property to discover the location of the role
to group mapping file.
      */
-    public static final String FEDIZ_ROLE_MAPPING_LOCATION = "fedizRoleMappingLocation";
+    public static final String PROPERTY_KEY_ROLE_MAPPING_LOCATION = "roleMappingLocation";
 
     /**
-     * @deprecated Use FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT instead.
+     * @deprecated Use PROPERTY_KEY_ROLE_MAPPING_REFRESH_TIMEOUT instead.
      */
     @Deprecated
     private static final String REFRESH_TIMEOUT_PARAMETER = "groups.mapping.refresh.timeout";
     /**
-     * @deprecated Use FEDIZ_ROLE_MAPPING_LOCATION instead.
+     * @deprecated Use PROPERTY_KEY_ROLE_MAPPING_LOCATION instead.
      */
     @Deprecated
     private static final String MAPPING_FILE_PARAMETER = "groups.mapping.file";
+
     private static final String INITIALIZATION_THREAD_NAME = "ClaimGroupMapper";
 
     private static final Logger LOG = LoggerFactory.getLogger(FileBasedRoleToGroupMapper.class);
@@ -87,15 +93,15 @@ public class FileBasedRoleToGroupMapper implements RoleToGroupMapper {
     @Override
     public void initialize(Properties props) {
         if (props != null) {
-            String fileLocation = props.containsKey(FEDIZ_ROLE_MAPPING_LOCATION)
-                    ? props.getProperty(FEDIZ_ROLE_MAPPING_LOCATION)
+            String fileLocation = props.containsKey(PROPERTY_KEY_ROLE_MAPPING_LOCATION)
+                    ? props.getProperty(PROPERTY_KEY_ROLE_MAPPING_LOCATION)
                     : props.getProperty(MAPPING_FILE_PARAMETER);
             if (fileLocation != null) {
                 groupMappingFilename = fileLocation;
                 LOG.info("Mapping file set to {}", fileLocation);
             }
-            String timeout = props.containsKey(FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT)
-                    ? props.getProperty(FEDIZ_ROLE_MAPPING_REFRESH_TIMEOUT)
+            String timeout = props.containsKey(PROPERTY_KEY_ROLE_MAPPING_REFRESH_TIMEOUT)
+                    ? props.getProperty(PROPERTY_KEY_ROLE_MAPPING_REFRESH_TIMEOUT)
                     : props.getProperty(REFRESH_TIMEOUT_PARAMETER);
             if (timeout != null) {
                 refreshRateMillisec = Integer.parseInt(timeout) * 1000;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
index aa17e61..43efc6b 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
@@ -119,6 +119,9 @@ public class SecurityContextTTLChecker extends HttpServlet implements
Filter {
     }
 
     private boolean checkSecurityToken(FedizResponse response) {
+        if (response == null) {
+            return false;
+        }
         long currentTime = System.currentTimeMillis();
         return response.getTokenExpires().getTime() > currentTime;
     }
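Review bot: The new guard only covers a missing response; `response.getTokenExpires().getTime()` on the following line still dereferences the expiry unconditionally, so a FedizResponse that carries no expiry would throw instead of being rejected. If getTokenExpires() can legitimately return null (not visible here — verify against FedizResponse), fail closed with `return response.getTokenExpires() != null && response.getTokenExpires().getTime() > currentTime;`. The identical method is duplicated in FedizInterceptor in this same commit; a shared helper would keep the two checks from drifting apart.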

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
index 3a30b2e..530c0bb 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
@@ -77,6 +77,11 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
     private FedizConfigurator configurator;
     private RoleToGroupMapper mapper;
 
+    /**
+     * @see org.apache.cxf.fediz.was.Constants#PROPERTY_KEY_DIRECT_GROUP_MAPPING
+     */
+    private boolean directGrouMapping;
+
     public String getConfigFile() {
         return configFile;
     }
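Review bot: The new field is misspelled `directGrouMapping` (the same typo recurs as "GrouUID" in a debug message later in this commit); since it is private, renaming it now to `private boolean directGroupMapping;` costs nothing and stops the misspelling from spreading to every later reference. The @see link to the constant is helpful, but stating the default on the field itself — `false`, meaning the UserRegistry is consulted for group UIDs — would save readers the hop to Constants.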
@@ -144,8 +149,8 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
         if (props != null) {
             try {
                 @SuppressWarnings("deprecation")
-                String roleGroupMapper = props.containsKey(Constants.FEDIZ_ROLE_MAPPER)
-                    ? props.getProperty(Constants.FEDIZ_ROLE_MAPPER)
+                String roleGroupMapper = props.containsKey(Constants.PROPERTY_KEY_ROLE_MAPPER)
+                    ? props.getProperty(Constants.PROPERTY_KEY_ROLE_MAPPER)
                     : props.getProperty(Constants.ROLE_GROUP_MAPPER);
                 if (roleGroupMapper != null && !roleGroupMapper.isEmpty()) {
                     try {
@@ -162,8 +167,8 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
                 }
 
                 @SuppressWarnings("deprecation")
-                String configFileLocation = props.containsKey(Constants.FEDIZ_CONFIG_LOCATION)
-                    ? props.getProperty(Constants.FEDIZ_CONFIG_LOCATION)
+                String configFileLocation = props.containsKey(Constants.PROPERTY_KEY_CONFIG_LOCATION)
+                    ? props.getProperty(Constants.PROPERTY_KEY_CONFIG_LOCATION)
                     : props.getProperty(Constants.CONFIGURATION_FILE_PARAMETER);
                 if (configFileLocation != null) {
                     LOG.debug("Configuration file location set to {}", configFileLocation);
@@ -175,8 +180,10 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
                     LOG.debug("Federation config loaded from path: {}", configFileLocation);
                 } else {
                     throw new WebTrustAssociationFailedException("Missing required initialization
parameter "
-                                                                 + Constants.FEDIZ_CONFIG_LOCATION);
+                                                                 + Constants.PROPERTY_KEY_CONFIG_LOCATION);
                 }
+
+                directGrouMapping = Boolean.valueOf(props.getProperty(Constants.PROPERTY_KEY_DIRECT_GROUP_MAPPING));
             } catch (Throwable t) {
                 LOG.warn("Failed initializing TAI", t);
                 return 1;
@@ -374,6 +381,9 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
     }
 
     private boolean checkSecurityToken(FedizResponse response) {
+        if (response == null) {
+            return false;
+        }
         long currentTime = System.currentTimeMillis();
         return response.getTokenExpires().getTime() > currentTime;
     }
@@ -383,29 +393,37 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
         List<String> localGroups = mapper.groupsFromRoles(federationResponse.getRoles());
         List<String> groupIds = new ArrayList<String>(localGroups.size());
 
-        InitialContext ctx = new InitialContext();
-        try {
-            UserRegistry reg = (UserRegistry)ctx.lookup(Constants.USER_REGISTRY_JNDI_NAME);
+        if (directGrouMapping) {
+            LOG.debug("Direct Group Mapping was set in interceptor. Thus UserRegistry will
not be invoked to get "
+                      + "GrouUID");
+            groupIds.addAll(localGroups);
+        } else {
+            InitialContext ctx = new InitialContext();
+            try {
+                UserRegistry reg = (UserRegistry)ctx.lookup(Constants.USER_REGISTRY_JNDI_NAME);
 
-            if (localGroups != null) {
-                LOG.debug("Converting {} group names to uids", localGroups.size());
-                for (String localGroup : localGroups) {
-                    try {
-                        String guid = convertGroupNameToUniqueId(reg, localGroup);
-                        LOG.debug("Group '{}' maps to guid: {}", localGroup, guid);
-                        groupIds.add(guid);
-                    } catch (EntryNotFoundException e) {
-                        LOG.warn("Group entry could not be found in UserRegistry: {}", localGroup);
+                if (localGroups != null) {
+                    LOG.debug("Converting {} group names to uids", localGroups.size());
+                    for (String localGroup : localGroups) {
+                        try {
+                            String guid = convertGroupNameToUniqueId(reg, localGroup);
+                            LOG.debug("Group '{}' maps to guid: {}", localGroup, guid);
+                            groupIds.add(guid);
+                        } catch (EntryNotFoundException e) {
+                            LOG.warn("Group entry '{}' could not be found in UserRegistry
for user '{}'", localGroup,
+                                     federationResponse.getUsername());
+                        }
                     }
                 }
+            } catch (NamingException ex) {
+                LOG.error("User Registry could not be loaded via JNDI context.");
+                LOG.warn("Since Group mapping failed no groups will be set for user '{}'",
federationResponse
+                    .getUsername());
+                LOG.info("To switch to direct GroupUID Mapping without UserRegistry being
involved set "
+                         + "fedizDirectGroupMapping=\"true\"  in TAI Interceptor properties.");
+            } finally {
+                ctx.close();
             }
-        } catch (NamingException ex) {
-            LOG.error("User Registry could not be loaded via JNDI context.");
-            LOG.warn("GroupIDs from mapping will be used instead of UserRegistry mapping
for user: {}",
-                     federationResponse.getUsername());
-            groupIds.addAll(localGroups);
-        } finally {
-            ctx.close();
         }
         LOG.debug("Group list: {}", groupIds);
         return groupIds;
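Review bot: The operator hint in the NamingException branch names the property `fedizDirectGroupMapping`, but the key the interceptor actually reads is Constants.PROPERTY_KEY_DIRECT_GROUP_MAPPING, whose value is "directGroupMapping"; an administrator who follows the log will set a key the TAI never reads and keep getting empty group lists. Build the message from the constant instead: `+ Constants.PROPERTY_KEY_DIRECT_GROUP_MAPPING + "=\"true\" in TAI Interceptor properties.");`. Removing the old fallback that copied mapper output into groupIds when the registry lookup failed is the right, fail-closed choice and deserves a one-line comment on the new catch block so nobody reinstates it. In the direct branch, `groupIds.addAll(localGroups)` accepts the mapper output as group UIDs with no registry check at all, which is the trust decision the directGroupMapping Javadoc should make explicit; the enclosing method starts before this hunk.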

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/29c92536/plugins/websphere/src/test/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapperTest.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/test/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapperTest.java
b/plugins/websphere/src/test/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapperTest.java
new file mode 100644
index 0000000..b16ac20
--- /dev/null
+++ b/plugins/websphere/src/test/java/org/apache/cxf/fediz/was/mapper/DefaultRoleToGroupMapperTest.java
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.was.mapper;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Properties;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+/**
+ *
+ */
+public class DefaultRoleToGroupMapperTest {
+
+    @Test
+    public void testSimpleMapping() {
+        DefaultRoleToGroupMapper mapper = new DefaultRoleToGroupMapper();
+
+        List<String> result = mapper.groupsFromRoles(Arrays.asList("Role1", "Role2",
"Role3"));
+        assertNotNull(result);
+        assertEquals(3, result.size());
+        assertEquals("Role1", result.get(0));
+        assertEquals("Role3", result.get(2));
+    }
+
+    @Test
+    public void testNullMapping() {
+        DefaultRoleToGroupMapper mapper = new DefaultRoleToGroupMapper();
+
+        List<String> result = mapper.groupsFromRoles(null);
+        assertNull(result);
+    }
+
+    @Test
+    public void testEmptyMapping() {
+        DefaultRoleToGroupMapper mapper = new DefaultRoleToGroupMapper();
+
+        List<String> result = mapper.groupsFromRoles(new ArrayList<String>());
+        assertNotNull(result);
+        assertEquals(0, result.size());
+    }
+
+    @Test
+    public void testTemplateMapping() {
+        DefaultRoleToGroupMapper mapper = new DefaultRoleToGroupMapper();
+        Properties props = new Properties();
+        props.put(DefaultRoleToGroupMapper.PROPERTY_KEY_ROLE_MAPPING_TEMPLATE,
+                  DefaultRoleToGroupMapper.DEFAULT_MAPPING_TEMPLATE);
+        mapper.initialize(props);
+
+        List<String> result = mapper.groupsFromRoles(Arrays.asList("Role1", "Role2",
"Role3"));
+        assertNotNull(result);
+        assertEquals(3, result.size());
+        assertEquals("group:defaultWIMFileBasedRealm/Role1", result.get(0));
+    }
+}
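Review bot: The tests cover only the default template and the happy path; the case that matters for authorization — a roleMappingTemplate without `%roleName%`, which with the current `template.replace` logic maps every role to the same literal group — has no test, nor does re-initialising with null properties, which resets the template. I would add a test that initialises with `props.put(DefaultRoleToGroupMapper.PROPERTY_KEY_ROLE_MAPPING_TEMPLATE, "group:fixed")` and asserts whichever behaviour is intended (all three results equal "group:fixed", or a rejection once initialize() validates the template), so the decision is pinned rather than accidental. testTemplateMapping asserts only result.get(0); checking all three entries is cheap and would catch an off-by-one in the mapping loop.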

