From jbernha...@apache.org
Subject [11/12] cxf-fediz git commit: [FEDIZ-105] SAML TTL validation for Websphere
Date Fri, 20 Mar 2015 12:11:36 GMT
[FEDIZ-105] SAML TTL validation for Websphere


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/0e954ede
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/0e954ede
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/0e954ede

Branch: refs/heads/master
Commit: 0e954ede17c54b88e6cafdfde155d74a6b37bec8
Parents: 545c90a
Author: Jan Bernhardt <jbernhardt@talend.com>
Authored: Fri Mar 20 08:39:01 2015 +0100
Committer: Jan Bernhardt <jbernhardt@talend.com>
Committed: Fri Mar 20 10:13:52 2015 +0100

----------------------------------------------------------------------
 .../cxf/fediz/core/config/FedizContext.java     |  8 ++++---
 .../core/processor/FederationProcessorImpl.java | 22 +++++++++---------
 .../cxf/fediz/core/processor/FedizResponse.java |  3 ++-
 .../core/federation/FederationRequestTest.java  |  1 +
 .../cxf/fediz/was/tai/FedizInterceptor.java     | 24 ++++++++++++++------
 5 files changed, 36 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0e954ede/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
index 9e9d2ed..1084b96 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
@@ -62,7 +62,6 @@ public class FedizContext implements Closeable {
     
     private ContextConfig config;
 
-    private boolean detectExpiredTokens = true;
     private boolean detectReplayedTokens = true;
     private String relativePath;
     private ReplayCache replayCache;
@@ -74,6 +73,9 @@ public class FedizContext implements Closeable {
     
 
     public FedizContext(ContextConfig config) {
+        if (config == null) {
+            throw new IllegalArgumentException("ContextConfig cannot be null!");
+        }
         this.config = config;
         
     }
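Review bot: The null guard added to the FedizContext constructor duplicates what `Objects.requireNonNull` already provides, and the standard call also keeps the message with the exception: `this.config = Objects.requireNonNull(config, "ContextConfig cannot be null!");`. That throws NullPointerException rather than IllegalArgumentException, so keep the hand-written check if callers are expected to catch the latter. Either way a `@throws` tag on the constructor Javadoc would make the new precondition visible to callers.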
@@ -249,11 +251,11 @@ public class FedizContext implements Closeable {
 
 
     public boolean isDetectExpiredTokens() {
-        return detectExpiredTokens;
+        return config.isTokenExpirationValidation();
     }
     
     public void setDetectExpiredTokens(boolean detectExpiredTokens) {
-        this.detectExpiredTokens = detectExpiredTokens;
+        config.setTokenExpirationValidation(detectExpiredTokens);
     }
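Review bot: The default for expired-token detection is no longer visible in this class: the removed field initialised `detectExpiredTokens` to `true`, while the new getter returns whatever `config.isTokenExpirationValidation()` yields, and the default of that ContextConfig property is not part of this diff. If that property defaults to false, deployments that never set it would silently stop rejecting expired tokens, so the default in the config type should be confirmed to be true (or the getter should fall back to true). A short Javadoc on the getter would document the delegation: `/** Whether the token lifetime is re-validated on each request; delegates to ContextConfig.isTokenExpirationValidation(). */`.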
 
     

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0e954ede/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index faa7e6e..0fc6a15 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -562,17 +562,17 @@ public class FederationProcessorImpl extends AbstractFedizProcessor
{
         
         if (homeRealm == null || homeRealm.isEmpty()) {
             // Check if home realm is set in configuration
-	        Object homeRealmObj = ((FederationProtocol)config.getProtocol()).getHomeRealm();
-	        if (homeRealmObj != null) {
-	            if (homeRealmObj instanceof String) {
-	                homeRealm = (String)homeRealmObj;
-	            } else if (homeRealmObj instanceof CallbackHandler) {
-	                CallbackHandler hrCB = (CallbackHandler)homeRealmObj;
-	                HomeRealmCallback callback = new HomeRealmCallback(request);
-	                hrCB.handle(new Callback[] {callback});
-	                homeRealm = callback.getHomeRealm();
-	            }
-	        }
+            Object homeRealmObj = ((FederationProtocol)config.getProtocol()).getHomeRealm();
+            if (homeRealmObj != null) {
+                if (homeRealmObj instanceof String) {
+                    homeRealm = (String)homeRealmObj;
+                } else if (homeRealmObj instanceof CallbackHandler) {
+                    CallbackHandler hrCB = (CallbackHandler)homeRealmObj;
+                    HomeRealmCallback callback = new HomeRealmCallback(request);
+                    hrCB.handle(new Callback[] {callback});
+                    homeRealm = callback.getHomeRealm();
+                }
+            }
         }
         return homeRealm;
     }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0e954ede/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
index b392ad2..e1a1e01 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
@@ -51,7 +51,8 @@ public class FedizResponse implements Serializable {
     private Date tokenExpires;
 
     //CHECKSTYLE:OFF
-    public FedizResponse(String username, String issuer, List<String> roles, List<Claim>
claims, String audience, Date created, Date expires, Element token, String uniqueTokenId)
{
+    public FedizResponse(String username, String issuer, List<String> roles, List<Claim>
claims, String audience, 
+        Date created, Date expires, Element token, String uniqueTokenId) {
         this.username = username;
         this.issuer = issuer;
         this.roles = roles;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0e954ede/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
index c9561dd..c5489d0 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
@@ -121,6 +121,7 @@ public class FederationRequestTest {
         HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
         EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM))
             .andReturn("urn:org:apache:cxf:fediz:idp:realm-A");
+        EasyMock.expect(req.getQueryString()).andReturn(null);
         EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)).times(1,
2);
         EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI);
         EasyMock.replay(req);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0e954ede/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
index b58125e..6d8976c 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/tai/FedizInterceptor.java
@@ -211,6 +211,12 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
         FedizContext fedCtx = getFederationContext(req);
 
         if (fedCtx != null) {
+
+            // Validate SAML token lifetime on each request?
+            if (fedCtx.isDetectExpiredTokens()) {
+                return true;
+            }
+
             // Handle Metadata Document requests
             MetadataDocumentHandler mddHandler = new MetadataDocumentHandler(fedCtx);
             if (mddHandler.canHandleRequest(req)) {
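Review bot: The new early `return true` runs before the metadata-document check that follows it, so with expiration validation enabled this method no longer consults `mddHandler.canHandleRequest(req)`; whether that changes behaviour depends on the later negotiation method also dispatching metadata requests, which is not visible here and worth confirming. The added comment is phrased as a question, which reads as an open doubt rather than a rationale; I would state the intent: `// With expiration validation enabled, intercept every request so the session token's lifetime is re-checked during authentication`. The enclosing method starts outside the hunk, so the meaning of the boolean return is inferred from the existing code.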
@@ -329,7 +335,7 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
                     HttpSession session = request.getSession(true);
                     RequestState requestState = (RequestState)session.getAttribute(wctx);
                     if (requestState != null && requestState.getTargetAddress() !=
null) {
-                        LOG.info("Redirecting request to {}", requestState.getTargetAddress());
+                        LOG.debug("Restore request to {}", requestState.getTargetAddress());
                         try {
                             response.sendRedirect(requestState.getTargetAddress());
                         } catch (IOException e) {
@@ -344,8 +350,7 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
             }
 
             // Check if user was authenticated previously and token is still valid
-            // TODO validate SAML TTL
-            TAIResult taiResult = checkUserAuthentication(req);
+            TAIResult taiResult = checkUserAuthentication(req, fedCtx);
             if (taiResult != null) {
                 return taiResult;
             }
@@ -360,7 +365,8 @@ public class FedizInterceptor implements TrustAssociationInterceptor {
         }
     }
 
-    private TAIResult checkUserAuthentication(HttpServletRequest req) throws WebTrustAssociationFailedException
{
+    private TAIResult checkUserAuthentication(HttpServletRequest req, FedizContext fedCtx)
+        throws WebTrustAssociationFailedException {
         TAIResult result = null;
         HttpSession session = req.getSession(false);
         if (session != null) {
@@ -368,10 +374,11 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
             FedizResponse federationResponse = (FedizResponse)session
                 .getAttribute(Constants.SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY);
             if (federationResponse != null) {
-                LOG.info("Security Token found in session for user: {}", federationResponse.getUsername());
+                LOG.debug("Security Token found in session for user: {}", federationResponse.getUsername());
 
                 // validate Security Token and create User Principal
                 if (checkSecurityToken(federationResponse)) {
+                    // TODO check if there is a better way to avoid recreation of subject
each validated call
                     // proceed creating the JAAS Subject
                     List<String> groupsIds = groupIdsFromTokenRoles(federationResponse);
                     LOG.debug("Mapped group IDs: {}", groupsIds);
@@ -379,8 +386,11 @@ public class FedizInterceptor implements TrustAssociationInterceptor
{
 
                     result = TAIResult.create(HttpServletResponse.SC_OK, federationResponse.getUsername(),
subject);
                 }
-                // Cleanup session
-                session.removeAttribute(Constants.SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY);
+                if (!fedCtx.isDetectExpiredTokens()) {
+                    // token is not required for TTL validation
+                    // Cleanup session
+                    session.removeAttribute(Constants.SECURITY_TOKEN_SESSION_ATTRIBUTE_KEY);
+                }
             }
         }
         return result;
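Review bot: A token that fails `checkSecurityToken(federationResponse)` is left in the session when expiration validation is on, because the new cleanup at the end of checkUserAuthentication only runs when `fedCtx.isDetectExpiredTokens()` is false; every later request then deserialises and re-validates the same stale token and `result` stays null. The attribute should also be dropped when validation fails, e.g. `if (!fedCtx.isDetectExpiredTokens() || result == null) {` in place of the new condition. This assumes `checkSecurityToken` is where the expiry check happens, which is not shown in the diff; if it is, the TODO added above about re-creating the subject on each call is the intended cost of keeping the token and could say so explicitly. The same guard would also cover `fedCtx` being passed non-null, which the new signature does not assert.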

