cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jbernha...@apache.org
Subject [05/12] cxf-fediz git commit: Improved Servlet Filter for Websphere
Date Fri, 20 Mar 2015 12:11:30 GMT
Improved Servlet Filter for Websphere


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ab0d1b0b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ab0d1b0b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ab0d1b0b

Branch: refs/heads/master
Commit: ab0d1b0bcca914f1a24594118e93896880f61241
Parents: 29c9253
Author: Jan Bernhardt <jbernhardt@talend.com>
Authored: Mon Mar 9 11:30:56 2015 +0100
Committer: Jan Bernhardt <jbernhardt@talend.com>
Committed: Thu Mar 19 17:26:33 2015 +0100

----------------------------------------------------------------------
 .../src/main/webapp/WEB-INF/web.xml             |  7 --
 .../was/servlet/filter/FederationFilter.java    | 98 ++++++++++++++++++++
 .../filter/SecurityContextTTLChecker.java       |  8 +-
 3 files changed, 104 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ab0d1b0b/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml b/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
index 28d2a3a..a60f3a4 100644
--- a/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
+++ b/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
@@ -6,13 +6,6 @@
     <display-name>WS Federation Simple Web Application Example</display-name>
 
     <!-- Optional: Cache the security token in Thread Local Storage -->
-	<!-- 
-    <filter>
-        <filter-name>FederationFilter</filter-name>
-        <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
-    </filter>
-	-->
-	
 	<filter>
         <filter-name>FederationFilter</filter-name>
         <filter-class>org.apache.cxf.fediz.was.servlet.filter.SecurityContextTTLChecker</filter-class>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ab0d1b0b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
new file mode 100644
index 0000000..991fd91
--- /dev/null
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.was.servlet.filter;
+
+import java.io.IOException;
+import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServlet;
+
+import org.w3c.dom.Element;
+import com.ibm.websphere.security.WSSecurityException;
+import com.ibm.websphere.security.auth.WSSubject;
+
+import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
+import org.apache.cxf.fediz.core.processor.FedizResponse;
+import org.apache.cxf.fediz.was.Constants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Add security token to thread local
+ */
+public class FederationFilter extends HttpServlet implements Filter {
+    private static final Logger LOG = LoggerFactory.getLogger(FederationFilter.class);
+    private static final long serialVersionUID = 5732969318462358728L;
+
+    public FederationFilter() {
+        super();
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    /*
+     * (non-Java-doc)
+     * @see javax.servlet.Filter#doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException,
+        ServletException {
+        try {
+            Subject subject = WSSubject.getCallerSubject();
+            if (subject != null) {
+                FedizResponse fedResponse = getCachedFederationResponse(subject);
+                LOG.info("Security token found for user: {}", fedResponse.getUsername());
+                Element el = fedResponse.getToken();
+                if (el != null) {
+                    SecurityTokenThreadLocal.setToken(el);
+                    LOG.debug("Setting Security Token to SecurityTokenThreadLocal");
+                }
+            }
+            chain.doFilter(request, response);
+        } catch (WSSecurityException e) {
+            LOG.warn("No caller Subject/Principal found in request.");
+            chain.doFilter(request, response);
+        } finally {
+            SecurityTokenThreadLocal.setToken(null);
+        }
+    }
+
+    private FedizResponse getCachedFederationResponse(Subject subject) {
+        Iterator<?> i = subject.getPublicCredentials().iterator();
+        while (i.hasNext()) {
+            Object o = i.next();
+            if (o instanceof Hashtable) {
+                Map<?, ?> table = (Hashtable<?, ?>)o;
+                return (FedizResponse)table.get(Constants.SUBJECT_TOKEN_KEY);
+            }
+        }
+        return null;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ab0d1b0b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
index 43efc6b..8ad301b 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
@@ -52,9 +52,9 @@ import org.slf4j.LoggerFactory;
  * A Servlet Filter that MUST be configured to match the '/*' request scheme on each Web
Application
  * to enforce SAML assertion TimeToLive checking
  *
- * @deprecated  Not needed any longer since version 1.2.0
+ * Only needed if TAI Interceptor is not registered with option "beforeSSO=true". Otherwise
use FederationFilter
+ * instead.
  */
-@Deprecated
 public class SecurityContextTTLChecker extends HttpServlet implements Filter {
     private static final Logger LOG = LoggerFactory.getLogger(SecurityContextTTLChecker.class);
     private static final long serialVersionUID = 5732969339258858728L;
@@ -69,6 +69,7 @@ public class SecurityContextTTLChecker extends HttpServlet implements Filter
{
         super();
     }
 
+    @SuppressWarnings("deprecation")
     @Override
     public void init(ServletConfig config) throws ServletException {
         super.init(config);
@@ -80,6 +81,7 @@ public class SecurityContextTTLChecker extends HttpServlet implements Filter
{
      * (non-Java-doc)
      * @see javax.servlet.Filter#doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
      */
+    @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
         throws IOException, ServletException {
 
@@ -145,10 +147,12 @@ public class SecurityContextTTLChecker extends HttpServlet implements
Filter {
      * (non-Java-doc)
      * @see javax.servlet.Filter#destroy()
      */
+    @SuppressWarnings("deprecation")
     public void destroy() {
         FedizInterceptor.deRegisterContext(contextPath);
     }
 
+    @SuppressWarnings("deprecation")
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
         contextPath = filterConfig.getServletContext().getContextPath();


Mime
View raw message