From: jbernhardt@apache.org To: commits@cxf.apache.org Date: Fri, 20 Mar 2015 12:11:26 -0000 Message-Id: <72aecfd4b1c347bb9e2c25156e717730@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [01/12] cxf-fediz git commit: Plugin refactoring: Moving common code to core RequestHandler. Repository: cxf-fediz Updated Branches: refs/heads/master 76f00d5e3 -> fe8f240fd Plugin refactoring: Moving common code to core RequestHandler. Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/0f6a65de Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/0f6a65de Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/0f6a65de Branch: refs/heads/master Commit: 0f6a65debd2143339bdbea572b35ba94b2d8c368 Parents: 76f00d5 Author: Jan Bernhardt Authored: Mon Mar 2 17:27:06 2015 +0100 Committer: Jan Bernhardt Committed: Thu Mar 19 17:26:07 2015 +0100 ---------------------------------------------------------------------- .../cxf/fediz/core/handler/LogoutHandler.java | 168 +++++++++++++++++++ .../cxf/fediz/core/handler/RequestHandler.java | 40 +++++ .../cxf/fediz/core/handler/SigninHandler.java | 103 ++++++++++++ .../core/metadata/MetadataDocumentHandler.java | 91 ++++++++++ .../core/processor/FederationProcessorImpl.java | 6 +- .../core/federation/FederationRequestTest.java | 1 + .../fediz/tomcat/FederationAuthenticator.java | 158 +++-------------- systests/tomcat7/pom.xml | 4 +- 8 files changed, 430 insertions(+), 141 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/LogoutHandler.java ---------------------------------------------------------------------- 
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/LogoutHandler.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/LogoutHandler.java
new file mode 100644
index 0000000..d58de21
--- /dev/null
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/LogoutHandler.java
@@ -0,0 +1,168 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.fediz.core.handler; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Map; + +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.w3c.dom.Element; + +import org.apache.cxf.fediz.core.FederationConstants; +import org.apache.cxf.fediz.core.config.FedizContext; +import org.apache.cxf.fediz.core.processor.FedizProcessor; +import org.apache.cxf.fediz.core.processor.FedizProcessorFactory; +import org.apache.cxf.fediz.core.processor.RedirectionResponse; +import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class LogoutHandler implements RequestHandler { + + private static final Logger LOG = LoggerFactory.getLogger(LogoutHandler.class); + protected final FedizContext fedizConfig; + private final String servletContextPath; + private Element token; + + public LogoutHandler(FedizContext fedConfig) { + this(fedConfig, "/"); + } + + public LogoutHandler(FedizContext fedConfig, String servletContextPath) { + this.fedizConfig = 
fedConfig; + this.servletContextPath = servletContextPath; + } + + @Override + public boolean canHandleRequest(HttpServletRequest request) { + String wa = request.getParameter(FederationConstants.PARAM_ACTION); + if (FederationConstants.ACTION_SIGNOUT.equals(wa) || FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) { + // Default WS-Federation logout action + return true; + } + //Check for custom logout URL + String logoutUrl = fedizConfig.getLogoutURL(); + return logoutUrl != null && !logoutUrl.isEmpty() + && servletContextPath != null && request.getRequestURI().equals(servletContextPath + logoutUrl); + } + + @Override + public boolean handleRequest(HttpServletRequest request, HttpServletResponse response) { + String wa = request.getParameter(FederationConstants.PARAM_ACTION); + if (FederationConstants.ACTION_SIGNOUT.equals(wa)) { + return signout(request, response); + } else if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) { + return signoutCleanup(request, response); + } else { + return customLogout(request, response); + } + } + + protected boolean customLogout(HttpServletRequest request, HttpServletResponse response) { + LOG.info("Custom Logout URL was invoked."); + return signout(request, response); + } + + protected boolean signoutCleanup(HttpServletRequest request, HttpServletResponse response) { + LOG.info("SignOutCleanup request found. Terminating user session."); + request.getSession().invalidate(); + String wreply = request.getParameter(FederationConstants.PARAM_REPLY); + if (wreply != null && !wreply.isEmpty()) { + try { + LOG.debug("Redirecting user after logout to: {}", wreply); + response.sendRedirect(wreply); + } catch (IOException e) { + LOG.error("Error redirecting user after logout: {}", e.getMessage()); + } + } else { + LOG.debug("No wreply parameter was set in logout action. 
Returning logout image"); + writeLogoutImage(response); + } + return true; + } + + public void setToken(Element token) { + this.token = token; + } + + protected boolean signout(HttpServletRequest request, HttpServletResponse response) { + LOG.debug("SignOut request found. Redirecting to IDP..."); + //TODO make direct cleanup (session termination) optional via configuration + try { + SamlAssertionWrapper assertionToken = null; + if (token != null) { + assertionToken = new SamlAssertionWrapper(token); + } + FedizProcessor wfProc = FedizProcessorFactory.newFedizProcessor(fedizConfig.getProtocol()); + RedirectionResponse redirectionResponse = wfProc.createSignOutRequest(request, assertionToken, fedizConfig); + String redirectURL = redirectionResponse.getRedirectionURL(); + if (redirectURL != null) { + Map headers = redirectionResponse.getHeaders(); + if (!headers.isEmpty()) { + for (String headerName : headers.keySet()) { + response.addHeader(headerName, headers.get(headerName)); + } + } + response.sendRedirect(redirectURL); + return true; + } else { + LOG.warn("Failed to create SignOutRequest."); + } + } catch (Exception ex) { + LOG.warn("Failed to create SignOutRequest: " + ex.getMessage()); + try { + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest."); + } catch (IOException e) { + LOG.error("Failed to send error response: {}", e.getMessage()); + } + } + return false; + } + + protected void writeLogoutImage(HttpServletResponse response) { + InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg"); + if (inputStream == null) { + LOG.warn("Could not write logout.jpg"); + return; + } + int read = 0; + byte[] buf = new byte[1024]; + try { + response.setContentType("image/jpeg"); + ServletOutputStream responseOutputStream = response.getOutputStream(); + while ((read = inputStream.read(buf)) != -1) { + responseOutputStream.write(buf, 0, read); + } + responseOutputStream.flush(); + } catch 
(IOException e) { + LOG.error("Could not send logout image: {}", e.getMessage()); + } finally { + try { + inputStream.close(); + } catch (IOException e) { + // ignore + } + } + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/RequestHandler.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/RequestHandler.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/RequestHandler.java new file mode 100644 index 0000000..cc15e59 --- /dev/null +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/RequestHandler.java 
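Review bot: `signoutCleanup` redirects to the raw `wreply` request parameter (`response.sendRedirect(wreply)`), so a link such as `?wa=wsignoutcleanup1.0&wreply=https://attacker.example` both invalidates the local session and sends the browser to an arbitrary host — an open redirect that the Tomcat code being replaced did not have, since it only wrote `logout.jpg` after invalidating. I would honour `wreply` only when it is context-relative (starts with `/` but not `//` or `/\`) or equals the configured `fedizConfig.getLogoutRedirectTo()`, and fall back to the logout image otherwise; the equality rule against a configured value needs confirming, because `createSignOutRequest` expands a relative `logoutRedirectTo` to an absolute URL before it reaches the IdP. A second, smaller point: `token` is mutable per-instance state set through `setToken`, so the class Javadoc should state that a `LogoutHandler` is created per request (as the Tomcat caller does) and must not be shared between requests.
```java
        String wreply = request.getParameter(FederationConstants.PARAM_REPLY);
        if (wreply != null && !wreply.isEmpty() && isAllowedReplyUrl(wreply)) {
            // … unchanged: debug log and response.sendRedirect(wreply) …
        } else {
            // … unchanged: writeLogoutImage(response) …
        }
        return true;
    }

    /**
     * Accepts a post-logout target only if it is context-relative or equal to the
     * configured logoutRedirectTo; anything carrying a scheme or authority is rejected.
     */
    protected boolean isAllowedReplyUrl(String wreply) {
        String configured = fedizConfig.getLogoutRedirectTo();
        if (configured != null && configured.equals(wreply)) {
            return true;
        }
        return wreply.startsWith("/") && !wreply.startsWith("//") && !wreply.startsWith("/\\");
    }
```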
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.core.handler;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public interface RequestHandler {
+
+ /**
+ * @param request Check if handler can handle this given request
+ * @return Returns true if handler can handle provided request, otherwise handler returns false.
+ */
+ boolean canHandleRequest(HttpServletRequest request);
+
+ /**
+ * After ensuring that this Handler can handle the given request this method will do the actual handling.
+ *
+ * @param request Request to be handled.
+ * @param response Response to be populated.
+ * @return Returns true if request handling was successful.
+ */
+ boolean handleRequest(HttpServletRequest request, HttpServletResponse response);
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
----------------------------------------------------------------------
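Review bot: The Javadoc on `handleRequest` leaves the contract open on three points a plugin author needs: whether `canHandleRequest` is guaranteed to have been called first, what a `true` return means for the caller (the Tomcat caller returns immediately without inspecting the result, so it apparently means "response committed"), and whether implementations may keep per-request state — `LogoutHandler` does, via `setToken`, so a shared instance would leak one user's token into another's logout. I would add to the interface Javadoc: `Implementations may hold per-request state and are not required to be thread-safe; callers create one handler per request and call handleRequest only after canHandleRequest returned true. A true return means the response has been written or redirected and no further processing of the request should occur.`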
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
new file mode 100644
index 0000000..e4cd349
--- /dev/null
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
@@ -0,0 +1,103 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.fediz.core.handler; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.cxf.fediz.core.FederationConstants; +import org.apache.cxf.fediz.core.SAMLSSOConstants; +import org.apache.cxf.fediz.core.config.FederationProtocol; +import org.apache.cxf.fediz.core.config.FedizContext; +import org.apache.cxf.fediz.core.config.SAMLProtocol; +import org.apache.cxf.fediz.core.exception.ProcessingException; +import org.apache.cxf.fediz.core.processor.FederationProcessorImpl; +import org.apache.cxf.fediz.core.processor.FedizProcessor; +import org.apache.cxf.fediz.core.processor.FedizRequest; +import org.apache.cxf.fediz.core.processor.FedizResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public abstract class SigninHandler implements RequestHandler { + + private static final Logger LOG = LoggerFactory.getLogger(SigninHandler.class); + protected final FedizContext fedizConfig; + + public SigninHandler(FedizContext fedConfig) { + this.fedizConfig = fedConfig; + } + + @Override + public boolean canHandleRequest(HttpServletRequest request) { + return 
FederationConstants.ACTION_SIGNIN.equals(request.getParameter(FederationConstants.PARAM_ACTION)); + } + + @Override + public boolean handleRequest(HttpServletRequest request, HttpServletResponse response) { + if (request.getMethod().equals("POST")) { + LOG.debug("Sign-In-Response received"); + String wresult = request.getParameter(FederationConstants.PARAM_RESULT); + String wctx = request.getParameter(FederationConstants.PARAM_CONTEXT); + if (wresult != null && wctx != null) { + LOG.debug("Validating RSTR..."); + // process and validate the token + try { + processSigninRequest(request, response); + LOG.info("RSTR validated successfully"); + resumeRequest(); + return true; + } catch (ProcessingException e) { + LOG.error("RSTR validated failed."); + } + } else { + throw new RuntimeException("Missing required parameter [wctx or wresult]"); + } + } else { + throw new RuntimeException("Incorrect method GET for Sign-In-Response"); + } + return false; + } + + public abstract void resumeRequest(); + + public FedizResponse processSigninRequest(HttpServletRequest req, HttpServletResponse resp) + throws ProcessingException { + FedizRequest federationRequest = new FedizRequest(); + + String wa = req.getParameter(FederationConstants.PARAM_ACTION); + String responseToken = getResponseToken(req, fedizConfig); + + federationRequest.setAction(wa); + federationRequest.setResponseToken(responseToken); + federationRequest.setState(req.getParameter("RelayState")); + federationRequest.setRequest(req); + + FedizProcessor processor = new FederationProcessorImpl(); + return processor.processRequest(federationRequest, fedizConfig); + } + + public String getResponseToken(HttpServletRequest request, FedizContext fedConfig) { + if (fedConfig.getProtocol() instanceof FederationProtocol) { + return request.getParameter(FederationConstants.PARAM_RESULT); + } else if (fedConfig.getProtocol() instanceof SAMLProtocol) { + return request.getParameter(SAMLSSOConstants.SAML_RESPONSE); + } + return 
null; + } +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataDocumentHandler.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataDocumentHandler.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataDocumentHandler.java new file mode 100644 index 0000000..364bb22 --- /dev/null +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataDocumentHandler.java 
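Review bot: `processSigninRequest` hard-codes `new FederationProcessorImpl()` even though `getResponseToken` already branches on `SAMLProtocol`, and the sibling `LogoutHandler` and `MetadataDocumentHandler` in this same commit select the processor with `FedizProcessorFactory.newFedizProcessor(fedizConfig.getProtocol())`; as written, a SAML-configured context would hand its `SAMLResponse` to the WS-Federation processor. Use the factory here as well: `FedizProcessor processor = FedizProcessorFactory.newFedizProcessor(fedizConfig.getProtocol());`. In `handleRequest` the missing-parameter and non-POST cases `throw new RuntimeException(...)` out of an unauthenticated endpoint, which surfaces as a container 500 with a stack trace; the usual shape is `response.sendError(HttpServletResponse.SC_BAD_REQUEST, ...)` and `return false`, and the `ProcessingException` branch should keep the cause (`LOG.error("RSTR validation failed", e)`) instead of a fixed message. The `FedizResponse` returned by `processSigninRequest` is discarded in `handleRequest`, so `resumeRequest()` has nothing to build a session from — presumably a later commit in this series wires it through, but as committed the handler validates and drops the result.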
@@ -0,0 +1,91 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.fediz.core.metadata; + +import java.io.IOException; +import java.io.PrintWriter; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.w3c.dom.Document; + +import org.apache.cxf.fediz.core.FederationConstants; +import org.apache.cxf.fediz.core.SAMLSSOConstants; +import org.apache.cxf.fediz.core.config.FederationProtocol; +import org.apache.cxf.fediz.core.config.FedizContext; +import org.apache.cxf.fediz.core.config.SAMLProtocol; +import org.apache.cxf.fediz.core.handler.RequestHandler; +import org.apache.cxf.fediz.core.processor.FedizProcessor; +import org.apache.cxf.fediz.core.processor.FedizProcessorFactory; +import org.apache.wss4j.common.util.DOM2Writer; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class MetadataDocumentHandler implements RequestHandler { + + private static final Logger LOG = LoggerFactory.getLogger(MetadataDocumentHandler.class); + protected final FedizContext fedizConfig; + + public MetadataDocumentHandler(FedizContext fedConfig) { + this.fedizConfig = fedConfig; + } + + public static String 
getMetadataURI(FedizContext fedConfig) { + if (fedConfig.getProtocol().getMetadataURI() != null) { + return fedConfig.getProtocol().getMetadataURI(); + } else if (fedConfig.getProtocol() instanceof FederationProtocol) { + return FederationConstants.METADATA_PATH_URI; + } else if (fedConfig.getProtocol() instanceof SAMLProtocol) { + return SAMLSSOConstants.FEDIZ_SAML_METADATA_PATH_URI; + } + return FederationConstants.METADATA_PATH_URI; + } + + @Override + public boolean canHandleRequest(HttpServletRequest request) { + return request.getRequestURL().indexOf(MetadataDocumentHandler.getMetadataURI(fedizConfig)) != -1; + } + + @Override + public boolean handleRequest(HttpServletRequest request, HttpServletResponse response) { + LOG.debug("Metadata document requested"); + FedizProcessor wfProc = FedizProcessorFactory.newFedizProcessor(fedizConfig.getProtocol()); + PrintWriter out = null; + try { + out = response.getWriter(); + Document metadata = wfProc.getMetaData(request, fedizConfig); + out.write(DOM2Writer.nodeToString(metadata)); + response.setContentType("text/xml"); + return true; + } catch (Exception ex) { + LOG.error("Failed to get metadata document: {}", ex.getMessage()); + try { + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + } catch (IOException e) { + LOG.error("Failed to send error response: {}", e.getMessage()); + } + return false; + } finally { + if (out != null) { + out.close(); + } + } + } +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java index 40c3a93..c98486c 100644 
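Review bot: `handleRequest` calls `response.setContentType("text/xml")` only after `out.write(...)`, whereas the Tomcat code it replaces set the type before `getWriter()`; once the writer exists the charset is fixed, and once the buffer is committed the header is ignored, so a large metadata document can go out with the container's default content type. Move the call up: `response.setContentType("text/xml"); out = response.getWriter();`. Separately, `canHandleRequest` uses `request.getRequestURL().indexOf(...) != -1`, a substring test over the entire URL, and in `FederationAuthenticator.invoke` it runs before authentication; matching the request path, e.g. `request.getRequestURI().endsWith(getMetadataURI(fedizConfig))`, is tighter (the substring test is carried over from the old code, not introduced here).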
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -495,7 +495,10 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
 StringBuilder sb = new StringBuilder();
 sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNOUT);
- String logoutRedirectTo = config.getLogoutRedirectTo();
+ String logoutRedirectTo = request.getParameter(FederationConstants.PARAM_REPLY);
+ if (logoutRedirectTo != null && !logoutRedirectTo.isEmpty()) {
+ logoutRedirectTo = config.getLogoutRedirectTo();
+ }
 if (logoutRedirectTo != null && !logoutRedirectTo.isEmpty()) {
 if (logoutRedirectTo.startsWith("/")) {
@@ -505,7 +508,6 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
 }
 LOG.debug("wreply=" + logoutRedirectTo);
- sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
 sb.append(URLEncoder.encode(logoutRedirectTo, "UTF-8"));
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
index 51596a7..ebcd3a6 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
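Review bot: The new guard in `createSignOutRequest` is inverted: when no `wreply` parameter is present `logoutRedirectTo` stays null and `config.getLogoutRedirectTo()` is never consulted, and when one is present it is immediately overwritten by the configured value — so the request parameter can never reach the IdP and the configured default is lost in the common no-parameter case (the updated FederationRequestTest mocks `PARAM_REPLY` as null and therefore runs straight through that regression without asserting on wreply). The intended form is presumably `if (logoutRedirectTo == null || logoutRedirectTo.isEmpty()) { logoutRedirectTo = config.getLogoutRedirectTo(); }`. Once that is fixed, an attacker-chosen `wreply` on the SP's logout URL is forwarded verbatim to the IdP as the post-logout return target, so it should be accepted only when context-relative or equal to the configured value rather than relying on the IdP to validate it against the realm. `createSignOutRequest` begins before and ends after this hunk.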
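Review bot: Removing `sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');` leaves `sb.append(URLEncoder.encode(logoutRedirectTo, "UTF-8"));` appending the encoded URL directly after `wa=wsignout1.0`, producing `wa=wsignout1.0https%3A%2F%2F...` with no `&wreply=` separator — unless a second identical append survives in the lines between the two hunks (old 498–505), which this diff does not show. If there was no duplicate, the separator line needs to come back; if there was, a comment on the remaining append saying so would stop the next reader from restoring it. The commit message describes a pure refactoring, so either way this behavioural change deserves a line of explanation.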
@@ -145,6 +145,7 @@ public class FederationRequestTest { FedizContext config = getFederationConfigurator().getFedizContext("ROOT"); HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_REPLY)).andReturn(null); EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)).times(1, 2); EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); EasyMock.replay(req); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java ---------------------------------------------------------------------- diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java index 4e7bae9..a365235 100644 --- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java +++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java @@ -21,8 +21,6 @@ package org.apache.cxf.fediz.tomcat; import java.io.File; import java.io.IOException; -import java.io.InputStream; -import java.io.PrintWriter; import java.security.Principal; import java.security.cert.X509Certificate; import java.util.Collections; @@ -31,14 +29,12 @@ import java.util.List; import java.util.Map; import javax.servlet.ServletException; -import javax.servlet.ServletOutputStream; import javax.servlet.ServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import javax.xml.bind.JAXBException; -import org.w3c.dom.Document; import org.w3c.dom.Element; + import org.apache.catalina.LifecycleException; import org.apache.catalina.Session; import org.apache.catalina.authenticator.Constants; 
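Review bot: The added expectation returns `null` for `PARAM_REPLY`, so this test only covers the no-`wreply` path and still makes no assertion about the `wreply` that ends up in the generated sign-out URL; a second case returning a value such as `"/after-logout"` and checking the redirection URL would have caught the inverted guard in `FederationProcessorImpl.createSignOutRequest`, and a third with an absolute foreign URL should assert that it is not forwarded once validation exists. The surrounding test method continues past the hunk.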
@@ -55,6 +51,9 @@ import org.apache.cxf.fediz.core.config.FedizConfigurator; import org.apache.cxf.fediz.core.config.FedizContext; import org.apache.cxf.fediz.core.config.SAMLProtocol; import org.apache.cxf.fediz.core.exception.ProcessingException; +import org.apache.cxf.fediz.core.handler.LogoutHandler; +import org.apache.cxf.fediz.core.handler.RequestHandler; +import org.apache.cxf.fediz.core.metadata.MetadataDocumentHandler; import org.apache.cxf.fediz.core.processor.FedizProcessor; import org.apache.cxf.fediz.core.processor.FedizProcessorFactory; import org.apache.cxf.fediz.core.processor.FedizRequest; @@ -62,9 +61,6 @@ import org.apache.cxf.fediz.core.processor.FedizResponse; import org.apache.cxf.fediz.core.processor.RedirectionResponse; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.apache.wss4j.common.util.DOM2Writer; public class FederationAuthenticator extends FormAuthenticator { 
@@ -192,72 +188,34 @@ public class FederationAuthenticator extends FormAuthenticator { contextName = "/"; } FedizContext fedConfig = getContextConfiguration(contextName); - - if (request.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI) != -1 - || request.getRequestURL().indexOf(getMetadataURI(fedConfig)) != -1) { - if (LOG.isInfoEnabled()) { - LOG.info("Metadata document requested"); - } - response.setContentType("text/xml"); - PrintWriter out = response.getWriter(); - - FedizProcessor wfProc = - FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()); - try { - Document metadata = wfProc.getMetaData(request, fedConfig); - out.write(DOM2Writer.nodeToString(metadata)); - return; - } catch (Exception ex) { - LOG.error("Failed to get metadata document: " + ex.getMessage()); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); - return; - } + RequestHandler mdHandler = new MetadataDocumentHandler(fedConfig); + if (mdHandler.canHandleRequest(request)) { + mdHandler.handleRequest(request, response); + return; } - String wa = request.getParameter(FederationConstants.PARAM_ACTION); - if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) { - if (LOG.isDebugEnabled()) { - LOG.debug("SignOutCleanup request found"); - LOG.debug("SignOutCleanup action..."); + LogoutHandler logoutHandler = new LogoutHandler(fedConfig, contextName); + if (logoutHandler.canHandleRequest(request)) { + Element token = (Element)request.getSession().getAttribute(SECURITY_TOKEN); + logoutHandler.setToken(token); + + //TODO: Check if this internal session cleanup is really needed + Session session = request.getSessionInternal(); + // Cleanup session + if (session != null) { + session.removeNote(FEDERATION_NOTE); + session.setPrincipal(null); } - request.getSession().invalidate(); - handleLogout(response.getOutputStream()); + logoutHandler.handleRequest(request, response); return; } super.invoke(request, response); - - } - - private void handleLogout(final 
ServletOutputStream responseOutputStream) throws IOException { - InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg"); - if (inputStream == null) { - LOG.warn("Could not write logout.jpg"); - return; - } - int read = 0; - byte[] buf = new byte[1024]; - while ((read = inputStream.read(buf)) != -1) { - responseOutputStream.write(buf, 0, read); - } - inputStream.close(); - responseOutputStream.flush(); - } - - private String getMetadataURI(FedizContext fedConfig) { - if (fedConfig.getProtocol().getMetadataURI() != null) { - return fedConfig.getProtocol().getMetadataURI(); - } else if (fedConfig.getProtocol() instanceof FederationProtocol) { - return FederationConstants.METADATA_PATH_URI; - } else if (fedConfig.getProtocol() instanceof SAMLProtocol) { - return SAMLSSOConstants.FEDIZ_SAML_METADATA_PATH_URI; - } - - return FederationConstants.METADATA_PATH_URI; } + //CHECKSTYLE:OFF @Override public boolean authenticate(Request request, HttpServletResponse response, 
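Review bot: The custom-logout path no longer invalidates the local session: the `authenticate` code removed by this commit called `httpSession.invalidate()` and dropped `SECURITY_TOKEN` before redirecting to the issuer, while the new branch in `invoke` only clears the Tomcat note and principal and `LogoutHandler.signout` (its TODO notwithstanding) never terminates the session — so if the IdP never sends `wsignoutcleanup1.0` back, the user who clicked logout remains authenticated locally. Either invalidate here after `setToken` or inside `LogoutHandler.signout`, but one of them must. Also `request.getSession()` with no `false` argument creates a session for an anonymous request just to read the token; the old code checked `getSession(false)` and served the logout image for an already-logged-out user, whereas now that user is bounced to the IdP. `Element token = null; if (request.getSession(false) != null) { token = (Element) request.getSession(false).getAttribute(SECURITY_TOKEN); }` keeps the no-session case cheap without the `HttpSession` import this commit removed. `invoke` begins before the hunk.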
@@ -273,40 +231,6 @@ public class FederationAuthenticator extends FormAuthenticator { } FedizContext fedConfig = getContextConfiguration(contextName); - //logout - String logoutUrl = fedConfig.getLogoutURL(); - if (logoutUrl != null && !logoutUrl.isEmpty() - && request.getRequestURI().equals(contextName + logoutUrl)) { - HttpSession httpSession = request.getSession(false); - if (httpSession != null) { - // Here the user is already logged in - session = request.getSessionInternal(); - - Element token = - (Element)request.getSession().getAttribute(SECURITY_TOKEN); - - // Cleanup session - if (session != null) { - session.removeNote(FEDERATION_NOTE); - session.setPrincipal(null); - request.getSession().removeAttribute(SECURITY_TOKEN); - } - httpSession.invalidate(); - - FedizProcessor wfProc = - FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()); - signOutRedirectToIssuer(request, response, token, wfProc); - - return false; - } else { - // The user is already logged out - handleLogout(response.getOutputStream()); - - return false; - } - } - - // Have we already authenticated someone? Principal principal = request.getUserPrincipal(); // String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE); 
@@ -692,45 +616,5 @@ public class FederationAuthenticator extends FormAuthenticator { } } - protected void signOutRedirectToIssuer(Request request, HttpServletResponse response, - Element token, FedizProcessor processor) - throws IOException { - String contextName = request.getServletContext().getContextPath(); - if (contextName == null || contextName.isEmpty()) { - contextName = "/"; - } - FedizContext fedCtx = this.configurator.getFedizContext(contextName); - try { - SamlAssertionWrapper assertionToken = null; - if (token != null) { - assertionToken = new SamlAssertionWrapper(token); - } - RedirectionResponse redirectionResponse = - processor.createSignOutRequest(request, assertionToken, fedCtx); - String redirectURL = redirectionResponse.getRedirectionURL(); - if (redirectURL != null) { - Map headers = redirectionResponse.getHeaders(); - if (!headers.isEmpty()) { - for (String headerName : headers.keySet()) { - response.addHeader(headerName, headers.get(headerName)); - } - } - - response.sendRedirect(redirectURL); - } else { - LOG.warn("Failed to create SignOutRequest."); - response.sendError( - HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest."); - } - } catch (ProcessingException ex) { - LOG.warn("Failed to create SignOutRequest: " + ex.getMessage()); - response.sendError( - HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest."); - } catch (WSSecurityException ex) { - LOG.warn("Failed to create SignOutRequest: " + ex.getMessage()); - response.sendError( - HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest."); - } - } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/0f6a65de/systests/tomcat7/pom.xml ---------------------------------------------------------------------- diff --git a/systests/tomcat7/pom.xml b/systests/tomcat7/pom.xml index b96a516..c7b696b 100644 --- a/systests/tomcat7/pom.xml +++ b/systests/tomcat7/pom.xml 
@@ -215,8 +215,8 @@ **/integrationtests/** - -Xms512m -Xmx1024m - -XX:MaxPermSize=256m + -Xms512m -Xmx1024m -XX:MaxPermSize=256m +