From cohei...@apache.org
Subject [2/2] cxf-fediz git commit: [FEDIZ-108] - Jetty plugin support for configurable token validation
Date Wed, 02 Sep 2015 12:11:04 GMT
[FEDIZ-108] - Jetty plugin support for configurable token validation


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/569571de
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/569571de
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/569571de

Branch: refs/heads/1.2.x-fixes
Commit: 569571dec5d28329a8fa0983e41b5a160357614d
Parents: 6caf613
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Sep 2 12:32:44 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Sep 2 13:10:54 2015 +0100

----------------------------------------------------------------------
 .../fediz/jetty/FederationAuthenticator.java    | 37 ++++++++++++++++----
 .../cxf/fediz/jetty/FederationUserIdentity.java |  8 +++--
 2 files changed, 36 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/569571de/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
index 7597c1a..10f99da 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
@@ -25,6 +25,7 @@ import java.io.InputStream;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.Date;
 import java.util.Map;
 
 import javax.servlet.ServletOutputStream;
@@ -240,7 +241,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     {
                         session=renewSession(request,response);
 
-                        FederationUserIdentity  fui = (FederationUserIdentity)user;
+                        FederationUserIdentity fui = (FederationUserIdentity)user;
                         session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
 
                         // Redirect to original request
@@ -306,11 +307,8 @@ public class FederationAuthenticator extends LoginAuthenticator {
             if (authentication != null) 
             {
                 // Has authentication been revoked?
-                if (authentication instanceof Authentication.User && 
-                    _loginService!=null &&
-                    !_loginService.validate(((Authentication.User)authentication).getUserIdentity()))
-                {
-                
+                if (authentication instanceof Authentication.User
+                    && isTokenExpired(fedConfig, ((Authentication.User)authentication).getUserIdentity()))
{
                     session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
                 }
                 else
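Review bot: The rewritten condition drops the `_loginService.validate(...)` call, so a session whose identity the login service no longer accepts (the "revoked" case the comment above still describes) is now kept for as long as the token has not expired. Unless `validate` is known to be a no-op for the Fediz login service, keep both checks, e.g. `&& (isTokenExpired(fedConfig, ((Authentication.User)authentication).getUserIdentity()) || (_loginService != null && !_loginService.validate(((Authentication.User)authentication).getUserIdentity())))`, or at least reword the comment to `// Has the token expired?` so it matches what is tested. Note also that isTokenExpired throws IllegalStateException for an identity that is not a FederationUserIdentity, where the old condition only passed it to the login service, so an identity from another authenticator now fails the request instead of being re-validated. The enclosing method begins and ends outside this hunk.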
@@ -400,6 +398,33 @@ public class FederationAuthenticator extends LoginAuthenticator {
          * catch (ServletException e) { throw new ServerAuthException(e); }
          */
     }
+    
+    private boolean isTokenExpired(FedizContext fedConfig, UserIdentity userIdentity) {
+        if (fedConfig.isDetectExpiredTokens()) {
+            try {
+                FederationUserIdentity fui = (FederationUserIdentity)userIdentity;
+                Date tokenExpires = fui.getExpiryDate();
+                if (tokenExpires == null) {
+                    LOG.debug("Token doesn't expire");
+                    return false;
+                }
+    
+                Date currentTime = new Date();
+                if (!currentTime.after(tokenExpires)) {
+                    return false;
+                } else {
+                    LOG.warn("Token already expired. Clean up and redirect");
+    
+                    return true;
+                }
+            } catch (ClassCastException ex) {
+                LOG.warn("UserIdentity must be instance of FederationUserIdentity");
+                throw new IllegalStateException("UserIdentity must be instance of FederationUserIdentity");
+            }
+        }
+        
+        return false;
+    }
 
     private boolean isSignInRequest(ServletRequest request, FedizContext fedConfig) {
         if (fedConfig.getProtocol() instanceof FederationProtocol
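Review bot: Catching ClassCastException in isTokenExpired is a type check expressed as an exception; an explicit `instanceof` guard before the cast states the precondition directly and keeps the try/catch out of the hot path. The nesting can also be flattened into guard clauses, since every branch except the "already expired" one returns false, and the method deserves a Javadoc stating that it returns true only when expiry detection is enabled, the identity carries an expiry date, and that date is strictly in the past (a null expiry date is treated as never expiring, and `after` being strict means a token expiring at exactly the current instant is still accepted). The rewrite below preserves those results and the existing log messages.
```java
private boolean isTokenExpired(FedizContext fedConfig, UserIdentity userIdentity) {
    if (!fedConfig.isDetectExpiredTokens()) {
        return false;
    }
    if (!(userIdentity instanceof FederationUserIdentity)) {
        LOG.warn("UserIdentity must be instance of FederationUserIdentity");
        throw new IllegalStateException("UserIdentity must be instance of FederationUserIdentity");
    }
    Date tokenExpires = ((FederationUserIdentity)userIdentity).getExpiryDate();
    if (tokenExpires == null) {
        LOG.debug("Token doesn't expire");
        return false;
    }
    // Strict comparison: expiry == now is still treated as valid, as before.
    boolean expired = new Date().after(tokenExpires);
    if (expired) {
        LOG.warn("Token already expired. Clean up and redirect");
    }
    return expired;
}
```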

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/569571de/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
index 724d3a5..ffe4372 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
@@ -58,9 +58,11 @@ public class FederationUserIdentity implements UserIdentity {
             role = scope.getRoleRefMap().get(role);
         }
         
-        for (String r : this.roles) {
-            if (r.equals(role)) {
-                return true;
+        if (this.roles != null) {
+            for (String r : this.roles) {
+                if (r.equals(role)) {
+                    return true;
+                }
             }
         }
         return false;
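Review bot: The added null guard on `this.roles` leaves it unstated whether a null role set is a legitimate state; if it is, a field comment such as `// null when the token carried no role claim` would document it, and if it is not, initialising the field to an empty collection in the constructor would remove the need for this guard here and at any other use site. If `roles` is a Collection and neither it nor `role` can hold null, the loop reduces to `return this.roles != null && this.roles.contains(role);`, which gives the same result. The enclosing method starts outside this hunk.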

