From cohei...@apache.org
Subject cxf-fediz git commit: [FEDIZ-106] - Spring 2 support added
Date Fri, 04 Sep 2015 14:10:16 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 11e4fdc18 -> 88bc4bc68


[FEDIZ-106] - Spring 2 support added


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/88bc4bc6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/88bc4bc6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/88bc4bc6

Branch: refs/heads/master
Commit: 88bc4bc68d8df857d6ba796005ef217873266545
Parents: 11e4fdc
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Sep 4 15:09:59 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Sep 4 15:09:59 2015 +0100

----------------------------------------------------------------------
 .../authentication/ExpiredTokenException.java   |  35 ++++++
 .../web/FederationAuthenticationEntryPoint.java |  69 ------------
 .../web/FederationAuthenticationFilter.java     | 106 ++++++++++++++++++-
 .../src/main/webapp/WEB-INF/cxf-transport.xml   |   4 +-
 4 files changed, 141 insertions(+), 73 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/88bc4bc6/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/authentication/ExpiredTokenException.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/authentication/ExpiredTokenException.java
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/authentication/ExpiredTokenException.java
new file mode 100644
index 0000000..42e23fe
--- /dev/null
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/authentication/ExpiredTokenException.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.spring.authentication;
+
+import org.springframework.security.AuthenticationException;
+
+/**
+ * To be called when a token has expired
+ */
+public class ExpiredTokenException extends AuthenticationException {
+    
+    private static final long serialVersionUID = 7639463618762010981L;
+    
+    public ExpiredTokenException(String errorMessage) {
+        super(errorMessage);
+    }
+
+}
\ No newline at end of file
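Review bot: The class Javadoc at the top of the hunk reads as an instruction ("To be called when…") rather than describing the condition under which the exception is raised; suggest `/** Thrown when the token held in the current SecurityContext has passed its expiry time, so that a fresh sign-in can be started. */`. The class only offers a message constructor; if a later caller needs to preserve an underlying cause, a `(String, Throwable)` overload delegating to the AuthenticationException constructor would be the place for it.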

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/88bc4bc6/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index 3fd799f..851f253 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -83,65 +83,6 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
         Assert.notNull(this.federationConfig, "FederationConfig cannot be null.");
     }
 
-    public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse
response,
-            final AuthenticationException authenticationException) throws IOException, ServletException
{
-
-        FedizContext fedContext = federationConfig.getFedizContext();
-        LOG.debug("Federation context: {}", fedContext);
-        
-        if (servletRequest.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI)
!= -1
-            || servletRequest.getRequestURL().indexOf(getMetadataURI(fedContext)) != -1)
{
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Metadata document requested");
-            }
-            response.setContentType("text/xml");
-            PrintWriter out = response.getWriter();
-            
-            FedizProcessor wfProc = 
-                FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
-            try {
-                Document metadata = wfProc.getMetaData(servletRequest, fedContext);
-                out.write(DOM2Writer.nodeToString(metadata));
-                return;
-            } catch (Exception ex) {
-                LOG.warn("Failed to get metadata document: " + ex.getMessage());
-                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
-                return;
-            }            
-        }
-        
-        String redirectUrl = null;
-        try {
-            FedizProcessor wfProc = 
-                FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
-            RedirectionResponse redirectionResponse =
-                wfProc.createSignInRequest(servletRequest, fedContext);
-            redirectUrl = redirectionResponse.getRedirectionURL();
-            
-            if (redirectUrl == null) {
-                LOG.warn("Failed to create SignInRequest. Redirect URL null");
-                throw new ServletException("Failed to create SignInRequest. Redirect URL
null");
-            }
-            
-            Map<String, String> headers = redirectionResponse.getHeaders();
-            if (!headers.isEmpty()) {
-                for (String headerName : headers.keySet()) {
-                    response.addHeader(headerName, headers.get(headerName));
-                }
-            }
-            
-        } catch (ProcessingException ex) {
-            LOG.warn("Failed to create SignInRequest", ex);
-            throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
-        }
-        
-        preCommence(servletRequest, response);
-        if (LOG.isInfoEnabled()) {
-            LOG.info("Redirecting to IDP: " + redirectUrl);
-        }
-        response.sendRedirect(redirectUrl);
-    }
-
     private String getMetadataURI(FedizContext fedConfig) {
         if (fedConfig.getProtocol().getMetadataURI() != null) {
             return fedConfig.getProtocol().getMetadataURI();
@@ -236,14 +177,4 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
         
     }
 
-    /*
-    public void setServletContext(String servletContext) {
-        this.servletContext = servletContext;
-    }
-
-    public String getServletContext() {
-        return servletContext;
-    }
-    */
-
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/88bc4bc6/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 8449b53..972f182 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -19,7 +19,10 @@
 
 package org.apache.cxf.fediz.spring.web;
 
+import java.io.IOException;
 import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Map;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
@@ -27,9 +30,22 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.SAMLSSOConstants;
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.processor.FedizProcessor;
+import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
 import org.apache.cxf.fediz.core.processor.FedizRequest;
+import org.apache.cxf.fediz.core.processor.RedirectionResponse;
+import org.apache.cxf.fediz.spring.FederationConfig;
+import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
+import org.apache.cxf.fediz.spring.authentication.FederationAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 import org.springframework.security.ui.AbstractProcessingFilter;
 import org.springframework.security.ui.FilterChainOrder;
@@ -37,6 +53,10 @@ import org.springframework.security.ui.FilterChainOrder;
 
 public class FederationAuthenticationFilter extends AbstractProcessingFilter {
     
+    private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFilter.class);
+                                                              
+    private FederationConfig federationConfig;
+    
     public FederationAuthenticationFilter() {
         super();
     }
@@ -46,13 +66,36 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter
{
      */
     @Override
     protected boolean requiresAuthentication(final HttpServletRequest request, final HttpServletResponse
response) {
-        final boolean result = request.getRequestURI().contains(getFilterProcessesUrl());
-        
+        boolean result = request.getRequestURI().contains(getFilterProcessesUrl());
+        result |= isTokenExpired();
         if (logger.isDebugEnabled()) {
             logger.debug("requiresAuthentication = " + result);
         }
         return result;
     }
+    
+    private boolean isTokenExpired() {
+        SecurityContext context = SecurityContextHolder.getContext();
+        boolean detectExpiredTokens = 
+            federationConfig != null && federationConfig.getFedizContext().isDetectExpiredTokens();
+        if (context != null && detectExpiredTokens) {
+            Authentication authentication = context.getAuthentication();
+            if (authentication instanceof FederationAuthenticationToken) {
+                Date tokenExpires = 
+                    ((FederationAuthenticationToken)authentication).getResponse().getTokenExpires();
+                if (tokenExpires == null) {
+                    return false;
+                }
+
+                Date currentTime = new Date();
+                if (currentTime.after(tokenExpires)) {
+                    return true;
+                }
+            }
+        }
+            
+        return false;
+    }
 
     @Override
     public int getOrder() {
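Review bot: isTokenExpired has no Javadoc, and its `federationConfig != null` guard means a filter that is never wired with a FederationConfig silently skips expiry detection even when the Fediz context asks for it; that is worth stating, e.g. `/** True when the SecurityContext holds a FederationAuthenticationToken whose response has a tokenExpires before now; false when detection is off, no FederationConfig is set, or no expiry is recorded. */`. Whether `getResponse()` can be null is not visible here; if it can, the dereference on the `Date tokenExpires =` line would throw. The comparison `currentTime.after(tokenExpires)` applies no tolerance for clock skew between the STS and this host, which is worth a one-line comment if that is intentional.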
@@ -61,6 +104,16 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter
{
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException
{
+        
+        SecurityContext context = SecurityContextHolder.getContext();
+        if (context != null) {
+            Authentication authentication = context.getAuthentication();
+            if (authentication instanceof FederationAuthenticationToken) {
+                // If we reach this point then the token must be expired
+                throw new ExpiredTokenException("Token is expired");
+            }
+        }
+        
         String wa = request.getParameter(FederationConstants.PARAM_ACTION);
         String responseToken = getResponseToken(request);
         FedizRequest wfReq = new FedizRequest();
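Review bot: The comment `// If we reach this point then the token must be expired` does not hold: requiresAuthentication in the previous hunk also returns true when the request URI contains the filter processes URL, so an already-signed-in user whose browser posts a new sign-in response to that URL is rejected with ExpiredTokenException although the token is still valid. Re-checking expiry here avoids that: `if (authentication instanceof FederationAuthenticationToken && isTokenExpired()) {`. attemptAuthentication continues beyond the hunk.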
@@ -80,6 +133,48 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter
{
         return this.getAuthenticationManager().authenticate(authRequest);
     }
     
+    @Override
+    public void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse
response,
+                                             AuthenticationException authException) {
+        if (authException instanceof ExpiredTokenException) {
+            String redirectUrl = null;
+            try {
+                FedizContext fedContext = federationConfig.getFedizContext();
+                FedizProcessor wfProc = 
+                    FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
+                RedirectionResponse redirectionResponse =
+                    wfProc.createSignInRequest(request, fedContext);
+                redirectUrl = redirectionResponse.getRedirectionURL();
+                
+                if (redirectUrl == null) {
+                    LOG.warn("Failed to create SignInRequest. Redirect URL null");
+                    throw new BadCredentialsException("Failed to create SignInRequest. Redirect
URL null");
+                }
+                
+                Map<String, String> headers = redirectionResponse.getHeaders();
+                if (!headers.isEmpty()) {
+                    for (String headerName : headers.keySet()) {
+                        response.addHeader(headerName, headers.get(headerName));
+                    }
+                }
+                
+            } catch (ProcessingException ex) {
+                LOG.warn("Failed to create SignInRequest", ex);
+                throw new BadCredentialsException("Failed to create SignInRequest: " + ex.getMessage());
+            }
+            
+            if (LOG.isInfoEnabled()) {
+                LOG.info("Redirecting to IDP: " + redirectUrl);
+            }
+            try {
+                response.sendRedirect(redirectUrl);
+            } catch (IOException ex) {
+                throw new BadCredentialsException(ex.getMessage(), ex);
+            }
+        }
+        throw authException;
+    }
+    
     private String getResponseToken(ServletRequest request) {
         if (request.getParameter(FederationConstants.PARAM_RESULT) != null) {
             return request.getParameter(FederationConstants.PARAM_RESULT);
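Review bot: `federationConfig.getFedizContext()` is dereferenced without a null check inside the ExpiredTokenException branch, whereas isTokenExpired guards `federationConfig != null`; since attemptAuthentication throws ExpiredTokenException whenever a FederationAuthenticationToken is present, a filter without a FederationConfig ends here with a NullPointerException instead of the AuthenticationException. After `response.sendRedirect(redirectUrl)` the method still does `throw authException;`, so the base class's failure handling runs on a response that is already committed; AbstractProcessingFilter is not visible here, but if it performs its own failure redirect that will fail, and it is not clear from this hunk who removes the expired token from the SecurityContext. Wrapping the IOException from sendRedirect as BadCredentialsException also reports a transport failure as a credential problem. A guard such as `if (federationConfig == null) { throw authException; }` at the top of the branch, plus a comment stating where the expired token is cleared from the context, would make the contract explicit.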
@@ -95,5 +190,12 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter
{
         return "/j_spring_fediz_security_check";
     }
 
+    public FederationConfig getFederationConfig() {
+        return federationConfig;
+    }
+
+    public void setFederationConfig(FederationConfig fedConfig) {
+        this.federationConfig = fedConfig;
+    }
 
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/88bc4bc6/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml b/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
index d3ea403..572e216 100644
--- a/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
+++ b/services/sts/src/main/webapp/WEB-INF/cxf-transport.xml
@@ -132,8 +132,8 @@
 
     <bean id="conditionsProvider"
         class="org.apache.cxf.sts.token.provider.DefaultConditionsProvider">
-        <property name="lifetime" value="1200" />
-        <property name="acceptClientLifetime" value="true" />
+        <property name="lifetime" value="5" />
+        <property name="acceptClientLifetime" value="false" />
     </bean>
 
     <util:list id="attributeStatementProvidersList">
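Review bot: The lifetime goes from 1200 to 5 and acceptClientLifetime to false in the STS's shipped cxf-transport.xml under services/sts/src/main/webapp, and the commit message does not mention the STS at all; if DefaultConditionsProvider's lifetime is in seconds, every issued token now expires after 5 seconds, which looks like a setting used to exercise the new expired-token detection rather than a production default. If it is deliberate, a comment such as `<!-- short lifetime on purpose: tokens expire after 5 s so expired-token handling in the plugins is exercised -->` above the property would stop it being reverted; otherwise the previous values should be restored or the short lifetime moved to a test configuration.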

