From cohei...@apache.org
Subject [3/3] cxf-fediz git commit: [FEDIZ-108] - Jetty plugin support for configurable token validation
Date Wed, 02 Sep 2015 11:33:36 GMT
[FEDIZ-108] - Jetty plugin support for configurable token validation


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/91e97c79
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/91e97c79
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/91e97c79

Branch: refs/heads/master
Commit: 91e97c7941725f0016986fad4e3cca0c1fd8871a
Parents: 0830b2e
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Sep 2 12:32:44 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Sep 2 12:32:44 2015 +0100

----------------------------------------------------------------------
 .../fediz/jetty8/FederationAuthenticator.java   | 37 ++++++++++++++++----
 .../fediz/jetty8/FederationUserIdentity.java    |  8 +++--
 2 files changed, 36 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/91e97c79/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
index d2f01f6..a1c650f 100644
--- a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
+++ b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
@@ -25,6 +25,7 @@ import java.io.InputStream;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.Date;
 import java.util.Map;
 
 import javax.servlet.ServletOutputStream;
@@ -240,7 +241,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     {
                         session=renewSession(request,response);
 
-                        FederationUserIdentity  fui = (FederationUserIdentity)user;
+                        FederationUserIdentity fui = (FederationUserIdentity)user;
                         session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
 
                         // Redirect to original request
@@ -306,11 +307,8 @@ public class FederationAuthenticator extends LoginAuthenticator {
             if (authentication != null) 
             {
                 // Has authentication been revoked?
-                if (authentication instanceof Authentication.User && 
-                    _loginService!=null &&
-                    !_loginService.validate(((Authentication.User)authentication).getUserIdentity()))
-                {
-                
+                if (authentication instanceof Authentication.User
+                    && isTokenExpired(fedConfig, ((Authentication.User)authentication).getUserIdentity()))
{
                     session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
                 }
                 else
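Review bot: The rewritten condition no longer calls `_loginService.validate(...)`, so a cached `Authentication.User` is dropped only when `isTokenExpired` returns true, and that method returns false whenever `fedConfig.isDetectExpiredTokens()` is off. With detection disabled the session authentication is therefore reused without any re-validation; whether the login service's `validate` did meaningful work is not visible here, so confirm nothing relied on it. The comment `// Has authentication been revoked?` no longer matches the test and would read better as `// Has the token expired? (checked only when detectExpiredTokens is enabled)`. The expiry branch removes only `SessionAuthentication.__J_AUTHENTICATED`; whether `SECURITY_TOKEN_ATTR` is cleared elsewhere cannot be seen, because the enclosing method starts and ends outside this hunk.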
@@ -400,6 +398,33 @@ public class FederationAuthenticator extends LoginAuthenticator {
          * catch (ServletException e) { throw new ServerAuthException(e); }
          */
     }
+    
+    private boolean isTokenExpired(FedizContext fedConfig, UserIdentity userIdentity) {
+        if (fedConfig.isDetectExpiredTokens()) {
+            try {
+                FederationUserIdentity fui = (FederationUserIdentity)userIdentity;
+                Date tokenExpires = fui.getExpiryDate();
+                if (tokenExpires == null) {
+                    LOG.debug("Token doesn't expire");
+                    return false;
+                }
+    
+                Date currentTime = new Date();
+                if (!currentTime.after(tokenExpires)) {
+                    return false;
+                } else {
+                    LOG.warn("Token already expired. Clean up and redirect");
+    
+                    return true;
+                }
+            } catch (ClassCastException ex) {
+                LOG.warn("UserIdentity must be instance of FederationUserIdentity");
+                throw new IllegalStateException("UserIdentity must be instance of FederationUserIdentity");
+            }
+        }
+        
+        return false;
+    }
 
     private boolean isSignInRequest(ServletRequest request, FedizContext fedConfig) {
         if (fedConfig.getProtocol() instanceof FederationProtocol
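Review bot: In `isTokenExpired`, a null `getExpiryDate()` is treated as a token that never expires and is logged only at debug level, so an identity without an expiry date is never timed out by this check even when `isDetectExpiredTokens()` is true. The method has no Javadoc; it should state that both the disabled-detection case and the null-expiry case return false, so the fail-open behaviour is a documented decision rather than an accident. The cast is guarded by catching `ClassCastException`, which uses an exception as a type test; an explicit check before the cast is clearer: `if (!(userIdentity instanceof FederationUserIdentity)) { throw new IllegalStateException("UserIdentity must be instance of FederationUserIdentity"); }`. The method is fully contained in this hunk.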

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/91e97c79/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationUserIdentity.java
----------------------------------------------------------------------
diff --git a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationUserIdentity.java
b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationUserIdentity.java
index c1e08e0..0c1f634 100644
--- a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationUserIdentity.java
+++ b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationUserIdentity.java
@@ -58,9 +58,11 @@ public class FederationUserIdentity implements UserIdentity {
             role = scope.getRoleRefMap().get(role);
         }
         
-        for (String r : this.roles) {
-            if (r.equals(role)) {
-                return true;
+        if (this.roles != null) {
+            for (String r : this.roles) {
+                if (r.equals(role)) {
+                    return true;
+                }
             }
         }
         return false;
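Review bot: The `this.roles != null` guard handles a null role collection only in this one method, and nothing in the hunk says why the field can be null. The outcome is the safe one, since an identity without roles matches no role, but it deserves a comment above the guard such as `// roles may be null; an identity without roles matches no role`. If the constructor (not visible here) is where null can arrive, normalising the field to an empty collection there would protect any other reader of `roles` as well. The enclosing method starts outside this hunk.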

