Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EEE5118915 for ; Fri, 13 Nov 2015 15:13:56 +0000 (UTC) Received: (qmail 77005 invoked by uid 500); 13 Nov 2015 15:13:56 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 76945 invoked by uid 500); 13 Nov 2015 15:13:56 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 76936 invoked by uid 99); 13 Nov 2015 15:13:56 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Nov 2015 15:13:56 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id ABFFCE038A; Fri, 13 Nov 2015 15:13:56 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <2a5c8befdb4d4886b186cabefdd1f7f5@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf-fediz git commit: [FEDIZ-135] Letting the sign in request to proceed Date: Fri, 13 Nov 2015 15:13:56 +0000 (UTC) Repository: cxf-fediz Updated Branches: refs/heads/master 890e2277b -> 9f05f8969 [FEDIZ-135] Letting the sign in request to proceed Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9f05f896 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9f05f896 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9f05f896 Branch: refs/heads/master Commit: 9f05f8969e9afc62d46d7be0480854a771290124 Parents: 890e227 Author: Sergey Beryozkin Authored: Fri Nov 13 15:13:42 2015 +0000 Committer: Sergey Beryozkin Committed: Fri Nov 13 15:13:42 2015 +0000 ---------------------------------------------------------------------- .../cxf/plugin/FedizRedirectBindingFilter.java | 252 +++++++++++-------- .../src/main/webapp/WEB-INF/cxf-service.xml | 1 + 2 files changed, 149 insertions(+), 104 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9f05f896/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java ---------------------------------------------------------------------- diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java index 1f1e3c8..731b24a 100644 --- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java +++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java 
@@ -18,6 +18,7 @@ */ package org.apache.cxf.fediz.cxf.plugin; +import java.io.IOException; import java.io.InputStream; import java.net.URI; import java.security.cert.X509Certificate; @@ -32,6 +33,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.HttpMethod; import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.container.ContainerResponseContext; +import javax.ws.rs.container.ContainerResponseFilter; import javax.ws.rs.core.Context; import javax.ws.rs.core.Cookie; import javax.ws.rs.core.HttpHeaders; @@ -40,6 +43,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.ResponseBuilder; import org.w3c.dom.Document; + import org.apache.cxf.fediz.core.FederationConstants; import org.apache.cxf.fediz.core.RequestState; import org.apache.cxf.fediz.core.SAMLSSOConstants; @@ -65,12 +69,15 @@ import org.apache.wss4j.common.util.DOM2Writer; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter { +public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter + implements ContainerResponseFilter { private static final Logger LOG = LoggerFactory.getLogger(FedizRedirectBindingFilter.class); @Context private MessageContext messageContext; + + private boolean redirectOnInitialSignIn; public void filter(ContainerRequestContext context) { Message m = JAXRSUtils.getCurrentMessage(); 
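Review bot: The new field `private boolean redirectOnInitialSignIn;` carries no comment and defaults to false, so after this commit a successful sign-in response no longer ends in the 303 redirect that the removed lines of the next hunk always performed; deployments relying on that behaviour must now set the property explicitly. A comment on the field would make the switch of defaults visible, e.g. `// false (default): the sign-in response proceeds to the resource and the cookie is attached by the response filter; true: answer with a 303 to the request URI as before`. Declaring the class as a ContainerResponseFilter also only takes effect if the same instance is registered as a response filter, which this hunk cannot show. The class body continues past the hunk.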
@@ -107,127 +114,146 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter { return; } else { if (isSignInRequired(fedConfig, params)) { - // Unauthenticated -> redirect - FedizProcessor processor = - FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()); - - HttpServletRequest request = messageContext.getHttpServletRequest(); - try { - RedirectionResponse redirectionResponse = - processor.createSignInRequest(request, fedConfig); - String redirectURL = redirectionResponse.getRedirectionURL(); - if (redirectURL != null) { - ResponseBuilder response = Response.seeOther(new URI(redirectURL)); - Map headers = redirectionResponse.getHeaders(); - if (!headers.isEmpty()) { - for (String headerName : headers.keySet()) { - response.header(headerName, headers.get(headerName)); - } - } - - // Save the RequestState - RequestState requestState = redirectionResponse.getRequestState(); - if (requestState != null && requestState.getState() != null) { - getStateManager().setRequestState(requestState.getState(), requestState); - - String contextCookie = - CookieUtils.createCookie(SECURITY_CONTEXT_STATE, - requestState.getState(), - request.getRequestURI(), - getWebAppDomain(), - getStateTimeToLive()); - response.header("Set-Cookie", contextCookie); - } - - context.abortWith(response.build()); - } else { - LOG.warn("Failed to create SignInRequest."); - throw ExceptionUtils.toInternalServerErrorException(null, null); - } - } catch (Exception ex) { - LOG.debug(ex.getMessage(), ex); - throw ExceptionUtils.toInternalServerErrorException(ex, null); - } + processSignInRequired(context, fedConfig); } else if (isSignInRequest(fedConfig, params)) { - String responseToken = getResponseToken(fedConfig, params); - String state = getState(fedConfig, params); + processSignInRequest(context, fedConfig, params, m); + } else { + LOG.error("SignIn parameter is incorrect or not supported"); + throw ExceptionUtils.toBadRequestException(null, null); + } + } + } + + 
private void processSignInRequest(ContainerRequestContext context, FedizContext fedConfig, + MultivaluedMap params, Message m) { + String responseToken = getResponseToken(fedConfig, params); + String state = getState(fedConfig, params); - if (responseToken == null) { - if (LOG.isDebugEnabled()) { - LOG.debug("SignIn request must contain a response token from the IdP"); - } - throw ExceptionUtils.toBadRequestException(null, null); - } else { - // processSignInRequest - if (LOG.isDebugEnabled()) { - LOG.debug("Process SignIn request"); - LOG.debug("token=\n" + responseToken); - } + if (responseToken == null) { + if (LOG.isDebugEnabled()) { + LOG.debug("SignIn request must contain a response token from the IdP"); + } + throw ExceptionUtils.toBadRequestException(null, null); + } else { + // processSignInRequest + if (LOG.isDebugEnabled()) { + LOG.debug("Process SignIn request"); + LOG.debug("token=\n" + responseToken); + } - FedizResponse wfRes = - validateSignInRequest(fedConfig, params, responseToken, state); + FedizResponse wfRes = + validateSignInRequest(fedConfig, params, responseToken, state); - // Validate AudienceRestriction - List audienceURIs = fedConfig.getAudienceUris(); - HttpServletRequest request = messageContext.getHttpServletRequest(); - validateAudienceRestrictions(wfRes, audienceURIs, request); + // Validate AudienceRestriction + List audienceURIs = fedConfig.getAudienceUris(); + HttpServletRequest request = messageContext.getHttpServletRequest(); + validateAudienceRestrictions(wfRes, audienceURIs, request); - // Set the security context - String securityContextKey = UUID.randomUUID().toString(); + // Set the security context + String securityContextKey = UUID.randomUUID().toString(); - long currentTime = System.currentTimeMillis(); - Date notOnOrAfter = wfRes.getTokenExpires(); - long expiresAt = 0; - if (notOnOrAfter != null) { - expiresAt = notOnOrAfter.getTime(); - } else { - expiresAt = currentTime + getStateTimeToLive(); - } + long currentTime 
= System.currentTimeMillis(); + Date notOnOrAfter = wfRes.getTokenExpires(); + long expiresAt = 0; + if (notOnOrAfter != null) { + expiresAt = notOnOrAfter.getTime(); + } else { + expiresAt = currentTime + getStateTimeToLive(); + } - String webAppDomain = getWebAppDomain(); - String token = DOM2Writer.nodeToString(wfRes.getToken()); - List roles = wfRes.getRoles(); - if (roles == null || roles.size() == 0) { - roles = Collections.singletonList("Authenticated"); - } + String webAppDomain = getWebAppDomain(); + String token = DOM2Writer.nodeToString(wfRes.getToken()); + List roles = wfRes.getRoles(); + if (roles == null || roles.size() == 0) { + roles = Collections.singletonList("Authenticated"); + } - String webAppContext = getWebAppContext(m); + String webAppContext = getWebAppContext(m); + + ResponseState responseState = + new ResponseState(token, + state, + webAppContext, + webAppDomain, + currentTime, + expiresAt); + responseState.setClaims(wfRes.getClaims()); + responseState.setRoles(roles); + responseState.setIssuer(wfRes.getIssuer()); + responseState.setSubject(wfRes.getUsername()); + getStateManager().setResponseState(securityContextKey, responseState); + + long stateTimeToLive = getStateTimeToLive(); + String contextCookie = CookieUtils.createCookie(SECURITY_CONTEXT_TOKEN, + securityContextKey, + webAppContext, + webAppDomain, + stateTimeToLive); + + // Redirect with cookie set + if (isRedirectOnInitialSignIn()) { + ResponseBuilder response = + Response.seeOther(new UriInfoImpl(m).getAbsolutePath()); + response.header(HttpHeaders.SET_COOKIE, contextCookie); + + context.abortWith(response.build()); + } else { + try { + setSecurityContext(responseState, m, wfRes.getToken()); + context.setProperty(SECURITY_CONTEXT_TOKEN, contextCookie); + } catch (Exception ex) { + reportError("INVALID_RESPONSE_STATE"); + } + } + } + + } - ResponseState responseState = - new ResponseState(token, - state, - webAppContext, - webAppDomain, - currentTime, - expiresAt); - 
responseState.setClaims(wfRes.getClaims()); - responseState.setRoles(roles); - responseState.setIssuer(wfRes.getIssuer()); - responseState.setSubject(wfRes.getUsername()); - getStateManager().setResponseState(securityContextKey, responseState); + private void processSignInRequired(ContainerRequestContext context, FedizContext fedConfig) { + // Unauthenticated -> redirect + FedizProcessor processor = + FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()); - long stateTimeToLive = getStateTimeToLive(); - String contextCookie = CookieUtils.createCookie(SECURITY_CONTEXT_TOKEN, - securityContextKey, - webAppContext, - webAppDomain, - stateTimeToLive); + HttpServletRequest request = messageContext.getHttpServletRequest(); + try { + RedirectionResponse redirectionResponse = + processor.createSignInRequest(request, fedConfig); + String redirectURL = redirectionResponse.getRedirectionURL(); + if (redirectURL != null) { + ResponseBuilder response = Response.seeOther(new URI(redirectURL)); + Map headers = redirectionResponse.getHeaders(); + if (!headers.isEmpty()) { + for (String headerName : headers.keySet()) { + response.header(headerName, headers.get(headerName)); + } + } - // Redirect with cookie set - ResponseBuilder response = - Response.seeOther(new UriInfoImpl(m).getAbsolutePath()); - response.header("Set-Cookie", contextCookie); + // Save the RequestState + RequestState requestState = redirectionResponse.getRequestState(); + if (requestState != null && requestState.getState() != null) { + getStateManager().setRequestState(requestState.getState(), requestState); - context.abortWith(response.build()); + String contextCookie = + CookieUtils.createCookie(SECURITY_CONTEXT_STATE, + requestState.getState(), + request.getRequestURI(), + getWebAppDomain(), + getStateTimeToLive()); + response.header(HttpHeaders.SET_COOKIE, contextCookie); } + context.abortWith(response.build()); } else { - LOG.error("SignIn parameter is incorrect or not supported"); - throw 
ExceptionUtils.toBadRequestException(null, null); + LOG.warn("Failed to create SignInRequest."); + throw ExceptionUtils.toInternalServerErrorException(null, null); } + } catch (Exception ex) { + LOG.debug(ex.getMessage(), ex); + throw ExceptionUtils.toInternalServerErrorException(ex, null); } + } - + private boolean isMetadataRequest(ContainerRequestContext context, FedizContext fedConfig) { String requestPath = context.getUriInfo().getPath(); // See if it is a Metadata request @@ -486,5 +512,23 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter { } } } + + public boolean isRedirectOnInitialSignIn() { + return redirectOnInitialSignIn; + } + + public void setRedirectOnInitialSignIn(boolean redirectOnInitialSignIn) { + this.redirectOnInitialSignIn = redirectOnInitialSignIn; + } + + @Override + public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) + throws IOException { + String tokenContext = (String)requestContext.getProperty(SECURITY_CONTEXT_TOKEN); + if (tokenContext != null) { + responseContext.getHeaders().add(HttpHeaders.SET_COOKIE, tokenContext); + } + + } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9f05f896/systests/webapps/cxfWebapp/src/main/webapp/WEB-INF/cxf-service.xml ---------------------------------------------------------------------- diff --git a/systests/webapps/cxfWebapp/src/main/webapp/WEB-INF/cxf-service.xml b/systests/webapps/cxfWebapp/src/main/webapp/WEB-INF/cxf-service.xml index 1c3207f..036ba24 100644 --- a/systests/webapps/cxfWebapp/src/main/webapp/WEB-INF/cxf-service.xml +++ b/systests/webapps/cxfWebapp/src/main/webapp/WEB-INF/cxf-service.xml @@ -53,6 +53,7 @@ +
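Review bot: In the new non-redirect branch at the end of processSignInRequest, `catch (Exception ex)` discards `ex` before calling `reportError("INVALID_RESPONSE_STATE")`, so a failure inside setSecurityContext leaves no record of its cause. The sibling path in processSignInRequired keeps the cause with `LOG.debug(ex.getMessage(), ex);`; this branch should do the same, e.g. `LOG.debug("Failed to set the security context", ex);` before `reportError(...)`. Whether reportError aborts the request is not visible in this hunk; if it returns normally, the ResponseState has already been stored under securityContextKey while the request continues with neither a security context nor the SECURITY_CONTEXT_TOKEN property the response filter relies on, so confirm that it throws. The moved `LOG.debug("token=\n" + responseToken)` still writes the complete IdP token to the log at debug level; that is pre-existing, but it is worth a comment so operators know what enabling debug logging exposes.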
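Review bot: The new `isRedirectOnInitialSignIn`/`setRedirectOnInitialSignIn` pair and the response-side `filter` method have no Javadoc, although together they define the two sign-in modes this commit introduces. A Javadoc on the setter along the lines of `/** When true, a successful sign-in response is answered with a 303 redirect to the request's absolute path carrying the security-context cookie; when false (the default), the request proceeds to the resource and the cookie is added by the response filter. */` would cover both, plus a one-line comment on the response filter such as `// Attach the cookie staged by processSignInRequest when the sign-in request was allowed to proceed`. The response filter appends the cookie to whatever response the resource produced, presumably also to error responses; if that is intended because the response state is already persisted, the Javadoc should say so. The class ends in this hunk.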