cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf-fediz git commit: Update the converter to use the original assertion's time properties if available
Date Tue, 15 Dec 2015 17:21:59 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 6068e648c -> d56d64742


Update the converter to use the original assertion's time properties if available


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d56d6474
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d56d6474
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d56d6474

Branch: refs/heads/master
Commit: d56d6474227d15fac434d510bd76a85f0a2e0452
Parents: 6068e64
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Dec 15 17:21:42 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Dec 15 17:21:42 2015 +0000

----------------------------------------------------------------------
 .../fediz/service/oidc/SamlTokenConverter.java  | 93 +++++++++++++++-----
 1 file changed, 69 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d56d6474/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
index 4178017..2d0e31d 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
@@ -27,6 +27,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.joda.time.DateTime;
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.Issuer;
 
@@ -34,33 +35,69 @@ import org.opensaml.saml.saml2.core.Issuer;
 public class SamlTokenConverter {
 
     private String issuer;
+    private long defaultTimeToLive = 3600L;
     
     public IdToken convertToIdToken(Element samlToken, 
                                     String subjectName, 
                                     ClaimCollection claims,
                                     String clientId) {
+        // The current SAML Assertion represents an authentication record.
+        // It has to be translated into IdToken (JWT) so that it can be returned 
+        // to client applications participating in various OIDC flows.
+        
         IdToken idToken = new IdToken();
+        // Subject name is provided by FedizPrincipal which is initialized from the current
SAML token 
         idToken.setSubject(subjectName);
+        // SAML assertion audiences might be added if needed given that JWT can hold an array
of audiences
         idToken.setAudience(clientId);
         
-        long currentTimeInSeconds = System.currentTimeMillis() / 1000L;
-        idToken.setIssuedAt(currentTimeInSeconds);
-        idToken.setExpiryTime(currentTimeInSeconds + 60000L);
-        
-        Assertion saml2Assertion = null;
-        // Set the authInstant
-        try {
-            SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
-            saml2Assertion = wrapper.getSaml2();
-            if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty())
{
-                long authInstant = 
-                    saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis();
-                idToken.setAuthenticationTime(authInstant / 1000L);
+        Assertion saml2Assertion = getSaml2Assertion(samlToken);
+        if (saml2Assertion != null) {
+            // Issuer
+            Issuer assertionIssuer = saml2Assertion.getIssuer();
+            if (assertionIssuer != null) {
+                idToken.setIssuer(assertionIssuer.getValue());
             }
-        } catch (WSSecurityException ex) {
-            throw new OAuthServiceException("Error converting SAML token", ex);
+            // issueInstant
+            DateTime issueInstant = saml2Assertion.getIssueInstant();
+            if (issueInstant != null) {
+                idToken.setIssuedAt(issueInstant.getMillis() / 1000);
+            }
+            
+            // expiryTime
+            if (saml2Assertion.getConditions() != null) {
+                DateTime expires = saml2Assertion.getConditions().getNotOnOrAfter();
+                if (expires != null) {
+                    idToken.setExpiryTime(expires.getMillis() / 1000);
+                }
+            }
+            
+            // authInstant
+            if (!saml2Assertion.getAuthnStatements().isEmpty()) {
+                DateTime authInstant = 
+                    saml2Assertion.getAuthnStatements().get(0).getAuthnInstant();
+                idToken.setAuthenticationTime(authInstant.getMillis() / 1000L);
+            }
+        }
+        // Check if default issuer, issuedAt and expiryTime values have to be set 
+        if (issuer != null) {
+            idToken.setIssuer(issuer);
+        } else if (saml2Assertion != null) {
+            Issuer assertionIssuer = saml2Assertion.getIssuer();
+            if (assertionIssuer != null) {
+                idToken.setIssuer(assertionIssuer.getValue());
+            }
+        }
+        
+        long currentTimeInSecs = System.currentTimeMillis() / 1000;
+        if (idToken.getIssuedAt() == null) {
+            idToken.setIssuedAt(currentTimeInSecs);
+        }
+        if (idToken.getExpiryTime() == null) {
+            idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive);
         }
         
+        
         // Map claims
         if (claims != null) {
             String firstName = null;
@@ -93,21 +130,29 @@ public class SamlTokenConverter {
             }
         }
         
-        if (issuer != null) {
-            idToken.setIssuer(issuer);
-        } else if (saml2Assertion != null) {
-            Issuer assertionIssuer = saml2Assertion.getIssuer();
-            if (assertionIssuer != null) {
-                idToken.setIssuer(assertionIssuer.getValue());
-            }
-        }
-        
         return idToken;
     }
 
     
+    private Assertion getSaml2Assertion(Element samlToken) {
+        // Should a null assertion lead to the exception ?
+        try {
+            SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
+            return wrapper.getSaml2();
+        } catch (WSSecurityException ex) {
+            throw new OAuthServiceException("Error converting SAML token", ex);
+        }
+        
+    }
+
+
     public void setIssuer(String issuer) {
         this.issuer = issuer;
     }
 
+
+    public void setDefaultTimeToLive(long defaultTimeToLive) {
+        this.defaultTimeToLive = defaultTimeToLive;
+    }
+
 }


Mime
View raw message