cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: [CXF-6763] - STS requires ClaimHandler even in ClaimMapping only scenarios
Date Wed, 27 Jan 2016 11:00:48 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 7e9e23cb8 -> 60166cfee


[CXF-6763] - STS requires ClaimHandler even in ClaimMapping only scenarios


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/60166cfe
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/60166cfe
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/60166cfe

Branch: refs/heads/3.1.x-fixes
Commit: 60166cfeeb268476c697d1ada15af63719362710
Parents: 7e9e23c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Jan 27 11:00:06 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Jan 27 11:00:36 2016 +0000

----------------------------------------------------------------------
 .../apache/cxf/sts/claims/ClaimsManager.java    | 176 ++++++++++---------
 .../cxf/sts/operation/AbstractOperation.java    |  23 ---
 .../cxf/sts/operation/TokenIssueOperation.java  |   7 -
 .../sts/operation/TokenValidateOperation.java   |   5 -
 .../cxf/sts/common/CustomAttributeProvider.java |  25 +--
 .../sts/operation/IssueSamlClaimsUnitTest.java  |  52 ++++++
 6 files changed, 144 insertions(+), 144 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/60166cfe/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/ClaimsManager.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/ClaimsManager.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/ClaimsManager.java
index 505f7e3..6534394 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/ClaimsManager.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/ClaimsManager.java
@@ -145,92 +145,7 @@ public class ClaimsManager {
         if (relationship == null || relationship.getType().equals(Relationship.FED_TYPE_IDENTITY))
{
             // Federate identity. Identity already mapped.
             // Call all configured claims handlers to retrieve the required claims
-            if (claimHandlers == null || claimHandlers.size() == 0) {
-                return null;
-            }
-            Principal originalPrincipal = parameters.getPrincipal();
-            ProcessedClaimCollection returnCollection = new ProcessedClaimCollection();
-            for (ClaimsHandler handler : claimHandlers) {
-                
-                ClaimCollection supportedClaims = 
-                    filterHandlerClaims(claims, handler.getSupportedClaimTypes());
-                if (supportedClaims.isEmpty()) {
-                    continue;
-                }
-                
-                if (handler instanceof RealmSupport) {
-                    RealmSupport handlerRealmSupport = (RealmSupport)handler;
-                    // Check whether the handler supports the current realm
-                    if (handlerRealmSupport.getSupportedRealms() != null
-                            && handlerRealmSupport.getSupportedRealms().size() >
0
-                            && handlerRealmSupport.getSupportedRealms().indexOf(parameters.getRealm())
== -1) {
-                        if (LOG.isLoggable(Level.FINER)) {
-                            LOG.finer("Handler '" + handler.getClass().getName() + "' doesn't
support"
-                                    + " realm '" + parameters.getRealm()  + "'");
-                        }
-                        continue;
-                    }
-                    
-                    // If handler realm is configured and different from current realm
-                    // do an identity mapping
-                    if (handlerRealmSupport.getHandlerRealm() != null
-                            && !handlerRealmSupport.getHandlerRealm().equalsIgnoreCase(parameters.getRealm()))
{
-                        Principal targetPrincipal = null;
-                        try {
-                            if (LOG.isLoggable(Level.FINE)) {
-                                LOG.fine("Mapping user '" + parameters.getPrincipal().getName()
-                                        + "' [" + parameters.getRealm() + "] to realm '"
-                                        + handlerRealmSupport.getHandlerRealm() + "'");
-                            }
-                            targetPrincipal = doMapping(parameters.getRealm(), parameters.getPrincipal(),
-                                    handlerRealmSupport.getHandlerRealm());
-                        } catch (Exception ex) {
-                            LOG.log(Level.WARNING, "Failed to map user '" + parameters.getPrincipal().getName()
-                                    + "' [" + parameters.getRealm() + "] to realm '"
-                                    + handlerRealmSupport.getHandlerRealm() + "'", ex);
-                            throw new STSException("Failed to map user for claims handler",
-                                    STSException.REQUEST_FAILED);
-                        }
-                        
-                        if (targetPrincipal == null || targetPrincipal.getName() == null)
{
-                            LOG.log(Level.WARNING, "Null. Failed to map user '" + parameters.getPrincipal().getName()
-                                    + "' [" + parameters.getRealm() + "] to realm '"
-                                    + handlerRealmSupport.getHandlerRealm() + "'");
-                            continue;
-                        }
-                        if (LOG.isLoggable(Level.INFO)) {
-                            LOG.info("Principal '" + targetPrincipal.getName()
-                                    + "' passed to handler '" + handler.getClass().getName()
+ "'");
-                        }
-                        parameters.setPrincipal(targetPrincipal);
-                    } else {
-                        if (LOG.isLoggable(Level.FINER)) {
-                            LOG.finer("Handler '" + handler.getClass().getName() + "' doesn't
require"
-                                    + " identity mapping '" + parameters.getRealm()  + "'");
-                        }
-                        
-                    }
-                }
-                
-                ProcessedClaimCollection claimCollection = null;
-                try {
-                    claimCollection = handler.retrieveClaimValues(supportedClaims, parameters);
-                } catch (RuntimeException ex) {
-                    LOG.log(Level.INFO, "Failed retrieving claims from ClaimsHandler "
-                            + handler.getClass().getName(), ex);
-                    if (this.isStopProcessingOnException()) {
-                        throw ex;
-                    }
-                } finally {
-                    // set original principal again, otherwise wrong principal passed to
next claim handler in the list
-                    // if no mapping required or wrong source principal used for next identity
mapping
-                    parameters.setPrincipal(originalPrincipal);
-                }
-                
-                if (claimCollection != null && claimCollection.size() != 0) {
-                    returnCollection.addAll(claimCollection);
-                }
-            }
+            ProcessedClaimCollection returnCollection = handleClaims(claims, parameters);
             validateClaimValues(claims, returnCollection);
             return returnCollection;
             
@@ -263,6 +178,95 @@ public class ClaimsManager {
         }
 
     }
+    
+    private ProcessedClaimCollection handleClaims(ClaimCollection claims, ClaimsParameters
parameters) {
+        ProcessedClaimCollection returnCollection = new ProcessedClaimCollection();
+        Principal originalPrincipal = parameters.getPrincipal();
+        
+        for (ClaimsHandler handler : claimHandlers) {
+            
+            ClaimCollection supportedClaims = 
+                filterHandlerClaims(claims, handler.getSupportedClaimTypes());
+            if (supportedClaims.isEmpty()) {
+                continue;
+            }
+            
+            if (handler instanceof RealmSupport) {
+                RealmSupport handlerRealmSupport = (RealmSupport)handler;
+                // Check whether the handler supports the current realm
+                if (handlerRealmSupport.getSupportedRealms() != null
+                        && handlerRealmSupport.getSupportedRealms().size() > 0
+                        && handlerRealmSupport.getSupportedRealms().indexOf(parameters.getRealm())
== -1) {
+                    if (LOG.isLoggable(Level.FINER)) {
+                        LOG.finer("Handler '" + handler.getClass().getName() + "' doesn't
support"
+                                + " realm '" + parameters.getRealm()  + "'");
+                    }
+                    continue;
+                }
+                
+                // If handler realm is configured and different from current realm
+                // do an identity mapping
+                if (handlerRealmSupport.getHandlerRealm() != null
+                        && !handlerRealmSupport.getHandlerRealm().equalsIgnoreCase(parameters.getRealm()))
{
+                    Principal targetPrincipal = null;
+                    try {
+                        if (LOG.isLoggable(Level.FINE)) {
+                            LOG.fine("Mapping user '" + parameters.getPrincipal().getName()
+                                    + "' [" + parameters.getRealm() + "] to realm '"
+                                    + handlerRealmSupport.getHandlerRealm() + "'");
+                        }
+                        targetPrincipal = doMapping(parameters.getRealm(), parameters.getPrincipal(),
+                                handlerRealmSupport.getHandlerRealm());
+                    } catch (Exception ex) {
+                        LOG.log(Level.WARNING, "Failed to map user '" + parameters.getPrincipal().getName()
+                                + "' [" + parameters.getRealm() + "] to realm '"
+                                + handlerRealmSupport.getHandlerRealm() + "'", ex);
+                        throw new STSException("Failed to map user for claims handler",
+                                STSException.REQUEST_FAILED);
+                    }
+                    
+                    if (targetPrincipal == null || targetPrincipal.getName() == null) {
+                        LOG.log(Level.WARNING, "Null. Failed to map user '" + parameters.getPrincipal().getName()
+                                + "' [" + parameters.getRealm() + "] to realm '"
+                                + handlerRealmSupport.getHandlerRealm() + "'");
+                        continue;
+                    }
+                    if (LOG.isLoggable(Level.INFO)) {
+                        LOG.info("Principal '" + targetPrincipal.getName()
+                                + "' passed to handler '" + handler.getClass().getName()
+ "'");
+                    }
+                    parameters.setPrincipal(targetPrincipal);
+                } else {
+                    if (LOG.isLoggable(Level.FINER)) {
+                        LOG.finer("Handler '" + handler.getClass().getName() + "' doesn't
require"
+                                + " identity mapping '" + parameters.getRealm()  + "'");
+                    }
+                    
+                }
+            }
+            
+            ProcessedClaimCollection claimCollection = null;
+            try {
+                claimCollection = handler.retrieveClaimValues(supportedClaims, parameters);
+            } catch (RuntimeException ex) {
+                LOG.log(Level.INFO, "Failed retrieving claims from ClaimsHandler "
+                        + handler.getClass().getName(), ex);
+                if (this.isStopProcessingOnException()) {
+                    throw ex;
+                }
+            } finally {
+                // set original principal again, otherwise wrong principal passed to next
claim handler in the list
+                // if no mapping required or wrong source principal used for next identity
mapping
+                parameters.setPrincipal(originalPrincipal);
+            }
+            
+            if (claimCollection != null && claimCollection.size() != 0) {
+                returnCollection.addAll(claimCollection);
+            }
+        }
+        
+        return returnCollection;
+    }
 
     private ClaimCollection filterHandlerClaims(ClaimCollection claims,
                                                          List<URI> handlerClaimTypes)
{

http://git-wip-us.apache.org/repos/asf/cxf/blob/60166cfe/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index e47287c..e801906 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -19,7 +19,6 @@
 
 package org.apache.cxf.sts.operation;
 
-import java.net.URI;
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Date;
@@ -37,7 +36,6 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.claims.Claim;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.sts.IdentityMapper;
 import org.apache.cxf.sts.QNameConstants;
@@ -556,27 +554,6 @@ public abstract class AbstractOperation {
         }
     }
     
-    protected void checkClaimsSupport(ClaimCollection requestedClaims) {
-        if (requestedClaims != null) {
-            List<URI> unhandledClaimTypes = new ArrayList<>();
-            for (Claim requestedClaim : requestedClaims) {
-                if (!claimsManager.getSupportedClaimTypes().contains(requestedClaim.getClaimType())

-                        && !requestedClaim.isOptional()) {
-                    unhandledClaimTypes.add(requestedClaim.getClaimType());
-                }
-            }
-
-            if (unhandledClaimTypes.size() > 0) {
-                LOG.log(Level.WARNING, "The requested claim " + unhandledClaimTypes.toString()

-                        + " cannot be fulfilled by the STS.");
-                throw new STSException(
-                        "The requested claim " + unhandledClaimTypes.toString() 
-                        + " cannot be fulfilled by the STS."
-                );
-            }
-        }
-    }
-
     protected void processValidToken(TokenProviderParameters providerParameters,
             ReceivedToken validatedToken, TokenValidatorResponse tokenResponse) {
         // Map the principal (if it exists)

http://git-wip-us.apache.org/repos/asf/cxf/blob/60166cfe/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
index 7a9b57a..580abd9 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
@@ -37,7 +37,6 @@ import org.w3c.dom.Element;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.sts.QNameConstants;
 import org.apache.cxf.sts.event.STSIssueFailureEvent;
 import org.apache.cxf.sts.event.STSIssueSuccessEvent;
@@ -118,12 +117,6 @@ public class TokenIssueOperation extends AbstractOperation implements
IssueOpera
             RequestRequirements requestRequirements = parseRequest(request, context);
     
             providerParameters = createTokenProviderParameters(requestRequirements, context);
-    
-            // Check if the requested claims can be handled by the configured claim handlers
-            ClaimCollection requestedClaims = providerParameters.getRequestedPrimaryClaims();
-            checkClaimsSupport(requestedClaims);
-            requestedClaims = providerParameters.getRequestedSecondaryClaims();
-            checkClaimsSupport(requestedClaims);
             providerParameters.setClaimsManager(claimsManager);
             
             String realm = providerParameters.getRealm();

http://git-wip-us.apache.org/repos/asf/cxf/blob/60166cfe/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenValidateOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenValidateOperation.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenValidateOperation.java
index 671094e..be8f75e 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenValidateOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenValidateOperation.java
@@ -31,7 +31,6 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.sts.QNameConstants;
 import org.apache.cxf.sts.RealmParser;
 import org.apache.cxf.sts.STSConstants;
@@ -129,10 +128,6 @@ public class TokenValidateOperation extends AbstractOperation implements
Validat
                 processValidToken(providerParameters, validateTarget, tokenResponse);
                 
                 // Check if the requested claims can be handled by the configured claim handlers
-                ClaimCollection requestedClaims = providerParameters.getRequestedPrimaryClaims();
-                checkClaimsSupport(requestedClaims);
-                requestedClaims = providerParameters.getRequestedSecondaryClaims();
-                checkClaimsSupport(requestedClaims);
                 providerParameters.setClaimsManager(claimsManager);
                 
                 Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();

http://git-wip-us.apache.org/repos/asf/cxf/blob/60166cfe/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomAttributeProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomAttributeProvider.java
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomAttributeProvider.java
index b965b33..e3deba9 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomAttributeProvider.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomAttributeProvider.java
@@ -24,8 +24,7 @@ import java.util.List;
 
 import org.w3c.dom.Element;
 
-import org.apache.cxf.sts.claims.ClaimsManager;
-import org.apache.cxf.sts.claims.ClaimsParameters;
+import org.apache.cxf.sts.claims.ClaimsUtils;
 import org.apache.cxf.sts.claims.ProcessedClaim;
 import org.apache.cxf.sts.claims.ProcessedClaimCollection;
 import org.apache.cxf.sts.request.ReceivedToken;
@@ -57,27 +56,7 @@ public class CustomAttributeProvider implements AttributeStatementProvider
{
         String tokenType = tokenRequirements.getTokenType();
         
         // Handle Claims
-        ClaimsManager claimsManager = providerParameters.getClaimsManager();
-        ProcessedClaimCollection retrievedClaims = new ProcessedClaimCollection();
-        if (claimsManager != null) {
-            ClaimsParameters params = new ClaimsParameters();
-            params.setAdditionalProperties(providerParameters.getAdditionalProperties());
-            params.setAppliesToAddress(providerParameters.getAppliesToAddress());
-            params.setEncryptionProperties(providerParameters.getEncryptionProperties());
-            params.setKeyRequirements(providerParameters.getKeyRequirements());
-            params.setPrincipal(providerParameters.getPrincipal());
-            params.setRealm(providerParameters.getRealm());
-            params.setStsProperties(providerParameters.getStsProperties());
-            params.setTokenRequirements(providerParameters.getTokenRequirements());
-            params.setTokenStore(providerParameters.getTokenStore());
-            params.setWebServiceContext(providerParameters.getWebServiceContext());
-            retrievedClaims = 
-                claimsManager.retrieveClaimValues(
-                    providerParameters.getRequestedPrimaryClaims(),
-                    providerParameters.getRequestedSecondaryClaims(),
-                    params
-                );
-        }
+        ProcessedClaimCollection retrievedClaims = ClaimsUtils.processClaims(providerParameters);
         
         AttributeStatementBean attrBean = new AttributeStatementBean();
         Iterator<ProcessedClaim> claimIterator = retrievedClaims.iterator();

http://git-wip-us.apache.org/repos/asf/cxf/blob/60166cfe/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlClaimsUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlClaimsUnitTest.java
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlClaimsUnitTest.java
index 6eb6db6..d519348 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlClaimsUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlClaimsUnitTest.java
@@ -33,6 +33,7 @@ import javax.xml.namespace.QName;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.jaxws.context.WebServiceContextImpl;
 import org.apache.cxf.jaxws.context.WrappedMessageContext;
@@ -273,6 +274,57 @@ public class IssueSamlClaimsUnitTest extends org.junit.Assert {
         assertTrue(tokenString.contains("AttributeStatement"));
         assertTrue(tokenString.contains("bob@custom"));
     }
+    
+    @org.junit.Test
+    public void testIssueTokenUnknownClaim() throws Exception {
+        TokenIssueOperation issueOperation = new TokenIssueOperation();
+        
+        // Add Token Provider
+        addTokenProvider(issueOperation);
+        
+        // Add Service
+        addService(issueOperation);
+        
+        // Add STSProperties object
+        addSTSProperties(issueOperation);
+        
+        // Set the ClaimsManager
+        ClaimsManager claimsManager = new ClaimsManager();
+        ClaimsHandler claimsHandler = new CustomClaimsHandler();
+        claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
+        issueOperation.setClaimsManager(claimsManager);
+        
+        // Mock up a request
+        RequestSecurityTokenType request = new RequestSecurityTokenType();
+        JAXBElement<String> tokenType = 
+            new JAXBElement<String>(
+                QNameConstants.TOKEN_TYPE, String.class, WSConstants.WSS_SAML2_TOKEN_TYPE
+            );
+        request.getAny().add(tokenType);
+        
+        // Add a custom claim (unknown to the CustomClaimsHandler)
+        Element secondaryParameters = createSecondaryParameters();
+        Node claims = 
+            secondaryParameters.getElementsByTagNameNS(STSConstants.WST_NS_05_12, "Claims").item(0);
+        Element claimType = claims.getOwnerDocument().createElementNS(STSConstants.IDT_NS_05_05,
"ClaimType");
+        claimType.setAttributeNS(
+            null, "Uri", ClaimTypes.COUNTRY.toString()
+        );
+        claimType.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", STSConstants.IDT_NS_05_05);
+        claims.appendChild(claimType);
+        
+        request.getAny().add(secondaryParameters);
+        request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
+        
+        WebServiceContextImpl webServiceContext = setupMessageContext();
+        
+        try {
+            issueToken(issueOperation, request, webServiceContext);
+            fail("Failure expected on an unknown non-optional claims type");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
 
     /**
      * @param issueOperation


Mime
View raw message