cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf-fediz git commit: Merging SamlTokenConverter into FedizSubjectCreator given this conversion is a temp solution until OIDC starts managing the auth itself
Date Mon, 08 Feb 2016 14:13:45 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 4d9c688e1 -> 61f6c7e6e


Merging SamlTokenConverter into FedizSubjectCreator given this conversion is a temp solution
until OIDC starts managing the auth itself


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/61f6c7e6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/61f6c7e6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/61f6c7e6

Branch: refs/heads/master
Commit: 61f6c7e6e090c3df3bf0e64ce5d87aaf69d894e2
Parents: 4d9c688
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Feb 8 14:13:30 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Feb 8 14:13:30 2016 +0000

----------------------------------------------------------------------
 .../fediz/service/oidc/FedizSubjectCreator.java | 135 +++++++++++++++-
 .../fediz/service/oidc/SamlTokenConverter.java  | 153 -------------------
 .../src/main/webapp/WEB-INF/data-manager.xml    |   6 +-
 3 files changed, 129 insertions(+), 165 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/61f6c7e6/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
index f030f06..4502816 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -20,6 +20,11 @@ package org.apache.cxf.fediz.service.oidc;
 
 import java.security.Principal;
 
+import org.w3c.dom.Element;
+
+import org.apache.cxf.fediz.core.Claim;
+import org.apache.cxf.fediz.core.ClaimCollection;
+import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FedizPrincipal;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -28,10 +33,17 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.joda.time.DateTime;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Issuer;
+
 
 public class FedizSubjectCreator implements SubjectCreator {
 
-    private SamlTokenConverter tokenConverter = new SamlTokenConverter();
+    private String issuer;
+    private long defaultTimeToLive = 3600L;
     
     
     @Override
@@ -46,10 +58,10 @@ public class FedizSubjectCreator implements SubjectCreator {
         // In the future FedizPrincipal will likely have JWT claims already prepared,
         // with IdToken being initialized here from those claims + client id 
         
-        IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
-                                               fedizPrincipal.getName(), 
-                                               fedizPrincipal.getClaims(),
-                                               client.getClientId());
+        IdToken idToken = convertToIdToken(fedizPrincipal.getLoginToken(),
+                                           fedizPrincipal.getName(), 
+                                           fedizPrincipal.getClaims(),
+                                           client.getClientId());
         
         OidcUserSubject oidcSub = new OidcUserSubject();
         oidcSub.setLogin(fedizPrincipal.getName());
@@ -59,8 +71,117 @@ public class FedizSubjectCreator implements SubjectCreator {
         return oidcSub;
     }
     
-    public void setTokenConverter(SamlTokenConverter tokenConverter) {
-        this.tokenConverter = tokenConverter;
+    public IdToken convertToIdToken(Element samlToken, 
+            String subjectName, 
+            ClaimCollection claims,
+            String clientId) {
+        // The current SAML Assertion represents anauthentication record.
+        // It has to be translated into IdToken (JWT) so that it can be returned 
+        // to client applications participating in various OIDC flows.
+        
+        IdToken idToken = new IdToken();
+        // Subject name is provided by FedizPrincipal which is initialized from the current
SAML token 
+        idToken.setSubject(subjectName);
+        // SAML assertion audiences might be added if needed given that JWT can hold an array
of audiences
+        idToken.setAudience(clientId);
+        
+        Assertion saml2Assertion = getSaml2Assertion(samlToken);
+        if (saml2Assertion != null) {
+            // issueInstant
+            DateTime issueInstant = saml2Assertion.getIssueInstant();
+            if (issueInstant != null) {
+                idToken.setIssuedAt(issueInstant.getMillis() / 1000);
+            }
+        
+            // expiryTime
+            if (saml2Assertion.getConditions() != null) {
+                DateTime expires = saml2Assertion.getConditions().getNotOnOrAfter();
+                if (expires != null) {
+                    idToken.setExpiryTime(expires.getMillis() / 1000);
+                }
+            }
+        
+            // authInstant
+            if (!saml2Assertion.getAuthnStatements().isEmpty()) {
+                DateTime authInstant = 
+                saml2Assertion.getAuthnStatements().get(0).getAuthnInstant();
+                idToken.setAuthenticationTime(authInstant.getMillis() / 1000L);
+            }
+        }
+        // Check if default issuer, issuedAt and expiryTime values have to be set 
+        if (issuer != null) {
+            idToken.setIssuer(issuer);
+        } else if (saml2Assertion != null) {
+            Issuer assertionIssuer = saml2Assertion.getIssuer();
+            if (assertionIssuer != null) {
+                idToken.setIssuer(assertionIssuer.getValue());
+            }
+        }
+        
+        long currentTimeInSecs = System.currentTimeMillis() / 1000;
+        if (idToken.getIssuedAt() == null) {
+            idToken.setIssuedAt(currentTimeInSecs);
+        }
+        if (idToken.getExpiryTime() == null) {
+            idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive);
+        }
+        
+        // Map claims
+        if (claims != null) {
+            String firstName = null;
+            String lastName = null;
+            for (Claim c : claims) {
+                if (!(c.getValue() instanceof String)) {
+                    continue;
+                }
+                if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) {
+                    idToken.setGivenName((String)c.getValue());
+                    firstName = (String)c.getValue();
+                } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) {
+                    idToken.setFamilyName((String)c.getValue());
+                    lastName = (String)c.getValue();
+                } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) {
+                    idToken.setEmail((String)c.getValue());
+                } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) {
+                    idToken.setBirthDate((String)c.getValue());
+                } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) {
+                    idToken.setPhoneNumber((String)c.getValue());
+                } else if (ClaimTypes.GENDER.equals(c.getClaimType())) {
+                    idToken.setGender((String)c.getValue());
+                } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) {
+                    idToken.setWebsite((String)c.getValue());
+                }
+            
+            }
+            if (firstName != null && lastName != null) {
+                idToken.setName(firstName + " " + lastName);
+            }
+            
+        }
+    
+        return idToken;
+    }
+
+
+    private Assertion getSaml2Assertion(Element samlToken) {
+        // Should a null assertion lead to the exception ?
+        try {
+            SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
+            return wrapper.getSaml2();
+        } catch (WSSecurityException ex) {
+            throw new OAuthServiceException("Error converting SAML token", ex);
+        }
+    
+    }
+
+
+    public void setIdTokenIssuer(String idTokenIssuer) {
+        this.issuer = idTokenIssuer;
+    }
+    
+    
+    public void setIdTokenTimeToLive(long idTokenTimeToLive) {
+        this.defaultTimeToLive = idTokenTimeToLive;
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/61f6c7e6/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
deleted file mode 100644
index fe55736..0000000
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.oidc;
-
-import org.w3c.dom.Element;
-
-import org.apache.cxf.fediz.core.Claim;
-import org.apache.cxf.fediz.core.ClaimCollection;
-import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.joda.time.DateTime;
-import org.opensaml.saml.saml2.core.Assertion;
-import org.opensaml.saml.saml2.core.Issuer;
-
-
-public class SamlTokenConverter {
-
-    private String issuer;
-    private long defaultTimeToLive = 3600L;
-    
-    public IdToken convertToIdToken(Element samlToken, 
-                                    String subjectName, 
-                                    ClaimCollection claims,
-                                    String clientId) {
-        // The current SAML Assertion represents an authentication record.
-        // It has to be translated into IdToken (JWT) so that it can be returned 
-        // to client applications participating in various OIDC flows.
-        
-        IdToken idToken = new IdToken();
-        // Subject name is provided by FedizPrincipal which is initialized from the current
SAML token 
-        idToken.setSubject(subjectName);
-        // SAML assertion audiences might be added if needed given that JWT can hold an array
of audiences
-        idToken.setAudience(clientId);
-        
-        Assertion saml2Assertion = getSaml2Assertion(samlToken);
-        if (saml2Assertion != null) {
-            // issueInstant
-            DateTime issueInstant = saml2Assertion.getIssueInstant();
-            if (issueInstant != null) {
-                idToken.setIssuedAt(issueInstant.getMillis() / 1000);
-            }
-            
-            // expiryTime
-            if (saml2Assertion.getConditions() != null) {
-                DateTime expires = saml2Assertion.getConditions().getNotOnOrAfter();
-                if (expires != null) {
-                    idToken.setExpiryTime(expires.getMillis() / 1000);
-                }
-            }
-            
-            // authInstant
-            if (!saml2Assertion.getAuthnStatements().isEmpty()) {
-                DateTime authInstant = 
-                    saml2Assertion.getAuthnStatements().get(0).getAuthnInstant();
-                idToken.setAuthenticationTime(authInstant.getMillis() / 1000L);
-            }
-        }
-        // Check if default issuer, issuedAt and expiryTime values have to be set 
-        if (issuer != null) {
-            idToken.setIssuer(issuer);
-        } else if (saml2Assertion != null) {
-            Issuer assertionIssuer = saml2Assertion.getIssuer();
-            if (assertionIssuer != null) {
-                idToken.setIssuer(assertionIssuer.getValue());
-            }
-        }
-        
-        long currentTimeInSecs = System.currentTimeMillis() / 1000;
-        if (idToken.getIssuedAt() == null) {
-            idToken.setIssuedAt(currentTimeInSecs);
-        }
-        if (idToken.getExpiryTime() == null) {
-            idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive);
-        }
-        
-        
-        // Map claims
-        if (claims != null) {
-            String firstName = null;
-            String lastName = null;
-            for (Claim c : claims) {
-                if (!(c.getValue() instanceof String)) {
-                    continue;
-                }
-                if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) {
-                    idToken.setGivenName((String)c.getValue());
-                    firstName = (String)c.getValue();
-                } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) {
-                    idToken.setFamilyName((String)c.getValue());
-                    lastName = (String)c.getValue();
-                } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) {
-                    idToken.setEmail((String)c.getValue());
-                } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) {
-                    idToken.setBirthDate((String)c.getValue());
-                } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) {
-                    idToken.setPhoneNumber((String)c.getValue());
-                } else if (ClaimTypes.GENDER.equals(c.getClaimType())) {
-                    idToken.setGender((String)c.getValue());
-                } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) {
-                    idToken.setWebsite((String)c.getValue());
-                }
-            }
-            
-            if (firstName != null && lastName != null) {
-                idToken.setName(firstName + " " + lastName);
-            }
-        }
-        
-        return idToken;
-    }
-
-    
-    private Assertion getSaml2Assertion(Element samlToken) {
-        // Should a null assertion lead to the exception ?
-        try {
-            SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
-            return wrapper.getSaml2();
-        } catch (WSSecurityException ex) {
-            throw new OAuthServiceException("Error converting SAML token", ex);
-        }
-        
-    }
-
-
-    public void setIssuer(String issuer) {
-        this.issuer = issuer;
-    }
-
-
-    public void setDefaultTimeToLive(long defaultTimeToLive) {
-        this.defaultTimeToLive = defaultTimeToLive;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/61f6c7e6/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index d6e06af..9bd2c38 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -53,12 +53,8 @@
         -->
     </bean>
     
-    <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter">
-        <property name="issuer" value="accounts.fediz.com"/>
-    </bean>
-    
     <bean id="subjectCreator" class="org.apache.cxf.fediz.service.oidc.FedizSubjectCreator">
-        <property name="tokenConverter" ref="samlTokenConverter"/>
+        <property name="idTokenIssuer" value="accounts.fediz.com"/>
     </bean>
          
 </beans>


Mime
View raw message