From cohei...@apache.org
Subject [1/3] cxf-fediz git commit: Refactoring IdP beans
Date Wed, 16 Mar 2016 17:03:08 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 000878303 -> ee79fdd1b


Refactoring IdP beans


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/c23f3a89
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/c23f3a89
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/c23f3a89

Branch: refs/heads/master
Commit: c23f3a8930c129f26ff7cab6a0666576e63e5ee0
Parents: 0008783
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Mar 16 13:32:49 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Mar 16 13:32:49 2016 +0000

----------------------------------------------------------------------
 .../fediz/service/idp/FederationEntryPoint.java | 152 -------------------
 .../cxf/fediz/service/idp/FedizEntryPoint.java  | 151 ++++++++++++++++++
 .../service/idp/beans/CacheSecurityToken.java   |   2 +-
 .../idp/beans/IdpTokenExpiredAction.java        |  71 +++++++++
 .../fediz/service/idp/beans/LogoutAction.java   |   2 +-
 .../idp/beans/ProcessHRDSExpressionAction.java  |  18 +--
 .../idp/beans/SigninParametersCacheAction.java  |   3 +-
 .../idp/beans/TrustedIdpProtocolAction.java     |  11 +-
 .../fediz/service/idp/beans/WfreshParser.java   | 116 --------------
 .../service/idp/beans/wsfed/WfreshParser.java   |  81 ++++++++++
 .../WEB-INF/flows/federation-signin-request.xml |   9 +-
 .../flows/federation-signin-response.xml        |   3 +-
 .../flows/federation-validate-request.xml       |   3 +-
 .../WEB-INF/flows/saml-signin-request.xml       |   8 +-
 .../src/main/webapp/WEB-INF/security-config.xml |   6 +-
 .../test/resources/realmb/security-config.xml   |   4 +-
 16 files changed, 335 insertions(+), 305 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
deleted file mode 100644
index 1a39ef2..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp;
-
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.cxf.fediz.core.FederationConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.service.ConfigService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.InitializingBean;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.ApplicationContextAware;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.util.Assert;
-
-
-/**
- * Used by the <code>ExceptionTranslationFilter</code> to commence authentication
via the
- * WS-Federation protocol.
- * <p>
- * The user's browser will be redirected to the IDP.
- *
- */
-public class FederationEntryPoint implements AuthenticationEntryPoint,
-    InitializingBean, ApplicationContextAware {
-    
-    private static final Logger LOG = LoggerFactory.getLogger(FederationEntryPoint.class);
-    
-    private ApplicationContext appContext;
-    private ConfigService configService;
-    private String realm;
-    private Idp idpConfig;
-
-    public ConfigService getConfigService() {
-        return configService;
-    }
-
-    public void setConfigService(ConfigService configService) {
-        this.configService = configService;
-    }
-    
-    public String getRealm() {
-        return realm;
-    }
-
-    public void setRealm(String realm) {
-        this.realm = realm;
-    }
-    
-    public void afterPropertiesSet() throws Exception {
-        Assert.notNull(this.appContext, "ApplicationContext cannot be null.");
-        Assert.notNull(this.configService, "ConfigService cannot be null.");
-        Assert.notNull(this.realm, "realm cannot be null.");
-    }
-
-    public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse
response,
-            final AuthenticationException authenticationException) throws IOException, ServletException
{
-
-        idpConfig = configService.getIDP(realm);
-        Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config
service implementation");
-        
-        String redirectUrl = null;
-        String wauth = servletRequest.getParameter(FederationConstants.PARAM_AUTH_TYPE);
-        if (wauth == null) {
-            wauth = "default";
-        }
-        String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
-        if (loginUri == null) {
-            LOG.warn("wauth value '" + wauth + "' not supported");
-            response.sendError(
-                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "wauth value '" + wauth
+ "' not supported");
-        }
-        redirectUrl = new StringBuilder(extractFullContextPath(servletRequest))
-            .append(loginUri).append("?").append(servletRequest.getQueryString()).toString();
-        
-        preCommence(servletRequest, response);
-        if (LOG.isInfoEnabled()) {
-            LOG.info("Redirect to " + redirectUrl);
-        }  
-        response.sendRedirect(redirectUrl);
-    }
-
-
-    /**
-     * Template method for you to do your own pre-processing before the redirect occurs.
-     *
-     * @param request the HttpServletRequest
-     * @param response the HttpServletResponse
-     */
-    protected void preCommence(final HttpServletRequest request, final HttpServletResponse
response) {
-
-    }
-
-    @Override
-    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
-        this.appContext = applicationContext;
-    }
-    
-    protected String extractFullContextPath(HttpServletRequest request) throws MalformedURLException
{
-        String result = null;
-        String contextPath = request.getContextPath();
-        String requestUrl = request.getRequestURL().toString();
-        
-        String requestPath = new URL(requestUrl).getPath();
-        // Cut request path of request url and add context path if not ROOT
-        if (requestPath != null && requestPath.length() > 0) {
-            int lastIndex = requestUrl.lastIndexOf(requestPath);
-            result = requestUrl.substring(0, lastIndex);
-        } else {
-            result = requestUrl;
-        }
-        if (contextPath != null && contextPath.length() > 0) {
-            // contextPath contains starting slash
-            result = result + contextPath;
-        }
-        if (result.charAt(result.length() - 1) != '/') {
-            result = result + "/";
-        }
-        return result;
-    }
-
-
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
new file mode 100644
index 0000000..ea594d3
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.service.ConfigService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.util.Assert;
+
+
+/**
+ * Used by the <code>ExceptionTranslationFilter</code> to commence authentication
+ * <p>
+ * The user's browser will be redirected to the IDP.
+ *
+ */
+public class FedizEntryPoint implements AuthenticationEntryPoint,
+    InitializingBean, ApplicationContextAware {
+    
+    private static final Logger LOG = LoggerFactory.getLogger(FedizEntryPoint.class);
+    
+    private ApplicationContext appContext;
+    private ConfigService configService;
+    private String realm;
+    private Idp idpConfig;
+
+    public ConfigService getConfigService() {
+        return configService;
+    }
+
+    public void setConfigService(ConfigService configService) {
+        this.configService = configService;
+    }
+    
+    public String getRealm() {
+        return realm;
+    }
+
+    public void setRealm(String realm) {
+        this.realm = realm;
+    }
+    
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(this.appContext, "ApplicationContext cannot be null.");
+        Assert.notNull(this.configService, "ConfigService cannot be null.");
+        Assert.notNull(this.realm, "realm cannot be null.");
+    }
+
+    public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse
response,
+            final AuthenticationException authenticationException) throws IOException, ServletException
{
+
+        idpConfig = configService.getIDP(realm);
+        Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config
service implementation");
+        
+        String redirectUrl = null;
+        String wauth = servletRequest.getParameter(FederationConstants.PARAM_AUTH_TYPE);
+        if (wauth == null) {
+            wauth = "default";
+        }
+        String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
+        if (loginUri == null) {
+            LOG.warn("wauth value '" + wauth + "' not supported");
+            response.sendError(
+                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "wauth value '" + wauth
+ "' not supported");
+        }
+        redirectUrl = new StringBuilder(extractFullContextPath(servletRequest))
+            .append(loginUri).append("?").append(servletRequest.getQueryString()).toString();
+        
+        preCommence(servletRequest, response);
+        if (LOG.isInfoEnabled()) {
+            LOG.info("Redirect to " + redirectUrl);
+        }  
+        response.sendRedirect(redirectUrl);
+    }
+
+
+    /**
+     * Template method for you to do your own pre-processing before the redirect occurs.
+     *
+     * @param request the HttpServletRequest
+     * @param response the HttpServletResponse
+     */
+    protected void preCommence(final HttpServletRequest request, final HttpServletResponse
response) {
+
+    }
+
+    @Override
+    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
+        this.appContext = applicationContext;
+    }
+    
+    protected String extractFullContextPath(HttpServletRequest request) throws MalformedURLException
{
+        String result = null;
+        String contextPath = request.getContextPath();
+        String requestUrl = request.getRequestURL().toString();
+        
+        String requestPath = new URL(requestUrl).getPath();
+        // Cut request path of request url and add context path if not ROOT
+        if (requestPath != null && requestPath.length() > 0) {
+            int lastIndex = requestUrl.lastIndexOf(requestPath);
+            result = requestUrl.substring(0, lastIndex);
+        } else {
+            result = requestUrl;
+        }
+        if (contextPath != null && contextPath.length() > 0) {
+            // contextPath contains starting slash
+            result = result + contextPath;
+        }
+        if (result.charAt(result.length() - 1) != '/') {
+            result = result + "/";
+        }
+        return result;
+    }
+
+
+
+}
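Review bot: When `loginUri` is null, `commence` calls `response.sendError(...)` but then falls through to build `redirectUrl` with the literal `null` and calls `response.sendRedirect` on a response that is already committed, which the Servlet API documents as throwing `IllegalStateException`; adding `return;` directly after the `sendError(...)` call closes that path. `servletRequest.getQueryString()` can also be null, which produces a redirect ending in `?null`, so the append should be guarded on a non-null query string. The `idpConfig` field is reassigned on every request inside `commence`, so if this bean is a singleton the value is shared between concurrent requests — a local variable would be safer. The file is a rename of FederationEntryPoint.java, so these issues predate this commit, but the new file is the natural place to fix them.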

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheSecurityToken.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheSecurityToken.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheSecurityToken.java
index 2cd4bc7..e219741 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheSecurityToken.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheSecurityToken.java
@@ -31,7 +31,7 @@ import org.springframework.util.Assert;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * This class is responsible to cache IDP token.
+ * This class is responsible to cache the IDP token.
  */
 @Component
 public class CacheSecurityToken {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
new file mode 100644
index 0000000..2ea9a7d
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans;
+
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * Check to see whether the IdP Token is expired or not
+ */
+@Component
+public class IdpTokenExpiredAction {
+
+    private static final Logger LOG = LoggerFactory
+            .getLogger(IdpTokenExpiredAction.class);
+    private boolean tokenExpirationValidation = true;
+
+    public boolean isTokenExpired(String homeRealm, RequestContext context)
+        throws Exception {
+        
+        if (tokenExpirationValidation) {
+            SecurityToken idpToken = 
+                (SecurityToken) WebUtils.getAttributeFromExternalContext(context, homeRealm);
+            if (idpToken == null) {
+                return true;
+            }
+            
+            if (idpToken.isExpired()) {
+                LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public boolean isTokenExpirationValidation() {
+        return tokenExpirationValidation;
+    }
+
+    /**
+     * Set whether the token validation (e.g. lifetime) shall be performed on every request
(true) or only 
+     * once at initial authentication (false). The default is "true" (note that the plugins
default for this
+     * configuration option is "true").
+     * @param tokenExpirationValidation Whether to perform token expiration validation per
request
+     */
+    public void setTokenExpirationValidation(boolean tokenExpirationValidation) {
+        this.tokenExpirationValidation = tokenExpirationValidation;
+    }
+
+}
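Review bot: A missing IdP token only forces re-authentication when `tokenExpirationValidation` is true, because the `idpToken == null` check in the new `isTokenExpired` sits inside the `if (tokenExpirationValidation)` branch; the `checkIsIdpTokenExpired` it replaces (removed from `beans/WfreshParser.java` in this same commit) returned true for a null token regardless of the flag. Whether a false result for an absent token lets the flow skip authentication depends on the flow XML, which is not in this diff, but the null check should not be gated by a setting whose Javadoc describes it as controlling lifetime validation only. Hoisting the null check above the flag restores the previous semantics, and `throws Exception` can be dropped since nothing in the body throws a checked exception.
```java
    public boolean isTokenExpired(String homeRealm, RequestContext context) {
        SecurityToken idpToken =
            (SecurityToken) WebUtils.getAttributeFromExternalContext(context, homeRealm);
        // An absent token always requires authentication, independent of the lifetime check
        if (idpToken == null) {
            return true;
        }
        if (tokenExpirationValidation && idpToken.isExpired()) {
            LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
            return true;
        }
        return false;
    }
```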

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
index b17de18..ae90757 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
@@ -28,7 +28,7 @@ import org.springframework.stereotype.Component;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * This class is responsible to clear security context and invalidate IDP session.
+ * This class is responsible to clear security context and invalidate the IDP session.
  */
 @Component
 public class LogoutAction {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
index 088af6c..351f88c 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
@@ -20,7 +20,6 @@ package org.apache.cxf.fediz.service.idp.beans;
 
 import javax.servlet.http.Cookie;
 
-import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.service.idp.domain.Idp;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.slf4j.Logger;
@@ -45,12 +44,12 @@ public class ProcessHRDSExpressionAction {
     @Autowired
     private HomeRealmReminder homeRealmReminder;
 
-    public String submit(RequestContext context) {
+    public String submit(RequestContext context, String homeRealm) {
         // Check if home realm is known already
-        Cookie whrCookie = homeRealmReminder.readCookie(context);
-        if (whrCookie != null) {
-            LOG.debug("WHR Cookie set: {}", whrCookie);
-            return whrCookie.getValue();
+        Cookie homeRealmCookie = homeRealmReminder.readCookie(context);
+        if (homeRealmCookie != null) {
+            LOG.debug("Home Realm Cookie set: {}", homeRealmCookie);
+            return homeRealmCookie.getValue();
         }
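Review bot: The new `homeRealm` parameter on `submit` has no Javadoc, and the method's precedence order (home-realm cookie first, then the custom HRDS expression, then the parameter as given) is only discoverable by reading the body; a short Javadoc stating that order plus `@param homeRealm the home realm supplied with the request, returned unchanged when neither a cookie nor an HRDS result applies` would help the flow definitions that call it. The debug line `LOG.debug("Home Realm Cookie set: {}", homeRealmCookie)` logs the Cookie object, which as far as I know does not override toString, so `LOG.debug("Home Realm Cookie set: {}", homeRealmCookie.getValue())` would report what is actually returned. The body of submit continues into the next hunk.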
 
         // Check if custom HRDS is defined
@@ -66,9 +65,8 @@ public class ProcessHRDSExpressionAction {
             return result;
         }
 
-        // Return whr parameter unchanged
-        String whr = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
-        LOG.debug("No custom homeRealm handling, using whr parameter as provided in request:
{}", whr);
-        return whr;
+        // Return home realm parameter unchanged
+        LOG.debug("No custom homeRealm handling, using home realm parameter as provided in
request: {}", homeRealm);
+        return homeRealm;
     }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 0b3288e..99b36e6 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -121,10 +121,9 @@ public class SigninParametersCacheAction {
 
     public void storeRPConfigInSession(RequestContext context) throws ProcessingException
{
 
-        String whr = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
         String wtrealm = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
         Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, IdpConstants.IDP_CONFIG);
-        if (whr == null || wtrealm == null || idpConfig == null) {
+        if (wtrealm == null || idpConfig == null) {
             return;
         }       
         

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
index 67838b5..9ea2de2 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
@@ -20,7 +20,6 @@ package org.apache.cxf.fediz.service.idp.beans;
 
 import java.net.URL;
 
-import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.service.idp.domain.Idp;
 import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
 import org.apache.cxf.fediz.service.idp.protocols.ProtocolController;
@@ -35,7 +34,7 @@ import org.springframework.stereotype.Component;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * This class is responsible to clear security context and invalidate IDP session.
+ * This class is responsible to map the sign in request/response when calling a trusted third
party IdP
  */
 @Component
 public class TrustedIdpProtocolAction {
@@ -49,9 +48,7 @@ public class TrustedIdpProtocolAction {
     @Qualifier("trustedIdpProtocolControllerImpl")
     private ProtocolController<TrustedIdpProtocolHandler> trustedIdpProtocolHandlers;
     
-    public String mapSignInRequest(RequestContext requestContext) {
-        String trustedIdpRealm = 
-            requestContext.getFlowScope().getString(FederationConstants.PARAM_HOME_REALM);
+    public String mapSignInRequest(RequestContext requestContext, String trustedIdpRealm)
{
         LOG.info("Prepare redirect to Trusted IDP '{}'", trustedIdpRealm);
         
         Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(requestContext, IDP_CONFIG);
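Review bot: `mapSignInRequest` now takes `trustedIdpRealm` from its caller but has no Javadoc for the parameter and, within the hunk, no check that it is non-null before it is logged and presumably used to look up the trusted IdP further down; the same applies to `mapSignInResponse` in the following hunk. Previously the value was read from flow scope inside the method, so callers could not pass an arbitrary value; now a `@param trustedIdpRealm` tag and an explicit `Objects.requireNonNull(trustedIdpRealm, "trustedIdpRealm");` at the top of each method (with the `java.util.Objects` import) would make the new contract visible and fail early rather than deep inside the lookup. Both method bodies continue outside their hunks.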
@@ -75,9 +72,7 @@ public class TrustedIdpProtocolAction {
         return redirectUrl.toString();
     }
     
-    public SecurityToken mapSignInResponse(RequestContext requestContext) {
-        String trustedIdpRealm = 
-            requestContext.getFlowScope().getString(FederationConstants.PARAM_HOME_REALM);
+    public SecurityToken mapSignInResponse(RequestContext requestContext, String trustedIdpRealm)
{
         LOG.info("Prepare validate SignInResponse of Trusted IDP '{}'", trustedIdpRealm);
         
         Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(requestContext, IDP_CONFIG);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
deleted file mode 100644
index 792b4fd..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import java.util.Date;
-
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to parse 'wfresh' parameter 
- */
-@Component
-public class WfreshParser {
-
-    private static final Logger LOG = LoggerFactory
-            .getLogger(WfreshParser.class);
-    private boolean tokenExpirationValidation = true;
-
-    public boolean authenticationRequired(String wfresh, String whr, RequestContext context)
-        throws Exception {
-        
-        if (checkIsIdpTokenExpired(whr, context)) {
-            return true;
-        }
-
-        if (wfresh == null || wfresh.trim().isEmpty()) {
-            return false;
-        }
-
-        long ttl;
-        try {
-            ttl = Long.parseLong(wfresh.trim());
-        } catch (Exception e) {
-            LOG.info("wfresh value '" + wfresh + "' is invalid.");
-            return false;
-        }
-        if (ttl == 0) {
-            return true;
-        }
-        
-        long ttlMs = ttl * 60L * 1000L;
-        if (ttlMs > 0) {
-
-            SecurityToken idpToken = 
-                (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
-            Date createdDate = idpToken.getCreated();
-            if (createdDate != null) {
-                Date expiryDate = new Date();
-                expiryDate.setTime(createdDate.getTime() + ttlMs);
-                if (expiryDate.before(new Date())) {
-                    LOG.info("[IDP_TOKEN="
-                            + idpToken.getId()
-                            + "] is valid but relying party requested new authentication
caused by wfresh="
-                            + wfresh + " outdated.");
-                    return true;
-                }
-            } else {
-                LOG.info("token creation date not set. Unable to check wfresh is outdated.");
-            }
-        } else {
-            LOG.info("ttl value '" + ttl + "' is negative or is too large.");
-        }
-        return false;
-    }
-    
-    private boolean checkIsIdpTokenExpired(String whr, RequestContext context) {
-        SecurityToken idpToken = 
-            (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
-        if (idpToken == null) {
-            return true;
-        }
-        
-        if (tokenExpirationValidation && idpToken.isExpired()) {
-            LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
-            return true;
-        }
-
-        return false;
-    }
-
-    public boolean isTokenExpirationValidation() {
-        return tokenExpirationValidation;
-    }
-
-    /**
-     * Set whether the token validation (e.g. lifetime) shall be performed on every request
(true) or only 
-     * once at initial authentication (false). The default is "true" (note that the plugins
default for this
-     * configuration option is "true").
-     * @param tokenExpirationValidation Whether to perform token expiration validation per
request
-     */
-    public void setTokenExpirationValidation(boolean tokenExpirationValidation) {
-        this.tokenExpirationValidation = tokenExpirationValidation;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
new file mode 100644
index 0000000..1a11873
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans.wsfed;
+
+import java.util.Date;
+
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * This class is responsible to parse the 'wfresh' parameter 
+ */
+@Component
+public class WfreshParser {
+
+    private static final Logger LOG = LoggerFactory.getLogger(WfreshParser.class);
+
+    public boolean authenticationRequired(String wfresh, String whr, RequestContext context)
+        throws Exception {
+        
+        if (wfresh == null || wfresh.trim().isEmpty()) {
+            return false;
+        }
+
+        long ttl;
+        try {
+            ttl = Long.parseLong(wfresh.trim());
+        } catch (Exception e) {
+            LOG.info("wfresh value '" + wfresh + "' is invalid.");
+            return false;
+        }
+        if (ttl == 0) {
+            return true;
+        }
+        
+        long ttlMs = ttl * 60L * 1000L;
+        if (ttlMs > 0) {
+
+            SecurityToken idpToken = 
+                (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
+            Date createdDate = idpToken.getCreated();
+            if (createdDate != null) {
+                Date expiryDate = new Date();
+                expiryDate.setTime(createdDate.getTime() + ttlMs);
+                if (expiryDate.before(new Date())) {
+                    LOG.info("[IDP_TOKEN="
+                            + idpToken.getId()
+                            + "] is valid but relying party requested new authentication
caused by wfresh="
+                            + wfresh + " outdated.");
+                    return true;
+                }
+            } else {
+                LOG.info("token creation date not set. Unable to check wfresh is outdated.");
+            }
+        } else {
+            LOG.info("ttl value '" + ttl + "' is negative or is too large.");
+        }
+        return false;
+    }
+    
+}
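Review bot: `idpToken`, looked up via `WebUtils.getAttributeFromExternalContext(context, whr)`, is dereferenced on the very next line (`idpToken.getCreated()`) with no null check, whereas the deleted `checkIsIdpTokenExpired` treated a missing token as expired; add `if (idpToken == null) { return true; }` directly after the lookup so the parser is safe regardless of which flow state reaches it first. The `createdDate == null` branch fails open — the relying party's freshness requirement is silently not enforced — so consider returning `true` (force re-authentication) there, or at minimum logging it at warn rather than info. `ttl * 60L * 1000L` can wrap for a large `ttl`, and a wrapped value may still be positive and pass the `ttlMs > 0` test, so bound the input before multiplying: `if (ttl < 0 || ttl > Long.MAX_VALUE / 60000L)`. `wfresh` is a request parameter supplied by the relying party and is written verbatim into two log lines; strip CR/LF (or log only the parsed `ttl`) to avoid log injection. `throws Exception` on a method that throws nothing checked, and `catch (Exception e)` around `Long.parseLong`, should both be narrowed to `NumberFormatException`.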

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 86f51b1..0dcc21b 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -42,7 +42,8 @@
 
     <decision-state id="processHRDSExpression">
         <on-entry>
-            <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext)"
result="flowScope.whr" />
+            <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext,
flowScope.whr)" 
+                      result="flowScope.whr" />
         </on-entry>
         <if test="flowScope.whr == null or flowScope.whr.trim().isEmpty()"
             then="provideIDPListForUser" else="checkIsThisIDP" />
@@ -91,7 +92,8 @@
 
     <action-state id="wfreshParserRemoteAction">
         <evaluate
-            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.whr, flowRequestContext)
or
+                        wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
         <transition on="yes" to="redirectToTrustedIDP" />
         <transition on="no" to="requestRpToken" >
             <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
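Review bot: The new `idpTokenExpiredAction.isTokenExpired(...) or wfreshParser.authenticationRequired(...)` expression in `wfreshParserRemoteAction` (and the identical one in `wfreshParserAction` below) makes operand order load-bearing: `WfreshParser.authenticationRequired` in this commit dereferences the session token it looks up under `whr` without a null check, so the expression is only safe because `isTokenExpired` runs first and — assuming Web Flow's EL short-circuits `or` as SpEL does — yields `yes` for a missing token before the parser is reached. That contract is invisible in the flow file; add `<!-- order matters: isTokenExpired handles a missing/expired IDP token, wfreshParser assumes the token exists -->` above each `<evaluate>`. If a later edit swaps the operands or evaluates them eagerly, a session with no cached token produces a NullPointerException instead of a redirect to re-authenticate.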
@@ -121,7 +123,8 @@
         from 'IDP_TOKEN' -->
     <action-state id="wfreshParserAction">
         <evaluate
-            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.whr, flowRequestContext)
or
+                        wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
         <transition on="yes" to="redirectToLocalIDP" />
         <transition on="no" to="requestRpToken">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index f424edc..5697173 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -31,6 +31,7 @@
     <input name="SAMLResponse" />
     <input name="state" />
     <input name="code" />
+    <input name="whr" />
 
     <on-start>
         <!-- restore 'wreply','wtrealm','whr' for current 'wctx' -->
@@ -39,7 +40,7 @@
     
     <!-- validate token issued by requestor IDP ('wresult') given its 'whr' -->
     <action-state id="validateToken">
-        <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)"
+        <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext,
whr)"
             result="flowScope.idpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken"
/>
         <transition to="checkCacheTrustedIdpToken" />
         <transition
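Review bot: `trustedIdpProtocolAction.mapSignInResponse(flowRequestContext, whr)` now takes `whr` explicitly, but the hunk shows two candidate sources for it — the new `<input name="whr" />` passed in by the parent flow and the value the `on-start` block restores for the current `wctx` — and nothing here says which one the unqualified `whr` resolves to. The realm selects which trusted IdP's configuration validates the `wresult`/`SAMLResponse`, so a `whr` that can be influenced by the response request rather than the one bound to `wctx` at sign-in time would let a caller choose the validating realm; confirm the restored value is authoritative and record it with `<!-- 'whr' must be the value restored for 'wctx', never one supplied with the response -->`. Where the parent's `flowScope.whr` ultimately originates is outside this hunk.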

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index b22f48e..d5febf9 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -115,6 +115,7 @@
         <input name="SAMLResponse" value="flowScope.SAMLResponse" />
         <input name="state" value="flowScope.state" />
         <input name="code" value="flowScope.code" />
+        <input name="whr" value="flowScope.whr" />
 
         <output name="wtrealm" />
         <output name="wreply" />
@@ -146,7 +147,7 @@
     </action-state>
     
     <action-state id="processTrustedIdpProtocol">
-        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext)"
+        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext,
flowScope.whr)"
                       result="flowScope.remoteIdpUrl"/>
         <transition to="redirectToTrustedIDP" />
         <transition on-exception="java.lang.Throwable" to="scInternalServerError" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 909fb44..61610e3 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -36,14 +36,12 @@
             then="viewBadRequest" />
         <!-- check presence of cached IDP token for THIS realm -->
         <if test="externalContext.sessionMap[flowScope.whr] == null"
-            then="cacheSecurityToken" else="wfreshParserAction" />
+            then="cacheSecurityToken" else="checkTokenExpiry" />
     </decision-state>
 
-    <!-- parse wfresh parameter, provided by resource RP, overriding ttl 
-        from 'IDP_TOKEN' -->
-    <action-state id="wfreshParserAction">
+    <action-state id="checkTokenExpiry">
         <evaluate
-            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.whr, flowRequestContext)"
/>
         <transition on="yes" to="redirectToLocalIDP" />
         <transition on="no" to="requestRpToken">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
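Review bot: The renamed `checkTokenExpiry` state drops the explanatory comment the old `wfreshParserAction` carried and, unlike the WS-Federation flows in this commit, no longer has any path that forces re-authentication at the relying party's request — only token expiry is checked. If the SAML `AuthnRequest` `ForceAuthn` flag is meant to be honoured by this IdP, nothing in this hunk does so; if that is intentionally unsupported, it is worth saying. Suggested comment above the state: `<!-- re-authenticate only if the cached IDP token for this realm has expired (no wfresh-style freshness check in the SAML flow) -->`.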

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index 39e0cb7..d8891e5 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -70,7 +70,7 @@
     </security:authentication-manager>
     
     <!-- Redirects to a dedicated http config -->
-    <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint">
+    <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
         <property name="realm" value="${realm-uri}" />
         <property name="configService" ref="config" />
     </bean>
@@ -85,7 +85,7 @@
     </bean>
     
     <!-- Main entry point -->
-    <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
+    <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
     </security:http>
@@ -129,7 +129,7 @@
     </security:http>
     
     <!-- Main entry point -->
-    <security:http pattern="/saml" use-expressions="true" entry-point-ref="federationEntryPoint">
+    <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
     </security:http>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c23f3a89/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/security-config.xml b/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
index 91d79b0..e59ace7 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
@@ -67,13 +67,13 @@
     </security:authentication-manager>
 
     <!-- Redirects to a dedicated http config -->
-    <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint">
+    <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
         <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
         <property name="configService" ref="config" />
     </bean>
     
     <!-- Main entry point -->
-    <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
+    <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />

