cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: More SAML SSO refactoring
Date Wed, 02 Nov 2016 17:12:40 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 918af3aa0 -> b8aa7ea52


More SAML SSO refactoring


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/b8aa7ea5
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/b8aa7ea5
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/b8aa7ea5

Branch: refs/heads/master
Commit: b8aa7ea5205737adfdf21c10fd7ff684c81b9bb9
Parents: 918af3a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Nov 2 16:56:09 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Nov 2 16:56:09 2016 +0000

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/IdpConstants.java     |  5 +++
 .../idp/beans/SigninParametersCacheAction.java  | 25 +++++++++++----
 .../WEB-INF/flows/saml-signin-request.xml       | 32 ++++++++++----------
 .../WEB-INF/flows/saml-validate-request.xml     | 13 ++++----
 4 files changed, 47 insertions(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
index 2b007dd..95a9fc4 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -33,6 +33,11 @@ public final class IdpConstants {
      */
     public static final String SAML_AUTHN_REQUEST = "saml_authn_request";
     
+    /**
+     * A key used to store the home realm for the given request.
+     */
+    public static final String HOME_REALM = "home_realm";
+    
     private IdpConstants() {
         // complete
     }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 0c139c3..b696b6d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -49,6 +49,8 @@ public class SigninParametersCacheAction {
         Map<String, Object> signinParams = new HashMap<>();
         String uuidKey = UUID.randomUUID().toString();
         
+        WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+        
         Object value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
         if (value != null) {
             signinParams.put(FederationConstants.PARAM_REPLY, value);
@@ -61,13 +63,17 @@ public class SigninParametersCacheAction {
         if (value != null) {
             signinParams.put(FederationConstants.PARAM_HOME_REALM, value);
         }
+        value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
+        if (value != null) {
+            signinParams.put(IdpConstants.HOME_REALM, value);
+        }
         value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
         if (value != null) {
             signinParams.put(FederationConstants.PARAM_CONTEXT, value);
         }
-        value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+        value = WebUtils.getAttributeFromFlowScope(context, "SAMLRequest");
         if (value != null) {
-            signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value);
+            signinParams.put("SAMLRequest", value);
         }
         WebUtils.putAttributeInExternalContext(context, uuidKey, signinParams);
         
@@ -105,6 +111,17 @@ public class SigninParametersCacheAction {
                 if (value != null) {
                     WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM,
value);
                 }
+                // TODO...
+                value = (String)signinParams.get(IdpConstants.HOME_REALM);
+                if (value != null) {
+                    WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM,
value);
+                    WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value);
+                }
+                
+                value = (String)signinParams.get("SAMLRequest");
+                if (value != null) {
+                    WebUtils.putAttributeInFlowScope(context, "SAMLRequest", value);
+                } 
                 
                 LOG.debug("SignIn parameters restored: {}", signinParams.toString());
                 WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
@@ -116,10 +133,6 @@ public class SigninParametersCacheAction {
                     WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_CONTEXT,
value);
                 }
                 
-                value = (String)signinParams.get(IdpConstants.SAML_AUTHN_REQUEST);
-                if (value != null) {
-                    WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST,
value);
-                }
             }  else {
                 LOG.debug("Error in restoring security context");
             }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index a166e5d..93ffba7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -31,9 +31,9 @@
     <decision-state id="processHRDSExpression">
         <on-entry>
             <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext,
null)" 
-                      result="flowScope.homerealm" />
+                      result="flowScope.home_realm" />
         </on-entry>
-        <if test="flowScope.homerealm == null or flowScope.homerealm.trim().isEmpty()"
+        <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
             then="provideIDPListForUser" else="checkIsThisIDP" />
     </decision-state>
     
@@ -60,9 +60,9 @@
         </on-entry>
         <transition on="submit" to="checkIsThisIDP" bind="true"
             validate="true">
-            <set name="flowScope.homerealm" value="trustedIDPSelection.whr" />
+            <set name="flowScope.home_realm" value="trustedIDPSelection.whr" />
             <evaluate
-                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.homerealm)"
/>
+                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)"
/>
         </transition>
         <transition on="cancel" to="checkDefaultToThisIDP"
             bind="false" validate="false" />
@@ -70,7 +70,7 @@
     
     <!-- Home Realm is known then we can store it in cookie -->
     <decision-state id="checkIsThisIDP">
-        <if test="flowScope.idpConfig.realm.equals(flowScope.homerealm)"
+        <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
             then="homeRealmSignInEntryPoint" else="checkIdpTokenWhrWauth" />
     </decision-state>
     
@@ -79,16 +79,16 @@
     <!-- Is 'wresult/RP-IDP token' already received and validated (then stored 
         in session) from requestor IDP ? -->
     <decision-state id="checkIdpTokenWhrWauth">
-        <if test="externalContext.sessionMap[flowScope.homerealm] != null"
+        <if test="externalContext.sessionMap[flowScope.home_realm] != null"
             then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
     </decision-state>
     
     <action-state id="wfreshParserRemoteAction">
         <evaluate
-            expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)"
/>
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)"
/>
         <transition on="yes" to="redirectToTrustedIDP" />
         <transition on="no" to="validateWReply" >
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]"
/>
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
     </action-state>
@@ -104,12 +104,12 @@
     <decision-state id="homeRealmSignInEntryPoint">
         <on-entry>
             <!-- Here, home realm is guaranteed to be THIS realm -->
-            <set name="flowScope.homerealm" value="flowScope.idpConfig.realm" />
+            <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
         </on-entry>
         <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
             then="scInternalServerError" />
         <!-- check presence of cached IDP token for THIS realm -->
-        <if test="externalContext.sessionMap[flowScope.homerealm] == null"
+        <if test="externalContext.sessionMap[flowScope.home_realm] == null"
             then="cacheSecurityToken" else="checkTokenExpiry" />
     </decision-state>
 
@@ -119,11 +119,11 @@
                                                                   flowScope.SAMLRequest)"
/>
         </on-entry>
         <evaluate
-            expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
                         or authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
         <transition on="yes" to="redirectToLocalIDP" />
         <transition on="no" to="parseAndValidateSAMLRequest">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]"
/>
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
         </transition>
         <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
     </action-state>
@@ -132,14 +132,14 @@
         <on-entry>
             <evaluate expression="logoutAction.submit(flowRequestContext)" />
         </on-entry>
-        <output name="homerealm" value="flowScope.homerealm" />
+        <output name="home_realm" value="flowScope.home_realm" />
     </end-state>
 
     <action-state id="cacheSecurityToken">
         <secured attributes="IS_AUTHENTICATED_FULLY" />
         <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
         <transition to="parseAndValidateSAMLRequest">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]"
/>
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
         </transition>
     </action-state>
     
@@ -171,7 +171,7 @@
 
     <!-- normal exit point -->
     <end-state id="requestRpToken">
-        <output name="homerealm" value="flowScope.homerealm" />
+        <output name="home_realm" value="flowScope.home_realm" />
         <output name="idpToken" value="flowScope.idpToken" />
         <output name="saml_authn_request" value="flowScope.saml_authn_request" />
     </end-state>
@@ -189,7 +189,7 @@
         <on-entry>
             <evaluate expression="signinParametersCacheAction.store(flowRequestContext)"
/>
         </on-entry>
-        <output name="homerealm" value="flowScope.homerealm" />
+        <output name="home_realm" value="flowScope.home_realm" />
         <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
     </end-state>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index ca154ba..c49324c 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -29,6 +29,7 @@
             <set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
             <set name="flowScope.Signature" value="requestParameters.Signature" />
             <set name="flowScope.wresult" value="requestParameters.wresult" />
+            <set name="flowScope.wctx" value="requestParameters.wctx" />
             <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())"
/>
         </on-entry>
         <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
@@ -48,13 +49,13 @@
         <input name="RelayState" value="flowScope.RelayState" />
         <input name="Signature" value="flowScope.Signature" />
 
-        <output name="homerealm" />
+        <output name="home_realm" />
         <output name="idpToken" />
         <output name="trusted_idp_context" />
         <output name="saml_authn_request" />
 
         <transition on="requestRpToken" to="requestRpToken">
-            <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm"
/>
+            <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm"
/>
             <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
             <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request"
/>
         </transition>
@@ -64,7 +65,7 @@
         <transition on="scInternalServerError" to="scInternalServerError" />
         <transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
         <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
-            <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm"
/>
+            <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm"
/>
             <set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/>
         </transition>
     </subflow-state>
@@ -88,7 +89,7 @@
         <output name="idpToken" />
 
         <transition on="requestRpToken" to="requestRpToken">
-            <set name="flowScope.homerealm" value="currentEvent.attributes.whr" />
+            <set name="flowScope.home_realm" value="currentEvent.attributes.whr" />
             <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
             <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request"
/>
         </transition>
@@ -101,7 +102,7 @@
         <on-entry>
             <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"

                       result="flowScope.realm"/>
-            <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm,
flowScope.homerealm)"
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm,
flowScope.home_realm)"
                       result="flowScope.rpTokenElement"/>
         </on-entry>
         <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
@@ -136,7 +137,7 @@
     </end-state>
     
     <action-state id="processTrustedIdpProtocol">
-        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext,
flowScope.homerealm)"
+        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext,
flowScope.home_realm)"
                       result="flowScope.remoteIdpUrl"/>
         <transition to="redirectToTrustedIDP" />
         <transition on-exception="java.lang.Throwable" to="scInternalServerError" />


Mime
View raw message