From cohei...@apache.org
Subject [4/4] cxf-fediz git commit: Save the context from the sign in request
Date Tue, 20 Dec 2016 10:58:29 GMT
Save the context from the sign in request


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/aaeea60c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/aaeea60c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/aaeea60c

Branch: refs/heads/1.3.x-fixes
Commit: aaeea60c7edae9973134c868c1d49c67d658e6c3
Parents: a271c79
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Dec 20 10:41:17 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Dec 20 10:58:20 2016 +0000

----------------------------------------------------------------------
 .../fediz/jetty8/FederationAuthenticator.java   | 27 ++++++++++++++++----
 .../fediz/jetty9/FederationAuthenticator.java   | 27 ++++++++++++++++----
 2 files changed, 44 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aaeea60c/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
index dfeab1d..56656a0 100644
--- a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
+++ b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
@@ -84,6 +84,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
     
     public static final String J_URI = "org.eclipse.jetty.security.form_URI";
     public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+    public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
 
     private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
     
@@ -222,13 +223,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     {
                         session=renewSession(request,response);
 
-                        FederationUserIdentity fui = (FederationUserIdentity)user;
-                        session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
-
                         // Redirect to original request
                         String nuri;
                         synchronized(session)
                         {
+                            // Check the context
+                            String savedContext = (String) session.getAttribute(J_CONTEXT);
+                            String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+                            if (savedContext == null || !savedContext.equals(receivedContext))
{
+                                LOG.warn("The received wctx parameter does not match the
saved value");
+                                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                return Authentication.UNAUTHENTICATED;
+                            }
+                            
                             nuri = (String) session.getAttribute(J_URI);
 
                             if (nuri == null || nuri.length() == 0)
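Review bot: The saved wctx value is never removed from the session once it has been validated, so after `if (savedContext == null || !savedContext.equals(receivedContext))` passes, the same J_CONTEXT stays valid for the lifetime of the session and a later issuer response carrying the same wctx value would be accepted again. Clearing it on the success path makes the context single-use: `session.removeAttribute(J_CONTEXT);` immediately before `nuri = (String) session.getAttribute(J_URI);`. If a fresh sign-in redirect always overwrites J_CONTEXT anyway and reuse within a session is intended, a comment saying so would help a reader. The enclosing method begins before this hunk, so I cannot see whether the context is cleared elsewhere. The jetty9 hunk at `@@ -221,13 +222,19 @@` contains the same check and has the same issue.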
@@ -241,6 +248,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
                             Authentication cached=new SessionAuthentication(getAuthMethod(),
user, wfRes);
                             session.setAttribute(SessionAuthentication.__J_AUTHENTICATED,
cached);
                         }
+                        
+                        FederationUserIdentity fui = (FederationUserIdentity)user;
+                        session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+                        
                         response.setContentLength(0);   
                         response.sendRedirect(response.encodeRedirectURL(nuri));
 
@@ -253,6 +264,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     }
                     if (response != null) {
                         response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                        return Authentication.UNAUTHENTICATED;
                     }
 
                 }
@@ -369,7 +381,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
             
             FedizProcessor wfProc = 
                 FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
-            signInRedirectToIssuer(request, response, wfProc);
+            signInRedirectToIssuer(request, response, wfProc, session);
 
             return Authentication.SEND_CONTINUE;
 
@@ -445,12 +457,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
      *            Response we are populating
      * @param processor
      *            FederationProcessor
+     * @param session The HTTPSession
      * @throws IOException
      *             If the forward to the login page fails and the call to
      *             {@link HttpServletResponse#sendError(int, String)} throws an
      *             {@link IOException}
      */
-    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse
response, FedizProcessor processor)
+    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse
response, FedizProcessor processor, HttpSession session)
         throws IOException {
 
         //Not supported in jetty 7.6
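Review bot: The new Javadoc tag `@param session The HTTPSession` does not state that the argument is required, yet the later hunk in what appears to be this same method locks on it with `synchronized(session)`, which throws NullPointerException if a caller passes null. The neighbouring tags also put the description on its own indented line, so the new one breaks the local style. Suggest `@param session The {@link HttpSession} in which the sign-in request state is stored; must not be null`, formatted like the other tags. The jetty9 hunk at `@@ -447,12 +459,13 @@` has the identical Javadoc and signature change.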
@@ -471,6 +484,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     }
                 }
                 
+                synchronized(session) {
+                    session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+                }
+                
                 response.sendRedirect(redirectURL);
             } else {
                 LOG.warn("Failed to create SignInRequest.");
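Review bot: Storing the state in a single J_CONTEXT slot means a second sign-in redirect issued for the same session (for example from a second browser tab) overwrites the value saved by the first, so the first issuer response will then fail the context comparison and get a 403. That is acceptable if one in-flight sign-in per session is the intended contract, but it deserves a comment on `session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());` such as `// Only the most recent sign-in request per session is tracked; a newer redirect invalidates the older context`. The line also assumes `getRequestState()` returns non-null, which cannot be confirmed from this hunk. The jetty9 hunk at `@@ -473,6 +486,10 @@` is identical.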

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aaeea60c/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
index 7205e44..e845b08 100644
--- a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
+++ b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
@@ -83,6 +83,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
     
     public static final String J_URI = "org.eclipse.jetty.security.form_URI";
     public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+    public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
 
     private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
     
@@ -221,13 +222,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     {
                         session=renewSession(request,response);
 
-                        FederationUserIdentity fui = (FederationUserIdentity)user;
-                        session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
-
                         // Redirect to original request
                         String nuri;
                         synchronized(session)
                         {
+                            // Check the context
+                            String savedContext = (String) session.getAttribute(J_CONTEXT);
+                            String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+                            if (savedContext == null || !savedContext.equals(receivedContext))
{
+                                LOG.warn("The received wctx parameter does not match the
saved value");
+                                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                return Authentication.UNAUTHENTICATED;
+                            }
+                            
                             nuri = (String) session.getAttribute(J_URI);
 
                             if (nuri == null || nuri.length() == 0)
@@ -240,6 +247,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
                             Authentication cached=new SessionAuthentication(getAuthMethod(),
user, wfRes);
                             session.setAttribute(SessionAuthentication.__J_AUTHENTICATED,
cached);
                         }
+                        
+                        FederationUserIdentity fui = (FederationUserIdentity)user;
+                        session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+                        
                         response.setContentLength(0);   
                         response.sendRedirect(response.encodeRedirectURL(nuri));
 
@@ -252,6 +263,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     }
                     if (response != null) {
                         response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                        return Authentication.UNAUTHENTICATED;
                     }
 
                 }
@@ -371,7 +383,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
             
             FedizProcessor wfProc = 
                 FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
-            signInRedirectToIssuer(request, response, wfProc);
+            signInRedirectToIssuer(request, response, wfProc, session);
 
             return Authentication.SEND_CONTINUE;
 
@@ -447,12 +459,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
      *            Response we are populating
      * @param processor
      *            FederationProcessor
+     * @param session The HTTPSession
      * @throws IOException
      *             If the forward to the login page fails and the call to
      *             {@link HttpServletResponse#sendError(int, String)} throws an
      *             {@link IOException}
      */
-    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse
response, FedizProcessor processor)
+    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse
response, FedizProcessor processor, HttpSession session)
         throws IOException {
 
         //Not supported in jetty 7.6
@@ -473,6 +486,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     }
                 }
                 
+                synchronized(session) {
+                    session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+                }
+                
                 response.sendRedirect(redirectURL);
             } else {
                 LOG.warn("Failed to create SignInRequest.");

