From cohei...@apache.org
Subject [4/4] cxf-fediz git commit: Save the context from the sign in request
Date Tue, 20 Dec 2016 11:32:28 GMT
Save the context from the sign in request


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f1aef377
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f1aef377
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f1aef377

Branch: refs/heads/1.2.x-fixes
Commit: f1aef37787f829293d239e62b7a83a53d366494a
Parents: e6e05c8
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Dec 20 10:41:17 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Dec 20 11:16:41 2016 +0000

----------------------------------------------------------------------
 .../fediz/jetty/FederationAuthenticator.java    | 27 ++++++++++++++++----
 1 file changed, 22 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f1aef377/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
index 9b2c684..779d047 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
@@ -87,6 +87,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
     
     public static final String J_URI = "org.eclipse.jetty.security.form_URI";
     public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+    public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
 
     private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
     
@@ -248,13 +249,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     {
                         session=renewSession(request,response);
 
-                        FederationUserIdentity fui = (FederationUserIdentity)user;
-                        session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
-
                         // Redirect to original request
                         String nuri;
                         synchronized(session)
                         {
+                            // Check the context
+                            String savedContext = (String) session.getAttribute(J_CONTEXT);
+                            String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+                            if (savedContext == null || !savedContext.equals(receivedContext))
{
+                                LOG.warn("The received wctx parameter does not match the
saved value");
+                                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                                return Authentication.UNAUTHENTICATED;
+                            }
+                            
                             nuri = (String) session.getAttribute(J_URI);
 
                             if (nuri == null || nuri.length() == 0)
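Review bot: The saved J_CONTEXT value is left in the session after the comparison on the added lines succeeds, so the same wctx value would be accepted again by any later sign-in response delivered within that session; clearing it once it has been consumed, `session.removeAttribute(J_CONTEXT);` placed right after the new `if` block and still inside the `synchronized(session)` region, makes the state single-use. A secondary point: `savedContext.equals(receivedContext)` returns on the first differing character, so if a constant-time comparison is wanted for this value the stdlib form is `MessageDigest.isEqual(savedContext.getBytes(StandardCharsets.UTF_8), receivedContext.getBytes(StandardCharsets.UTF_8))` behind an explicit null check on `receivedContext`. The enclosing method starts and ends outside the hunk.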
@@ -267,6 +274,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
                             Authentication cached=new SessionAuthentication(getAuthMethod(),
user, wfRes);
                             session.setAttribute(SessionAuthentication.__J_AUTHENTICATED,
cached);
                         }
+                        
+                        FederationUserIdentity fui = (FederationUserIdentity)user;
+                        session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+                        
                         response.setContentLength(0);   
                         response.sendRedirect(response.encodeRedirectURL(nuri));
 
@@ -279,6 +290,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     }
                     if (response != null) {
                         response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                        return Authentication.UNAUTHENTICATED;
                     }
 
                 }
@@ -394,7 +406,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
             
             FedizProcessor wfProc = 
                 FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
-            signInRedirectToIssuer(request, response, wfProc);
+            signInRedirectToIssuer(request, response, wfProc, session);
 
             return Authentication.SEND_CONTINUE;
 
@@ -482,12 +494,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
      *            Response we are populating
      * @param processor
      *            FederationProcessor
+     * @param session The HTTPSession
      * @throws IOException
      *             If the forward to the login page fails and the call to
      *             {@link HttpServletResponse#sendError(int, String)} throws an
      *             {@link IOException}
      */
-    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse
response, FedizProcessor processor)
+    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse
response, FedizProcessor processor, HttpSession session)
         throws IOException {
 
         //Not supported in jetty 7.6
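Review bot: The Javadoc added for the new parameter, `@param session The HTTPSession`, only restates the type; it should say what the method does with it, e.g. `@param session The HttpSession in which the sign-in request state (wctx) is stored under J_CONTEXT so that it can be verified when the sign-in response arrives`. Separately, `signInRedirectToIssuer` is `protected`, and changing its arity means a subclass that overrode the three-argument form would no longer be invoked from the call site changed in the hunk at `@@ -394,7 +406,7 @@`; whether such subclasses exist is not visible here. The method body continues outside the hunk.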
@@ -508,6 +521,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     }
                 }
                 
+                synchronized(session) {
+                    session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+                }
+                
                 response.sendRedirect(redirectURL);
             } else {
                 LOG.warn("Failed to create SignInRequest.");
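Review bot: `synchronized(session)` on the added lines throws a NullPointerException if `session` is null, and the caller in the hunk at `@@ -394,7 +406,7 @@` passes a `session` variable whose null-ness is not visible here; either guard the block with `if (session != null)` or make the precondition explicit at the top of the method with `Objects.requireNonNull(session, "session");` and an `@throws NullPointerException` entry in the Javadoc. It is also worth a comment on the `setAttribute` line that J_CONTEXT is a single slot, e.g. `// A later sign-in redirect in the same session overwrites this value, so an earlier pending sign-in response will then be rejected`. The enclosing method starts and ends outside the hunk.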

