From cohei...@apache.org
Subject cxf-fediz git commit: Return 500 from the IdP if the STS URL is configured incorrectly instead of the default 401
Date Fri, 07 Apr 2017 18:23:40 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 2d42d674a -> e6a2d15ff


Return 500 from the IdP if the STS URL is configured incorrectly instead of the default 401


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e6a2d15f
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e6a2d15f
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e6a2d15f

Branch: refs/heads/master
Commit: e6a2d15ff834f29b7ff3223ba20450387406bf5e
Parents: 2d42d67
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Apr 7 18:23:51 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Apr 7 18:23:51 2017 +0100

----------------------------------------------------------------------
 .../fediz/service/idp/BasicAuthEntryPoint.java  | 57 ++++++++++++++++++++
 .../idp/STSUPAuthenticationProvider.java        |  8 +++
 .../WEB-INF/config/security-up-config.xml       |  4 +-
 3 files changed, 68 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e6a2d15f/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java
b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java
new file mode 100644
index 0000000..7058988
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+
+/**
+ * The entry point for BasicAuthentication. If the exception thrown is an AuthenticationServiceException,
which
+ * is thrown if the URL for the STS is incorrect for example, it returns 500. Otherwise 401.
+ */
+@Component
+public class BasicAuthEntryPoint extends BasicAuthenticationEntryPoint {
+
+    public void commence(HttpServletRequest request, HttpServletResponse response,
+                         AuthenticationException ex) throws IOException, ServletException
{
+        if (ex instanceof AuthenticationServiceException) {
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+            response.flushBuffer();
+        } else {
+            super.commence(request, response, ex);
+        }
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        setRealmName("Fediz");
+        super.afterPropertiesSet();
+    }
+
+}
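Review bot: `commence` at the top of the class overrides `BasicAuthenticationEntryPoint.commence` but carries no `@Override`, unlike `afterPropertiesSet` directly below it; adding `@Override` makes a signature drift in a later Spring Security version a compile error instead of a silent fall-back to the default 401 path. The 500 branch sets the status and flushes with an empty body and logs nothing at this layer, so an operator chasing a 500 has only the provider's INFO log to go on; `response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR)` would let the container's error handling apply while still committing the response. Nothing from `ex` is written to the client, which is the right call since its message may carry the misconfigured STS URL.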

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e6a2d15f/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
index 54fb24e..7c47f63 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
@@ -25,11 +25,13 @@ import javax.servlet.http.HttpServletResponse;
 import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
+import org.apache.cxf.service.factory.ServiceConstructionException;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.wss4j.dom.WSConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -114,6 +116,12 @@ public class STSUPAuthenticationProvider extends STSAuthenticationProvider
{
             LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
             return upat;
 
+        } catch (ServiceConstructionException ex) {
+            // Explictly catch ServiceConstructionException here - this allows us to handle
the case of
+            // the STS being down separately
+            LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() +
"'", ex);
+            throw new AuthenticationServiceException("Failed to authenticate user '"
+                + usernamePasswordToken.getName(), ex);
         } catch (Exception ex) {
             LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() +
"'", ex);
             return null;
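Review bot: The message on the thrown `AuthenticationServiceException` lacks the closing quote that the log line above it has; it should read `"Failed to authenticate user '" + usernamePasswordToken.getName() + "'"`. Logging a misconfigured or unreachable STS at INFO puts an infrastructure failure at the same level as an ordinary bad-password attempt, so it will not stand out to whoever monitors the IdP; `LOG.warn(...)` for this branch would separate the two cases, and the comment's `Explictly` should read `Explicitly`. The comment says this covers "the STS being down", but `ServiceConstructionException` is presumably raised while the STS client is being built, so a connectivity failure on the actual request may still land in the generic `catch (Exception ex)` below and be reported as a 401 — worth confirming with a test. The enclosing method starts and ends outside this hunk.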

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e6a2d15f/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
index 2ba5f86..657360d 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
@@ -35,6 +35,8 @@
 
     <!-- DISABLE in production as it might log confidential information about the user
-->
     <!-- <security:debug /> -->
+    
+    <bean id="basicAuthEntryPoint" class="org.apache.cxf.fediz.service.idp.BasicAuthEntryPoint"
/>
 
     <!-- HTTP/BA entry point for WS-Federation -->
     <security:http pattern="/federation/up/**" use-expressions="true">
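Review bot: The `basicAuthEntryPoint` bean is declared here explicitly while the class is also annotated `@Component` in the Java hunk above; if component scanning covers `org.apache.cxf.fediz.service.idp` in this context, two instances of the entry point are created and the scanned one goes unused. Either drop `@Component` from the class or rely on scanning and remove this declaration, rather than keeping both. The added line just before the bean declaration contains only trailing whitespace and can be a plain empty line.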
@@ -42,7 +44,7 @@
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
 
-        <security:http-basic />
+        <security:http-basic entry-point-ref="basicAuthEntryPoint"/>
 	<!--security:form-login login-page='/federation/up/login'
 		login-processing-url="/federation/up/login.do"
 		authentication-failure-url="/federation/up/login?error" 

