From cohei...@apache.org
Subject [cxf-fediz] branch master updated: FEDIZ-213 - Spring plugins don't handle token expiration properly
Date Wed, 11 Oct 2017 08:43:41 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/master by this push:
     new a8cfa5e  FEDIZ-213 - Spring plugins don't handle token expiration properly
a8cfa5e is described below

commit a8cfa5ee58998237525fbe9b2bd9663c6e0baf1a
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Wed Oct 11 09:42:51 2017 +0100

    FEDIZ-213 - Spring plugins don't handle token expiration properly
---
 .../FederationAuthenticationFailureHandler.java    |  44 +------
 .../FederationAuthenticationFailureHandler.java    |  44 +------
 systests/spring/pom.xml                            |  20 ++++
 .../cxf/fediz/systests/spring/TokenExpiryTest.java |  36 ++----
 .../spring/src/test/resources/fediz_config.xml     |   1 +
 .../spring/src/test/resources/realma/fediz-sts.xml | 127 +++++++++++++++++++++
 6 files changed, 161 insertions(+), 111 deletions(-)

diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
index 8b98982..99d9f5d 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
@@ -20,22 +20,13 @@
 package org.apache.cxf.fediz.spring.web;
 
 import java.io.IOException;
-import java.util.Map;
-import java.util.Map.Entry;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
-import org.apache.cxf.fediz.core.processor.RedirectionResponse;
 import org.apache.cxf.fediz.spring.FederationConfig;
 import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 
@@ -44,8 +35,6 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
  */
 public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler
{
 
-    private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFailureHandler.class);
-
     private FederationConfig federationConfig;
 
     public FederationAuthenticationFailureHandler() {
@@ -57,36 +46,9 @@ public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticat
                                         AuthenticationException exception) throws IOException,
ServletException {
 
         if (exception instanceof ExpiredTokenException) {
-            String redirectUrl = null;
-            try {
-                FedizContext fedContext = federationConfig.getFedizContext();
-                FedizProcessor wfProc =
-                    FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
-                RedirectionResponse redirectionResponse =
-                    wfProc.createSignInRequest(request, fedContext);
-                redirectUrl = redirectionResponse.getRedirectionURL();
-
-                if (redirectUrl == null) {
-                    LOG.warn("Failed to create SignInRequest. Redirect URL null");
-                    throw new ServletException("Failed to create SignInRequest. Redirect
URL null");
-                }
-
-                Map<String, String> headers = redirectionResponse.getHeaders();
-                if (!headers.isEmpty()) {
-                    for (Entry<String, String> entry : headers.entrySet()) {
-                        response.addHeader(entry.getKey(), entry.getValue());
-                    }
-                }
-
-            } catch (ProcessingException ex) {
-                LOG.warn("Failed to create SignInRequest", ex);
-                throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
-            }
-
-            if (LOG.isInfoEnabled()) {
-                LOG.info("Redirecting to IDP: " + redirectUrl);
-            }
-            response.sendRedirect(redirectUrl);
+            // Just redirect back to the original URL and re-start the authentication process.
+            response.sendRedirect(request.getRequestURL().toString());
+            return;
         }
 
         super.onAuthenticationFailure(request, response, exception);
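Review bot: The new redirect in the `ExpiredTokenException` branch uses `request.getRequestURL()`, which excludes the query string and rebuilds scheme and host from what the container saw (the Host header, or the proxy-facing scheme behind a TLS-terminating proxy), so the retried request may not be the one the user actually made. A relative target avoids both problems: `String target = request.getRequestURI(); if (request.getQueryString() != null) { target += "?" + request.getQueryString(); } response.sendRedirect(target);`. A 302 back to the same URL only restarts authentication if the expired token has already been dropped from the session by the time this handler runs; if it has not, the filter will presumably throw again and the browser loops, so a comment naming the component that clears it would help the next reader. With the logger removed this path leaves no trace at all, which makes such a loop hard to diagnose; a debug-level log of the redirect target is cheap. The enclosing onAuthenticationFailure starts and ends outside the hunk.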
diff --git a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
index 8b98982..99d9f5d 100644
--- a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
+++ b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
@@ -20,22 +20,13 @@
 package org.apache.cxf.fediz.spring.web;
 
 import java.io.IOException;
-import java.util.Map;
-import java.util.Map.Entry;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
-import org.apache.cxf.fediz.core.processor.RedirectionResponse;
 import org.apache.cxf.fediz.spring.FederationConfig;
 import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 
@@ -44,8 +35,6 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
  */
 public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler
{
 
-    private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFailureHandler.class);
-
     private FederationConfig federationConfig;
 
     public FederationAuthenticationFailureHandler() {
@@ -57,36 +46,9 @@ public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticat
                                         AuthenticationException exception) throws IOException,
ServletException {
 
         if (exception instanceof ExpiredTokenException) {
-            String redirectUrl = null;
-            try {
-                FedizContext fedContext = federationConfig.getFedizContext();
-                FedizProcessor wfProc =
-                    FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
-                RedirectionResponse redirectionResponse =
-                    wfProc.createSignInRequest(request, fedContext);
-                redirectUrl = redirectionResponse.getRedirectionURL();
-
-                if (redirectUrl == null) {
-                    LOG.warn("Failed to create SignInRequest. Redirect URL null");
-                    throw new ServletException("Failed to create SignInRequest. Redirect
URL null");
-                }
-
-                Map<String, String> headers = redirectionResponse.getHeaders();
-                if (!headers.isEmpty()) {
-                    for (Entry<String, String> entry : headers.entrySet()) {
-                        response.addHeader(entry.getKey(), entry.getValue());
-                    }
-                }
-
-            } catch (ProcessingException ex) {
-                LOG.warn("Failed to create SignInRequest", ex);
-                throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
-            }
-
-            if (LOG.isInfoEnabled()) {
-                LOG.info("Redirecting to IDP: " + redirectUrl);
-            }
-            response.sendRedirect(redirectUrl);
+            // Just redirect back to the original URL and re-start the authentication process.
+            response.sendRedirect(request.getRequestURL().toString());
+            return;
         }
 
         super.onAuthenticationFailure(request, response, exception);
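Review bot: `request.getRequestURL()` on the new expired-token branch yields an absolute URL without the query string, built from the Host header and the scheme the container saw, so behind a reverse proxy or for a request with parameters the retried request differs from the original. Redirecting to a relative URI keeps both intact: `String target = request.getRequestURI(); if (request.getQueryString() != null) { target += "?" + request.getQueryString(); } response.sendRedirect(target);`. The branch also assumes the expired token is no longer in the session when the redirected request arrives; if that is not guaranteed elsewhere this becomes a redirect loop, and since the logger was removed in this commit there is no log line to show it, so consider a short comment stating where the token is cleared. The enclosing method begins and ends outside this hunk.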
diff --git a/systests/spring/pom.xml b/systests/spring/pom.xml
index e5148fc..9b088da 100644
--- a/systests/spring/pom.xml
+++ b/systests/spring/pom.xml
@@ -194,6 +194,26 @@
                             </resources>              
                         </configuration>            
                     </execution>
+                    <execution>
+                        <id>copy-customised-sts-config</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory>
+                            <resources>          
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/realma</directory>
+                                    <includes>
+                                        <include>fediz-sts.xml</include>
+                                    </includes>
+                                    <filtering>false</filtering>
+                                </resource>
+                            </resources>              
+                            <overwrite>true</overwrite>       
+                        </configuration>            
+                    </execution>
                 </executions>
             </plugin>
             <plugin>
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/systests/spring/TokenExpiryTest.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/systests/spring/TokenExpiryTest.java
index f9221b4..bff87c8 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/systests/spring/TokenExpiryTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/systests/spring/TokenExpiryTest.java
@@ -25,22 +25,19 @@ import java.io.IOException;
 
 import javax.servlet.ServletException;
 
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.WebClient;
-
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleState;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
-import org.apache.cxf.fediz.systests.common.HTTPTestUtils;
+import org.apache.cxf.fediz.systests.common.AbstractExpiryTests;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
 
 /**
- * Test what happens when the IdP token expires. This is "mocked" by setting wfresh to "0"
in the plugin configuration.
+ * Some token expiry tests
  */
-public class TokenExpiryTest {
+public class TokenExpiryTest extends AbstractExpiryTests {
 
     static String idpHttpsPort;
     static String rpHttpsPort;
@@ -136,28 +133,9 @@ public class TokenExpiryTest {
         return rpHttpsPort;
     }
 
-
-    @org.junit.Test
-    public void testTokenExpiry() throws Exception {
-        // 1. Login
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld_wfresh"
-            + "/secure/fedservlet";
-        String user = "alice";
-        String password = "ecila";
-
-        CookieManager cookieManager = new CookieManager();
-
-        // 1. Login
-        HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
-
-        // 2. Sign out of the service (but not the Idp)
-        final WebClient webClient = new WebClient();
-        webClient.setCookieManager(cookieManager);
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getPage(url + "?wa=wsignoutcleanup1.0");
-        webClient.close();
-
-        // 3. Sign back in to the service provider. This time it will get a new IdP token
due to wfresh=0.
-        HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+    @Override
+    public String getServletContextName() {
+        return "fedizhelloworld_wfresh";
     }
+
 }
diff --git a/systests/spring/src/test/resources/fediz_config.xml b/systests/spring/src/test/resources/fediz_config.xml
index 131b064..f954c60 100644
--- a/systests/spring/src/test/resources/fediz_config.xml
+++ b/systests/spring/src/test/resources/fediz_config.xml
@@ -134,6 +134,7 @@
         </protocol>
         <logoutURL>/secure/logout</logoutURL>
         <logoutRedirectTo>/index.html</logoutRedirectTo>
+        <tokenExpirationValidation>true</tokenExpirationValidation>
     </contextConfig>
 </FedizConfig>
 
diff --git a/systests/spring/src/test/resources/realma/fediz-sts.xml b/systests/spring/src/test/resources/realma/fediz-sts.xml
new file mode 100644
index 0000000..9a690ab
--- /dev/null
+++ b/systests/spring/src/test/resources/realma/fediz-sts.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:cxf="http://cxf.apache.org/core"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd">
+
+    <import resource="classpath:META-INF/cxf/cxf.xml" />
+    
+    <bean id="loggerListener" class="org.apache.cxf.sts.event.map.EventMapper">
+        <constructor-arg>
+            <bean class="org.apache.cxf.sts.event.map.MapEventLogger" />
+        </constructor-arg>
+    </bean>
+
+    <util:list id="delegationHandlers">
+        <bean id="samlDelegationHandler"
+            class="org.apache.cxf.fediz.service.sts.FedizSAMLDelegationHandler" />
+        <bean id="x509DelegationHandler"
+            class="org.apache.cxf.fediz.service.sts.FedizX509DelegationHandler" />
+    </util:list>
+
+    <bean id="transportSTSProviderBean"
+        class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+        <property name="issueOperation" ref="transportIssueDelegate" />
+        <property name="validateOperation" ref="transportValidateDelegate" />
+    </bean>
+
+    <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
+        <property name="tokenProviders" ref="transportTokenProviders" />
+        <property name="services" ref="transportServices" />
+        <property name="stsProperties" ref="transportSTSProperties" />
+        <property name="claimsManager" ref="claimsManager" />
+        <property name="tokenValidators" ref="transportTokenValidators" />
+        <property name="eventListener" ref="loggerListener" />
+        <property name="delegationHandlers" ref="delegationHandlers" />
+        <property name="allowCustomContent" value="true" />
+    </bean>
+
+    <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
+        <property name="tokenValidators" ref="transportTokenValidators" />
+        <property name="stsProperties" ref="transportSTSProperties" />
+        <property name="eventListener" ref="loggerListener" />
+    </bean>
+
+    <util:list id="transportTokenProviders">
+        <ref bean="transportSamlTokenProvider" />
+    </util:list>
+
+    <util:list id="transportTokenValidators">
+        <ref bean="transportSamlTokenValidator" />
+        <bean class="org.apache.cxf.sts.token.validator.X509TokenValidator" />
+    </util:list>
+
+    <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
+        <property name="attributeStatementProviders" ref="attributeStatementProvidersList"
/>
+        <property name="realmMap" ref="realms" />
+        <property name="conditionsProvider" ref="conditionsProvider" />
+        <property name="subjectProvider" ref="subjectProvider" />
+    </bean>
+
+    <bean id="conditionsProvider"
+        class="org.apache.cxf.sts.token.provider.DefaultConditionsProvider">
+        <property name="lifetime" value="8" />
+        <property name="acceptClientLifetime" value="false" />
+    </bean>
+    
+    <bean id="subjectProvider"
+        class="org.apache.cxf.sts.token.provider.DefaultSubjectProvider">
+        <property name="subjectNameIDFormat" 
+                  value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
+    </bean>
+
+    <util:list id="attributeStatementProvidersList">
+        <ref bean="claimAttributeProvider" />
+    </util:list>
+
+    <bean id="claimAttributeProvider"
+        class="org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider">
+    </bean>
+
+    <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
+        <property name="claimHandlers" ref="claimHandlerList" />
+    </bean>
+
+    <bean id="transportSamlTokenValidator"
+        class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
+    </bean>
+
+    <util:list id="transportServices">
+        <ref bean="transportService" />
+    </util:list>
+
+    <bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
+        <property name="endpoints">
+            <util:list>
+                <value>.*</value>
+            </util:list>
+        </property>
+    </bean>
+    
+</beans>
+
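Review bot: This file is copied over the IdP STS's own `fediz-sts.xml` for the systests (per the new pom execution) but nothing in it marks it as a test-only override, and its most permissive settings — the `.*` endpoint pattern in `transportService` and `allowCustomContent=true` on `transportIssueDelegate` — would be questionable in a deployed STS. The `lifetime` of 8 on `conditionsProvider` is presumably the knob that makes issued tokens expire fast enough for TokenExpiryTest. I would add a comment above the `conditionsProvider` bean: `<!-- Systest-only override: very short token lifetime (assumed seconds, per DefaultConditionsProvider) so the expiry tests see an expired token quickly; not a production setting. -->`. Keeping `acceptClientLifetime` at `false` is the right choice here, since it stops a client from asking for a longer-lived token and defeating the test.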
