portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rwat...@apache.org
Subject svn commit: r909924 - in /portals/jetspeed-2/portal/trunk: ./ applications/jetspeed/src/main/webapp/WEB-INF/ components/jetspeed-portal/ components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/ components/jetspeed-portal/src/main/java/org/a...
Date Sat, 13 Feb 2010 22:01:34 GMT
Author: rwatler
Date: Sat Feb 13 22:01:33 2010
New Revision: 909924

URL: http://svn.apache.org/viewvc?rev=909924&view=rev
Log:
JS2-1101: OpenID Support Update:
----------------------------------------------------------------------------------
- use Google's Step2 library to support OpenID verification/discovery for Google
  hosted domains host metadata lookup
- commit version of Step2 that is compatible with openid4java 0.9.5 to BSR repo
  here: https://svn.bluesunrise.com/repos/step2
- deploy Step2 version to BSR maven2 repo
- add OpenIDRelayingPartyServlet configuration to select step2 or openid4java
  OpenID consumer implementation per host/domain to portal web.xml
- upgrade jdom version from 1.0 to 1.1 in portal to support Step2
 

Added:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/step2/
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/step2/GoogleHostMetaFetcher.java
Modified:
    portals/jetspeed-2/portal/trunk/applications/jetspeed/src/main/webapp/WEB-INF/web.xml
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/pom.xml
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/OpenIDRelayingPartyServlet.java
    portals/jetspeed-2/portal/trunk/pom.xml

Modified: portals/jetspeed-2/portal/trunk/applications/jetspeed/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/applications/jetspeed/src/main/webapp/WEB-INF/web.xml?rev=909924&r1=909923&r2=909924&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/applications/jetspeed/src/main/webapp/WEB-INF/web.xml
(original)
+++ portals/jetspeed-2/portal/trunk/applications/jetspeed/src/main/webapp/WEB-INF/web.xml
Sat Feb 13 22:01:33 2010
@@ -49,12 +49,10 @@
     <filter-class>org.apache.jetspeed.login.filter.PortalFilter</filter-class>
  
   </filter>
   -->
-  <!--
   <filter>
     <filter-name>OpenIDPortalFilter</filter-name>
     <filter-class>org.apache.jetspeed.openid.filter.OpenIDPortalFilter</filter-class>
   </filter>
-  -->
 
   <filter-mapping>
     <filter-name>XXSUrlAttackFilter</filter-name>
@@ -71,12 +69,10 @@
     <url-pattern>/*</url-pattern>    
   </filter-mapping>  
   -->
-  <!--  
   <filter-mapping>
     <filter-name>OpenIDPortalFilter</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
-  -->
 
   <listener>
     <listener-class>org.apache.jetspeed.engine.JetspeedServlet</listener-class>
@@ -164,7 +160,6 @@
   </servlet>
 
   <!-- OpenID Relaying Party Servlet -->
-  <!--
   <servlet>
     <description>
       OpenID Relaying Party, (RP), servlet used to return discovery
@@ -175,21 +170,11 @@
     <servlet-name>OpenIDRelayingPartyServlet</servlet-name>
     <servlet-class>org.apache.jetspeed.openid.OpenIDRelayingPartyServlet</servlet-class>
     <init-param>
-      <description>Discovery domain to URL mapping.</description>
+      <description>Discovery domain to provider URL/host mapping.</description>
       <param-name>discovery.gmail.com</param-name>
       <param-value>https://www.google.com/accounts/o8/id</param-value>
     </init-param>
     <init-param>
-      <description>Discovery domain to URL mapping.</description>
-      <param-name>discovery.yahoo.com</param-name>
-      <param-value>http://yahoo.com</param-value>
-    </init-param>
-    <init-param>
-      <description>Discovery domain to URL mapping.</description>
-      <param-name>discovery.myopenid.com</param-name>
-      <param-value>http://myopenid.com</param-value>
-    </init-param>
-    <init-param>
       <description>Enable servlet init parameter registration configuration.</description>
       <param-name>enableRegistrationConfig</param-name>
       <param-value>false</param-value>
@@ -231,7 +216,6 @@
     </init-param>
     <load-on-startup>2</load-on-startup>
   </servlet>
-  -->
 
   <servlet-mapping>
       <servlet-name>DiagnosticsServlet</servlet-name>
@@ -332,13 +316,11 @@
   </servlet-mapping>
 
   <!-- OpenID Relaying Party Servlet -->
-  <!--
   <servlet-mapping>
     <servlet-name>OpenIDRelayingPartyServlet</servlet-name>
     <url-pattern>/openid</url-pattern>
     <url-pattern>/openid/*</url-pattern>
   </servlet-mapping>
-  -->
 
   <!-- The Usual Welcome File List -->
   <welcome-file-list>

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/pom.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/pom.xml?rev=909924&r1=909923&r2=909924&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/pom.xml (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/pom.xml Sat Feb 13 22:01:33
2010
@@ -188,6 +188,10 @@
       <groupId>org.openid4java</groupId>
       <artifactId>openid4java-consumer</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.google.step2</groupId>
+      <artifactId>step2-common</artifactId>
+    </dependency>
 
     <!-- Test Dependencies -->
     <dependency>

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/OpenIDRelayingPartyServlet.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/OpenIDRelayingPartyServlet.java?rev=909924&r1=909923&r2=909924&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/OpenIDRelayingPartyServlet.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/OpenIDRelayingPartyServlet.java
Sat Feb 13 22:01:33 2010
@@ -21,6 +21,8 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ThreadFactory;
 
 import javax.security.auth.Subject;
 import javax.servlet.ServletConfig;
@@ -34,6 +36,11 @@
 import org.openid4java.consumer.VerificationResult;
 import org.openid4java.discovery.DiscoveryInformation;
 import org.openid4java.discovery.Identifier;
+import org.openid4java.discovery.UrlIdentifier;
+import org.openid4java.discovery.html.HtmlResolver;
+import org.openid4java.discovery.xri.XriDotNetProxyResolver;
+import org.openid4java.discovery.xri.XriResolver;
+import org.openid4java.discovery.yadis.YadisResolver;
 import org.openid4java.message.AuthRequest;
 import org.openid4java.message.AuthSuccess;
 import org.openid4java.message.ParameterList;
@@ -52,11 +59,30 @@
 import org.apache.jetspeed.cache.UserContentCacheManager;
 import org.apache.jetspeed.components.ComponentManager;
 import org.apache.jetspeed.openid.OpenIDRegistrationConfiguration;
+import org.apache.jetspeed.openid.step2.GoogleHostMetaFetcher;
 import org.apache.jetspeed.security.SecurityAttribute;
 import org.apache.jetspeed.security.SecurityAttributes;
 import org.apache.jetspeed.security.User;
 import org.apache.jetspeed.security.UserManager;
 
+import com.google.step2.discovery.DefaultHostMetaFetcher;
+import com.google.step2.discovery.Discovery2;
+import com.google.step2.discovery.HostMetaFetcher;
+import com.google.step2.discovery.IdpIdentifier;
+import com.google.step2.discovery.LegacyXrdsResolver;
+import com.google.step2.discovery.ParallelHostMetaFetcher;
+import com.google.step2.discovery.SecureDiscoveryInformation;
+import com.google.step2.discovery.SecureUrlIdentifier;
+import com.google.step2.discovery.XrdDiscoveryResolver;
+import com.google.step2.http.DefaultHttpFetcher;
+import com.google.step2.http.HttpFetcher;
+import com.google.step2.xmlsimplesign.CachedCertPathValidator;
+import com.google.step2.xmlsimplesign.CertValidator;
+import com.google.step2.xmlsimplesign.DefaultCertValidator;
+import com.google.step2.xmlsimplesign.DefaultTrustRootsProvider;
+import com.google.step2.xmlsimplesign.TrustRootsProvider;
+import com.google.step2.xmlsimplesign.Verifier;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -73,8 +99,14 @@
 
     private static final Logger log = LoggerFactory.getLogger(OpenIDRelayingPartyServlet.class);
     
+    private static final long OPEN_ID_DISCOVERY_TIMEOUT_SECONDS = 10L;
+
     private static final String OPEN_ID_DISCOVERY_INIT_PARAM_NAME_PREFIX = "discovery.";
+    private static final String OPEN_ID_CONSUMER_INIT_PARAM_NAME_PREFIX = "consumer.";
+    private static final String OPEN_ID_CONSUMER_INIT_PARAM_NAME_VALUE = "openid4java";
+    private static final String STEP2_CONSUMER_INIT_PARAM_NAME_VALUE = "step2";
     
+    private static final String OPEN_ID_PROVIDER_ATTR_NAME = "org.apache.jetspeed.openid.provider";
     private static final String OPEN_ID_DISCOVERY_INFO_ATTR_NAME = "org.apache.jetspeed.openid.discoveryinfo";
 
     private static final String USER_ATTRIBUTE_EMAIL = "user.business-info.online.email";
@@ -84,6 +116,7 @@
     private static final String USER_ATTRIBUTE_NICKNAME = "user.name.nickName";
     
     private ConsumerManager openIDConsumerManager;
+    private ConsumerManager openIDStep2ConsumerManager;
     private UserManager portalUserManager;
     private PortalAdministration portalAdministration;
     private AuditActivity portalAudit;
@@ -101,7 +134,37 @@
         // setup OpenID
         try
         {
+            // standard OpenID implementation
             openIDConsumerManager = new ConsumerManager();
+            // assemble Step2 OpenID implementation; TODO: utilize a more
+            // robust HTTPFetcher implementation since the DefaultHttpFetcher
+            // may not be entirely thread safe due to connection manager
+            // configuration in HttpComponents, (this is why there are 4
+            // discrete instances of DefaultHttpFetcher used below).
+            HostMetaFetcher step2GoogleHostMetaFetcher = new GoogleHostMetaFetcher(new DefaultHttpFetcher());
+            HostMetaFetcher step2DefaultHostMetaFetcher = new DefaultHostMetaFetcher(new
DefaultHttpFetcher());
+            ThreadFactory parallelThreadFactory = new ThreadFactory()
+            {
+                public Thread newThread(Runnable r)
+                {
+                    Thread newThread = Executors.defaultThreadFactory().newThread(r);
+                    newThread.setName(getClass().getSimpleName()+"-"+newThread.getName());
+                    newThread.setDaemon(true);
+                    return newThread;
+                }
+            };
+            HostMetaFetcher step2HostMetaFetcher = new ParallelHostMetaFetcher(Executors.newFixedThreadPool(10,
parallelThreadFactory), OPEN_ID_DISCOVERY_TIMEOUT_SECONDS, step2GoogleHostMetaFetcher, step2DefaultHostMetaFetcher);
+            TrustRootsProvider step2XrdsTrustProvider = new DefaultTrustRootsProvider();
+            CachedCertPathValidator step2XrdsCertPathValidator = new CachedCertPathValidator(step2XrdsTrustProvider);
+            Verifier step2XrdsVerifier = new Verifier(step2XrdsCertPathValidator, new DefaultHttpFetcher());
+            CertValidator step2XrdsCertValidator = new DefaultCertValidator();
+            XrdDiscoveryResolver step2XrdResolver = new LegacyXrdsResolver(new DefaultHttpFetcher(),
step2XrdsVerifier, step2XrdsCertValidator);
+            HtmlResolver step2HtmlResolver = new HtmlResolver();
+            YadisResolver step2YadisResolver = new YadisResolver();
+            XriResolver step2XriResolver = new XriDotNetProxyResolver();
+            Discovery2 step2Discovery = new Discovery2(step2HostMetaFetcher, step2XrdResolver,
step2HtmlResolver, step2YadisResolver, step2XriResolver);
+            openIDStep2ConsumerManager = new ConsumerManager();
+            openIDStep2ConsumerManager.setDiscovery(step2Discovery);
         }
         catch (OpenIDException oide)
         {
@@ -139,6 +202,7 @@
         portalAuthenticationConfiguration = null;
         portalAdministration = null;
         portalUserManager = null;
+        openIDStep2ConsumerManager = null;
         openIDConsumerManager = null;
         super.destroy();
     }
@@ -212,20 +276,46 @@
                 boolean discoveredProvider = false;
                 try
                 {
-                    // default user supplied discovery string
+                    // default user supplied discovery string and provider
                     String userSuppliedDiscoveryString = discovery;
-                    if ((provider == null) && (userSuppliedDiscoveryString != null)
&&
-                        !userSuppliedDiscoveryString.startsWith("http://") && !userSuppliedDiscoveryString.startsWith("https://")
&&
-                        !userSuppliedDiscoveryString.startsWith("xri://"))
+                    if ((provider == null) && (userSuppliedDiscoveryString != null))
                     {
-                        int emailDomainSeparatorIndex = userSuppliedDiscoveryString.indexOf('@');
-                        if (emailDomainSeparatorIndex != -1)
+                        if (!userSuppliedDiscoveryString.startsWith("http://") &&
!userSuppliedDiscoveryString.startsWith("https://"))
                         {
-                            provider = userSuppliedDiscoveryString.substring(emailDomainSeparatorIndex+1);
+                            if (!userSuppliedDiscoveryString.startsWith("xri://") &&
!userSuppliedDiscoveryString.startsWith("=") && !userSuppliedDiscoveryString.startsWith("@"))
+                            {
+                                // extract provider from email address
+                                int emailDomainSeparatorIndex = userSuppliedDiscoveryString.indexOf('@');
+                                if (emailDomainSeparatorIndex != -1)
+                                {
+                                    // extract provider host name from email address
+                                    provider = userSuppliedDiscoveryString.substring(emailDomainSeparatorIndex+1);
+                                }
+                                else if (Character.isLetterOrDigit(userSuppliedDiscoveryString.charAt(0)))
+                                {
+                                    provider = userSuppliedDiscoveryString;
+                                }
+                            }
                         }
-                        else if (Character.isLetterOrDigit(userSuppliedDiscoveryString.charAt(0)))
+                        else
                         {
-                            provider = userSuppliedDiscoveryString;
+                            // extract provider from URL host name
+                            int domainIndex = userSuppliedDiscoveryString.indexOf("://")+3;
+                            int endDomainIndex = userSuppliedDiscoveryString.indexOf('/',
domainIndex);
+                            if (endDomainIndex == -1)
+                            {
+                                endDomainIndex = userSuppliedDiscoveryString.length();
+                            }
+                            provider = userSuppliedDiscoveryString.substring(domainIndex,
endDomainIndex);
+                            domainIndex = provider.lastIndexOf('.', provider.length());
+                            if (domainIndex > 0)
+                            {
+                                domainIndex = provider.lastIndexOf('.', domainIndex-1);
+                            }
+                            if (domainIndex != -1)
+                            {
+                                provider = provider.substring(domainIndex);
+                            }
                         }
                     }
                     if (provider != null)
@@ -233,20 +323,54 @@
                         String providerSuppliedDiscoveryString = getInitParameter(OPEN_ID_DISCOVERY_INIT_PARAM_NAME_PREFIX+provider);
                         if (providerSuppliedDiscoveryString != null)
                         {
+                            // lookup override discovery string from configuration
                             userSuppliedDiscoveryString = providerSuppliedDiscoveryString;
                         }
+                        else if (userSuppliedDiscoveryString == null)
+                        {
+                            // use provider for discover string if not specified
+                            userSuppliedDiscoveryString = provider;
+                        }
                     }
 
+                    // select consumer implementation based on provider
+                    String providerConsumer = OPEN_ID_CONSUMER_INIT_PARAM_NAME_VALUE;
+                    ConsumerManager providerOpenIDConsumerManager = openIDConsumerManager;
+                    if (provider != null)
+                    {
+                        String consumer = getInitParameter(OPEN_ID_CONSUMER_INIT_PARAM_NAME_PREFIX+provider);
+                        if ((consumer != null) && consumer.equals(STEP2_CONSUMER_INIT_PARAM_NAME_VALUE))
+                        {
+                            providerConsumer = STEP2_CONSUMER_INIT_PARAM_NAME_VALUE;
+                            providerOpenIDConsumerManager = openIDStep2ConsumerManager;
+                        }
+                    }
+                    
                     // OpenID discovery
                     DiscoveryInformation discovered = null;
                     try
                     {
                         if (userSuppliedDiscoveryString != null)
                         {
-                            List discoveries = openIDConsumerManager.discover(userSuppliedDiscoveryString);
+                            List discoveries = null;
+                            if (providerConsumer.equals(STEP2_CONSUMER_INIT_PARAM_NAME_VALUE))
+                            {
+                                // verify discovery string is likely a host name
+                                if ((userSuppliedDiscoveryString.indexOf("://") == -1) &&
(userSuppliedDiscoveryString.indexOf('@') == -1) && (userSuppliedDiscoveryString.indexOf('=')
== -1))
+                                {
+                                    // Step2 OpenId discovery
+                                    IdpIdentifier providerIdentifier = new IdpIdentifier(userSuppliedDiscoveryString);
+                                    discoveries = providerOpenIDConsumerManager.getDiscovery().discover(providerIdentifier);
                                   
+                                }
+                            }
+                            else
+                            {
+                                // standard OpenId discovery
+                                discoveries = providerOpenIDConsumerManager.discover(userSuppliedDiscoveryString);
+                            }
                             if ((discoveries != null) && !discoveries.isEmpty())
                             {
-                                discovered = openIDConsumerManager.associate(discoveries);
+                                discovered = providerOpenIDConsumerManager.associate(discoveries);
                             }
                         }
                     }
@@ -256,17 +380,18 @@
                     }
                     if (discovered == null)
                     {
-                        throw new RuntimeException("No OpenID provider discovered");    
               
+                        throw new RuntimeException("No OpenID provider discovered for: "+userSuppliedDiscoveryString);
                   
                     }
                     discoveredProvider = true;
 
                     // log OpenID provider
                     if (log.isDebugEnabled())
                     {
-                        log.debug("Discovered OpenID provider endpoint: "+discovered.getOPEndpoint());
+                        log.debug("Discovered OpenID provider endpoint: "+discovered.getOPEndpoint()+",
["+discovered.getClass().getSimpleName()+"]");
                     }
 
                     // save OpenID provider in session
+                    request.getSession().setAttribute(OPEN_ID_PROVIDER_ATTR_NAME, provider);
                     request.getSession().setAttribute(OPEN_ID_DISCOVERY_INFO_ATTR_NAME, discovered);
 
                     // create OpenID authentication request and redirect
@@ -275,7 +400,7 @@
                     try
                     {
                         // authentication request
-                        AuthRequest authRequest = openIDConsumerManager.authenticate(discovered,
authReturnToURL, openIDRealmURL);
+                        AuthRequest authRequest = providerOpenIDConsumerManager.authenticate(discovered,
authReturnToURL, openIDRealmURL);
                         // request attribute exchange data
                         FetchRequest axRequest = FetchRequest.createFetchRequest();
                         axRequest.addAttribute("email", "http://axschema.org/contact/email",
true);
@@ -338,6 +463,7 @@
                     ParameterList authParams = new ParameterList(request.getParameterMap());
 
                     // retrieve OpenID provider from session
+                    String provider = (String)request.getSession().getAttribute(OPEN_ID_PROVIDER_ATTR_NAME);
                     DiscoveryInformation discovered = (DiscoveryInformation)request.getSession().getAttribute(OPEN_ID_DISCOVERY_INFO_ATTR_NAME);
 
                     // reconstruct the authenticated request URL
@@ -349,19 +475,33 @@
                     }
                     String authRequestURL = authRequestURLBuffer.toString();
 
+                    // select consumer implementation based on provider
+                    String providerConsumer = OPEN_ID_CONSUMER_INIT_PARAM_NAME_VALUE;
+                    if (provider != null)
+                    {
+                        String consumer = getInitParameter(OPEN_ID_CONSUMER_INIT_PARAM_NAME_PREFIX+provider);
+                        if ((consumer != null) && consumer.equals(STEP2_CONSUMER_INIT_PARAM_NAME_VALUE))
+                        {
+                            providerConsumer = STEP2_CONSUMER_INIT_PARAM_NAME_VALUE;
+                        }
+                    }
+                    
                     // verify the authenticated request
-                    VerificationResult verification = null;
-                    try
+                    VerificationResults verificationResults = null;
+                    if (providerConsumer.equals(STEP2_CONSUMER_INIT_PARAM_NAME_VALUE))
                     {
-                        verification = openIDConsumerManager.verify(authRequestURL, authParams,
discovered);
+                        // Step2 OpenId verification
+                        verificationResults = openIDStep2Verification(authRequestURL, authParams,
discovered);
                     }
-                    catch (OpenIDException oide)
+                    else
                     {
-                        throw new RuntimeException("Unexpected OpenID authenticated verification
exception: "+oide, oide);
+                        // standard OpenId verification
+                        verificationResults = openIDVerification(authRequestURL, authParams,
discovered);
                     }
+                    VerificationResult verification = verificationResults.verification;
+                    Identifier verifiedIdentifier = verificationResults.verifiedIdentifier;
 
                     // extract identifier from verified authenticated request
-                    Identifier verifiedIdentifier = verification.getVerifiedId();
                     if (verifiedIdentifier == null)
                     {
                         throw new RuntimeException("Verified identifier unavailable for authenticated
OpenID login");                    
@@ -650,5 +790,197 @@
         }
         openIDRealmURLBuilder.append(request.getContextPath()+request.getServletPath());
         return openIDRealmURLBuilder.toString();        
-    }    
+    }
+    
+    /**
+     * OpenID authenticated request verification results.
+     */
+    private class VerificationResults
+    {
+        public VerificationResult verification = null;
+        public Identifier verifiedIdentifier = null;
+    }
+    
+    /**
+     * Standard OpenId authenticated request verification.
+     * 
+     * @param authRequestURL authenticated request URL
+     * @param authParams authenticated request parameters
+     * @param discovered discovery information
+     * @return verification result
+     */
+    private VerificationResults openIDVerification(String authRequestURL, ParameterList authParams,
DiscoveryInformation discovered)
+    {
+        try
+        {
+            if (log.isDebugEnabled())
+            {
+                log.debug("Verify standard OpenID authentication request using: "+discovered.getOPEndpoint());
+            }
+
+            VerificationResults results = new VerificationResults();
+            // verify using previously discovered discovery information
+            results.verification = openIDConsumerManager.verify(authRequestURL, authParams,
discovered);
+
+            if (log.isDebugEnabled() && (results.verification != null))
+            {
+                log.debug("Verified standard OpenID authentication request: "+authRequestURL);
+            }            
+            
+            // return verified identifier
+            results.verifiedIdentifier = results.verification.getVerifiedId();
+
+            if (log.isDebugEnabled() && (results.verifiedIdentifier != null))
+            {
+                log.debug("Verified standard OpenID authentication request identity: "+results.verifiedIdentifier);
+            }
+            
+            return results;
+        }
+        catch (OpenIDException oide)
+        {
+            throw new RuntimeException("Unexpected standard OpenId authenticated request
verification exception: "+oide, oide);
+        }
+    }
+
+    /**
+     * Step2 OpenId authenticated request verification.
+     * 
+     * @param authRequestURL authenticated request URL
+     * @param authParams authenticated request parameters
+     * @param discovered discovery information
+     * @return verification result
+     */
+    private VerificationResults openIDStep2Verification(String authRequestURL, ParameterList
authParams, DiscoveryInformation discovered)
+    {
+        try
+        {
+            VerificationResults results = new VerificationResults();
+            // verify OpenId authentication request
+            String openIdMode = authParams.getParameterValue("openid.mode");
+            if ((openIdMode != null) && openIdMode.equals("id_res"))
+            {
+                AuthSuccess authResponse = AuthSuccess.createAuthSuccess(authParams);
+                if ((authResponse != null) && authResponse.isVersion2() &&
(authResponse.getIdentity() != null) && (authResponse.getClaimed() != null))
+                {
+                    // get OpenId identifier
+                    String providerId = authResponse.getIdentity();
+                    Identifier responseClaimedId = openIDStep2ConsumerManager.getDiscovery().parseIdentifier(authResponse.getClaimed(),
true);
+                    String responseEndpoint = authResponse.getOpEndpoint();
+                    
+                    if (log.isDebugEnabled())
+                    {
+                        log.debug("Step2 discovery for identity: "+responseClaimedId);
+                    }
+
+                    // get Step2 secure discovery information
+                    SecureDiscoveryInformation secureDiscovered = null;
+                    
+                    // validate previously discovered secure discovery information
+                    if (discovered instanceof SecureDiscoveryInformation)
+                    {
+                        // check for matching version, identifiers, and endpoints
+                        if (discovered.isVersion2() && discovered.hasClaimedIdentifier()
&& discovered.getClaimedIdentifier().equals(responseClaimedId) && discovered.getOPEndpoint().equals(responseEndpoint))
+                        {
+                            String discoveredProviderId = (discovered.hasDelegateIdentifier()
? discovered.getDelegateIdentifier() : discovered.getClaimedIdentifier().getIdentifier());
+                            if (discoveredProviderId.equals(providerId))
+                            {
+                                secureDiscovered = (SecureDiscoveryInformation)discovered;
+
+                                if (log.isDebugEnabled())
+                                {
+                                    log.debug("Matched previously discovered Step2 secure
discovery information for "+responseClaimedId+" identity: "+secureDiscovered.getOPEndpoint());
+                                }
+                            }
+                        }
+                    }
+
+                    // discover secure discovery information if necessary
+                    if (secureDiscovered == null)
+                    {
+                        // perform discovery on claimed identifier
+                        List<SecureDiscoveryInformation> discoveredInfos = openIDStep2ConsumerManager.getDiscovery().discover(responseClaimedId);
+                        // match secure discovered information: prefer previously associated
matches
+                        for (SecureDiscoveryInformation discoveredInfo : discoveredInfos)
+                        {
+                            // match secure discovered information
+                            String version = discoveredInfo.getVersion();
+                            if ((version != null) && version.equals(DiscoveryInformation.OPENID2_OP)
&& discoveredInfo.isVersion2() && discoveredInfo.getOPEndpoint().equals(responseEndpoint))
+                            {
+                                String discoveredProviderId = (discoveredInfo.hasDelegateIdentifier()
? discoveredInfo.getDelegateIdentifier() : discoveredInfo.getClaimedIdentifier().getIdentifier());
+                                if (discoveredProviderId.equals(providerId))
+                                {
+                                    // match previously associated or first discovered
+                                    if (openIDStep2ConsumerManager.getPrivateAssociationStore().load(discoveredInfo.getOPEndpoint().toString(),
authResponse.getHandle()) != null)
+                                    {
+                                        secureDiscovered = discoveredInfo;
+                                        break;
+                                    }
+                                    else if (secureDiscovered == null)
+                                    {
+                                        secureDiscovered = discoveredInfo;              
                     
+                                    }
+                                }                            
+                            }
+                        }
+
+                        if (log.isDebugEnabled() && (secureDiscovered != null))
+                        {
+                            log.debug("Discovered Step2 secure discovery information for
"+responseClaimedId+" identity: "+secureDiscovered.getOPEndpoint());
+                        }
+                    }
+
+                    if (log.isDebugEnabled() && (secureDiscovered != null))
+                    {
+                        log.debug("Verify Step2 OpenID authentication request using: "+secureDiscovered.getOPEndpoint());
+                    }
+
+                    // verify using secure discovery information
+                    results.verification = openIDStep2ConsumerManager.verify(authRequestURL,
authParams, secureDiscovered);
+
+                    if (log.isDebugEnabled() && (results.verification != null))
+                    {
+                        log.debug("Verified Step2 OpenID authentication request: "+authRequestURL);
+                    }
+                    
+                    // verify secure verified identifier
+                    if ((results.verification.getAuthResponse() instanceof AuthSuccess) &&
(results.verification.getVerifiedId() != null))
+                    {
+                        // verify secure verification
+                        boolean secureVerification = ((secureDiscovered != null) &&
(secureDiscovered.getClaimedIdentifier() != null) && secureDiscovered.isSecure());
+                        if (secureVerification)
+                        {
+                            try
+                            {
+                                UrlIdentifier verifiedClaimedId = new UrlIdentifier(results.verification.getVerifiedId().getIdentifier(),
true);
+                                secureVerification = secureDiscovered.getClaimedIdentifier().getIdentifier().equals(verifiedClaimedId.getIdentifier());
+                            }
+                            catch (OpenIDException oide)
+                            {
+                                secureVerification = false;
+                            }
+                        }
+                        
+                        // return verified identifier
+                        Identifier verifiedId = results.verification.getVerifiedId();
+                        results.verifiedIdentifier = (secureVerification ? new SecureUrlIdentifier(verifiedId)
: verifiedId);
+
+                        if (log.isDebugEnabled())
+                        {
+                            log.debug("Verified Step2 OpenID authentication request identity:
"+results.verifiedIdentifier);
+                        }
+                    }
+                    else
+                    {
+                        throw new RuntimeException("Step2 OpenId authenticated request verification
failed");
+                    }
+                }
+            }
+            return results;
+        }
+        catch (OpenIDException oide)
+        {
+            throw new RuntimeException("Unexpected Step2 OpenId authenticated request verification
exception: "+oide, oide);
+        }
+    }
 }

Added: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/step2/GoogleHostMetaFetcher.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/step2/GoogleHostMetaFetcher.java?rev=909924&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/step2/GoogleHostMetaFetcher.java
(added)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/openid/step2/GoogleHostMetaFetcher.java
Sat Feb 13 22:01:33 2010
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.openid.step2;
+
+import com.google.step2.discovery.UrlHostMetaFetcher;
+import com.google.step2.http.HttpFetcher;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+public class GoogleHostMetaFetcher extends UrlHostMetaFetcher
+{
+    private static final String GOOGLE_HOSTED_HOST_META_URI = "https://www.google.com/accounts/o8/.well-known/host-meta";
+    private static final String GOOGLE_HOSTED_HOST_META_HOST_PARAM = "hd";
+
+    public GoogleHostMetaFetcher(HttpFetcher fetcher)
+    {
+        super(fetcher);
+    }
+
+    protected URI getHostMetaUriForHost(String host) throws URISyntaxException
+    {
+        return new URI(GOOGLE_HOSTED_HOST_META_URI+"?"+GOOGLE_HOSTED_HOST_META_HOST_PARAM+"="+host);
+    }
+}

Modified: portals/jetspeed-2/portal/trunk/pom.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/pom.xml?rev=909924&r1=909923&r2=909924&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/pom.xml (original)
+++ portals/jetspeed-2/portal/trunk/pom.xml Sat Feb 13 22:01:33 2010
@@ -273,7 +273,7 @@
     <jaxen.version>1.0-FCS</jaxen.version>
     <jaxb.version>2.1</jaxb.version>
     <jaxb-impl.version>2.1.9</jaxb-impl.version>
-    <jdom.version>1.0</jdom.version>
+    <jdom.version>1.1</jdom.version>
     <log4j.version>1.2.14</log4j.version>
     <lucene.version>2.3.2</lucene.version>
     <myfaces.version>1.1.5</myfaces.version>
@@ -300,6 +300,7 @@
     <spring.version>2.5.6</spring.version>
     <spring.ldap.version>1.3.0.RELEASE</spring.ldap.version>
     <spring.ojb.version>2.0-rc2</spring.ojb.version>    
+    <step2.version>0</step2.version>
     <taglibs-random.version>1.0.2</taglibs-random.version>
     <taglibs-request.version>1.0.1</taglibs-request.version>
     <taglibs-standard.version>1.1.2</taglibs-standard.version>
@@ -1405,6 +1406,21 @@
           </exclusion>
         </exclusions>
       </dependency>
+      <dependency>
+        <groupId>com.google.step2</groupId>
+        <artifactId>step2-common</artifactId>
+        <version>${step2.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>commons-logging</groupId>
+            <artifactId>commons-logging</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-jcl</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
 
     </dependencies>
   </dependencyManagement>



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message