Posted to commits@cxf.apache.org by co...@apache.org on 2012/03/29 14:00:54 UTC
svn commit: r1306795 - in /cxf/trunk/services/sts/sts-core/src:
main/java/org/apache/cxf/sts/request/
main/java/org/apache/cxf/sts/token/validator/
test/java/org/apache/cxf/sts/token/validator/
Author: coheigea
Date: Thu Mar 29 12:00:53 2012
New Revision: 1306795
URL: http://svn.apache.org/viewvc?rev=1306795&view=rev
Log:
Introducing an EXPIRED State for ReceivedTokens
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java Thu Mar 29 12:00:53 2012
@@ -46,7 +46,7 @@ public class ReceivedToken {
private STATE state = STATE.NONE;
private Principal principal;
- public enum STATE { VALID, INVALID, CANCELLED, NONE };
+ public enum STATE { VALID, INVALID, CANCELLED, EXPIRED, NONE };
public ReceivedToken(Object receivedToken) throws STSException {
if (receivedToken instanceof JAXBElement<?>) {
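Review bot: The new EXPIRED constant carries no Javadoc, and nothing on the enum states that it is a rejection state alongside INVALID; a caller that rejects tokens by testing `state == STATE.INVALID` would treat an EXPIRED token as something other than rejected, so the safe test is `state != STATE.VALID`. I would document that on the enum, e.g. `/** Outcome of validation: only VALID means the token may be used; EXPIRED is a rejected token whose validity period has passed, CANCELLED one that was revoked. */`. Which callers compare against INVALID specifically is outside this hunk and only inferred.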
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java Thu Mar 29 12:00:53 2012
@@ -39,6 +39,7 @@ import org.apache.cxf.sts.request.Receiv
import org.apache.cxf.sts.token.realm.CertConstraintsParser;
import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.SAMLTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
@@ -197,23 +198,6 @@ public class SAMLTokenValidator implemen
}
}
- DateTime validFrom = null;
- DateTime validTill = null;
- if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
- validFrom = assertion.getSaml2().getConditions().getNotBefore();
- validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
- } else {
- validFrom = assertion.getSaml1().getConditions().getNotBefore();
- validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
- }
- if (validFrom.isAfterNow() || validTill.isBeforeNow()) {
- LOG.log(Level.WARNING, "SAML Token condition not met");
- if (secToken != null) {
- tokenParameters.getTokenStore().remove(secToken);
- }
- return response;
- }
-
// Get the realm of the SAML token
String tokenRealm = null;
if (samlRealmCodec != null) {
@@ -230,6 +214,10 @@ public class SAMLTokenValidator implemen
}
}
+ if (!validateConditions(assertion, validateTarget, secToken, tokenParameters.getTokenStore())) {
+ return response;
+ }
+
// Add the AssertionWrapper to the properties, as the claims are required to be transformed
Map<String, Object> addProps = new HashMap<String, Object>();
addProps.put(AssertionWrapper.class.getName(), assertion);
@@ -275,4 +263,35 @@ public class SAMLTokenValidator implemen
}
}
+ protected boolean validateConditions(
+ AssertionWrapper assertion,
+ ReceivedToken validateTarget,
+ SecurityToken secToken,
+ TokenStore tokenStore
+ ) {
+ DateTime validFrom = null;
+ DateTime validTill = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ validFrom = assertion.getSaml2().getConditions().getNotBefore();
+ validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else {
+ validFrom = assertion.getSaml1().getConditions().getNotBefore();
+ validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+ if (validFrom.isAfterNow()) {
+ LOG.log(Level.WARNING, "SAML Token condition not met");
+ if (secToken != null) {
+ tokenStore.remove(secToken);
+ }
+ return false;
+ } else if (validTill.isBeforeNow()) {
+ LOG.log(Level.WARNING, "SAML Token condition not met");
+ if (secToken != null) {
+ tokenStore.remove(secToken);
+ }
+ validateTarget.setState(STATE.EXPIRED);
+ return false;
+ }
+ return true;
+ }
}
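Review bot: validateConditions dereferences getConditions().getNotBefore() and getNotOnOrAfter() without null checks and then calls isAfterNow()/isBeforeNow() on the results; in SAML the Conditions element and both attributes are optional, so an assertion that omits them ends in a NullPointerException here rather than a controlled rejection (the block removed in the earlier hunk had the same gap; the commit only moves it). The two branches also log the identical message `SAML Token condition not met`, so an expired token and a not-yet-valid token are indistinguishable in the logs, and they duplicate the store-removal code. I would guard the nulls and treat a missing validity window as a failed condition, give each branch its own message, and pull the removal into a helper, as below; if Conditions itself can be absent the same guard is needed around getConditions(). The method is new and complete in this hunk; a small clock-skew allowance on both comparisons is worth considering as well, but that is a policy decision for the STS.
```java
protected boolean validateConditions(
    AssertionWrapper assertion,
    ReceivedToken validateTarget,
    SecurityToken secToken,
    TokenStore tokenStore
) {
    // … unchanged: validFrom/validTill extraction by SAML version …
    if (validFrom == null || validTill == null) {
        LOG.log(Level.WARNING, "SAML Token has no NotBefore/NotOnOrAfter condition");
        removeFromStore(secToken, tokenStore);
        return false;
    }
    if (validFrom.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token is not yet valid (NotBefore is in the future)");
        removeFromStore(secToken, tokenStore);
        return false;
    }
    if (validTill.isBeforeNow()) {
        LOG.log(Level.WARNING, "SAML Token has expired (NotOnOrAfter has passed)");
        removeFromStore(secToken, tokenStore);
        validateTarget.setState(STATE.EXPIRED);
        return false;
    }
    return true;
}

// Drops the cached entry so an expired or not-yet-valid token is not served from the store again.
private static void removeFromStore(SecurityToken secToken, TokenStore tokenStore) {
    if (secToken != null) {
        tokenStore.remove(secToken);
    }
}
```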
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java Thu Mar 29 12:00:53 2012
@@ -105,6 +105,7 @@ public class SCTValidator implements Tok
return response;
}
if (token.isExpired()) {
+ validateTarget.setState(STATE.EXPIRED);
LOG.fine("Token: " + identifier + " is in the cache but expired");
return response;
}
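Review bot: The expired branch now sets STATE.EXPIRED but still logs at Level.FINE, while the equivalent branch in SAMLTokenValidator.validateConditions in this same commit logs at WARNING; an expired security context token being presented for validation is an event operators want to see, so the levels should agree, e.g. `LOG.warning("Token: " + identifier + " is in the cache but expired");`. The expired entry also stays in the cache here, whereas the SAML validator removes its cached SecurityToken; whether the store evicts expired entries on its own is not visible in this hunk. The enclosing method continues outside the hunk.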
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java Thu Mar 29 12:00:53 2012
@@ -169,7 +169,8 @@ public class UsernameTokenValidator impl
if (ut.getPassword() == null) {
return response;
}
- if (secToken == null || (secToken.getAssociatedHash() != ut.hashCode())) {
+ if (secToken == null || secToken.isExpired()
+ || (secToken.getAssociatedHash() != ut.hashCode())) {
Credential credential = new Credential();
credential.setUsernametoken(ut);
validator.validate(credential, requestData);
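Review bot: The added `secToken.isExpired()` test forces the password to be re-validated when the cached entry has lapsed, but the stale entry is not removed from the token store, unlike the SAML path in this same commit; if validate() then fails and the store does not evict on its own, the expired entry lingers. Consider removing it before re-validating, i.e. a separate `if (secToken != null && secToken.isExpired())` branch that calls the store's remove(secToken) ahead of the credential check. What happens after validator.validate(...) succeeds, including whether a fresh entry replaces the old one, is outside the hunk.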
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java Thu Mar 29 12:00:53 2012
@@ -233,7 +233,7 @@ public class SAMLTokenValidatorTest exte
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
+ assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
}
/**
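Review bot: The changed assertion compares enum identity with `assertTrue(... == STATE.EXPIRED)`, so a regression reports only a bare AssertionError with no actual value; `assertEquals(STATE.EXPIRED, validatorResponse.getToken().getState());` names the state that was actually returned. The same applies to the second hunk of this file. A companion test that a not-yet-valid assertion still yields INVALID rather than EXPIRED would pin the other branch of validateConditions, but whether one already exists is outside the hunk.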
@@ -263,7 +263,7 @@ public class SAMLTokenValidatorTest exte
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
+ assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
}