Posted to commits@cxf.apache.org by co...@apache.org on 2017/10/11 09:48:03 UTC
[cxf-fediz] branch 1.3.x-fixes updated: FEDIZ-213 - Spring plugins
don't handle token expiration properly
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.3.x-fixes by this push:
new b7201c3 FEDIZ-213 - Spring plugins don't handle token expiration properly
b7201c3 is described below
commit b7201c300ed78123f65f8092edc9c39ec24d0f15
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Oct 11 09:42:51 2017 +0100
FEDIZ-213 - Spring plugins don't handle token expiration properly
---
.../FederationAuthenticationFailureHandler.java | 48 ++-----------
.../spring/web/FederationAuthenticationFilter.java | 84 ++++++----------------
2 files changed, 28 insertions(+), 104 deletions(-)
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
index c1dd134..d6e1fec 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
@@ -20,22 +20,13 @@
package org.apache.cxf.fediz.spring.web;
import java.io.IOException;
-import java.util.Map;
-import java.util.Map.Entry;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
-import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.cxf.fediz.spring.FederationConfig;
import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@@ -43,9 +34,7 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
* A AuthenticationFailureHandler which will redirect a expired user (token) back to the IdP.
*/
public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
-
- private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFailureHandler.class);
-
+
private FederationConfig federationConfig;
public FederationAuthenticationFailureHandler() {
@@ -57,36 +46,9 @@ public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticat
AuthenticationException exception) throws IOException, ServletException {
if (exception instanceof ExpiredTokenException) {
- String redirectUrl = null;
- try {
- FedizContext fedContext = federationConfig.getFedizContext();
- FedizProcessor wfProc =
- FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
- RedirectionResponse redirectionResponse =
- wfProc.createSignInRequest(request, fedContext);
- redirectUrl = redirectionResponse.getRedirectionURL();
-
- if (redirectUrl == null) {
- LOG.warn("Failed to create SignInRequest. Redirect URL null");
- throw new ServletException("Failed to create SignInRequest. Redirect URL null");
- }
-
- Map<String, String> headers = redirectionResponse.getHeaders();
- if (!headers.isEmpty()) {
- for (Entry<String, String> entry : headers.entrySet()) {
- response.addHeader(entry.getKey(), entry.getValue());
- }
- }
-
- } catch (ProcessingException ex) {
- LOG.warn("Failed to create SignInRequest", ex);
- throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
- }
-
- if (LOG.isInfoEnabled()) {
- LOG.info("Redirecting to IDP: " + redirectUrl);
- }
- response.sendRedirect(redirectUrl);
+ // Just redirect back to the original URL and re-start the authentication process.
+ response.sendRedirect(request.getRequestURL().toString());
+ return;
}
super.onAuthenticationFailure(request, response, exception);
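Review bot: `request.getRequestURL()` on the new redirect line omits the query string, so a GET that carried parameters is restarted without them once the sign-in round trip brings the user back; append `request.getQueryString()` when present, e.g. `String target = request.getRequestURL().toString();` / `if (request.getQueryString() != null) { target += "?" + request.getQueryString(); }` / `response.sendRedirect(target);`. Separately, the servlet container reconstructs getRequestURL from the incoming Host header (and, behind a reverse proxy, from the proxy-facing scheme and port), so the redirect target is only as trustworthy as the deployment's host validation; a relative redirect or a check against the configured application host is the safer form. The same new lines appear in the spring2 hunk of FederationAuthenticationFilter.onUnsuccessfulAuthentication and the same fix applies there. With the IdP sign-in code gone, `federationConfig` is now only written by the setter in this class, which is worth a comment or a follow-up cleanup. onAuthenticationFailure's signature begins before this hunk.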
@@ -100,4 +62,4 @@ public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticat
this.federationConfig = fedConfig;
}
-}
\ No newline at end of file
+}
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index d531fde..ff4aef0 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -22,8 +22,6 @@ package org.apache.cxf.fediz.spring.web;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Date;
-import java.util.Map;
-import java.util.Map.Entry;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
@@ -32,17 +30,10 @@ import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.SAMLSSOConstants;
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
import org.apache.cxf.fediz.core.processor.FedizRequest;
-import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.cxf.fediz.spring.FederationConfig;
import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
import org.apache.cxf.fediz.spring.authentication.FederationAuthenticationToken;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
@@ -54,17 +45,15 @@ import org.springframework.security.ui.FilterChainOrder;
public class FederationAuthenticationFilter extends AbstractProcessingFilter {
-
- private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFilter.class);
-
+
private FederationConfig federationConfig;
-
+
public FederationAuthenticationFilter() {
super();
}
/**
- *
+ *
*/
@Override
protected boolean requiresAuthentication(final HttpServletRequest request, final HttpServletResponse response) {
@@ -75,15 +64,15 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
}
return result;
}
-
+
private boolean isTokenExpired() {
SecurityContext context = SecurityContextHolder.getContext();
- boolean detectExpiredTokens =
+ boolean detectExpiredTokens =
federationConfig != null && federationConfig.getFedizContext().isDetectExpiredTokens();
if (context != null && detectExpiredTokens) {
Authentication authentication = context.getAuthentication();
if (authentication instanceof FederationAuthenticationToken) {
- Date tokenExpires =
+ Date tokenExpires =
((FederationAuthenticationToken)authentication).getResponse().getTokenExpires();
if (tokenExpires == null) {
return false;
@@ -95,7 +84,7 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
}
}
}
-
+
return false;
}
@@ -106,13 +95,13 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
-
+
if (isTokenExpired()) {
throw new ExpiredTokenException("Token is expired");
}
-
+
verifySavedState(request);
-
+
String wa = request.getParameter(FederationConstants.PARAM_ACTION);
String responseToken = getResponseToken(request);
FedizRequest wfReq = new FedizRequest();
@@ -120,18 +109,18 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
wfReq.setResponseToken(responseToken);
wfReq.setState(getState(request));
wfReq.setRequest(request);
-
- X509Certificate certs[] =
+
+ X509Certificate certs[] =
(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
wfReq.setCerts(certs);
-
+
final UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(null, wfReq);
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
return this.getAuthenticationManager().authenticate(authRequest);
}
-
+
private void verifySavedState(HttpServletRequest request) {
HttpSession session = request.getSession(false);
@@ -148,71 +137,44 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
}
session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
}
-
+
private String getState(ServletRequest request) {
if (request.getParameter(FederationConstants.PARAM_CONTEXT) != null) {
return request.getParameter(FederationConstants.PARAM_CONTEXT);
} else if (request.getParameter(SAMLSSOConstants.RELAY_STATE) != null) {
return request.getParameter(SAMLSSOConstants.RELAY_STATE);
}
-
+
return null;
}
-
+
@Override
public void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) {
if (authException instanceof ExpiredTokenException) {
- String redirectUrl = null;
- try {
- FedizContext fedContext = federationConfig.getFedizContext();
- FedizProcessor wfProc =
- FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
- RedirectionResponse redirectionResponse =
- wfProc.createSignInRequest(request, fedContext);
- redirectUrl = redirectionResponse.getRedirectionURL();
-
- if (redirectUrl == null) {
- LOG.warn("Failed to create SignInRequest. Redirect URL null");
- throw new BadCredentialsException("Failed to create SignInRequest. Redirect URL null");
- }
-
- Map<String, String> headers = redirectionResponse.getHeaders();
- if (!headers.isEmpty()) {
- for (Entry<String, String> entry : headers.entrySet()) {
- response.addHeader(entry.getKey(), entry.getValue());
- }
- }
-
- } catch (ProcessingException ex) {
- LOG.warn("Failed to create SignInRequest", ex);
- throw new BadCredentialsException("Failed to create SignInRequest: " + ex.getMessage());
- }
-
- if (LOG.isInfoEnabled()) {
- LOG.info("Redirecting to IDP: " + redirectUrl);
- }
try {
- response.sendRedirect(redirectUrl);
+ // Just redirect back to the original URL and re-start the authentication process.
+ response.sendRedirect(request.getRequestURL().toString());
+ return;
} catch (IOException ex) {
throw new BadCredentialsException(ex.getMessage(), ex);
}
}
-
+
try {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
} catch (IOException e) {
throw authException;
}
}
-
+
private String getResponseToken(ServletRequest request) {
if (request.getParameter(FederationConstants.PARAM_RESULT) != null) {
return request.getParameter(FederationConstants.PARAM_RESULT);
} else if (request.getParameter(SAMLSSOConstants.SAML_RESPONSE) != null) {
return request.getParameter(SAMLSSOConstants.SAML_RESPONSE);
}
-
+
return null;
}
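Review bot: The comment added above the new `response.sendRedirect(...)` does not say what makes the restart terminate: this same filter sees the redirected request again, and `isTokenExpired()` (earlier hunk of this file) keeps returning true while the expired FederationAuthenticationToken remains in the SecurityContext, which would redirect again in a loop. The scheme therefore relies on the parent filter having cleared the authentication before `onUnsuccessfulAuthentication` is invoked; I believe AbstractProcessingFilter does this, but it is not visible in the hunk. Suggest replacing the comment with `// The expired authentication has already been cleared by the parent filter, so re-requesting the original URL falls through to the entry point and restarts sign-in (TODO confirm against the Spring Security version in use).`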