Posted to commits@cxf.apache.org by se...@apache.org on 2012/05/18 18:37:02 UTC
svn commit: r1340163 - in
/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso:
./ state/
Author: sergeyb
Date: Fri May 18 16:37:01 2012
New Revision: 1340163
URL: http://svn.apache.org/viewvc?rev=1340163&view=rev
Log:
[CXF-3589] Setting up a basic SecurityContext on the application path
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java?rev=1340163&r1=1340162&r2=1340163&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java Fri May 18 16:37:01 2012
@@ -19,8 +19,10 @@
package org.apache.cxf.rs.security.saml.sso;
import java.io.IOException;
+import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
+import java.security.Principal;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.UUID;
@@ -37,6 +39,7 @@ import org.w3c.dom.Element;
import org.apache.cxf.common.i18n.BundleUtils;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.ext.RequestHandler;
@@ -44,8 +47,12 @@ import org.apache.cxf.jaxrs.impl.HttpHea
import org.apache.cxf.jaxrs.impl.UriInfoImpl;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
+import org.apache.cxf.rs.security.saml.SAMLUtils;
+import org.apache.cxf.rs.security.saml.assertion.Subject;
import org.apache.cxf.rs.security.saml.sso.state.RequestState;
import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.util.DOM2Writer;
import org.opensaml.saml2.core.AuthnRequest;
@@ -147,11 +154,39 @@ public abstract class AbstractServicePro
reportError("INVALID_RELAY_STATE");
return false;
}
- //TODO: use ResponseState to set up a proper SecurityContext
- // on the current message
+ try {
+ String assertion = responseState.getAssertion();
+ AssertionWrapper assertionWrapper =
+ new AssertionWrapper(
+ DOMUtils.readXml(new StringReader(assertion)).getDocumentElement());
+ setSecurityContext(m, assertionWrapper);
+ } catch (Exception ex) {
+ reportError("INVALID_RESPONSE_STATE");
+ return false;
+ }
return true;
}
+ protected void setSecurityContext(Message m, AssertionWrapper assertionWrapper) {
+ // don't worry about roles/claims for now, just set a basic SecurityContext
+ Subject subject = SAMLUtils.getSubject(m, assertionWrapper);
+ final String name = subject.getName();
+
+ if (name != null) {
+ final SecurityContext sc = new SecurityContext() {
+
+ public Principal getUserPrincipal() {
+ return new SimplePrincipal(name);
+ }
+
+ public boolean isUserInRole(String role) {
+ return false;
+ }
+ };
+ m.put(SecurityContext.class, sc);
+ }
+ }
+
protected ResponseState getValidResponseState(Cookie securityContextCookie,
Message m) {
if (securityContextCookie == null) {
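Review bot: A stored assertion whose Subject carries no name slips through with no SecurityContext at all: `setSecurityContext` only installs a principal inside `if (name != null)`, yet the caller still returns true after it, so the request reaches the application with a null SecurityContext rather than being rejected. Make the helper fail instead, e.g. `if (name == null) { throw new IllegalStateException("SAML Subject has no name"); }`, which the enclosing `catch (Exception ex)` already maps to INVALID_RESPONSE_STATE; and log `ex` in that catch rather than dropping it, since the generic error code hides whether the stored XML failed to parse or the subject was unusable. The assertion is re-parsed from ResponseState without re-checking its signature, which is only sound as long as ResponseState is populated exclusively from a validated Response — a one-line comment above the `new AssertionWrapper(...)` stating that assumption would help, and `isUserInRole` returning false unconditionally means any role-based check on the application path will deny until claims are wired in. The method containing the try block starts before this hunk.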
@@ -185,6 +220,10 @@ public abstract class AbstractServicePro
reportError("INVALID_RESPONSE_STATE");
return null;
}
+ if (responseState.getAssertion() == null) {
+ reportError("INVALID_RESPONSE_STATE");
+ return null;
+ }
return responseState;
}
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1340163&r1=1340162&r2=1340163&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Fri May 18 16:37:01 2012
@@ -131,9 +131,13 @@ public class RequestAssertionConsumerSer
long expiresAt = 0;
if (notOnOrAfter != null) {
expiresAt = notOnOrAfter.getTime();
+ } else {
+ expiresAt = currentTime + getStateTimeToLive();
}
+
ResponseState responseState =
- new ResponseState(relayState,
+ new ResponseState(validatorResponse.getAssertion(),
+ relayState,
requestState.getWebAppContext(),
requestState.getWebAppDomain(),
currentTime,
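Review bot: When the IdP supplies SessionNotOnOrAfter, `expiresAt = notOnOrAfter.getTime()` is used as-is, so the lifetime of the SP-side state (and now of the cached assertion it carries) is bounded only by the IdP; the new else-branch applies `getStateTimeToLive()` only when the attribute is absent. Capping both paths keeps the SP's own policy in force: `expiresAt = Math.min(notOnOrAfter.getTime(), currentTime + getStateTimeToLive());`. The `long expiresAt = 0;` initialiser is now dead since both branches assign. The method continues past the end of the hunk, so a later cap is possible but not visible here.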
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1340163&r1=1340162&r2=1340163&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Fri May 18 16:37:01 2012
@@ -24,6 +24,7 @@ import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnStatement;
@@ -127,7 +128,9 @@ public class SAMLSSOResponseValidator {
SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
-
+ // the assumption for now is that SAMLResponse will contain only a single assertion
+ validatorResponse.setAssertion(
+ new AssertionWrapper(samlResponse.getAssertions().get(0)).assertionToString());
return validatorResponse;
}
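Review bot: `samlResponse.getAssertions().get(0)` throws IndexOutOfBoundsException on a Response that carries no plain assertions (none at all, or only EncryptedAssertion elements), and silently picks the first when several are present even though only that one will define the user in the SecurityContext. Unless the part of this method above the hunk already enforces a single assertion, check the count explicitly and fail validation otherwise, e.g. `if (samlResponse.getAssertions().size() != 1) { throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); }` (using whatever error the method already raises for malformed responses). Storing the re-serialised assertion means later consumers trust the string without re-verifying its signature, which is acceptable only because this method validated it; the existing comment should say so rather than only noting the single-assertion assumption.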
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java?rev=1340163&r1=1340162&r2=1340163&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java Fri May 18 16:37:01 2012
@@ -26,6 +26,15 @@ import java.util.Date;
public class SSOValidatorResponse {
private Date sessionNotOnOrAfter;
private String responseId;
+ private String assertion;
+
+ public String getAssertion() {
+ return assertion;
+ }
+
+ public void setAssertion(String assertion) {
+ this.assertion = assertion;
+ }
public Date getSessionNotOnOrAfter() {
return sessionNotOnOrAfter;
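Review bot: The new `assertion` property holds the XML produced by `AssertionWrapper.assertionToString()` in SAMLSSOResponseValidator, but nothing on the field or accessors says so, or that it is expected to be set only after the Response has been validated. A field Javadoc such as `/** The validated SAML assertion, serialised as XML via AssertionWrapper.assertionToString(). */` would spare the next reader a trip through the validator. The class continues past this hunk.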
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java?rev=1340163&r1=1340162&r2=1340163&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java Fri May 18 16:37:01 2012
@@ -18,19 +18,23 @@
*/
package org.apache.cxf.rs.security.saml.sso.state;
+
public class ResponseState {
+ private String assertion;
private String relayState;
private String webAppContext;
private String webAppDomain;
private long createdAt;
private long expiresAt;
- public ResponseState(String relayState,
+ public ResponseState(String assertion,
+ String relayState,
String webAppContext,
String webAppDomain,
long createdAt,
long expiresAt) {
+ this.assertion = assertion;
this.relayState = relayState;
this.webAppContext = webAppContext;
this.webAppDomain = webAppDomain;
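Review bot: ResponseState now retains the full assertion XML for the life of the SP-side state and AbstractServiceProviderFilter builds a SecurityContext from it without re-validating, yet the constructor accepts any string and the field is declared `private String assertion;` rather than final, so nothing records the trust assumption. Make it `private final String assertion;` and add a class-level Javadoc stating that `assertion` must be the serialised assertion of an already-validated Response and should be handled as a credential, since it may carry user attributes and will now live wherever ResponseState is persisted or logged. Two adjacent String parameters (`assertion`, `relayState`) also invite positional mix-ups at call sites; a short `@param` list on the constructor would help. The constructor continues past the end of the hunk.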
@@ -57,4 +61,8 @@ public class ResponseState {
public String getWebAppDomain() {
return webAppDomain;
}
+
+ public String getAssertion() {
+ return assertion;
+ }
}