Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/01 09:52:34 UTC
[1/8] git commit: Avoid NPE if no claims
Repository: cxf-fediz
Updated Branches:
refs/heads/master 85f7dda77 -> 4373b960b
Avoid NPE if no claims
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d0108353
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d0108353
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d0108353
Branch: refs/heads/master
Commit: d01083531828754185749035b9e7d9b21a90afda
Parents: 85f7dda
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Sep 29 14:24:00 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Sep 29 14:24:00 2014 +0100
----------------------------------------------------------------------
.../main/java/org/apache/cxf/fediz/core/config/Protocol.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d0108353/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index 803e228..6900891 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -189,8 +189,10 @@ public abstract class Protocol {
public List<Claim> getClaimTypesRequested() {
ClaimTypesRequested claimsRequested = getProtocolType().getClaimTypesRequested();
List<Claim> claims = new ArrayList<Claim>();
- for (ClaimType c : claimsRequested.getClaimType()) {
- claims.add(new Claim(c));
+ if (claimsRequested != null) {
+ for (ClaimType c : claimsRequested.getClaimType()) {
+ claims.add(new Claim(c));
+ }
}
return claims;
}
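Review bot: getClaimTypesRequested now returns an empty list when the claimTypesRequested element is absent, but nothing documents that contract, and callers elsewhere on this page still null-check the result (`protocol.getClaimTypesRequested() != null && ...`). Add a Javadoc above the method: `/** Returns the configured requested claim types, or an empty (never null) list when no claimTypesRequested element is present. */`. The guard assumes `claimsRequested.getClaimType()` itself never returns null, which holds for JAXB-generated list accessors but is worth confirming for this type.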
[3/8] git commit: More Metadata namespace fixes
Posted by co...@apache.org.
More Metadata namespace fixes
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/7d4abd35
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/7d4abd35
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/7d4abd35
Branch: refs/heads/master
Commit: 7d4abd357dd9e0d3fdb464ba6d979cd50a032d18
Parents: 63c1d78
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Sep 29 14:59:10 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Sep 29 14:59:10 2014 +0100
----------------------------------------------------------------------
.../apache/cxf/fediz/core/metadata/MetadataWriter.java | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7d4abd35/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index 7f692bf..20fa3fe 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -247,13 +247,13 @@ public class MetadataWriter {
writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
if (config.getLogoutURL() != null) {
- writer.writeStartElement("", "SingleLogoutService", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "SingleLogoutService", SAML2_METADATA_NS);
writer.writeAttribute("Location", config.getLogoutURL());
writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
writer.writeEndElement(); // SingleLogoutService
}
- writer.writeStartElement("", "AssertionConsumerService", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "AssertionConsumerService", SAML2_METADATA_NS);
writer.writeAttribute("Location", serviceURL);
writer.writeAttribute("index", "0");
writer.writeAttribute("isDefault", "true");
@@ -261,16 +261,16 @@ public class MetadataWriter {
writer.writeEndElement(); // AssertionConsumerService
if (protocol.getClaimTypesRequested() != null && !protocol.getClaimTypesRequested().isEmpty()) {
- writer.writeStartElement("", "AttributeConsumingService", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "AttributeConsumingService", SAML2_METADATA_NS);
writer.writeAttribute("index", "0");
- writer.writeStartElement("", "ServiceName", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "ServiceName", SAML2_METADATA_NS);
writer.writeAttribute("xml:lang", "en");
writer.writeCharacters(config.getName());
writer.writeEndElement(); // ServiceName
for (Claim claim : protocol.getClaimTypesRequested()) {
- writer.writeStartElement("", "RequestedAttribute", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "RequestedAttribute", SAML2_METADATA_NS);
writer.writeAttribute("isRequired", Boolean.toString(claim.isOptional()));
writer.writeAttribute("Name", claim.getType());
writer.writeAttribute("NameFormat",
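Review bot: The `isRequired` attribute on RequestedAttribute is written from `claim.isOptional()`, which reads as inverted: an optional claim would be advertised to the IdP as required and a required one as optional. Unless Claim.isOptional() has inverted semantics, this should be `writer.writeAttribute("isRequired", Boolean.toString(!claim.isOptional()));`. The line is context rather than changed by this commit, but the prefix fix touches the same element. Separately, `protocol.getClaimTypesRequested()` is called three times in this hunk and rebuilds the list each time; a local `List<Claim> claims = protocol.getClaimTypesRequested();` would avoid that. The enclosing method continues outside the hunk.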
@@ -290,7 +290,7 @@ public class MetadataWriter {
LOG.info("No signingKey element found in config: " + ex.getMessage());
}
if (protocol.isSignRequest() && hasSigningKey) {
- writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
writer.writeAttribute("use", "signing");
writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
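Review bot: The `LOG.info("No signingKey element found in config: " + ex.getMessage())` line discards the exception and stack trace, and when `protocol.isSignRequest()` is true but `hasSigningKey` is false the KeyDescriptor is silently omitted, so the metadata advertises an SP that signs requests while giving the IdP no key to verify them. Consider raising the level when signing is enabled, e.g. `LOG.warn("signRequest is enabled but no signingKey element was found in config", ex);`, keeping the info message for the unsigned case. The catch block and the enclosing method start outside this hunk, so the condition under which `hasSigningKey` is set is inferred.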
[8/8] git commit: Adding another unit test
Posted by co...@apache.org.
Adding another unit test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4373b960
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4373b960
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4373b960
Branch: refs/heads/master
Commit: 4373b960b745e7c333643d2e6b26474c8e6575c7
Parents: f3887c2
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Sep 30 18:14:33 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Sep 30 18:14:33 2014 +0100
----------------------------------------------------------------------
.../cxf/fediz/core/samlsso/SAMLRequestTest.java | 27 +++++++++++++++++---
1 file changed, 23 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4373b960/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index f14d80e..06ae3a8 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -98,7 +98,7 @@ public class SAMLRequestTest {
}
@org.junit.Test
- public void createSAMLRequest() throws Exception {
+ public void createSAMLAuthnRequest() throws Exception {
// Mock up a Request
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
@@ -124,7 +124,7 @@ public class SAMLRequestTest {
}
@org.junit.Test
- public void testRelayState() throws Exception {
+ public void testAuthnRelayState() throws Exception {
// Mock up a Request
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
@@ -150,7 +150,7 @@ public class SAMLRequestTest {
}
@org.junit.Test
- public void testSAMLRequest() throws Exception {
+ public void testSAMLAuthnRequest() throws Exception {
// Mock up a Request
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
@@ -180,7 +180,7 @@ public class SAMLRequestTest {
}
@org.junit.Test
- public void testSignedSAMLRequest() throws Exception {
+ public void testSignedSAMLAuthnRequest() throws Exception {
// Mock up a Request
FedizContext config = getFederationConfigurator().getFedizContext("SIGNED_ROOT");
@@ -228,4 +228,23 @@ public class SAMLRequestTest {
Assert.assertEquals(TEST_REQUEST_URL, request.getIssuer().getValue());
}
+ @org.junit.Test
+ public void testSignedSAMLLogoutRequest() throws Exception {
+ // Mock up a Request
+ FedizContext config = getFederationConfigurator().getFedizContext("SIGNED_ROOT");
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)).times(1, 2);
+ EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI);
+ EasyMock.expect(req.getRequestURI()).andReturn(TEST_REQUEST_URI).times(1, 2);
+ EasyMock.replay(req);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+
+ String redirectionURL = response.getRedirectionURL();
+ String signature =
+ redirectionURL.substring(redirectionURL.indexOf("Signature=") + "Signature=".length());
+ Assert.assertTrue(signature != null && signature.length() > 0);
+ }
}
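Review bot: testSignedSAMLLogoutRequest cannot fail when the Signature parameter is absent: if `indexOf("Signature=")` returns -1, `substring(-1 + "Signature=".length())` still yields a non-empty tail of the URL and `signature.length() > 0` passes. Assert presence first, `Assert.assertTrue(redirectionURL.contains("Signature="));`, and ideally verify the signature over the SAMLRequest and RelayState parameters rather than only checking it is non-empty. The EasyMock expectations are also never checked with `EasyMock.verify(req);`, so unexpected call counts go unnoticed.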
\ No newline at end of file
[7/8] git commit: Refactor of SAMLP authentication creation to start
supporting log request creation as well
Posted by co...@apache.org.
Refactor of SAMLP authentication creation to start supporting log request creation as well
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f3887c20
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f3887c20
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f3887c20
Branch: refs/heads/master
Commit: f3887c20f664a1a7d5cbc5ab1da7c26b7ed8759d
Parents: be392d3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Sep 30 18:11:29 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Sep 30 18:11:29 2014 +0100
----------------------------------------------------------------------
.../cxf/fediz/core/config/SAMLProtocol.java | 30 ++--
.../fediz/core/processor/SAMLProcessorImpl.java | 85 +++++++----
.../fediz/core/samlsso/AuthnRequestBuilder.java | 36 -----
.../samlsso/DefaultAuthnRequestBuilder.java | 105 -------------
.../samlsso/DefaultSAMLPRequestBuilder.java | 151 +++++++++++++++++++
.../fediz/core/samlsso/SAMLPRequestBuilder.java | 47 ++++++
.../samlsso/SamlpRequestComponentBuilder.java | 48 ++++++
.../cxf/fediz/core/samlsso/SAMLRequestTest.java | 16 +-
8 files changed, 331 insertions(+), 187 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index ee59a70..d5a04c5 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -22,8 +22,8 @@ package org.apache.cxf.fediz.core.config;
import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
import org.apache.cxf.fediz.core.config.jaxb.SamlProtocolType;
import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
-import org.apache.cxf.fediz.core.samlsso.AuthnRequestBuilder;
-import org.apache.cxf.fediz.core.samlsso.DefaultAuthnRequestBuilder;
+import org.apache.cxf.fediz.core.samlsso.DefaultSAMLPRequestBuilder;
+import org.apache.cxf.fediz.core.samlsso.SAMLPRequestBuilder;
import org.apache.wss4j.common.util.Loader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -32,7 +32,7 @@ public class SAMLProtocol extends Protocol {
private static final Logger LOG = LoggerFactory.getLogger(SAMLProtocol.class);
- private AuthnRequestBuilder authnRequestBuilder;
+ private SAMLPRequestBuilder samlpRequestBuilder;
public SAMLProtocol(ProtocolType protocolType) {
super(protocolType);
@@ -60,17 +60,17 @@ public class SAMLProtocol extends Protocol {
getSAMLProtocol().setSignRequest(signRequest);
}
- public AuthnRequestBuilder getAuthnRequestBuilder() {
- if (authnRequestBuilder != null) {
- return authnRequestBuilder;
+ public SAMLPRequestBuilder getSAMLPRequestBuilder() {
+ if (samlpRequestBuilder != null) {
+ return samlpRequestBuilder;
}
- // See if we have a custom AuthnRequestBuilder
- String authnRequestBuilderStr = getSAMLProtocol().getAuthnRequestBuilder();
- if (authnRequestBuilderStr != null && !"".equals(authnRequestBuilderStr)) {
+ // See if we have a custom SAMLPRequestBuilder
+ String samlpRequestBuilderStr = getSAMLProtocol().getAuthnRequestBuilder();
+ if (samlpRequestBuilderStr != null && !"".equals(samlpRequestBuilderStr)) {
try {
- Class<?> authnRequestBuilderClass = Loader.loadClass(authnRequestBuilderStr);
- authnRequestBuilder = (AuthnRequestBuilder) authnRequestBuilderClass.newInstance();
+ Class<?> samlpRequestBuilderClass = Loader.loadClass(samlpRequestBuilderStr);
+ samlpRequestBuilder = (SAMLPRequestBuilder) samlpRequestBuilderClass.newInstance();
} catch (ClassNotFoundException ex) {
LOG.debug(ex.getMessage(), ex);
} catch (InstantiationException ex) {
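Review bot: The cast `(SAMLPRequestBuilder) samlpRequestBuilderClass.newInstance()` is not covered by the catch chain that follows, so a configured class that still implements the removed AuthnRequestBuilder interface throws ClassCastException out of getSAMLPRequestBuilder, while the loader failures that are caught are only logged at debug before the method falls through to the default builder, silently replacing a misconfigured custom builder. Consider catching `ClassCastException` alongside the others and logging at warn, e.g. `LOG.warn("Could not load configured SAMLPRequestBuilder " + samlpRequestBuilderStr + ", falling back to the default", ex);`. The value still comes from `getSAMLProtocol().getAuthnRequestBuilder()`, so the config element name no longer matches the type it names; a comment on that line would save the next reader a search. The catch chain and the method continue past this hunk.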
@@ -81,13 +81,13 @@ public class SAMLProtocol extends Protocol {
}
// Default implementation
- authnRequestBuilder = new DefaultAuthnRequestBuilder();
+ samlpRequestBuilder = new DefaultSAMLPRequestBuilder();
- return authnRequestBuilder;
+ return samlpRequestBuilder;
}
- public void setAuthnRequestBuilder(AuthnRequestBuilder authnRequestBuilder) {
- this.authnRequestBuilder = authnRequestBuilder;
+ public void setSAMLPRequestBuilder(SAMLPRequestBuilder requestBuilder) {
+ this.samlpRequestBuilder = requestBuilder;
}
public boolean isDisableDeflateEncoding() {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 99703af..b3766e8 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -34,7 +34,6 @@ import javax.servlet.http.HttpServletRequest;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.SAMLSSOConstants;
import org.apache.cxf.fediz.core.TokenValidator;
@@ -45,8 +44,8 @@ import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
import org.apache.cxf.fediz.core.metadata.MetadataWriter;
-import org.apache.cxf.fediz.core.samlsso.AuthnRequestBuilder;
import org.apache.cxf.fediz.core.samlsso.CompressionUtils;
+import org.apache.cxf.fediz.core.samlsso.SAMLPRequestBuilder;
import org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator;
import org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator;
import org.apache.cxf.fediz.core.samlsso.SSOValidatorResponse;
@@ -60,6 +59,7 @@ import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.xml.XMLObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -286,8 +286,8 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
redirectURL = issuerURL;
}
- AuthnRequestBuilder authnRequestBuilder =
- ((SAMLProtocol)config.getProtocol()).getAuthnRequestBuilder();
+ SAMLPRequestBuilder samlpRequestBuilder =
+ ((SAMLProtocol)config.getProtocol()).getSAMLPRequestBuilder();
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
@@ -296,7 +296,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
String requestURL = request.getRequestURL().toString();
String realm = resolveWTRealm(request, config);
AuthnRequest authnRequest =
- authnRequestBuilder.createAuthnRequest(realm, requestURL);
+ samlpRequestBuilder.createAuthnRequest(realm, requestURL);
if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
authnRequest.setDestination(redirectURL);
@@ -407,7 +407,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
@Override
public RedirectionResponse createSignOutRequest(HttpServletRequest request, FedizContext config)
throws ProcessingException {
-
+
String redirectURL = null;
try {
if (!(config.getProtocol() instanceof SAMLProtocol)) {
@@ -420,34 +420,63 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
if (issuerURL != null && issuerURL.length() > 0) {
redirectURL = issuerURL;
}
+ redirectURL = "http://localhost:8081/IDBUS/CXF/CXFIDP/SAML2/SLO/REDIR";
+
+ SAMLPRequestBuilder samlpRequestBuilder =
+ ((SAMLProtocol)config.getProtocol()).getSAMLPRequestBuilder();
+
+ Document doc = DOMUtils.createDocument();
+ doc.appendChild(doc.createElement("root"));
+
+ // Create the LogoutRequest
+ String requestURL = request.getRequestURL().toString();
+ String realm = resolveWTRealm(request, config);
+ String reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
+ LogoutRequest logoutRequest =
+ samlpRequestBuilder.createLogoutRequest(realm, reason, null); // TODO
+
+ if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
+ logoutRequest.setDestination(redirectURL);
+ }
+
+ Element logoutRequestElement = OpenSAMLUtil.toDom(logoutRequest, doc);
+ String logoutRequestEncoded = encodeAuthnRequest(logoutRequestElement);
+
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ RequestState requestState = new RequestState();
+ requestState.setTargetAddress(requestURL);
+ requestState.setIdpServiceAddress(redirectURL);
+ requestState.setRequestId(logoutRequest.getID());
+ requestState.setIssuerId(realm);
+ requestState.setWebAppContext(logoutRequest.getIssuer().getValue());
+ requestState.setState(relayState);
+ requestState.setCreatedAt(System.currentTimeMillis());
+
+ String urlEncodedRequest =
+ URLEncoder.encode(logoutRequestEncoded, "UTF-8");
StringBuilder sb = new StringBuilder();
- sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNOUT);
-
- String logoutRedirectTo = config.getLogoutRedirectTo();
- if (logoutRedirectTo != null && !logoutRedirectTo.isEmpty()) {
-
- if (logoutRedirectTo.startsWith("/")) {
- logoutRedirectTo = extractFullContextPath(request).concat(logoutRedirectTo.substring(1));
- } else {
- logoutRedirectTo = extractFullContextPath(request).concat(logoutRedirectTo);
- }
-
- LOG.debug("wreply=" + logoutRedirectTo);
-
- sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
- sb.append(URLEncoder.encode(logoutRedirectTo, "UTF-8"));
+ sb.append(SAMLSSOConstants.SAML_REQUEST).append('=').append(urlEncodedRequest);
+ sb.append("&" + SAMLSSOConstants.RELAY_STATE).append('=').append(relayState);
+
+ if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
+ String signature = signRequest(config, sb);
+ sb.append("&" + SAMLSSOConstants.SIGNATURE).append('=').append(signature);
}
-
+
+ RedirectionResponse response = new RedirectionResponse();
+ response.addHeader("Cache-Control", "no-cache, no-store");
+ response.addHeader("Pragma", "no-cache");
+ response.setRequestState(requestState);
+
redirectURL = redirectURL + "?" + sb.toString();
+ response.setRedirectionURL(redirectURL);
+
+ return response;
} catch (Exception ex) {
- LOG.error("Failed to create SignInRequest", ex);
- throw new ProcessingException("Failed to create SignInRequest");
+ LOG.error("Failed to create SignOutRequest", ex);
+ throw new ProcessingException("Failed to create SignOutRequest");
}
-
- RedirectionResponse response = new RedirectionResponse();
- response.setRedirectionURL(redirectURL);
- return response;
}
}
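Review bot: `redirectURL = "http://localhost:8081/IDBUS/CXF/CXFIDP/SAML2/SLO/REDIR";` unconditionally overwrites the issuer URL resolved in the lines just above it, so every sign-out request, and the signed Destination, is sent to a hard-coded development endpoint instead of the configured IdP; that line must be removed before this ships. `samlpRequestBuilder.createLogoutRequest(realm, reason, null); // TODO` produces a LogoutRequest with no NameID or SessionIndex, which an IdP cannot map to a session, so the TODO needs either the authenticated assertion or an explicit comment that single logout is not yet functional. The hunk also drops the `logoutRedirectTo` / wreply handling that was here; if that is intentional it belongs in the commit message, otherwise the post-logout return address is lost. `encodeAuthnRequest(logoutRequestElement)` presumably does generic deflate-and-base64 encoding; a neutral name such as `encodeSAMLRequest` would avoid confusion now that it also handles LogoutRequest.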
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/AuthnRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/AuthnRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/AuthnRequestBuilder.java
deleted file mode 100644
index bae10dc..0000000
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/AuthnRequestBuilder.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.core.samlsso;
-
-import org.opensaml.saml2.core.AuthnRequest;
-
-/**
- * This interface defines a method to create a SAML 2.0 Protocol AuthnRequest.
- */
-public interface AuthnRequestBuilder {
-
- /**
- * Create a SAML 2.0 Protocol AuthnRequest
- */
- AuthnRequest createAuthnRequest(
- String issuerId,
- String assertionConsumerServiceAddress
- ) throws Exception;
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultAuthnRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultAuthnRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultAuthnRequestBuilder.java
deleted file mode 100644
index f7383b5..0000000
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultAuthnRequestBuilder.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.core.samlsso;
-
-import java.util.Collections;
-
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
-import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameIDPolicy;
-import org.opensaml.saml2.core.RequestedAuthnContext;
-
-/**
- * A default implementation of the AuthnRequestBuilder interface to create a SAML 2.0
- * Protocol AuthnRequest.
- */
-public class DefaultAuthnRequestBuilder implements AuthnRequestBuilder {
-
- private boolean forceAuthn;
- private boolean isPassive;
- private String protocolBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
-
- /**
- * Create a SAML 2.0 Protocol AuthnRequest
- */
- public AuthnRequest createAuthnRequest(
- String issuerId,
- String assertionConsumerServiceAddress
- ) throws Exception {
- Issuer issuer =
- SamlpRequestComponentBuilder.createIssuer(issuerId);
-
- NameIDPolicy nameIDPolicy =
- SamlpRequestComponentBuilder.createNameIDPolicy(
- true, "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", issuerId
- );
-
- AuthnContextClassRef authnCtxClassRef =
- SamlpRequestComponentBuilder.createAuthnCtxClassRef(
- "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
- );
- RequestedAuthnContext authnCtx =
- SamlpRequestComponentBuilder.createRequestedAuthnCtxPolicy(
- AuthnContextComparisonTypeEnumeration.EXACT,
- Collections.singletonList(authnCtxClassRef), null
- );
-
- //CHECKSTYLE:OFF
- return SamlpRequestComponentBuilder.createAuthnRequest(
- assertionConsumerServiceAddress,
- forceAuthn,
- isPassive,
- protocolBinding,
- SAMLVersion.VERSION_20,
- issuer,
- nameIDPolicy,
- authnCtx
- );
-
- }
-
- public boolean isForceAuthn() {
- return forceAuthn;
- }
-
- public void setForceAuthn(boolean forceAuthn) {
- this.forceAuthn = forceAuthn;
- }
-
- public boolean isPassive() {
- return isPassive;
- }
-
- public void setPassive(boolean isPassive) {
- this.isPassive = isPassive;
- }
-
- public String getProtocolBinding() {
- return protocolBinding;
- }
-
- public void setProtocolBinding(String protocolBinding) {
- this.protocolBinding = protocolBinding;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
new file mode 100644
index 0000000..3c80e70
--- /dev/null
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.samlsso;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.LogoutRequest;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+
+/**
+ * A default implementation of the SAMLPRequestBuilder interface to create a SAML 2.0
+ * Protocol AuthnRequest and LogoutRequest
+ */
+public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
+
+ private boolean forceAuthn;
+ private boolean isPassive;
+ private String protocolBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
+
+ /**
+ * Create a SAML 2.0 Protocol AuthnRequest
+ */
+ public AuthnRequest createAuthnRequest(
+ String issuerId,
+ String assertionConsumerServiceAddress
+ ) throws Exception {
+ Issuer issuer =
+ SamlpRequestComponentBuilder.createIssuer(issuerId);
+
+ NameIDPolicy nameIDPolicy =
+ SamlpRequestComponentBuilder.createNameIDPolicy(
+ true, "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", issuerId
+ );
+
+ AuthnContextClassRef authnCtxClassRef =
+ SamlpRequestComponentBuilder.createAuthnCtxClassRef(
+ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+ );
+ RequestedAuthnContext authnCtx =
+ SamlpRequestComponentBuilder.createRequestedAuthnCtxPolicy(
+ AuthnContextComparisonTypeEnumeration.EXACT,
+ Collections.singletonList(authnCtxClassRef), null
+ );
+
+ //CHECKSTYLE:OFF
+ return SamlpRequestComponentBuilder.createAuthnRequest(
+ assertionConsumerServiceAddress,
+ forceAuthn,
+ isPassive,
+ protocolBinding,
+ SAMLVersion.VERSION_20,
+ issuer,
+ nameIDPolicy,
+ authnCtx
+ );
+
+ }
+
+ public boolean isForceAuthn() {
+ return forceAuthn;
+ }
+
+ public void setForceAuthn(boolean forceAuthn) {
+ this.forceAuthn = forceAuthn;
+ }
+
+ public boolean isPassive() {
+ return isPassive;
+ }
+
+ public void setPassive(boolean isPassive) {
+ this.isPassive = isPassive;
+ }
+
+ public String getProtocolBinding() {
+ return protocolBinding;
+ }
+
+ public void setProtocolBinding(String protocolBinding) {
+ this.protocolBinding = protocolBinding;
+ }
+
+ @Override
+ public LogoutRequest createLogoutRequest(
+ String issuerId,
+ String reason,
+ SamlAssertionWrapper authenticatedAssertion
+ ) throws Exception {
+ Issuer issuer =
+ SamlpRequestComponentBuilder.createIssuer(issuerId);
+
+ NameID nameID = null;
+ List<String> sessionIndices = new ArrayList<String>();
+
+ if (authenticatedAssertion != null) {
+ if (authenticatedAssertion.getSaml2() != null) {
+ org.opensaml.saml2.core.Subject subject =
+ authenticatedAssertion.getSaml2().getSubject();
+ if (subject != null && subject.getNameID() != null) {
+ nameID = subject.getNameID();
+ }
+ }
+ List<AuthnStatement> authnStatements =
+ authenticatedAssertion.getSaml2().getAuthnStatements();
+ if (authnStatements != null && !authnStatements.isEmpty()) {
+ for (AuthnStatement authnStatement : authnStatements) {
+ if (authnStatement.getSessionIndex() != null) {
+ sessionIndices.add(authnStatement.getSessionIndex());
+ }
+ }
+ }
+ }
+
+ //CHECKSTYLE:OFF
+ return SamlpRequestComponentBuilder.createLogoutRequest(
+ issuer,
+ reason,
+ nameID,
+ sessionIndices
+ );
+ }
+
+}
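Review bot: In createLogoutRequest, `authenticatedAssertion.getSaml2().getAuthnStatements()` is evaluated outside the `getSaml2() != null` guard that protects the subject lookup, so a non-null wrapper whose getSaml2() is null (for example a SAML 1.1 assertion) throws NullPointerException. Change the outer guard to `if (authenticatedAssertion != null && authenticatedAssertion.getSaml2() != null) {` so both the NameID and the session-index extraction are covered; the inner null check then becomes redundant. `createAuthnRequest` also lacks the `@Override` that `createLogoutRequest` carries, and the Javadoc for createLogoutRequest should state that a null assertion yields a LogoutRequest without NameID or SessionIndex, which is what the processor passes today.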
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
new file mode 100644
index 0000000..ba7efba
--- /dev/null
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.samlsso;
+
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.LogoutRequest;
+
+/**
+ * This interface defines a methods to create a SAML 2.0 Protocol AuthnRequest and LogoutRequest.
+ */
+public interface SAMLPRequestBuilder {
+
+ /**
+ * Create a SAML 2.0 Protocol AuthnRequest
+ */
+ AuthnRequest createAuthnRequest(
+ String issuerId,
+ String assertionConsumerServiceAddress
+ ) throws Exception;
+
+ /**
+ * Create a SAML 2.0 Protocol LogoutRequest
+ */
+ LogoutRequest createLogoutRequest(
+ String issuerId,
+ String reason,
+ SamlAssertionWrapper authenticatedAssertion
+ ) throws Exception;
+}
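Review bot: Neither method's Javadoc says which arguments may be null, yet the implementation added earlier in this commit treats `authenticatedAssertion` as optional (it null-checks it before reading the Subject and AuthnStatements), so a caller reading only the interface cannot tell whether `null` is part of the contract. Add `@param` lines, e.g. `@param authenticatedAssertion the assertion the user was logged in with; may be null, in which case no NameID or SessionIndex is included`, and state that `issuerId` and `assertionConsumerServiceAddress` are required. Declaring `throws Exception` on an interface also forces every caller into a blanket catch; if the implementations only throw a narrower type, this is the place to narrow it. The summary line also has a typo: "defines a methods" should read "defines methods".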
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java
index 426dc33..12bec45 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java
@@ -32,8 +32,11 @@ import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.LogoutRequest;
+import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.xml.XMLObjectBuilderFactory;
/**
@@ -43,6 +46,10 @@ public final class SamlpRequestComponentBuilder {
private static volatile SAMLObjectBuilder<AuthnRequest> authnRequestBuilder;
+ private static volatile SAMLObjectBuilder<LogoutRequest> logoutRequestBuilder;
+
+ private static volatile SAMLObjectBuilder<SessionIndex> sessionIndexBuilder;
+
private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
private static volatile SAMLObjectBuilder<NameIDPolicy> nameIDBuilder;
@@ -90,6 +97,47 @@ public final class SamlpRequestComponentBuilder {
}
@SuppressWarnings("unchecked")
+ public static LogoutRequest createLogoutRequest(
+ Issuer issuer,
+ String reason,
+ NameID nameId,
+ List<String> sessionIndices
+ ) {
+ if (logoutRequestBuilder == null) {
+ logoutRequestBuilder = (SAMLObjectBuilder<LogoutRequest>)
+ builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
+ }
+ if (sessionIndexBuilder == null) {
+ sessionIndexBuilder = (SAMLObjectBuilder<SessionIndex>)
+ builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME);
+ }
+
+ LogoutRequest logoutRequest = logoutRequestBuilder.buildObject();
+
+ logoutRequest.setID(UUID.randomUUID().toString());
+ logoutRequest.setIssueInstant(new DateTime());
+
+ if (reason != null) {
+ logoutRequest.setReason(reason);
+ }
+ if (nameId != null) {
+ logoutRequest.setNameID(nameId);
+ }
+
+ if (sessionIndices != null && !sessionIndices.isEmpty()) {
+ for (String sessionIndex : sessionIndices) {
+ SessionIndex sessionIndexObj = sessionIndexBuilder.buildObject();
+ sessionIndexObj.setSessionIndex(sessionIndex);
+ logoutRequest.getSessionIndexes().add(sessionIndexObj);
+ }
+ }
+
+ logoutRequest.setIssuer(issuer);
+
+ return logoutRequest;
+ }
+
+ @SuppressWarnings("unchecked")
public static Issuer createIssuer(
String issuerValue
) {
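Review bot: `logoutRequest.setID(UUID.randomUUID().toString())` can produce a value starting with a digit, which is not a valid `xs:ID`/NCName, so a schema-validating IdP may reject the LogoutRequest; the MetadataWriter in this same series avoids that with `IDGenerator.generateID("_")`, so use the same approach here, e.g. `logoutRequest.setID("_" + UUID.randomUUID().toString());`. The `issuer` argument is set unconditionally while `reason` and `nameId` are null-guarded; if a null issuer is not meant to be accepted, an `Objects.requireNonNull(issuer, "issuer")` at the top makes that explicit. The request also carries no `NotOnOrAfter`; it is optional in SAML 2.0, but setting it would bound how long a captured LogoutRequest stays replayable — presumably a follow-up rather than part of this commit.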
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f3887c20/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index 4293565..f14d80e 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -30,7 +30,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
-
import org.apache.cxf.fediz.common.SecurityTestUtil;
import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.config.FedizConfigurator;
@@ -46,6 +45,7 @@ import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.LogoutRequest;
/**
* Some tests for creating SAMLRequests using the SAMLProcessorImpl
@@ -214,8 +214,18 @@ public class SAMLRequestTest {
RedirectionResponse response = wfProc.createSignOutRequest(req, config);
String redirectionURL = response.getRedirectionURL();
- Assert.assertTrue(redirectionURL.startsWith(TEST_IDP_ISSUER));
- Assert.assertTrue(redirectionURL.endsWith("wa=wsignout1.0"));
+ String samlRequest =
+ redirectionURL.substring(redirectionURL.indexOf("SAMLRequest=") + "SAMLRequest=".length(),
+ redirectionURL.indexOf("RelayState=") - 1);
+
+ byte[] deflatedToken = Base64.decode(URLDecoder.decode(samlRequest, "UTF-8"));
+ InputStream tokenStream = CompressionUtils.inflate(deflatedToken);
+
+ Document requestDoc = DOMUtils.readXml(new InputStreamReader(tokenStream, "UTF-8"));
+ LogoutRequest request =
+ (LogoutRequest)OpenSAMLUtil.fromDom(requestDoc.getDocumentElement());
+
+ Assert.assertEquals(TEST_REQUEST_URL, request.getIssuer().getValue());
}
}
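Review bot: The rewritten test drops the `redirectionURL.startsWith(TEST_IDP_ISSUER)` assertion, so it no longer verifies that the sign-out redirect actually targets the configured IdP, and of the decoded LogoutRequest only the Issuer is checked. Keep the start-of-URL assertion and add at least `Assert.assertNotNull(request.getID());` and `Assert.assertNotNull(request.getIssueInstant());`; if the fixture can supply an assertion, asserting the NameID and SessionIndex would cover the new builder logic. The substring extraction also assumes `SAMLRequest=` precedes `RelayState=` with a single separator between them, which is an ordering detail of the producer rather than something the test should depend on.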
\ No newline at end of file
[2/8] git commit: Fixing Metadata
Posted by co...@apache.org.
Fixing Metadata
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/63c1d78a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/63c1d78a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/63c1d78a
Branch: refs/heads/master
Commit: 63c1d78a11db55fd91d6c61e7682c77d21a44780
Parents: d010835
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Sep 29 14:28:10 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Sep 29 14:28:10 2014 +0100
----------------------------------------------------------------------
.../java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/63c1d78a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index a522c95..7f692bf 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -78,7 +78,7 @@ public class MetadataWriter {
writer.writeStartDocument("UTF-8", "1.0");
String referenceID = IDGenerator.generateID("_");
- writer.writeStartElement("", "EntityDescriptor", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "EntityDescriptor", SAML2_METADATA_NS);
writer.writeAttribute("ID", referenceID);
String serviceURL = protocol.getApplicationServiceURL();
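Review bot: Writing the root element with the `md` prefix only yields a well-formed document if that prefix is bound, either by a `writer.writeNamespace("md", SAML2_METADATA_NS);` immediately after this line or because the output factory has `IS_REPAIRING_NAMESPACES` enabled; neither is visible in the hunk, so please confirm one of them is in place. The integration test updated later in this series expects the output to start with `<md:EntityDescriptor`, which checks the prefix but not that the namespace declaration is present. The enclosing method continues outside the hunk.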
[4/8] git commit: Added support for some more options for the SAML
protocol
Posted by co...@apache.org.
Added support for some more options for the SAML protocol
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/5966160a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/5966160a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/5966160a
Branch: refs/heads/master
Commit: 5966160a29a38bdd6ba5ff670d3596a87b0ee1f0
Parents: 7d4abd3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Sep 30 10:06:30 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Sep 30 10:06:30 2014 +0100
----------------------------------------------------------------------
.../apache/cxf/fediz/core/config/Protocol.java | 2 +-
.../cxf/fediz/core/config/SAMLProtocol.java | 16 +++
.../fediz/core/processor/SAMLProcessorImpl.java | 14 +-
.../core/samlsso/SAMLSSOResponseValidator.java | 3 +-
.../src/main/resources/schemas/FedizConfig.xsd | 4 +
.../samlsso/SAMLResponseConformanceTest.java | 141 +++++++++++++++++++
.../fediz/integrationtests/AbstractTests.java | 2 +-
7 files changed, 176 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index 6900891..8f82cdf 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -164,7 +164,7 @@ public abstract class Protocol {
}
protected Object loadCallbackType(CallbackType cbt, String name) {
- if (cbt == null) {
+ if (cbt == null || cbt.getValue() == null) {
return null;
}
if (cbt.getType() == null || cbt.getType().equals(ArgumentType.STRING)) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index adeb1f6..ee59a70 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -90,5 +90,21 @@ public class SAMLProtocol extends Protocol {
this.authnRequestBuilder = authnRequestBuilder;
}
+ public boolean isDisableDeflateEncoding() {
+ return getSAMLProtocol().isDisableDeflateEncoding();
+ }
+
+ public void setDisableDeflateEncoding(boolean disableDeflateEncoding) {
+ getSAMLProtocol().setDisableDeflateEncoding(disableDeflateEncoding);
+ }
+
+ public boolean isDoNotEnforceKnownIssuer() {
+ return getSAMLProtocol().isDoNotEnforceKnownIssuer();
+ }
+
+ public void setDoNotEnforceKnownIssuer(boolean doNotEnforceKnownIssuer) {
+ getSAMLProtocol().setDoNotEnforceKnownIssuer(doNotEnforceKnownIssuer);
+ }
+
}
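Review bot: `setDoNotEnforceKnownIssuer(true)` turns off the check that the SAML Response Issuer matches the IdP the AuthnRequest was sent to (the conformance test in this commit shows a Response from a different issuer is then accepted), yet the accessors carry no documentation of that consequence. Add a Javadoc along the lines of: `Disables the check that the Response Issuer matches the configured IdP address. Signatures are still validated, so presumably any issuer whose signing certificate the truststore accepts is then admitted; leave this false unless the IdP's Issuer value legitimately differs from its SSO address.` The double negative in the name mirrors the schema element and so is hard to change, but the doc should state plainly what `true` means.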
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 304b6cb..0bb1fd8 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.core.processor;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
@@ -126,13 +127,17 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
InputStream tokenStream = null;
try {
byte[] deflatedToken = Base64.decode(request.getResponseToken());
- tokenStream = CompressionUtils.inflate(deflatedToken);
+ if (protocol.isDisableDeflateEncoding()) {
+ tokenStream = new ByteArrayInputStream(deflatedToken);
+ } else {
+ tokenStream = CompressionUtils.inflate(deflatedToken);
+ }
} catch (DataFormatException ex) {
throw new ProcessingException(TYPE.INVALID_REQUEST);
} catch (Base64DecodingException e) {
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
-
+
Document doc = null;
Element el = null;
try {
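Review bot: On the new `isDisableDeflateEncoding()` branch the bytes are used as-is, so the name `deflatedToken` is now misleading for half of the paths; `byte[] decodedToken = Base64.decode(request.getResponseToken());` reads correctly on both. A one-line comment such as `// HTTP-POST responses are plain Base64; DEFLATE is only used when the IdP applies the Redirect-style encoding` would also tell the next reader why the option exists, assuming that is indeed the motivation. The enclosing method starts and ends outside the hunk.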
@@ -247,12 +252,15 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
String requestURL = request.getRequestURL().toString();
ssoResponseValidator.setAssertionConsumerURL(requestURL);
ssoResponseValidator.setClientAddress(request.getRemoteAddr());
+
+ boolean doNotEnforceKnownIssuer =
+ ((SAMLProtocol)config.getProtocol()).isDoNotEnforceKnownIssuer();
+ ssoResponseValidator.setEnforceKnownIssuer(!doNotEnforceKnownIssuer);
ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
ssoResponseValidator.setRequestId(requestState.getRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
ssoResponseValidator.setEnforceAssertionsSigned(true);
- ssoResponseValidator.setEnforceKnownIssuer(true);
ssoResponseValidator.setReplayCache(config.getTokenReplayCache());
return ssoResponseValidator.validateSamlResponse(samlResponse, false);
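Review bot: When `doNotEnforceKnownIssuer` is true the validator accepts a Response whose Issuer differs from `requestState.getIdpServiceAddress()`, and nothing records that the weaker mode is in effect, which makes it invisible in production logs. Log it at WARN where the flag is read, e.g. `if (doNotEnforceKnownIssuer) { LOG.warn("SAML known-issuer enforcement is disabled by configuration"); }` (a `LOG` field is used elsewhere in this class). The unconditional `(SAMLProtocol)` cast is fine here only because this processor is SAML-specific; the sign-out method later in this series guards the same cast with `instanceof`, so the two could be made consistent. The enclosing method starts and ends outside the hunk.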
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 92cf01d..86bb005 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -245,7 +245,8 @@ public class SAMLSSOResponseValidator {
// InResponseTo must match the AuthnRequest request Id
if (requestId != null && !requestId.equals(subjectConfData.getInResponseTo())) {
- LOG.debug("The InResponseTo String does match the original request id " + requestId);
+ LOG.debug("The InResponseTo String " + subjectConfData.getInResponseTo()
+ + " does match the original request id " + requestId);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
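Review bot: The new message says `does match` on the branch that throws because the values differ, so the log states the opposite of what happened; change the second line to `+ " does not match the original request id " + requestId);`. `subjectConfData.getInResponseTo()` is taken straight from the received Response, so it is untrusted input in the log line — acceptable at DEBUG, but keep it out of higher levels. The enclosing method continues outside the hunk.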
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 4d4c1f9..d26ad25 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -111,6 +111,8 @@
<xs:sequence>
<xs:element ref="signRequest" />
<xs:element ref="authnRequestBuilder"/>
+ <xs:element ref="disableDeflateEncoding"/>
+ <xs:element ref="doNotEnforceKnownIssuer"/>
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
</xs:extension>
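Review bot: Both new elements are added to the sequence without `minOccurs="0"`, so an existing SAML configuration that does not mention them will fail schema validation once upgraded (assuming the configuration file is validated against this XSD, which the hunk does not show). Declare them optional with the secure value as the default, `<xs:element ref="disableDeflateEncoding" minOccurs="0"/>` and `<xs:element ref="doNotEnforceKnownIssuer" minOccurs="0"/>`, with `default="false"` on the element declarations, so that omitting `doNotEnforceKnownIssuer` keeps issuer enforcement on. If JAXB then generates `Boolean` rather than `boolean` accessors, the wrappers in `SAMLProtocol` need a null check.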
@@ -125,6 +127,8 @@
<xs:element name="signRequest" type="xs:boolean" />
<xs:element name="authnRequestBuilder" type="xs:string" />
+ <xs:element name="disableDeflateEncoding" type="xs:boolean"/>
+ <xs:element name="doNotEnforceKnownIssuer" type="xs:boolean"/>
<xs:complexType name="protocolType" abstract="true">
<xs:sequence>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java
index 08c3090..1c698c6 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java
@@ -41,6 +41,7 @@ import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.SAML2CallbackHandler;
import org.apache.cxf.fediz.core.config.FedizConfigurator;
import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
import org.apache.cxf.fediz.core.processor.FedizProcessor;
@@ -974,6 +975,146 @@ public class SAMLResponseConformanceTest {
}
}
+ @org.junit.Test
+ public void testIssuerEnforcementFailure() throws Exception {
+ // Mock up a Request
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ RequestState requestState = new RequestState(TEST_REQUEST_URL,
+ TEST_IDP_ISSUER,
+ requestId,
+ TEST_REQUEST_URL,
+ (String)config.getProtocol().getIssuer(),
+ null,
+ relayState,
+ System.currentTimeMillis());
+
+ // Create SAML Response
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setAlsoAddAuthnStatement(true);
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer(TEST_IDP_ISSUER + "/other-issuer");
+ callbackHandler.setSubjectName(TEST_USER);
+
+ ConditionsBean cp = new ConditionsBean();
+ AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+ audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
+ cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
+ callbackHandler.setConditions(cp);
+
+ // Subject Confirmation Data
+ SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+ subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
+ subjectConfirmationData.setInResponseTo(requestId);
+ subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
+ callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+
+ Issuer issuer =
+ SAML2PResponseComponentBuilder.createIssuer(assertion.getIssuerString());
+
+ Element response = createSamlResponse(assertion, "mystskey", true, requestId, issuer);
+ String responseStr = encodeResponse(response);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(responseStr);
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setRequestState(requestState);
+
+ // Failure expected on an unknown issuer value
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected");
+ } catch (ProcessingException ex) {
+ if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
+ fail("Expected ProcessingException with INVALID_REQUEST type");
+ }
+ }
+ }
+
+ @org.junit.Test
+ public void testIssuerEnforcementDisable() throws Exception {
+ // Mock up a Request
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ RequestState requestState = new RequestState(TEST_REQUEST_URL,
+ TEST_IDP_ISSUER,
+ requestId,
+ TEST_REQUEST_URL,
+ (String)config.getProtocol().getIssuer(),
+ null,
+ relayState,
+ System.currentTimeMillis());
+
+ // Create SAML Response
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setAlsoAddAuthnStatement(true);
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer(TEST_IDP_ISSUER + "/other-issuer");
+ callbackHandler.setSubjectName(TEST_USER);
+
+ ConditionsBean cp = new ConditionsBean();
+ AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+ audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
+ cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
+ callbackHandler.setConditions(cp);
+
+ // Subject Confirmation Data
+ SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+ subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
+ subjectConfirmationData.setInResponseTo(requestId);
+ subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
+ callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+
+ Issuer issuer =
+ SAML2PResponseComponentBuilder.createIssuer(assertion.getIssuerString());
+
+ Element response = createSamlResponse(assertion, "mystskey", true, requestId, issuer);
+ String responseStr = encodeResponse(response);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(responseStr);
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setRequestState(requestState);
+
+ // Disable the issuer enforcement check
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ ((SAMLProtocol)config.getProtocol()).setDoNotEnforceKnownIssuer(true);
+ Assert.assertTrue(((SAMLProtocol)config.getProtocol()).isDoNotEnforceKnownIssuer());
+ FedizResponse wfRes = wfProc.processRequest(wfReq, config);
+ Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
+
+ }
private Element createSamlResponse(SamlAssertionWrapper assertion, String alias,
boolean sign, String requestID, Issuer issuer)
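Review bot: `testIssuerEnforcementDisable` calls `setDoNotEnforceKnownIssuer(true)` on the `FedizContext` obtained from `getFederationConfigurator().getFedizContext("ROOT")` and never restores it; if that configurator is shared across the test class (it appears to come from a class-level helper), every test that runs afterwards in the same JVM silently executes with issuer enforcement off, including `testIssuerEnforcementFailure` depending on ordering. Wrap the processing in `try { ... } finally { ((SAMLProtocol)config.getProtocol()).setDoNotEnforceKnownIssuer(false); }`. The two tests also duplicate roughly forty lines of Response setup that differ only in the final assertion; a private helper taking the issuer string would keep them in step.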
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5966160a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 0892d9e..af799f5 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -313,7 +313,7 @@ public abstract class AbstractTests {
final XmlPage rpPage = webClient.getPage(url);
final String xmlContent = rpPage.asXml();
- Assert.assertTrue(xmlContent.startsWith("<EntityDescriptor"));
+ Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
// Now validate the Signature
Document doc = rpPage.getXmlDocument();
[5/8] git commit: Adding SAML Logout unit test + fixing bug
Posted by co...@apache.org.
Adding SAML Logout unit test + fixing bug
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1b6058db
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1b6058db
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1b6058db
Branch: refs/heads/master
Commit: 1b6058dbcde7da2a9a2924acb15b9bece2d72e6a
Parents: 5966160
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Sep 30 10:27:09 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Sep 30 10:27:09 2014 +0100
----------------------------------------------------------------------
.../fediz/core/processor/SAMLProcessorImpl.java | 3 +--
.../cxf/fediz/core/samlsso/SAMLRequestTest.java | 19 +++++++++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1b6058db/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 0bb1fd8..64ffe36 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -40,7 +40,6 @@ import org.apache.cxf.fediz.core.SAMLSSOConstants;
import org.apache.cxf.fediz.core.TokenValidator;
import org.apache.cxf.fediz.core.TokenValidatorRequest;
import org.apache.cxf.fediz.core.TokenValidatorResponse;
-import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
@@ -411,7 +410,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
String redirectURL = null;
try {
- if (!(config.getProtocol() instanceof FederationProtocol)) {
+ if (!(config.getProtocol() instanceof SAMLProtocol)) {
LOG.error("Unsupported protocol");
throw new IllegalStateException("Unsupported protocol");
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1b6058db/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index 3cab944..4293565 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -199,4 +199,23 @@ public class SAMLRequestTest {
Assert.assertTrue(signature != null && signature.length() > 0);
}
+ @org.junit.Test
+ public void createSAMLLogoutRequest() throws Exception {
+ // Mock up a Request
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)).times(1, 2);
+ EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI);
+ EasyMock.expect(req.getRequestURI()).andReturn(TEST_REQUEST_URI).times(1, 2);
+ EasyMock.replay(req);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+
+ String redirectionURL = response.getRedirectionURL();
+ Assert.assertTrue(redirectionURL.startsWith(TEST_IDP_ISSUER));
+ Assert.assertTrue(redirectionURL.endsWith("wa=wsignout1.0"));
+ }
+
}
\ No newline at end of file
[6/8] git commit: Fixing Metadata Logout URL
Posted by co...@apache.org.
Fixing Metadata Logout URL
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/be392d35
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/be392d35
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/be392d35
Branch: refs/heads/master
Commit: be392d35c78ca0a5dc24211b051cfeacba5f59d3
Parents: 1b6058d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Sep 30 11:46:34 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Sep 30 11:46:34 2014 +0100
----------------------------------------------------------------------
.../cxf/fediz/core/metadata/MetadataWriter.java | 41 ++++++++++++++++++--
.../core/processor/FederationProcessorImpl.java | 4 +-
.../fediz/core/processor/FedizProcessor.java | 4 +-
.../fediz/core/processor/SAMLProcessorImpl.java | 4 +-
.../core/federation/FederationMetaDataTest.java | 6 +--
.../fediz/core/samlsso/SAMLMetaDataTest.java | 26 +++++++++++--
.../cxf/plugin/FedizRedirectBindingFilter.java | 3 +-
.../fediz/jetty/FederationAuthenticator.java | 2 +-
.../web/FederationAuthenticationEntryPoint.java | 2 +-
.../web/FederationAuthenticationEntryPoint.java | 4 +-
.../fediz/tomcat/FederationAuthenticator.java | 2 +-
11 files changed, 76 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index 20fa3fe..3edde28 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -24,17 +24,19 @@ import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
+import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import org.w3c.dom.Document;
-
import org.apache.cxf.fediz.core.config.Claim;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
@@ -66,7 +68,9 @@ public class MetadataWriter {
}
//CHECKSTYLE:OFF
- public Document getMetaData(FedizContext config) throws ProcessingException {
+ public Document getMetaData(
+ HttpServletRequest request, FedizContext config
+ ) throws ProcessingException {
try {
ByteArrayOutputStream bout = new ByteArrayOutputStream(4096);
@@ -102,7 +106,7 @@ public class MetadataWriter {
if (protocol instanceof FederationProtocol) {
writeFederationMetadata(writer, config, serviceURL);
} else if (protocol instanceof SAMLProtocol) {
- writeSAMLMetadata(writer, config, serviceURL);
+ writeSAMLMetadata(writer, request, config, serviceURL);
}
writer.writeEndElement(); // EntityDescriptor
@@ -235,6 +239,7 @@ public class MetadataWriter {
private void writeSAMLMetadata(
XMLStreamWriter writer,
+ HttpServletRequest request,
FedizContext config,
String serviceURL
) throws Exception {
@@ -248,7 +253,15 @@ public class MetadataWriter {
if (config.getLogoutURL() != null) {
writer.writeStartElement("md", "SingleLogoutService", SAML2_METADATA_NS);
- writer.writeAttribute("Location", config.getLogoutURL());
+
+ String logoutURL = config.getLogoutURL();
+ if (logoutURL.startsWith("/")) {
+ logoutURL = extractFullContextPath(request).concat(logoutURL.substring(1));
+ } else {
+ logoutURL = extractFullContextPath(request).concat(logoutURL);
+ }
+ writer.writeAttribute("Location", logoutURL);
+
writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
writer.writeEndElement(); // SingleLogoutService
}
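Review bot: The new Location is unconditionally prefixed with extractFullContextPath(request), so a logoutURL configured as an absolute URL, which the removed line wrote through as-is, now becomes `<request base>https://…`, a regression for deployments that configure a full URL, and the same branch dereferences `request` although FederationMetaDataTest passes null for it. Only relative values should be resolved, e.g. `if (!logoutURL.startsWith("http://") && !logoutURL.startsWith("https://")) { logoutURL = extractFullContextPath(request).concat(logoutURL.startsWith("/") ? logoutURL.substring(1) : logoutURL); }`. Since the prefix is taken from request.getRequestURL(), the endpoint published in the metadata follows whatever scheme and host the incoming request carried (relevant behind a TLS-terminating proxy), which is worth a comment on the computed value or a configured base URL as an alternative. writeSAMLMetadata's body continues outside the hunk.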
@@ -323,4 +336,24 @@ public class MetadataWriter {
writer.writeEndElement(); // SPSSODescriptor
}
+ private String extractFullContextPath(HttpServletRequest request) throws MalformedURLException {
+ String result = null;
+ String contextPath = request.getContextPath();
+ String requestUrl = request.getRequestURL().toString();
+ String requestPath = new URL(requestUrl).getPath();
+ // Cut request path of request url and add context path if not ROOT
+ if (requestPath != null && requestPath.length() > 0) {
+ int lastIndex = requestUrl.lastIndexOf(requestPath);
+ result = requestUrl.substring(0, lastIndex);
+ } else {
+ result = requestUrl;
+ }
+ if (contextPath != null && contextPath.length() > 0) {
+ // contextPath contains starting slash
+ result = result + contextPath + "/";
+ } else {
+ result = result + "/";
+ }
+ return result;
+ }
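Review bot: The scheme and authority are recovered by searching the URL string for its own path (`requestUrl.lastIndexOf(requestPath)`), while the `URL` object already parsed on the line above exposes them directly; `URL url = new URL(requestUrl); String result = url.getProtocol() + "://" + url.getAuthority();` replaces the first branch and the `requestPath != null` check, which is always true because URL.getPath() returns an empty string rather than null. The method also needs a Javadoc stating that the result is `scheme://authority/` plus the servlet context path with a trailing slash, derived from the current request rather than from configuration, and that request must be non-null (no guard is present although the interface callers in FederationMetaDataTest pass null). The class closing brace at the end of the hunk is the only line after it.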
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 9e0d383..ed830e6 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -109,8 +109,8 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
- public Document getMetaData(FedizContext config) throws ProcessingException {
- return new MetadataWriter().getMetaData(config);
+ public Document getMetaData(HttpServletRequest request, FedizContext config) throws ProcessingException {
+ return new MetadataWriter().getMetaData(request, config);
}
protected FedizResponse processSignInRequest(
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
index 0f7af91..c6cea4e 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
@@ -37,6 +37,8 @@ public interface FedizProcessor {
HttpServletRequest request, FedizContext config
) throws ProcessingException;
- Document getMetaData(FedizContext config) throws ProcessingException;
+ Document getMetaData(
+ HttpServletRequest request, FedizContext config
+ ) throws ProcessingException;
}
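Review bot: The new `request` parameter on the interface method has no Javadoc, and its nullability is inconsistent across callers: FederationMetaDataTest passes null, while MetadataWriter's SAML branch dereferences it to build the SingleLogoutService Location and the federation branch does not use it at all. Add `@param request the current request, used to derive the absolute SingleLogoutService Location for SAML metadata; appears to be unused for the WS-Federation protocol, but implementations should be documented as to whether null is accepted`. The same signature change is repeated without documentation in FederationProcessorImpl and SAMLProcessorImpl.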
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 64ffe36..99703af 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -98,8 +98,8 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
}
- public Document getMetaData(FedizContext config) throws ProcessingException {
- return new MetadataWriter().getMetaData(config);
+ public Document getMetaData(HttpServletRequest request, FedizContext config) throws ProcessingException {
+ return new MetadataWriter().getMetaData(request, config);
}
private RequestState processRelayState(
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
index 441b4be..a0bb6e8 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
@@ -73,7 +73,7 @@ public class FederationMetaDataTest {
FedizContext config = loadConfig("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
- Document doc = wfProc.getMetaData(config);
+ Document doc = wfProc.getMetaData(null, config);
Assert.assertNotNull(doc);
Node signatureNode = doc.getElementsByTagName("Signature").item(0);
@@ -105,7 +105,7 @@ public class FederationMetaDataTest {
FedizProcessor wfProc = new FederationProcessorImpl();
Document doc;
- doc = wfProc.getMetaData(config);
+ doc = wfProc.getMetaData(null, config);
Assert.assertNull(doc);
fail("Failure expected as signing store contains more than one certificate");
} catch (ProcessingException ex) {
@@ -119,7 +119,7 @@ public class FederationMetaDataTest {
FedizContext config = loadConfig("ROOT_NO_SIGNINGKEY");
FedizProcessor wfProc = new FederationProcessorImpl();
- Document doc = wfProc.getMetaData(config);
+ Document doc = wfProc.getMetaData(null, config);
Assert.assertNotNull(doc);
try {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
index 3c04d9d..aafeb34 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
@@ -22,12 +22,12 @@ package org.apache.cxf.fediz.core.samlsso;
import java.io.File;
import java.net.URL;
+import javax.servlet.http.HttpServletRequest;
import javax.xml.transform.TransformerException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-
import org.apache.cxf.fediz.common.SecurityTestUtil;
import org.apache.cxf.fediz.core.config.FedizConfigurator;
import org.apache.cxf.fediz.core.config.FedizContext;
@@ -39,6 +39,7 @@ import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
+import org.easymock.EasyMock;
import org.junit.AfterClass;
import org.junit.Assert;
@@ -49,6 +50,8 @@ import static org.junit.Assert.fail;
*/
public class SAMLMetaDataTest {
private static final String CONFIG_FILE = "fediz_meta_test_config_saml.xml";
+ private static final String TEST_REQUEST_URL = "https://localhost/fedizhelloworld/";
+ private static final String CONTEXT_PATH = "https://localhost:9443/";
@AfterClass
public static void cleanup() {
@@ -75,7 +78,12 @@ public class SAMLMetaDataTest {
FedizContext config = loadConfig("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
- Document doc = wfProc.getMetaData(config);
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getContextPath()).andReturn(CONTEXT_PATH);
+ EasyMock.replay(req);
+
+ Document doc = wfProc.getMetaData(req, config);
Assert.assertNotNull(doc);
Node signatureNode = doc.getElementsByTagName("Signature").item(0);
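Review bot: The `CONTEXT_PATH` constant "https://localhost:9443/" is not a value HttpServletRequest.getContextPath() can return (that is "" or a path such as "/fedizhelloworld" without a trailing slash), so the mocked request makes extractFullContextPath produce a Location of the form `https://localhosthttps://localhost:9443//`, and no assertion inspects the resulting SingleLogoutService element. Use `private static final String CONTEXT_PATH = "/fedizhelloworld";` and assert on the Location attribute so the new URL logic is actually exercised. The four-line mock set-up is duplicated in the hunks at L1546 and L1559; a private static helper returning the replayed mock, followed by `EasyMock.verify(req)` after the call, would remove the repetition and confirm the request was consulted.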
@@ -107,8 +115,13 @@ public class SAMLMetaDataTest {
FedizProcessor wfProc = new FederationProcessorImpl();
Document doc;
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getContextPath()).andReturn(CONTEXT_PATH);
+ EasyMock.replay(req);
- doc = wfProc.getMetaData(config);
+ doc = wfProc.getMetaData(req, config);
Assert.assertNull(doc);
fail("Failure expected as signing store contains more than one certificate");
} catch (ProcessingException ex) {
@@ -122,7 +135,12 @@ public class SAMLMetaDataTest {
FedizContext config = loadConfig("ROOT_NO_SIGNINGKEY");
FedizProcessor wfProc = new FederationProcessorImpl();
- Document doc = wfProc.getMetaData(config);
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getContextPath()).andReturn(CONTEXT_PATH);
+ EasyMock.replay(req);
+
+ Document doc = wfProc.getMetaData(req, config);
Assert.assertNotNull(doc);
try {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 6a1e81a..83eb3b5 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -243,7 +243,8 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
try {
- Document metadata = wfProc.getMetaData(fedConfig);
+ HttpServletRequest request = messageContext.getHttpServletRequest();
+ Document metadata = wfProc.getMetaData(request, fedConfig);
String metadataStr = DOM2Writer.nodeToString(metadata);
ResponseBuilder response = Response.ok(metadataStr, "text/xml");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
index 9b8033c..e727ae1 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
@@ -176,7 +176,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
try {
- Document metadata = wfProc.getMetaData(fedConfig);
+ Document metadata = wfProc.getMetaData(request, fedConfig);
out.write(DOM2Writer.nodeToString(metadata));
return Authentication.SEND_CONTINUE;
} catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index e777ab8..9749927 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -97,7 +97,7 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
try {
- Document metadata = wfProc.getMetaData(fedContext);
+ Document metadata = wfProc.getMetaData(servletRequest, fedContext);
out.write(DOM2Writer.nodeToString(metadata));
return;
} catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index ffc4fe6..3fd799f 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -100,7 +100,7 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
try {
- Document metadata = wfProc.getMetaData(fedContext);
+ Document metadata = wfProc.getMetaData(servletRequest, fedContext);
out.write(DOM2Writer.nodeToString(metadata));
return;
} catch (Exception ex) {
@@ -189,7 +189,7 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
try {
- Document metadata = wfProc.getMetaData(fedContext);
+ Document metadata = wfProc.getMetaData(hrequest, fedContext);
out.write(DOM2Writer.nodeToString(metadata));
return;
} catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/be392d35/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index 024fd14..40d0538 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -201,7 +201,7 @@ public class FederationAuthenticator extends FormAuthenticator {
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
try {
- Document metadata = wfProc.getMetaData(fedConfig);
+ Document metadata = wfProc.getMetaData(request, fedConfig);
out.write(DOM2Writer.nodeToString(metadata));
return;
} catch (Exception ex) {