Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/23 18:04:22 UTC
cxf-fediz git commit: [FEDIZ-153] - Some refactoring
Repository: cxf-fediz
Updated Branches:
refs/heads/master a700f7ae2 -> 72f0c939b
[FEDIZ-153] - Some refactoring
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/72f0c939
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/72f0c939
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/72f0c939
Branch: refs/heads/master
Commit: 72f0c939b51c81ff6575d41f406c0f6ec0d5d25b
Parents: a700f7a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Feb 23 17:04:00 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Feb 23 17:04:00 2016 +0000
----------------------------------------------------------------------
.../idp/beans/TrustedIdpProtocolAction.java | 29 --------
.../TrustedIdpOIDCProtocolHandler.java | 76 +++-----------------
.../TrustedIdpSAMLProtocolHandler.java | 5 --
.../TrustedIdpWSFedProtocolHandler.java | 5 --
.../idp/spi/TrustedIdpProtocolHandler.java | 3 -
.../flows/federation-signin-response.xml | 12 ----
.../flows/federation-validate-request.xml | 1 -
7 files changed, 9 insertions(+), 122 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
index 63f8b8c..2369bae 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
@@ -73,35 +73,6 @@ public class TrustedIdpProtocolAction {
return redirectUrl.toString();
}
- public String processSignInResponse(RequestContext requestContext) {
- String trustedIdpRealm = requestContext.getFlowScope().getString("whr");
-
- Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(requestContext, IDP_CONFIG);
-
- TrustedIdp trustedIdp = idpConfig.findTrustedIdp(trustedIdpRealm);
- if (trustedIdp == null) {
- LOG.error("TrustedIdp '{}' not configured", trustedIdpRealm);
- throw new IllegalStateException("TrustedIdp '" + trustedIdpRealm + "'");
- }
-
- String protocol = trustedIdp.getProtocol();
- LOG.debug("TrustedIdp '{}' supports protocol {}", trustedIdpRealm, protocol);
-
- TrustedIdpProtocolHandler protocolHandler = trustedIdpProtocolHandlers.getProtocolHandler(protocol);
- if (protocolHandler == null) {
- LOG.error("No ProtocolHandler found for {}", protocol);
- throw new IllegalStateException("No ProtocolHandler found for '" + protocol + "'");
- }
- URL redirectUrl = protocolHandler.processSignInResponse(requestContext, idpConfig, trustedIdp);
- LOG.info("Redirect required? {}", redirectUrl != null);
- if (redirectUrl != null) {
- String redirectUrlStr = redirectUrl.toString();
- LOG.info("Redirect URL: {}", redirectUrlStr);
- return redirectUrlStr;
- }
- return null;
- }
-
public SecurityToken mapSignInResponse(RequestContext requestContext) {
String trustedIdpRealm = requestContext.getFlowScope().getString("whr");
LOG.info("Prepare validate SignInResponse of Trusted IDP '{}'", trustedIdpRealm);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
index c6ebeba..eef38ea 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
@@ -74,7 +74,6 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.joda.time.DateTime;
@@ -144,50 +143,6 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
}
@Override
- public URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
- /*
- String code = (String) WebUtils.getAttributeFromFlowScope(context,
- OAuthConstants.CODE_RESPONSE_TYPE);
- if (code == null) {
- return null;
- }
-
- try {
- StringBuilder sb = new StringBuilder();
- // sb.append(trustedIdp.getUrl());
- sb.append("http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token"); // TODO
- sb.append("?");
- sb.append("grant_type").append('=');
- sb.append("authorization_code");
- sb.append("&");
- sb.append("code").append('=');
- sb.append(code);
- sb.append("&");
- sb.append("redirect_uri").append('=');
- sb.append(URLEncoder.encode(idp.getIdpUrl().toString(), "UTF-8"));
- sb.append("&");
- sb.append("client_id").append('=');
- sb.append("consumer-id"); //TODO
- // sb.append("&");
-
- // TODOString state = (String) WebUtils.getAttributeFromFlowScope(context,
- // OAuthConstants.STATE);
- // sb.append("state").append('=');
- // sb.append(state);
-
- return new URL(sb.toString());
- } catch (MalformedURLException ex) {
- LOG.error("Invalid Redirect URL for Trusted Idp", ex);
- throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
- } catch (UnsupportedEncodingException ex) {
- LOG.error("Invalid Redirect URL for Trusted Idp", ex);
- throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
- }
- */
- return null;
- }
-
- @Override
public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
String code = (String) WebUtils.getAttributeFromFlowScope(context,
@@ -230,28 +185,17 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
return null;
}
- /*String whr = (String) WebUtils.getAttributeFromFlowScope(context,
+ String whr = (String) WebUtils.getAttributeFromFlowScope(context,
FederationConstants.PARAM_HOME_REALM);
if (whr == null) {
LOG.warn("Home realm is null");
throw new IllegalStateException("Home realm is null");
}
- String wresult = (String) WebUtils.getAttributeFromFlowScope(context,
- FederationConstants.PARAM_RESULT);
- if (wresult == null) {
- LOG.warn("Parameter wresult not found");
- throw new IllegalStateException("No security token issued");
- }*/
-
// Parse the received Token
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
JwtToken jwt = jwtConsumer.getJwtToken();
- for (String claim : jwt.getClaims().asMap().keySet()) {
- System.out.println("CLAIM: " + claim + " " + jwt.getClaim(claim));
- }
-
if (!jwtConsumer.verifySignatureWith(validatingCert, SignatureAlgorithm.RS256)) {
LOG.warn("Signature does not validate");
return null;
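Review bot: After the signature check on L157 nothing in this hunk validates who the ID token was issued for: `whr` is restored on L137 but only reaches the log statement later in the method, and neither the `iss` nor the `aud` claim is compared against the trusted IdP configuration or the client id this handler used for the code exchange, so a validly signed ID token minted for a different client at the same provider would be accepted here. OIDC Core 3.1.3.7 requires the relying party to check `iss` and `aud` (and `nonce` when one was sent) in addition to the signature. I'd add, right after the signature check, `if (!expectedClientId.equals(jwt.getClaim(JwtConstants.CLAIM_AUDIENCE))) { LOG.warn("Audience mismatch"); return null; }` — bearing in mind `aud` may be a list — plus the equivalent comparison of `iss` with the trusted IdP's configured issuer. The body of mapSignInResponse starts and ends outside this hunk.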
@@ -261,30 +205,28 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
if (jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) != null) {
created = new Date((long)jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) * 1000L);
}
+ if (jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
+ LOG.warn("No expiry in the token");
+ return null;
+ }
Date expires = new Date((long)jwt.getClaim(JwtConstants.CLAIM_EXPIRY) * 1000L);
- System.out.println("IAT: " + created);
- System.out.println("EXP: " + expires);
// Convert into a SAML Token
SamlAssertionWrapper assertion = createSamlAssertion(idp, jwt, created, expires);
Document doc = DOMUtils.createDocument();
Element token = assertion.toDOM(doc);
- System.out.println("TOK: " + DOM2Writer.nodeToString(token));
// Create new Security token with new id.
// Parameters for freshness computation are copied from original IDP_TOKEN
SecurityToken idpToken = new SecurityToken(assertion.getId(), created, expires);
idpToken.setToken(token);
- // idpToken.setToken(e);
- // LOG.info("[IDP_TOKEN={}] for user '{}' created from [RP_TOKEN={}] issued by home realm [{}/{}]",
- // id, wfResp.getUsername(), wfResp.getUniqueTokenId(), whr, wfResp.getIssuer());
+ LOG.info("[IDP_TOKEN={}] for user '{}' created from [RP_TOKEN={}] issued by home realm [{}/{}]",
+ assertion.getId(), assertion.getSaml2().getSubject().getNameID().getValue(),
+ jwt.getClaim(JwtConstants.CLAIM_JWT_ID), whr, jwt.getClaim(JwtConstants.CLAIM_ISSUER));
LOG.debug("Created date={}", created);
LOG.debug("Expired date={}", expires);
- if (LOG.isDebugEnabled()) {
- //LOG.debug("Validated 'wresult' : "
- // + System.getProperty("line.separator") + wresult);
- }
+
return idpToken;
} catch (IllegalStateException ex) {
throw ex;
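Review bot: The new presence check on L164-167 guards only against a missing `exp`; the value is still never compared with the current time, so an already-expired ID token is converted into a SAML assertion on L172 unless the downstream freshness logic mentioned on L177 rejects it, which I cannot confirm from this hunk. The `(long)jwt.getClaim(...)` casts on L162/L168 also throw ClassCastException if the JSON layer materialises the claim as an Integer (epoch seconds fit in 32 bits until 2038) or a String, and `created` stays null when `iat` is absent. I'd read both via the typed accessors if JwtClaims provides them, `Long exp = jwt.getClaims().getExpiryTime();`, reject `exp == null || exp * 1000L < System.currentTimeMillis()` (with whatever clock-skew allowance the IdP uses elsewhere), and default `created` to the current time when `iat` is missing. The enclosing method continues past the end of the hunk.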
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index 950d0ce..adc85d1 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -191,11 +191,6 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
}
@Override
- public URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
- return null;
- }
-
- @Override
public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
try {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
index 9c9b192..c694b9d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
@@ -118,11 +118,6 @@ public class TrustedIdpWSFedProtocolHandler implements TrustedIdpProtocolHandler
}
@Override
- public URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
- return null;
- }
-
- @Override
public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
try {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
index 45dfa1f..a33591b 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
@@ -34,9 +34,6 @@ public interface TrustedIdpProtocolHandler extends ProtocolHandler {
// Only supports HTTP GET SignIn Requests
URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp);
- // Allow for processing of the Response + redirect again (required by some protocols)
- URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp);
-
//Hook in <action-state id="validateToken"> of federation-signin-response.xml
SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index a66d0b8..f424edc 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -37,16 +37,6 @@
<evaluate expression="signinParametersCacheAction.restore(flowRequestContext)" />
</on-start>
- <!-- See whether a further sign in request is required after processing -->
- <action-state id="isFurtherSignInRedirectRequired">
- <evaluate expression="trustedIdpProtocolAction.processSignInResponse(flowRequestContext)"
- result="flowScope.remoteIdpUrl"/>
- <evaluate expression="flowScope.remoteIdpUrl != null" />
- <transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateToken" />
- <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
- </action-state>
-
<!-- validate token issued by requestor IDP ('wresult') given its 'whr' -->
<action-state id="validateToken">
<evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)"
@@ -81,6 +71,4 @@
<!-- abnormal exit point : Http 500 Internal Server Error -->
<end-state id="scInternalServerError" />
- <end-state id="redirectToTrustedIDP" />
-
</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/72f0c939/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 6622ac3..4a9e20f 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -132,7 +132,6 @@
</transition>
<transition on="viewBadRequest" to="viewBadRequest" />
<transition on="scInternalServerError" to="scInternalServerError" />
- <transition on="redirectToTrustedIDP" to="redirectToTrustedIDP" />
</subflow-state>
<!-- produce RP security token (as String type) -->