Posted to commits@cxf.apache.org by co...@apache.org on 2016/12/08 17:03:10 UTC
[1/4] cxf-fediz git commit: Moving SAML Request parsing out of subflow
Repository: cxf-fediz
Updated Branches:
refs/heads/master bd0511cab -> a4ba98893
Moving SAML Request parsing out of subflow
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9fdf81d5
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9fdf81d5
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9fdf81d5
Branch: refs/heads/master
Commit: 9fdf81d521c59a4395084ecfb6e3d39a7900fd82
Parents: bd0511c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Dec 8 12:44:19 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Dec 8 12:44:19 2016 +0000
----------------------------------------------------------------------
.../WEB-INF/flows/saml-signin-request.xml | 20 ++++----------------
.../WEB-INF/flows/saml-validate-request.xml | 17 +++++++++++------
2 files changed, 15 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9fdf81d5/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index c4adbe5..0198ae0 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -24,19 +24,10 @@
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
<input name="idpConfig" />
- <input name="SAMLRequest" />
<input name="RelayState" />
- <input name="Signature" />
<input name="protocol" />
+ <input name="saml_authn_request" />
- <action-state id="parseAuthnRequest">
- <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
- flowScope.SAMLRequest, flowScope.Signature,
- flowScope.RelayState)" />
- <transition to="processHRDSExpression"/>
- <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
- </action-state>
-
<decision-state id="processHRDSExpression">
<on-entry>
<evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, null)"
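Review bot: The subflow no longer declares `SAMLRequest` and `Signature` inputs (removed in this hunk), yet the parent `signinSAMLRequest` subflow-state in saml-validate-request.xml still passes both: `<input name="SAMLRequest" value="flowScope.SAMLRequest" />` and `<input name="Signature" value="flowScope.Signature" />`. As far as I can tell Spring Web Flow ignores inputs the subflow does not declare, so this is dead wiring rather than a failure, but it leaves the impression that the raw request still enters the subflow when the parsed `saml_authn_request` is now all it consumes. I would drop those two lines from the parent in the same commit so the subflow's contract is visible from one place. The `<flow>` element holding these inputs starts before the hunk.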
@@ -62,14 +53,14 @@
<var name="trustedIDPSelection"
class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
<binder>
- <binding property="whr" required="true" />
+ <binding property="home_realm" required="true" />
</binder>
<on-entry>
<set name="requestScope.idPConfig" value="flowScope.idpConfig" />
</on-entry>
<transition on="submit" to="checkIsThisIDP" bind="true"
validate="true">
- <set name="flowScope.home_realm" value="trustedIDPSelection.whr" />
+ <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
<evaluate
expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
</transition>
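Review bot: The binder now binds `home_realm` on `org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection` (`<binding property="home_realm" required="true" />`) and the transition reads `trustedIDPSelection.home_realm`, but the diffstat lists only the two flow files, so the model class is not touched by this commit. If TrustedIDPSelection still exposes only a `whr` property, binding fails at runtime when the selection form is submitted; the property rename (or an alias) belongs in the same commit, or the binding should keep `whr` until the model changes. I cannot see the model from this page, so it may already expose `home_realm`.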
@@ -168,13 +159,10 @@
<end-state id="requestRpToken">
<output name="home_realm" value="flowScope.home_realm" />
<output name="idpToken" value="flowScope.idpToken" />
- <output name="saml_authn_request" value="flowScope.saml_authn_request" />
</end-state>
<!-- abnormal exit point -->
- <end-state id="viewBadRequest">
- <output name="saml_authn_request" value="flowScope.saml_authn_request" />
- </end-state>
+ <end-state id="viewBadRequest" />
<!-- abnormal exit point -->
<end-state id="scInternalServerError" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9fdf81d5/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 36ac3a8..7aeb494 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -57,7 +57,7 @@
<if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
then="viewBadRequest" />
<if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
- then="signinSAMLRequest" />
+ then="parseSAMLAuthnRequest" />
<if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
then="viewBadRequest" else="signinResponse" />
</decision-state>
@@ -74,26 +74,31 @@
then="viewBadRequest" else="signinResponse" />
</decision-state>
+ <action-state id="parseSAMLAuthnRequest">
+ <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
+ flowScope.SAMLRequest, flowScope.Signature,
+ flowScope.RelayState)" />
+ <transition to="signinSAMLRequest"/>
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ </action-state>
+
<subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
<input name="idpConfig" value="flowScope.idpConfig" />
<input name="SAMLRequest" value="flowScope.SAMLRequest" />
<input name="RelayState" value="flowScope.RelayState" />
<input name="Signature" value="flowScope.Signature" />
<input name="protocol" value="'samlsso'" />
+ <input name="saml_authn_request" value="flowScope.saml_authn_request" />
<output name="home_realm" />
<output name="idpToken" />
<output name="trusted_idp_context" />
- <output name="saml_authn_request" />
<transition on="requestRpToken" to="requestRpToken">
<set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
- <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
- </transition>
- <transition on="viewBadRequest" to="viewBadRequest">
- <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
</transition>
+ <transition on="viewBadRequest" to="viewBadRequest" />
<transition on="scInternalServerError" to="scInternalServerError" />
<transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
<transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
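Review bot: The new `parseSAMLAuthnRequest` state routes only `org.apache.cxf.fediz.core.exception.ProcessingException` to `viewBadRequest`; any other exception raised while decoding the untrusted `SAMLRequest`/`Signature` parameters now escapes the top-level flow rather than the subflow as before. Other action-states in these flows (the token-expiry checks, for instance) guard with `on-exception="java.lang.Throwable"`, so adding `<transition on-exception="java.lang.Throwable" to="viewBadRequest" />` after the existing transition would keep malformed input on the bad-request path; whether the parser can throw anything other than ProcessingException I cannot tell from here. A one-line comment above the state, `<!-- Parse the inbound SAML AuthnRequest once, before entering the sign-in subflow -->`, would also make the reason for the move visible in the file.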
[3/4] cxf-fediz git commit: WSS4J update
Posted by co...@apache.org.
WSS4J update
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9d2805ff
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9d2805ff
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9d2805ff
Branch: refs/heads/master
Commit: 9d2805ffdb30081ab45465dbb8017cfc12dd9ba3
Parents: 775b209
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Dec 8 15:16:49 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Dec 8 15:16:49 2016 +0000
----------------------------------------------------------------------
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d2805ff/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 4d75b76..c982bcf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -70,7 +70,7 @@
<spring.security.version>3.2.9.RELEASE</spring.security.version>
<tomcat7.version>7.0.72</tomcat7.version>
<tomcat8.version>8.0.38</tomcat8.version>
- <wss4j.version>2.1.7</wss4j.version>
+ <wss4j.version>2.1.8</wss4j.version>
<tomcat.url>http://localhost:8080/manager/text</tomcat.url>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
[4/4] cxf-fediz git commit: SAML SSO Address validation fix
Posted by co...@apache.org.
SAML SSO Address validation fix
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a4ba9889
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a4ba9889
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a4ba9889
Branch: refs/heads/master
Commit: a4ba98893738008adddce4061278cd48a82da756
Parents: 9d2805f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Dec 8 17:02:54 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Dec 8 17:02:54 2016 +0000
----------------------------------------------------------------------
.../webapp/WEB-INF/flows/federation-signin-request.xml | 8 ++++----
.../src/main/webapp/WEB-INF/flows/saml-signin-request.xml | 10 +++++++---
2 files changed, 11 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a4ba9889/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 6051182..8c908c7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -94,13 +94,13 @@
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)" />
<transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateWReply" >
+ <transition on="no" to="validateReturnAddress" >
<set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
</transition>
<transition on-exception="java.lang.Throwable" to="viewBadRequest" />
</action-state>
- <action-state id="validateWReply">
+ <action-state id="validateReturnAddress">
<evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)
and passiveRequestorValidator.isValid(flowRequestContext, flowScope.wreply, flowScope.wtrealm)"/>
<transition on="yes" to="requestRpToken" />
@@ -134,7 +134,7 @@
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)" />
<transition on="yes" to="redirectToLocalIDP" />
- <transition on="no" to="validateWReply">
+ <transition on="no" to="validateReturnAddress">
<set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
</transition>
<transition on-exception="java.lang.Throwable" to="viewBadRequest" />
@@ -151,7 +151,7 @@
<action-state id="cacheSecurityToken">
<secured attributes="IS_AUTHENTICATED_FULLY" />
<evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
- <transition to="validateWReply">
+ <transition to="validateReturnAddress">
<set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
</transition>
</action-state>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a4ba9889/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 59ea18b..f167198 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -91,14 +91,18 @@
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or authnRequestParser.isForceAuthentication(flowRequestContext)" />
<transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateWReply" >
+ <transition on="no" to="validateReturnAddress" >
<set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
</transition>
<transition on-exception="java.lang.Throwable" to="viewBadRequest" />
</action-state>
- <action-state id="validateWReply">
- <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)
+ <action-state id="validateReturnAddress">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="flowScope.consumerURL"/>
+ </on-entry>
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.consumerURL)
and passiveRequestorValidator.isValid(flowRequestContext, flowScope.consumerURL, flowScope.realm)"/>
<transition on="yes" to="requestRpToken" />
<transition on="no" to="viewBadRequest" />
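Review bot: `passiveRequestorValidator.isValid(flowRequestContext, flowScope.consumerURL, flowScope.realm)` depends on `flowScope.realm`, but none of this subflow's declared inputs (`idpConfig`, `RelayState`, `protocol`, `saml_authn_request`, `home_realm`) is named `realm`, and the federation flow passes `flowScope.wtrealm` in the same position. If `realm` is never populated, the consumer URL is checked against a null realm, and the validator's handling of null then decides whether an AuthnRequest can direct the token to an endpoint not registered for the requesting RP — this is the check that pins the return address to the requestor. Please confirm where `flowScope.realm` is set (possibly by the parser from the AuthnRequest issuer, outside this hunk) or pass it explicitly. `retrieveConsumerURL` returning null for a request without an AssertionConsumerServiceURL deserves the same look; `commonsURLValidator.isValid` on a null URL should end at `viewBadRequest`, and it would be worth a comment stating that it does.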
[2/4] cxf-fediz git commit: More flow refactoring
Posted by co...@apache.org.
More flow refactoring
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/775b209c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/775b209c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/775b209c
Branch: refs/heads/master
Commit: 775b209c05df1996427a1c450e9fb6c393982e87
Parents: 9fdf81d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Dec 8 15:16:29 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Dec 8 15:16:29 2016 +0000
----------------------------------------------------------------------
.../webapp/WEB-INF/flows/federation-signin-request.xml | 10 +++++++---
.../main/webapp/WEB-INF/flows/saml-signin-request.xml | 11 +++++++----
.../main/webapp/WEB-INF/flows/saml-validate-request.xml | 1 +
3 files changed, 15 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/775b209c/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index d62c115..6051182 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -31,6 +31,8 @@
<input name="wauth" />
<input name="home_realm" />
<input name="protocol" />
+
+ <!-- ===== Home Realm Discovery ===== -->
<decision-state id="processHRDSExpression">
<on-entry>
@@ -75,14 +77,14 @@
<!-- Home Realm is known then we can store it in cookie -->
<decision-state id="checkIsThisIDP">
<if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
- then="checkWauthTypeSupported" else="checkIdpTokenWhrWauth" />
+ then="checkWauthTypeSupported" else="checkIdpTokenHomeRealm" />
</decision-state>
<!-- ============================================================================================================= -->
<!-- Is 'wresult/RP-IDP token' already received and validated (then stored
in session) from requestor IDP ? -->
- <decision-state id="checkIdpTokenWhrWauth">
+ <decision-state id="checkIdpTokenHomeRealm">
<if test="externalContext.sessionMap[flowScope.home_realm] != null"
then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
</decision-state>
@@ -104,7 +106,9 @@
<transition on="yes" to="requestRpToken" />
<transition on="no" to="viewBadRequest" />
</action-state>
-
+
+ <!-- ============================================================================================================= -->
+
<decision-state id="checkWauthTypeSupported">
<on-entry>
<!-- Here, home realm is guaranteed to be THIS realm -->
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/775b209c/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 0198ae0..59ea18b 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -27,10 +27,13 @@
<input name="RelayState" />
<input name="protocol" />
<input name="saml_authn_request" />
+ <input name="home_realm" />
+
+ <!-- ===== Home Realm Discovery ===== -->
<decision-state id="processHRDSExpression">
<on-entry>
- <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, null)"
+ <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
result="flowScope.home_realm" />
</on-entry>
<if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
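Review bot: The new `home_realm` input is undocumented, and its role is not obvious next to the `processHRDSExpression` state, whose `on-entry` overwrites `flowScope.home_realm` with the result of `processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)`: the caller's value is only a seed for that call. A comment on the input such as `<!-- optional home realm supplied by the caller; used only as the seed for processHRDSExpressionAction, whose result replaces flowScope.home_realm -->` would make that clear. The `<flow>` element holding these inputs starts before the hunk, and the `then` branch of the null check continues after it.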
@@ -71,14 +74,14 @@
<!-- Home Realm is known then we can store it in cookie -->
<decision-state id="checkIsThisIDP">
<if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
- then="homeRealmSignInEntryPoint" else="checkIdpTokenWhrWauth" />
+ then="homeRealmSignInEntryPoint" else="checkIdpTokenHomeRealm" />
</decision-state>
<!-- ============================================================================================================= -->
<!-- Is 'wresult/RP-IDP token' already received and validated (then stored
in session) from requestor IDP ? -->
- <decision-state id="checkIdpTokenWhrWauth">
+ <decision-state id="checkIdpTokenHomeRealm">
<if test="externalContext.sessionMap[flowScope.home_realm] != null"
then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
</decision-state>
@@ -109,7 +112,7 @@
<set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
</on-entry>
<if test="flowScope.idpConfig.getAuthenticationURIs() == null"
- then="scInternalServerError" />
+ then="viewBadRequest" />
<!-- check presence of cached IDP token for THIS realm -->
<if test="externalContext.sessionMap[flowScope.home_realm] == null"
then="cacheSecurityToken" else="checkTokenExpiry" />
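Review bot: Routing `flowScope.idpConfig.getAuthenticationURIs() == null` to `viewBadRequest` instead of `scInternalServerError` reclassifies a missing IdP configuration as a client error. The request is not at fault in that branch — the IdP itself has no authentication URIs configured — so the client receives a bad-request page for a server-side misconfiguration and the operator loses the signal that distinguishes the two. If the change is deliberate (the commit message only says "More flow refactoring"), a comment on the `<if>` stating why would help; otherwise keep `then="scInternalServerError" />`. The enclosing decision-state starts before the hunk.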
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/775b209c/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 7aeb494..4a430d7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -89,6 +89,7 @@
<input name="Signature" value="flowScope.Signature" />
<input name="protocol" value="'samlsso'" />
<input name="saml_authn_request" value="flowScope.saml_authn_request" />
+ <input name="home_realm" value="null" />
<output name="home_realm" />
<output name="idpToken" />