Posted to commits@cxf.apache.org by se...@apache.org on 2015/12/15 18:21:59 UTC
cxf-fediz git commit: Update the converter to use the original
assertion's time properties if available
Repository: cxf-fediz
Updated Branches:
refs/heads/master 6068e648c -> d56d64742
Update the converter to use the original assertion's time properties if available
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d56d6474
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d56d6474
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d56d6474
Branch: refs/heads/master
Commit: d56d6474227d15fac434d510bd76a85f0a2e0452
Parents: 6068e64
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Tue Dec 15 17:21:42 2015 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Tue Dec 15 17:21:42 2015 +0000
----------------------------------------------------------------------
.../fediz/service/oidc/SamlTokenConverter.java | 93 +++++++++++++++-----
1 file changed, 69 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d56d6474/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
index 4178017..2d0e31d 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
@@ -27,6 +27,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.joda.time.DateTime;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Issuer;
@@ -34,33 +35,69 @@ import org.opensaml.saml.saml2.core.Issuer;
public class SamlTokenConverter {
private String issuer;
+ private long defaultTimeToLive = 3600L;
public IdToken convertToIdToken(Element samlToken,
String subjectName,
ClaimCollection claims,
String clientId) {
+ // The current SAML Assertion represents an authentication record.
+ // It has to be translated into IdToken (JWT) so that it can be returned
+ // to client applications participating in various OIDC flows.
+
IdToken idToken = new IdToken();
+ // Subject name is provided by FedizPrincipal which is initialized from the current SAML token
idToken.setSubject(subjectName);
+ // SAML assertion audiences might be added if needed given that JWT can hold an array of audiences
idToken.setAudience(clientId);
- long currentTimeInSeconds = System.currentTimeMillis() / 1000L;
- idToken.setIssuedAt(currentTimeInSeconds);
- idToken.setExpiryTime(currentTimeInSeconds + 60000L);
-
- Assertion saml2Assertion = null;
- // Set the authInstant
- try {
- SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
- saml2Assertion = wrapper.getSaml2();
- if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty()) {
- long authInstant =
- saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis();
- idToken.setAuthenticationTime(authInstant / 1000L);
+ Assertion saml2Assertion = getSaml2Assertion(samlToken);
+ if (saml2Assertion != null) {
+ // Issuer
+ Issuer assertionIssuer = saml2Assertion.getIssuer();
+ if (assertionIssuer != null) {
+ idToken.setIssuer(assertionIssuer.getValue());
}
- } catch (WSSecurityException ex) {
- throw new OAuthServiceException("Error converting SAML token", ex);
+ // issueInstant
+ DateTime issueInstant = saml2Assertion.getIssueInstant();
+ if (issueInstant != null) {
+ idToken.setIssuedAt(issueInstant.getMillis() / 1000);
+ }
+
+ // expiryTime
+ if (saml2Assertion.getConditions() != null) {
+ DateTime expires = saml2Assertion.getConditions().getNotOnOrAfter();
+ if (expires != null) {
+ idToken.setExpiryTime(expires.getMillis() / 1000);
+ }
+ }
+
+ // authInstant
+ if (!saml2Assertion.getAuthnStatements().isEmpty()) {
+ DateTime authInstant =
+ saml2Assertion.getAuthnStatements().get(0).getAuthnInstant();
+ idToken.setAuthenticationTime(authInstant.getMillis() / 1000L);
+ }
+ }
+ // Check if default issuer, issuedAt and expiryTime values have to be set
+ if (issuer != null) {
+ idToken.setIssuer(issuer);
+ } else if (saml2Assertion != null) {
+ Issuer assertionIssuer = saml2Assertion.getIssuer();
+ if (assertionIssuer != null) {
+ idToken.setIssuer(assertionIssuer.getValue());
+ }
+ }
+
+ long currentTimeInSecs = System.currentTimeMillis() / 1000;
+ if (idToken.getIssuedAt() == null) {
+ idToken.setIssuedAt(currentTimeInSecs);
+ }
+ if (idToken.getExpiryTime() == null) {
+ idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive);
}
+
// Map claims
if (claims != null) {
String firstName = null;
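Review bot: `authInstant`, read under `// authInstant` from `getAuthnStatements().get(0).getAuthnInstant()`, is dereferenced without a null check, whereas the neighbouring `issueInstant` and `NotOnOrAfter` reads in the same hunk are guarded; an AuthnStatement with no AuthnInstant would escape the converter as a NullPointerException rather than an OAuthServiceException. Guard it the same way: `if (authInstant != null) { idToken.setAuthenticationTime(authInstant.getMillis() / 1000L); }`. The issuer assignment under `// Issuer` is also dead work, because the later `if (issuer != null) ... else if (saml2Assertion != null)` block repeats it and overrides the value whenever a default issuer is configured, so the first copy can be dropped. Note as well that `iat` now carries the assertion's IssueInstant rather than the time the ID token is minted, so a client that checks `iat` freshness may reject a token built from an older-but-still-valid assertion; a comment on the `issueInstant` branch stating that this is intentional would help the next reader. convertToIdToken continues past the end of this hunk.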
@@ -93,21 +130,29 @@ public class SamlTokenConverter {
}
}
- if (issuer != null) {
- idToken.setIssuer(issuer);
- } else if (saml2Assertion != null) {
- Issuer assertionIssuer = saml2Assertion.getIssuer();
- if (assertionIssuer != null) {
- idToken.setIssuer(assertionIssuer.getValue());
- }
- }
-
return idToken;
}
+ private Assertion getSaml2Assertion(Element samlToken) {
+ // Should a null assertion lead to the exception ?
+ try {
+ SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
+ return wrapper.getSaml2();
+ } catch (WSSecurityException ex) {
+ throw new OAuthServiceException("Error converting SAML token", ex);
+ }
+
+ }
+
+
public void setIssuer(String issuer) {
this.issuer = issuer;
}
+
+ public void setDefaultTimeToLive(long defaultTimeToLive) {
+ this.defaultTimeToLive = defaultTimeToLive;
+ }
+
}
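Review bot: The `// Should a null assertion lead to the exception ?` question in getSaml2Assertion should be answered with yes: convertToIdToken treats a null return as "no assertion" and still builds an IdToken, which then carries no `iss` claim unless `issuer` is configured and no `auth_time` at all. If `wrapper.getSaml2()` yields null for a token that is not a SAML 2.0 assertion (as I understand SamlAssertionWrapper to do), that path turns unsupported input into a degraded ID token instead of an error. Throwing OAuthServiceException on the null case keeps the failure at this boundary, and the `else if (saml2Assertion != null)` fallback in convertToIdToken becomes unnecessary. The stray blank lines before the closing brace of getSaml2Assertion and after it can go too.

```java
        try {
            Assertion saml2Assertion = new SamlAssertionWrapper(samlToken).getSaml2();
            if (saml2Assertion == null) {
                throw new OAuthServiceException("Error converting SAML token: no SAML 2.0 assertion");
            }
            return saml2Assertion;
        // … unchanged: WSSecurityException catch …
```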