Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/25 18:06:31 UTC
[1/3] cxf-fediz git commit: Refactor federation validation response
to better handle multiple protocols
Repository: cxf-fediz
Updated Branches:
refs/heads/master 3197f65b5 -> f637eedfc
Refactor federation validation response to better handle multiple protocols
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1c0b2e87
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1c0b2e87
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1c0b2e87
Branch: refs/heads/master
Commit: 1c0b2e87e01787a9ab60585c26cbe7fadca6541a
Parents: 3197f65
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 25 16:23:51 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 25 16:23:51 2016 +0000
----------------------------------------------------------------------
.../cxf/fediz/service/idp/IdpConstants.java | 5 +++
.../flows/federation-signin-response.xml | 7 +++-
.../flows/federation-validate-request.xml | 35 ++++++++++++--------
3 files changed, 32 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1c0b2e87/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
index d33bbc1..5d9c0f2 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -38,6 +38,11 @@ public final class IdpConstants {
*/
public static final String SAML_AUTHN_REQUEST = "saml_authn_request";
+ /**
+ * A Context variable associated with the request (independent of protocol)
+ */
+ public static final String CONTEXT = "context";
+
private IdpConstants() {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1c0b2e87/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index d6e761d..3e459cd 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -17,6 +17,11 @@
specific language governing permissions and limitations
under the License.
-->
+<!--
+Process a response from a trusted third party IdP. It starts by restoring the original request parameters for the current context.
+It then converts the response from the third party IdP into a SecurityToken via the TrustedIdPProtocolAction. It then exits this
+subflow to get a RP token from the STS.
+ -->
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
@@ -34,7 +39,7 @@
<input name="whr" />
<on-start>
- <!-- restore 'wreply','wtrealm','whr' for current 'wctx' -->
+ <!-- restore the original request parameters for the current context -->
<evaluate expression="signinParametersCacheAction.restore(flowRequestContext)" />
</on-start>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1c0b2e87/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 35ce933..1ac194d 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -22,8 +22,19 @@
xsi:schemaLocation="http://www.springframework.org/schema/webflow
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
- <!-- protocol check -->
- <decision-state id="WSFederationRequestCheck">
+ <decision-state id="evaluateProtocol">
+ <on-entry>
+ <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
+ </on-entry>
+ <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+ <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
+ then="selectWsFedProcess" />
+ <if test="requestParameters.SAMLResponse != null" then="selectSAMLProcess"
+ else="selectOIDCAuthorizationCodeFlowProcess"
+ />
+ </decision-state>
+
+ <decision-state id="selectWsFedProcess">
<on-entry>
<set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
<set name="flowScope.wreply" value="requestParameters.wreply" />
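Review bot: The two `wa` tests at the head of `evaluateProtocol` both transition to `selectWsFedProcess`, so they read more naturally as a single guard, `<if test="requestParameters.wa == 'wsignin1.0' or requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'" then="selectWsFedProcess" />`. The unconditional `else="selectOIDCAuthorizationCodeFlowProcess"` also deserves a comment, because a request carrying neither `wa` nor `SAMLResponse` is treated as an OIDC authorization-code response and is only rejected later when `code` or `state` is missing; e.g. `<!-- neither wa nor SAMLResponse present: assume an OIDC authorization code response; selectOIDCAuthorizationCodeFlowProcess rejects it if code or state is absent -->`. The `on-entry` of `selectWsFedProcess` continues past the end of the hunk.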
@@ -32,23 +43,11 @@
<set name="flowScope.whr" value="requestParameters.whr" />
<set name="flowScope.wresult" value="requestParameters.wresult" />
<set name="flowScope.wreq" value="requestParameters.wreq" />
- <set name="flowScope.RelayState" value="requestParameters.RelayState" />
- <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
- <set name="flowScope.state" value="requestParameters.state" />
- <set name="flowScope.code" value="requestParameters.code" />
<evaluate expression="requestScope.getString('wauth','default')"
result="flowScope.wauth" />
- <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
</on-entry>
<if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
then="validateWReplyForSignout" />
- <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
- <if test="requestParameters.SAMLResponse != null" then="selectSAMLProcess"
- else="selectOIDCAuthorizationCodeFlowProcess"
- />
- </decision-state>
-
- <decision-state id="selectWsFedProcess">
<if test="requestParameters.wresult != null and !requestParameters.wresult.isEmpty()"
then="signinResponse" />
<if test="requestParameters.wtrealm != null and !requestParameters.wtrealm.isEmpty()"
@@ -56,6 +55,10 @@
</decision-state>
<decision-state id="selectSAMLProcess">
+ <on-entry>
+ <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+ <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+ </on-entry>
<if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
then="viewBadRequest" />
<if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.length() == 0"
@@ -63,6 +66,10 @@
</decision-state>
<decision-state id="selectOIDCAuthorizationCodeFlowProcess">
+ <on-entry>
+ <set name="flowScope.state" value="requestParameters.state" />
+ <set name="flowScope.code" value="requestParameters.code" />
+ </on-entry>
<if test="requestParameters.code == null or requestParameters.code.length() == 0"
then="viewBadRequest" />
<if test="requestParameters.state == null or requestParameters.state.length() == 0"
[2/3] cxf-fediz git commit: Re-enabling fixed test
Posted by co...@apache.org.
Re-enabling fixed test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/861d3661
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/861d3661
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/861d3661
Branch: refs/heads/master
Commit: 861d3661b17d7a6d06f4b511c5a63387d9f64ab3
Parents: 1c0b2e8
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 25 17:43:56 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 25 17:43:56 2016 +0000
----------------------------------------------------------------------
.../src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java | 2 --
1 file changed, 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/861d3661/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index e5ac8fd..186fb41 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -926,9 +926,7 @@ public class IdpTest {
webClient.close();
}
- // TODO - Re-enable
@org.junit.Ignore
- @org.junit.Test
public void testMissingRelayState() throws Exception {
OpenSAMLUtil.initSamlEngine();
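Review bot: As rendered, the hunk deletes `@org.junit.Test` and keeps `@org.junit.Ignore` on `testMissingRelayState`, which would disable the test outright rather than re-enable it as the commit title says. If the intent is to run the test, the deleted annotation should be `@org.junit.Ignore` and `@org.junit.Test` should remain. This may be an artifact of the archive stripping diff markers, so it is worth confirming against the repository. The method body continues past the end of the hunk.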
[3/3] cxf-fediz git commit: Extensive refactoring of Fediz response
web flow
Posted by co...@apache.org.
Extensive refactoring of Fediz response web flow
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f637eedf
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f637eedf
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f637eedf
Branch: refs/heads/master
Commit: f637eedfc0eacd5b9e538665f053032a2846d1cc
Parents: 861d366
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 25 18:05:55 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 25 18:05:55 2016 +0000
----------------------------------------------------------------------
.../cxf/fediz/service/idp/IdpConstants.java | 2 +-
.../idp/beans/SigninParametersCacheAction.java | 23 +++------
.../TrustedIdpFacebookProtocolHandler.java | 5 +-
.../TrustedIdpOIDCProtocolHandler.java | 5 +-
.../TrustedIdpSAMLProtocolHandler.java | 4 +-
.../TrustedIdpWSFedProtocolHandler.java | 3 +-
.../flows/federation-signin-response.xml | 17 +++---
.../flows/federation-validate-request.xml | 20 ++++----
.../WEB-INF/flows/saml-validate-request.xml | 54 +++++++++++++-------
9 files changed, 68 insertions(+), 65 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
index 5d9c0f2..fc4e831 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -41,7 +41,7 @@ public final class IdpConstants {
/**
* A Context variable associated with the request (independent of protocol)
*/
- public static final String CONTEXT = "context";
+ public static final String CONTEXT = "context_key";
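Review bot: The Javadoc on `CONTEXT` should state that its value has to match the `context_key` flow variable declared in the webflow XML (`<input name="context_key" />` and the `flowScope.context_key` settings in this commit), since nothing ties the constant and the XML together at compile time. Suggest ` * A context variable associated with the request (independent of protocol). The value must match the context_key variable used in the WEB-INF/flows XML.`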
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 2ecb08e..f719860 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -24,14 +24,12 @@ import java.util.Map;
import java.util.UUID;
import org.apache.cxf.fediz.core.FederationConstants;
-import org.apache.cxf.fediz.core.SAMLSSOConstants;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.service.idp.IdpConstants;
import org.apache.cxf.fediz.service.idp.domain.Application;
import org.apache.cxf.fediz.service.idp.domain.Idp;
import org.apache.cxf.fediz.service.idp.samlsso.SAMLAuthnRequest;
import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
@@ -86,21 +84,12 @@ public class SigninParametersCacheAction {
LOG.info("SignIn parameters cached and context set to [" + uuidKey + "].");
}
- public void restore(RequestContext context) {
+ public void restore(RequestContext context, String contextKey) {
- String uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
-
- if (uuidKey == null) {
- uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, SAMLSSOConstants.RELAY_STATE);
- }
- if (uuidKey == null) {
- uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, OAuthConstants.STATE);
- }
-
- if (uuidKey != null) {
+ if (contextKey != null) {
@SuppressWarnings("unchecked")
Map<String, Object> signinParams =
- (Map<String, Object>)WebUtils.getAttributeFromExternalContext(context, uuidKey);
+ (Map<String, Object>)WebUtils.getAttributeFromExternalContext(context, contextKey);
if (signinParams != null) {
String value = (String)signinParams.get(FederationConstants.PARAM_REPLY);
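Review bot: The new `contextKey` parameter of `restore` has no Javadoc, and the method now silently does nothing when it is null, where the removed code used to fall back through wctx, RelayState and state by itself. Callers therefore have to supply the correct protocol-specific key; a doc comment should say so, e.g. `/** Restores cached sign-in parameters into flow scope. @param contextKey the protocol-independent key (wctx, RelayState or OIDC state) the parameters were cached under; null restores nothing. */`. A debug log on the null path would also make a missing key visible rather than silent. The method body continues past the end of the hunk.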
@@ -111,14 +100,14 @@ public class SigninParametersCacheAction {
if (value != null) {
WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_TREALM, value);
}
+ // TODO - Remove
value = (String)signinParams.get(FederationConstants.PARAM_HOME_REALM);
if (value != null) {
WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value);
+ WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value);
}
- // TODO...
value = (String)signinParams.get(IdpConstants.HOME_REALM);
if (value != null) {
- WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value);
WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value);
}
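Review bot: The added `// TODO - Remove` on the `PARAM_HOME_REALM` block does not say what is to be removed or when, and the block now writes both `PARAM_HOME_REALM` and `IdpConstants.HOME_REALM`, so a reader cannot tell which of the two is the legacy write. Since the protocol handlers in this commit switch to reading `IdpConstants.HOME_REALM`, the comment presumably refers to the `whr`-keyed write; suggest `// TODO - Remove once nothing reads PARAM_HOME_REALM ('whr') from flow scope; IdpConstants.HOME_REALM is the replacement`. The method body continues outside the hunk.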
@@ -137,7 +126,7 @@ public class SigninParametersCacheAction {
LOG.debug("SignIn parameters restored: {}", signinParams.toString());
WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
LOG.info("SignIn parameters restored and " + FederationConstants.PARAM_CONTEXT + "["
- + uuidKey + "] cleared.");
+ + contextKey + "] cleared.");
value = (String)signinParams.get(FederationConstants.PARAM_CONTEXT);
if (value != null) {
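Review bot: The log line still reports `FederationConstants.PARAM_CONTEXT + "[" + contextKey + "] cleared."` and `removeAttributeFromFlowScope` still removes only `PARAM_CONTEXT`, but `contextKey` may now be a SAML RelayState or an OIDC state rather than a wctx, so the message is misleading for those protocols and the `context_key` flow variable set by the validate-request flows presumably stays in flow scope. Suggest logging the key neutrally, `LOG.info("SignIn parameters restored and context key [" + contextKey + "] cleared.");`, and removing `IdpConstants.CONTEXT` from flow scope alongside `PARAM_CONTEXT` if that attribute is meant to be consumed once. The method body continues outside the hunk.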
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
index 643eb7c..36db3ae 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
@@ -30,7 +30,7 @@ import javax.ws.rs.core.Response;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.service.idp.IdpConstants;
import org.apache.cxf.fediz.service.idp.domain.Idp;
import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
import org.apache.cxf.fediz.service.idp.util.WebUtils;
@@ -118,8 +118,7 @@ public class TrustedIdpFacebookProtocolHandler extends AbstractTrustedIdpOAuth2P
// user's claims
String subjectName = getSubjectName(apiEndpoint, accessToken.getTokenKey(), trustedIdp);
try {
- String whr = (String) WebUtils.getAttributeFromFlowScope(context,
- FederationConstants.PARAM_HOME_REALM);
+ String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
if (whr == null) {
LOG.warn("Home realm is null");
throw new IllegalStateException("Home realm is null");
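Review bot: The lookup of `IdpConstants.HOME_REALM` followed by the same warn-and-throw on null is now repeated verbatim in this handler, in `TrustedIdpOIDCProtocolHandler` and in `TrustedIdpWSFedProtocolHandler`, while `TrustedIdpSAMLProtocolHandler` reads the attribute without any null check. A small protected helper on the abstract parent classes named in the hunk headers, returning the realm or throwing `IllegalStateException("Home realm is null")`, would keep the three copies in step and let the SAML handler share the check if that is intended. The enclosing try block continues outside the hunk.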
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
index 8eb8af8..b45c763 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
@@ -33,10 +33,10 @@ import javax.ws.rs.core.Response;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.util.CertsUtils;
import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.fediz.service.idp.IdpConstants;
import org.apache.cxf.fediz.service.idp.domain.Idp;
import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
import org.apache.cxf.fediz.service.idp.util.WebUtils;
@@ -157,8 +157,7 @@ public class TrustedIdpOIDCProtocolHandler extends AbstractTrustedIdpOAuth2Proto
client.close();
try {
- String whr = (String) WebUtils.getAttributeFromFlowScope(context,
- FederationConstants.PARAM_HOME_REALM);
+ String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
if (whr == null) {
LOG.warn("Home realm is null");
throw new IllegalStateException("Home realm is null");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index 3f5c0a2..4214705 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -42,7 +42,6 @@ import org.w3c.dom.Element;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.CertsUtils;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.cxf.fediz.service.idp.IdpConstants;
@@ -200,8 +199,7 @@ public class TrustedIdpSAMLProtocolHandler extends AbstractTrustedIdpProtocolHan
new SecurityToken(id, validatorResponse.getCreated(), validatorResponse.getSessionNotOnOrAfter());
idpToken.setToken(validatorResponse.getAssertionElement());
- String whr = (String) WebUtils.getAttributeFromFlowScope(context,
- FederationConstants.PARAM_HOME_REALM);
+ String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
LOG.info("[IDP_TOKEN={}] created from [RP_TOKEN={}] issued by home realm [{}]",
id, validatorResponse.getResponseId(), whr);
LOG.debug("Created date={}", validatorResponse.getCreated());
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
index 25a5e9c..ea8feb4 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
@@ -115,8 +115,7 @@ public class TrustedIdpWSFedProtocolHandler extends AbstractTrustedIdpProtocolHa
public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
try {
- String whr = (String) WebUtils.getAttributeFromFlowScope(context,
- FederationConstants.PARAM_HOME_REALM);
+ String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
if (whr == null) {
LOG.warn("Home realm is null");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index 3e459cd..8d8f4ec 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -29,23 +29,22 @@ subflow to get a RP token from the STS.
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
<input name="idpConfig" />
- <input name="wctx" />
- <input name="wauth" />
+ <input name="context_key" />
<input name="wresult" />
<input name="RelayState" />
<input name="SAMLResponse" />
<input name="state" />
<input name="code" />
- <input name="whr" />
+ <input name="home_realm" />
<on-start>
<!-- restore the original request parameters for the current context -->
- <evaluate expression="signinParametersCacheAction.restore(flowRequestContext)" />
+ <evaluate expression="signinParametersCacheAction.restore(flowRequestContext, context_key)" />
</on-start>
- <!-- validate token issued by requestor IDP ('wresult') given its 'whr' -->
+ <!-- validate token issued by requestor IDP given its home realm -->
<action-state id="validateToken">
- <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext, whr)"
+ <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext, home_realm)"
result="flowScope.idpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
<transition to="checkCacheTrustedIdpToken" />
<transition
@@ -55,16 +54,16 @@ subflow to get a RP token from the STS.
</action-state>
<action-state id="checkCacheTrustedIdpToken">
- <evaluate expression="idpConfig.findTrustedIdp(flowScope.whr).cacheTokens" />
+ <evaluate expression="idpConfig.findTrustedIdp(flowScope.home_realm).cacheTokens" />
<transition on="yes" to="requestRpToken">
- <set name="externalContext.sessionMap[flowScope.whr]"
+ <set name="externalContext.sessionMap[flowScope.home_realm]"
value="flowScope.idpToken" />
</transition>
<transition on="no" to="requestRpToken" />
</action-state>
<end-state id="requestRpToken">
- <output name="whr" value="flowScope.whr" />
+ <output name="home_realm" value="flowScope.home_realm" />
<output name="wctx" value="flowScope.wctx" />
<output name="wreply" value="flowScope.wreply" />
<output name="wtrealm" value="flowScope.wtrealm" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 1ac194d..578be04 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -39,6 +39,7 @@
<set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
<set name="flowScope.wreply" value="requestParameters.wreply" />
<set name="flowScope.wctx" value="requestParameters.wctx" />
+ <set name="flowScope.context_key" value="requestParameters.wctx" />
<set name="flowScope.wfresh" value="requestParameters.wfresh" />
<set name="flowScope.whr" value="requestParameters.whr" />
<set name="flowScope.wresult" value="requestParameters.wresult" />
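Review bot: `flowScope.context_key` is copied from `requestParameters.wctx` here without any check that `wctx` is present, whereas the `selectWsFedProcess` added to `saml-validate-request.xml` in this commit rejects a null or empty `wctx` with `viewBadRequest`, and `SigninParametersCacheAction.restore` quietly skips restoration when the key is null. Unless a later state validates `wctx` for the WS-Federation sign-in response path (not visible in the hunk), a non-empty check on the `wresult` branch, placed after the sign-out test so that sign-out and plain sign-in requests are unaffected, would keep the two flows consistent. The enclosing `on-entry` starts before the hunk.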
@@ -57,22 +58,24 @@
<decision-state id="selectSAMLProcess">
<on-entry>
<set name="flowScope.RelayState" value="requestParameters.RelayState" />
+ <set name="flowScope.context_key" value="requestParameters.RelayState" />
<set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
</on-entry>
- <if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
+ <if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
then="viewBadRequest" />
- <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.length() == 0"
+ <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
then="viewBadRequest" else="signinResponse" />
</decision-state>
<decision-state id="selectOIDCAuthorizationCodeFlowProcess">
<on-entry>
<set name="flowScope.state" value="requestParameters.state" />
+ <set name="flowScope.context_key" value="requestParameters.state" />
<set name="flowScope.code" value="requestParameters.code" />
</on-entry>
- <if test="requestParameters.code == null or requestParameters.code.length() == 0"
+ <if test="requestParameters.code == null or requestParameters.code.isEmpty()"
then="viewBadRequest" />
- <if test="requestParameters.state == null or requestParameters.state.length() == 0"
+ <if test="requestParameters.state == null or requestParameters.state.isEmpty()"
then="viewBadRequest" else="signinResponse" />
</decision-state>
@@ -121,23 +124,22 @@
<subflow-state id="signinResponse" subflow="signinResponse">
<input name="idpConfig" value="flowScope.idpConfig" />
<input name="wfresh" value="flowScope.wfresh" />
- <input name="wctx" value="flowScope.wctx" />
- <input name="wauth" value="flowScope.wauth" />
+ <input name="context_key" value="flowScope.context_key" />
<input name="wresult" value="flowScope.wresult" />
<input name="RelayState" value="flowScope.RelayState" />
<input name="SAMLResponse" value="flowScope.SAMLResponse" />
<input name="state" value="flowScope.state" />
<input name="code" value="flowScope.code" />
- <input name="whr" value="flowScope.whr" />
+ <input name="home_realm" value="flowScope.whr" />
<output name="wtrealm" />
<output name="wreply" />
<output name="wctx" />
- <output name="whr" />
+ <output name="home_realm" />
<output name="idpToken" />
<transition on="requestRpToken" to="requestRpToken">
- <set name="flowScope.whr" value="currentEvent.attributes.whr" />
+ <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
<set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
<set name="flowScope.wtrealm" value="currentEvent.attributes.wtrealm" />
<set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f637eedf/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index b52d122..4bb0531 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -22,25 +22,44 @@
xsi:schemaLocation="http://www.springframework.org/schema/webflow
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
- <!-- protocol check -->
- <decision-state id="SAMLRequestCheck">
+ <decision-state id="evaluateProtocol">
+ <on-entry>
+ <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
+ </on-entry>
+ <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+ <if test="requestParameters.SAMLRequest != null or requestParameters.SAMLResponse != null"
+ then="selectSAMLProcess" else="viewBadRequest"
+ />
+ </decision-state>
+
+ <decision-state id="selectWsFedProcess">
+ <on-entry>
+ <set name="flowScope.wresult" value="requestParameters.wresult" />
+ <set name="flowScope.wctx" value="requestParameters.wctx" />
+ <set name="flowScope.context_key" value="requestParameters.wctx" />
+ </on-entry>
+ <if test="requestParameters.wctx == null or requestParameters.wctx.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.wresult == null or requestParameters.wresult.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.wtrealm != null and !requestParameters.wtrealm.isEmpty()"
+ then="signinResponse" else="viewBadRequest" />
+ </decision-state>
+
+ <decision-state id="selectSAMLProcess">
<on-entry>
<set name="flowScope.RelayState" value="requestParameters.RelayState" />
+ <set name="flowScope.context_key" value="requestParameters.RelayState" />
+ <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
<set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
<set name="flowScope.Signature" value="requestParameters.Signature" />
- <set name="flowScope.wresult" value="requestParameters.wresult" />
- <set name="flowScope.wctx" value="requestParameters.wctx" />
- <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
</on-entry>
+ <if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
+ then="handleBadRequestError" />
<if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
then="signinSAMLRequest" />
- <if test="requestParameters.wresult != null and !requestParameters.wresult.isEmpty()"
- then="signinResponse" />
- <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.length() == 0"
- then="viewBadRequest" else="signinResponse" />
- <!-- TODO Refactor this -->
- <if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
- then="handleBadRequestError" />
+ <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
+ then="handleBadRequestError" else="signinResponse" />
</decision-state>
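Review bot: Moving the `RelayState` test to the head of `selectSAMLProcess` makes `RelayState` mandatory for an inbound `SAMLRequest` as well as for a `SAMLResponse`, whereas the previous ordering sent a `SAMLRequest` to `signinSAMLRequest` before that check was reached; the SAML 2.0 bindings treat RelayState as optional on requests, so service providers that omit it will now land in `handleBadRequestError`. The re-enabled `testMissingRelayState` in this series suggests this is deliberate, in which case a comment such as `<!-- RelayState is required for both SAMLRequest and SAMLResponse: it is the context key used to cache and restore the sign-in parameters -->` would record the decision. The mix of `viewBadRequest` in `selectWsFedProcess` and `handleBadRequestError` here looks intentional given the response-URL parsing comment further down the file, but is worth a line of explanation too.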
<subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
@@ -73,25 +92,24 @@
<subflow-state id="signinResponse" subflow="signinResponse">
<input name="idpConfig" value="flowScope.idpConfig" />
<input name="wfresh" value="flowScope.wfresh" />
- <input name="wctx" value="flowScope.wctx" />
- <input name="wauth" value="flowScope.wauth" />
+ <input name="context_key" value="flowScope.context_key" />
<input name="wresult" value="flowScope.wresult" />
<input name="RelayState" value="flowScope.RelayState" />
<input name="SAMLResponse" value="flowScope.SAMLResponse" />
<input name="state" value="flowScope.state" />
<input name="code" value="flowScope.code" />
- <input name="whr" value="flowScope.whr" />
+ <input name="home_realm" value="flowScope.whr" />
<output name="wtrealm" />
<output name="wreply" />
<output name="wctx" />
- <output name="whr" />
+ <output name="home_realm" />
<output name="idpToken" />
<output name="saml_authn_request" />
<output name="RelayState" />
<transition on="requestRpToken" to="requestRpToken">
- <set name="flowScope.home_realm" value="currentEvent.attributes.whr" />
+ <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
<set name="flowScope.RelayState" value="currentEvent.attributes.RelayState" />
@@ -153,7 +171,7 @@
result="requestScope.samlAction"/>
</on-entry>
<!-- See if we managed to at least parse the request to get the response URL -->
- <if test="requestScope.samlAction == null or requestScope.samlAction.length() == 0"
+ <if test="requestScope.samlAction == null or requestScope.samlAction.isEmpty()"
then="viewBadRequestParsingError" else="viewBadRequest"/>
</decision-state>