Posted to commits@cxf.apache.org by co...@apache.org on 2016/12/14 12:25:51 UTC
[1/4] cxf-fediz git commit: More spring webflow consolidation
Repository: cxf-fediz
Updated Branches:
refs/heads/master 94cafcf36 -> 6fc7f301d
More spring webflow consolidation
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/44633f3d
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/44633f3d
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/44633f3d
Branch: refs/heads/master
Commit: 44633f3d6914224b74917a64e68e186731b06850
Parents: 94cafcf
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Dec 14 10:50:40 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Dec 14 10:50:40 2016 +0000
----------------------------------------------------------------------
.../idp/beans/SigninParametersCacheAction.java | 26 ++++++--------------
.../WEB-INF/flows/federation-signin-request.xml | 9 ++++---
.../flows/federation-validate-request.xml | 5 ++--
.../WEB-INF/flows/saml-signin-request.xml | 12 +++++----
.../WEB-INF/flows/saml-validate-request.xml | 5 ++--
.../webapp/WEB-INF/flows/signin-response.xml | 3 +--
6 files changed, 27 insertions(+), 33 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/44633f3d/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 4572bb5..538841d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -50,6 +50,10 @@ public class SigninParametersCacheAction {
if (value != null) {
signinParams.put(IdpConstants.HOME_REALM, value);
}
+ value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.CONTEXT);
+ if (value != null) {
+ signinParams.put(IdpConstants.CONTEXT, value);
+ }
if ("wsfed".equals(protocol)) {
value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.RETURN_ADDRESS);
@@ -60,16 +64,7 @@ public class SigninParametersCacheAction {
if (value != null) {
signinParams.put(IdpConstants.REALM, value);
}
- value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
- if (value != null) {
- signinParams.put(FederationConstants.PARAM_CONTEXT, value);
- }
} else if ("samlsso".equals(protocol)) {
- // TODO
- value = WebUtils.getAttributeFromFlowScope(context, "RelayState");
- if (value != null) {
- signinParams.put("RelayState", value);
- }
value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
if (value != null) {
signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value);
@@ -112,22 +107,17 @@ public class SigninParametersCacheAction {
LOG.info("SignIn parameters restored and " + FederationConstants.PARAM_CONTEXT + "["
+ contextKey + "] cleared.");
- value = (String)signinParams.get(FederationConstants.PARAM_CONTEXT);
- if (value != null) {
- WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_CONTEXT, value);
- }
} else if ("samlsso".equals(protocol)) {
SAMLAuthnRequest authnRequest =
(SAMLAuthnRequest)signinParams.get(IdpConstants.SAML_AUTHN_REQUEST);
if (authnRequest != null) {
WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, authnRequest);
}
+ }
- // TODO
- value = (String)signinParams.get("RelayState");
- if (value != null) {
- WebUtils.putAttributeInFlowScope(context, "RelayState", value);
- }
+ value = (String)signinParams.get(IdpConstants.CONTEXT);
+ if (value != null) {
+ WebUtils.putAttributeInFlowScope(context, IdpConstants.CONTEXT, value);
}
} else {
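Review bot: The new restore of `IdpConstants.CONTEXT` runs for both protocols because it now sits after the closing brace added for the `samlsso` branch, but nothing says so, and with the wsfed `PARAM_CONTEXT` and samlsso `RelayState` blocks gone a reader has to recover the intent from brace placement. A comment above `value = (String)signinParams.get(IdpConstants.CONTEXT);` would carry it: `// protocol-independent: the RP's opaque context (wctx for wsfed, RelayState for samlsso) is cached and restored under one key`. That value originates in the relying party's request and is presumably handed back verbatim through signin-response, so downstream consumers should keep treating it as opaque, untrusted data rather than something this class has checked. The enclosing method begins and ends outside this hunk.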
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/44633f3d/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index e202c57..d9e8558 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -24,13 +24,12 @@
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
<input name="idpConfig" />
- <input name="wctx" />
<input name="wfresh" />
- <input name="wauth" />
<input name="realm" />
<input name="home_realm" />
<input name="protocol" />
<input name="return_address" />
+ <input name="request_context" />
<!-- ===== Home Realm Discovery ===== -->
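Review bot: Removing the `wctx` input leaves `flowScope.wctx` unset in this flow, yet the file as committed here still has `<output name="wctx" value="flowScope.wctx" />` on the `redirectToLocalIDP` end-state (visible in the deletion of this same revision, d9e8558, in the following commit), so that output now always yields null. Either switch it to `<output name="request_context" value="flowScope.request_context" />` or drop it if the parent flow's transition for `redirectToLocalIDP` no longer reads it; the parent side is not in this hunk. The same applies to `wauth`, whose removal as an input is safe only if no other expression in the file still references `flowScope.wauth`.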
@@ -99,7 +98,8 @@
<action-state id="checkRemoteIdpTokenExpiry">
<evaluate
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)" />
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
<transition on="yes" to="redirectToTrustedIDP" />
<transition on="no" to="validateReturnAddress" >
<set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
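Review bot: The combined expiry expression mixes an unqualified `protocol` with `flowScope.`-qualified operands and relies on `and` binding tighter than `or`, so the intended grouping has to be inferred; writing it as `idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or (flowScope.protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)) or (flowScope.protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext))` makes the grouping explicit. The identical expression is repeated in this file's `checkLocalIdPTokenExpiry` hunk and in both hunks of saml-signin-request.xml, so there are four copies to keep in sync until the two sign-in flows are merged. The SAML copy can omit a `wfresh` input only because the `wfresh` operand is presumably short-circuited when `protocol` is not `wsfed`; a short comment on the expression saying so would save the next reader from checking.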
@@ -125,7 +125,8 @@
<action-state id="checkLocalIdPTokenExpiry">
<evaluate
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)" />
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
<transition on="yes" to="redirectToLocalIDP" />
<transition on="no" to="validateReturnAddress">
<set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/44633f3d/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 81098a9..52b5d04 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -100,6 +100,7 @@
<input name="home_realm" value="flowScope.whr" />
<input name="protocol" value="'wsfed'" />
<input name="return_address" value="flowScope.wreply" />
+ <input name="request_context" value="flowScope.request_context" />
<output name="home_realm" />
<output name="idpToken" />
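Review bot: The subflow now receives `flowScope.request_context`, but nothing in this hunk shows where the parent flow populates that variable; the replaced `wctx` input presumably read `flowScope.wctx`, which this file still uses as its own name for the context (see the `flowScope.wctx` set in the next hunk). If `request_context` is only populated by an action outside this view, a comment next to the input naming that producer would help; otherwise the subflow receives null and the context is silently lost on the round trip. The same question applies to the `request_context` input added in saml-validate-request.xml, where the parent's own variable is `flowScope.RelayState`.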
@@ -134,13 +135,13 @@
<output name="realm" />
<output name="wreply" />
- <output name="wctx" />
+ <output name="request_context" />
<output name="home_realm" />
<output name="idpToken" />
<transition on="requestRpToken" to="requestRpToken">
<set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
- <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+ <set name="flowScope.wctx" value="currentEvent.attributes.request_context" />
<set name="flowScope.wtrealm" value="currentEvent.attributes.realm" />
<set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/44633f3d/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index f79b331..c3f6dbe 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -24,12 +24,12 @@
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
<input name="idpConfig" />
- <input name="RelayState" />
<input name="saml_authn_request" />
<input name="realm" />
<input name="home_realm" />
<input name="protocol" />
<input name="return_address" />
+ <input name="request_context" />
<!-- ===== Home Realm Discovery ===== -->
@@ -97,8 +97,9 @@
<action-state id="checkRemoteIdpTokenExpiry">
<evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
- or authnRequestParser.isForceAuthentication(flowRequestContext)" />
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
<transition on="yes" to="redirectToTrustedIDP" />
<transition on="no" to="validateReturnAddress" >
<set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
@@ -123,8 +124,9 @@
<action-state id="checkLocalIdPTokenExpiry">
<evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
- or authnRequestParser.isForceAuthentication(flowRequestContext)" />
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
<transition on="yes" to="redirectToLocalIDP" />
<transition on="no" to="validateReturnAddress">
<set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/44633f3d/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 2e6cdad..17d6067 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -106,6 +106,7 @@
<input name="realm" value="flowScope.realm" />
<input name="home_realm" value="null" />
<input name="return_address" value="flowScope.consumerURL" />
+ <input name="request_context" value="flowScope.request_context" />
<output name="home_realm" />
<output name="idpToken" />
@@ -139,13 +140,13 @@
<output name="home_realm" />
<output name="idpToken" />
<output name="saml_authn_request" />
- <output name="RelayState" />
+ <output name="request_context" />
<transition on="requestRpToken" to="requestRpToken">
<set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
- <set name="flowScope.RelayState" value="currentEvent.attributes.RelayState" />
+ <set name="flowScope.RelayState" value="currentEvent.attributes.request_context" />
</transition>
<transition on="viewBadRequest" to="viewBadRequest" />
<transition on="scInternalServerError" to="scInternalServerError" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/44633f3d/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
index 09a9716..4f63155 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
@@ -66,12 +66,11 @@ subflow to get a RP token from the STS.
<end-state id="requestRpToken">
<output name="home_realm" value="flowScope.home_realm" />
- <output name="wctx" value="flowScope.wctx" />
+ <output name="request_context" value="flowScope.request_context" />
<output name="wreply" value="flowScope.wreply" />
<output name="realm" value="flowScope.realm" />
<output name="idpToken" value="flowScope.idpToken" />
<output name="saml_authn_request" value="flowScope.saml_authn_request" />
- <output name="RelayState" value="flowScope.RelayState" />
</end-state>
<!-- abnormal exit point : Http 400 Bad Request -->
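Review bot: This output depends on `flowScope.request_context` being the same key that `SigninParametersCacheAction.restore` writes under `IdpConstants.CONTEXT`; the constant's value is not visible in this commit, and if it differs the context is dropped for both protocols at once rather than for one. A comment naming the presumed producer would pin that contract: `<!-- request_context is placed in flow scope by signinParametersCacheAction.restore (IdpConstants.CONTEXT) -->`.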
[4/4] cxf-fediz git commit: FEDIZ-184 - Remove OGNL parser from the
IdP
Posted by co...@apache.org.
FEDIZ-184 - Remove OGNL parser from the IdP
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/6fc7f301
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/6fc7f301
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/6fc7f301
Branch: refs/heads/master
Commit: 6fc7f301d685c373b1a9c5258658fd56fc95b5f4
Parents: 4a08fe5
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Dec 14 12:25:40 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Dec 14 12:25:40 2016 +0000
----------------------------------------------------------------------
pom.xml | 1 -
services/idp/pom.xml | 18 ------------------
.../webapp/WEB-INF/config/idp-core-servlet.xml | 5 +----
.../WEB-INF/flows/federation-validate-request.xml | 6 +++---
.../WEB-INF/flows/saml-validate-request.xml | 4 ++--
5 files changed, 6 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6fc7f301/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 5d60422..b15207e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -62,7 +62,6 @@
<jetty9.version>9.3.9.v20160517</jetty9.version>
<junit.version>4.12</junit.version>
<log4j.version>1.2.17</log4j.version>
- <ognl.version>3.1.11</ognl.version>
<openjpa.version>2.4.1</openjpa.version>
<servlet.version>2.5</servlet.version>
<slf4j.version>1.7.21</slf4j.version>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6fc7f301/services/idp/pom.xml
----------------------------------------------------------------------
diff --git a/services/idp/pom.xml b/services/idp/pom.xml
index 25556df..7247039 100644
--- a/services/idp/pom.xml
+++ b/services/idp/pom.xml
@@ -99,12 +99,6 @@
<groupId>org.springframework.webflow</groupId>
<artifactId>spring-webflow</artifactId>
<version>2.4.4.RELEASE</version>
- <exclusions>
- <exclusion>
- <groupId>opensymphony</groupId>
- <artifactId>ognl</artifactId>
- </exclusion>
- </exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
@@ -117,18 +111,6 @@
<version>${spring.security.version}</version>
</dependency>
<dependency>
- <groupId>ognl</groupId>
- <artifactId>ognl</artifactId>
- <version>${ognl.version}</version>
- <scope>runtime</scope>
- <exclusions>
- <exclusion>
- <groupId>javassist</groupId>
- <artifactId>javassist</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
<groupId>org.javassist</groupId>
<artifactId>javassist</artifactId>
<version>${javassist.version}</version>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6fc7f301/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
index 542360e..3d62ad9 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -54,10 +54,7 @@
</property>
</bean>
- <bean id="expressionParser" class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" />
-
- <webflow:flow-builder-services id="builder" view-factory-creator="viewFactoryCreator"
- expression-parser="expressionParser" />
+ <webflow:flow-builder-services id="builder" view-factory-creator="viewFactoryCreator" />
<webflow:flow-registry id="flowRegistry" flow-builder-services="builder">
<webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation" />
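Review bot: Dropping the custom `expressionParser` switches every flow definition to Spring WebFlow's default expression parser, but this commit only adjusts the `externalRedirect:` views in federation-validate-request.xml and saml-validate-request.xml; signin-request.xml and signin-response.xml, registered in the same flow-registry, are not touched and should be checked for any remaining `${...}` placeholders or OGNL-only syntax, which would fail at flow-build time rather than at request time. A one-line comment on the `flow-builder-services` bean recording that the flows are written for the default parser would stop a future contributor from reintroducing OGNL syntax by copy-paste. Removing the OGNL runtime from the IdP's classpath also shrinks the set of expression evaluators reachable inside the IdP, which is worth a line in the release notes.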
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6fc7f301/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 3581ef2..ea9ce68 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -231,7 +231,7 @@
<transition on="cancel" to="redirect" />
</view-state>
- <view-state id="redirect" view="externalRedirect:${flowScope.wreply}" />
+ <view-state id="redirect" view="externalRedirect:#{flowScope.wreply}" />
<!-- normal exit point for logout -->
<end-state id="invalidateSessionAction" view="signoutresponse">
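Review bot: `externalRedirect:#{flowScope.wreply}` on the `redirect` view-state sends the browser to a URL that originates in the request, and the path that reaches this state (the logout `cancel` transition just above) is outside the hunk, so it is not visible whether `wreply` has been through the same return-address validation the sign-in subflow applies in `validateReturnAddress` before this redirect is issued; confirm that, or gate entry to this state on the same check. The other two `${` → `#{` changes in this file and the two in saml-validate-request.xml redirect to `remoteIdpUrl`/`localIdpUrl`, which appear to be computed from the IdP configuration (`flowScope.idpConfig.idpUrl`, `localRedirectCreator.createRedirectURL`) rather than taken from the request, so the concern is limited to the `wreply` case.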
@@ -250,7 +250,7 @@
</end-state>
<!-- redirect to remote idp -->
- <end-state id="redirectToTrustedIDP" view="externalRedirect:${flowScope.remoteIdpUrl}">
+ <end-state id="redirectToTrustedIDP" view="externalRedirect:#{flowScope.remoteIdpUrl}">
<!--
<on-entry>
<set name="flowScope.remoteIdpUrl"
@@ -265,7 +265,7 @@
-->
</end-state>
- <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
+ <end-state id="redirectToLocalIDP" view="externalRedirect:#{flowScope.localIdpUrl}">
<on-entry>
<set name="flowScope.localIdpUrl"
value="flowScope.idpConfig.idpUrl
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6fc7f301/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index e1993b9..1f12890 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -246,7 +246,7 @@
</on-entry>
</end-state>
- <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
+ <end-state id="redirectToLocalIDP" view="externalRedirect:#{flowScope.localIdpUrl}">
<on-entry>
<evaluate expression="localRedirectCreator.createRedirectURL(flowRequestContext, flowScope.idpConfig)"
result="flowScope.localIdpUrl"/>
@@ -254,6 +254,6 @@
</end-state>
<!-- redirect to remote idp -->
- <end-state id="redirectToTrustedIDP" view="externalRedirect:${flowScope.remoteIdpUrl}" />
+ <end-state id="redirectToTrustedIDP" view="externalRedirect:#{flowScope.remoteIdpUrl}" />
</flow>
[2/4] cxf-fediz git commit: Consolidating both protocols into a
single subflow for "signin"
Posted by co...@apache.org.
Consolidating both protocols into a single subflow for "signin"
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/31c75529
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/31c75529
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/31c75529
Branch: refs/heads/master
Commit: 31c7552968565fea3fb0957ab84c03f21f11f279
Parents: 44633f3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Dec 14 11:01:05 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Dec 14 11:01:05 2016 +0000
----------------------------------------------------------------------
.../webapp/WEB-INF/config/idp-core-servlet.xml | 3 +-
.../WEB-INF/flows/federation-signin-request.xml | 173 -------------------
.../WEB-INF/flows/saml-signin-request.xml | 172 ------------------
.../WEB-INF/flows/saml-validate-request.xml | 5 +-
.../webapp/WEB-INF/flows/signin-request.xml | 173 +++++++++++++++++++
5 files changed, 177 insertions(+), 349 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
index 8a8760a..542360e 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -64,14 +64,13 @@
<webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
<webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/krb" />
<webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert" />
- <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml" id="signinRequest" />
<webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml" />
<webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up" />
<webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/krb" />
<webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/clientcert" />
- <webflow:flow-location path="/WEB-INF/flows/saml-signin-request.xml" id="signinSAMLRequest" />
+ <webflow:flow-location path="/WEB-INF/flows/signin-request.xml" id="signinRequest" />
<webflow:flow-location path="/WEB-INF/flows/signin-response.xml" id="signinResponse" />
</webflow:flow-registry>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
deleted file mode 100644
index d9e8558..0000000
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="
- http://www.springframework.org/schema/webflow
- http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
- <input name="idpConfig" />
- <input name="wfresh" />
- <input name="realm" />
- <input name="home_realm" />
- <input name="protocol" />
- <input name="return_address" />
- <input name="request_context" />
-
- <!-- ===== Home Realm Discovery ===== -->
-
- <decision-state id="processHRDSExpression">
- <on-entry>
- <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
- result="flowScope.home_realm" />
- </on-entry>
- <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
- then="provideIDPListForUser" else="checkIsThisIDP" />
- </decision-state>
-
- <decision-state id="provideIDPListForUser">
- <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
- then="checkDefaultToThisIDP" />
- <if test="flowScope.idpConfig.isProvideIdpList() == false"
- then="checkDefaultToThisIDP" else="showIDPList" />
- </decision-state>
-
- <decision-state id="checkDefaultToThisIDP">
- <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
- else="viewBadRequest" />
- </decision-state>
-
- <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
- <var name="trustedIDPSelection"
- class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
- <binder>
- <binding property="home_realm" required="true" />
- </binder>
- <on-entry>
- <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
- </on-entry>
- <transition on="submit" to="checkIsThisIDP" bind="true"
- validate="true">
- <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
- <evaluate
- expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
- </transition>
- <transition on="cancel" to="checkDefaultToThisIDP"
- bind="false" validate="false" />
- </view-state>
-
- <!-- Home Realm is known then we can store it in cookie -->
- <decision-state id="checkIsThisIDP">
- <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
- then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
- </decision-state>
-
- <!-- ===== Realm independent ===== -->
-
- <action-state id="validateReturnAddress">
- <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
- and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
- <transition on="yes" to="requestRpToken" />
- <transition on="no" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm != this realm ===== -->
-
- <decision-state id="checkRemoteIdpToken">
- <if test="externalContext.sessionMap[flowScope.home_realm] != null"
- then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
- </decision-state>
-
- <action-state id="checkRemoteIdpTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateReturnAddress" >
- <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm == this realm ===== -->
-
- <decision-state id="homeRealmSignInEntryPoint">
- <on-entry>
- <!-- Here, home realm is guaranteed to be THIS realm -->
- <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
- </on-entry>
- <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
- then="viewBadRequest" />
-
- <!-- check presence of cached IDP token for THIS realm -->
- <if test="externalContext.sessionMap[flowScope.home_realm] == null"
- then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
- </decision-state>
-
- <action-state id="checkLocalIdPTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToLocalIDP" />
- <transition on="no" to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <end-state id="redirectToLocalIDP">
- <on-entry>
- <evaluate expression="logoutAction.submit(flowRequestContext)" />
- </on-entry>
- <output name="wctx" value="flowScope.wctx" />
- <output name="home_realm" value="flowScope.home_realm" />
- </end-state>
-
- <action-state id="cacheSecurityToken">
- <secured attributes="IS_AUTHENTICATED_FULLY" />
- <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
- <transition to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
- </transition>
- </action-state>
-
- <!-- ============================================================================================================= -->
-
- <!-- normal exit point -->
- <end-state id="requestRpToken">
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="idpToken" value="flowScope.idpToken" />
- </end-state>
-
- <!-- abnormal exit point : Http 400 Bad Request -->
- <end-state id="viewBadRequest" />
-
- <!-- redirects to requestor idp -->
- <end-state id="redirectToTrustedIDP">
- <on-entry>
- <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
- </on-entry>
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
- </end-state>
-
-</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
deleted file mode 100644
index c3f6dbe..0000000
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ /dev/null
@@ -1,172 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="
- http://www.springframework.org/schema/webflow
- http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
- <input name="idpConfig" />
- <input name="saml_authn_request" />
- <input name="realm" />
- <input name="home_realm" />
- <input name="protocol" />
- <input name="return_address" />
- <input name="request_context" />
-
- <!-- ===== Home Realm Discovery ===== -->
-
- <decision-state id="processHRDSExpression">
- <on-entry>
- <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
- result="flowScope.home_realm" />
- </on-entry>
- <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
- then="provideIDPListForUser" else="checkIsThisIDP" />
- </decision-state>
-
- <decision-state id="provideIDPListForUser">
- <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
- then="checkDefaultToThisIDP" />
- <if test="flowScope.idpConfig.isProvideIdpList() == false"
- then="checkDefaultToThisIDP" else="showIDPList" />
- </decision-state>
-
- <decision-state id="checkDefaultToThisIDP">
- <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
- else="viewBadRequest" />
- </decision-state>
-
- <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
- <var name="trustedIDPSelection"
- class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
- <binder>
- <binding property="home_realm" required="true" />
- </binder>
- <on-entry>
- <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
- </on-entry>
- <transition on="submit" to="checkIsThisIDP" bind="true"
- validate="true">
- <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
- <evaluate
- expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
- </transition>
- <transition on="cancel" to="checkDefaultToThisIDP"
- bind="false" validate="false" />
- </view-state>
-
- <!-- Home Realm is known then we can store it in cookie -->
- <decision-state id="checkIsThisIDP">
- <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
- then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
- </decision-state>
-
- <!-- ===== Realm independent ===== -->
-
- <action-state id="validateReturnAddress">
- <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
- and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
- <transition on="yes" to="requestRpToken" />
- <transition on="no" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm != this realm ===== -->
-
- <decision-state id="checkRemoteIdpToken">
- <if test="externalContext.sessionMap[flowScope.home_realm] != null"
- then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
- </decision-state>
-
- <action-state id="checkRemoteIdpTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateReturnAddress" >
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm == this realm ===== -->
-
- <decision-state id="homeRealmSignInEntryPoint">
- <on-entry>
- <!-- Here, home realm is guaranteed to be THIS realm -->
- <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
- </on-entry>
- <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
- then="viewBadRequest" />
-
- <!-- check presence of cached IDP token for THIS realm -->
- <if test="externalContext.sessionMap[flowScope.home_realm] == null"
- then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
- </decision-state>
-
- <action-state id="checkLocalIdPTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToLocalIDP" />
- <transition on="no" to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <end-state id="redirectToLocalIDP">
- <on-entry>
- <evaluate expression="logoutAction.submit(flowRequestContext)" />
- </on-entry>
- <output name="home_realm" value="flowScope.home_realm" />
- </end-state>
-
- <action-state id="cacheSecurityToken">
- <secured attributes="IS_AUTHENTICATED_FULLY" />
- <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
- <transition to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
- </transition>
- </action-state>
-
- <!-- ============================================================================================================= -->
-
- <!-- normal exit point -->
- <end-state id="requestRpToken">
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="idpToken" value="flowScope.idpToken" />
- </end-state>
-
- <!-- abnormal exit point -->
- <end-state id="viewBadRequest" />
-
- <!-- redirects to requestor idp -->
- <end-state id="redirectToTrustedIDP">
- <on-entry>
- <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
- </on-entry>
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
- </end-state>
-
-</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 17d6067..e1993b9 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -92,11 +92,11 @@
<action-state id="retrieveRealm">
<evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"
result="flowScope.realm"/>
- <transition to="signinSAMLRequest"/>
+ <transition to="signinRequest"/>
<transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
</action-state>
- <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
+ <subflow-state id="signinRequest" subflow="signinRequest">
<input name="idpConfig" value="flowScope.idpConfig" />
<input name="SAMLRequest" value="flowScope.SAMLRequest" />
<input name="RelayState" value="flowScope.RelayState" />
@@ -105,6 +105,7 @@
<input name="saml_authn_request" value="flowScope.saml_authn_request" />
<input name="realm" value="flowScope.realm" />
<input name="home_realm" value="null" />
+ <input name="wfresh" value="null" />
<input name="return_address" value="flowScope.consumerURL" />
<input name="request_context" value="flowScope.request_context" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
new file mode 100644
index 0000000..78b149e
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/webflow
+ http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+ <input name="idpConfig" />
+ <input name="wfresh" />
+ <input name="saml_authn_request" />
+ <input name="realm" />
+ <input name="home_realm" />
+ <input name="protocol" />
+ <input name="return_address" />
+ <input name="request_context" />
+
+ <!-- ===== Home Realm Discovery ===== -->
+
+ <decision-state id="processHRDSExpression">
+ <on-entry>
+ <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
+ result="flowScope.home_realm" />
+ </on-entry>
+ <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
+ then="provideIDPListForUser" else="checkIsThisIDP" />
+ </decision-state>
+
+ <decision-state id="provideIDPListForUser">
+ <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
+ then="checkDefaultToThisIDP" />
+ <if test="flowScope.idpConfig.isProvideIdpList() == false"
+ then="checkDefaultToThisIDP" else="showIDPList" />
+ </decision-state>
+
+ <decision-state id="checkDefaultToThisIDP">
+ <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
+ else="viewBadRequest" />
+ </decision-state>
+
+ <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+ <var name="trustedIDPSelection"
+ class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
+ <binder>
+ <binding property="home_realm" required="true" />
+ </binder>
+ <on-entry>
+ <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+ </on-entry>
+ <transition on="submit" to="checkIsThisIDP" bind="true"
+ validate="true">
+ <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
+ <evaluate
+ expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
+ </transition>
+ <transition on="cancel" to="checkDefaultToThisIDP"
+ bind="false" validate="false" />
+ </view-state>
+
+ <!-- Home Realm is known then we can store it in cookie -->
+ <decision-state id="checkIsThisIDP">
+ <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
+ then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
+ </decision-state>
+
+ <!-- ===== Realm independent ===== -->
+
+ <action-state id="validateReturnAddress">
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
+ and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
+ <transition on="yes" to="requestRpToken" />
+ <transition on="no" to="viewBadRequest" />
+ </action-state>
+
+ <!-- ===== Home Realm != this realm ===== -->
+
+ <decision-state id="checkRemoteIdpToken">
+ <if test="externalContext.sessionMap[flowScope.home_realm] != null"
+ then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
+ </decision-state>
+
+ <action-state id="checkRemoteIdpTokenExpiry">
+ <evaluate
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
+ <transition on="yes" to="redirectToTrustedIDP" />
+ <transition on="no" to="validateReturnAddress" >
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+ </transition>
+ <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+ </action-state>
+
+ <!-- ===== Home Realm == this realm ===== -->
+
+ <decision-state id="homeRealmSignInEntryPoint">
+ <on-entry>
+ <!-- Here, home realm is guaranteed to be THIS realm -->
+ <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
+ </on-entry>
+ <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
+ then="viewBadRequest" />
+
+ <!-- check presence of cached IDP token for THIS realm -->
+ <if test="externalContext.sessionMap[flowScope.home_realm] == null"
+ then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
+ </decision-state>
+
+ <action-state id="checkLocalIdPTokenExpiry">
+ <evaluate
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
+ <transition on="yes" to="redirectToLocalIDP" />
+ <transition on="no" to="validateReturnAddress">
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+ </transition>
+ <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+ </action-state>
+
+ <end-state id="redirectToLocalIDP">
+ <on-entry>
+ <evaluate expression="logoutAction.submit(flowRequestContext)" />
+ </on-entry>
+ <output name="home_realm" value="flowScope.home_realm" />
+ </end-state>
+
+ <action-state id="cacheSecurityToken">
+ <secured attributes="IS_AUTHENTICATED_FULLY" />
+ <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
+ <transition to="validateReturnAddress">
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+ </transition>
+ </action-state>
+
+ <!-- ============================================================================================================= -->
+
+ <!-- normal exit point -->
+ <end-state id="requestRpToken">
+ <output name="home_realm" value="flowScope.home_realm" />
+ <output name="idpToken" value="flowScope.idpToken" />
+ </end-state>
+
+ <!-- abnormal exit point -->
+ <end-state id="viewBadRequest" />
+
+ <!-- redirects to requestor idp -->
+ <end-state id="redirectToTrustedIDP">
+ <on-entry>
+ <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
+ </on-entry>
+ <output name="home_realm" value="flowScope.home_realm" />
+ <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
+ </end-state>
+
+</flow>
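Review bot: In `checkRemoteIdpToken` and the `redirectToTrustedIDP` end-state the `home_realm` value is used as the `externalContext.sessionMap` key and as the realm handed to `signinParametersCacheAction.store` without a visible check that it names one of `idpConfig.trustedIdps`; `checkIsThisIDP` only compares it against the local realm, and the value can arrive from the flow input or from the form binding in `showIDPList`. The two deleted per-protocol flows had the same shape, so this is carried over rather than introduced, but the consolidated file is the one place to fix it now. If the trusted-realm check lives in the bean behind `signinParametersCacheAction.store` or in the parent flow, a comment on `checkRemoteIdpToken` such as `<!-- home_realm is checked against idpConfig.trustedIdps by the redirectToTrustedIDP handler -->` would save the next reader the search; otherwise a decision-state between `checkIsThisIDP` and `checkRemoteIdpToken` that sends an unknown realm to `viewBadRequest` closes the gap.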
[3/4] cxf-fediz git commit: More refactoring
Posted by co...@apache.org.
More refactoring
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4a08fe5b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4a08fe5b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4a08fe5b
Branch: refs/heads/master
Commit: 4a08fe5bea001bdf64a10488067f17ec6464f48f
Parents: 31c7552
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Dec 14 11:45:28 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Dec 14 11:45:28 2016 +0000
----------------------------------------------------------------------
.../idp/beans/SigninParametersCacheAction.java | 40 ++++++++++----------
.../flows/federation-validate-request.xml | 4 +-
.../webapp/WEB-INF/flows/signin-request.xml | 2 -
.../webapp/WEB-INF/flows/signin-response.xml | 2 +-
4 files changed, 24 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a08fe5b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 538841d..bbecc5a 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -54,17 +54,20 @@ public class SigninParametersCacheAction {
if (value != null) {
signinParams.put(IdpConstants.CONTEXT, value);
}
+ value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.REALM);
+ if (value != null) {
+ signinParams.put(IdpConstants.REALM, value);
+ }
+ value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.RETURN_ADDRESS);
+ if (value != null) {
+ signinParams.put(IdpConstants.RETURN_ADDRESS, value);
+ }
+ value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.RETURN_ADDRESS);
+ if (value != null) {
+ signinParams.put(IdpConstants.RETURN_ADDRESS, value);
+ }
- if ("wsfed".equals(protocol)) {
- value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.RETURN_ADDRESS);
- if (value != null) {
- signinParams.put(FederationConstants.PARAM_REPLY, value);
- }
- value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.REALM);
- if (value != null) {
- signinParams.put(IdpConstants.REALM, value);
- }
- } else if ("samlsso".equals(protocol)) {
+ if ("samlsso".equals(protocol)) {
value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
if (value != null) {
signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value);
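Review bot: The four added lines that read `IdpConstants.RETURN_ADDRESS` from flow scope and put it into `signinParams` appear twice in a row; the second copy re-reads and re-stores the same key and should be deleted. The remaining change is otherwise consistent with the restore side, which now reads `IdpConstants.RETURN_ADDRESS` for every protocol instead of `FederationConstants.PARAM_REPLY` for wsfed only. The enclosing method starts and ends outside this hunk.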
@@ -96,12 +99,16 @@ public class SigninParametersCacheAction {
if (value != null) {
WebUtils.putAttributeInFlowScope(context, IdpConstants.REALM, value);
}
+ value = (String)signinParams.get(IdpConstants.RETURN_ADDRESS);
+ if (value != null) {
+ WebUtils.putAttributeInFlowScope(context, IdpConstants.RETURN_ADDRESS, value);
+ }
+ value = (String)signinParams.get(IdpConstants.CONTEXT);
+ if (value != null) {
+ WebUtils.putAttributeInFlowScope(context, IdpConstants.CONTEXT, value);
+ }
if ("wsfed".equals(protocol)) {
- value = (String)signinParams.get(FederationConstants.PARAM_REPLY);
- if (value != null) {
- WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_REPLY, value);
- }
WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
LOG.info("SignIn parameters restored and " + FederationConstants.PARAM_CONTEXT + "["
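Review bot: The added block that copies the cached `IdpConstants.RETURN_ADDRESS` back into flow scope restores a value that was not necessarily validated when it was stored: in signin-request.xml the `redirectToTrustedIDP` end-state that calls `store` is reached from `checkRemoteIdpToken`, which does not pass through `validateReturnAddress`, so neither `commonsURLValidator` nor `passiveRequestorValidator` has seen it yet. I cannot see from this diff whether the signin-response flow re-validates `return_address` before it is used as a redirect target, so that is worth confirming. A comment above the added lines, `// restored return_address has not been through validateReturnAddress yet; the consuming flow must validate it`, would keep a later reader from assuming otherwise. The enclosing method starts and ends outside this hunk.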
@@ -115,11 +122,6 @@ public class SigninParametersCacheAction {
}
}
- value = (String)signinParams.get(IdpConstants.CONTEXT);
- if (value != null) {
- WebUtils.putAttributeInFlowScope(context, IdpConstants.CONTEXT, value);
- }
-
} else {
LOG.debug("Error in restoring security context");
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a08fe5b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 52b5d04..3581ef2 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -134,7 +134,7 @@
<input name="protocol" value="'wsfed'" />
<output name="realm" />
- <output name="wreply" />
+ <output name="return_address" />
<output name="request_context" />
<output name="home_realm" />
<output name="idpToken" />
@@ -143,7 +143,7 @@
<set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
<set name="flowScope.wctx" value="currentEvent.attributes.request_context" />
<set name="flowScope.wtrealm" value="currentEvent.attributes.realm" />
- <set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
+ <set name="flowScope.wreply" value="currentEvent.attributes.return_address" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
</transition>
<transition on="viewBadRequest" to="viewBadRequest" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a08fe5b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
index 78b149e..d618c76 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
@@ -115,8 +115,6 @@
<!-- Here, home realm is guaranteed to be THIS realm -->
<set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
</on-entry>
- <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
- then="viewBadRequest" />
<!-- check presence of cached IDP token for THIS realm -->
<if test="externalContext.sessionMap[flowScope.home_realm] == null"
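Review bot: The removed `getAuthenticationURIs() == null` guard is not replaced by anything in this hunk, so an IdP configured without authentication URIs now proceeds to `cacheSecurityToken`, leaving its `<secured attributes="IS_AUTHENTICATED_FULLY" />` as the only remaining gate. If the property is no longer meaningful after the flow consolidation, that is worth a sentence in the commit message, since "More refactoring" does not explain dropping a configuration check; if it is still meaningful, keep the two removed lines. The enclosing `homeRealmSignInEntryPoint` decision-state starts before and ends after this hunk.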
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a08fe5b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
index 4f63155..ebfbf1f 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
@@ -67,7 +67,7 @@ subflow to get a RP token from the STS.
<end-state id="requestRpToken">
<output name="home_realm" value="flowScope.home_realm" />
<output name="request_context" value="flowScope.request_context" />
- <output name="wreply" value="flowScope.wreply" />
+ <output name="return_address" value="flowScope.return_address" />
<output name="realm" value="flowScope.realm" />
<output name="idpToken" value="flowScope.idpToken" />
<output name="saml_authn_request" value="flowScope.saml_authn_request" />