Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/23 13:14:36 UTC
git commit: Some work on Logout to support SAML
Repository: cxf-fediz
Updated Branches:
refs/heads/master 62b7250d7 -> cc8c123cd
Some work on Logout to support SAML
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cc8c123c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cc8c123c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cc8c123c
Branch: refs/heads/master
Commit: cc8c123cd5515df3840a2c1f9c3e5fd7de3302c1
Parents: 62b7250
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Oct 23 12:14:13 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Oct 23 12:14:13 2014 +0100
----------------------------------------------------------------------
.../core/processor/FederationProcessorImpl.java | 5 +-
.../fediz/core/processor/FedizProcessor.java | 8 ++-
.../fediz/core/processor/SAMLProcessorImpl.java | 7 +-
.../samlsso/DefaultSAMLPRequestBuilder.java | 5 ++
.../core/federation/FederationRequestTest.java | 2 +-
.../cxf/fediz/core/samlsso/SAMLRequestTest.java | 4 +-
.../cxf/plugin/FedizRedirectBindingFilter.java | 2 +-
.../fediz/jetty/FederationAuthenticator.java | 3 +-
.../web/FederationLogoutSuccessHandler.java | 2 +-
.../fediz/tomcat/FederationAuthenticator.java | 69 ++++++++++++--------
10 files changed, 70 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index ed830e6..7a4dc52 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -60,6 +60,7 @@ import org.apache.cxf.fediz.core.spi.WReqCallback;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSDocInfo;
@@ -473,7 +474,9 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
@Override
- public RedirectionResponse createSignOutRequest(HttpServletRequest request, FedizContext config)
+ public RedirectionResponse createSignOutRequest(HttpServletRequest request,
+ SamlAssertionWrapper token,
+ FedizContext config)
throws ProcessingException {
String redirectURL = null;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
index c6cea4e..846ebf8 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
@@ -20,21 +20,25 @@
package org.apache.cxf.fediz.core.processor;
import javax.servlet.http.HttpServletRequest;
+
import org.w3c.dom.Document;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
public interface FedizProcessor {
- FedizResponse processRequest(FedizRequest request, FedizContext config) throws ProcessingException;
+ FedizResponse processRequest(
+ FedizRequest request, FedizContext config
+ ) throws ProcessingException;
RedirectionResponse createSignInRequest(
HttpServletRequest request, FedizContext config
) throws ProcessingException;
RedirectionResponse createSignOutRequest(
- HttpServletRequest request, FedizContext config
+ HttpServletRequest request, SamlAssertionWrapper token, FedizContext config
) throws ProcessingException;
Document getMetaData(
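Review bot: The new `token` parameter on `createSignOutRequest` has no Javadoc, and every caller in this commit except the Tomcat plugin passes `null` for it, so the contract for a missing token is implicit. A short doc on the interface would pin it down, e.g. `@param token the SAML assertion issued for the session being ended, or null if the plugin has no access to it; the SAML protocol uses it to populate the LogoutRequest`. From the SAMLProcessorImpl hunk the token goes straight into the request builder, and the updated tests pass `null`, so presumably the builder tolerates it; whether FederationProcessorImpl uses the parameter at all is not visible in this diff.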
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index b3766e8..47634d9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -53,6 +53,7 @@ import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.dom.WSConstants;
import org.apache.xml.security.exceptions.Base64DecodingException;
@@ -405,7 +406,9 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
}
@Override
- public RedirectionResponse createSignOutRequest(HttpServletRequest request, FedizContext config)
+ public RedirectionResponse createSignOutRequest(HttpServletRequest request,
+ SamlAssertionWrapper token,
+ FedizContext config)
throws ProcessingException {
String redirectURL = null;
@@ -433,7 +436,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
String realm = resolveWTRealm(request, config);
String reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
LogoutRequest logoutRequest =
- samlpRequestBuilder.createLogoutRequest(realm, reason, null); // TODO
+ samlpRequestBuilder.createLogoutRequest(realm, reason, token);
if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
logoutRequest.setDestination(redirectURL);
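Review bot: With `token` null the builder cannot populate a NameID, yet SAML 2.0 Core makes a NameID (or BaseID/EncryptedID) required in a LogoutRequest, so the Jetty, Spring and CXF plugins, which all pass `null` in this commit, will emit requests an IdP may reject or be unable to match to a session. Throwing here would break their logout entirely, but silently sending an incomplete request hides the problem; a warning makes it diagnosable, e.g. `if (token == null) { LOG.warn("No SAML assertion available for logout; LogoutRequest will carry no NameID"); }` placed before the `createLogoutRequest` call, assuming the class has a logger (not visible in the hunk). The enclosing method continues beyond this hunk.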
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
index 3c80e70..6ef8eb5 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
@@ -128,6 +128,11 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
nameID = subject.getNameID();
}
}
+
+ if (nameID != null) {
+ nameID.detach();
+ }
+
List<AuthnStatement> authnStatements =
authenticatedAssertion.getSaml2().getAuthnStatements();
if (authnStatements != null && !authnStatements.isEmpty()) {
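Review bot: `nameID.detach()` removes the NameID from the Subject of the assertion the caller passed in, so building a LogoutRequest silently mutates the authenticated assertion; presumably this is needed because OpenSAML will not attach an XMLObject that still has a parent (the `setNameID` call is outside the visible lines). The Tomcat caller builds the wrapper from the session token just before invalidating the session, so nothing reuses it today, but a caller that keeps the assertion for audit logging or re-validation would find its Subject without a NameID afterwards. Building a fresh NameID with the same value, format and qualifiers, or cloning the XMLObject, avoids the side effect; failing that, document it at the call: `// detach() strips the NameID from the authenticated assertion's Subject; the assertion must not be reused after this`. The enclosing method starts and ends outside this hunk.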
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
index b48521b..6624f85 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationRequestTest.java
@@ -120,7 +120,7 @@ public class FederationRequestTest {
EasyMock.replay(req);
FedizProcessor wfProc = new FederationProcessorImpl();
- RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+ RedirectionResponse response = wfProc.createSignOutRequest(req, null, config);
String redirectionURL = response.getRedirectionURL();
Assert.assertTrue(redirectionURL.startsWith(TEST_IDP_ISSUER));
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index 06ae3a8..05c4f7a 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -211,7 +211,7 @@ public class SAMLRequestTest {
EasyMock.replay(req);
FedizProcessor wfProc = new SAMLProcessorImpl();
- RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+ RedirectionResponse response = wfProc.createSignOutRequest(req, null, config);
String redirectionURL = response.getRedirectionURL();
String samlRequest =
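Review bot: Neither updated test in this file exercises the new non-null token path; both pass `null`, so the NameID detach and the AuthnStatement handling added to DefaultSAMLPRequestBuilder run in no test. A test that hands `createSignOutRequest` a SamlAssertionWrapper whose Subject carries a NameID and then asserts the decoded LogoutRequest contains that NameID would pin the behaviour the commit is adding. The second hunk in this file is the same call-site update.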
@@ -240,7 +240,7 @@ public class SAMLRequestTest {
EasyMock.replay(req);
FedizProcessor wfProc = new SAMLProcessorImpl();
- RedirectionResponse response = wfProc.createSignOutRequest(req, config);
+ RedirectionResponse response = wfProc.createSignOutRequest(req, null, config);
String redirectionURL = response.getRedirectionURL();
String signature =
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 83eb3b5..7bc417e 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -274,7 +274,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
HttpServletRequest request = messageContext.getHttpServletRequest();
RedirectionResponse redirectionResponse =
- processor.createSignOutRequest(request, fedConfig);
+ processor.createSignOutRequest(request, null, fedConfig); //TODO
String redirectURL = redirectionResponse.getRedirectionURL();
if (redirectURL != null) {
ResponseBuilder response = Response.seeOther(new URI(redirectURL));
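Review bot: Passing `null` with a bare `//TODO` means the CXF plugin sends SAML LogoutRequests without the assertion, so the request carries no NameID and the IdP has nothing to match against the session (SAML 2.0 Core requires a NameID in a LogoutRequest). The Tomcat plugin in this same commit reads the stored token from the session before invalidating it and wraps it in a SamlAssertionWrapper; the same pattern applies here if the filter keeps the token somewhere retrievable, which this hunk does not show. At least make the TODO say what is missing: `// TODO: pass the stored SAML assertion so the LogoutRequest carries the subject's NameID`. The enclosing method continues outside the hunk.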
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
index e727ae1..7597c1a 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
@@ -501,7 +501,8 @@ public class FederationAuthenticator extends LoginAuthenticator {
}
FedizContext fedCtx = this.configurator.getFedizContext(contextName);
try {
- RedirectionResponse redirectionResponse = processor.createSignOutRequest(request, fedCtx);
+ RedirectionResponse redirectionResponse =
+ processor.createSignOutRequest(request, null, fedCtx); //TODO
String redirectURL = redirectionResponse.getRedirectionURL();
if (redirectURL != null) {
Map<String, String> headers = redirectionResponse.getHeaders();
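Review bot: A bare `//TODO` next to a `null` token gives the next maintainer no indication of what is missing or where the token lives; `// TODO: pass the session's SAML assertion, as Tomcat FederationAuthenticator.signOutRedirectToIssuer now does` would. Note that if the Jetty authenticator invalidates the session before reaching this method, the token must be captured earlier, which is the ordering the Tomcat plugin adopts in this commit. Resolving the TODO will also require handling WSSecurityException from the SamlAssertionWrapper constructor; the try block continues past this hunk.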
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
index 1a2dba3..8d6c5fe 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
@@ -60,7 +60,7 @@ public class FederationLogoutSuccessHandler implements LogoutSuccessHandler {
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedCtx.getProtocol());
RedirectionResponse redirectionResponse =
- wfProc.createSignOutRequest(request, fedCtx);
+ wfProc.createSignOutRequest(request, null, fedCtx); //TODO
String redirectURL = redirectionResponse.getRedirectionURL();
if (redirectURL != null) {
Map<String, String> headers = redirectionResponse.getHeaders();
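Review bot: A LogoutSuccessHandler runs after Spring Security's logout handlers, and the default SecurityContextLogoutHandler invalidates the HttpSession, so by the time this line executes a token stored in the session is presumably already gone; the `null` here cannot be resolved the way the Tomcat plugin does without capturing the assertion earlier or taking it from the `Authentication` passed to `onLogoutSuccess` (whether that token type carries the assertion is not visible here). The TODO should record that constraint, e.g. `// TODO: obtain the SAML assertion from the Authentication; the session is already invalidated here`. The enclosing method continues outside the hunk.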
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cc8c123c/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index 9b741f1..a7e9a00 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -38,6 +38,7 @@ import javax.servlet.http.HttpSession;
import javax.xml.bind.JAXBException;
import org.w3c.dom.Document;
+import org.w3c.dom.Element;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
@@ -61,6 +62,8 @@ import org.apache.cxf.fediz.core.processor.FedizResponse;
import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
@@ -211,30 +214,6 @@ public class FederationAuthenticator extends FormAuthenticator {
}
}
- //logout
- String logoutUrl = fedConfig.getLogoutURL();
- if (logoutUrl != null && !logoutUrl.isEmpty()) {
- HttpSession httpSession = request.getSession(false);
- String uri = request.getRequestURI();
- if (httpSession != null && uri.equals(contextName + logoutUrl)) {
- Session session = request.getSessionInternal();
-
- // Cleanup session
- if (session != null) {
- session.removeNote(FEDERATION_NOTE);
- session.setPrincipal(null);
- request.getSession().removeAttribute(SECURITY_TOKEN);
- }
- httpSession.invalidate();
-
- FedizProcessor wfProc =
- FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
- signOutRedirectToIssuer(request, response, wfProc);
-
- return;
- }
- }
-
String wa = request.getParameter(FederationConstants.PARAM_ACTION);
if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) {
if (LOG.isDebugEnabled()) {
@@ -291,6 +270,34 @@ public class FederationAuthenticator extends FormAuthenticator {
contextName = "/";
}
FedizContext fedConfig = getContextConfiguration(contextName);
+
+ //logout
+ String logoutUrl = fedConfig.getLogoutURL();
+ if (logoutUrl != null && !logoutUrl.isEmpty()) {
+ HttpSession httpSession = request.getSession(false);
+ String uri = request.getRequestURI();
+ if (httpSession != null && uri.equals(contextName + logoutUrl)) {
+ session = request.getSessionInternal();
+
+ Element token =
+ (Element)request.getSession().getAttribute(SECURITY_TOKEN);
+
+ // Cleanup session
+ if (session != null) {
+ session.removeNote(FEDERATION_NOTE);
+ session.setPrincipal(null);
+ request.getSession().removeAttribute(SECURITY_TOKEN);
+ }
+ httpSession.invalidate();
+
+ FedizProcessor wfProc =
+ FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
+ signOutRedirectToIssuer(request, response, token, wfProc);
+
+ return false;
+ }
+ }
+
// Have we already authenticated someone?
Principal principal = request.getUserPrincipal();
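Review bot: Logout fires on any request whose URI equals `contextName + logoutUrl`, with no check on the HTTP method and no anti-CSRF token, so a third-party page can log the user out, and now also trigger the issuer-side single logout, just by loading that URL in an image or iframe; this was true before the block was moved, but it is now the path that initiates SAML logout. Restricting the check to POST or requiring the session's own state token would close that. Minor: `request.getSession().getAttribute(SECURITY_TOKEN)` and `request.getSession().removeAttribute(...)` can use the `httpSession` already obtained with `getSession(false)`, which avoids creating a session in any path where one is absent, and the cast to `Element` is unchecked, fine only if SECURITY_TOKEN is always stored as an Element (not visible here). The enclosing method starts and ends outside this hunk.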
@@ -677,7 +684,8 @@ public class FederationAuthenticator extends FormAuthenticator {
}
}
- protected void signOutRedirectToIssuer(Request request, HttpServletResponse response, FedizProcessor processor)
+ protected void signOutRedirectToIssuer(Request request, HttpServletResponse response,
+ Element token, FedizProcessor processor)
throws IOException {
String contextName = request.getServletContext().getContextPath();
@@ -686,7 +694,12 @@ public class FederationAuthenticator extends FormAuthenticator {
}
FedizContext fedCtx = this.configurator.getFedizContext(contextName);
try {
- RedirectionResponse redirectionResponse = processor.createSignOutRequest(request, fedCtx);
+ SamlAssertionWrapper assertionToken = null;
+ if (token != null) {
+ assertionToken = new SamlAssertionWrapper(token);
+ }
+ RedirectionResponse redirectionResponse =
+ processor.createSignOutRequest(request, assertionToken, fedCtx);
String redirectURL = redirectionResponse.getRedirectionURL();
if (redirectURL != null) {
Map<String, String> headers = redirectionResponse.getHeaders();
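Review bot: `new SamlAssertionWrapper(token)` parses the session token as a SAML assertion regardless of the configured protocol; if a WS-Federation deployment ever stores a non-SAML token under SECURITY_TOKEN (not visible here), the constructor throws WSSecurityException and, because the caller has already invalidated the session, the user is logged out locally but gets a 500 instead of the issuer redirect. Wrapping only when the token is needed, e.g. `if (token != null && fedCtx.getProtocol() instanceof SAMLProtocol)`, or catching the parse failure, logging it and proceeding with `null`, keeps WS-Federation logout working. The enclosing method begins outside this hunk.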
@@ -706,6 +719,10 @@ public class FederationAuthenticator extends FormAuthenticator {
LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
response.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+ } catch (WSSecurityException ex) {
+ LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
+ response.sendError(
+ HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
}
}
}
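Review bot: The new `catch (WSSecurityException ex)` duplicates the ProcessingException handler above it line for line; a multi-catch `catch (ProcessingException | WSSecurityException ex)` collapses them if the project targets Java 7 or later. Both handlers log only `ex.getMessage()` and drop the stack trace, which for a failed assertion parse loses what is needed to diagnose it; `LOG.warn("Failed to create SignOutRequest", ex)` keeps the cause while the response to the client stays the same generic message. The enclosing method begins outside this hunk.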