git commit: Some work on replay tokens etc.
Repository: cxf-fediz
Updated Branches:
refs/heads/master e057f3413 -> db7b4ea76
Some work on replay tokens etc.
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/db7b4ea7
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/db7b4ea7
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/db7b4ea7
Branch: refs/heads/master
Commit: db7b4ea76b85c52b59bf0acfe8e39cb7070ff325
Parents: e057f34
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 22 15:54:59 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 22 15:54:59 2014 +0100
----------------------------------------------------------------------
.../fediz/core/config/FederationProtocol.java | 18 ------
.../apache/cxf/fediz/core/config/Protocol.java | 15 +++++
.../cxf/fediz/core/metadata/MetadataWriter.java | 67 +++++++++-----------
.../core/processor/AbstractFedizProcessor.java | 30 +++++++++
.../core/processor/FederationProcessorImpl.java | 34 ++--------
.../fediz/core/processor/SAMLProcessorImpl.java | 16 +++--
.../src/main/resources/schemas/FedizConfig.xsd | 2 +-
7 files changed, 93 insertions(+), 89 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
index 17d749f..4809a34 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
@@ -19,14 +19,9 @@
package org.apache.cxf.fediz.core.config;
-import java.util.ArrayList;
-import java.util.List;
-
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
-import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
-import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
@@ -183,19 +178,6 @@ public class FederationProtocol extends Protocol {
getFederationProtocol().setReply(value);
}
- public List<Claim> getClaimTypesRequested() {
- ClaimTypesRequested claimsRequested = getFederationProtocol().getClaimTypesRequested();
- List<Claim> claims = new ArrayList<Claim>();
- for (ClaimType c:claimsRequested.getClaimType()) {
- claims.add(new Claim(c));
- }
- return claims;
- }
-
- public void setClaimTypesRequested(ClaimTypesRequested value) {
- getFederationProtocol().setClaimTypesRequested(value);
- }
-
public String getVersion() {
return getFederationProtocol().getVersion();
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index 362ae94..c9ff7ae 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -27,6 +27,8 @@ import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.fediz.core.TokenValidator;
import org.apache.cxf.fediz.core.config.jaxb.ArgumentType;
import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
+import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
+import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
import org.apache.cxf.fediz.core.util.ClassLoaderUtils;
import org.slf4j.Logger;
@@ -176,4 +178,17 @@ public abstract class Protocol {
}
}
+ public List<Claim> getClaimTypesRequested() {
+ ClaimTypesRequested claimsRequested = getProtocolType().getClaimTypesRequested();
+ List<Claim> claims = new ArrayList<Claim>();
+ for (ClaimType c : claimsRequested.getClaimType()) {
+ claims.add(new Claim(c));
+ }
+ return claims;
+ }
+
+ public void setClaimTypesRequested(ClaimTypesRequested value) {
+ getProtocolType().setClaimTypesRequested(value);
+ }
+
}
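Review bot: `getClaimTypesRequested()` dereferences `claimsRequested` on the line right after it is fetched, so a `ProtocolType` with no `claimTypesRequested` element ends in a NullPointerException instead of an empty list; a configuration built programmatically, or any schema revision that makes the element optional, hits this. Returning the empty list is the cheaper contract and matches the `claims != null` guard that MetadataWriter applies to the result: insert `if (claimsRequested == null) { return claims; }` directly after the `new ArrayList<Claim>()` line. The enclosing `Protocol` class starts outside the hunk.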
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index c3c97ed..f7ef25c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -115,49 +115,43 @@ public class MetadataWriter {
writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- if (protocol instanceof FederationProtocol) {
- FederationProtocol fedprotocol = (FederationProtocol)protocol;
-
- Object realmObj = fedprotocol.getRealm();
- String realm = null;
- if (realmObj instanceof String) {
- realm = (String)realmObj;
- } else if (realmObj instanceof CallbackHandler) {
- //TODO
- //If realm is resolved at runtime, metadata not updated
- }
-
- if (!(realm == null || "".equals(realm))) {
- writer.writeCharacters(realm);
- }
+ Object realmObj = protocol.getRealm();
+ String realm = null;
+ if (realmObj instanceof String) {
+ realm = (String)realmObj;
+ } else if (realmObj instanceof CallbackHandler) {
+ //TODO
+ //If realm is resolved at runtime, metadata not updated
}
+
+ if (!(realm == null || "".equals(realm))) {
+ writer.writeCharacters(realm);
+ }
+
// writer.writeCharacters("http://host:port/url from config");
writer.writeEndElement(); // Address
writer.writeEndElement(); // EndpointReference
writer.writeEndElement(); // TargetScope
- if (protocol instanceof FederationProtocol) {
- FederationProtocol fedprotocol = (FederationProtocol)protocol;
- List<Claim> claims = fedprotocol.getClaimTypesRequested();
- if (claims != null && claims.size() > 0) {
+ List<Claim> claims = protocol.getClaimTypesRequested();
+ if (claims != null && claims.size() > 0) {
- // create ClaimsType section
- writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
- for (Claim claim : claims) {
+ // create ClaimsType section
+ writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
+ for (Claim claim : claims) {
- writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
- writer.writeAttribute("Uri", claim.getType());
- if (claim.isOptional()) {
- writer.writeAttribute("Optional", "true");
- } else {
- writer.writeAttribute("Optional", "false");
- }
+ writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
+ writer.writeAttribute("Uri", claim.getType());
+ if (claim.isOptional()) {
+ writer.writeAttribute("Optional", "true");
+ } else {
+ writer.writeAttribute("Optional", "false");
+ }
- writer.writeEndElement(); // ClaimType
+ writer.writeEndElement(); // ClaimType
- }
- writer.writeEndElement(); // ClaimsTypeRequested
}
+ writer.writeEndElement(); // ClaimsTypeRequested
}
// create sign in endpoint section
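Review bot: `claims.size() > 0` on the new `if (claims != null && claims.size() > 0)` line reads more directly as `!claims.isEmpty()`; the null guard beside it is worth keeping, since the accessor is a public method on `Protocol` that a subclass may override. The `CallbackHandler` branch above it still carries the old TODO, so when the realm is resolved at runtime the metadata emits an empty `wsa:Address` for every protocol type now, not only for WS-Federation — a one-line comment on that branch stating that the generated metadata is incomplete in that case would save the next reader a trip through the history. The enclosing method starts and ends outside the hunk.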
@@ -165,12 +159,9 @@ public class MetadataWriter {
writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- if (protocol instanceof FederationProtocol) {
- FederationProtocol fedprotocol = (FederationProtocol)protocol;
- Object issuer = fedprotocol.getIssuer();
- if (issuer instanceof String && !"".equals(issuer)) {
- writer.writeCharacters((String)issuer);
- }
+ Object issuer = protocol.getIssuer();
+ if (issuer instanceof String && !"".equals(issuer)) {
+ writer.writeCharacters((String)issuer);
}
// writer.writeCharacters("http://host:port/url Issuer from config");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
index cceab0c..fa7e49d 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
@@ -22,6 +22,7 @@ package org.apache.cxf.fediz.core.processor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
+import java.util.Date;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
@@ -29,10 +30,16 @@ import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
import org.apache.cxf.fediz.core.spi.IDPCallback;
import org.apache.cxf.fediz.core.spi.RealmCallback;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public abstract class AbstractFedizProcessor implements FedizProcessor {
+
+ private static final Logger LOG = LoggerFactory.getLogger(AbstractFedizProcessor.class);
protected String resolveIssuer(HttpServletRequest request, FedizContext config) throws IOException,
UnsupportedCallbackException {
@@ -67,6 +74,29 @@ public abstract class AbstractFedizProcessor implements FedizProcessor {
}
return wtRealm;
}
+
+ protected void testForReplayAttack(String tokenId, FedizContext config, Date expires)
+ throws ProcessingException {
+ // Check whether token already used for signin
+ if (tokenId != null && config.isDetectReplayedTokens()) {
+ // Check whether token has already been processed once, prevent
+ // replay attack
+ if (!config.getTokenReplayCache().contains(tokenId)) {
+ // not cached
+ if (expires != null) {
+ Date currentTime = new Date();
+ long ttl = expires.getTime() - currentTime.getTime();
+ config.getTokenReplayCache().add(tokenId, ttl / 1000L);
+ } else {
+ config.getTokenReplayCache().add(tokenId);
+ }
+ } else {
+ LOG.error("Replay attack with token id: " + tokenId);
+ throw new ProcessingException("Replay attack with token id: "
+ + tokenId, TYPE.TOKEN_REPLAY);
+ }
+ }
+ }
protected String extractFullContextPath(HttpServletRequest request) throws MalformedURLException {
String result = null;
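Review bot: The `contains` check and the later `add` in `testForReplayAttack` are two separate calls on the replay cache, so two requests presenting the same token at the same time can both observe it as absent and both be accepted; the replay defence is only as strong as that check-then-act pair. The `TokenReplayCache` interface is not visible here, but if it can offer a single put-if-absent operation that reports whether the id was already present, the method should use that and throw `ProcessingException` with `TYPE.TOKEN_REPLAY` on the already-present result instead of calling `contains` first. Separately, when `expires` is already in the past, `ttl / 1000L` is zero or negative and is handed to the cache unchanged; what the cache does with such a value is not visible, so either reject that case explicitly before caching or note in a comment that expired tokens are expected to have been rejected by the validator before this method runs. The method is complete within the hunk.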
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 3bf4a93..370e1c7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -194,40 +194,18 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
validateToken(rst, tt, config, request.getCerts());
// Check whether token already used for signin
- if (validatorResponse.getUniqueTokenId() != null
- && config.isDetectReplayedTokens()) {
- // Check whether token has already been processed once, prevent
- // replay attack
- if (!config.getTokenReplayCache().contains(validatorResponse.getUniqueTokenId())) {
- // not cached
- Date expires = null;
- if (lifeTime != null && lifeTime.getExpires() != null) {
- expires = lifeTime.getExpires();
- } else {
- expires = validatorResponse.getExpires();
- }
- if (expires != null) {
- Date currentTime = new Date();
- long ttl = expires.getTime() - currentTime.getTime();
- config.getTokenReplayCache().add(validatorResponse.getUniqueTokenId(), ttl / 1000L);
- } else {
- config.getTokenReplayCache().add(validatorResponse.getUniqueTokenId());
- }
- } else {
- LOG.error("Replay attack with token id: " + validatorResponse.getUniqueTokenId());
- throw new ProcessingException("Replay attack with token id: "
- + validatorResponse.getUniqueTokenId(), TYPE.TOKEN_REPLAY);
- }
+ Date expires = null;
+ if (lifeTime != null && lifeTime.getExpires() != null) {
+ expires = lifeTime.getExpires();
+ } else {
+ expires = validatorResponse.getExpires();
}
+ testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
Date created = validatorResponse.getCreated();
if (lifeTime != null && lifeTime.getCreated() != null) {
created = lifeTime.getCreated();
}
- Date expires = validatorResponse.getExpires();
- if (lifeTime != null && lifeTime.getExpires() != null) {
- expires = lifeTime.getExpires();
- }
FedizResponse fedResponse = new FedizResponse(
validatorResponse.getUsername(), validatorResponse.getIssuer(),
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index a57393d..73404d7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -178,6 +178,10 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
// Validate the Response
validateSamlResponseProtocol((org.opensaml.saml2.core.Response)responseObject, config);
+ SSOValidatorResponse ssoValidatorResponse =
+ validateSamlSSOResponse((org.opensaml.saml2.core.Response)responseObject,
+ request.getRequest(), requestState, config);
+
// Validate the internal assertion(s)
TokenValidatorResponse validatorResponse = null;
List<Element> assertions =
@@ -210,15 +214,19 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
}
}
- validateSamlSSOResponse((org.opensaml.saml2.core.Response)responseObject,
- request.getRequest(), requestState, config);
+ // Check whether token already used for signin
+ Date expires = validatorResponse.getExpires();
+ if (expires == null) {
+ expires = ssoValidatorResponse.getSessionNotOnOrAfter();
+ }
+ testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
FedizResponse fedResponse = new FedizResponse(
validatorResponse.getUsername(), validatorResponse.getIssuer(),
validatorResponse.getRoles(), validatorResponse.getClaims(),
validatorResponse.getAudience(),
validatorResponse.getCreated(),
- validatorResponse.getExpires(),
+ expires,
token,
validatorResponse.getUniqueTokenId());
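Review bot: `validatorResponse.getExpires()` on the new `Date expires = ...` line is called unconditionally, but `validatorResponse` is initialised to `null` before the assertion loop (visible in the previous hunk) and whether that loop guarantees a non-null result when no validator accepts an assertion lies outside this hunk; if it can still be null here, the sign-in fails with a NullPointerException rather than a `ProcessingException`, and a guard that throws `ProcessingException` before this line would keep the failure mode consistent. When both `getExpires()` and `getSessionNotOnOrAfter()` are null, `expires` stays null, which makes `testForReplayAttack` cache the token id with no TTL and leaves the `FedizResponse` without an expiry; a short comment on the `if (expires == null)` branch stating that this fallback is deliberate would help, if it is. The enclosing method starts and ends outside the hunk.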
@@ -314,7 +322,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
redirectURL,
authnRequest.getID(),
realm,
- config.getName(),
+ authnRequest.getIssuer().getValue(),
webAppDomain,
System.currentTimeMillis());
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db7b4ea7/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 750ec31..7c7b91c 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -99,7 +99,6 @@
<xs:element ref="reply" />
<xs:element ref="request" />
<xs:element ref="signInQuery" />
- <xs:element ref="claimTypesRequested" />
<xs:element ref="applicationServiceURL" />
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
@@ -137,6 +136,7 @@
<xs:sequence>
<xs:element ref="roleDelimiter" />
<xs:element ref="roleURI" />
+ <xs:element ref="claimTypesRequested" />
<xs:element ref="issuer" />
<xs:element ref="realm" />
<xs:element ref="tokenValidators" />
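Review bot: Moving `claimTypesRequested` into the base protocol sequence without `minOccurs="0"` makes the element mandatory, and position-sensitive, for every protocol type: an existing WS-Federation config that placed it after `signInQuery`, or a SAML config that never contained it, no longer validates against this schema. If the element is meant to be optional for SAML deployments, declare it as `<xs:element ref="claimTypesRequested" minOccurs="0" />`; the accessor added to `Protocol.java` in this commit would then need to tolerate its absence. The previous hunk in this file removes the same element from the federation-specific sequence.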