Posted to commits@cxf.apache.org by co...@apache.org on 2017/10/11 09:10:41 UTC
[cxf-fediz] branch 1.4.x-fixes updated: FEDIZ-213 - Spring plugins
don't handle token expiration properly
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
new 614c254 FEDIZ-213 - Spring plugins don't handle token expiration properly
614c254 is described below
commit 614c254c85ff7a58d3dd6fd4d85593b5b6bf6797
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Oct 11 09:42:51 2017 +0100
FEDIZ-213 - Spring plugins don't handle token expiration properly
---
.../FederationAuthenticationFailureHandler.java | 44 +------
.../FederationAuthenticationFailureHandler.java | 44 +------
systests/spring/pom.xml | 20 ++++
.../fediz/integrationtests/TokenExpiryTest.java | 34 +-----
.../spring/src/test/resources/fediz_config.xml | 1 +
.../spring/src/test/resources/realma/fediz-sts.xml | 127 +++++++++++++++++++++
6 files changed, 160 insertions(+), 110 deletions(-)
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
index 8b98982..99d9f5d 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
@@ -20,22 +20,13 @@
package org.apache.cxf.fediz.spring.web;
import java.io.IOException;
-import java.util.Map;
-import java.util.Map.Entry;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
-import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.cxf.fediz.spring.FederationConfig;
import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@@ -44,8 +35,6 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
*/
public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
- private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFailureHandler.class);
-
private FederationConfig federationConfig;
public FederationAuthenticationFailureHandler() {
@@ -57,36 +46,9 @@ public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticat
AuthenticationException exception) throws IOException, ServletException {
if (exception instanceof ExpiredTokenException) {
- String redirectUrl = null;
- try {
- FedizContext fedContext = federationConfig.getFedizContext();
- FedizProcessor wfProc =
- FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
- RedirectionResponse redirectionResponse =
- wfProc.createSignInRequest(request, fedContext);
- redirectUrl = redirectionResponse.getRedirectionURL();
-
- if (redirectUrl == null) {
- LOG.warn("Failed to create SignInRequest. Redirect URL null");
- throw new ServletException("Failed to create SignInRequest. Redirect URL null");
- }
-
- Map<String, String> headers = redirectionResponse.getHeaders();
- if (!headers.isEmpty()) {
- for (Entry<String, String> entry : headers.entrySet()) {
- response.addHeader(entry.getKey(), entry.getValue());
- }
- }
-
- } catch (ProcessingException ex) {
- LOG.warn("Failed to create SignInRequest", ex);
- throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
- }
-
- if (LOG.isInfoEnabled()) {
- LOG.info("Redirecting to IDP: " + redirectUrl);
- }
- response.sendRedirect(redirectUrl);
+ // Just redirect back to the original URL and re-start the authentication process.
+ response.sendRedirect(request.getRequestURL().toString());
+ return;
}
super.onAuthenticationFailure(request, response, exception);
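Review bot: The new `response.sendRedirect(request.getRequestURL().toString())` line drops the query string, because getRequestURL() returns only scheme, host, port and path, so a user whose token expired on a parameterised URL is restarted on a different resource than the one requested; build the target as `String target = request.getRequestURL().toString(); String qs = request.getQueryString(); response.sendRedirect(qs == null ? target : target + "?" + qs);`. The identical hunk in plugins/spring3 (ending at its super.onAuthenticationFailure line) needs the same replacement. Deleting the LOG field in the earlier hunk also removes the only log statement on this path, so an expired-token restart now leaves no trace; a single `LOG.debug("Token expired, restarting authentication at {}", target);` would help when diagnosing redirect loops, which seem possible if whatever raised ExpiredTokenException leaves the expired token in the session (not visible here). The closing brace of onAuthenticationFailure lies outside the hunk.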
diff --git a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
index 8b98982..99d9f5d 100644
--- a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
+++ b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFailureHandler.java
@@ -20,22 +20,13 @@
package org.apache.cxf.fediz.spring.web;
import java.io.IOException;
-import java.util.Map;
-import java.util.Map.Entry;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
-import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.cxf.fediz.spring.FederationConfig;
import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@@ -44,8 +35,6 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
*/
public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
- private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationFailureHandler.class);
-
private FederationConfig federationConfig;
public FederationAuthenticationFailureHandler() {
@@ -57,36 +46,9 @@ public class FederationAuthenticationFailureHandler extends SimpleUrlAuthenticat
AuthenticationException exception) throws IOException, ServletException {
if (exception instanceof ExpiredTokenException) {
- String redirectUrl = null;
- try {
- FedizContext fedContext = federationConfig.getFedizContext();
- FedizProcessor wfProc =
- FedizProcessorFactory.newFedizProcessor(fedContext.getProtocol());
- RedirectionResponse redirectionResponse =
- wfProc.createSignInRequest(request, fedContext);
- redirectUrl = redirectionResponse.getRedirectionURL();
-
- if (redirectUrl == null) {
- LOG.warn("Failed to create SignInRequest. Redirect URL null");
- throw new ServletException("Failed to create SignInRequest. Redirect URL null");
- }
-
- Map<String, String> headers = redirectionResponse.getHeaders();
- if (!headers.isEmpty()) {
- for (Entry<String, String> entry : headers.entrySet()) {
- response.addHeader(entry.getKey(), entry.getValue());
- }
- }
-
- } catch (ProcessingException ex) {
- LOG.warn("Failed to create SignInRequest", ex);
- throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
- }
-
- if (LOG.isInfoEnabled()) {
- LOG.info("Redirecting to IDP: " + redirectUrl);
- }
- response.sendRedirect(redirectUrl);
+ // Just redirect back to the original URL and re-start the authentication process.
+ response.sendRedirect(request.getRequestURL().toString());
+ return;
}
super.onAuthenticationFailure(request, response, exception);
diff --git a/systests/spring/pom.xml b/systests/spring/pom.xml
index fb22385..966c2fc 100644
--- a/systests/spring/pom.xml
+++ b/systests/spring/pom.xml
@@ -214,6 +214,26 @@
</resources>
</configuration>
</execution>
+ <execution>
+ <id>copy-customised-sts-config</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>fediz-sts.xml</include>
+ </includes>
+ <filtering>false</filtering>
+ </resource>
+ </resources>
+ <overwrite>true</overwrite>
+ </configuration>
+ </execution>
</executions>
</plugin>
<plugin>
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
index 6ef0586..b565408 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
@@ -25,9 +25,6 @@ import java.io.IOException;
import javax.servlet.ServletException;
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.WebClient;
-
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
@@ -37,9 +34,9 @@ import org.junit.Assert;
import org.junit.BeforeClass;
/**
- * Test what happens when the IdP token expires. This is "mocked" by setting wfresh to "0" in the plugin configuration.
+ * Some token expiry tests
*/
-public class TokenExpiryTest {
+public class TokenExpiryTest extends AbstractExpiryTests {
static String idpHttpsPort;
static String rpHttpsPort;
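Review bot: The class Javadoc on the `+ * Some token expiry tests` line is a documentation regression: the removed sentence explained how expiry was simulated, and the new text says nothing about where the expiry now comes from. Since the test methods have moved out of this class, suggest `Token expiry tests for the Spring plugin. The test methods live in AbstractExpiryTests; this class only supplies the ports and the "fedizhelloworld_wfresh" context, whose tokens are presumably issued with a short lifetime by the custom STS configuration copied in from src/test/resources/realma/fediz-sts.xml.` AbstractExpiryTests is not part of this commit, so whether it still relies on wfresh=0 cannot be confirmed from the diff.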
@@ -135,28 +132,9 @@ public class TokenExpiryTest {
return rpHttpsPort;
}
-
- @org.junit.Test
- public void testTokenExpiry() throws Exception {
- // 1. Login
- String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld_wfresh"
- + "/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- CookieManager cookieManager = new CookieManager();
-
- // 1. Login
- HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
-
- // 2. Sign out of the service (but not the Idp)
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getPage(url + "?wa=wsignoutcleanup1.0");
- webClient.close();
-
- // 3. Sign back in to the service provider. This time it will get a new IdP token due to wfresh=0.
- HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+ @Override
+ public String getServletContextName() {
+ return "fedizhelloworld_wfresh";
}
+
}
diff --git a/systests/spring/src/test/resources/fediz_config.xml b/systests/spring/src/test/resources/fediz_config.xml
index f8cdb46..1803d05 100644
--- a/systests/spring/src/test/resources/fediz_config.xml
+++ b/systests/spring/src/test/resources/fediz_config.xml
@@ -173,6 +173,7 @@
</protocol>
<logoutURL>/secure/logout</logoutURL>
<logoutRedirectTo>/index.html</logoutRedirectTo>
+ <tokenExpirationValidation>true</tokenExpirationValidation>
</contextConfig>
</FedizConfig>
diff --git a/systests/spring/src/test/resources/realma/fediz-sts.xml b/systests/spring/src/test/resources/realma/fediz-sts.xml
new file mode 100644
index 0000000..9a690ab
--- /dev/null
+++ b/systests/spring/src/test/resources/realma/fediz-sts.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd">
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <bean id="loggerListener" class="org.apache.cxf.sts.event.map.EventMapper">
+ <constructor-arg>
+ <bean class="org.apache.cxf.sts.event.map.MapEventLogger" />
+ </constructor-arg>
+ </bean>
+
+ <util:list id="delegationHandlers">
+ <bean id="samlDelegationHandler"
+ class="org.apache.cxf.fediz.service.sts.FedizSAMLDelegationHandler" />
+ <bean id="x509DelegationHandler"
+ class="org.apache.cxf.fediz.service.sts.FedizX509DelegationHandler" />
+ </util:list>
+
+ <bean id="transportSTSProviderBean"
+ class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+ <property name="issueOperation" ref="transportIssueDelegate" />
+ <property name="validateOperation" ref="transportValidateDelegate" />
+ </bean>
+
+ <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
+ <property name="tokenProviders" ref="transportTokenProviders" />
+ <property name="services" ref="transportServices" />
+ <property name="stsProperties" ref="transportSTSProperties" />
+ <property name="claimsManager" ref="claimsManager" />
+ <property name="tokenValidators" ref="transportTokenValidators" />
+ <property name="eventListener" ref="loggerListener" />
+ <property name="delegationHandlers" ref="delegationHandlers" />
+ <property name="allowCustomContent" value="true" />
+ </bean>
+
+ <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
+ <property name="tokenValidators" ref="transportTokenValidators" />
+ <property name="stsProperties" ref="transportSTSProperties" />
+ <property name="eventListener" ref="loggerListener" />
+ </bean>
+
+ <util:list id="transportTokenProviders">
+ <ref bean="transportSamlTokenProvider" />
+ </util:list>
+
+ <util:list id="transportTokenValidators">
+ <ref bean="transportSamlTokenValidator" />
+ <bean class="org.apache.cxf.sts.token.validator.X509TokenValidator" />
+ </util:list>
+
+ <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
+ <property name="attributeStatementProviders" ref="attributeStatementProvidersList" />
+ <property name="realmMap" ref="realms" />
+ <property name="conditionsProvider" ref="conditionsProvider" />
+ <property name="subjectProvider" ref="subjectProvider" />
+ </bean>
+
+ <bean id="conditionsProvider"
+ class="org.apache.cxf.sts.token.provider.DefaultConditionsProvider">
+ <property name="lifetime" value="8" />
+ <property name="acceptClientLifetime" value="false" />
+ </bean>
+
+ <bean id="subjectProvider"
+ class="org.apache.cxf.sts.token.provider.DefaultSubjectProvider">
+ <property name="subjectNameIDFormat"
+ value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
+ </bean>
+
+ <util:list id="attributeStatementProvidersList">
+ <ref bean="claimAttributeProvider" />
+ </util:list>
+
+ <bean id="claimAttributeProvider"
+ class="org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider">
+ </bean>
+
+ <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
+ <property name="claimHandlers" ref="claimHandlerList" />
+ </bean>
+
+ <bean id="transportSamlTokenValidator"
+ class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
+ </bean>
+
+ <util:list id="transportServices">
+ <ref bean="transportService" />
+ </util:list>
+
+ <bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
+ <property name="endpoints">
+ <util:list>
+ <value>.*</value>
+ </util:list>
+ </property>
+ </bean>
+
+</beans>
+
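Review bot: The `conditionsProvider` bean's `<property name="lifetime" value="8" />` carries no explanation, although the whole fixture exists to make tokens expire quickly; add `<!-- Deliberately short token lifetime (in seconds) so the systests observe an expired token; acceptClientLifetime=false stops clients from requesting a longer one. -->` above the bean. Because the pom copies this file over the IdP's STS configuration with overwrite=true, a file-level comment stating that it is a test-only variant of the shipped fediz-sts.xml would also help, in particular for the `transportService` endpoint pattern `.*`, which issues tokens for any AppliesTo and is only acceptable in a test fixture.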