Posted to commits@cxf.apache.org by jb...@apache.org on 2015/03/20 13:11:30 UTC
[05/12] cxf-fediz git commit: Improved Servlet Filter for Websphere
Improved Servlet Filter for Websphere
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ab0d1b0b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ab0d1b0b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ab0d1b0b
Branch: refs/heads/master
Commit: ab0d1b0bcca914f1a24594118e93896880f61241
Parents: 29c9253
Author: Jan Bernhardt <jb...@talend.com>
Authored: Mon Mar 9 11:30:56 2015 +0100
Committer: Jan Bernhardt <jb...@talend.com>
Committed: Thu Mar 19 17:26:33 2015 +0100
----------------------------------------------------------------------
.../src/main/webapp/WEB-INF/web.xml | 7 --
.../was/servlet/filter/FederationFilter.java | 98 ++++++++++++++++++++
.../filter/SecurityContextTTLChecker.java | 8 +-
3 files changed, 104 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ab0d1b0b/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml b/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
index 28d2a3a..a60f3a4 100644
--- a/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
+++ b/examples/websphereWebapp/src/main/webapp/WEB-INF/web.xml
@@ -6,13 +6,6 @@
<display-name>WS Federation Simple Web Application Example</display-name>
<!-- Optional: Cache the security token in Thread Local Storage -->
- <!--
- <filter>
- <filter-name>FederationFilter</filter-name>
- <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
- </filter>
- -->
-
<filter>
<filter-name>FederationFilter</filter-name>
<filter-class>org.apache.cxf.fediz.was.servlet.filter.SecurityContextTTLChecker</filter-class>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ab0d1b0b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
new file mode 100644
index 0000000..991fd91
--- /dev/null
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/FederationFilter.java
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.was.servlet.filter;
+
+import java.io.IOException;
+import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServlet;
+
+import org.w3c.dom.Element;
+import com.ibm.websphere.security.WSSecurityException;
+import com.ibm.websphere.security.auth.WSSubject;
+
+import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
+import org.apache.cxf.fediz.core.processor.FedizResponse;
+import org.apache.cxf.fediz.was.Constants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Add security token to thread local
+ */
+public class FederationFilter extends HttpServlet implements Filter {
+ private static final Logger LOG = LoggerFactory.getLogger(FederationFilter.class);
+ private static final long serialVersionUID = 5732969318462358728L;
+
+ public FederationFilter() {
+ super();
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ /*
+ * (non-Java-doc)
+ * @see javax.servlet.Filter#doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+ ServletException {
+ try {
+ Subject subject = WSSubject.getCallerSubject();
+ if (subject != null) {
+ FedizResponse fedResponse = getCachedFederationResponse(subject);
+ LOG.info("Security token found for user: {}", fedResponse.getUsername());
+ Element el = fedResponse.getToken();
+ if (el != null) {
+ SecurityTokenThreadLocal.setToken(el);
+ LOG.debug("Setting Security Token to SecurityTokenThreadLocal");
+ }
+ }
+ chain.doFilter(request, response);
+ } catch (WSSecurityException e) {
+ LOG.warn("No caller Subject/Principal found in request.");
+ chain.doFilter(request, response);
+ } finally {
+ SecurityTokenThreadLocal.setToken(null);
+ }
+ }
+
+ private FedizResponse getCachedFederationResponse(Subject subject) {
+ Iterator<?> i = subject.getPublicCredentials().iterator();
+ while (i.hasNext()) {
+ Object o = i.next();
+ if (o instanceof Hashtable) {
+ Map<?, ?> table = (Hashtable<?, ?>)o;
+ return (FedizResponse)table.get(Constants.SUBJECT_TOKEN_KEY);
+ }
+ }
+ return null;
+ }
+}
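Review bot: `getCachedFederationResponse` returns null when the caller Subject carries no Hashtable credential holding `Constants.SUBJECT_TOKEN_KEY`, yet `doFilter` dereferences the result unconditionally at `fedResponse.getUsername()`; the resulting NullPointerException is not a `WSSecurityException`, so it escapes the catch, `chain.doFilter` is never reached and the request fails with a container error instead of passing through without a token. Guard the lookup: `FedizResponse fedResponse = getCachedFederationResponse(subject);` / `if (fedResponse != null && fedResponse.getToken() != null) {` / `SecurityTokenThreadLocal.setToken(fedResponse.getToken());`, and move the `LOG.info` inside the guard (or lower it to debug, since it logs the username on every filtered request). The unchecked `(FedizResponse)` cast on the Hashtable value can likewise throw ClassCastException if another component stored a different type under that key; an `instanceof FedizResponse` check that otherwise returns null keeps the filter best-effort as the `WSSecurityException` branch intends. The `finally` that clears the thread-local is correct and should stay.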
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ab0d1b0b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
----------------------------------------------------------------------
diff --git a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
index 43efc6b..8ad301b 100644
--- a/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
+++ b/plugins/websphere/src/main/java/org/apache/cxf/fediz/was/servlet/filter/SecurityContextTTLChecker.java
@@ -52,9 +52,9 @@ import org.slf4j.LoggerFactory;
* A Servlet Filter that MUST be configured to match the '/*' request scheme on each Web Application
* to enforce SAML assertion TimeToLive checking
*
- * @deprecated Not needed any longer since version 1.2.0
+ * Only needed if TAI Interceptor is not registered with option "beforeSSO=true". Otherwise use FederationFilter
+ * instead.
*/
-@Deprecated
public class SecurityContextTTLChecker extends HttpServlet implements Filter {
private static final Logger LOG = LoggerFactory.getLogger(SecurityContextTTLChecker.class);
private static final long serialVersionUID = 5732969339258858728L;
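Review bot: The replacement Javadoc paragraph names the alternative only as prose (`Otherwise use FederationFilter instead.`), so the cross-reference is neither checked by javadoc nor navigable; since the class is now un-deprecated and the two filters are chosen by deployment mode, write it as `Only needed if the TAI interceptor is not registered with {@code beforeSSO=true}; otherwise use {@link FederationFilter} instead.` and add `@see FederationFilter`. The `@SuppressWarnings("deprecation")` annotations added in the later hunks (before `init(ServletConfig)`, `destroy()` and `init(FilterConfig)`) carry no comment saying which deprecated call they cover; in `destroy()` it is presumably `FedizInterceptor.deRegisterContext`, while in `init(ServletConfig)` nothing visible in the hunk is deprecated, so the call must lie outside the shown lines. A one-line comment on each, such as `// suppresses: deprecated FedizInterceptor context (de)registration API`, would keep the suppression from masking new deprecations introduced into those methods later.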
@@ -69,6 +69,7 @@ public class SecurityContextTTLChecker extends HttpServlet implements Filter {
super();
}
+ @SuppressWarnings("deprecation")
@Override
public void init(ServletConfig config) throws ServletException {
super.init(config);
@@ -80,6 +81,7 @@ public class SecurityContextTTLChecker extends HttpServlet implements Filter {
* (non-Java-doc)
* @see javax.servlet.Filter#doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
*/
+ @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
@@ -145,10 +147,12 @@ public class SecurityContextTTLChecker extends HttpServlet implements Filter {
* (non-Java-doc)
* @see javax.servlet.Filter#destroy()
*/
+ @SuppressWarnings("deprecation")
public void destroy() {
FedizInterceptor.deRegisterContext(contextPath);
}
+ @SuppressWarnings("deprecation")
@Override
public void init(FilterConfig filterConfig) throws ServletException {
contextPath = filterConfig.getServletContext().getContextPath();