Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/02 17:12:40 UTC
cxf-fediz git commit: More SAML SSO refactoring
Repository: cxf-fediz
Updated Branches:
refs/heads/master 918af3aa0 -> b8aa7ea52
More SAML SSO refactoring
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/b8aa7ea5
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/b8aa7ea5
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/b8aa7ea5
Branch: refs/heads/master
Commit: b8aa7ea5205737adfdf21c10fd7ff684c81b9bb9
Parents: 918af3a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Nov 2 16:56:09 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Nov 2 16:56:09 2016 +0000
----------------------------------------------------------------------
.../cxf/fediz/service/idp/IdpConstants.java | 5 +++
.../idp/beans/SigninParametersCacheAction.java | 25 +++++++++++----
.../WEB-INF/flows/saml-signin-request.xml | 32 ++++++++++----------
.../WEB-INF/flows/saml-validate-request.xml | 13 ++++----
4 files changed, 47 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
index 2b007dd..95a9fc4 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -33,6 +33,11 @@ public final class IdpConstants {
*/
public static final String SAML_AUTHN_REQUEST = "saml_authn_request";
+ /**
+ * A key used to store the home realm for the given request.
+ */
+ public static final String HOME_REALM = "home_realm";
+
private IdpConstants() {
// complete
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 0c139c3..b696b6d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -49,6 +49,8 @@ public class SigninParametersCacheAction {
Map<String, Object> signinParams = new HashMap<>();
String uuidKey = UUID.randomUUID().toString();
+ WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+
Object value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
if (value != null) {
signinParams.put(FederationConstants.PARAM_REPLY, value);
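Review bot: The new removeAttributeFromFlowScope call at the top of this hunk drops the parsed AuthnRequest from flow scope with no comment saying why, and a reader only learns from a later hunk in this file that the raw SAMLRequest parameter is cached in its place. Add a comment above the call, e.g. `// The parsed AuthnRequest is not cached; only the raw SAMLRequest parameter is stored below`, so the ordering (remove first, then collect the cacheable parameters) reads as deliberate. The enclosing store method starts and ends outside this hunk.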
@@ -61,13 +63,17 @@ public class SigninParametersCacheAction {
if (value != null) {
signinParams.put(FederationConstants.PARAM_HOME_REALM, value);
}
+ value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
+ if (value != null) {
+ signinParams.put(IdpConstants.HOME_REALM, value);
+ }
value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
if (value != null) {
signinParams.put(FederationConstants.PARAM_CONTEXT, value);
}
- value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+ value = WebUtils.getAttributeFromFlowScope(context, "SAMLRequest");
if (value != null) {
- signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value);
+ signinParams.put("SAMLRequest", value);
}
WebUtils.putAttributeInExternalContext(context, uuidKey, signinParams);
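Review bot: The cache key for the raw request is the bare literal `"SAMLRequest"` on both the get and the put, while every other key in this method comes from FederationConstants or IdpConstants; the same literal is repeated twice more in the restore hunk below (`signinParams.get("SAMLRequest")` and the putAttributeInFlowScope call). A typo in any one of the four occurrences would silently fail to cache or restore the request, so define it once in IdpConstants (e.g. `public static final String SAML_REQUEST = "SAMLRequest";`, a constructed name, pick whatever matches the file's convention) and reference it here and in restore. The constant's Javadoc should state that the value must match the `flowScope.SAMLRequest` attribute name used by the flow XML, since that coupling is what the literal encodes. The enclosing method continues outside this hunk.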
@@ -105,6 +111,17 @@ public class SigninParametersCacheAction {
if (value != null) {
WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value);
}
+ // TODO...
+ value = (String)signinParams.get(IdpConstants.HOME_REALM);
+ if (value != null) {
+ WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value);
+ WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value);
+ }
+
+ value = (String)signinParams.get("SAMLRequest");
+ if (value != null) {
+ WebUtils.putAttributeInFlowScope(context, "SAMLRequest", value);
+ }
LOG.debug("SignIn parameters restored: {}", signinParams.toString());
WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
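Review bot: The `// TODO...` above the new IdpConstants.HOME_REALM block says nothing about what remains to be done, and that block writes FederationConstants.PARAM_HOME_REALM again, overwriting the value restored from the PARAM_HOME_REALM entry a few lines earlier whenever both keys are present in the cache. Either replace the TODO with a comment stating the intent, e.g. `// Populate both the WS-Fed (whr) and SAML (home_realm) flow attributes so either flow can resume from the cache`, or drop the extra PARAM_HOME_REALM write if the double write is unintended. Separately, only the SAMLRequest parameter is put back into flow scope; the Signature parameter that saml-validate-request.xml binds next to it is not cached in the hunks shown, so if signed requests are required, confirm that the restored request still goes through signature checking or cache Signature alongside it. The enclosing restore method starts and ends outside this hunk.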
@@ -116,10 +133,6 @@ public class SigninParametersCacheAction {
WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_CONTEXT, value);
}
- value = (String)signinParams.get(IdpConstants.SAML_AUTHN_REQUEST);
- if (value != null) {
- WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, value);
- }
} else {
LOG.debug("Error in restoring security context");
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index a166e5d..93ffba7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -31,9 +31,9 @@
<decision-state id="processHRDSExpression">
<on-entry>
<evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, null)"
- result="flowScope.homerealm" />
+ result="flowScope.home_realm" />
</on-entry>
- <if test="flowScope.homerealm == null or flowScope.homerealm.trim().isEmpty()"
+ <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
then="provideIDPListForUser" else="checkIsThisIDP" />
</decision-state>
@@ -60,9 +60,9 @@
</on-entry>
<transition on="submit" to="checkIsThisIDP" bind="true"
validate="true">
- <set name="flowScope.homerealm" value="trustedIDPSelection.whr" />
+ <set name="flowScope.home_realm" value="trustedIDPSelection.whr" />
<evaluate
- expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.homerealm)" />
+ expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
</transition>
<transition on="cancel" to="checkDefaultToThisIDP"
bind="false" validate="false" />
@@ -70,7 +70,7 @@
<!-- Home Realm is known then we can store it in cookie -->
<decision-state id="checkIsThisIDP">
- <if test="flowScope.idpConfig.realm.equals(flowScope.homerealm)"
+ <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
then="homeRealmSignInEntryPoint" else="checkIdpTokenWhrWauth" />
</decision-state>
@@ -79,16 +79,16 @@
<!-- Is 'wresult/RP-IDP token' already received and validated (then stored
in session) from requestor IDP ? -->
<decision-state id="checkIdpTokenWhrWauth">
- <if test="externalContext.sessionMap[flowScope.homerealm] != null"
+ <if test="externalContext.sessionMap[flowScope.home_realm] != null"
then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
</decision-state>
<action-state id="wfreshParserRemoteAction">
<evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)" />
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)" />
<transition on="yes" to="redirectToTrustedIDP" />
<transition on="no" to="validateWReply" >
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" />
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
</transition>
<transition on-exception="java.lang.Throwable" to="viewBadRequest" />
</action-state>
@@ -104,12 +104,12 @@
<decision-state id="homeRealmSignInEntryPoint">
<on-entry>
<!-- Here, home realm is guaranteed to be THIS realm -->
- <set name="flowScope.homerealm" value="flowScope.idpConfig.realm" />
+ <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
</on-entry>
<if test="flowScope.idpConfig.getAuthenticationURIs() == null"
then="scInternalServerError" />
<!-- check presence of cached IDP token for THIS realm -->
- <if test="externalContext.sessionMap[flowScope.homerealm] == null"
+ <if test="externalContext.sessionMap[flowScope.home_realm] == null"
then="cacheSecurityToken" else="checkTokenExpiry" />
</decision-state>
@@ -119,11 +119,11 @@
flowScope.SAMLRequest)" />
</on-entry>
<evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or authnRequestParser.isForceAuthentication(flowRequestContext)" />
<transition on="yes" to="redirectToLocalIDP" />
<transition on="no" to="parseAndValidateSAMLRequest">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" />
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
</transition>
<transition on-exception="java.lang.Throwable" to="scInternalServerError" />
</action-state>
@@ -132,14 +132,14 @@
<on-entry>
<evaluate expression="logoutAction.submit(flowRequestContext)" />
</on-entry>
- <output name="homerealm" value="flowScope.homerealm" />
+ <output name="home_realm" value="flowScope.home_realm" />
</end-state>
<action-state id="cacheSecurityToken">
<secured attributes="IS_AUTHENTICATED_FULLY" />
<evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
<transition to="parseAndValidateSAMLRequest">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" />
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
</transition>
</action-state>
@@ -171,7 +171,7 @@
<!-- normal exit point -->
<end-state id="requestRpToken">
- <output name="homerealm" value="flowScope.homerealm" />
+ <output name="home_realm" value="flowScope.home_realm" />
<output name="idpToken" value="flowScope.idpToken" />
<output name="saml_authn_request" value="flowScope.saml_authn_request" />
</end-state>
@@ -189,7 +189,7 @@
<on-entry>
<evaluate expression="signinParametersCacheAction.store(flowRequestContext)" />
</on-entry>
- <output name="homerealm" value="flowScope.homerealm" />
+ <output name="home_realm" value="flowScope.home_realm" />
<output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
</end-state>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index ca154ba..c49324c 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -29,6 +29,7 @@
<set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
<set name="flowScope.Signature" value="requestParameters.Signature" />
<set name="flowScope.wresult" value="requestParameters.wresult" />
+ <set name="flowScope.wctx" value="requestParameters.wctx" />
<set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
</on-entry>
<if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
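Review bot: The new `flowScope.wctx` binding pulls a WS-Federation parameter into the SAML validate flow without a comment on why it belongs there; the only consumer visible in this commit is SigninParametersCacheAction, which caches FederationConstants.PARAM_CONTEXT (presumably wctx) from flow scope, so this looks intended to carry wctx across the sign-in round trip, which is worth confirming. Add an XML comment on the line, e.g. `<!-- wctx is bound so the sign-in parameters cache can store and restore it for the SAML flow -->`, adjusted to the actual reason. The surrounding on-entry block begins before this hunk.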
@@ -48,13 +49,13 @@
<input name="RelayState" value="flowScope.RelayState" />
<input name="Signature" value="flowScope.Signature" />
- <output name="homerealm" />
+ <output name="home_realm" />
<output name="idpToken" />
<output name="trusted_idp_context" />
<output name="saml_authn_request" />
<transition on="requestRpToken" to="requestRpToken">
- <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm" />
+ <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
</transition>
@@ -64,7 +65,7 @@
<transition on="scInternalServerError" to="scInternalServerError" />
<transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
<transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
- <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm" />
+ <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
<set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/>
</transition>
</subflow-state>
@@ -88,7 +89,7 @@
<output name="idpToken" />
<transition on="requestRpToken" to="requestRpToken">
- <set name="flowScope.homerealm" value="currentEvent.attributes.whr" />
+ <set name="flowScope.home_realm" value="currentEvent.attributes.whr" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
</transition>
@@ -101,7 +102,7 @@
<on-entry>
<evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"
result="flowScope.realm"/>
- <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm, flowScope.homerealm)"
+ <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm, flowScope.home_realm)"
result="flowScope.rpTokenElement"/>
</on-entry>
<evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
@@ -136,7 +137,7 @@
</end-state>
<action-state id="processTrustedIdpProtocol">
- <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.homerealm)"
+ <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.home_realm)"
result="flowScope.remoteIdpUrl"/>
<transition to="redirectToTrustedIDP" />
<transition on-exception="java.lang.Throwable" to="scInternalServerError" />