Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/24 16:53:16 UTC
git commit: More logout work for SAML SSO
Repository: cxf-fediz
Updated Branches:
refs/heads/master cc8c123cd -> f233488c3
More logout work for SAML SSO
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f233488c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f233488c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f233488c
Branch: refs/heads/master
Commit: f233488c3ff9ec15a063862e4fa7b11c9f0b98ff
Parents: cc8c123
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Oct 24 15:52:57 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Oct 24 15:52:57 2014 +0100
----------------------------------------------------------------------
.../cxf/fediz/core/config/SAMLProtocol.java | 4 +-
.../fediz/core/processor/SAMLProcessorImpl.java | 26 +++++-------
.../src/main/resources/schemas/FedizConfig.xsd | 2 +
.../fediz/tomcat/FederationAuthenticator.java | 44 ++++++++++++--------
4 files changed, 42 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index d5a04c5..a9736e9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -106,5 +106,7 @@ public class SAMLProtocol extends Protocol {
getSAMLProtocol().setDoNotEnforceKnownIssuer(doNotEnforceKnownIssuer);
}
-
+ public String getIssuerLogoutURL() {
+ return getSAMLProtocol().getIssuerLogoutURL();
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 47634d9..ed6dd31 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -418,12 +418,18 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
throw new IllegalStateException("Unsupported protocol");
}
- String issuerURL = resolveIssuer(request, config);
- LOG.info("Issuer url: " + issuerURL);
- if (issuerURL != null && issuerURL.length() > 0) {
- redirectURL = issuerURL;
+ redirectURL = ((SAMLProtocol)config.getProtocol()).getIssuerLogoutURL();
+ if (redirectURL == null) {
+ String issuerURL = resolveIssuer(request, config);
+ LOG.info("Issuer url: " + issuerURL);
+ if (issuerURL != null && issuerURL.length() > 0) {
+ redirectURL = issuerURL;
+ }
+ }
+ if (redirectURL == null) {
+ LOG.debug("No issuerLogoutURL or issuer parameter specified for logout");
+ throw new ProcessingException("Failed to create SignOutRequest");
}
- redirectURL = "http://localhost:8081/IDBUS/CXF/CXFIDP/SAML2/SLO/REDIR";
SAMLPRequestBuilder samlpRequestBuilder =
((SAMLProtocol)config.getProtocol()).getSAMLPRequestBuilder();
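Review bot: The configured value read at `redirectURL = ((SAMLProtocol)config.getProtocol()).getIssuerLogoutURL();` is only tested for null, while the issuer fallback directly below it also rejects the empty string, so an empty `<issuerLogoutURL/>` element would skip both the fallback and the ProcessingException and produce a redirect to `"?SAMLRequest=..."`; using `if (redirectURL == null || redirectURL.length() == 0) {` for both null checks keeps the two paths consistent. Separately, when no issuerLogoutURL is configured the redirect target is whatever `resolveIssuer(request, config)` returns; if that value is taken from a request parameter, as the debug message `No issuerLogoutURL or issuer parameter specified for logout` suggests, the sign-out redirect target is request-derived and should be checked against the configured or otherwise trusted issuers before being used, and `LOG.info("Issuer url: " + issuerURL)` would fit better at debug level. The enclosing method begins before this hunk.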
@@ -432,7 +438,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
doc.appendChild(doc.createElement("root"));
// Create the LogoutRequest
- String requestURL = request.getRequestURL().toString();
String realm = resolveWTRealm(request, config);
String reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
LogoutRequest logoutRequest =
@@ -446,14 +451,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
String logoutRequestEncoded = encodeAuthnRequest(logoutRequestElement);
String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
- RequestState requestState = new RequestState();
- requestState.setTargetAddress(requestURL);
- requestState.setIdpServiceAddress(redirectURL);
- requestState.setRequestId(logoutRequest.getID());
- requestState.setIssuerId(realm);
- requestState.setWebAppContext(logoutRequest.getIssuer().getValue());
- requestState.setState(relayState);
- requestState.setCreatedAt(System.currentTimeMillis());
String urlEncodedRequest =
URLEncoder.encode(logoutRequestEncoded, "UTF-8");
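Review bot: Dropping the `RequestState` here, together with `response.setRequestState(requestState)` in the hunk at `@@ -470,7 +467,6 @@`, means the LogoutRequest ID, the generated `relayState` and the IdP address are no longer stored anywhere, so a LogoutResponse arriving later cannot be correlated to an outstanding request by its InResponseTo or RelayState; if the SLO response handling depends on that state it should be kept, and if the omission is deliberate a comment such as `// No RequestState is kept for logout: the LogoutResponse is not correlated to this request` would record that. `relayState` is still generated on the line above but now only travels in the redirect URL. The enclosing method continues outside this hunk.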
@@ -470,7 +467,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
RedirectionResponse response = new RedirectionResponse();
response.addHeader("Cache-Control", "no-cache, no-store");
response.addHeader("Pragma", "no-cache");
- response.setRequestState(requestState);
redirectURL = redirectURL + "?" + sb.toString();
response.setRedirectionURL(redirectURL);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index d26ad25..f430c91 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -113,6 +113,7 @@
<xs:element ref="authnRequestBuilder"/>
<xs:element ref="disableDeflateEncoding"/>
<xs:element ref="doNotEnforceKnownIssuer"/>
+ <xs:element ref="issuerLogoutURL"/>
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
</xs:extension>
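Review bot: `<xs:element ref="issuerLogoutURL"/>` is added to the `xs:sequence` without `minOccurs="0"`, so under XSD defaults it becomes a required child and existing configurations that omit it would no longer validate, even though the Java side treats a null issuerLogoutURL as "not configured"; `<xs:element ref="issuerLogoutURL" minOccurs="0"/>` makes the schema match that optional semantics. The sibling elements on the lines above carry no minOccurs either, so if the project does not validate configurations against this schema, or intends all of them to be required, this may be deliberate.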
@@ -129,6 +130,7 @@
<xs:element name="authnRequestBuilder" type="xs:string" />
<xs:element name="disableDeflateEncoding" type="xs:boolean"/>
<xs:element name="doNotEnforceKnownIssuer" type="xs:boolean"/>
+ <xs:element name="issuerLogoutURL" type="xs:string"/>
<xs:complexType name="protocolType" abstract="true">
<xs:sequence>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f233488c/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index a7e9a00..4e7bae9 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -222,20 +222,7 @@ public class FederationAuthenticator extends FormAuthenticator {
}
request.getSession().invalidate();
-
- final ServletOutputStream responseOutputStream = response.getOutputStream();
- InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
- if (inputStream == null) {
- LOG.warn("Could not write logout.jpg");
- return;
- }
- int read = 0;
- byte[] buf = new byte[1024];
- while ((read = inputStream.read(buf)) != -1) {
- responseOutputStream.write(buf, 0, read);
- }
- inputStream.close();
- responseOutputStream.flush();
+ handleLogout(response.getOutputStream());
return;
}
@@ -244,6 +231,21 @@ public class FederationAuthenticator extends FormAuthenticator {
}
+ private void handleLogout(final ServletOutputStream responseOutputStream) throws IOException {
+ InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
+ if (inputStream == null) {
+ LOG.warn("Could not write logout.jpg");
+ return;
+ }
+ int read = 0;
+ byte[] buf = new byte[1024];
+ while ((read = inputStream.read(buf)) != -1) {
+ responseOutputStream.write(buf, 0, read);
+ }
+ inputStream.close();
+ responseOutputStream.flush();
+ }
+
private String getMetadataURI(FedizContext fedConfig) {
if (fedConfig.getProtocol().getMetadataURI() != null) {
return fedConfig.getProtocol().getMetadataURI();
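Review bot: In the new `handleLogout`, `inputStream.close()` is only reached when the copy loop completes, so an IOException from `responseOutputStream.write` (a client disconnect, for instance) leaks the classloader resource stream; wrapping the loop in try/finally fixes that, as in the excerpt below. The method also has no Javadoc; a one-liner such as `/** Writes the bundled logout.jpg to the response stream; logs a warning and writes nothing if the resource is missing. */` would help, and since the method receives only the output stream, the caller is presumably responsible for setting the image content type — worth confirming.
```java
private void handleLogout(final ServletOutputStream responseOutputStream) throws IOException {
    InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
    if (inputStream == null) {
        LOG.warn("Could not write logout.jpg");
        return;
    }
    try {
        int read = 0;
        byte[] buf = new byte[1024];
        while ((read = inputStream.read(buf)) != -1) {
            responseOutputStream.write(buf, 0, read);
        }
    } finally {
        // close even when the copy fails part-way
        inputStream.close();
    }
    responseOutputStream.flush();
}
```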
@@ -260,7 +262,7 @@ public class FederationAuthenticator extends FormAuthenticator {
@Override
public boolean authenticate(Request request, HttpServletResponse response,
LoginConfig config) throws IOException {
-
+
LOG.debug("authenticate invoked");
// References to objects we will need later
Session session = null;
@@ -273,10 +275,11 @@ public class FederationAuthenticator extends FormAuthenticator {
//logout
String logoutUrl = fedConfig.getLogoutURL();
- if (logoutUrl != null && !logoutUrl.isEmpty()) {
+ if (logoutUrl != null && !logoutUrl.isEmpty()
+ && request.getRequestURI().equals(contextName + logoutUrl)) {
HttpSession httpSession = request.getSession(false);
- String uri = request.getRequestURI();
- if (httpSession != null && uri.equals(contextName + logoutUrl)) {
+ if (httpSession != null) {
+ // Here the user is already logged in
session = request.getSessionInternal();
Element token =
@@ -295,6 +298,11 @@ public class FederationAuthenticator extends FormAuthenticator {
signOutRedirectToIssuer(request, response, token, wfProc);
return false;
+ } else {
+ // The user is already logged out
+ handleLogout(response.getOutputStream());
+
+ return false;
}
}