Posted to commits@cxf.apache.org by se...@apache.org on 2015/12/09 11:48:23 UTC
cxf-fediz git commit: Some more OAuthDataManager cleanup
Repository: cxf-fediz
Updated Branches:
refs/heads/master 807c00235 -> 3eaac56a8
Some more OAuthDataManager cleanup
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/3eaac56a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/3eaac56a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/3eaac56a
Branch: refs/heads/master
Commit: 3eaac56a8093fda8d0c130b0fb7a2ee6a49bef8c
Parents: 807c002
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Dec 9 10:48:04 2015 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Dec 9 10:48:04 2015 +0000
----------------------------------------------------------------------
.../service/oidc/LocalSamlTokenConverter.java | 119 -------------------
.../fediz/service/oidc/OAuthDataManager.java | 36 +++---
.../fediz/service/oidc/SamlTokenConverter.java | 97 +++++++++++++--
.../src/main/webapp/WEB-INF/data-manager.xml | 2 +-
4 files changed, 107 insertions(+), 147 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java
deleted file mode 100644
index 82505a8..0000000
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.oidc;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.fediz.core.Claim;
-import org.apache.cxf.fediz.core.ClaimCollection;
-import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.opensaml.saml.saml2.core.Assertion;
-import org.opensaml.saml.saml2.core.Issuer;
-
-
-
-
-public class LocalSamlTokenConverter implements SamlTokenConverter {
-
- private String issuer;
-
- @Override
- public IdToken convertToIdToken(Element samlToken,
- String subjectName,
- ClaimCollection claims,
- String clientId,
- String nonce) {
- IdToken idToken = new IdToken();
- idToken.setSubject(subjectName);
- idToken.setAudience(clientId);
-
- long currentTimeInSeconds = System.currentTimeMillis() / 1000L;
- idToken.setIssuedAt(currentTimeInSeconds);
- idToken.setExpiryTime(currentTimeInSeconds + 60000L);
-
- Assertion saml2Assertion = null;
- // Set the authInstant
- try {
- SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
- saml2Assertion = wrapper.getSaml2();
- if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty()) {
- long authInstant =
- saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis();
- idToken.setAuthenticationTime(authInstant / 1000L);
- }
- } catch (WSSecurityException ex) {
- throw new OAuthServiceException("Error converting SAML token", ex);
- }
-
- // Map claims
- if (claims != null) {
- String firstName = null;
- String lastName = null;
- for (Claim c : claims) {
- if (!(c.getValue() instanceof String)) {
- continue;
- }
- if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) {
- idToken.setGivenName((String)c.getValue());
- firstName = (String)c.getValue();
- } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) {
- idToken.setFamilyName((String)c.getValue());
- lastName = (String)c.getValue();
- } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) {
- idToken.setEmail((String)c.getValue());
- } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) {
- idToken.setBirthDate((String)c.getValue());
- } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) {
- idToken.setPhoneNumber((String)c.getValue());
- } else if (ClaimTypes.GENDER.equals(c.getClaimType())) {
- idToken.setGender((String)c.getValue());
- } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) {
- idToken.setWebsite((String)c.getValue());
- }
- }
-
- if (firstName != null && lastName != null) {
- idToken.setName(firstName + " " + lastName);
- }
- }
-
- if (nonce != null) {
- idToken.setNonce(nonce);
- }
- if (issuer != null) {
- idToken.setIssuer(issuer);
- } else if (saml2Assertion != null) {
- Issuer assertionIssuer = saml2Assertion.getIssuer();
- if (assertionIssuer != null) {
- idToken.setIssuer(assertionIssuer.getValue());
- }
- }
-
- return idToken;
- }
-
-
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index 5c373b4..51c5296 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
@@ -38,7 +38,7 @@ import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
- private SamlTokenConverter tokenConverter = new LocalSamlTokenConverter();
+ private SamlTokenConverter tokenConverter = new SamlTokenConverter();
public OAuthDataManager() {
}
@@ -76,30 +76,26 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
}
protected OidcUserSubject createOidcSubject(Client client, UserSubject subject, String nonce) {
- IdToken idToken = getIdToken(client, nonce);
- if (idToken != null) {
- OidcUserSubject oidcSub = new OidcUserSubject(subject);
- oidcSub.setIdToken(idToken);
- return oidcSub;
- }
- return null;
- }
-
- protected IdToken getIdToken(Client client, String nonce) {
Principal principal = getMessageContext().getSecurityContext().getUserPrincipal();
- if (principal instanceof FedizPrincipal) {
- FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
- return tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
- fedizPrincipal.getName(),
- fedizPrincipal.getClaims(),
- client.getClientId(),
- nonce);
- } else {
+ if (!(principal instanceof FedizPrincipal)) {
throw new OAuthServiceException("Unsupported Principal");
}
+ FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
+ IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
+ fedizPrincipal.getName(),
+ fedizPrincipal.getClaims(),
+ client.getClientId(),
+ nonce);
+
+ //TODO: Consider populating UserInfo at this point too, with UserInfo having few more claims
+ // from the claims collection, and setting it on OidcUserSubject
+
+ OidcUserSubject oidcSub = new OidcUserSubject(subject);
+ oidcSub.setIdToken(idToken);
+ return oidcSub;
}
-
+
public void setTokenConverter(SamlTokenConverter tokenConverter) {
this.tokenConverter = tokenConverter;
}
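Review bot: Folding the protected `getIdToken(Client, String)` hook into `createOidcSubject` is a source-incompatible change for subclasses of OAuthDataManager: an override written without `@Override` becomes dead code and is silently no longer consulted, and one written with `@Override` stops compiling. If customisation is now meant to go only through `setTokenConverter`, say so in the commit message or in a Javadoc on `createOidcSubject` (e.g. `/** Builds the OidcUserSubject for the current FedizPrincipal; the id_token is produced by the configured SamlTokenConverter. */`); otherwise keep a thin protected method around the `tokenConverter.convertToIdToken(...)` call. The `//TODO` about UserInfo reads as a design note rather than an open defect, so it would be clearer as a tracked issue reference or dropped from the code. The enclosing class body continues outside this hunk.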
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
index 2ef225b..5e4a363 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
@@ -19,14 +19,97 @@
package org.apache.cxf.fediz.service.oidc;
import org.w3c.dom.Element;
+import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.ClaimCollection;
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oidc.common.IdToken;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Issuer;
+
+public class SamlTokenConverter {
+
+ private String issuer;
+
+ public IdToken convertToIdToken(Element samlToken,
+ String subjectName,
+ ClaimCollection claims,
+ String clientId,
+ String nonce) {
+ IdToken idToken = new IdToken();
+ idToken.setSubject(subjectName);
+ idToken.setAudience(clientId);
+
+ long currentTimeInSeconds = System.currentTimeMillis() / 1000L;
+ idToken.setIssuedAt(currentTimeInSeconds);
+ idToken.setExpiryTime(currentTimeInSeconds + 60000L);
+
+ Assertion saml2Assertion = null;
+ // Set the authInstant
+ try {
+ SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken);
+ saml2Assertion = wrapper.getSaml2();
+ if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty()) {
+ long authInstant =
+ saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis();
+ idToken.setAuthenticationTime(authInstant / 1000L);
+ }
+ } catch (WSSecurityException ex) {
+ throw new OAuthServiceException("Error converting SAML token", ex);
+ }
+
+ // Map claims
+ if (claims != null) {
+ String firstName = null;
+ String lastName = null;
+ for (Claim c : claims) {
+ if (!(c.getValue() instanceof String)) {
+ continue;
+ }
+ if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) {
+ idToken.setGivenName((String)c.getValue());
+ firstName = (String)c.getValue();
+ } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) {
+ idToken.setFamilyName((String)c.getValue());
+ lastName = (String)c.getValue();
+ } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) {
+ idToken.setEmail((String)c.getValue());
+ } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) {
+ idToken.setBirthDate((String)c.getValue());
+ } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) {
+ idToken.setPhoneNumber((String)c.getValue());
+ } else if (ClaimTypes.GENDER.equals(c.getClaimType())) {
+ idToken.setGender((String)c.getValue());
+ } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) {
+ idToken.setWebsite((String)c.getValue());
+ }
+ }
+
+ if (firstName != null && lastName != null) {
+ idToken.setName(firstName + " " + lastName);
+ }
+ }
+
+ if (nonce != null) {
+ idToken.setNonce(nonce);
+ }
+ if (issuer != null) {
+ idToken.setIssuer(issuer);
+ } else if (saml2Assertion != null) {
+ Issuer assertionIssuer = saml2Assertion.getIssuer();
+ if (assertionIssuer != null) {
+ idToken.setIssuer(assertionIssuer.getValue());
+ }
+ }
+
+ return idToken;
+ }
+
+
+ public void setIssuer(String issuer) {
+ this.issuer = issuer;
+ }
-
-public interface SamlTokenConverter {
- IdToken convertToIdToken(Element samlToken,
- String subjectName,
- ClaimCollection claims,
- String audience,
- String nonce);
}
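Review bot: The id_token lifetime at `idToken.setExpiryTime(currentTimeInSeconds + 60000L);` adds 60000 to a value that is already in seconds, so every token minted here stays valid for roughly 16.7 hours, which looks like a seconds/milliseconds mix-up rather than a deliberate choice; the same line existed in the deleted LocalSamlTokenConverter, so it is inherited rather than introduced by this commit. If a one-minute lifetime was intended the line should read `idToken.setExpiryTime(currentTimeInSeconds + 60L);`; otherwise expose the lifetime next to `issuer` as `private long idTokenLifetimeSeconds = 60L;` with a setter and use `idToken.setExpiryTime(currentTimeInSeconds + idTokenLifetimeSeconds);` so the unit is explicit and the XML wiring can tune it. The public class and `convertToIdToken` also carry no Javadoc; a class comment stating that it builds an OIDC IdToken from a SAML login token plus a Fediz claim collection, and that a configured `issuer` takes precedence over the assertion's own issuer, would help readers arriving from data-manager.xml.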
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index 33789ee..da299c0 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -26,7 +26,7 @@
<bean id="applicationContextProvider" class="org.apache.cxf.fediz.service.oidc.ApplicationContextProvider"/>
- <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.LocalSamlTokenConverter">
+ <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter">
<property name="issuer" value="accounts.fediz.com"/>
</bean>
<bean id="oauthProvider" class="org.apache.cxf.fediz.service.oidc.OAuthDataManager"