Posted to commits@cxf.apache.org by co...@apache.org on 2013/02/01 16:54:16 UTC

svn commit: r1441496 - in /cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp: FederationFilter.java STSClientFilter.java

Author: coheigea
Date: Fri Feb  1 15:54:15 2013
New Revision: 1441496

URL: http://svn.apache.org/viewvc?rev=1441496&view=rev
Log:
[FEDIZ-48] - Support wfresh properly in the IdP 

Modified:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java?rev=1441496&r1=1441495&r2=1441496&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java Fri Feb  1 15:54:15 2013
@@ -19,6 +19,7 @@
 package org.apache.cxf.fediz.service.idp;
 
 import java.io.IOException;
+import java.util.Date;
 
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
@@ -128,11 +129,12 @@ public class FederationFilter extends Ab
             } else {
                 if (idpToken.isExpired()) {
                     LOG.info("IDP token of '" + user + "' expired. Require authentication.");
-                    authenticationRequired = idpToken.isExpired();
-                } else if (wfresh != null && wfresh.equals("0")) {
-                    LOG.info("IDP token of '" + user + "' valid but relying party requested new authentication");
                     authenticationRequired = true;
-                } else {
+                } else if (wfresh != null) {
+                    authenticationRequired = parseWfresh(wfresh, user, idpToken);
+                }
+                
+                if (!authenticationRequired) {
                     LOG.debug("Session found for '" + user + "'.");
                     //Add it to the request context
                     context.put(sessionToken, idpToken);
@@ -149,6 +151,30 @@ public class FederationFilter extends Ab
         }
     }
 
+    /*
+     * Return true if authentication is required after parsing wfresh
+     */
+    private boolean parseWfresh(String wfresh, String user, SecurityToken idpToken) {
+        if ("0".equals(wfresh)) {
+            LOG.info("IDP token of '" + user + "' valid but relying party requested new authentication");
+            return true;
+        } else {
+            long ttl = Long.parseLong(wfresh);
+            if (ttl > 0) {
+                Date createdDate = idpToken.getCreated();
+                Date expiryDate = new Date();
+                expiryDate.setTime(createdDate.getTime() + (ttl * 60L * 1000L));
+                if (expiryDate.before(new Date())) {
+                    LOG.info("IDP token of '" + user 
+                             + "' valid but relying party requested new authentication via wfresh: " + wfresh);
+                    return true;
+                }
+            } else {
+                LOG.info("wfresh value of " + wfresh + " is invalid");
+            }
+        }
+        return false;
+    }
 
 
 }
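Review bot: `Long.parseLong(wfresh)` at the top of the else branch is not guarded, so a non-numeric wfresh — a request parameter supplied by the relying party, reaching this method through `authenticationRequired = parseWfresh(wfresh, user, idpToken);` in the previous hunk — escapes the filter as an uncaught NumberFormatException instead of being logged like the `ttl <= 0` case; the `configureTTL` method this commit deletes did catch it. The rewrite below catches it and routes it to the existing "is invalid" handling, which keeps the old best-effort behaviour. If `idpToken.getCreated()` can return null (not visible here), `createdDate.getTime()` would also throw; worth a guard or a confirmation in the method comment. The comment would also be more useful as Javadoc stating that wfresh is interpreted as a token age limit in minutes, with `"0"` meaning always re-authenticate.
```java
    private boolean parseWfresh(String wfresh, String user, SecurityToken idpToken) {
        if ("0".equals(wfresh)) {
            LOG.info("IDP token of '" + user + "' valid but relying party requested new authentication");
            return true;
        }
        long ttl;
        try {
            ttl = Long.parseLong(wfresh);
        } catch (NumberFormatException ex) {
            // wfresh comes from the relying party's request; a malformed value must not abort the filter
            LOG.info("wfresh value of " + wfresh + " is invalid");
            return false;
        }
        if (ttl <= 0) {
            LOG.info("wfresh value of " + wfresh + " is invalid");
            return false;
        }
        // … unchanged: expiry computed from idpToken.getCreated() + ttl minutes, logged and returns true when past …
        return false;
    }
```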

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java?rev=1441496&r1=1441495&r2=1441496&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java Fri Feb  1 15:54:15 2013
@@ -248,9 +248,14 @@ public class STSClientFilter extends Abs
                 sts.getProperties().put(SecurityConstants.USERNAME, username);
                 sts.getProperties().put(SecurityConstants.PASSWORD, password);
             }
-
-            // Set TTL on the request if wfresh is configured
-            configureTTL(sts, context);
+            
+            /*
+            if (getInitParameter(S_PARAM_TOKEN_INTERNAL_LIFETIME) != null) {
+                sts.setEnableLifetime(true);
+                int ttl = Integer.parseInt(getInitParameter(S_PARAM_TOKEN_INTERNAL_LIFETIME));
+                sts.setTtl(ttl);
+            }
+            */
 
             if (appliesTo.startsWith("$")) {
                 resolvedAppliesTo = (String)context.get(appliesTo.substring(1));
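Review bot: The block added in place of the removed `configureTTL(sts, context);` call is commented-out code; it references `S_PARAM_TOKEN_INTERNAL_LIFETIME`, `setEnableLifetime` and `setTtl` and will silently drift from the real API since the compiler never sees it. Either delete it or, if the intent is that wfresh is now enforced only in FederationFilter, say so in one line, e.g. `// Token lifetime is no longer derived from wfresh here; freshness is checked in FederationFilter.parseWfresh`. The replacement for the blank line also carries trailing whitespace.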
@@ -370,21 +375,6 @@ public class STSClientFilter extends Abs
         return writer.getDocument().getDocumentElement();
     }
     
-    private void configureTTL(IdpSTSClient sts, AuthContext context) {
-        String wfresh = (String)context.get(FederationFilter.PARAM_WFRESH);
-        if (wfresh != null) {
-            try {
-                int ttl = Integer.parseInt(wfresh);
-                if (ttl > 0) {
-                    sts.setTtl(ttl * 60);                    
-                    sts.setEnableLifetime(true);
-                }
-            } catch (NumberFormatException ex) {
-                LOG.error("Invalid wfresh value '" + wfresh + "': "  + ex.getMessage());
-            }
-        }
-    }
-    
     private synchronized void setSTSWsdlUrl(String wsdlUrl) {
         this.stsWsdlUrl = wsdlUrl;
         this.isPortSet = true;