Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/19 15:51:15 UTC
cxf-fediz git commit: Fixing some issues with the POST binding for
SAML SSO
Repository: cxf-fediz
Updated Branches:
refs/heads/1.2.x-fixes 7584a0c30 -> 4bea6a111
Fixing some issues with the POST binding for SAML SSO
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4bea6a11
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4bea6a11
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4bea6a11
Branch: refs/heads/1.2.x-fixes
Commit: 4bea6a1116112bf23bbe71689d606c9026ef9a84
Parents: 7584a0c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jan 19 14:50:08 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jan 19 14:51:09 2016 +0000
----------------------------------------------------------------------
.../TrustedIdpSAMLProtocolHandler.java | 24 ++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4bea6a11/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index e55a372..713dccb 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -57,10 +57,12 @@ import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.cxf.rs.security.saml.sso.AuthnRequestBuilder;
import org.apache.cxf.rs.security.saml.sso.DefaultAuthnRequestBuilder;
+import org.apache.cxf.rs.security.saml.sso.EHCacheTokenReplayCache;
import org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator;
import org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator;
import org.apache.cxf.rs.security.saml.sso.SSOConstants;
import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
+import org.apache.cxf.rs.security.saml.sso.TokenReplayCache;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.crypto.CertificateStore;
@@ -116,6 +118,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
private static final String SAML_SSO_REQUEST_ID = "saml-sso-request-id";
private AuthnRequestBuilder authnRequestBuilder = new DefaultAuthnRequestBuilder();
+ private TokenReplayCache<String> replayCache;
static {
OpenSAMLUtil.initSamlEngine();
@@ -430,14 +433,20 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
isPropertyConfigured(trustedIdp, REQUIRE_SIGNED_ASSERTIONS, true));
ssoResponseValidator.setEnforceKnownIssuer(
isPropertyConfigured(trustedIdp, REQUIRE_KNOWN_ISSUER, true));
+
+ HttpServletRequest httpServletRequest = WebUtils.getHttpServletRequest(requestContext);
+ boolean post = "POST".equals(httpServletRequest.getMethod());
+ if (post) {
+ ssoResponseValidator.setReplayCache(getReplayCache());
+ }
- return ssoResponseValidator.validateSamlResponse(samlResponse, false);
+ return ssoResponseValidator.validateSamlResponse(samlResponse, post);
} catch (WSSecurityException ex) {
LOG.debug(ex.getMessage(), ex);
throw ExceptionUtils.toBadRequestException(ex, null);
}
}
-
+
// Is a property configured. Defaults to "true" if not
private boolean isPropertyConfigured(TrustedIdp trustedIdp, String property, boolean defaultValue) {
Map<String, String> parameters = trustedIdp.getParameters();
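Review bot: The replay cache is wired only on the POST branch, so a Response that reaches this handler over any other method is validated with `postBinding=false` and, as far as this hunk shows, never consulted against the cache. The decision is keyed on the HTTP method of the incoming request rather than on how the trusted IdP is configured, so if the endpoint also accepts responses on GET (redirect binding) the same assertion can presumably be presented again that way without being detected; attaching the cache unconditionally, or rejecting non-POST responses when the trusted IdP is configured for the POST binding, would close that gap. A short comment on the branch would also help the next reader, e.g. `// POST binding: enforce SubjectConfirmationData (Recipient/NotOnOrAfter/InResponseTo) and replay detection`. Whether the validator itself ignores the cache for non-POST is not visible here and should be confirmed against SAMLSSOResponseValidator. The enclosing validation method starts above this hunk.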
@@ -448,4 +457,15 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
return defaultValue;
}
+
+ public void setReplayCache(TokenReplayCache<String> replayCache) {
+ this.replayCache = replayCache;
+ }
+
+ public TokenReplayCache<String> getReplayCache() {
+ if (replayCache == null) {
+ replayCache = new EHCacheTokenReplayCache();
+ }
+ return replayCache;
+ }
}
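Review bot: getReplayCache() lazily creates the EHCacheTokenReplayCache with no synchronization and the field is not volatile, so two concurrent first-time callers can each construct a cache and the second assignment silently replaces the first; since replay detection only works when every validation consults the same cache, an assertion replayed across those two threads during that window would not be caught. The smallest fix is `public synchronized TokenReplayCache<String> getReplayCache()`, or constructing the cache eagerly in the field initializer and keeping setReplayCache for injection. The lazily created cache is also never released; if EHCacheTokenReplayCache owns a cache manager that needs closing, the handler should expose a destroy hook that closes it. A one-line Javadoc such as `/** Shared cache of assertion IDs already accepted on the POST binding; used to reject replayed Responses. */` on the field would document why it must be a singleton per handler.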