Posted to commits@cxf.apache.org by ow...@apache.org on 2012/05/16 14:59:01 UTC
svn commit: r1339145 - in /cxf/fediz/trunk:
examples/simpleWebapp/src/main/config/
examples/wsclientWebapp/webapp/src/main/config/
plugins/core/src/main/java/org/apache/cxf/fediz/core/
plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/
Author: owulff
Date: Wed May 16 12:59:00 2012
New Revision: 1339145
URL: http://svn.apache.org/viewvc?rev=1339145&view=rev
Log:
AudienceURI validation added and configuration of custom realm
Modified:
cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
Modified: cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?rev=1339145&r1=1339144&r2=1339145&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml Wed May 16 12:59:00 2012
@@ -2,7 +2,7 @@
<FedizConfig>
<contextConfig name="/fedizhelloworld">
<audienceUris>
- <audienceItem>http://host_one:port/url</audienceItem>
+ <audienceItem>https://localhost:8443/fedizhelloworld/</audienceItem>
</audienceUris>
<certificateStores>
<trustManager>
Modified: cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml?rev=1339145&r1=1339144&r2=1339145&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml Wed May 16 12:59:00 2012
@@ -2,7 +2,7 @@
<FedizConfig>
<contextConfig name="/fedizhelloworld">
<audienceUris>
- <audienceItem>http://host_one:port/url</audienceItem>
+ <audienceItem>https://localhost:8443/fedizhelloworld/</audienceItem>
</audienceUris>
<certificateStores>
<trustManager>
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1339145&r1=1339144&r2=1339145&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java Wed May 16 12:59:00 2012
@@ -267,22 +267,32 @@ public class FederationProcessorImpl imp
.encode(request.getRequestURL().toString(), "UTF-8"));
String realm = null;
- String contextPath = request.getContextPath();
- String requestUrl = request.getRequestURL().toString();
- String requestPath = new URL(requestUrl).getPath();
-
- // Cut request path of request url and add context path if not ROOT
- if (requestPath != null && requestPath.length() > 0) {
- int lastIndex = requestUrl.lastIndexOf(requestPath);
- realm = requestUrl.substring(0, lastIndex);
+ FederationProtocol fp = null;
+ if (config.getProtocol() instanceof FederationProtocol) {
+ fp = (FederationProtocol)config.getProtocol();
} else {
- realm = requestUrl;
+ LOG.error("Unsupported protocol");
+ throw new IllegalStateException("Unsupported protocol");
}
- if (contextPath != null && contextPath.length() > 0) {
- // contextPath contains starting slash
- realm = realm + contextPath + "/";
+ if (fp.getRealm() != null) {
+ realm = fp.getRealm();
} else {
- realm = realm + "/";
+ String contextPath = request.getContextPath();
+ String requestUrl = request.getRequestURL().toString();
+ String requestPath = new URL(requestUrl).getPath();
+ // Cut request path of request url and add context path if not ROOT
+ if (requestPath != null && requestPath.length() > 0) {
+ int lastIndex = requestUrl.lastIndexOf(requestPath);
+ realm = requestUrl.substring(0, lastIndex);
+ } else {
+ realm = requestUrl;
+ }
+ if (contextPath != null && contextPath.length() > 0) {
+ // contextPath contains starting slash
+ realm = realm + contextPath + "/";
+ } else {
+ realm = realm + "/";
+ }
}
LOG.debug("wtrealm=" + realm);
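Review bot: The `if (fp.getRealm() != null)` test on the new side treats an empty configured realm as a valid override, so an empty `<realm/>` element (if the config layer allows one — its getter contract is not visible here) would be sent as wtrealm instead of falling back to the derived value; guard with `if (fp.getRealm() != null && !fp.getRealm().trim().isEmpty())`. The fallback branch still builds the realm from `request.getRequestURL()`, which reflects the Host header as the container received it, so a one-line comment at the `else` such as `// derived from the request URL; set <realm> explicitly when the app sits behind a proxy or virtual host` would tell operators why the explicit setting is preferable. The enclosing method starts and ends outside this hunk.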
Modified: cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?rev=1339145&r1=1339144&r2=1339145&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java (original)
+++ cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java Wed May 16 12:59:00 2012
@@ -36,6 +36,7 @@ import org.apache.catalina.authenticator
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
+import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.FederationProcessor;
import org.apache.cxf.fediz.core.FederationProcessorImpl;
@@ -309,12 +310,30 @@ public class FederationAuthenticator ext
FederationProcessor wfProc = new FederationProcessorImpl();
wfRes = wfProc.processRequest(wfReq, fedConfig);
-
- if (wfRes.getAudience() != null
- && request.getRequestURL().indexOf(wfRes.getAudience()) == -1) {
- log.debug("Audience doesn't match with request URL ["
- + wfRes.getAudience() + "] ["
- + request.getRequestURL() + "]");
+
+ // Validate the AudienceRestriction in Security Token (e.g. SAML)
+ // against the configured list of audienceURIs
+ if (wfRes.getAudience() != null) {
+ List<String> audienceURIs = fedConfig.getAudienceUris();
+ boolean validAudience = false;
+ for (String a : audienceURIs) {
+ if (wfRes.getAudience().startsWith(a)) {
+ validAudience = true;
+ break;
+ }
+ }
+
+ if (!validAudience) {
+ log.warn("Token AudienceRestriction [" + wfRes.getAudience() + "] doesn't match with specified list of URIs.");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return (false);
+ }
+
+ if (log.isDebugEnabled() && request.getRequestURL().indexOf(wfRes.getAudience()) == -1) {
+ log.debug("Token AudienceRestriction doesn't match with request URL ["
+ + wfRes.getAudience() + "] ["
+ + request.getRequestURL() + "]");
+ }
}
List<String> roles = wfRes.getRoles();
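Review bot: The new audience check is skipped entirely when the token carries no AudienceRestriction (`wfRes.getAudience() == null`), so such a token is accepted even though the deployment has configured audience URIs; whether that is intended depends on the token profile, but with `audienceUris` present the safer default is to reject. Two smaller issues in the same block: `startsWith(a)` is a prefix match, so a configured `https://host/app` also accepts `https://host/application` (normalize trailing slashes on both sides if that tolerance is needed, rather than comparing prefixes), and `fedConfig.getAudienceUris()` is dereferenced without a null check, turning a missing `<audienceUris>` element into a NullPointerException rather than a clean 403. The `Claim` import added in the earlier hunk of this file has no visible use in this commit; if it is unused it should be dropped. The enclosing method starts and ends outside this hunk; if tokens without an AudienceRestriction must still be accepted somewhere, keep that exception explicit and commented rather than implicit in the null test.
```java
// Validate the AudienceRestriction in Security Token (e.g. SAML)
// against the configured list of audienceURIs; fail closed when either side is missing
List<String> audienceURIs = fedConfig.getAudienceUris();
String audience = wfRes.getAudience();
// exact match: a prefix match would also accept unrelated URIs sharing the prefix
boolean validAudience = audience != null
    && audienceURIs != null
    && audienceURIs.contains(audience);
if (!validAudience) {
    log.warn("Token AudienceRestriction [" + audience
        + "] doesn't match with specified list of URIs.");
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return false;
}
// … unchanged: debug log comparing audience with the request URL …
```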