Posted to commits@cxf.apache.org by ow...@apache.org on 2013/04/02 22:24:04 UTC
svn commit: r1463740 - in /cxf/fediz/trunk/services/idp/src/main:
java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
webapp/WEB-INF/federation-webflow.xml webapp/WEB-INF/idp-servlet.xml
Author: owulff
Date: Tue Apr 2 20:24:04 2013
New Revision: 1463740
URL: http://svn.apache.org/r1463740
Log:
Merged missing changes of pull request
Modified:
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java?rev=1463740&r1=1463739&r2=1463740&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java Tue Apr 2 20:24:04 2013
@@ -75,12 +75,15 @@ public class STSClientAction {
protected String wsdlEndpoint;
protected String appliesTo;
-
+
protected String tokenType;
+
+ protected boolean useWfreshForTTL = true;
- protected boolean claimsRequired = true;
+ private boolean claimsRequired = true;
+
+ private boolean isPortSet;
- protected boolean isPortSet;
public String getWsdlLocation() {
return wsdlLocation;
@@ -131,6 +134,14 @@ public class STSClientAction {
this.claimsRequired = claimsRequired;
}
+ public boolean isUseWfreshForTTL() {
+ return useWfreshForTTL;
+ }
+
+ public void setUseWfreshForTTL(boolean useWfreshForTTL) {
+ this.useWfreshForTTL = useWfreshForTTL;
+ }
+
/**
* @param credentials
* : username and password provided by user
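Review bot: The new `isUseWfreshForTTL`/`setUseWfreshForTTL` pair is a Spring-configured switch on a security-relevant behaviour but carries no Javadoc, while the neighbouring `submit` method is documented. Add a summary on the setter such as `/** When true, a positive 'wfresh' request parameter (apparently minutes, see configureTTL) overrides the lifetime requested from the STS for the issued IdP token; defaults to true. */` so operators reading the bean definition know what they are enabling. The accessor bodies are trivial and need no further change.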
@@ -147,18 +158,7 @@ public class STSClientAction {
paramTokenType(sts);
sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
- if (!isPortSet) {
- try {
- URL url = new URL(this.wsdlLocation);
- URL updatedUrl = new URL(url.getProtocol(), url.getHost(),
- WebUtils.getHttpServletRequest(context).getLocalPort(), url.getFile());
-
- setSTSWsdlUrl(updatedUrl.toString());
- LOG.info("STS WSDL URL updated to " + updatedUrl.toString());
- } catch (MalformedURLException e) {
- LOG.error("Invalid Url '" + this.wsdlLocation + "': " + e.getMessage());
- }
- }
+ processWsdlLocation(context);
sts.setWsdlLocation(this.wsdlLocation);
sts.setServiceQName(new QName(
HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
@@ -167,7 +167,11 @@ public class STSClientAction {
HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
this.wsdlEndpoint));
- if (this.claimsRequired) {
+ if (isUseWfreshForTTL()) {
+ configureTTL(sts, context);
+ }
+
+ if (isClaimsRequired()) {
addClaims(this.appliesTo, bus, sts);
}
@@ -182,6 +186,36 @@ public class STSClientAction {
return idpToken;
}
+ private void processWsdlLocation(RequestContext context) {
+ if (!isPortSet) {
+ try {
+ URL url = new URL(this.wsdlLocation);
+ URL updatedUrl = new URL(url.getProtocol(), url.getHost(),
+ WebUtils.getHttpServletRequest(context).getLocalPort(), url.getFile());
+
+ setSTSWsdlUrl(updatedUrl.toString());
+ LOG.info("STS WSDL URL updated to " + updatedUrl.toString());
+ } catch (MalformedURLException e) {
+ LOG.error("Invalid Url '" + this.wsdlLocation + "': " + e.getMessage());
+ }
+ }
+ }
+
+ /**
+ * Usage of 'wfresh' parameter, picked up from the webflow context,
+ * like time-to-live of security token to be issued..
+ */
+ private void configureTTL(IdpSTSClient sts, RequestContext requestContext) {
+ String wfresh = (String)WebUtils.getAttributeFromExternalContext(requestContext, "wfresh");
+ if (wfresh != null) {
+ int ttl = Integer.parseInt(wfresh);
+ if (ttl > 0) {
+ sts.setTtl(ttl * 60);
+ sts.setEnableLifetime(true);
+ }
+ }
+ }
+
/**
* @param credentials
* {@link SecurityToken}
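Review bot: `configureTTL` passes the `wfresh` value straight to `Integer.parseInt` and then honours any positive result without an upper bound; the webflow copies `wfresh` verbatim from a request parameter into the session, so a relying party (or anyone who can craft the sign-in URL) can either make token issuance throw `NumberFormatException` or request an arbitrarily long-lived IdP token, and `ttl * 60` silently overflows above `Integer.MAX_VALUE / 60`. Parse defensively, ignore values that are not positive integers, and cap the result at a configurable maximum (the sketch below assumes a new `maxTTLMinutes` bean property). In WS-Federation `wfresh` expresses the maximum acceptable age of the authentication rather than a requested lifetime, so the doc comment should state that this is a deliberate reinterpretation, and `sts.setTtl(ttl * 60)` appears to expect seconds — worth confirming against `IdpSTSClient`. The enclosing class continues beyond this hunk.
```java
private void configureTTL(IdpSTSClient sts, RequestContext requestContext) {
    String wfresh = (String)WebUtils.getAttributeFromExternalContext(requestContext, "wfresh");
    if (wfresh == null) {
        return;
    }
    int ttl;
    try {
        ttl = Integer.parseInt(wfresh.trim());
    } catch (NumberFormatException e) {
        LOG.warn("Ignoring non-numeric wfresh value '" + wfresh + "'");
        return;
    }
    if (ttl <= 0) {
        return; // wfresh=0 means 'force re-authentication' and is handled by the webflow
    }
    // never let a relying party request a token that outlives the configured maximum
    if (ttl > maxTTLMinutes) {
        LOG.warn("wfresh " + ttl + " exceeds maximum of " + maxTTLMinutes + " minutes, capping");
        ttl = maxTTLMinutes;
    }
    sts.setTtl(ttl * 60);
    sts.setEnableLifetime(true);
}
```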
@@ -190,7 +224,7 @@ public class STSClientAction {
* @return a serialized RP security token
* @throws Exception
*/
- public String submit(SecurityToken credentials, String wtrealm)
+ public String submit(SecurityToken credentials, String wtrealm, RequestContext context)
throws Exception {
Bus bus = BusFactory.getDefaultBus();
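Review bot: The `submit(SecurityToken, String, RequestContext)` signature gains a `context` parameter but the Javadoc directly above it is left untouched, so the new argument is undocumented while the others are. Add `@param context the webflow request context; used to derive the STS WSDL port from the incoming request` next to the existing `@param` tags. The method body continues beyond this hunk.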
@@ -200,6 +234,7 @@ public class STSClientAction {
paramTokenType(sts);
sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ processWsdlLocation(context);
sts.setWsdlLocation(wsdlLocation);
sts.setServiceQName(new QName(
HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
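Review bot: `processWsdlLocation(context)` is now invoked on the RP-token path as well, and from its body earlier in the diff it appears to rewrite `this.wsdlLocation` through `setSTSWsdlUrl` on a bean that `idp-servlet.xml` declares as an ordinary singleton, so shared state is mutated per request with `isPortSet` read unsynchronized and the first request's local port winning for every later one. If the rewrite is meant as one-time initialisation, resolve the port once under a guard (or during bean setup) and keep the per-request result local — e.g. compute `String wsdl = resolveWsdlLocation(context);` and pass it to `sts.setWsdlLocation(wsdl)` instead of storing it on the bean. Whether `setSTSWsdlUrl` does more than assign the field is not visible here, so this is an inference from the surrounding lines. The enclosing `submit` starts and ends outside this hunk.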
Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml?rev=1463740&r1=1463739&r2=1463740&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml Tue Apr 2 20:24:04 2013
@@ -14,41 +14,61 @@
<set name="externalContext.sessionMap['wtrealm']" value="requestParameters.wtrealm" />
<set name="externalContext.sessionMap['wreply']" value="requestParameters.wreply" />
<set name="externalContext.sessionMap['wctx']" value="requestParameters.wctx" />
+ <set name="externalContext.sessionMap['wfresh']" value="requestParameters.wfresh" />
+ <set name="externalContext.sessionMap['wauth']" value="requestParameters.wauth" />
</on-entry>
<if test="requestParameters.wa == null" then="viewBadRequest" />
<if test="requestParameters.wa != 'wsignin1.0' and requestParameters.wa != 'wsignout1.0' and requestParameters.wa != 'wsignoutcleanup1.0'" then="viewBadRequest" />
<if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'" then="invalidateSessionAction" />
<if test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0" then="viewBadRequest" />
+<!-- check if IDP token exists in session -->
<if test="externalContext.sessionMap['IDP_TOKEN'] == null" then="authenticationRequired" />
+<!-- check if IDP token is expired -->
<if test="externalContext.sessionMap['IDP_TOKEN'].isExpired() == true" then="authenticationRequired" />
- <if test="requestParameters.wfresh != null and requestParameters.wfresh.equals('0')" then="authenticationRequired" else="rpTokenAction" />
+<!-- check if IDP token is still valid but relying party requested new authentication -->
+ <if test="requestParameters.wfresh != null and requestParameters.wfresh.equals('0')" then="authenticationRequired" />
+<!-- check if IDP token is still valid but relying party requested new authentication via wfresh -->
+ <if test="requestParameters.wfresh != null" then="wfreshParserAction" else="rpTokenAction" />
</decision-state>
+ <!-- parse wfresh parameter, provided by resource RP, overriding ttl from 'IDP_TOKEN' -->
+ <action-state id="wfreshParserAction">
+ <evaluate expression="wfreshParser.authenticationRequired(requestParameters.wfresh, externalContext.sessionMap['IDP_TOKEN'])" />
+ <transition on="true" to="authenticationRequired"/>
+ <transition on="false" to="rpTokenAction"/>
+<!-- <transition on-exception="java.lang.Throwable" to="scInternalServerError" /> -->
+<!-- wfresh invalid, ignore exception, force authentication -->
+ <transition on-exception="java.lang.Throwable" to="authenticationRequired" />
+ </action-state>
+
<!-- select authentication support type -->
<decision-state id="authenticationRequired">
<on-entry>
+<!-- remove IDP token from session (if present) -->
<set name="externalContext.sessionMap['IDP_TOKEN']" value="null" />
</on-entry>
- <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" />
+<!-- don't remove line commented below, stands for future use ... -->
+<!-- <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" /> -->
<if test="flowScope['idp.authSupportType'] == 'BASIC'" then="basicAuthenticationCheck" else="viewBadRequest" />
</decision-state>
<!-- display authentication form 'signinform.jsp' (username/password credentials) -->
- <view-state id="formAuthenticationView" view="signinform" model="usernamePasswordCredentials">
- <var name="usernamePasswordCredentials"
- class="org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials" />
- <binder>
- <binding property="username" />
- <binding property="password" />
- </binder>
- <on-entry>
- <evaluate expression="externalContext.nativeResponse.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private')" />
- </on-entry>
- <transition on="authenticate" bind="true" validate="true" to="idpUsernamePasswordTokenAction">
- <set name="flowScope.usernamePasswordCredentials" value="usernamePasswordCredentials" />
- </transition>
- </view-state>
+<!-- don't remove view-state commented below, stands for future use ... -->
+<!-- <view-state id="formAuthenticationView" view="signinform" model="usernamePasswordCredentials"> -->
+<!-- <var name="usernamePasswordCredentials" -->
+<!-- class="org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials" /> -->
+<!-- <binder> -->
+<!-- <binding property="username" /> -->
+<!-- <binding property="password" /> -->
+<!-- </binder> -->
+<!-- <on-entry> -->
+<!-- <evaluate expression="externalContext.nativeResponse.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private')" /> -->
+<!-- </on-entry> -->
+<!-- <transition on="authenticate" bind="true" validate="true" to="idpUsernamePasswordTokenAction"> -->
+<!-- <set name="flowScope.usernamePasswordCredentials" value="usernamePasswordCredentials" /> -->
+<!-- </transition> -->
+<!-- </view-state> -->
<!-- check basic authentication state -->
<decision-state id="basicAuthenticationCheck">
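Review bot: `wfresh` and `wauth` are copied verbatim from request parameters into the session at flow entry with no validation, and the `on-exception="java.lang.Throwable"` transition on `wfreshParserAction` turns any parse failure into a forced re-authentication while leaving the malformed string in the session for `STSClientAction` to parse later. Reject bad input up front next to the other request checks, e.g. `<if test="requestParameters.wfresh != null and !requestParameters.wfresh.matches('[0-9]+')" then="viewBadRequest" />`, and narrow the exception transition to the exception `WfreshParser` actually throws so real bugs in the parser are not masked as a login prompt. Nothing in this change reads the stored `wauth`; if it is reserved for later use, say so in a comment rather than persisting untrusted input without a consumer.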
@@ -78,7 +98,7 @@
<!-- Receiving username/password as credentials, produce IDP security token (as SecurityToken type) and store it in session -->
<!-- catch SoapFault in case of wrong credentials to redirect the flow -->
<action-state id="idpUsernamePasswordTokenAction">
- <evaluate expression="stsClientForIdpAction.submit(flowScope.usernamePasswordCredentials,flowRequestContext)"
+ <evaluate expression="stsClientForIdpAction.submit(flowScope.usernamePasswordCredentials, flowRequestContext)"
result="flowScope.idpToken"
result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
<transition on="success" to="rpTokenAction">
@@ -91,13 +111,14 @@
<!-- when authentication failed, depending on the authentication support type set -->
<decision-state id="authenticationFailedSwitch">
- <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" />
+<!-- don't remove line commented below, stands for future use ... -->
+<!-- <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" /> -->
<if test="flowScope['idp.authSupportType'] == 'BASIC'" then="basicAuthenticationRequested" />
</decision-state>
<!-- produce RP security token (as String type) -->
<action-state id="rpTokenAction">
- <evaluate expression="stsClientForRpAction.submit(externalContext.sessionMap['IDP_TOKEN'], externalContext.sessionMap['wtrealm'])"
+ <evaluate expression="stsClientForRpAction.submit(externalContext.sessionMap['IDP_TOKEN'], externalContext.sessionMap['wtrealm'], flowRequestContext)"
result="flowScope.rpToken"
result-type="java.lang.String" />
<transition to="formResponseView" />
Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml?rev=1463740&r1=1463739&r2=1463740&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml Tue Apr 2 20:24:04 2013
@@ -7,7 +7,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
- <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
+ <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
p:flowRegistry-ref="flowRegistry"
p:order="2">
<!-- <property name="interceptors"> -->
@@ -51,11 +51,12 @@
<property name="wsdlEndpoint" value="TransportUT_Port"/>
<property name="appliesTo" value="urn:fediz:idp"/>
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ <property name="useWfreshForTTL" value="true"/>
<property name="claimsRequired" value="true"/>
</bean>
<bean id="stsClientForRpAction" class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
- <property name="wsdlLocation" value="https://localhost:9443/fediz-idp-sts/STSServiceTransport?wsdl"/>
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/STSServiceTransport?wsdl"/>
<property name="wsdlEndpoint" value="Transport_Port"/>
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
<property name="claimsRequired" value="true"/>
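Review bot: `https://localhost:0/fediz-idp-sts/STSServiceTransport?wsdl` uses port `0` as a sentinel with nothing in the configuration explaining it, which will read as a typo to the next operator. From the Java side of this diff, `STSClientAction` replaces the port with the local port of the incoming request when `isPortSet` is false, so add a comment above the property such as `<!-- port 0 is a placeholder: STSClientAction substitutes the local port of the incoming request, so the STS must be deployed on the same connector as the IdP -->`. Whether `stsClientForIdpAction` (whose `wsdlLocation` lies outside this hunk) relies on the same sentinel should be stated in the same comment.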
@@ -63,10 +64,11 @@
<bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction" />
- <bean id="decodeAuthorizationHeaderAction" class="org.apache.cxf.fediz.service.idp.beans.DecodeAuthorizationHeaderAction" />
-
+ <bean id="decodeAuthorizationHeaderAction" class="org.apache.cxf.fediz.service.idp.beans.DecodeAuthorizationHeaderAction" />
+
+ <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser" />
+
<bean id="initialFlowSetupAction" class="org.apache.cxf.fediz.service.idp.beans.InitialFlowSetupAction" >
-<!-- <property name="authSupportType" value="FORM" /> -->
<property name="authSupportType" value="BASIC" />
<property name="idpName" value="LocalIDP" />
</bean>