Posted to commits@cxf.apache.org by co...@apache.org on 2014/07/17 12:00:31 UTC
git commit: [[CXF-5885] - Validate "ActAs" tokens in the STS
Repository: cxf
Updated Branches:
refs/heads/master 10c0903e2 -> 09faa0fca
[[CXF-5885] - Validate "ActAs" tokens in the STS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/09faa0fc
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/09faa0fc
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/09faa0fc
Branch: refs/heads/master
Commit: 09faa0fca96a93c2b943b4ce3a559ed807f37dca
Parents: 10c0903
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jul 17 11:00:01 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Jul 17 11:00:01 2014 +0100
----------------------------------------------------------------------
.../cxf/sts/operation/TokenIssueOperation.java | 81 +++++++++++---------
1 file changed, 45 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/09faa0fc/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
index 17bf7a1..d4405d5 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
@@ -152,46 +152,15 @@ public class TokenIssueOperation extends AbstractOperation implements IssueOpera
// Validate OnBehalfOf token if present
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
- TokenValidatorResponse tokenResponse = validateReceivedToken(
- context, realm, tokenRequirements, validateTarget);
-
- if (tokenResponse == null) {
- LOG.fine("No Token Validator has been found that can handle this token");
- } else if (validateTarget.getState().equals(STATE.INVALID)) {
- throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
- } else if (validateTarget.getState().equals(STATE.VALID)) {
- processValidToken(providerParameters, validateTarget, tokenResponse);
- } else {
- //[TODO] Add plugin for validation out-of-band
- // Example:
- // If the requestor is in the possession of a certificate (mutual ssl handshake)
- // the STS trusts the token sent in OnBehalfOf element
- }
-
- Principal tokenPrincipal = null;
- Set<Principal> tokenRoles = null;
-
- if (tokenResponse != null) {
- Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
- if (additionalProperties != null) {
- providerParameters.setAdditionalProperties(additionalProperties);
- }
- tokenPrincipal = tokenResponse.getPrincipal();
- tokenRoles = tokenResponse.getRoles();
- }
-
- // See whether OnBehalfOf is allowed or not
- performDelegationHandling(requestParser, context,
- providerParameters.getTokenRequirements().getOnBehalfOf(),
- tokenPrincipal, tokenRoles);
+ handleDelegationToken(validateTarget, providerParameters, context,
+ realm, tokenRequirements, requestParser);
}
// See whether ActAs is allowed or not
- // TODO Validate ActAs
if (providerParameters.getTokenRequirements().getActAs() != null) {
- performDelegationHandling(requestParser, context,
- providerParameters.getTokenRequirements().getActAs(),
- null, null);
+ ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
+ handleDelegationToken(validateTarget, providerParameters, context,
+ realm, tokenRequirements, requestParser);
}
// create token
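Review bot: The new ActAs branch (and the OnBehalfOf branch it now mirrors) still reaches performDelegationHandling when validateReceivedToken finds no validator: handleDelegationToken in the second hunk only logs at FINE for a null tokenResponse and then calls performDelegationHandling with a null principal and null roles, so an ActAs token that no configured validator recognises is not rejected by this change itself. Whether performDelegationHandling refuses a null principal is not visible here; if it does not, the "Validate ActAs" guarantee holds only when a matching TokenValidator is configured, and the same applies to a token whose state is neither VALID nor INVALID, which hits the empty TODO branch. That limit is worth stating where the ActAs branch is introduced, e.g. replacing `// See whether ActAs is allowed or not` with `// Validate ActAs token if present and see whether ActAs is allowed; with no matching validator the token is passed on unvalidated with a null principal`. The else-branch comment in handleDelegationToken still says the STS trusts "the token sent in OnBehalfOf element" although the method now serves ActAs too. The enclosing issue method starts before this hunk.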
@@ -247,6 +216,46 @@ public class TokenIssueOperation extends AbstractOperation implements IssueOpera
throw ex;
}
}
+
+ private void handleDelegationToken(
+ ReceivedToken validateTarget,
+ TokenProviderParameters providerParameters,
+ WebServiceContext context,
+ String realm,
+ TokenRequirements tokenRequirements,
+ RequestParser requestParser
+ ) {
+ TokenValidatorResponse tokenResponse = validateReceivedToken(
+ context, realm, tokenRequirements, validateTarget);
+
+ if (tokenResponse == null) {
+ LOG.fine("No Token Validator has been found that can handle this token");
+ } else if (validateTarget.getState().equals(STATE.INVALID)) {
+ throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
+ } else if (validateTarget.getState().equals(STATE.VALID)) {
+ processValidToken(providerParameters, validateTarget, tokenResponse);
+ } else {
+ //[TODO] Add plugin for validation out-of-band
+ // Example:
+ // If the requestor is in the possession of a certificate (mutual ssl handshake)
+ // the STS trusts the token sent in OnBehalfOf element
+ }
+
+ Principal tokenPrincipal = null;
+ Set<Principal> tokenRoles = null;
+
+ if (tokenResponse != null) {
+ Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
+ if (additionalProperties != null) {
+ providerParameters.setAdditionalProperties(additionalProperties);
+ }
+ tokenPrincipal = tokenResponse.getPrincipal();
+ tokenRoles = tokenResponse.getRoles();
+ }
+
+ // See whether OnBehalfOf/ActAs is allowed or not
+ performDelegationHandling(requestParser, context, validateTarget, tokenPrincipal, tokenRoles);
+ }
private RequestSecurityTokenResponseType createResponse(
EncryptionProperties encryptionProperties,