Posted to commits@cxf.apache.org by co...@apache.org on 2014/07/29 16:30:15 UTC
git commit: Added initial support for SAML SSO Metadata in the plugin
core
Repository: cxf-fediz
Updated Branches:
refs/heads/master abd1fe2c6 -> f15c92f65
Added initial support for SAML SSO Metadata in the plugin core
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f15c92f6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f15c92f6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f15c92f6
Branch: refs/heads/master
Commit: f15c92f653d2b63bec10d17129eed4be226beebb
Parents: abd1fe2
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 29 15:09:37 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 29 15:09:37 2014 +0100
----------------------------------------------------------------------
.../cxf/fediz/core/FederationConstants.java | 2 +
.../fediz/core/config/FederationProtocol.java | 9 -
.../apache/cxf/fediz/core/config/Protocol.java | 7 +
.../cxf/fediz/core/metadata/MetadataWriter.java | 205 +++++++++++--------
.../src/main/resources/schemas/FedizConfig.xsd | 2 +-
.../fediz/tomcat/FederationAuthenticator.java | 5 +-
6 files changed, 133 insertions(+), 97 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
index 767faf0..3ffa654 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
@@ -221,6 +221,8 @@ public final class FederationConstants {
public static final String METADATA_PATH_URI = "FederationMetadata/2007-06/FederationMetadata.xml";
+ public static final String FEDIZ_SAML_METADATA_PATH_URI = "SAML/Metadata.xml";
+
private FederationConstants() {
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
index 4809a34..6b37505 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
@@ -56,15 +56,6 @@ public class FederationProtocol extends Protocol {
super.setProtocolType(federationProtocol);
}
-
- public String getApplicationServiceURL() {
- return getFederationProtocol().getApplicationServiceURL();
- }
-
- public void setApplicationServiceURL(String value) {
- getFederationProtocol().setApplicationServiceURL(value);
- }
-
public Object getAuthenticationType() {
if (this.authenticationType != null) {
return this.authenticationType;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index c9ff7ae..d49e24d 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -191,4 +191,11 @@ public abstract class Protocol {
getProtocolType().setClaimTypesRequested(value);
}
+ public String getApplicationServiceURL() {
+ return getProtocolType().getApplicationServiceURL();
+ }
+
+ public void setApplicationServiceURL(String value) {
+ getProtocolType().setApplicationServiceURL(value);
+ }
}
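Review bot: The accessors pulled up from FederationProtocol carry no Javadoc and are not separated from the preceding method by a blank line. Since `getApplicationServiceURL()` is now part of the abstract Protocol contract for every subclass and, per the MetadataWriter change in this commit, supplies the metadata entityID and the SAML AssertionConsumerService Location, a one-line Javadoc such as `/** The application's service URL, used as the metadata entityID and endpoint address; may be null when not configured. */` would tell implementors what the value is used for. The closing brace of the class is in this hunk, so the methods are complete here.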
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index f7ef25c..af3a558 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -29,14 +29,15 @@ import java.util.List;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import org.w3c.dom.Document;
-
import org.apache.cxf.fediz.core.config.Claim;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.Protocol;
+import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.cxf.fediz.core.util.SignatureUtils;
@@ -77,13 +78,10 @@ public class MetadataWriter {
writer.writeAttribute("ID", referenceID);
String audience = "_someID";
- String serviceURL = null;
- if (protocol instanceof FederationProtocol) {
- serviceURL = ((FederationProtocol)protocol).getApplicationServiceURL();
- List<String> audienceList = config.getAudienceUris();
- if (audienceList != null && audienceList.size() > 0 && !"".equals(audienceList.get(0))) {
- audience = audienceList.get(0);
- }
+ String serviceURL = protocol.getApplicationServiceURL();
+ List<String> audienceList = config.getAudienceUris();
+ if (audienceList != null && audienceList.size() > 0 && !"".equals(audienceList.get(0))) {
+ audience = audienceList.get(0);
}
if (serviceURL == null) {
serviceURL = audience;
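Review bot: The fallback `if (serviceURL == null) { serviceURL = audience; }` now runs for every protocol type, and `audience` defaults to the placeholder `_someID` when no audience URI is configured; for a SAMLProtocol that value is later written as the AssertionConsumerService `Location`, which must be a real URL for an IdP to accept the metadata. Consider treating a missing applicationServiceURL as a configuration error for SAML, or at least logging a warning, rather than silently emitting the placeholder or the audience string as an endpoint address. The enclosing method starts and ends outside this hunk.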
@@ -91,88 +89,16 @@ public class MetadataWriter {
writer.writeAttribute("entityID", serviceURL);
- writer.writeNamespace("fed", WS_FEDERATION_NS);
- writer.writeNamespace("wsa", WS_ADDRESSING_NS);
- writer.writeNamespace("auth", WS_FEDERATION_NS);
- writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
-
- writer.writeStartElement("fed", "RoleDescriptor", WS_FEDERATION_NS);
- writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:ApplicationServiceType");
- writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
-
- writer.writeStartElement("fed", "ApplicationServiceEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
-
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- writer.writeCharacters(serviceURL);
-
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // ApplicationServiceEndpoint
-
- // create target scope element
- writer.writeStartElement("fed", "TargetScope", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
-
- Object realmObj = protocol.getRealm();
- String realm = null;
- if (realmObj instanceof String) {
- realm = (String)realmObj;
- } else if (realmObj instanceof CallbackHandler) {
- //TODO
- //If realm is resolved at runtime, metadata not updated
- }
-
- if (!(realm == null || "".equals(realm))) {
- writer.writeCharacters(realm);
+ if (protocol instanceof FederationProtocol) {
+ writeFederationMetadata(writer, config, serviceURL);
+ } else if (protocol instanceof SAMLProtocol) {
+ writeSAMLMetadata(writer, config, serviceURL);
}
- // writer.writeCharacters("http://host:port/url from config");
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // TargetScope
-
- List<Claim> claims = protocol.getClaimTypesRequested();
- if (claims != null && claims.size() > 0) {
-
- // create ClaimsType section
- writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
- for (Claim claim : claims) {
-
- writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
- writer.writeAttribute("Uri", claim.getType());
- if (claim.isOptional()) {
- writer.writeAttribute("Optional", "true");
- } else {
- writer.writeAttribute("Optional", "false");
- }
-
- writer.writeEndElement(); // ClaimType
-
- }
- writer.writeEndElement(); // ClaimsTypeRequested
- }
- // create sign in endpoint section
-
- writer.writeStartElement("fed", "PassiveRequestorEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
-
- Object issuer = protocol.getIssuer();
- if (issuer instanceof String && !"".equals(issuer)) {
- writer.writeCharacters((String)issuer);
- }
-
- // writer.writeCharacters("http://host:port/url Issuer from config");
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
-
- writer.writeEndElement(); // PassiveRequestorEndpoint
- writer.writeEndElement(); // RoleDescriptor
writer.writeEndElement(); // EntityDescriptor
writer.writeEndDocument();
+
streamWriter.flush();
bout.flush();
//
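Review bot: The new dispatch `if (protocol instanceof FederationProtocol) ... else if (protocol instanceof SAMLProtocol)` has no terminal branch, so any other Protocol subclass produces an EntityDescriptor with no role descriptor and no error. Add an else branch, e.g. `} else { throw new IllegalStateException("Unsupported protocol: " + protocol.getClass().getName()); }`, or a ProcessingException if the method's throws clause (outside this hunk) allows it. The enclosing method starts and ends outside this hunk.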
@@ -213,6 +139,115 @@ public class MetadataWriter {
}
+ private void writeFederationMetadata(
+ XMLStreamWriter writer,
+ FedizContext config,
+ String serviceURL
+ ) throws XMLStreamException {
+ writer.writeNamespace("fed", WS_FEDERATION_NS);
+ writer.writeNamespace("wsa", WS_ADDRESSING_NS);
+ writer.writeNamespace("auth", WS_FEDERATION_NS);
+ writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
+
+ writer.writeStartElement("fed", "RoleDescriptor", WS_FEDERATION_NS);
+ writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:ApplicationServiceType");
+ writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
+
+ writer.writeStartElement("fed", "ApplicationServiceEndpoint", WS_FEDERATION_NS);
+ writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
+
+ writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
+ writer.writeCharacters(serviceURL);
+
+ writer.writeEndElement(); // Address
+ writer.writeEndElement(); // EndpointReference
+ writer.writeEndElement(); // ApplicationServiceEndpoint
+
+ // create target scope element
+ writer.writeStartElement("fed", "TargetScope", WS_FEDERATION_NS);
+ writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
+ writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
+
+ FederationProtocol protocol = (FederationProtocol)config.getProtocol();
+
+ Object realmObj = protocol.getRealm();
+ String realm = null;
+ if (realmObj instanceof String) {
+ realm = (String)realmObj;
+ } else if (realmObj instanceof CallbackHandler) {
+ //TODO
+ //If realm is resolved at runtime, metadata not updated
+ }
+
+ if (!(realm == null || "".equals(realm))) {
+ writer.writeCharacters(realm);
+ }
+
+ // writer.writeCharacters("http://host:port/url from config");
+ writer.writeEndElement(); // Address
+ writer.writeEndElement(); // EndpointReference
+ writer.writeEndElement(); // TargetScope
+
+ List<Claim> claims = protocol.getClaimTypesRequested();
+ if (claims != null && claims.size() > 0) {
+
+ // create ClaimsType section
+ writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
+ for (Claim claim : claims) {
+
+ writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
+ writer.writeAttribute("Uri", claim.getType());
+ if (claim.isOptional()) {
+ writer.writeAttribute("Optional", "true");
+ } else {
+ writer.writeAttribute("Optional", "false");
+ }
+
+ writer.writeEndElement(); // ClaimType
+
+ }
+ writer.writeEndElement(); // ClaimsTypeRequested
+ }
+ // create sign in endpoint section
+
+ writer.writeStartElement("fed", "PassiveRequestorEndpoint", WS_FEDERATION_NS);
+ writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
+ writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
+
+ Object issuer = protocol.getIssuer();
+ if (issuer instanceof String && !"".equals(issuer)) {
+ writer.writeCharacters((String)issuer);
+ }
+
+ // writer.writeCharacters("http://host:port/url Issuer from config");
+ writer.writeEndElement(); // Address
+ writer.writeEndElement(); // EndpointReference
+
+ writer.writeEndElement(); // PassiveRequestorEndpoint
+ writer.writeEndElement(); // RoleDescriptor
+ }
+ private void writeSAMLMetadata(
+ XMLStreamWriter writer,
+ FedizContext config,
+ String serviceURL
+ ) throws XMLStreamException {
+
+ SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
+
+ writer.writeStartElement("", "SPSSODescriptor", SAML2_METADATA_NS);
+ writer.writeAttribute("AuthnRequestsSigned", Boolean.toString(protocol.isSignRequest()));
+ writer.writeAttribute("WantAssertionsSigned", "true");
+ writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
+
+ writer.writeStartElement("", "AssertionConsumerService", SAML2_METADATA_NS);
+ writer.writeAttribute("index", "0");
+ writer.writeAttribute("isDefault", "true");
+ writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ writer.writeAttribute("Location", serviceURL);
+
+ writer.writeEndElement(); // AssertionConsumerService
+ writer.writeEndElement(); // SPSSODescriptor
+ }
}
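Review bot: writeSAMLMetadata sets `AuthnRequestsSigned` from `protocol.isSignRequest()` but emits no KeyDescriptor, so an IdP consuming this document has no SP signing certificate to verify signed requests against; until that is added, a `// TODO: emit a KeyDescriptor use="signing" carrying the SP certificate` comment should mark the gap. `WantAssertionsSigned` is hard-coded to "true", which is only accurate if response processing actually rejects unsigned assertions (not visible here), so that assumption deserves a comment on the line. The SPSSODescriptor is written with an empty prefix under SAML2_METADATA_NS with no writeNamespace/writeDefaultNamespace call, which is fine only if the EntityDescriptor (outside this hunk) already declares that namespace as the default. Both helpers re-fetch and cast `config.getProtocol()` although the caller already holds the typed `protocol`; passing it as a parameter would drop the casts, and a blank line is missing between the two methods at `}` / `private void writeSAMLMetadata(`.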
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 7c7b91c..516e03d 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -99,7 +99,6 @@
<xs:element ref="reply" />
<xs:element ref="request" />
<xs:element ref="signInQuery" />
- <xs:element ref="applicationServiceURL" />
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
</xs:extension>
@@ -134,6 +133,7 @@
<xs:complexType name="protocolType" abstract="true">
<xs:sequence>
+ <xs:element ref="applicationServiceURL" />
<xs:element ref="roleDelimiter" />
<xs:element ref="roleURI" />
<xs:element ref="claimTypesRequested" />
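Review bot: Moving `<xs:element ref="applicationServiceURL" />` from the federationProtocol extension sequence to the head of the abstract protocolType sequence changes where the element must appear: order is significant in an xs:sequence, and because the concrete type is an xs:extension its base elements precede its own, so existing configurations that place applicationServiceURL after signInQuery will now fail schema validation. If the element keeps the default minOccurs of 1 (its declaration is outside this hunk), every protocol, including the SAML one, must now supply it. If both effects are intended, a note in the schema or changelog about the reordering would spare users a confusing validation error; otherwise consider `minOccurs="0"` and document the new position.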
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index 5c64332..73c9d97 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -181,9 +181,10 @@ public class FederationAuthenticator extends FormAuthenticator {
LOG.debug("WsFedAuthenticator:invoke()");
request.setCharacterEncoding(this.encoding);
- if (request.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI) != -1) {
+ if (request.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI) != -1
+ || request.getRequestURL().indexOf(FederationConstants.FEDIZ_SAML_METADATA_PATH_URI) != -1) {
if (LOG.isInfoEnabled()) {
- LOG.info("WS-Federation Metadata document requested");
+ LOG.info("Metadata document requested");
}
response.setContentType("text/xml");
PrintWriter out = response.getWriter();
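Review bot: The new `|| request.getRequestURL().indexOf(FederationConstants.FEDIZ_SAML_METADATA_PATH_URI) != -1` repeats the substring match used for METADATA_PATH_URI, so the branch fires for any request URL that merely contains `SAML/Metadata.xml` rather than only the metadata endpoint; since this branch serves the metadata document ahead of the authentication logic that presumably follows (the rest of the method is outside this hunk), the match should be as tight as possible. Prefer a suffix comparison on the path for both constants, e.g. `request.getRequestURI().endsWith(FederationConstants.FEDIZ_SAML_METADATA_PATH_URI)`. MetadataWriter in this commit appears to dispatch on the configured protocol rather than on the requested path, so a SAML metadata URL on a WS-Federation deployment would return WS-Federation metadata; a comment stating that, or rejecting the mismatched path, would avoid surprises.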