Author: sergeyb
Date: Fri May 18 12:54:36 2012
New Revision: 1340085
URL: http://svn.apache.org/viewvc?rev=1340085&view=rev
Log:
Checking if ResponseState matches the current web app context and domain if any
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
Fri May 18 12:54:36 2012
@@ -130,38 +130,60 @@ public abstract class AbstractServicePro
Map<String, Cookie> cookies = headers.getCookies();
Cookie securityContextCookie =
cookies.get(SSOConstants.SECURITY_CONTEXT_TOKEN);
+
+ ResponseState responseState =
getValidResponseState(securityContextCookie, m);
+ if (responseState == null) {
+ return false;
+ }
+
+ Cookie relayStateCookie = cookies.get(SSOConstants.RELAY_STATE);
+ if (relayStateCookie == null) {
+ reportError("MISSING_RELAY_COOKIE");
+ return false;
+ }
+ String originalRelayState = responseState.getRelayState();
+ if (!originalRelayState.equals(relayStateCookie.getValue())) {
+ // perhaps the response state should also be removed
+ reportError("INVALID_RELAY_STATE");
+ return false;
+ }
+ //TODO: use ResponseState to set up a proper SecurityContext
+ // on the current message
+ return true;
+ }
+
+ protected ResponseState getValidResponseState(Cookie
securityContextCookie,
+ Message m) {
if (securityContextCookie == null) {
// most likely it means that the user has not been offered
// a chance to get logged on yet, though it might be that the
browser
// has removed an expired cookie from its cache; warning is too
noisy in the
// former case
reportTrace("MISSING_RESPONSE_STATE");
- return false;
+ return null;
}
String contextKey = securityContextCookie.getValue();
+
ResponseState responseState =
getStateProvider().getResponseState(contextKey);
+
if (responseState == null) {
reportError("MISSING_RESPONSE_STATE");
- return false;
+ return null;
}
if (isStateExpired(responseState.getCreatedAt(),
responseState.getExpiresAt())) {
reportError("EXPIRED_RESPONSE_STATE");
getStateProvider().removeResponseState(contextKey);
- return false;
+ return null;
}
- Cookie relayStateCookie = cookies.get(SSOConstants.RELAY_STATE);
- if (relayStateCookie == null) {
- reportError("MISSING_RELAY_COOKIE");
- return false;
- }
- String originalRelayState = responseState.getRelayState();
- if (!originalRelayState.equals(relayStateCookie.getValue())) {
- reportError("INVALID_RELAY_STATE");
- return false;
+ String webAppContext = getWebAppContext(m);
+ if (webAppDomain != null &&
!webAppDomain.equals(responseState.getWebAppDomain())
+ || responseState.getWebAppContext() == null
+ || !webAppContext.equals(responseState.getWebAppContext())) {
+ getStateProvider().removeResponseState(contextKey);
+ reportError("INVALID_RESPONSE_STATE");
+ return null;
}
- //TODO: use ResponseState to set up a proper SecurityContext
- // on the current message
- return true;
+ return responseState;
}
protected String deflateEncodeAuthnRequest(Element authnRequestElement)
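Review bot: The new rejection condition in getValidResponseState, `if (webAppDomain != null && !webAppDomain.equals(responseState.getWebAppDomain()) || responseState.getWebAppContext() == null || !webAppContext.equals(responseState.getWebAppContext()))`, relies on `&&` binding tighter than `||`; it parses as intended, but the domain clause should be parenthesised so the rule reads as "domain mismatch, or missing/mismatched context": `if ((webAppDomain != null && !webAppDomain.equals(responseState.getWebAppDomain()))`. The stored context is null-checked while the local `webAppContext` from `getWebAppContext(m)` is not; if that helper can ever return null (it depends on the `http.base.path` property, which this hunk does not show being guaranteed), the last clause raises a NullPointerException instead of the INVALID_RESPONSE_STATE error, so a `|| webAppContext == null` clause before the `equals` call would keep the failure on the error path. In the caller, the `// perhaps the response state should also be removed` comment on the INVALID_RELAY_STATE branch leaves a still-valid state in the provider after a relay-state mismatch, whereas the context/domain mismatch branch removes it; either remove it there too for consistency or replace the comment with the reason it is kept.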
@@ -189,13 +211,7 @@ public abstract class AbstractServicePro
SamlRequestInfo info = new SamlRequestInfo();
info.setSamlRequest(authnRequestEncoded);
- String webAppContext = null;
- if (addEndpointAddressToContext) {
- webAppContext = new UriInfoImpl(m).getBaseUri().getRawPath();
- } else {
- String httpBasePath = (String)m.get("http.base.path");
- webAppContext = URI.create(httpBasePath).getRawPath();
- }
+ String webAppContext = getWebAppContext(m);
String originalRequestURI = new
UriInfoImpl(m).getRequestUri().toString();
RequestState requestState = new RequestState(originalRequestURI,
@@ -247,6 +263,15 @@ public abstract class AbstractServicePro
}
}
+ private String getWebAppContext(Message m) {
+ if (addEndpointAddressToContext) {
+ return new UriInfoImpl(m).getBaseUri().getRawPath();
+ } else {
+ String httpBasePath = (String)m.get("http.base.path");
+ return URI.create(httpBasePath).getRawPath();
+ }
+ }
+
public String getWebAppDomain() {
return webAppDomain;
}
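Review bot: `getWebAppContext(Message m)` is now shared by the request-state creation path and the response-state validation path but has no Javadoc, and its second branch passes `(String)m.get("http.base.path")` straight into `URI.create`, which throws a NullPointerException when the property is absent (this logic is moved rather than new, but it now has two callers). A header such as `/** Returns the raw path the SSO cookies are scoped to: the endpoint base URI when addEndpointAddressToContext is set, otherwise the path of the "http.base.path" message property (assumed to be present). */` would document that precondition; whether the property can be missing is not visible in this diff.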
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
Fri May 18 12:54:36 2012
@@ -26,6 +26,7 @@ MISSING_SAML_RESPONSE=SamlResponse param
INVALID_SAML_RESPONSE=SamlResponse parameter is invalid
MISSING_ASSERTION_SERVICE_URL=RequestAssertionConsumerService URI is not set
MISSING_RESPONSE_STATE=Response State is not available
+INVALID_RESPONSE_STATE=Response State is invalid
EXPIRED_RESPONSE_STATE=Response State has expired
MISSING_RELAY_STATE=RelayState is missing
MISSING_RELAY_COOKIE=RelayState cookie is not available
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Fri May 18 12:54:36 2012
@@ -38,7 +38,6 @@ import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@@ -101,53 +100,28 @@ public class RequestAssertionConsumerSer
@Produces(MediaType.APPLICATION_FORM_URLENCODED)
public Response processSamlResponse(@FormParam(SSOConstants.SAML_RESPONSE)
String encodedSamlResponse,
@FormParam(SSOConstants.RELAY_STATE)
String relayState) {
- RequestState requestState = processRelayState(relayState);
- URI targetURI = getTargetURI(requestState.getTargetAddress());
-
- org.opensaml.saml2.core.Response samlResponse =
- readSAMLResponse(true, encodedSamlResponse);
-
- // Validate the Response
- validateSamlResponseProtocol(samlResponse);
- SSOValidatorResponse validatorResponse =
- validateSamlSSOResponse(true, samlResponse, requestState);
-
- // Set the security context
- String securityContextKey = UUID.randomUUID().toString();
-
- long currentTime = System.currentTimeMillis();
- Date notOnOrAfter = validatorResponse.getSessionNotOnOrAfter();
- long expiresAt = 0;
- if (notOnOrAfter != null) {
- expiresAt = notOnOrAfter.getTime();
- }
- ResponseState responseState =
- new ResponseState(relayState, currentTime, expiresAt);
- getStateProvider().setResponseState(securityContextKey, responseState);
-
- String contextCookie =
createCookie(SSOConstants.SECURITY_CONTEXT_TOKEN,
- securityContextKey,
- requestState.getWebAppContext(),
- requestState.getWebAppDomain());
-
- // Finally, redirect to the service provider endpoint
- return Response.seeOther(targetURI).header("Set-Cookie",
contextCookie).build();
+ return doProcessSamlResponse(encodedSamlResponse, relayState);
}
@GET
public Response getSamlResponse(@QueryParam(SSOConstants.SAML_RESPONSE)
String encodedSamlResponse,
@QueryParam(SSOConstants.RELAY_STATE)
String relayState) {
+ return doProcessSamlResponse(encodedSamlResponse, relayState);
+ }
+
+ protected Response doProcessSamlResponse(String encodedSamlResponse,
+ String relayState) {
RequestState requestState = processRelayState(relayState);
URI targetURI = getTargetURI(requestState.getTargetAddress());
org.opensaml.saml2.core.Response samlResponse =
- readSAMLResponse(false, encodedSamlResponse);
+ readSAMLResponse(true, encodedSamlResponse);
// Validate the Response
validateSamlResponseProtocol(samlResponse);
SSOValidatorResponse validatorResponse =
- validateSamlSSOResponse(false, samlResponse, requestState);
+ validateSamlSSOResponse(true, samlResponse, requestState);
// Set the security context
String securityContextKey = UUID.randomUUID().toString();
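Review bot: Merging both endpoints into `doProcessSamlResponse` drops the boolean that distinguished them: the removed GET body called `readSAMLResponse(false, ...)` and `validateSamlSSOResponse(false, ...)`, while the shared method now hard-codes `true` for both the POST and the GET endpoint. If that flag selects the binding (presumably POST versus redirect), the GET path is now parsed and validated as if it were a POST response, so the flag should be threaded through as a parameter as sketched below. doProcessSamlResponse continues past the end of this hunk.
```java
        return doProcessSamlResponse(true, encodedSamlResponse, relayState);
    // … unchanged: end of processSamlResponse, @GET getSamlResponse signature …
        return doProcessSamlResponse(false, encodedSamlResponse, relayState);
    // … unchanged: end of getSamlResponse …
    protected Response doProcessSamlResponse(boolean postBinding,
                                             String encodedSamlResponse,
                                             String relayState) {
        // … unchanged: relay state lookup and target URI …
        org.opensaml.saml2.core.Response samlResponse =
            readSAMLResponse(postBinding, encodedSamlResponse);
        // … unchanged: protocol validation …
        SSOValidatorResponse validatorResponse =
            validateSamlSSOResponse(postBinding, samlResponse, requestState);
        // … unchanged: security context set-up, continues past the hunk …
```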
@@ -159,7 +133,11 @@ public class RequestAssertionConsumerSer
expiresAt = notOnOrAfter.getTime();
}
ResponseState responseState =
- new ResponseState(relayState, currentTime, expiresAt);
+ new ResponseState(relayState,
+ requestState.getWebAppContext(),
+ requestState.getWebAppDomain(),
+ currentTime,
+ expiresAt);
getStateProvider().setResponseState(securityContextKey, responseState);
String contextCookie =
createCookie(SSOConstants.SECURITY_CONTEXT_TOKEN,
@@ -168,8 +146,8 @@ public class RequestAssertionConsumerSer
requestState.getWebAppDomain());
// Finally, redirect to the service provider endpoint
- return Response.seeOther(targetURI).header(HttpHeaders.SET_COOKIE,
- contextCookie).build();
+ return Response.seeOther(targetURI).header("Set-Cookie",
contextCookie).build();
+
}
private RequestState processRelayState(String relayState) {
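Review bot: The redirect line replaces the `HttpHeaders.SET_COOKIE` constant with the literal `"Set-Cookie"` (and the first hunk removes the matching import); the constant is the conventional spelling and rules out a silent typo in a header name that carries the security-context cookie, so `return Response.seeOther(targetURI).header(HttpHeaders.SET_COOKIE, contextCookie).build();` with the import kept reads better. The blank line added between that statement and the closing brace can be dropped as well.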
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java?rev=1340085&r1=1340084&r2=1340085&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/ResponseState.java
Fri May 18 12:54:36 2012
@@ -21,11 +21,19 @@ package org.apache.cxf.rs.security.saml.
public class ResponseState {
private String relayState;
+ private String webAppContext;
+ private String webAppDomain;
private long createdAt;
private long expiresAt;
- public ResponseState(String relayState, long createdAt, long expiresAt) {
+ public ResponseState(String relayState,
+ String webAppContext,
+ String webAppDomain,
+ long createdAt,
+ long expiresAt) {
this.relayState = relayState;
+ this.webAppContext = webAppContext;
+ this.webAppDomain = webAppDomain;
this.createdAt = createdAt;
this.expiresAt = expiresAt;
}
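Review bot: The new `webAppContext` and `webAppDomain` fields (like the existing ones) are assigned only in the constructor yet are not `final`; only getters are visible in this hunk and the next, so if the class really has no setters, `private final String webAppContext;` and `private final String webAppDomain;` make the state object immutable, which suits a value stored in a shared state provider and later trusted by the filter. The two fields also lack any comment on what they represent; a line such as `// context path and cookie domain the security-context cookie was issued for; compared against the current request by AbstractServiceProviderFilter` on the declarations would document the binding that this revision introduces. The same applies to the two getters in the following hunk.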
@@ -41,4 +49,12 @@ public class ResponseState {
public String getRelayState() {
return relayState;
}
+
+ public String getWebAppContext() {
+ return webAppContext;
+ }
+
+ public String getWebAppDomain() {
+ return webAppDomain;
+ }
}