Author: owulff
Date: Mon Jun 4 21:16:04 2012
New Revision: 1346157
URL: http://svn.apache.org/viewvc?rev=1346157&view=rev
Log:
Refactoring for pluggable TokenValidator processing
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
Mon Jun 4 21:16:04 2012
@@ -26,6 +26,7 @@ import java.net.URLEncoder;
import java.text.DateFormat;
import java.text.ParseException;
import java.util.Date;
+import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
@@ -38,7 +39,6 @@ import org.xml.sax.SAXException;
import org.apache.cxf.fediz.core.config.FederationContext;
import org.apache.cxf.fediz.core.config.FederationProtocol;
-import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
import org.apache.cxf.fediz.core.spi.IDPCallback;
import org.apache.cxf.fediz.core.spi.WAuthCallback;
@@ -139,64 +139,76 @@ public class FederationProcessorImpl imp
if (currentDate.after(lifeTime.getExpires())) {
LOG.warn("Token already expired");
}
-
if (currentDate.before(lifeTime.getCreated())) {
LOG.warn("Token not yet valid");
- // [TODO] Add Check clocksqew
+ // [TODO] Add Check clockskew
}
}
- // [TODO] Exception: TokenExpiredException, TokenInvalidException,
- // TokenCachedException
-
- // [TODO] Flexible tokenvalidator selection, based on class list
- SAMLTokenValidator validator = new SAMLTokenValidator();
- TokenValidatorResponse response = validator.validateAndProcessToken(
- rst, config);
+ // [TODO] Exception: TokenExpiredException, TokenInvalidException,
TokenCachedException
+ // throw new FedizRuntimeException("Error in providing a token", ex,
FedizRuntimeException.TOKEN_EXPIRED);
+
+ TokenValidatorResponse validatorResponse = null;
+ List<TokenValidator> validators =
((FederationProtocol)config.getProtocol()).getTokenValidators();
+ for (TokenValidator validator : validators) {
+ boolean canHandle = false;
+ if (tt != null) {
+ canHandle = validator.canHandleTokenType(tt);
+ } else {
+ canHandle = validator.canHandleToken(rst);
+ }
+ if (canHandle) {
+ try {
+ validatorResponse = validator.validateAndProcessToken(rst,
config);
+ } catch (RuntimeException ex) {
+ LOG.warn("Failed to validate token", ex);
+ throw ex;
+ }
+ break;
+ }
+ }
// Check whether token already used for signin
- if (response.getUniqueTokenId() != null
+ if (validatorResponse.getUniqueTokenId() != null
&& config.isDetectReplayedTokens()) {
// Check whether token has already been processed once, prevent
// replay attack
- if
(config.getTokenReplayCache().getId(response.getUniqueTokenId()) == null) {
+ if
(config.getTokenReplayCache().getId(validatorResponse.getUniqueTokenId()) ==
null) {
// not cached
Date expires = null;
if (lifeTime != null && lifeTime.getExpires() != null) {
expires = lifeTime.getExpires();
} else {
- expires = response.getExpires();
+ expires = validatorResponse.getExpires();
}
if (expires != null) {
Date currentTime = new Date();
long ttl = expires.getTime() - currentTime.getTime();
-
config.getTokenReplayCache().putId(response.getUniqueTokenId(), ttl / 1000L);
+
config.getTokenReplayCache().putId(validatorResponse.getUniqueTokenId(), ttl /
1000L);
} else {
-
config.getTokenReplayCache().putId(response.getUniqueTokenId());
+
config.getTokenReplayCache().putId(validatorResponse.getUniqueTokenId());
}
} else {
LOG.error("Replay attack with token id: "
- + response.getUniqueTokenId());
+ + validatorResponse.getUniqueTokenId());
throw new RuntimeException("Replay attack with token id: "
- + response.getUniqueTokenId());
+ + validatorResponse.getUniqueTokenId());
}
}
- // [TODO] Token, WeakReference, SoftReference???
FederationResponse fedResponse = new FederationResponse(
- response.getUsername(), response.getIssuer(),
- response.getRoles(), response.getClaims(),
- response.getAudience(),
+ validatorResponse.getUsername(), validatorResponse.getIssuer(),
+ validatorResponse.getRoles(), validatorResponse.getClaims(),
+ validatorResponse.getAudience(),
(lifeTime != null) ? lifeTime.getCreated() : null,
(lifeTime != null) ? lifeTime.getExpires() : null, rst,
- response.getUniqueTokenId());
+ validatorResponse.getUniqueTokenId());
return fedResponse;
}
private LifeTime processLifeTime(Element lifetimeElem) {
- // [TODO] Get rid of WSS4J dependency
try {
Element createdElem = DOMUtils.getFirstChildWithName(lifetimeElem,
WSConstants.WSU_NS, WSConstants.CREATED_LN);
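Review bot: If no configured validator claims the token (every `canHandle` check in the new loop is false, or the validator list is empty), `validatorResponse` is still null when `validatorResponse.getUniqueTokenId()` runs and the sign-in fails with a NullPointerException rather than an explicit rejection. Add a guard directly after the loop so the failure is deliberate: `if (validatorResponse == null) { LOG.warn("No token validator accepted the token (type " + tt + ")"); throw new RuntimeException("Unsupported or unrecognized token"); }`. Note also that when `tt` is non-null the validator is chosen from the TokenType string carried in the response rather than from the element itself; that string is presumably attacker-controlled until the token is verified, so checking `canHandleToken(rst)` as well would keep a validator from being handed an element it was not written for. The enclosing method starts before this hunk.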
@@ -348,10 +360,6 @@ public class FederationProcessorImpl imp
// sb.append("wfresh=jjjj");
// }
// if (false) {
- // sb.append("&");
- // sb.append("wauth=jjjj");
- // }
- // if (false) {
// sb.append("&");wct
// sb.append("wreq=jjjj");
// }
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationConfigurator.java
Mon Jun 4 21:16:04 2012
@@ -88,6 +88,7 @@ public class FederationConfigurator {
}
for (FederationContext fedContext : federationContextList) {
if (fedContext.getName().equals(contextName)) {
+ fedContext.init();
return fedContext;
}
}
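Review bot: `fedContext.init()` runs on every lookup of a context by name, not once after the configuration is loaded, so any future work placed in `init()` (the TODO in `FederationProtocol` points at instantiating validators from a class list) would be repeated per request. Today it is harmless because `getProtocol()` caches its result, but calling `init()` where `federationContextList` is populated would make the one-time intent explicit. The enclosing method starts before this hunk.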
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
Mon Jun 4 21:16:04 2012
@@ -45,9 +45,17 @@ public class FederationContext implement
private boolean detectReplayedTokens = true;
private String relativePath;
private TokenReplayCache<String> replayCache;
+ private FederationProtocol protocol;
+
public FederationContext(ContextConfig config) {
this.config = config;
+
+ }
+
+ public void init() {
+ //get validators initialized
+ getProtocol();
}
public List<String> getAudienceUris() {
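Review bot: `init()` has no documentation, and the body comment `//get validators initialized` only makes sense to a reader who already knows that `getProtocol()` constructs a `FederationProtocol` whose constructor builds the validator list. A Javadoc such as `/** Eagerly builds the protocol object (and the token validators it owns) so that later calls to getProtocol() only return the cached instance. */` would state the contract; in this commit `FederationConfigurator` is the caller. The empty line left in the constructor body can go.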
@@ -64,7 +72,7 @@ public class FederationContext implement
return trustedIssuers;
}
-
+ //[TODO] Return Keystore
public List<TrustManager> getCertificateStores() {
CertificateStores certStores = config.getCertificateStores();
List<TrustManagersType> trustManagers = certStores.getTrustManager();
@@ -79,8 +87,8 @@ public class FederationContext implement
return config.getMaximumClockSkew();
}
- public void setMaximumClockSkew(BigInteger maximumClockSqew) {
- config.setMaximumClockSkew(maximumClockSqew);
+ public void setMaximumClockSkew(BigInteger maximumClockSkew) {
+ config.setMaximumClockSkew(maximumClockSkew);
}
// public TrustManager getServiceCertificate() {
@@ -88,11 +96,14 @@ public class FederationContext implement
// }
public Protocol getProtocol() {
+ if (protocol != null) {
+ return protocol;
+ }
ProtocolType type = config.getProtocol();
if (type instanceof FederationProtocolType) {
- return new FederationProtocol(type);
+ protocol = new FederationProtocol(type);
}
- return null;
+ return protocol;
}
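Review bot: The lazy initialization of `protocol` is unsynchronized and the field is not `volatile`; `FederationContext` is presumably shared across request threads (the Tomcat authenticator resolves it per request), so two concurrent first calls can each construct a `FederationProtocol` with its own validator list, and in principle a thread may observe an incompletely published instance. Since `init()` is meant to be the eager initialization point, the cheapest fix is `private volatile FederationProtocol protocol;` or making `getProtocol()` `synchronized`. Separately, the method still returns null when the configured protocol is not a `FederationProtocolType`, and `FederationProcessorImpl` now casts `(FederationProtocol) config.getProtocol()` without a null check; throwing an `IllegalStateException` here would give a clearer failure than a ClassCastException or NullPointerException downstream.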
@SuppressWarnings("unchecked")
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
Mon Jun 4 21:16:04 2012
@@ -23,12 +23,15 @@ import java.util.ArrayList;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.cxf.fediz.core.TokenValidator;
import org.apache.cxf.fediz.core.config.jaxb.ArgumentType;
import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
+import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -39,9 +42,13 @@ public class FederationProtocol extends
private Object authenticationType;
private Object issuer;
private Object homeRealm;
+ private List<TokenValidator> validators = new ArrayList<TokenValidator>();
public FederationProtocol(ProtocolType protocolType) {
super(protocolType);
+ // [TODO] Flexible tokenvalidator selection, based on class list
+ SAMLTokenValidator validator = new SAMLTokenValidator();
+ validators.add(validator);
}
protected FederationProtocolType getFederationProtocol() {
@@ -229,8 +236,8 @@ public class FederationProtocol extends
getFederationProtocol().setClaimTypesRequested(value);
}
- public List<String> getSecurityTokenValidators() {
- return getFederationProtocol().getSecurityTokenValidators();
+ public List<TokenValidator> getTokenValidators() {
+ return validators;
}
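Review bot: `getTokenValidators()` returns the internal `ArrayList` itself, so any caller (the processor iterates it per request) can add or remove validators from a shared, unsynchronized list. Return a read-only view, `return Collections.unmodifiableList(validators);` (needs a `java.util.Collections` import), and add an explicit registration method if mutation is ever intended.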
public String getVersion() {
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
Mon Jun 4 21:16:04 2012
@@ -45,6 +45,7 @@ import org.apache.cxf.fediz.core.config.
import org.apache.cxf.fediz.core.saml.SamlAssertionValidator.TRUST_TYPE;
import org.apache.ws.security.SAMLTokenPrincipal;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
@@ -65,15 +66,23 @@ public class SAMLTokenValidator implemen
private static final Logger LOG =
LoggerFactory.getLogger(SAMLTokenValidator.class);
- // [TODO] make sure we answer true only for cases we actually can handle
+
@Override
public boolean canHandleTokenType(String tokenType) {
- return true;
+ if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) ||
WSConstants.SAML2_NS.equals(tokenType)
+ || WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) ||
WSConstants.SAML_NS.equals(tokenType)) {
+ return true;
+ }
+ return false;
}
@Override
public boolean canHandleToken(Element token) {
- return true;
+ String ns = token.getNamespaceURI();
+ if (WSConstants.SAML2_NS.equals(ns) || WSConstants.SAML_NS.equals(ns))
{
+ return true;
+ }
+ return false;
}
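Review bot: `canHandleToken` accepts any element whose namespace is SAML 1.1 or 2.0, including elements that are not an `Assertion` (an `EncryptedAssertion`, for example), so the validator now claims tokens it presumably cannot validate; unless `validateAndProcessToken` re-checks the local name, tightening the dispatch is cheap: `String ns = token.getNamespaceURI();` followed by `return (WSConstants.SAML2_NS.equals(ns) || WSConstants.SAML_NS.equals(ns)) && "Assertion".equals(token.getLocalName());`. Both methods would also read better as a single boolean `return` instead of `if (...) { return true; } return false;`. `token` is dereferenced without a null check, which is fine only if callers guarantee non-null; this hunk cannot show that.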
public TokenValidatorResponse validateAndProcessToken(Element token,
Modified:
cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd Mon
Jun 4 21:16:04 2012
@@ -100,7 +100,7 @@
<xs:element ref="request" />
<xs:element ref="claimTypesRequested" />
<xs:sequence minOccurs="1"
maxOccurs="unbounded">
- <xs:element
ref="securityTokenValidators" />
+ <xs:element ref="tokenValidators" />
</xs:sequence>
</xs:sequence>
<!-- <xs:attribute name="roleDelimiter"
type="xs:string"/> -->
@@ -158,7 +158,7 @@
</xs:complexType>
</xs:element>
- <xs:element name="securityTokenValidators" type="xs:string" />
+ <xs:element name="tokenValidators" type="xs:string" />
<xs:simpleType name="optionalType">
<xs:restriction base="xs:boolean" />
Modified:
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
Mon Jun 4 21:16:04 2012
@@ -422,10 +422,10 @@ public class FederationProcessorTest {
/**
* Validate SAML 2 token which is not yet valid (in 30 seconds)
- * but within the maximum clock sqew range (60 seconds)
+ * but within the maximum clock skew range (60 seconds)
*/
@org.junit.Test
- public void validateSAML2TokenClockSqewRange() throws Exception {
+ public void validateSAML2TokenClockSkewRange() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
Modified:
cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?rev=1346157&r1=1346156&r2=1346157&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
(original)
+++
cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
Mon Jun 4 21:16:04 2012
@@ -304,28 +304,6 @@ public class FederationAuthenticator ext
}
FederationContext fedConfig =
getContextConfiguration(contextName);
- // Has the callback handler returned a trusted issuer, stored
in
- // session
-// session = request.getSessionInternal();
-// String trustedIssuer = null;
-//
-// //[TODO] How to cache trusted issuer from
FederationProcessor?
-// if (session != null) {
-// trustedIssuer = (String) session.getNote(TRUSTED_ISSUER);
-// if (trustedIssuer == null || trustedIssuer.length() ==
0) {
-// trustedIssuer =
((FederationProtocolType)fedConfig.getProtocol()).getIssuer();
-// } else {
-// log.debug("Trusted issuer cached in session");
-// session.removeNote(TRUSTED_ISSUER);
-// }
-// } else {
-// log.debug("request session null");
-// }
-
- // fedConfig.setTrustedIssuer(trustedIssuer);
- // log.info("Trusted issuer: " + trustedIssuer);
- //
-
FederationProcessor wfProc = new FederationProcessorImpl();
wfRes = wfProc.processRequest(wfReq, fedConfig);
@@ -363,10 +341,6 @@ public class FederationAuthenticator ext
principal = new FederationPrincipalImpl(wfRes.getUsername(),
roles,
wfRes.getClaims());
-
- // [TODO] Cache lifetime (in session), token (in session/TLS),
- // ?audience?
- // [TODO] clocksqew
}
} else {
LOG.error("Not supported action found in parameter wa: " + wa);