Author: owulff
Date: Sun Oct 14 19:59:59 2012
New Revision: 1398122
URL: http://svn.apache.org/viewvc?rev=1398122&view=rev
Log:
[FEDIZ-30] Relying Party can enforce re-authentication using wfresh parameter
Modified:
cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/CallbackHandlerTest.java
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationWriterTest.java
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java
Modified: cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
(original)
+++ cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml Sun
Oct 14 19:59:59 2012
@@ -26,7 +26,7 @@
<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
<!--<authenticationType type="String">some auth
type</authenticationType>-->
<!--<homeRealm
type="Class">org.apache.fediz.realm.MyHomeRealm</homeRealm>-->
- <freshness>10000</freshness>
+ <!--<freshness>0</freshness>-->
<!--<reply>reply value</reply>-->
<!--<request>REQUEST</request>-->
<claimTypesRequested>
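Review bot: The example now shows `<!--<freshness>0</freshness>-->` but nothing in the file says what the value means; the IdpServlet change in this same commit forces re-authentication only for the literal value 0, so a one-line comment above the element, e.g. `<!-- freshness: value of the wfresh parameter sent to the IdP; 0 forces re-authentication -->`, would make the sample self-explaining. The same applies to the wsclientWebapp example in the next section.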
Modified:
cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
(original)
+++
cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
Sun Oct 14 19:59:59 2012
@@ -26,7 +26,7 @@
<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
<!--<authenticationType type="String">some auth
type</authenticationType>-->
<!--<homeRealm
type="Class">org.apache.fediz.realm.MyHomeRealm</homeRealm>-->
- <freshness>10000</freshness>
+ <!--<freshness>0</freshness>-->
<!--<reply>reply value</reply>-->
<!--<request>REQUEST</request>-->
<claimTypesRequested>
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
Sun Oct 14 19:59:59 2012
@@ -39,6 +39,7 @@ import org.apache.cxf.fediz.core.config.
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
import org.apache.cxf.fediz.core.metadata.MetadataWriter;
+import org.apache.cxf.fediz.core.spi.FreshnessCallback;
import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
import org.apache.cxf.fediz.core.spi.IDPCallback;
import org.apache.cxf.fediz.core.spi.WAuthCallback;
@@ -65,6 +66,11 @@ public class FederationProcessorImpl imp
public FederationResponse processRequest(FederationRequest request,
FederationContext config)
throws ProcessingException {
+
+ if (!(config.getProtocol() instanceof FederationProtocol)) {
+ LOG.error("Unsupported protocol");
+ throw new IllegalStateException("Unsupported protocol");
+ }
FederationResponse response = null;
if (FederationConstants.ACTION_SIGNIN.equals(request.getWa())) {
response = this.processSignInRequest(request, config);
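Review bot: The new guard at the top of processRequest repeats verbatim the one added inside the try block of the @@ -263 hunk and the one that hunk @@ -306 removes at the old `String realm` block; three copies of the same instanceof-plus-throw invite drift, so a private helper such as `private FederationProtocol requireFederationProtocol(FederationContext config)` that performs the check and returns the cast value would also let the call sites drop the repeated `(FederationProtocol)config.getProtocol()` casts. The message could name what was actually found, e.g. `throw new IllegalStateException("Unsupported protocol: " + config.getProtocol());`, so a misconfiguration is diagnosable from the log alone. The copy in the @@ -263 hunk is thrown inside a try whose catch clauses lie outside the hunk; if one of them catches RuntimeException the guard's exception would be re-wrapped there. processRequest's body continues past this hunk.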
@@ -263,6 +269,11 @@ public class FederationProcessorImpl imp
String redirectURL = null;
try {
+ if (!(config.getProtocol() instanceof FederationProtocol)) {
+ LOG.error("Unsupported protocol");
+ throw new IllegalStateException("Unsupported protocol");
+ }
+
Object issuerObj =
((FederationProtocol)config.getProtocol()).getIssuer();
String issuerURL = null;
if (issuerObj instanceof String) {
@@ -306,24 +317,27 @@ public class FederationProcessorImpl imp
}
LOG.info("HomeRealm: " + homeRealm);
+ Object freshnessObj =
((FederationProtocol)config.getProtocol()).getFreshness();
+ String freshness = null;
+ if (freshnessObj != null) {
+ if (freshnessObj instanceof String) {
+ freshness = (String)freshnessObj;
+ } else if (freshnessObj instanceof CallbackHandler) {
+ CallbackHandler frCB = (CallbackHandler)freshnessObj;
+ FreshnessCallback callback = new
FreshnessCallback(request);
+ frCB.handle(new Callback[] {callback});
+ freshness = callback.getFreshness();
+ }
+ }
+ LOG.info("Freshness: " + freshness);
+
StringBuilder sb = new StringBuilder();
-
sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNIN);
-
sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
sb.append(URLEncoder.encode(request.getRequestURL().toString(),
"UTF-8"));
- String realm = null;
- FederationProtocol fp = null;
- if (config.getProtocol() instanceof FederationProtocol) {
- fp = (FederationProtocol)config.getProtocol();
- } else {
- LOG.error("Unsupported protocol");
- throw new IllegalStateException("Unsupported protocol");
- }
- if (fp.getRealm() != null) {
- realm = fp.getRealm();
- } else {
+ String realm =
((FederationProtocol)config.getProtocol()).getRealm();
+ if (realm == null) {
String contextPath = request.getContextPath();
String requestUrl = request.getRequestURL().toString();
String requestPath = new URL(requestUrl).getPath();
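Review bot: The freshness string obtained at `freshness = callback.getFreshness();` is forwarded unvalidated into the wfresh query parameter in the @@ -358 hunk; only URL-encoding is applied, so a CallbackHandler that returns arbitrary text yields a wfresh value the IdP cannot act on — the IdpServlet change in this same commit recognizes only the literal "0", and anything else is silently ignored there. A digits-only check before the append, e.g. `if (freshness != null && !freshness.matches("\\d+")) { throw new IllegalStateException("Invalid freshness value: " + freshness); }`, surfaces a misbehaving callback at the relying party instead of as an ignored parameter at the IdP. The enclosing method starts before this hunk and continues after it.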
@@ -358,6 +372,12 @@ public class FederationProcessorImpl imp
.append(URLEncoder.encode(homeRealm, "UTF-8"));
}
+ // add freshness parameter wfresh if set
+ if (freshness != null && freshness.length() > 0) {
+
sb.append('&').append(FederationConstants.PARAM_FRESHNESS).append('=')
+ .append(URLEncoder.encode(freshness, "UTF-8"));
+ }
+
// add current time parameter wct
Date creationTime = new Date();
XmlSchemaDateFormat fmt = new XmlSchemaDateFormat();
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
Sun Oct 14 19:59:59 2012
@@ -42,6 +42,7 @@ public class FederationProtocol extends
private Object authenticationType;
private Object issuer;
private Object homeRealm;
+ private Object freshness;
private List<TokenValidator> validators = new ArrayList<TokenValidator>();
public FederationProtocol(ProtocolType protocolType) {
@@ -228,12 +229,41 @@ public class FederationProtocol extends
}
}
- public String getFreshness() {
- return getFederationProtocol().getFreshness();
+ public Object getFreshness() {
+ if (this.freshness != null) {
+ return this.freshness;
+ }
+ CallbackType cbt = getFederationProtocol().getFreshness();
+ if (cbt == null) {
+ return null;
+ }
+ if (cbt.getType() == null ||
cbt.getType().equals(ArgumentType.STRING)) {
+ this.freshness = new String(cbt.getValue());
+ } else if (cbt.getType().equals(ArgumentType.CLASS)) {
+ try {
+ this.freshness =
+
Thread.currentThread().getContextClassLoader().loadClass(cbt.getValue()).newInstance();
+ } catch (Exception e) {
+ LOG.error("Failed to create instance of " + cbt.getValue(), e);
+ throw new IllegalStateException("Failed to create instance of
" + cbt.getValue());
+ }
+ } else {
+ LOG.error("Only String and Class are supported for 'Freshness'");
+ throw new IllegalStateException("Only String and Class are
supported for 'Freshness'");
+ }
+ return this.freshness;
}
- public void setFreshness(String value) {
- getFederationProtocol().setFreshness(value);
+ public void setFreshness(Object value) {
+ final boolean isString = value instanceof String;
+ final boolean isCallbackHandler = value instanceof CallbackHandler;
+ if (isString || isCallbackHandler) {
+ this.freshness = value;
+ } else {
+ LOG.error("Unsupported 'Freshness' object");
+ throw new IllegalArgumentException("Unsupported 'Freshness'
object. Type must be "
+ + "java.lang.String or
javax.security.auth.callback.CallbackHandler.");
+ }
}
public String getReply() {
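Review bot: In getFreshness the CLASS branch stores whatever `newInstance()` returns in `this.freshness` without checking that it is a CallbackHandler, while setFreshness directly below rejects anything other than String or CallbackHandler; a configured class of the wrong type therefore passes here and is then silently skipped by the instanceof chain in FederationProcessorImpl, leaving wfresh unset with no error. The catch block also drops the cause: `throw new IllegalStateException("Failed to create instance of " + cbt.getValue(), e);` keeps the ClassNotFoundException or constructor failure visible in the stack trace. Separately, `new String(cbt.getValue())` is a needless copy; `this.freshness = cbt.getValue();` is equivalent. The rewrite below applies the type check after instantiation so that a non-CallbackHandler class fails at configuration load rather than at sign-in time.
```java
} else if (cbt.getType().equals(ArgumentType.CLASS)) {
    Object instance;
    try {
        instance = Thread.currentThread().getContextClassLoader()
            .loadClass(cbt.getValue()).newInstance();
    } catch (Exception e) {
        LOG.error("Failed to create instance of " + cbt.getValue(), e);
        // keep the cause so the class-loading or constructor failure is diagnosable
        throw new IllegalStateException("Failed to create instance of " + cbt.getValue(), e);
    }
    // hold the CLASS branch to the same contract setFreshness enforces
    if (!(instance instanceof CallbackHandler)) {
        LOG.error("Class " + cbt.getValue() + " does not implement CallbackHandler");
        throw new IllegalStateException("'Freshness' class must implement "
            + "javax.security.auth.callback.CallbackHandler: " + cbt.getValue());
    }
    this.freshness = instance;
// … unchanged: else-branch for unsupported types, return this.freshness …
```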
Modified:
cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd Sun
Oct 14 19:59:59 2012
@@ -107,7 +107,7 @@
<xs:element name="realm" type="xs:string" />
<xs:element name="applicationServiceURL" type="xs:string" />
- <xs:element name="freshness" type="xs:string" />
+
<xs:complexType name="protocolType" abstract="true" />
@@ -122,6 +122,7 @@
<xs:element name="issuer" type="CallbackType" />
<xs:element name="homeRealm" type="CallbackType" />
<xs:element name="authenticationType" type="CallbackType" />
+ <xs:element name="freshness" type="CallbackType" />
<xs:simpleType name="argumentType">
<xs:restriction base="xs:string">
Modified:
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/CallbackHandlerTest.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/CallbackHandlerTest.java?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/CallbackHandlerTest.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/CallbackHandlerTest.java
Sun Oct 14 19:59:59 2012
@@ -118,8 +118,11 @@ public class CallbackHandlerTest {
claimType.setType(CLAIM_TYPE);
claimTypeReq.getClaimType().add(claimType);
protocol.setClaimTypesRequested(claimTypeReq);
-
- protocol.setFreshness(FRESHNESS_VALUE);
+
+ CallbackType freshness = new CallbackType();
+ freshness.setValue(FRESHNESS_VALUE);
+ protocol.setFreshness(freshness);
+
protocol.setRealm(TARGET_REALM);
protocol.setReply(REPLY);
protocol.setRequest("REQUEST");
Modified:
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
Sun Oct 14 19:59:59 2012
@@ -180,7 +180,9 @@ public class FedizConfigurationTest {
protocol.setClaimTypesRequested(claimTypeReq);
- protocol.setFreshness(FRESHNESS_VALUE);
+ CallbackType freshness = new CallbackType();
+ freshness.setValue(FRESHNESS_VALUE);
+ protocol.setFreshness(freshness);
CallbackType homeRealm = new CallbackType();
homeRealm.setType(ArgumentType.CLASS);
Modified:
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationWriterTest.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationWriterTest.java?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationWriterTest.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationWriterTest.java
Sun Oct 14 19:59:59 2012
@@ -158,7 +158,9 @@ public class FedizConfigurationWriterTes
protocol.setClaimTypesRequested(claimTypeReq);
- protocol.setFreshness(FRESHNESS_VALUE);
+ CallbackType freshness = new CallbackType();
+ freshness.setValue(FRESHNESS_VALUE);
+ protocol.setFreshness(freshness);
CallbackType homeRealm = new CallbackType();
homeRealm.setType(ArgumentType.CLASS);
Modified:
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java?rev=1398122&r1=1398121&r2=1398122&view=diff
==============================================================================
---
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java
(original)
+++
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java
Sun Oct 14 19:59:59 2012
@@ -61,6 +61,8 @@ public class IdpServlet extends HttpServ
public static final String PARAM_WRESULT = "wresult";
public static final String PARAM_WCONTEXT = "wctx";
+
+ public static final String PARAM_WFRESH = "wfresh";
public static final String AUTH_HEADER_NAME = "WWW-Authenticate";
@@ -139,6 +141,7 @@ public class IdpServlet extends HttpServ
String wtrealm = request.getParameter(PARAM_WTREALM);
String wctx = request.getParameter(PARAM_WCONTEXT);
String wreply = request.getParameter(PARAM_WREPLY);
+ String wfresh = request.getParameter(PARAM_WFRESH);
if (action == null) {
LOG.error("Bad request. HTTP parameter '" + PARAM_ACTION
@@ -173,6 +176,9 @@ public class IdpServlet extends HttpServ
if (idpToken.isExpired()) {
LOG.info("IDP token of '" + user + "' expired. Require
authentication.");
authenticationRequired = idpToken.isExpired();
+ } else if (wfresh != null && wfresh.equals("0")) {
+ LOG.info("IDP token of '" + user + "' valid but
relying party requested new authentication");
+ authenticationRequired = true;
} else {
LOG.debug("Session found for '" + user + "'.");
}
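Review bot: The new branch honours wfresh only when it is exactly "0"; any other value, such as "5", falls through to the session-found path and the relying party's freshness requirement is silently ignored. If the IDP token records when it was issued, the check should compare that age against the requested number of minutes; if that information is not available here, the limitation at least deserves a comment on the branch, e.g. `// only wfresh=0 (force re-authentication) is honoured; an age limit in minutes is not evaluated`. The condition itself reads better as `} else if ("0".equals(wfresh)) {`, which also makes the null guard unnecessary. The enclosing method starts before the hunk and continues after it.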
@@ -193,6 +199,7 @@ public class IdpServlet extends HttpServ
StringBuilder value = new StringBuilder(16);
value.append("Basic realm=\"IDP\"");
response.setHeader(AUTH_HEADER_NAME, value.toString());
+ response.setHeader("Cache-Control", "no-store, no-cache,
must-revalidate, private");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
} else {
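Review bot: The header literal `"no-store, no-cache, must-revalidate, private"` is written here and again before the forward to signinresponse.jsp in the @@ -274 hunk; a `private static final String CACHE_CONTROL_NO_STORE = "no-store, no-cache, must-revalidate, private";` next to the other constants keeps the two responses in step when the policy changes. Both spots would also benefit from `response.setHeader("Pragma", "no-cache");` for HTTP/1.0 intermediaries, since the sign-in response presumably carries the issued token back to the browser. The enclosing method continues beyond the hunk.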
@@ -274,6 +281,7 @@ public class IdpServlet extends HttpServ
}
LOG.debug("Forward to jsp...");
+ response.setHeader("Cache-Control", "no-store, no-cache,
must-revalidate, private");
this.getServletContext().getRequestDispatcher("/WEB-INF/signinresponse.jsp")
.forward(request, response);