jetty: FederationAuthenticator.java FederationIdentityService.java FederationLoginService.java FederationUserIdentity.java

owulff Thu, 20 Dec 2012 13:03:32 -0800

Author: owulff
Date: Thu Dec 20 21:03:05 2012
New Revision: 1424704

URL: http://svn.apache.org/viewvc?rev=1424704&view=rev
Log:
SAML token validity is checked in every request


Added:
    
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationIdentityService.java
Modified:
    
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
    
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationLoginService.java
    
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java

Modified: 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
URL: 
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java?rev=1424704&r1=1424703&r2=1424704&view=diff
==============================================================================
--- 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
 (original)
+++ 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
 Thu Dec 20 21:03:05 2012
@@ -134,16 +134,6 @@ public class FederationAuthenticator ext
         if (uri == null) {
             uri = URIUtil.SLASH;
         }
-        
-        /*
-         * mandatory|=isJSecurityCheck(uri); if (!mandatory) return _deferred;
-         */
-
-        /*
-         * not the case if
-         * 
(isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
 return
-         * Authentication.NOT_CHECKED;
-         */
 
         HttpSession session = request.getSession(true);
 
@@ -152,7 +142,6 @@ public class FederationAuthenticator ext
             String wresult = request.getParameter("wresult");
             
             // Handle a request for authentication.
-            
             if (wa != null) {
 
                 FederationResponse wfRes = null;
@@ -301,8 +290,6 @@ public class FederationAuthenticator ext
             
             FederationProcessor wfProc = new FederationProcessorImpl();
             redirectToIssuer(request, response, wfProc);
-            
//response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),
-            //                                                                 
 formLoginPage)));
 
             return Authentication.SEND_CONTINUE;
 

Added: 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationIdentityService.java
URL: 
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationIdentityService.java?rev=1424704&view=auto
==============================================================================
--- 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationIdentityService.java
 (added)
+++ 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationIdentityService.java
 Thu Dec 20 21:03:05 2012
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.jetty;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+
+import org.eclipse.jetty.security.IdentityService;
+import org.eclipse.jetty.security.RoleRunAsToken;
+import org.eclipse.jetty.security.RunAsToken;
+import org.eclipse.jetty.server.UserIdentity;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
+
+
+/**
+ * Federation Identity Service implementation.
+ * This service handles only role reference maps passed in an
+ * associated {@link org.eclipse.jetty.server.UserIdentity.Scope}.  If there 
are roles
+ * refs present, then associate will wrap the UserIdentity with one
+ * that uses the role references in the 
+ * {@link org.eclipse.jetty.server.UserIdentity#isUserInRole(String, 
org.eclipse.jetty.server.UserIdentity.Scope)}
+ * implementation. All other operations are effectively noops.
+ *
+ */
+public class FederationIdentityService implements IdentityService {
+    private static final Logger LOG = 
Log.getLogger(FederationIdentityService.class);
+
+    public FederationIdentityService() {
+    }
+
+
+    /** 
+     * If there are roles refs present in the scope, then wrap the 
UserIdentity 
+     * with one that uses the role references in the
+     * {@link UserIdentity#isUserInRole(String, 
org.eclipse.jetty.server.UserIdentity.Scope)}
+     */
+    public Object associate(UserIdentity user) {
+        return null;
+    }
+
+    public void disassociate(Object previous) {
+    }
+
+    public Object setRunAs(UserIdentity user, RunAsToken token) {
+        return token;
+    }
+
+    public void unsetRunAs(Object lastToken) {
+    }
+
+    public RunAsToken newRunAsToken(String runAsName) {
+        return new RoleRunAsToken(runAsName);
+    }
+
+    public UserIdentity getSystemUserIdentity() {
+        return null;
+    }
+
+    public UserIdentity newUserIdentity(
+        final Subject subject, final Principal userPrincipal, final String[] 
roles) {
+        
+        try {
+            FederationUserPrincipal fup = 
(FederationUserPrincipal)userPrincipal;
+            return new FederationUserIdentity(subject, userPrincipal, roles, 
fup.getFederationResponse());
+        } catch (ClassCastException ex) {
+            LOG.warn("Principal must be instance of FederationUserPrincipal");
+            throw new IllegalStateException("Principal must be instance of 
FederationUserPrincipal");
+        }
+        
+        
+    }
+
+}

Modified: 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationLoginService.java
URL: 
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationLoginService.java?rev=1424704&r1=1424703&r2=1424704&view=diff
==============================================================================
--- 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationLoginService.java
 (original)
+++ 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationLoginService.java
 Thu Dec 20 21:03:05 2012
@@ -20,6 +20,7 @@
 package org.apache.cxf.fediz.jetty;
 
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.List;
 
 import javax.security.auth.Subject;
@@ -40,7 +41,7 @@ import org.eclipse.jetty.util.log.Logger
 public class FederationLoginService extends AbstractLifeCycle implements 
LoginService {
     private static final Logger LOG = 
Log.getLogger(FederationLoginService.class);
 
-    protected IdentityService identityService;
+    protected IdentityService identityService = new 
FederationIdentityService();
     protected String name;
     
 
@@ -126,9 +127,6 @@ public class FederationLoginService exte
             String[] aRoles = new String[roles.size()];
             roles.toArray(aRoles);
             
-            //[TODO] Create FederationUserIdentity here
-            //FederationReponse should be protected and
-            //not accessible in Principal
             return identityService.newUserIdentity(subject, user, aRoles);
 
         } catch (Exception ex) {
@@ -139,8 +137,13 @@ public class FederationLoginService exte
     }
 
     public boolean validate(UserIdentity user) {
-        //[TODO] check validity of token???
-        return true;
+        try {
+            FederationUserIdentity fui = (FederationUserIdentity)user;
+            return fui.getExpiryDate().after(new Date());
+        } catch (ClassCastException ex) {
+            LOG.warn("UserIdentity must be instance of 
FederationUserIdentity");
+            throw new IllegalStateException("UserIdentity must be instance of 
FederationUserIdentity");
+        }
     }
 
     @Override

Modified: 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
URL: 
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java?rev=1424704&r1=1424703&r2=1424704&view=diff
==============================================================================
--- 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
 (original)
+++ 
cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationUserIdentity.java
 Thu Dec 20 21:03:05 2012
@@ -21,22 +21,26 @@ package org.apache.cxf.fediz.jetty;
 
 
 import java.security.Principal;
-import java.util.List;
+import java.util.Date;
 
 import javax.security.auth.Subject;
 
+import org.apache.cxf.fediz.core.FederationResponse;
 import org.eclipse.jetty.server.UserIdentity;
 
 public class FederationUserIdentity implements UserIdentity {
     
     private Subject subject;
     private Principal principal;
-    private List<String> roles;
+    private String[] roles;
+    private FederationResponse fedResponse;
 
-    public FederationUserIdentity(Subject subject, Principal principal, 
List<String> roles) {
+    public FederationUserIdentity(Subject subject, Principal principal,
+                                  String[] roles, FederationResponse 
fedResponse) {
         this.subject = subject;
         this.principal = principal;
         this.roles = roles;
+        this.fedResponse = fedResponse;
     }
 
 
@@ -49,7 +53,32 @@ public class FederationUserIdentity impl
     }
 
     public boolean isUserInRole(String role, Scope scope) {
-        return roles.contains(role);
+        if (scope != null && scope.getRoleRefMap() != null) {
+            role = scope.getRoleRefMap().get(role);
+        }
+        
+        for (String r : this.roles) {
+            if (r.equals(role)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    public Date getExpiryDate() {
+        return fedResponse.getTokenExpires();
+    }
+    
+    public String getIssuer() {
+        return fedResponse.getIssuer();
+    }
+    
+    public String getAudience() {
+        return fedResponse.getAudience();
+    }
+    
+    public String getId() {
+        return fedResponse.getUniqueTokenId();
     }
 
 }

svn commit: r1424704 - in /cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty: FederationAuthenticator.java FederationIdentityService.java FederationLoginService.java FederationUserIdentity.java

Reply via email to