Support caching option for trusted Idp tokens
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f5ea1923 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f5ea1923 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f5ea1923 Branch: refs/heads/master Commit: f5ea192342247a152f6013b65f377d307bd13f1d Parents: 00a61f4 Author: Oliver Wulff <[email protected]> Authored: Tue Mar 18 22:09:24 2014 +0100 Committer: Oliver Wulff <[email protected]> Committed: Tue Mar 18 22:09:24 2014 +0100 ---------------------------------------------------------------------- .../service/idp/beans/STSClientAction.java | 23 +++++++---------- .../idp/service/jpa/ConfigServiceJPA.java | 4 +-- .../WEB-INF/federation-signin-request.xml | 13 +++++++--- .../WEB-INF/federation-signin-response.xml | 27 +++++++------------- .../WEB-INF/federation-validate-request.xml | 4 +++ 5 files changed, 34 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f5ea1923/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java index b645dc7..2a03cb3 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java 
@@ -293,22 +293,17 @@ public class STSClientAction {
 private SecurityToken getSecurityToken(RequestContext context) throws ProcessingException {
 String whr = (String) WebUtils.
 getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
- SecurityToken idpToken = null;
- if (whr != null) {
- idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
- if (idpToken != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("[IDP_TOKEN="
- + idpToken.getId()
- + "] successfully retrieved from cache for home realm ["
- + whr + "]");
- }
- } else {
- LOG.error("IDP_TOKEN not found");
- throw new ProcessingException(TYPE.BAD_REQUEST);
+
+ SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromFlowScope(context, "idpToken");
+ if (idpToken != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("[IDP_TOKEN="
+ + idpToken.getId()
+ + "] successfully retrieved from cache for home realm ["
+ + whr + "]");
 }
 } else {
- LOG.error("Home realm not found");
+ LOG.error("IDP_TOKEN not found");
 throw new ProcessingException(TYPE.BAD_REQUEST);
 }
 return idpToken;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f5ea1923/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ConfigServiceJPA.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ConfigServiceJPA.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ConfigServiceJPA.java
index 2b481ff..fe1fac7 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ConfigServiceJPA.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ConfigServiceJPA.java
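Review bot: The token read on the new `SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromFlowScope(context, "idpToken");` line is accepted as long as it is non-null, with no check that it is still valid, so a token that was cached in the session on an earlier sign-in and has since expired is presumably passed on to the STS and only fails downstream; `SecurityToken` exposes `isExpired()`, and I would fail fast with `if (idpToken == null || idpToken.isExpired()) {` while keeping the existing `ProcessingException(TYPE.BAD_REQUEST)` path. The debug message still claims the token was "successfully retrieved from cache", but since federation-signin-response.xml now passes the freshly validated token through `flowScope.idpToken` whether or not `cacheTokens` is set, the token may never have been cached, so the wording should become something like `"] obtained from flow scope for home realm ["`. Dropping the old `whr != null` branch also means `whr` may now be null when interpolated into that message; harmless, but worth a one-line comment if intended. The method's closing brace follows `return idpToken;` outside the hunk.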
@@ -39,7 +39,7 @@ import org.springframework.security.core.context.SecurityContextHolder; public class ConfigServiceJPA implements ConfigService { - private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpDAOJPAImpl.class); + private static final Logger LOG = LoggerFactory.getLogger(ConfigServiceJPA.class); IdpService idpService; @@ -62,7 +62,7 @@ public class ConfigServiceJPA implements ConfigService { } } finally { SecurityContextHolder.getContext().setAuthentication(currentAuthentication); - LOG.error("Old Spring security context restored"); + LOG.info("Old Spring security context restored"); } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f5ea1923/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml index ca28ee3..48d876d 100644 --- a/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml +++ b/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml @@ -115,7 +115,9 @@ <evaluate expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" /> <transition on="yes" to="redirectToTrustedIDP" /> - <transition on="no" to="requestRpToken" /> + <transition on="no" to="requestRpToken" > + <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" /> + </transition> <transition on-exception="java.lang.Throwable" to="viewBadRequest" /> </action-state> 
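Review bot: The new `<set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />` indexes the session map with a bare `whr`, while federation-signin-response.xml writes the same cache entry under `externalContext.sessionMap[flowScope.whr]`; the two keys coincide only if Web Flow's scope search resolves the unqualified `whr` to the flow-scope value, so I would write `externalContext.sessionMap[flowScope.whr]` here and in the two matching sets in the hunks at -143 and -157 so the read uses exactly the key that was written. If `whr` resolved to a same-named attribute in an earlier scope, the lookup would yield null and the only symptom would be the generic "IDP_TOKEN not found" error in STSClientAction, which is hard to diagnose. A comment such as `<!-- cached IdP token for this home realm; key must match the set in federation-signin-response.xml -->` above the set would make the cross-file coupling explicit.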
@@ -143,7 +145,9 @@ <evaluate expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" /> <transition on="yes" to="redirectToLocalIDP" /> - <transition on="no" to="requestRpToken" /> + <transition on="no" to="requestRpToken"> + <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" /> + </transition> <transition on-exception="java.lang.Throwable" to="viewBadRequest" /> </action-state> @@ -157,7 +161,9 @@ <action-state id="cacheTokenForWauth"> <secured attributes="IS_AUTHENTICATED_FULLY" /> <evaluate expression="cacheTokenForWauthAction.submit(flowRequestContext)" /> - <transition to="requestRpToken" /> + <transition to="requestRpToken"> + <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" /> + </transition> </action-state> <!-- ============================================================================================================= --> @@ -166,6 +172,7 @@ <end-state id="requestRpToken"> <output name="whr" value="flowScope.whr" /> <output name="wctx" value="flowScope.wctx" /> + <output name="idpToken" value="flowScope.idpToken" /> </end-state> <!-- abnormal exit point : Http 400 Bad Request --> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f5ea1923/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml index ffee75e..3feef6e 100644 --- a/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml +++ b/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml 
@@ -34,33 +34,23 @@ </on-start> <!-- validate token issued by requestor IDP ('wresult') given its 'whr' --> - <!-- <action-state id="validateToken"> - <evaluate expression="validateTokenAction.submit(flowRequestContext)" - result="flowScope.rpIdpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" /> - <transition to="requestRpToken"> - <set name="externalContext.sessionMap[flowScope.whr]" - value="flowScope.rpIdpToken" /> - </transition> + <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)" + result="flowScope.idpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" /> + <transition to="checkCacheTrustedIdpToken" /> <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" /> <transition on-exception="java.lang.Throwable" to="scInternalServerError" /> </action-state> - --> - <action-state id="validateToken"> - <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)" - result="flowScope.rpIdpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" /> - <transition to="requestRpToken"> - <!-- cache validated token under key = requestor home realm --> + <action-state id="checkCacheTrustedIdpToken"> + <evaluate expression="idpConfig.findTrustedIdp(flowScope.whr).cacheTokens" /> + <transition on="yes" to="requestRpToken"> <set name="externalContext.sessionMap[flowScope.whr]" - value="flowScope.rpIdpToken" /> + value="flowScope.idpToken" /> </transition> - <transition - on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" - to="viewBadRequest" /> - <transition on-exception="java.lang.Throwable" to="scInternalServerError" /> + <transition on="no" to="requestRpToken" /> </action-state> <end-state id="requestRpToken"> 
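Review bot: The new `checkCacheTrustedIdpToken` state evaluates `idpConfig.findTrustedIdp(flowScope.whr).cacheTokens` with only `yes`/`no` transitions; if `findTrustedIdp` returns null for an unrecognised `whr`, the expression throws and, unlike `validateToken` directly above it, this state declares no on-exception transitions, so handling falls to whatever the flow defines globally, which is not visible in this hunk. I would mirror the neighbouring state with `<transition on-exception="java.lang.Throwable" to="scInternalServerError" />` inside the new action-state. The `<set name="externalContext.sessionMap[flowScope.whr]" value="flowScope.idpToken" />` write also lost the explanatory comment the commit removed; I would restore it as `<!-- cache validated token under key = requestor home realm, only when the trusted IdP has cacheTokens enabled -->`.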
@@ -68,6 +58,7 @@ <output name="wctx" value="flowScope.wctx" /> <output name="wreply" value="flowScope.wreply" /> <output name="wtrealm" value="flowScope.wtrealm" /> + <output name="idpToken" value="flowScope.idpToken" /> </end-state> <!-- abnormal exit point : Http 400 Bad Request --> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f5ea1923/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml index f517a81..6f7d232 100644 --- a/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml +++ b/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml @@ -73,10 +73,12 @@ <output name="whr" /> <output name="wctx" /> + <output name="idpToken" /> <transition on="requestRpToken" to="requestRpToken"> <set name="flowScope.whr" value="currentEvent.attributes.whr" /> <set name="flowScope.wctx" value="currentEvent.attributes.wctx" /> + <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" /> </transition> <transition on="viewBadRequest" to="viewBadRequest" /> <transition on="scInternalServerError" to="scInternalServerError" /> @@ -100,12 +102,14 @@ <output name="wreply" /> <output name="wctx" /> <output name="whr" /> + <output name="idpToken" /> <transition on="requestRpToken" to="requestRpToken"> <set name="flowScope.whr" value="currentEvent.attributes.whr" /> <set name="flowScope.wctx" value="currentEvent.attributes.wctx" /> <set name="flowScope.wtrealm" value="currentEvent.attributes.wtrealm" /> <set name="flowScope.wreply" value="currentEvent.attributes.wreply" /> + <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" /> </transition> <transition on="viewBadRequest" to="viewBadRequest" /> <transition on="scInternalServerError" to="scInternalServerError" />
