Repository: cxf Updated Branches: refs/heads/master adba5b8c1 -> 5b17d24cc
Updating RACS filter to ignore requests without expected parameters and let authentication filters deal with it Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5b17d24c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5b17d24c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5b17d24c Branch: refs/heads/master Commit: 5b17d24cc88b7fe91ebad4f51a42748666962a58 Parents: adba5b8 Author: Sergey Beryozkin <[email protected]> Authored: Tue Apr 1 21:39:38 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Apr 1 21:39:38 2014 +0100 ---------------------------------------------------------------------- .../saml/sso/AbstractServiceProviderFilter.java | 13 ++++++++----- .../saml/sso/RequestAssertionConsumerFilter.java | 7 ++++++- .../apache/cxf/rs/security/saml/sso/SSOConstants.java | 4 +++- 3 files changed, 17 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/5b17d24c/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java index 21b5c46..e96566a 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java 
@@ -48,6 +48,7 @@ import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.jaxrs.impl.HttpHeadersImpl; import org.apache.cxf.jaxrs.impl.UriInfoImpl; import org.apache.cxf.jaxrs.utils.ExceptionUtils; +import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.message.Message; import org.apache.cxf.rs.security.saml.SAMLUtils; import org.apache.cxf.rs.security.saml.assertion.Subject; @@ -290,11 +291,13 @@ public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler protected abstract void signAuthnRequest(AuthnRequest authnRequest) throws Exception; private String getAbsoluteAssertionServiceAddress(Message m) { - if (assertionConsumerServiceAddress == null) { - //TODO: Review the possibility of using this filter - //for validating SAMLResponse too - reportError("MISSING_ASSERTION_SERVICE_URL"); - throw ExceptionUtils.toInternalServerErrorException(null, null); + if (assertionConsumerServiceAddress == null) { + if (Boolean.TRUE.equals(JAXRSUtils.getCurrentMessage().get(SSOConstants.RACS_IS_COLLOCATED))) { + assertionConsumerServiceAddress = new UriInfoImpl(m).getAbsolutePath().toString(); + } else { + reportError("MISSING_ASSERTION_SERVICE_URL"); + throw ExceptionUtils.toInternalServerErrorException(null, null); + } } if (!assertionConsumerServiceAddress.startsWith("http")) { String httpBasePath = (String)m.get("http.base.path"); http://git-wip-us.apache.org/repos/asf/cxf/blob/5b17d24c/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java index 49f572d..bf9903a 100644 
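Review bot: In `getAbsoluteAssertionServiceAddress`, the new collocated branch stores a request-derived URL in `assertionConsumerServiceAddress`, which appears to be a field of the filter (its declaration is outside the hunk). If the filter instance is shared across requests, the address computed for the first request is reused for every later one, and the write is unsynchronised. Because `new UriInfoImpl(m).getAbsolutePath()` is built from the incoming request, the ACS URL placed in the AuthnRequest may depend on client-supplied data such as the Host header, depending on how the base URI is resolved. A per-call local avoids persisting it: `String acsAddress = assertionConsumerServiceAddress;` with `acsAddress = new UriInfoImpl(m).getAbsolutePath().toString();` in the branch. The method body continues outside the hunk, so the later uses of the field (starting with the `startsWith("http")` check) would need to switch to the same local; the flag could also be read from the `m` parameter instead of `JAXRSUtils.getCurrentMessage()`, assuming both are the same message.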
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java @@ -61,7 +61,12 @@ public class RequestAssertionConsumerFilter extends AbstractRequestAssertionCons MultivaluedMap<String, String> params, boolean postBinding) { String encodedSamlResponse = params.getFirst(SSOConstants.SAML_RESPONSE); - String relayState = params.getFirst(SSOConstants.RELAY_STATE); + String relayState = params.getFirst(SSOConstants.RELAY_STATE); + if (relayState == null && encodedSamlResponse == null) { + // initial redirect to IDP has not happened yet, let the SAML authentication filter do it + JAXRSUtils.getCurrentMessage().put(SSOConstants.RACS_IS_COLLOCATED, Boolean.TRUE); + return; + } RequestState requestState = processRelayState(relayState); String targetUri = requestState.getTargetAddress(); if (targetUri != null http://git-wip-us.apache.org/repos/asf/cxf/blob/5b17d24c/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOConstants.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOConstants.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOConstants.java index 245d5d2..fde2ddd 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOConstants.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOConstants.java 
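Review bot: The added early `return` lets any request that carries neither `SAMLResponse` nor `RelayState` pass through this filter untouched, and the inline comment does not say that authentication then depends entirely on a later filter being registered on the same endpoint. I would state that precondition in the comment, e.g. `// Not an IdP callback: pass through. A SAML authentication filter must run after this one, otherwise the request is not authenticated here.` Because the guard uses `&&`, a request with only one of the two parameters still reaches `processRelayState(relayState)`, possibly with a null `relayState`. Whether that path rejects the request is not visible in this hunk, so it is worth confirming and covering with a test. The enclosing method starts and ends outside the hunk.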
@@ -26,13 +26,15 @@ public final class SSOConstants { public static final String RELAY_STATE = "RelayState"; public static final String SIG_ALG = "SigAlg"; public static final String SIGNATURE = "Signature"; - public static final String SECURITY_CONTEXT_TOKEN = "org.apache.cxf.websso.context"; public static final long DEFAULT_STATE_TIME = 2L * 60L * 1000L; public static final String RSA_SHA1 = WSConstants.RSA_SHA1; public static final String DSA_SHA1 = WSConstants.DSA; + public static final String SECURITY_CONTEXT_TOKEN = "org.apache.cxf.websso.context"; + public static final String RACS_IS_COLLOCATED = "org.apache.cxf.racs.is.collocated"; + private SSOConstants() { } }
