Repository: cxf Updated Branches: refs/heads/master ec5b09021 -> a25555131
[CXF-5664] - CXF STS does not support wst:Participants Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a2555513 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a2555513 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a2555513 Branch: refs/heads/master Commit: a25555131d5651139b9e16b23e97ed645fa09229 Parents: 0a34954 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Apr 11 23:00:37 2014 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Apr 11 23:01:09 2014 +0100 ---------------------------------------------------------------------- .../provider/DefaultConditionsProvider.java | 94 +++++++++++++++++--- 1 file changed, 82 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a2555513/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java index dc10315..2b60441 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java @@ -19,12 +19,19 @@ package org.apache.cxf.sts.token.provider; import java.text.ParseException; +import java.util.ArrayList; import java.util.Collections; import java.util.Date; +import java.util.List; import java.util.logging.Logger; +import org.w3c.dom.Element; + import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.helpers.DOMUtils; +import org.apache.cxf.sts.STSConstants; import org.apache.cxf.sts.request.Lifetime; +import org.apache.cxf.sts.request.Participants; import org.apache.cxf.ws.security.sts.provider.STSException; import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean; import org.apache.wss4j.common.saml.bean.ConditionsBean; @@ -132,17 +139,9 @@ public class DefaultConditionsProvider implements ConditionsProvider { * Get a ConditionsBean object. */ public ConditionsBean getConditions(TokenProviderParameters providerParameters) { - return getConditions( - providerParameters.getAppliesToAddress(), - providerParameters.getTokenRequirements().getLifetime() - ); - } - - /** - * Get a ConditionsBean object. - */ - private ConditionsBean getConditions(String appliesToAddress, Lifetime tokenLifetime) { ConditionsBean conditions = new ConditionsBean(); + + Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime(); if (lifetime > 0) { if (acceptClientLifetime && tokenLifetime != null && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) { @@ -202,13 +201,84 @@ public class DefaultConditionsProvider implements ConditionsProvider { } else { conditions.setTokenPeriodMinutes(5); } + + List<AudienceRestrictionBean> audienceRestrictions = createAudienceRestrictions(providerParameters); + if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { + conditions.setAudienceRestrictions(audienceRestrictions); + } + + return conditions; + } + + /** + * Create a list of AudienceRestrictions to be added to the Conditions Element of the + * issued Assertion. The default behaviour is to add a single Audience URI per + * AudienceRestriction Element. The Audience URIs are from an AppliesTo address, and + * the wst:Participants (if either exist). + */ + protected List<AudienceRestrictionBean> createAudienceRestrictions( + TokenProviderParameters providerParameters + ) { + List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>(); + String appliesToAddress = providerParameters.getAppliesToAddress(); if (appliesToAddress != null) { AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); audienceRestriction.setAudienceURIs(Collections.singletonList(appliesToAddress)); - conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); + audienceRestrictions.add(audienceRestriction); } - return conditions; + Participants participants = providerParameters.getTokenRequirements().getParticipants(); + if (participants != null) { + if (participants.getPrimaryParticipant() instanceof Element) { + String address = + extractAddressFromParticipantsEPR((Element)participants.getPrimaryParticipant()); + if (address != null) { + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.setAudienceURIs(Collections.singletonList(address)); + audienceRestrictions.add(audienceRestriction); + } + } + + if (participants.getParticipants() != null) { + for (Object participant : participants.getParticipants()) { + if (participant instanceof Element) { + String address = + extractAddressFromParticipantsEPR((Element)participant); + if (address != null) { + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.setAudienceURIs(Collections.singletonList(address)); + audienceRestrictions.add(audienceRestriction); + } + } + } + } + } + + return audienceRestrictions; + } + + /** + * Extract an address from a Particpants EPR DOM element + */ + protected static String extractAddressFromParticipantsEPR(Element participants) { + if (participants != null) { + Element endpointRef = + DOMUtils.getFirstChildWithName( + participants, STSConstants.WSA_NS_05, "EndpointReference" + ); + if (endpointRef != null) { + LOG.fine("Found EndpointReference element"); + Element address = + DOMUtils.getFirstChildWithName( + endpointRef, STSConstants.WSA_NS_05, "Address"); + if (address != null) { + LOG.fine("Found address element"); + return address.getTextContent(); + } + } + } + LOG.fine("Participants element does not exist or could not be parsed"); + return null; } }
