[[CXF-5885] - Validate "ActAs" tokens in the STS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0ebf9dd2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0ebf9dd2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0ebf9dd2
Branch: refs/heads/2.7.x-fixes
Commit: 0ebf9dd24d956a9a1a8865a0e77317e23e110f5e
Parents: 1bd129b
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Jul 17 11:00:01 2014 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Jul 17 11:01:12 2014 +0100
----------------------------------------------------------------------
.../cxf/sts/operation/TokenIssueOperation.java | 81 +++++++++++---------
1 file changed, 45 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/0ebf9dd2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
index 030acae..c77c179 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
@@ -149,46 +149,15 @@ public class TokenIssueOperation extends AbstractOperation implements IssueOpera
 // Validate OnBehalfOf token if present
 if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
 ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
- TokenValidatorResponse tokenResponse = validateReceivedToken(
- context, realm, tokenRequirements, validateTarget);
-
- if (tokenResponse == null) {
- LOG.fine("No Token Validator has been found that can handle this token");
- } else if (validateTarget.getState().equals(STATE.INVALID)) {
- throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
- } else if (validateTarget.getState().equals(STATE.VALID)) {
- processValidToken(providerParameters, validateTarget, tokenResponse);
- } else {
- //[TODO] Add plugin for validation out-of-band
- // Example:
- // If the requestor is in the possession of a certificate (mutual ssl handshake)
- // the STS trusts the token sent in OnBehalfOf element
- }
-
- Principal tokenPrincipal = null;
- Set<Principal> tokenRoles = null;
-
- if (tokenResponse != null) {
- Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
- if (additionalProperties != null) {
- providerParameters.setAdditionalProperties(additionalProperties);
- }
- tokenPrincipal = tokenResponse.getPrincipal();
- tokenRoles = tokenResponse.getRoles();
- }
-
- // See whether OnBehalfOf is allowed or not
- performDelegationHandling(requestParser, context,
- providerParameters.getTokenRequirements().getOnBehalfOf(),
- tokenPrincipal, tokenRoles);
+ handleDelegationToken(validateTarget, providerParameters, context,
+ realm, tokenRequirements, requestParser);
 }
 // See whether ActAs is allowed or not
- // TODO Validate ActAs
 if (providerParameters.getTokenRequirements().getActAs() != null) {
- performDelegationHandling(requestParser, context,
- providerParameters.getTokenRequirements().getActAs(),
- null, null);
+ ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
+ handleDelegationToken(validateTarget, providerParameters, context,
+ realm, tokenRequirements, requestParser);
 }
 // create token
@@ -244,6 +213,46 @@ public class TokenIssueOperation extends AbstractOperation implements IssueOpera
 throw ex;
 }
 }
+
+ private void handleDelegationToken(
+ ReceivedToken validateTarget,
+ TokenProviderParameters providerParameters,
+ WebServiceContext context,
+ String realm,
+ TokenRequirements tokenRequirements,
+ RequestParser requestParser
+ ) {
+ TokenValidatorResponse tokenResponse = validateReceivedToken(
+ context, realm, tokenRequirements, validateTarget);
+
+ if (tokenResponse == null) {
+ LOG.fine("No Token Validator has been found that can handle this token");
+ } else if (validateTarget.getState().equals(STATE.INVALID)) {
+ throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
+ } else if (validateTarget.getState().equals(STATE.VALID)) {
+ processValidToken(providerParameters, validateTarget, tokenResponse);
+ } else {
+ //[TODO] Add plugin for validation out-of-band
+ // Example:
+ // If the requestor is in the possession of a certificate (mutual ssl handshake)
+ // the STS trusts the token sent in OnBehalfOf element
+ }
+
+ Principal tokenPrincipal = null;
+ Set<Principal> tokenRoles = null;
+
+ if (tokenResponse != null) {
+ Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
+ if (additionalProperties != null) {
+ providerParameters.setAdditionalProperties(additionalProperties);
+ }
+ tokenPrincipal = tokenResponse.getPrincipal();
+ tokenRoles = tokenResponse.getRoles();
+ }
+
+ // See whether OnBehalfOf/ActAs is allowed or not
+ performDelegationHandling(requestParser, context, validateTarget, tokenPrincipal, tokenRoles);
+ }
 private RequestSecurityTokenResponseType createResponse(
 EncryptionProperties encryptionProperties,
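Review bot: When a request carries both OnBehalfOf and ActAs, the two back-to-back `handleDelegationToken` calls in this hunk each run `providerParameters.setAdditionalProperties(...)` and `processValidToken(...)` against the same `providerParameters`, so the ActAs validation result overwrites whatever the OnBehalfOf validation stored, assuming `setAdditionalProperties` replaces rather than merges (not visible here). If that is intended, say so at the ActAs call site, e.g. `// NOTE: validated last, so its additional properties win over OnBehalfOf's`; if not, the two results need to be merged or the combination rejected before issuance. The enclosing issue method starts before and ends after this hunk.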
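Review bot: In the new `handleDelegationToken`, the `tokenResponse == null` branch only logs at FINE and then falls through to `performDelegationHandling` with a null principal and roles, so an ActAs/OnBehalfOf token that no configured TokenValidator recognises is not rejected by this method; whether issuance still proceeds is decided by `performDelegationHandling` and the delegation handler, which are outside the hunk. That contract should be stated on the method, which currently has no Javadoc: a short Javadoc saying it validates the delegation token, throws STSException(REQUEST_FAILED) when a validator marks it INVALID, and otherwise defers the allow/deny decision to the delegation handler even when no validator matched. The comment copied into the out-of-band branch still reads `// the STS trusts the token sent in OnBehalfOf element` although the helper now serves ActAs too; `// the STS trusts the token sent in the OnBehalfOf/ActAs element` is accurate. The `validateTarget.getState().equals(STATE.INVALID)` comparisons would also NPE if `getState()` can return null (cannot tell from here); `==` on the enum avoids that.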
