Repository: cxf-fediz Updated Branches: refs/heads/master abd1fe2c6 -> f15c92f65
Added initial support for SAML SSO Metadata in the plugin core Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f15c92f6 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f15c92f6 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f15c92f6 Branch: refs/heads/master Commit: f15c92f653d2b63bec10d17129eed4be226beebb Parents: abd1fe2 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Jul 29 15:09:37 2014 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Jul 29 15:09:37 2014 +0100 ---------------------------------------------------------------------- .../cxf/fediz/core/FederationConstants.java | 2 + .../fediz/core/config/FederationProtocol.java | 9 - .../apache/cxf/fediz/core/config/Protocol.java | 7 + .../cxf/fediz/core/metadata/MetadataWriter.java | 205 +++++++++++-------- .../src/main/resources/schemas/FedizConfig.xsd | 2 +- .../fediz/tomcat/FederationAuthenticator.java | 5 +- 6 files changed, 133 insertions(+), 97 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
index 767faf0..3ffa654 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
@@ -221,6 +221,8 @@ public final class FederationConstants {
 public static final String METADATA_PATH_URI = "FederationMetadata/2007-06/FederationMetadata.xml";
+ public static final String FEDIZ_SAML_METADATA_PATH_URI = "SAML/Metadata.xml";
+
 private FederationConstants() { }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
index 4809a34..6b37505 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
@@ -56,15 +56,6 @@ public class FederationProtocol extends Protocol {
 super.setProtocolType(federationProtocol);
 }
-
- public String getApplicationServiceURL() {
- return getFederationProtocol().getApplicationServiceURL();
- }
-
- public void setApplicationServiceURL(String value) {
- getFederationProtocol().setApplicationServiceURL(value);
- }
-
 public Object getAuthenticationType() {
 if (this.authenticationType != null) {
 return this.authenticationType;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index c9ff7ae..d49e24d 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -191,4 +191,11 @@ public abstract class Protocol {
 getProtocolType().setClaimTypesRequested(value);
 }
+ public String getApplicationServiceURL() {
+ return getProtocolType().getApplicationServiceURL();
+ }
+
+ public void setApplicationServiceURL(String value) {
+ getProtocolType().setApplicationServiceURL(value);
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index f7ef25c..af3a558 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -29,14 +29,15 @@ import java.util.List;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamWriter;
 import org.w3c.dom.Document;
-
 import org.apache.cxf.fediz.core.config.Claim;
 import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.config.Protocol;
+import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
 import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.cxf.fediz.core.util.SignatureUtils;
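Review bot: The new getApplicationServiceURL/setApplicationServiceURL accessors on the abstract Protocol carry no Javadoc, and now that they are hoisted out of FederationProtocol a reader cannot tell what the value means for a SAML protocol. Add above the getter `/** Returns the configured applicationServiceURL, or null when none is configured; MetadataWriter publishes it as the metadata entityID and, for SAML, as the AssertionConsumerService Location. */` with a matching one-line summary on the setter. The null case is what MetadataWriter's `serviceURL == null` fallback relies on, so whether the object returned by getProtocolType() can actually yield null here should be confirmed and stated in that comment.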
@@ -77,13 +78,10 @@ public class MetadataWriter {
 writer.writeAttribute("ID", referenceID);
 String audience = "_someID";
- String serviceURL = null;
- if (protocol instanceof FederationProtocol) {
- serviceURL = ((FederationProtocol)protocol).getApplicationServiceURL();
- List<String> audienceList = config.getAudienceUris();
- if (audienceList != null && audienceList.size() > 0 && !"".equals(audienceList.get(0))) {
- audience = audienceList.get(0);
- }
+ String serviceURL = protocol.getApplicationServiceURL();
+ List<String> audienceList = config.getAudienceUris();
+ if (audienceList != null && audienceList.size() > 0 && !"".equals(audienceList.get(0))) {
+ audience = audienceList.get(0);
 }
 if (serviceURL == null) {
 serviceURL = audience;
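Review bot: The fallback after the new `String serviceURL = protocol.getApplicationServiceURL();` only tests for null, while the audience check two lines later explicitly rejects `""`; an empty applicationServiceURL element would therefore be written verbatim as the entityID and, on the SAML path, as the AssertionConsumerService Location. Change the guard to `if (serviceURL == null || serviceURL.isEmpty()) {`. When neither value is configured the entityID silently becomes the placeholder `"_someID"`, which a relying IdP would accept as the SP's identity; rejecting that case with a ProcessingException (already imported) would be safer, provided the method's throws clause, which is outside this hunk, allows it. The enclosing method begins and ends outside this hunk.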
@@ -91,88 +89,16 @@ public class MetadataWriter {
 writer.writeAttribute("entityID", serviceURL);
- writer.writeNamespace("fed", WS_FEDERATION_NS);
- writer.writeNamespace("wsa", WS_ADDRESSING_NS);
- writer.writeNamespace("auth", WS_FEDERATION_NS);
- writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
-
- writer.writeStartElement("fed", "RoleDescriptor", WS_FEDERATION_NS);
- writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:ApplicationServiceType");
- writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
-
- writer.writeStartElement("fed", "ApplicationServiceEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
-
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- writer.writeCharacters(serviceURL);
-
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // ApplicationServiceEndpoint
-
- // create target scope element
- writer.writeStartElement("fed", "TargetScope", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
-
- Object realmObj = protocol.getRealm();
- String realm = null;
- if (realmObj instanceof String) {
- realm = (String)realmObj;
- } else if (realmObj instanceof CallbackHandler) {
- //TODO
- //If realm is resolved at runtime, metadata not updated
- }
-
- if (!(realm == null || "".equals(realm))) {
- writer.writeCharacters(realm);
+ if (protocol instanceof FederationProtocol) {
+ writeFederationMetadata(writer, config, serviceURL);
+ } else if (protocol instanceof SAMLProtocol) {
+ writeSAMLMetadata(writer, config, serviceURL);
 }
- // writer.writeCharacters("http://host:port/url from config");
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // TargetScope
-
- List<Claim> claims = protocol.getClaimTypesRequested();
- if (claims != null &&
claims.size() > 0) {
-
- // create ClaimsType section
- writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
- for (Claim claim : claims) {
-
- writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
- writer.writeAttribute("Uri", claim.getType());
- if (claim.isOptional()) {
- writer.writeAttribute("Optional", "true");
- } else {
- writer.writeAttribute("Optional", "false");
- }
-
- writer.writeEndElement(); // ClaimType
-
- }
- writer.writeEndElement(); // ClaimsTypeRequested
- }
- // create sign in endpoint section
-
- writer.writeStartElement("fed", "PassiveRequestorEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
-
- Object issuer = protocol.getIssuer();
- if (issuer instanceof String && !"".equals(issuer)) {
- writer.writeCharacters((String)issuer);
- }
-
- // writer.writeCharacters("http://host:port/url Issuer from config");
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
-
- writer.writeEndElement(); // PassiveRequestorEndpoint
- writer.writeEndElement(); // RoleDescriptor
 writer.writeEndElement(); // EntityDescriptor
 writer.writeEndDocument();
+ streamWriter.flush();
 bout.flush(); //
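Review bot: The new dispatch `if (protocol instanceof FederationProtocol) ... else if (protocol instanceof SAMLProtocol)` has no terminal branch, so any other Protocol subtype yields a well-formed EntityDescriptor that contains no role descriptor at all — a document that parses cleanly but describes no service. Add `else { throw new ProcessingException("Unsupported protocol type: " + protocol.getClass().getName()); }` (ProcessingException is already imported; adjust if the method's throws clause, which lies before this hunk, does not list it). The added `streamWriter.flush();` ahead of `bout.flush()` is a sensible ordering, since a StAX writer may buffer independently of the underlying stream. The enclosing method begins before this hunk.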
@@ -213,6 +139,115 @@ public class MetadataWriter {
 }
+ private void writeFederationMetadata(
+ XMLStreamWriter writer,
+ FedizContext config,
+ String serviceURL
+ ) throws XMLStreamException {
+ writer.writeNamespace("fed", WS_FEDERATION_NS);
+ writer.writeNamespace("wsa", WS_ADDRESSING_NS);
+ writer.writeNamespace("auth", WS_FEDERATION_NS);
+ writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
+
+ writer.writeStartElement("fed", "RoleDescriptor", WS_FEDERATION_NS);
+ writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:ApplicationServiceType");
+ writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
+
+ writer.writeStartElement("fed", "ApplicationServiceEndpoint", WS_FEDERATION_NS);
+ writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
+
+ writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
+ writer.writeCharacters(serviceURL);
+
+ writer.writeEndElement(); // Address
+ writer.writeEndElement(); // EndpointReference
+ writer.writeEndElement(); // ApplicationServiceEndpoint
+
+ // create target scope element
+ writer.writeStartElement("fed", "TargetScope", WS_FEDERATION_NS);
+ writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
+ writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
+
+ FederationProtocol protocol = (FederationProtocol)config.getProtocol();
+
+ Object realmObj = protocol.getRealm();
+ String realm = null;
+ if (realmObj instanceof String) {
+ realm = (String)realmObj;
+ } else if (realmObj instanceof CallbackHandler) {
+ //TODO
+ //If realm is resolved at runtime, metadata not updated
+ }
+
+ if (!(realm == null || "".equals(realm))) {
+ writer.writeCharacters(realm);
+ }
+
+ // writer.writeCharacters("http://host:port/url from config");
+ writer.writeEndElement(); // Address
+ writer.writeEndElement(); // EndpointReference
+ writer.writeEndElement(); // TargetScope
+
+ List<Claim> claims = protocol.getClaimTypesRequested();
+ if (claims != null && claims.size() > 0) {
+
+
// create ClaimsType section
+ writer.writeStartElement("fed", "ClaimTypesRequested", WS_FEDERATION_NS);
+ for (Claim claim : claims) {
+
+ writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
+ writer.writeAttribute("Uri", claim.getType());
+ if (claim.isOptional()) {
+ writer.writeAttribute("Optional", "true");
+ } else {
+ writer.writeAttribute("Optional", "false");
+ }
+
+ writer.writeEndElement(); // ClaimType
+
+ }
+ writer.writeEndElement(); // ClaimsTypeRequested
+ }
+ // create sign in endpoint section
+
+ writer.writeStartElement("fed", "PassiveRequestorEndpoint", WS_FEDERATION_NS);
+ writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
+ writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
+
+ Object issuer = protocol.getIssuer();
+ if (issuer instanceof String && !"".equals(issuer)) {
+ writer.writeCharacters((String)issuer);
+ }
+
+ // writer.writeCharacters("http://host:port/url Issuer from config");
+ writer.writeEndElement(); // Address
+ writer.writeEndElement(); // EndpointReference
+
+ writer.writeEndElement(); // PassiveRequestorEndpoint
+ writer.writeEndElement(); // RoleDescriptor
+ }
+ private void writeSAMLMetadata(
+ XMLStreamWriter writer,
+ FedizContext config,
+ String serviceURL
+ ) throws XMLStreamException {
+
+ SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
+
+ writer.writeStartElement("", "SPSSODescriptor", SAML2_METADATA_NS);
+ writer.writeAttribute("AuthnRequestsSigned", Boolean.toString(protocol.isSignRequest()));
+ writer.writeAttribute("WantAssertionsSigned", "true");
+ writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
+
+ writer.writeStartElement("", "AssertionConsumerService", SAML2_METADATA_NS);
+ writer.writeAttribute("index", "0");
+ writer.writeAttribute("isDefault", "true");
+ writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ writer.writeAttribute("Location", serviceURL);
+
+
writer.writeEndElement(); // AssertionConsumerService
+ writer.writeEndElement(); // SPSSODescriptor
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/core/src/main/resources/schemas/FedizConfig.xsd ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 7c7b91c..516e03d 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -99,7 +99,6 @@
 <xs:element ref="reply" />
 <xs:element ref="request" />
 <xs:element ref="signInQuery" />
- <xs:element ref="applicationServiceURL" />
 </xs:sequence>
 <xs:attribute name="version" use="required" type="xs:string" />
 </xs:extension>
@@ -134,6 +133,7 @@
 <xs:complexType name="protocolType" abstract="true">
 <xs:sequence>
+ <xs:element ref="applicationServiceURL" />
 <xs:element ref="roleDelimiter" />
 <xs:element ref="roleURI" />
 <xs:element ref="claimTypesRequested" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f15c92f6/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java ----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index 5c64332..73c9d97 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
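Review bot: writeSAMLMetadata sets `AuthnRequestsSigned` from `protocol.isSignRequest()` but emits no `KeyDescriptor`, so an IdP consuming this metadata has no SP signing certificate to validate signed AuthnRequests against, and the attribute advertises a property the IdP cannot verify; since the commit describes this as initial support, at least a `// TODO: emit md:KeyDescriptor use="signing" (and "encryption") from the configured SP certificate` at the top of the method would make the gap explicit. Separately, the SAML branch writes SPSSODescriptor with an empty prefix and no writeNamespace call, unlike writeFederationMetadata, which declares fed/wsa/auth/xsi explicitly; whether SAML2_METADATA_NS ends up declared depends on the writer's namespace-repairing setting, configured outside this hunk, so confirm it or add `writer.writeDefaultNamespace(SAML2_METADATA_NS);` right after the start element. As a point of style, writeFederationMetadata re-fetches and casts the protocol via `config.getProtocol()` although the caller already holds a typed reference; passing the Protocol in would remove the cast. The hunk closes the class, so nothing is cut off.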
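Review bot: Moving `<xs:element ref="applicationServiceURL" />` into the abstract protocolType sequence without `minOccurs="0"` makes the element mandatory for every protocol, including SAML, and positions it before roleDelimiter rather than after signInQuery where federation configurations previously carried it; if configuration files are validated against this schema, existing ones would fail, and the `serviceURL == null` fallback MetadataWriter keeps suggests the element was meant to be optional. Consider `<xs:element ref="applicationServiceURL" minOccurs="0" />` and a schema comment noting the position change. Both hunks of this file are involved; the enclosing type definitions start and end outside them.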
@@ -181,9 +181,10 @@ public class FederationAuthenticator extends FormAuthenticator {
 LOG.debug("WsFedAuthenticator:invoke()");
 request.setCharacterEncoding(this.encoding);
- if (request.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI) != -1) {
+ if (request.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI) != -1
+ || request.getRequestURL().indexOf(FederationConstants.FEDIZ_SAML_METADATA_PATH_URI) != -1) {
 if (LOG.isInfoEnabled()) {
- LOG.info("WS-Federation Metadata document requested");
+ LOG.info("Metadata document requested");
 }
 response.setContentType("text/xml");
 PrintWriter out = response.getWriter();
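Review bot: The new condition matches `FEDIZ_SAML_METADATA_PATH_URI` ("SAML/Metadata.xml") as a substring of the whole request URL via `indexOf`, so any longer path that merely contains that text is answered with the metadata document rather than the resource the application mapped there, and the same looseness now applies to both constants. Match the request path and anchor the comparison: `String path = request.getRequestURI(); if (path.endsWith(FederationConstants.METADATA_PATH_URI) || path.endsWith(FederationConstants.FEDIZ_SAML_METADATA_PATH_URI)) {`. Serving metadata for both paths irrespective of the configured protocol also means a WS-Federation-only deployment answers the SAML metadata path and vice versa; whether that is intended, or should be gated on the configured Protocol, deserves a one-line comment here. The enclosing invoke method begins and ends outside this hunk.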
