Large refactor to support WS-Federation with the CXF plugin
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/7078bdc7 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/7078bdc7 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/7078bdc7 Branch: refs/heads/master Commit: 7078bdc7f42960bf752814e5cc2924ee697e8f72 Parents: 33241a6 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Sep 1 14:14:05 2014 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Sep 1 14:14:05 2014 +0100 ---------------------------------------------------------------------- .../org/apache/cxf/fediz/core/RequestState.java | 44 ++++++++++++-- .../cxf/fediz/core/config/SAMLProtocol.java | 20 ------- .../core/processor/FederationProcessorImpl.java | 18 +++++- .../fediz/core/processor/SAMLProcessorImpl.java | 36 ++++-------- .../src/main/resources/schemas/FedizConfig.xsd | 4 -- .../cxf/fediz/core/samlsso/SAMLRequestTest.java | 1 - .../plugin/AbstractServiceProviderFilter.java | 37 ++++++++---- .../cxf/plugin/FedizRedirectBindingFilter.java | 62 +++++++++++++++----- .../fediz/cxf/plugin/state/ResponseState.java | 10 ++-- 9 files changed, 145 insertions(+), 87 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
index 2a54a61..cfe761f 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/RequestState.java
@@ -35,9 +35,9 @@ public class RequestState implements Serializable {
 private String requestId;
 private String issuerId;
 private String webAppContext;
- private String webAppDomain;
 private long createdAt;
 private String state;
+ private String webAppDomain;
 public RequestState() {
@@ -52,16 +52,44 @@ public class RequestState implements Serializable {
 String webAppDomain,
 String state,
 long createdAt) {
+ setTargetAddress(targetAddress);
+ setIdpServiceAddress(idpServiceAddress);
+ setRequestId(requestId);
+ setIssuerId(issuerId);
+ setWebAppContext(webAppContext);
+ setWebAppDomain(webAppDomain);
+ setState(state);
+ setCreatedAt(createdAt);
+ }
+
+
+ public void setTargetAddress(String targetAddress) {
 this.targetAddress = targetAddress;
+ }
+
+ public void setIdpServiceAddress(String idpServiceAddress) {
 this.idpServiceAddress = idpServiceAddress;
+ }
+
+ public void setRequestId(String requestId) {
 this.requestId = requestId;
+ }
+
+ public void setIssuerId(String issuerId) {
 this.issuerId = issuerId;
+ }
+
+ public void setWebAppContext(String webAppContext) {
 this.webAppContext = webAppContext;
- this.webAppDomain = webAppDomain;
- this.state = state;
+ }
+
+ public void setCreatedAt(long createdAt) {
 this.createdAt = createdAt;
 }
- // CHECKSTYLE:ON
+
+ public void setState(String state) {
+ this.state = state;
+ }
 public String getTargetAddress() {
 return targetAddress;
@@ -86,13 +114,17 @@ public class RequestState implements Serializable {
 public String getWebAppContext() {
 return webAppContext;
 }
+
+ public String getState() {
+ return state;
+ }
 public String getWebAppDomain() {
 return webAppDomain;
 }
- public String getState() {
- return state;
+ public void setWebAppDomain(String webAppDomain) {
+ this.webAppDomain = webAppDomain;
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java ----------------------------------------------------------------------
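Review bot: The new eight-argument constructor now delegates to public, non-final setters (`setTargetAddress(...)` through `setCreatedAt(...)`), and RequestState is not declared final, so a subclass that overrides any setter has it invoked before its own fields are initialised. Either assign the fields directly in the constructor as the old code did, or mark the setters `final`. The class also deserves a one-line purpose comment now that it is mutable and shared by both protocols, e.g. `// Mutable, Serializable record of a pending sign-in redirect; 'state' is the RelayState/wctx value the CXF plugin uses as the state-manager key.`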
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index 377c71d..adeb1f6 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -60,26 +60,6 @@ public class SAMLProtocol extends Protocol {
 getSAMLProtocol().setSignRequest(signRequest);
 }
- public String getWebAppDomain() {
- return getSAMLProtocol().getWebAppDomain();
- }
-
- public void setWebAppDomain(String webAppDomain) {
- getSAMLProtocol().setWebAppDomain(webAppDomain);
- }
-
- public long getStateTimeToLive() {
- long ttl = getSAMLProtocol().getStateTimeToLive();
- if (ttl > 0) {
- return ttl;
- }
- return 2L * 60L * 1000L;
- }
-
- public void setStateTimeToLive(long stateTimeToLive) {
- getSAMLProtocol().setStateTimeToLive(stateTimeToLive);
- }
-
 public AuthnRequestBuilder getAuthnRequestBuilder() {
 if (authnRequestBuilder != null) {
 return authnRequestBuilder;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index c4df1a6..a614e62 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -32,6 +32,7 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -41,6 +42,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.RequestState;
 import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.TokenValidatorRequest;
 import org.apache.cxf.fediz.core.TokenValidatorResponse;
@@ -348,6 +350,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
 throws ProcessingException {
 String redirectURL = null;
+ RequestState requestState = null;
 try {
 if (!(config.getProtocol() instanceof FederationProtocol)) {
 LOG.error("Unsupported protocol");
@@ -375,7 +378,15 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
 String signInQuery = resolveSignInQuery(request, config);
 LOG.info("SignIn Query: " + signInQuery);
-
+ String wctx = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ String requestURL = request.getRequestURL().toString();
+
+ requestState = new RequestState();
+ requestState.setTargetAddress(requestURL);
+ requestState.setIdpServiceAddress(redirectURL);
+ requestState.setState(wctx);
+ requestState.setCreatedAt(System.currentTimeMillis());
+
 StringBuilder sb = new StringBuilder();
 sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNIN);
@@ -436,6 +447,10 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
 sb.append('&').append(FederationConstants.PARAM_CURRENT_TIME).append('=')
 .append(URLEncoder.encode(wct, "UTF-8"));
+ LOG.debug("wctx=" + wctx);
+ sb.append('&').append(FederationConstants.PARAM_CONTEXT).append('=');
+ sb.append(URLEncoder.encode(wctx, "UTF-8"));
+
 // add signin query extensions
 if (signInQuery != null && signInQuery.length() > 0) {
 sb.append('&').append(signInQuery);
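Review bot: `wctx` is URL-encoded twice: once when it is created (`URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8")`) and again when it is appended to the query (`sb.append(URLEncoder.encode(wctx, "UTF-8"))`), while the RequestState keeps the once-encoded form as its state value. For a UUID the encoding is a no-op so the round trip works today, but the wctx parameter that comes back is decoded only once by the container, so any future state format containing reserved characters would silently fail the lookup in the plugin. Keep the raw value in the state and encode only at append time: `String wctx = UUID.randomUUID().toString();`. The enclosing method starts before the first hunk; the `LOG.debug("wctx=" + wctx)` line also writes the sign-in context value to the log, which is acceptable at debug level but worth a comment saying so.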
@@ -449,6 +464,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
 RedirectionResponse response = new RedirectionResponse();
 response.setRedirectionURL(redirectURL);
+ response.setRequestState(requestState);
 return response;
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 1546cc2..304b6cb 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -50,7 +50,6 @@ import org.apache.cxf.fediz.core.samlsso.CompressionUtils;
 import org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator;
 import org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator;
 import org.apache.cxf.fediz.core.samlsso.SSOValidatorResponse;
-import org.apache.cxf.fediz.core.util.CookieUtils;
 import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -104,9 +103,9 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
 }
 private RequestState processRelayState(
- String relayState, RequestState requestState, SAMLProtocol samlProtocol
+ String relayState, RequestState requestState
 ) throws ProcessingException {
- if (relayState.getBytes().length < 0 || relayState.getBytes().length > 80) {
+ if (relayState.getBytes().length <= 0 || relayState.getBytes().length > 80) {
 LOG.error("Invalid RelayState");
 throw new ProcessingException(TYPE.INVALID_REQUEST);
 }
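Review bot: `processRelayState` dereferences `relayState` before any null check (`relayState.getBytes().length <= 0`), so a SAML response with no RelayState parameter throws NullPointerException instead of the intended `ProcessingException(TYPE.INVALID_REQUEST)`; the CXF filter now guards against null before calling into core, but this core method is presumably reachable from the other container plugins as well. Guard it here and name the charset, since `String.getBytes()` without one uses the platform default and the 80-byte RelayState limit should not depend on it: `if (relayState == null || relayState.isEmpty() || relayState.getBytes(StandardCharsets.UTF_8).length > 80) {`. The method body continues past the end of this hunk.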
@@ -114,11 +113,6 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
 LOG.error("Missing Request State");
 throw new ProcessingException(TYPE.INVALID_REQUEST);
 }
- if (CookieUtils.isStateExpired(requestState.getCreatedAt(), 0,
- samlProtocol.getStateTimeToLive())) {
- LOG.error("EXPIRED_REQUEST_STATE");
- throw new ProcessingException(TYPE.INVALID_REQUEST);
- }
 return requestState;
 }
@@ -127,7 +121,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
 throws ProcessingException {
 SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
 RequestState requestState =
- processRelayState(request.getState(), request.getRequestState(), protocol);
+ processRelayState(request.getState(), request.getRequestState());
 InputStream tokenStream = null;
 try {
@@ -304,16 +298,15 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
 Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
 String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
- String webAppDomain = ((SAMLProtocol)config.getProtocol()).getWebAppDomain();
 String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
- RequestState requestState = new RequestState(requestURL,
- redirectURL,
- authnRequest.getID(),
- realm,
- authnRequest.getIssuer().getValue(),
- webAppDomain,
- relayState,
- System.currentTimeMillis());
+ RequestState requestState = new RequestState();
+ requestState.setTargetAddress(requestURL);
+ requestState.setIdpServiceAddress(redirectURL);
+ requestState.setRequestId(authnRequest.getID());
+ requestState.setIssuerId(realm);
+ requestState.setWebAppContext(authnRequest.getIssuer().getValue());
+ requestState.setState(relayState);
+ requestState.setCreatedAt(System.currentTimeMillis());
 String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
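Review bot: Removing the `isStateExpired` check from `processRelayState` means the core SAML processor no longer enforces any lifetime on a stored RequestState; the only expiry check left in this commit lives in the CXF plugin's `validateSignInRequest`. If SAMLProcessorImpl is also driven by other plugins (not visible in this diff), each of them now has to enforce the TTL itself, otherwise a captured RelayState remains redeemable until the state manager evicts the entry. A Javadoc note on `processRelayState` would make the new contract explicit: `Validates the RelayState format and that a matching RequestState exists; callers are responsible for checking RequestState.getCreatedAt() against their own state TTL.`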
@@ -327,14 +320,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
 sb.append("&" + SAMLSSOConstants.SIGNATURE).append('=').append(signature);
 }
- String contextCookie = CookieUtils.createCookie(SAMLSSOConstants.RELAY_STATE,
- relayState,
- request.getRequestURI(),
- webAppDomain,
- ((SAMLProtocol)config.getProtocol()).getStateTimeToLive());
-
 RedirectionResponse response = new RedirectionResponse();
- response.addHeader("Set-Cookie", contextCookie);
 response.addHeader("Cache-Control", "no-cache, no-store");
 response.addHeader("Pragma", "no-cache");
 response.setRequestState(requestState);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/main/resources/schemas/FedizConfig.xsd ----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 367fbab..4d4c1f9 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -110,8 +110,6 @@
 <xs:extension base="protocolType">
 <xs:sequence>
 <xs:element ref="signRequest" />
- <xs:element ref="stateTimeToLive" />
- <xs:element ref="webAppDomain" />
 <xs:element ref="authnRequestBuilder"/>
 </xs:sequence>
 <xs:attribute name="version" use="required" type="xs:string" />
@@ -126,8 +124,6 @@
 <xs:element name="metadataURI" type="xs:string" />
 <xs:element name="signRequest" type="xs:boolean" />
- <xs:element name="stateTimeToLive" type="xs:long" default="120000" />
- <xs:element name="webAppDomain" type="xs:string" />
 <xs:element name="authnRequestBuilder" type="xs:string" />
 <xs:complexType name="protocolType" abstract="true">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java ----------------------------------------------------------------------
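Review bot: Dropping `stateTimeToLive` and `webAppDomain` from the SAML protocol schema is a breaking configuration change that the commit message does not mention: any existing fediz_config.xml that still carries these elements will fail schema validation after upgrade, and the values now have to be set on the filter bean through `setStateTimeToLive`/`setWebAppDomain`, with a hard-coded default of 120000 ms when they are not. This should be called out in the release notes, and an `<xs:annotation>` on the SAML protocol type pointing operators to the new filter properties would save a confusing validation error at startup.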
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
index 1f93343..3cab944 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java
@@ -119,7 +119,6 @@ public class SAMLRequestTest {
 Map<String, String> headers = response.getHeaders();
 Assert.assertNotNull(headers);
 Assert.assertFalse(headers.isEmpty());
- Assert.assertTrue(headers.containsKey("Set-Cookie"));
 Assert.assertTrue("no-cache, no-store".equals(headers.get("Cache-Control")));
 Assert.assertTrue("no-cache".equals(headers.get("Pragma")));
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java ----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
index 3468216..b63d95c 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
@@ -39,11 +39,9 @@ import javax.xml.bind.JAXBException;
 import org.w3c.dom.Element;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.i18n.BundleUtils;
-import org.apache.cxf.fediz.core.SAMLSSOConstants;
 import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.util.CookieUtils;
 import org.apache.cxf.fediz.cxf.plugin.state.EHCacheSPStateManager;
 import org.apache.cxf.fediz.cxf.plugin.state.ResponseState;
@@ -62,6 +60,9 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 public static final String SECURITY_CONTEXT_TOKEN = "org.apache.fediz.SECURITY_TOKEN";
+ public static final String SECURITY_CONTEXT_STATE =
+ "org.apache.fediz.SECURITY_CONTEXT_STATE";
+
 protected static final ResourceBundle BUNDLE = BundleUtils.getBundle(AbstractServiceProviderFilter.class);
 private static final Logger LOG = LoggerFactory.getLogger(AbstractServiceProviderFilter.class);
@@ -72,6 +73,8 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 private FedizConfigurator configurator;
 private String configFile;
 private SPStateManager stateManager;
+ private long stateTimeToLive = 120000;
+ private String webAppDomain;
 public String getConfigFile() {
 return configFile;
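Review bot: `private long stateTimeToLive = 120000;` hard-codes the default with no unit; the value is compared against `createdAt` timestamps taken from `System.currentTimeMillis()` elsewhere in this commit, so it is milliseconds, but nothing at the declaration says so. Name the constant and document the unit, e.g. `private static final long DEFAULT_STATE_TTL_MS = 2L * 60L * 1000L;` and `private long stateTimeToLive = DEFAULT_STATE_TTL_MS; // milliseconds`, and repeat the unit in the Javadoc of `setStateTimeToLive`. The new `SECURITY_CONTEXT_STATE` constant would also benefit from a one-line comment stating it is the cookie name that carries the RelayState/wctx value checked in `checkSecurityContext`.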
@@ -142,12 +145,12 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 return false;
 }
- Cookie relayStateCookie = cookies.get(SAMLSSOConstants.RELAY_STATE);
+ Cookie relayStateCookie = cookies.get(SECURITY_CONTEXT_STATE);
 if (relayStateCookie == null) {
 reportError("MISSING_RELAY_COOKIE");
 return false;
 }
- String originalRelayState = responseState.getRelayState();
+ String originalRelayState = responseState.getState();
 if (!originalRelayState.equals(relayStateCookie.getValue())) {
 // perhaps the response state should also be removed
 reportError("INVALID_RELAY_STATE");
@@ -190,10 +193,6 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 return null;
 }
 String contextKey = securityContextCookie.getValue();
-
- FedizContext fedizConfig = getFedizContext(m);
-
- SAMLProtocol protocol = (SAMLProtocol)fedizConfig.getProtocol();
 ResponseState responseState = stateManager.getResponseState(contextKey);
 if (responseState == null) {
@@ -202,16 +201,16 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 }
 if (CookieUtils.isStateExpired(responseState.getCreatedAt(), responseState.getExpiresAt(),
- protocol.getStateTimeToLive())) {
+ getStateTimeToLive())) {
 reportError("EXPIRED_RESPONSE_STATE");
 stateManager.removeResponseState(contextKey);
 return null;
 }
 String webAppContext = getWebAppContext(m);
- if (protocol.getWebAppDomain() != null
+ if (webAppDomain != null
 && (responseState.getWebAppDomain() == null
- || !protocol.getWebAppDomain().equals(responseState.getWebAppDomain()))
+ || !webAppDomain.equals(responseState.getWebAppDomain()))
 || responseState.getWebAppContext() == null
 || !webAppContext.equals(responseState.getWebAppContext())) {
 stateManager.removeResponseState(contextKey);
@@ -288,4 +287,20 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 public void setStateManager(SPStateManager stateManager) {
 this.stateManager = stateManager;
 }
+
+ public String getWebAppDomain() {
+ return webAppDomain;
+ }
+
+ public void setWebAppDomain(String webAppDomain) {
+ this.webAppDomain = webAppDomain;
+ }
+
+ public long getStateTimeToLive() {
+ return stateTimeToLive;
+ }
+
+ public void setStateTimeToLive(long stateTimeToLive) {
+ this.stateTimeToLive = stateTimeToLive;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java ----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index a10ed5d..c927588 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -44,6 +44,7 @@ import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
 import org.apache.cxf.fediz.core.processor.FedizProcessor;
 import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
 import org.apache.cxf.fediz.core.processor.FedizRequest;
@@ -108,6 +109,14 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 RequestState requestState = redirectionResponse.getRequestState();
 if (requestState != null && requestState.getState() != null) {
 getStateManager().setRequestState(requestState.getState(), requestState);
+
+ String contextCookie =
+ CookieUtils.createCookie(SECURITY_CONTEXT_STATE,
+ requestState.getState(),
+ request.getRequestURI(),
+ getWebAppDomain(),
+ getStateTimeToLive());
+ response.header("Set-Cookie", contextCookie);
 }
 context.abortWith(response.build());
@@ -117,6 +126,8 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 }
 } else if (isSignInRequest(fedConfig, params)) {
 String responseToken = getResponseToken(fedConfig, params);
+ String state = getState(fedConfig, params);
+
 if (responseToken == null) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("SignIn request must contain a response token from the IdP");
@@ -130,7 +141,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 }
 FedizResponse wfRes =
- validateSignInRequest(fedConfig, params, responseToken);
+ validateSignInRequest(fedConfig, params, responseToken, state);
 // Validate AudienceRestriction
 List<String> audienceURIs = fedConfig.getAudienceUris();
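Review bot: The new `SECURITY_CONTEXT_STATE` cookie carries the value that `checkSecurityContext` later compares against `responseState.getState()`, so it is the browser-side half of the binding between the sign-in redirect and the eventual security context; `CookieUtils.createCookie` is not in this diff, so please confirm it emits `HttpOnly` and, on HTTPS, `Secure`, otherwise page script can read the state value. The cookie is also path-scoped to `request.getRequestURI()`, the resource that triggered sign-in, which means it is only presented on requests under that path; if that is the intent, a comment such as `// Scope the state cookie to the originally requested resource; it must accompany the request that follows the IdP round-trip` would make it explicit. The enclosing filter method begins before this hunk.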
@@ -140,18 +151,16 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 // Set the security context
 String securityContextKey = UUID.randomUUID().toString();
- SAMLProtocol protocol = (SAMLProtocol)fedConfig.getProtocol();
-
 long currentTime = System.currentTimeMillis();
 Date notOnOrAfter = wfRes.getTokenExpires();
 long expiresAt = 0;
 if (notOnOrAfter != null) {
 expiresAt = notOnOrAfter.getTime();
 } else {
- expiresAt = currentTime + protocol.getStateTimeToLive();
+ expiresAt = currentTime + getStateTimeToLive();
 }
- String webAppDomain = protocol.getWebAppDomain();
+ String webAppDomain = getWebAppDomain();
 String token = DOM2Writer.nodeToString(wfRes.getToken());
 List<String> roles = wfRes.getRoles();
 if (roles == null || roles.size() == 0) {
@@ -162,7 +171,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 ResponseState responseState =
 new ResponseState(token,
- params.getFirst("RelayState"),
+ state,
 webAppContext,
 webAppDomain,
 currentTime,
@@ -173,7 +182,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 responseState.setSubject(wfRes.getUsername());
 getStateManager().setResponseState(securityContextKey, responseState);
- long stateTimeToLive = protocol.getStateTimeToLive();
+ long stateTimeToLive = getStateTimeToLive();
 String contextCookie = CookieUtils.createCookie(SECURITY_CONTEXT_TOKEN,
 securityContextKey,
 webAppContext,
@@ -238,20 +247,45 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
 return null;
 }
+ private String getState(FedizContext fedConfig, MultivaluedMap<String, String> params) {
+ if (params != null && fedConfig.getProtocol() instanceof FederationProtocol) {
+ return params.getFirst(FederationConstants.PARAM_CONTEXT);
+ } else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol) {
+ return params.getFirst(SAMLSSOConstants.RELAY_STATE);
+ }
+
+ return null;
+ }
+
 private FedizResponse validateSignInRequest(
 FedizContext fedConfig,
 MultivaluedMap<String, String> params,
- String responseToken
- ) throws UnsupportedEncodingException {
+ String responseToken,
+ String state
+ ) throws UnsupportedEncodingException, ProcessingException {
 FedizRequest wfReq = new FedizRequest();
 wfReq.setAction(params.getFirst(FederationConstants.PARAM_ACTION));
 wfReq.setResponseToken(responseToken);
- String relayState = params.getFirst("RelayState");
- wfReq.setState(relayState);
- if (relayState != null) {
- wfReq.setRequestState(getStateManager().removeRequestState(relayState));
+
+ if (state == null || state.getBytes().length <= 0) {
+ LOG.error("Invalid RelayState/WCTX");
+ throw new ProcessingException(TYPE.INVALID_REQUEST);
 }
-
+
+ wfReq.setState(state);
+ wfReq.setRequestState(getStateManager().removeRequestState(state));
+
+ if (wfReq.getRequestState() == null) {
+ LOG.error("Missing Request State");
+ throw new ProcessingException(TYPE.INVALID_REQUEST);
+ }
+
+ if (CookieUtils.isStateExpired(wfReq.getRequestState().getCreatedAt(), 0,
+ getStateTimeToLive())) {
+ LOG.error("EXPIRED_REQUEST_STATE");
+ throw new ProcessingException(TYPE.INVALID_REQUEST);
+ }
+
 HttpServletRequest request = messageContext.getHttpServletRequest();
 wfReq.setRequest(request);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7078bdc7/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
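Review bot: `state.getBytes().length <= 0` is just `state.isEmpty()` (and `getBytes()` with no charset uses the platform default), and more importantly the WS-Federation path accepts a wctx of any length and feeds it straight into `removeRequestState(state)` as the state-manager key, whereas the SAML path caps RelayState at 80 bytes in the core processor. Suggest `if (state == null || state.isEmpty() || state.length() > 80) {` so both protocols are bounded the same way; the value this plugin generates itself is a 36-character UUID, so the cap is safe for legitimate round trips. Consuming the RequestState with `removeRequestState` before the expiry check is the right order, since an expired state is discarded rather than left for a retry; a short comment saying so would stop a future refactor from swapping the two. `validateSignInRequest` continues past the end of this hunk.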
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
index 22f1ced..17fa532 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/state/ResponseState.java
@@ -34,7 +34,7 @@ public class ResponseState implements Serializable {
 private static final long serialVersionUID = -3247188797004342462L;
 private String assertion;
- private String relayState;
+ private String state;
 private String webAppContext;
 private String webAppDomain;
 private long createdAt;
@@ -49,13 +49,13 @@ public class ResponseState implements Serializable {
 }
 public ResponseState(String assertion,
- String relayState,
+ String state,
 String webAppContext,
 String webAppDomain,
 long createdAt,
 long expiresAt) {
 this.assertion = assertion;
- this.relayState = relayState;
+ this.state = state;
 this.webAppContext = webAppContext;
 this.webAppDomain = webAppDomain;
 this.createdAt = createdAt;
@@ -70,8 +70,8 @@ public class ResponseState implements Serializable {
 return expiresAt;
 }
- public String getRelayState() {
- return relayState;
+ public String getState() {
+ return state;
 }
 public String getWebAppContext() {
