Repository: cxf Updated Branches: refs/heads/master 4c2589ff6 -> 3fb174a9f
Provide a way of disabling caching for the STS LoginModule
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3fb174a9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3fb174a9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3fb174a9
Branch: refs/heads/master
Commit: 3fb174a9f27ec69ed2277c92be56f3627d851462
Parents: 4c2589f
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Mar 3 16:11:41 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Mar 3 16:11:41 2015 +0000
----------------------------------------------------------------------
.../cxf/ws/security/trust/STSLoginModule.java | 12 +++++++
.../ws/security/trust/STSTokenValidator.java | 36 +++++++++++++-------
2 files changed, 36 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/3fb174a9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
index d141b6b..465a4c9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
@@ -96,6 +96,13 @@ public class STSLoginModule implements LoginModule {
public static final String DISABLE_ON_BEHALF_OF = "disable.on.behalf.of";
/**
+ * Whether to disable caching of validated credentials or not. The default is "false", meaning that
+ * caching is enabled. However, caching only applies when token transformation takes place, i.e. when
+ * the "require.roles" property is set to "true".
+ */
+ public static final String DISABLE_CACHING = "disable.caching";
+
+ /**
* The WSDL Location of the STS
*/
public static final String WSDL_LOCATION = "wsdl.location";
@@ -146,6 +153,7 @@ public class STSLoginModule implements LoginModule {
private CallbackHandler callbackHandler;
private boolean requireRoles;
private boolean disableOnBehalfOf;
+ private boolean disableCaching;
private String wsdlLocation;
private String serviceName;
private String endpointName;
@@ -167,6 +175,9 @@ public class STSLoginModule implements LoginModule {
if (options.containsKey(DISABLE_ON_BEHALF_OF)) {
disableOnBehalfOf = Boolean.parseBoolean((String)options.get(DISABLE_ON_BEHALF_OF));
}
+ if (options.containsKey(DISABLE_CACHING)) {
+ disableCaching = Boolean.parseBoolean((String)options.get(DISABLE_CACHING));
+ }
if (options.containsKey(WSDL_LOCATION)) {
wsdlLocation = (String)options.get(WSDL_LOCATION);
}
@@ -230,6 +241,7 @@ public class STSLoginModule implements LoginModule {
STSTokenValidator validator = new STSTokenValidator(true);
validator.setUseIssueBinding(requireRoles);
validator.setUseOnBehalfOf(!disableOnBehalfOf);
+ validator.setDisableCaching(!requireRoles || disableCaching);
// Authenticate token
try {
http://git-wip-us.apache.org/repos/asf/cxf/blob/3fb174a9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
----------------------------------------------------------------------
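Review bot: The Javadoc on `DISABLE_CACHING` says when caching applies but not what accepting a cached entry means, which is the part an operator weighing `disable.caching` needs: in STSTokenValidator a cache hit returns the credential without contacting the STS, and the only freshness check on that path is `transformedToken.isExpired()` on the issued token. I would add a sentence along the lines of `Note that with caching enabled a previously validated token is accepted without a round-trip to the STS until the cached issued token expires, so revocation or policy changes at the STS are not seen until then.` It would also help to say that what is cached is the transformed (issued) token, stored in the TokenStore under a hash of the incoming token, rather than the incoming "credentials" themselves.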
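Review bot: The expression `validator.setDisableCaching(!requireRoles || disableCaching);` silently overrides the configured option when `require.roles` is false, and nothing at the call site says why. A one-line why-comment would save the next reader a trip to the constant's Javadoc, e.g. `// Without require.roles no transformed token is issued, so there is nothing to cache; otherwise honour disable.caching`. The enclosing method starts and ends outside this hunk.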
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
index da7f06b..2a76672 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
@@ -59,6 +59,7 @@ public class STSTokenValidator implements Validator {
private boolean useOnBehalfOf = true;
private STSClient stsClient;
private TokenStore tokenStore;
+ private boolean disableCaching;
public STSTokenValidator() { }
@@ -105,17 +106,20 @@ public class STSTokenValidator implements Validator {
}
token.setToken(tokenElement);
- TokenStore ts = getTokenStore(message);
- if (ts == null) {
- ts = tokenStore;
- }
- if (ts != null && hash != 0) {
- SecurityToken transformedToken = getTransformedToken(ts, hash);
- if (transformedToken != null && !transformedToken.isExpired()) {
- SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
- credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
- credential.setTransformedToken(assertion);
- return credential;
+ TokenStore ts = null;
+ if (!disableCaching) {
+ ts = getTokenStore(message);
+ if (ts == null) {
+ ts = tokenStore;
+ }
+ if (ts != null && hash != 0) {
+ SecurityToken transformedToken = getTransformedToken(ts, hash);
+ if (transformedToken != null && !transformedToken.isExpired()) {
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
+ credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
+ credential.setTransformedToken(assertion);
+ return credential;
+ }
}
}
token.setTokenHash(hash);
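Review bot: On the cache-hit path inside `if (!disableCaching)` the credential is returned as soon as `transformedToken != null && !transformedToken.isExpired()`, so the incoming token is accepted on the strength of an earlier validation and only the issued token's lifetime is re-checked; the incoming token's own expiry, or anything the STS would reject today, is not looked at again. That is a deliberate trade-off the new flag exists to switch off, but the code does not say so, and I would mark it: `// Cache hit: trust the earlier STS validation; only the issued token's lifetime is re-checked here`. The `hash != 0` guard also reads as a sentinel for "no hash available" (the hash is computed above this hunk, so I cannot confirm), in which case a comment saying so would stop a reader from treating a genuinely zero hash as a bug. The enclosing validate method starts before this hunk and continues after it.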
@@ -152,7 +156,7 @@ public class STSTokenValidator implements Validator {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
credential.setTransformedToken(assertion);
credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
- if (hash != 0 && ts != null) {
+ if (!disableCaching && hash != 0 && ts != null) {
ts.add(returnedToken);
token.setTransformedTokenIdentifier(returnedToken.getId());
ts.add(Integer.toString(hash), token);
@@ -251,6 +255,14 @@ public class STSTokenValidator implements Validator {
this.tokenStore = tokenStore;
}
+ public boolean isDisableCaching() {
+ return disableCaching;
+ }
+
+ public void setDisableCaching(boolean disableCaching) {
+ this.disableCaching = disableCaching;
+ }
+
private static class ElementCallbackHandler implements CallbackHandler {
private final Element tokenElement;
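Review bot: The new `!disableCaching &&` in `if (!disableCaching && hash != 0 && ts != null)` is redundant as written, because the earlier hunk only assigns `ts` inside `if (!disableCaching)` and otherwise leaves it `null`, so `ts != null` already implies caching is on. Keeping it as a belt-and-braces guard is reasonable, but then say so, e.g. `// ts is null when caching is disabled; the explicit flag check keeps the intent visible`, otherwise the next maintainer will wonder which of the two conditions is the real one. The enclosing method starts and ends outside this hunk.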
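Review bot: `isDisableCaching` and `setDisableCaching` are added without Javadoc, and since the setter changes a security-relevant behaviour it deserves a sentence more than a bean accessor usually gets. I would document the setter with something like `/** Disable the TokenStore lookup and insert of transformed tokens, so every validation proceeds to the STS instead of reusing an earlier result. Only relevant when a transformed token is issued. */`, which matches how the flag is used in the validate method above. The "only relevant when a transformed token is issued" part is inferred from the LoginModule forcing the flag on when `requireRoles` is false, so adjust it if the validator has other callers.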
