Repository: cxf-fediz Updated Branches: refs/heads/master a1111af73 -> e5492d868
Enforce ForceAuthn Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/b0c4e1af Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/b0c4e1af Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/b0c4e1af Branch: refs/heads/master Commit: b0c4e1afd56a5caacbede0a33892f79940791e48 Parents: a1111af Author: Colm O hEigeartaigh <[email protected]> Authored: Sat Mar 26 18:12:28 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Sat Mar 26 18:12:28 2016 +0000 ---------------------------------------------------------------------- .../idp/beans/samlsso/AuthnRequestParser.java | 28 +++++++++++++++----- .../WEB-INF/flows/saml-signin-request.xml | 7 ++++- 2 files changed, 28 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b0c4e1af/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java ----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index 565de41..0f8dd49 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -53,12 +53,16 @@ public class AuthnRequestParser {
 if (samlRequest == null) {
 WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
 } else {
- try {
- parsedRequest = extractRequest(samlRequest);
- WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, parsedRequest);
- LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
- } catch (Exception ex) {
- LOG.warn("Error parsing request: {}", ex.getMessage());
+ parsedRequest =
+ (AuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+ if (parsedRequest == null) {
+ try {
+ parsedRequest = extractRequest(samlRequest);
+ WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, parsedRequest);
+ LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
+ } catch (Exception ex) {
+ LOG.warn("Error parsing request: {}", ex.getMessage());
+ }
 }
 }
 }
@@ -118,6 +122,17 @@ public class AuthnRequestParser {
 return null;
 }
+ public boolean isForceAuthentication(RequestContext context) {
+ AuthnRequest authnRequest =
+ (AuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+ if (authnRequest != null) {
+ return authnRequest.isForceAuthn().booleanValue();
+ }
+
+ LOG.debug("No AuthnRequest available to be parsed");
+ return false;
+ }
+
 private AuthnRequest extractRequest(String samlRequest) throws Exception {
 byte[] deflatedToken = Base64Utility.decode(samlRequest);
 InputStream tokenStream = new DeflateEncoderDecoder().inflateToken(deflatedToken);
@@ -130,4 +145,5 @@ public class AuthnRequestParser {
 }
 return request;
 }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b0c4e1af/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml ----------------------------------------------------------------------
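Review bot: The flow-scope lookup added at the top of the else branch turns SAML_AUTHN_REQUEST into a cache that is not keyed on `samlRequest`: if parseSAMLRequest runs again in the same flow with a different SAMLRequest value, the earlier parsed request is returned and the new string is never decoded or compared. Within one flow execution that is presumably what the commit relies on (the on-entry call in saml-signin-request.xml precedes parseAndValidateSAMLRequest), but the lookup deserves a comment stating it, e.g. `// Reuse the request already parsed earlier in this flow; the raw SAMLRequest is not re-checked against it`. The retained catch still logs only `ex.getMessage()`, so a decode failure leaves flow scope empty and the caller proceeds without a request; `LOG.warn("Error parsing request", ex)` would keep the cause for incident analysis. The enclosing parseSAMLRequest method and the `parsedRequest` declaration start before this hunk.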
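Review bot: `authnRequest.isForceAuthn().booleanValue()` in the new isForceAuthentication unboxes without a null check; unless the OpenSAML version in use guarantees a non-null Boolean there, `return Boolean.TRUE.equals(authnRequest.isForceAuthn());` gives the same answer null-safely. The method also has no Javadoc; suggest `/** Returns true when the AuthnRequest cached in flow scope by parseSAMLRequest has ForceAuthn set, false when no parsed request is present. */`. The debug message `No AuthnRequest available to be parsed` is misleading because the method reads an already-parsed object; `No parsed AuthnRequest in flow scope` says what was actually checked.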
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index a5c16f1..a609ae1 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -41,8 +41,13 @@
 </decision-state>
 <action-state id="checkTokenExpiry">
+ <on-entry>
+ <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
+ flowScope.SAMLRequest)" />
+ </on-entry>
 <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)" />
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)
+ or authnRequestParser.isForceAuthentication(flowRequestContext)" />
 <transition on="yes" to="redirectToLocalIDP" />
 <transition on="no" to="parseAndValidateSAMLRequest">
 <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" />
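Review bot: The ForceAuthn decision in the checkTokenExpiry evaluate now reads an AuthnRequest that the on-entry parseSAMLRequest has only decoded, while validation appears to happen later in the parseAndValidateSAMLRequest state this action transitions to on "no". Honouring ForceAuthn before the request is trusted is fail-safe, since it can only force a fresh login rather than skip one, and a decode failure is logged and yields false, but the ordering is non-obvious to a reader of the flow; an XML comment on the on-entry block would record it, e.g. `<!-- Decode (not validate) the SAMLRequest early so ForceAuthn can be honoured; validation follows in parseAndValidateSAMLRequest -->`. The action-state element continues past the end of this hunk.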
