Repository: cxf-fediz Updated Branches: refs/heads/master 918af3aa0 -> b8aa7ea52
More SAML SSO refactoring Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/b8aa7ea5 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/b8aa7ea5 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/b8aa7ea5 Branch: refs/heads/master Commit: b8aa7ea5205737adfdf21c10fd7ff684c81b9bb9 Parents: 918af3a Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Nov 2 16:56:09 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Nov 2 16:56:09 2016 +0000 ---------------------------------------------------------------------- .../cxf/fediz/service/idp/IdpConstants.java | 5 +++ .../idp/beans/SigninParametersCacheAction.java | 25 +++++++++++---- .../WEB-INF/flows/saml-signin-request.xml | 32 ++++++++++---------- .../WEB-INF/flows/saml-validate-request.xml | 13 ++++---- 4 files changed, 47 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java ----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
index 2b007dd..95a9fc4 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -33,6 +33,11 @@ public final class IdpConstants { */ public static final String SAML_AUTHN_REQUEST = "saml_authn_request"; + /** + * A key used to store the home realm for the given request. + */ + public static final String HOME_REALM = "home_realm"; + private IdpConstants() { // complete } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java ----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 0c139c3..b696b6d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -49,6 +49,8 @@ public class SigninParametersCacheAction { Map<String, Object> signinParams = new HashMap<>(); String uuidKey = UUID.randomUUID().toString(); + WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST); + Object value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY); if (value != null) { signinParams.put(FederationConstants.PARAM_REPLY, value);
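Review bot: The javadoc on the new HOME_REALM constant does not say that its value "home_realm" has to stay identical to the flow-scope variable the SAML flows are renamed to in this same commit (`flowScope.home_realm` in saml-signin-request.xml and saml-validate-request.xml); that coupling is the only reason the XML rename exists, and renaming either side alone would silently break the lookup in SigninParametersCacheAction. I would extend the comment to `* A key used to store the home realm for the given request. Must match the "flowScope.home_realm" variable name used by the SAML sign-in flows.` The rename hunks in the two flow files carry no comment pointing back to this constant either; a one-line XML comment at the first `flowScope.home_realm` assignment in each would close the loop.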
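Review bot: The new `WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);` at the top of store() has no comment explaining why the parsed AuthnRequest is discarded while the raw SAMLRequest parameter is cached further down in the same method. Presumably the request is parsed and validated again once the cached parameters are restored, but from store() alone a reader cannot tell whether this is cleanup or a deliberate choice never to keep a parsed, already-validated object across the round trip. I would add `// discard the parsed AuthnRequest: only the raw SAMLRequest parameter is cached, and it is parsed and validated again after restore` (trim the second half if that is not what the flow does). store() continues outside the hunk.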
@@ -61,13 +63,17 @@ public class SigninParametersCacheAction { if (value != null) { signinParams.put(FederationConstants.PARAM_HOME_REALM, value); } + value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM); + if (value != null) { + signinParams.put(IdpConstants.HOME_REALM, value); + } value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT); if (value != null) { signinParams.put(FederationConstants.PARAM_CONTEXT, value); } - value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST); + value = WebUtils.getAttributeFromFlowScope(context, "SAMLRequest"); if (value != null) { - signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value); + signinParams.put("SAMLRequest", value); } WebUtils.putAttributeInExternalContext(context, uuidKey, signinParams);
@@ -105,6 +111,17 @@ public class SigninParametersCacheAction { if (value != null) { WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value); } + // TODO... + value = (String)signinParams.get(IdpConstants.HOME_REALM); + if (value != null) { + WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value); + WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value); + } + + value = (String)signinParams.get("SAMLRequest"); + if (value != null) { + WebUtils.putAttributeInFlowScope(context, "SAMLRequest", value); + } LOG.debug("SignIn parameters restored: {}", signinParams.toString()); WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
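Review bot: The bare literal "SAMLRequest" is now used as a flow-scope key four times, twice in store() here and twice in restore() in the hunk at line 105, with nothing tying it to the `flowScope.SAMLRequest` variable that saml-validate-request.xml fills from `requestParameters.SAMLRequest`. This commit already adds HOME_REALM to IdpConstants for exactly this kind of flow-variable key, so a sibling such as `public static final String SAML_REQUEST = "SAMLRequest";` with a javadoc naming the flow variable would keep the Java and XML sides in step. Caching the raw request instead of the parsed one is only the safer direction if the restored value goes through the same parse-and-validate path as a fresh request; that path is outside this diff, so it is worth confirming before relying on it. store() continues outside the hunk.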
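Review bot: In restore() the new block writes the cached IdpConstants.HOME_REALM value into FederationConstants.PARAM_HOME_REALM as well, right after the context lines at the top of the hunk restored PARAM_HOME_REALM from its own cache entry; when both keys were cached with different values the second write silently wins, and `// TODO...` gives no hint whether that is intended. Either drop `WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value);` from the new block, or replace the empty TODO with one that states the open question, e.g. `// TODO: PARAM_HOME_REALM and HOME_REALM are restored from separate cache entries; decide which one is authoritative`. restore() continues outside the hunk.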
@@ -116,10 +133,6 @@ public class SigninParametersCacheAction { WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_CONTEXT, value); } - value = (String)signinParams.get(IdpConstants.SAML_AUTHN_REQUEST); - if (value != null) { - WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, value); - } } else { LOG.debug("Error in restoring security context"); } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml ----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index a166e5d..93ffba7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -31,9 +31,9 @@ <decision-state id="processHRDSExpression"> <on-entry> <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, null)" - result="flowScope.homerealm" /> + result="flowScope.home_realm" /> </on-entry> - <if test="flowScope.homerealm == null or flowScope.homerealm.trim().isEmpty()" + <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()" then="provideIDPListForUser" else="checkIsThisIDP" /> </decision-state>
@@ -60,9 +60,9 @@ </on-entry> <transition on="submit" to="checkIsThisIDP" bind="true" validate="true"> - <set name="flowScope.homerealm" value="trustedIDPSelection.whr" /> + <set name="flowScope.home_realm" value="trustedIDPSelection.whr" /> <evaluate - expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.homerealm)" /> + expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" /> </transition> <transition on="cancel" to="checkDefaultToThisIDP" bind="false" validate="false" />
@@ -70,7 +70,7 @@ <!-- Home Realm is known then we can store it in cookie --> <decision-state id="checkIsThisIDP"> - <if test="flowScope.idpConfig.realm.equals(flowScope.homerealm)" + <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)" then="homeRealmSignInEntryPoint" else="checkIdpTokenWhrWauth" /> </decision-state>
@@ -79,16 +79,16 @@ <!-- Is 'wresult/RP-IDP token' already received and validated (then stored in session) from requestor IDP ? --> <decision-state id="checkIdpTokenWhrWauth"> - <if test="externalContext.sessionMap[flowScope.homerealm] != null" + <if test="externalContext.sessionMap[flowScope.home_realm] != null" then="wfreshParserRemoteAction" else="redirectToTrustedIDP" /> </decision-state> <action-state id="wfreshParserRemoteAction"> <evaluate - expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)" /> + expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)" /> <transition on="yes" to="redirectToTrustedIDP" /> <transition on="no" to="validateWReply" > - <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" /> + <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" /> </transition> <transition on-exception="java.lang.Throwable" to="viewBadRequest" /> </action-state>
@@ -104,12 +104,12 @@ <decision-state id="homeRealmSignInEntryPoint"> <on-entry> <!-- Here, home realm is guaranteed to be THIS realm --> - <set name="flowScope.homerealm" value="flowScope.idpConfig.realm" /> + <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" /> </on-entry> <if test="flowScope.idpConfig.getAuthenticationURIs() == null" then="scInternalServerError" /> <!-- check presence of cached IDP token for THIS realm --> - <if test="externalContext.sessionMap[flowScope.homerealm] == null" + <if test="externalContext.sessionMap[flowScope.home_realm] == null" then="cacheSecurityToken" else="checkTokenExpiry" /> </decision-state>
@@ -119,11 +119,11 @@ flowScope.SAMLRequest)" /> </on-entry> <evaluate - expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext) + expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or authnRequestParser.isForceAuthentication(flowRequestContext)" /> <transition on="yes" to="redirectToLocalIDP" /> <transition on="no" to="parseAndValidateSAMLRequest"> - <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" /> + <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" /> </transition> <transition on-exception="java.lang.Throwable" to="scInternalServerError" /> </action-state>
@@ -132,14 +132,14 @@ <on-entry> <evaluate expression="logoutAction.submit(flowRequestContext)" /> </on-entry> - <output name="homerealm" value="flowScope.homerealm" /> + <output name="home_realm" value="flowScope.home_realm" /> </end-state> <action-state id="cacheSecurityToken"> <secured attributes="IS_AUTHENTICATED_FULLY" /> <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" /> <transition to="parseAndValidateSAMLRequest"> - <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" /> + <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" /> </transition> </action-state>
@@ -171,7 +171,7 @@ <!-- normal exit point --> <end-state id="requestRpToken"> - <output name="homerealm" value="flowScope.homerealm" /> + <output name="home_realm" value="flowScope.home_realm" /> <output name="idpToken" value="flowScope.idpToken" /> <output name="saml_authn_request" value="flowScope.saml_authn_request" /> </end-state>
@@ -189,7 +189,7 @@ <on-entry> <evaluate expression="signinParametersCacheAction.store(flowRequestContext)" /> </on-entry> - <output name="homerealm" value="flowScope.homerealm" /> + <output name="home_realm" value="flowScope.home_realm" /> <output name="trusted_idp_context" value="flowScope.trusted_idp_context" /> </end-state> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b8aa7ea5/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml ----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index ca154ba..c49324c 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -29,6 +29,7 @@ <set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" /> <set name="flowScope.Signature" value="requestParameters.Signature" /> <set name="flowScope.wresult" value="requestParameters.wresult" /> + <set name="flowScope.wctx" value="requestParameters.wctx" /> <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" /> </on-entry> <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
@@ -48,13 +49,13 @@ <input name="RelayState" value="flowScope.RelayState" /> <input name="Signature" value="flowScope.Signature" /> - <output name="homerealm" /> + <output name="home_realm" /> <output name="idpToken" /> <output name="trusted_idp_context" /> <output name="saml_authn_request" /> <transition on="requestRpToken" to="requestRpToken"> - <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm" /> + <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" /> <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" /> <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" /> </transition>
@@ -64,7 +65,7 @@ <transition on="scInternalServerError" to="scInternalServerError" /> <transition on="redirectToLocalIDP" to="redirectToLocalIDP" /> <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol"> - <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm" /> + <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" /> <set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/> </transition> </subflow-state>
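Review bot: The added `<set name="flowScope.wctx" value="requestParameters.wctx" />` copies a WS-Federation context parameter into the SAML flow's scope with no comment saying who consumes it; the SAML equivalent, RelayState, is already carried by this flow (`flowScope.RelayState` is passed into the subflow in the hunk at line 48), and the only visible candidate consumer is the store()/restore() pair in SigninParametersCacheAction, which caches FederationConstants.PARAM_CONTEXT from flow scope, so the link is inferred rather than stated. Because wctx is client-supplied input that is round-tripped through the session cache and written back into flow scope, a comment naming the consumer and the intended use would help the next reader, e.g. `<!-- wctx is cached and restored by signinParametersCacheAction across the trusted-IdP round trip -->`, adjusted if that is not the consumer. The other two hunks in this file are renames only. The enclosing <on-entry> block starts outside the hunk.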
@@ -88,7 +89,7 @@ <output name="idpToken" /> <transition on="requestRpToken" to="requestRpToken"> - <set name="flowScope.homerealm" value="currentEvent.attributes.whr" /> + <set name="flowScope.home_realm" value="currentEvent.attributes.whr" /> <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" /> <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" /> </transition>
@@ -101,7 +102,7 @@ <on-entry> <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)" result="flowScope.realm"/> - <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm, flowScope.homerealm)" + <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm, flowScope.home_realm)" result="flowScope.rpTokenElement"/> </on-entry> <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
@@ -136,7 +137,7 @@ </end-state> <action-state id="processTrustedIdpProtocol"> - <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.homerealm)" + <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.home_realm)" result="flowScope.remoteIdpUrl"/> <transition to="redirectToTrustedIDP" /> <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
