Repository: cxf-fediz Updated Branches: refs/heads/master e43023cc9 -> 94cafcf36
More sign-in webflow consolidation
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a3477b2c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a3477b2c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a3477b2c
Branch: refs/heads/master
Commit: a3477b2c16099f3f6447bb3e11947e17eb2eb58a
Parents: e43023c
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Dec 13 14:37:50 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Dec 13 14:37:50 2016 +0000
----------------------------------------------------------------------
 .../cxf/fediz/service/idp/IdpConstants.java | 5 +++
 .../idp/beans/SigninParametersCacheAction.java | 12 +++---
 .../WEB-INF/flows/federation-signin-request.xml | 20 ++++++------
 .../flows/federation-validate-request.xml | 6 ++--
 .../WEB-INF/flows/saml-signin-request.xml | 33 ++++++++------------
 .../WEB-INF/flows/saml-validate-request.xml | 8 +++++
 .../webapp/WEB-INF/flows/signin-response.xml | 2 +-
 7 files changed, 47 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
index bcc5b6f..1e2969b 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -29,6 +29,11 @@ public final class IdpConstants {
     public static final String TRUSTED_IDP_CONTEXT = "trusted_idp_context";
     /**
+     * A key used to store the application realm for the given request.
+     */
+    public static final String REALM = "realm";
+
+    /**
      * A key used to store the home realm for the given request.
      */
     public static final String HOME_REALM = "home_realm";
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 5451508..4572bb5 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -56,9 +56,9 @@ public class SigninParametersCacheAction {
             if (value != null) {
                 signinParams.put(FederationConstants.PARAM_REPLY, value);
             }
-            value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
+            value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.REALM);
             if (value != null) {
-                signinParams.put(FederationConstants.PARAM_TREALM, value);
+                signinParams.put(IdpConstants.REALM, value);
             }
             value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
             if (value != null) {
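Review bot: The Javadoc on the new `REALM` constant says "application realm", which is easy to confuse with `HOME_REALM` declared right below it; the rest of the commit shows what it actually carries — federation-validate-request.xml feeds it from `flowScope.wtrealm`, saml-validate-request.xml from the value `authnRequestParser.retrieveRealm` produces, and it is the realm that `passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)` checks the return address against. Suggest `* A key used to store the realm of the relying party (application) that issued the request, as distinct from the user's home realm (HOME_REALM).` so the two keys are not mixed up by the next reader.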
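Review bot: The key under which the realm is stored in the cached map changes from `FederationConstants.PARAM_TREALM` to `IdpConstants.REALM` ("realm"), both here on the store side and on the restore side in the `@@ -97` hunk, so an entry written under the old key before this deploys is no longer restored and `flowScope.realm` stays unset for that sign-in. If the sign-in parameter cache can outlive a deployment (shared or persistent cache, rolling upgrade — the cache implementation is not visible here), a one-release fallback in the restore branch such as `if (value == null) { value = (String)signinParams.get(FederationConstants.PARAM_TREALM); }` avoids that. Either way a short comment on the store side, `// REALM holds wtrealm for WS-Federation and the SAML-derived realm otherwise`, would help, since the key no longer names the protocol parameter. Both enclosing methods start and end outside their hunks.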
@@ -97,16 +97,16 @@ public class SigninParametersCacheAction {
             if (value != null) {
                 WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value);
             }
+            value = (String)signinParams.get(IdpConstants.REALM);
+            if (value != null) {
+                WebUtils.putAttributeInFlowScope(context, IdpConstants.REALM, value);
+            }
             if ("wsfed".equals(protocol)) {
                 value = (String)signinParams.get(FederationConstants.PARAM_REPLY);
                 if (value != null) {
                     WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_REPLY, value);
                 }
-                value = (String)signinParams.get(FederationConstants.PARAM_TREALM);
-                if (value != null) {
-                    WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_TREALM, value);
-                }
                 WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
                 LOG.info("SignIn parameters restored and " + FederationConstants.PARAM_CONTEXT + "["
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 785d6a8..5ba8f28 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -24,10 +24,10 @@
 http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
         <input name="idpConfig" />
-        <input name="wtrealm" />
         <input name="wctx" />
         <input name="wfresh" />
         <input name="wauth" />
+        <input name="realm" />
         <input name="home_realm" />
         <input name="protocol" />
         <input name="return_address" />
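Review bot: The new `realm` input that replaces `wtrealm` is declared without `required="true"`, and in the `@@ -79` hunk of this file `flowScope.realm` goes straight into `passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)`; federation-validate-request.xml feeds the input from `flowScope.wtrealm`, so a WS-Federation request that omits wtrealm reaches the return-address validator with a null realm. Whether the validator then rejects or accepts the return address is not visible here. If a missing realm should always be a bad request on this path, `<input name="realm" required="true" />` fails fast at the subflow boundary instead of depending on the validator's null handling; if null is a legitimate case, a comment on the input saying so, e.g. `<!-- may be null; passiveRequestorValidator must handle an unknown realm -->`, spares the next reader the same question.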
@@ -79,7 +79,16 @@
             <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
                 then="checkWauthTypeSupported" else="checkRemoteIdpToken" />
         </decision-state>
-
+
+        <!-- ===== Realm independent ===== -->
+
+        <action-state id="validateReturnAddress">
+            <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
+                and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
+            <transition on="yes" to="requestRpToken" />
+            <transition on="no" to="viewBadRequest" />
+        </action-state>
+
         <!-- ===== Home Realm != this realm ===== -->
         <decision-state id="checkRemoteIdpToken">
@@ -98,13 +107,6 @@
             <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
         </action-state>
-        <action-state id="validateReturnAddress">
-            <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
-                and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.wtrealm)"/>
-            <transition on="yes" to="requestRpToken" />
-            <transition on="no" to="viewBadRequest" />
-        </action-state>
-
         <!-- ===== Home Realm == this realm ===== -->
         <decision-state id="checkWauthTypeSupported">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 1b0e3c2..81098a9 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -93,7 +93,7 @@
             <subflow-state id="signinRequest" subflow="signinRequest">
                 <input name="idpConfig" value="flowScope.idpConfig" />
-                <input name="wtrealm" value="flowScope.wtrealm" />
+                <input name="realm" value="flowScope.wtrealm" />
                 <input name="wctx" value="flowScope.wctx" />
                 <input name="wfresh" value="flowScope.wfresh" />
                 <input name="wauth" value="flowScope.wauth" />
@@ -132,7 +132,7 @@
                 <input name="home_realm" value="flowScope.whr" />
                 <input name="protocol" value="'wsfed'" />
-                <output name="wtrealm" />
+                <output name="realm" />
                 <output name="wreply" />
                 <output name="wctx" />
                 <output name="home_realm" />
@@ -141,7 +141,7 @@
                 <transition on="requestRpToken" to="requestRpToken">
                     <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
                     <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
-                    <set name="flowScope.wtrealm" value="currentEvent.attributes.wtrealm" />
+                    <set name="flowScope.wtrealm" value="currentEvent.attributes.realm" />
                     <set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
                     <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
                 </transition>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 2ca686c..899cd31 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -25,9 +25,10 @@
         <input name="idpConfig" />
         <input name="RelayState" />
-        <input name="protocol" />
         <input name="saml_authn_request" />
+        <input name="realm" />
         <input name="home_realm" />
+        <input name="protocol" />
         <input name="return_address" />
         <!-- ===== Home Realm Discovery ===== -->
@@ -78,6 +79,15 @@
                 then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
         </decision-state>
+        <!-- ===== Realm independent ===== -->
+
+        <action-state id="validateReturnAddress">
+            <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
+                and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
+            <transition on="yes" to="requestRpToken" />
+            <transition on="no" to="viewBadRequest" />
+        </action-state>
+
         <!-- ===== Home Realm != this realm ===== -->
         <decision-state id="checkRemoteIdpToken">
@@ -96,13 +106,6 @@
             <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
         </action-state>
-        <action-state id="validateReturnAddress">
-            <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
-                and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
-            <transition on="yes" to="requestRpToken" />
-            <transition on="no" to="viewBadRequest" />
-        </action-state>
-
         <!-- ===== Home Realm == this realm ===== -->
         <decision-state id="homeRealmSignInEntryPoint">
@@ -122,7 +125,7 @@
                 expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
                 or authnRequestParser.isForceAuthentication(flowRequestContext)" />
             <transition on="yes" to="redirectToLocalIDP" />
-            <transition on="no" to="validateEndpointAddress">
+            <transition on="no" to="validateReturnAddress">
                 <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
             </transition>
             <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
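Review bot: The unified `validateReturnAddress` state has no `on-exception` transition, so if `commonsURLValidator.isValid` or `passiveRequestorValidator.isValid` throws on a malformed consumer URL the outcome depends on a global handler that is outside this hunk; the neighbouring states in this file carry `<transition on-exception="java.lang.Throwable" to="viewBadRequest" />`, and adding the same line to this state keeps a thrown exception from being an open question. The state now guards the local SAML paths too — the `@@ -122` and `@@ -138` hunks retarget their transitions from the removed `validateEndpointAddress` to it — and for those paths this adds the `commonsURLValidator` check in front of the realm-bound endpoint check, which is a tightening worth a line in the commit message. `flowScope.realm` is also no longer derived inside the state but arrives as the subflow input computed by `retrieveRealm` in saml-validate-request.xml, so a test that a request whose consumer URL is not registered for that realm is rejected on both the cached-token path and the fresh-login path would pin the behaviour. A comment above the state, `<!-- Every route to requestRpToken passes here: return_address must be a well-formed URL registered for flowScope.realm -->`, would make the invariant explicit.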
@@ -138,21 +141,11 @@
         <action-state id="cacheSecurityToken">
             <secured attributes="IS_AUTHENTICATED_FULLY" />
             <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-            <transition to="validateEndpointAddress">
+            <transition to="validateReturnAddress">
                 <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
             </transition>
         </action-state>
-        <action-state id="validateEndpointAddress">
-            <on-entry>
-                <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"
-                    result="flowScope.realm"/>
-            </on-entry>
-            <evaluate expression="passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
-            <transition on="yes" to="requestRpToken" />
-            <transition on="no" to="viewBadRequest" />
-        </action-state>
-
         <!-- ============================================================================================================= -->
         <!-- normal exit point -->
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 9d4288b..2e6cdad 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -85,6 +85,13 @@
         <action-state id="retrieveConsumerURL">
             <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
                 result="flowScope.consumerURL"/>
+            <transition to="retrieveRealm"/>
+            <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+        </action-state>
+
+        <action-state id="retrieveRealm">
+            <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"
+                result="flowScope.realm"/>
             <transition to="signinSAMLRequest"/>
             <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
         </action-state>
@@ -96,6 +103,7 @@
             <input name="Signature" value="flowScope.Signature" />
             <input name="protocol" value="'samlsso'" />
             <input name="saml_authn_request" value="flowScope.saml_authn_request" />
+            <input name="realm" value="flowScope.realm" />
             <input name="home_realm" value="null" />
             <input name="return_address" value="flowScope.consumerURL" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a3477b2c/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
index 9a5b123..09a9716 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-response.xml
@@ -68,7 +68,7 @@ subflow to get a RP token from the STS.
             <output name="home_realm" value="flowScope.home_realm" />
             <output name="wctx" value="flowScope.wctx" />
             <output name="wreply" value="flowScope.wreply" />
-            <output name="wtrealm" value="flowScope.wtrealm" />
+            <output name="realm" value="flowScope.realm" />
             <output name="idpToken" value="flowScope.idpToken" />
             <output name="saml_authn_request" value="flowScope.saml_authn_request" />
             <output name="RelayState" value="flowScope.RelayState" />
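Review bot: `retrieveRealm` now runs as its own state before the `signinSAMLRequest` subflow and its result is handed over as the `realm` input alongside the raw `Signature`, which suggests — the signature check itself is not visible from here — that the realm is read out of the AuthnRequest before that request has been verified. That is fine as long as `flowScope.realm` is only used as the lookup key for the relying party's registered endpoints in `passiveRequestorValidator`, but nothing should treat it as an authenticated value before validation completes; a comment on the state, `<!-- realm is taken from the not-yet-verified AuthnRequest and serves only as a configuration lookup key -->`, records that boundary. The `on-exception` transition for `ProcessingException` mirrors `retrieveConsumerURL`, which is good; if `retrieveRealm` can return null instead of throwing for a request it cannot derive a realm from, that null is passed into the subflow unchanged (the input is declared without `required="true"`), which is worth a test.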
