[3/4] cxf-fediz git commit: Fixing Spring plugins

Mon, 19 Dec 2016 06:02:00 -0800 

Fixing Spring plugins


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/acdbe8c2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/acdbe8c2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/acdbe8c2

Branch: refs/heads/master
Commit: acdbe8c213576792dd95d87315bcc181ea61b57f
Parents: c6aa62c
Author: Colm O hEigeartaigh <[email protected]>
Authored: Mon Dec 19 13:20:30 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Mon Dec 19 13:20:30 2016 +0000

----------------------------------------------------------------------
 .../web/FederationAuthenticationEntryPoint.java | 10 ++++-
 .../web/FederationAuthenticationFilter.java     | 39 +++++++++++++++-----
 .../web/FederationAuthenticationEntryPoint.java |  8 ++++
 .../web/FederationAuthenticationFilter.java     | 34 +++++++++++++----
 4 files changed, 74 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git 
a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
 
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index c4c9010..4993cd4 100644
--- 
a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ 
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -26,6 +26,7 @@ import java.util.Map.Entry;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
@@ -55,6 +56,11 @@ import org.springframework.util.Assert;
 public class FederationAuthenticationEntryPoint implements 
AuthenticationEntryPoint,
     InitializingBean, ApplicationContextAware {
     
+    /**
+     * The key used to save the context of the request
+     */
+    public static final String SAVED_CONTEXT = "SAVED_CONTEXT";
+    
     private static final Logger LOG = 
LoggerFactory.getLogger(FederationAuthenticationEntryPoint.class);
     
     private ApplicationContext appContext;
@@ -106,6 +112,8 @@ public class FederationAuthenticationEntryPoint implements 
AuthenticationEntryPo
                 }
             }
             
+            HttpSession session = servletRequest.getSession(true);
+            session.setAttribute(SAVED_CONTEXT, 
redirectionResponse.getRequestState().getState());
         } catch (ProcessingException ex) {
             LOG.warn("Failed to create SignInRequest", ex);
             throw new ServletException("Failed to create SignInRequest: " + 
ex.getMessage());
@@ -117,7 +125,7 @@ public class FederationAuthenticationEntryPoint implements 
AuthenticationEntryPo
         }
         response.sendRedirect(redirectUrl);
     }
-
+    
     /**
      * Template method for you to do your own pre-processing before the 
redirect occurs.
      *

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
 
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 1c13f18..c18d238 100644
--- 
a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ 
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -26,6 +26,7 @@ import java.util.Date;
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.SAMLSSOConstants;
@@ -33,6 +34,7 @@ import org.apache.cxf.fediz.core.processor.FedizRequest;
 import org.apache.cxf.fediz.spring.FederationConfig;
 import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
 import 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationToken;
+import org.springframework.security.authentication.BadCredentialsException;
 import 
org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -55,15 +57,12 @@ public class FederationAuthenticationFilter extends 
AbstractAuthenticationProces
     public Authentication attemptAuthentication(final HttpServletRequest 
request, final HttpServletResponse response)
         throws AuthenticationException, IOException {
 
-        SecurityContext context = SecurityContextHolder.getContext();
-        if (context != null) {
-            Authentication authentication = context.getAuthentication();
-            if (authentication instanceof FederationAuthenticationToken) {
-                // If we reach this point then the token must be expired
-                throw new ExpiredTokenException("Token is expired");
-            }
+        if (isTokenExpired()) {
+            throw new ExpiredTokenException("Token is expired");
         }
- 
+        
+        verifySavedState(request);
+        
         String wa = request.getParameter(FederationConstants.PARAM_ACTION);
         String responseToken = getResponseToken(request);
         
@@ -106,7 +105,7 @@ public class FederationAuthenticationFilter extends 
AbstractAuthenticationProces
             
         return false;
     }
-  
+    
     private String getResponseToken(ServletRequest request) {
         if (request.getParameter(FederationConstants.PARAM_RESULT) != null) {
             return request.getParameter(FederationConstants.PARAM_RESULT);
@@ -116,7 +115,29 @@ public class FederationAuthenticationFilter extends 
AbstractAuthenticationProces
         
         return null;
     }
+    
+    private String getState(ServletRequest request) {
+        if (request.getParameter(FederationConstants.PARAM_CONTEXT) != null) {
+            return request.getParameter(FederationConstants.PARAM_CONTEXT);
+        } else if (request.getParameter(SAMLSSOConstants.RELAY_STATE) != null) 
{
+            return request.getParameter(SAMLSSOConstants.RELAY_STATE);
+        }
+        
+        return null;
+    }
 
+    private void verifySavedState(HttpServletRequest request) {
+        HttpSession session = request.getSession(false);
+        if (session != null) {
+            String savedContext = 
(String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+            String state = getState(request);
+            if (savedContext != null && !savedContext.equals(state)) {
+                logger.warn("The received state does not match the state saved 
in the context");
+                throw new BadCredentialsException("The received state does not 
match the state saved in the context");
+            }
+        }
+    }
+    
     /**
      * 
      */

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git 
a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
 
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index a4b58e3..eeff761 100644
--- 
a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ 
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -28,6 +28,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
@@ -57,6 +58,11 @@ import org.springframework.util.Assert;
 public class FederationAuthenticationEntryPoint implements 
AuthenticationEntryPoint,
     InitializingBean, ApplicationContextAware {
     
+    /**
+     * The key used to save the context of the request
+     */
+    public static final String SAVED_CONTEXT = "SAVED_CONTEXT";
+    
     private static final Logger LOG = 
LoggerFactory.getLogger(FederationAuthenticationEntryPoint.class);
     
     private ApplicationContext appContext;
@@ -129,6 +135,8 @@ public class FederationAuthenticationEntryPoint implements 
AuthenticationEntryPo
                 }
             }
             
+            HttpSession session = 
((HttpServletRequest)request).getSession(true);
+            session.setAttribute(SAVED_CONTEXT, 
redirectionResponse.getRequestState().getState());
         } catch (ProcessingException ex) {
             System.err.println("Failed to create SignInRequest: " + 
ex.getMessage());
             LOG.warn("Failed to create SignInRequest: " + ex.getMessage());

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
 
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 9a1373b..6011c37 100644
--- 
a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ 
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -28,6 +28,7 @@ import java.util.Map.Entry;
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.SAMLSSOConstants;
@@ -106,15 +107,12 @@ public class FederationAuthenticationFilter extends 
AbstractProcessingFilter {
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request) 
throws AuthenticationException {
         
-        SecurityContext context = SecurityContextHolder.getContext();
-        if (context != null) {
-            Authentication authentication = context.getAuthentication();
-            if (authentication instanceof FederationAuthenticationToken) {
-                // If we reach this point then the token must be expired
-                throw new ExpiredTokenException("Token is expired");
-            }
+        if (isTokenExpired()) {
+            throw new ExpiredTokenException("Token is expired");
         }
         
+        verifySavedState(request);
+        
         String wa = request.getParameter(FederationConstants.PARAM_ACTION);
         String responseToken = getResponseToken(request);
         FedizRequest wfReq = new FedizRequest();
@@ -134,6 +132,28 @@ public class FederationAuthenticationFilter extends 
AbstractProcessingFilter {
         return this.getAuthenticationManager().authenticate(authRequest);
     }
     
+    private void verifySavedState(HttpServletRequest request) {
+        HttpSession session = request.getSession(false);
+        if (session != null) {
+            String savedContext = 
(String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+            String state = getState(request);
+            if (savedContext != null && !savedContext.equals(state)) {
+                logger.warn("The received state does not match the state saved 
in the context");
+                throw new BadCredentialsException("The received state does not 
match the state saved in the context");
+            }
+        }
+    }
+    
+    private String getState(ServletRequest request) {
+        if (request.getParameter(FederationConstants.PARAM_CONTEXT) != null) {
+            return request.getParameter(FederationConstants.PARAM_CONTEXT);
+        } else if (request.getParameter(SAMLSSOConstants.RELAY_STATE) != null) 
{
+            return request.getParameter(SAMLSSOConstants.RELAY_STATE);
+        }
+        
+        return null;
+    }
+    
     @Override
     public void onUnsuccessfulAuthentication(HttpServletRequest request, 
HttpServletResponse response,
                                              AuthenticationException 
authException) {

Reply via email to