Save the context from the sign in request
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/aaeea60c Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/aaeea60c Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/aaeea60c Branch: refs/heads/1.3.x-fixes Commit: aaeea60c7edae9973134c868c1d49c67d658e6c3 Parents: a271c79 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Dec 20 10:41:17 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Dec 20 10:58:20 2016 +0000 ---------------------------------------------------------------------- .../fediz/jetty8/FederationAuthenticator.java | 27 ++++++++++++++++---- .../fediz/jetty9/FederationAuthenticator.java | 27 ++++++++++++++++---- 2 files changed, 44 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aaeea60c/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java ----------------------------------------------------------------------
diff --git a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
index dfeab1d..56656a0 100644
--- a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
+++ b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
@@ -84,6 +84,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
 public static final String J_URI = "org.eclipse.jetty.security.form_URI";
 public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+ public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
 private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
@@ -222,13 +223,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
 {
 session=renewSession(request,response);
- FederationUserIdentity fui = (FederationUserIdentity)user;
- session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
- // Redirect to original request
 String nuri;
 synchronized(session) {
+ // Check the context
+ String savedContext = (String) session.getAttribute(J_CONTEXT);
+ String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+ if (savedContext == null || !savedContext.equals(receivedContext)) {
+ LOG.warn("The received wctx parameter does not match the saved value");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
+ }
+
 nuri = (String) session.getAttribute(J_URI);
 if (nuri == null || nuri.length() == 0)
@@ -241,6 +248,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
 Authentication cached=new SessionAuthentication(getAuthMethod(), user, wfRes);
 session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
 }
+
+ FederationUserIdentity fui = (FederationUserIdentity)user;
+ session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+
 response.setContentLength(0);
 response.sendRedirect(response.encodeRedirectURL(nuri));
@@ -253,6 +264,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
 }
 if (response != null) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
 }
 }
@@ -369,7 +381,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
 FedizProcessor wfProc = FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
- signInRedirectToIssuer(request, response, wfProc);
+ signInRedirectToIssuer(request, response, wfProc, session);
 return Authentication.SEND_CONTINUE;
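Review bot: The saved wctx read by `session.getAttribute(J_CONTEXT)` is compared but never consumed, so once a sign-in has succeeded the same state value keeps satisfying the check for the rest of the session's life, whereas a request-state nonce should be single-use. Add `session.removeAttribute(J_CONTEXT);` directly after the comparison, still inside `synchronized(session)`, so a replayed or second sign-in response carrying the same wctx is rejected. The comparison itself handles a missing parameter correctly (`savedContext.equals(null)` is false), and moving the SECURITY_TOKEN_ATTR write in the `@@ -241` hunk behind the check is the right order. The enclosing method starts and ends outside this hunk, and the jetty9 hunk `@@ -221,13 +222,19 @@` has the identical gap.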
@@ -445,12 +457,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
 * Response we are populating
 * @param processor
 * FederationProcessor
+ * @param session The HTTPSession
 * @throws IOException
 * If the forward to the login page fails and the call to
 * {@link HttpServletResponse#sendError(int, String)} throws an
 * {@link IOException}
 */
- protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor)
+ protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor, HttpSession session)
 throws IOException { //Not supported in jetty 7.6
@@ -471,6 +484,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
 }
 }
+ synchronized(session) {
+ session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+ }
+
 response.sendRedirect(redirectURL);
 } else {
 LOG.warn("Failed to create SignInRequest.");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aaeea60c/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java ----------------------------------------------------------------------
diff --git a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
index 7205e44..e845b08 100644
--- a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
+++ b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
@@ -83,6 +83,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
 public static final String J_URI = "org.eclipse.jetty.security.form_URI";
 public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+ public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
 private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
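Review bot: `synchronized(session)` in the `@@ -471` hunk dereferences the new `session` parameter without a null check, and the caller in `@@ -369` passes a `session` obtained outside that hunk; if it can be absent there (for example from `getSession(false)`), the sign-in redirect fails with a NullPointerException instead of a clean error. Make the precondition explicit at the top of the method with `Objects.requireNonNull(session, "session");`, and say so in the new Javadoc line, e.g. `@param session the HTTP session in which the sign-in request state (wctx) is saved for verifying the response; must not be {@code null}`. The same applies to `redirectionResponse.getRequestState().getState()` if a processor can produce a redirection response without request state — I cannot tell from this hunk whether that is possible. Changing the protected signature also silently disconnects subclasses that override the three-argument `signInRedirectToIssuer`; on a fixes branch it is worth keeping the old overload delegating to the new one. The jetty9 hunks `@@ -447,12 +459,13 @@` and `@@ -473,6 +486,10 @@` are identical.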
@@ -221,13 +222,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
 {
 session=renewSession(request,response);
- FederationUserIdentity fui = (FederationUserIdentity)user;
- session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
- // Redirect to original request
 String nuri;
 synchronized(session) {
+ // Check the context
+ String savedContext = (String) session.getAttribute(J_CONTEXT);
+ String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+ if (savedContext == null || !savedContext.equals(receivedContext)) {
+ LOG.warn("The received wctx parameter does not match the saved value");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
+ }
+
 nuri = (String) session.getAttribute(J_URI);
 if (nuri == null || nuri.length() == 0)
@@ -240,6 +247,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
 Authentication cached=new SessionAuthentication(getAuthMethod(), user, wfRes);
 session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
 }
+
+ FederationUserIdentity fui = (FederationUserIdentity)user;
+ session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+
 response.setContentLength(0);
 response.sendRedirect(response.encodeRedirectURL(nuri));
@@ -252,6 +263,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
 }
 if (response != null) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
 }
 }
@@ -371,7 +383,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
 FedizProcessor wfProc = FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
- signInRedirectToIssuer(request, response, wfProc);
+ signInRedirectToIssuer(request, response, wfProc, session);
 return Authentication.SEND_CONTINUE;
@@ -447,12 +459,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
 * Response we are populating
 * @param processor
 * FederationProcessor
+ * @param session The HTTPSession
 * @throws IOException
 * If the forward to the login page fails and the call to
 * {@link HttpServletResponse#sendError(int, String)} throws an
 * {@link IOException}
 */
- protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor)
+ protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor, HttpSession session)
 throws IOException { //Not supported in jetty 7.6
@@ -473,6 +486,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
 }
 }
+ synchronized(session) {
+ session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+ }
+
 response.sendRedirect(redirectURL);
 } else {
 LOG.warn("Failed to create SignInRequest.");
