[jboss-identity-commits] JBoss Identity SVN: r252 - in identity-federation/trunk: identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp and 3 other directories.
Mon Jan 26 23:59:22 EST 2009
Author: anil.saldhana at jboss.com
Date: 2009-01-26 23:59:21 -0500 (Mon, 26 Jan 2009)
New Revision: 252
Added:
identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/util/ValveUtilUnitTestCase.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/exceptions/IssuerNotTrustedException.java
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java
Log:
bring in trust between SP and IDP
Modified: identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
===================================================================
--- identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-01-26 13:20:45 UTC (rev 251)
+++ identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-01-27 04:59:21 UTC (rev 252)
@@ -44,12 +44,14 @@
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.bindings.config.IDP;
+import org.jboss.identity.federation.bindings.config.Trust;
import org.jboss.identity.federation.bindings.interfaces.RoleGenerator;
import org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.SPInfoHolder;
@@ -120,6 +122,8 @@
requestAbstractType = getSAMLRequest(request);
this.validate(request);
+ this.isTrusted(requestAbstractType.getIssuer().getValue());
+
ResponseType responseType = this.getResponse(request, userPrincipal);
send(responseType, request.getParameter("RelayState"), response);
}
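Review bot: The new `this.isTrusted(requestAbstractType.getIssuer().getValue())` dereferences the Issuer without a null check, so an AuthnRequest that omits the schema-optional Issuer element surfaces as a NullPointerException instead of an IssuerNotTrustedException, and the enclosing method (which starts and ends outside this hunk) may not handle the two the same way. Guard it first: `if (requestAbstractType.getIssuer() == null) throw new IssuerNotTrustedException("AuthnRequest carries no Issuer");`. It is also worth a one-line comment at the call site that the Issuer value only means something once the request's signature has been verified, which nothing in this hunk shows; until then a client can name any trusted issuer it likes.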
@@ -143,6 +147,30 @@
}
}
+ /**
+ * Verify that the issuer is trusted
+ * @param issuer
+ * @throws IssuerNotTrustedException
+ */
+ protected void isTrusted(String issuer) throws IssuerNotTrustedException
+ {
+ try
+ {
+ String issuerDomain = ValveUtil.getDomain(issuer);
+ Trust idpTrust = idpConfiguration.getTrust();
+ if(idpTrust != null)
+ {
+ String domainsTrusted = idpTrust.getDomains();
+ if(domainsTrusted.indexOf(issuerDomain) < 0)
+ throw new IssuerNotTrustedException(issuer);
+ }
+ }
+ catch (Exception e)
+ {
+ throw new IssuerNotTrustedException(e.getLocalizedMessage(),e);
+ }
+ }
+
protected void send(ResponseType responseType, String relayState, Response response) throws ServletException
{
try
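Review bot: The membership test `domainsTrusted.indexOf(issuerDomain) < 0` in isTrusted is a substring match, not a list lookup, so any issuer whose host is a substring of the configured string is accepted — an issuer like `http://e/idp` (host `e`) passes against almost any domain list, and `example.com` passes when only `idp.example.com` is trusted. The entries should be split on the configured delimiter (presumably a comma; the Trust/domains format is not visible here) and compared with `equalsIgnoreCase`, and a null `getDomains()` should be rejected explicitly rather than surfacing as an NPE wrapped by the catch-all. Note also that a missing Trust element skips the check entirely (fail open); if that is intended it deserves a comment on the method, otherwise it should throw. Rewritten body below.
```java
   protected void isTrusted(String issuer) throws IssuerNotTrustedException
   {
      String issuerDomain;
      try
      {
         issuerDomain = ValveUtil.getDomain(issuer);
      }
      catch (Exception e)
      {
         throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
      }
      Trust idpTrust = idpConfiguration.getTrust();
      if(idpTrust == null)
         return; // no <Trust> configured: check skipped (existing behaviour, fail open)
      String domainsTrusted = idpTrust.getDomains();
      if(domainsTrusted == null)
         throw new IssuerNotTrustedException(issuer);
      // exact, case-insensitive match per configured entry; indexOf() would accept substrings
      for (String trusted : domainsTrusted.split(","))
      {
         if (trusted.trim().equalsIgnoreCase(issuerDomain))
            return;
      }
      throw new IssuerNotTrustedException(issuer);
   }
```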
Modified: identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-01-26 13:20:45 UTC (rev 251)
+++ identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-01-27 04:59:21 UTC (rev 252)
@@ -42,12 +42,14 @@
import org.jboss.identity.federation.api.util.Base64;
import org.jboss.identity.federation.api.util.DeflateUtil;
import org.jboss.identity.federation.bindings.config.SP;
+import org.jboss.identity.federation.bindings.config.Trust;
import org.jboss.identity.federation.bindings.jboss.DefaultJBossSubjectRegistration;
import org.jboss.identity.federation.bindings.jboss.JBossSubjectRegistration;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
+import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
@@ -158,16 +160,14 @@
catch (Exception e)
{
//TODO: send a saml response message
- log.trace("Exception:",e);
- e.printStackTrace();
+ log.trace("Exception:",e);
}
return false;
}
catch(Exception e)
{
//TODO: send a saml response message
- log.debug("Exception :",e);
- e.printStackTrace();
+ log.debug("Exception :",e);
}
//fallback
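Review bot: Both catch blocks in this hunk log at trace/debug and fall through, so if the issuer trust check introduced by this commit throws into them (the call site is in a later hunk, and this method's body starts outside this one, so that path is inferred) an untrusted issuer is indistinguishable in production logs from a parsing hiccup. A rejected issuer is a security event and should be visible at warn or error together with the offending value; catch `IssuerNotTrustedException` ahead of the generic `Exception` and log it with `log.warn("Untrusted SAML issuer rejected", e);`. Dropping the `printStackTrace()` calls in favour of the logger is fine.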
@@ -205,6 +205,25 @@
return sb.toString();
}
+ protected void isTrusted(String issuer) throws IssuerNotTrustedException
+ {
+ try
+ {
+ String issuerDomain = ValveUtil.getDomain(issuer);
+ Trust idpTrust = spConfiguration.getTrust();
+ if(idpTrust != null)
+ {
+ String domainsTrusted = idpTrust.getDomains();
+ if(domainsTrusted.indexOf(issuerDomain) < 0)
+ throw new IssuerNotTrustedException(issuer);
+ }
+ }
+ catch (Exception e)
+ {
+ throw new IssuerNotTrustedException(e.getLocalizedMessage(),e);
+ }
+ }
+
protected boolean validate(Request request) throws Exception
{
return request.getParameter("SAMLResponse") != null;
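Review bot: This isTrusted is a verbatim copy of the IDP-side method, including its `domainsTrusted.indexOf(issuerDomain) < 0` substring test, which accepts any issuer whose host happens to be a substring of the configured string (e.g. host `e`, or `example.com` when only `idp.example.com` is trusted). The comparison should be an exact, case-insensitive match against each delimited entry (presumably comma-separated; the Trust format is not visible here), and since both valves need it the matching logic belongs in a shared static helper in ValveUtil so the two cannot drift apart. The local variable is also misnamed here: it is the SP's trust configuration, not an IDP's. Rewritten body below.
```java
   protected void isTrusted(String issuer) throws IssuerNotTrustedException
   {
      String issuerDomain;
      try
      {
         issuerDomain = ValveUtil.getDomain(issuer);
      }
      catch (Exception e)
      {
         throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
      }
      Trust spTrust = spConfiguration.getTrust();
      if(spTrust == null)
         return; // no <Trust> configured: check skipped (existing behaviour, fail open)
      String domainsTrusted = spTrust.getDomains();
      if(domainsTrusted == null)
         throw new IssuerNotTrustedException(issuer);
      // exact, case-insensitive match per configured entry; indexOf() would accept substrings
      for (String trusted : domainsTrusted.split(","))
      {
         if (trusted.trim().equalsIgnoreCase(issuerDomain))
            return;
      }
      throw new IssuerNotTrustedException(issuer);
   }
```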
@@ -226,6 +245,8 @@
SAML2Response saml2Response = new SAML2Response();
ResponseType responseType = saml2Response.getResponseType(is);
+
+ this.isTrusted(responseType.getIssuer().getValue());
SPUtil spUtil = new SPUtil();
return spUtil.handleSAMLResponse(request, responseType);
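Review bot: The trust check at `this.isTrusted(responseType.getIssuer().getValue())` keys off the Response-level Issuer, which is schema-optional and, for a response whose signature has not been verified, is simply whatever the posting client put there; the Assertion-level Issuer is the element SAML requires and the one the SP ends up acting on. Unless handleSAMLResponse (outside this hunk) verifies the signature and checks each assertion's Issuer, it would be safer to also run isTrusted over every assertion's issuer, and to guard the null case so the failure is an IssuerNotTrustedException rather than a NullPointerException: `if (responseType.getIssuer() == null) throw new IssuerNotTrustedException("Response carries no Issuer");`. The enclosing method starts outside this hunk.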
Modified: identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java
===================================================================
--- identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java 2009-01-26 13:20:45 UTC (rev 251)
+++ identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java 2009-01-27 04:59:21 UTC (rev 252)
@@ -95,4 +95,16 @@
JAXBElement<SP> jaxbSp = (JAXBElement<SP>) un.unmarshal(is);
return jaxbSp.getValue();
}
+
+ /**
+ * Given a SP or IDP issuer from the assertion, return the host
+ * @param domainURL
+ * @return
+ * @throws Exception
+ */
+ public static String getDomain(String domainURL) throws Exception
+ {
+ URL url = new URL(domainURL);
+ return url.getHost();
+ }
}
\ No newline at end of file
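Review bot: getDomain returns `url.getHost()` unchecked, and for an authority-less issuer such as `http:///idp` or `file:/idp` that is the empty string; since `"anything".indexOf("") == 0`, an empty host satisfies the callers' `indexOf(issuerDomain) < 0` trust test against any configured list, so such an issuer is accepted regardless of configuration. Reject it here: `String host = url.getHost(); if (host == null || host.length() == 0) throw new IllegalArgumentException("issuer has no host component: " + domainURL); return host;`. Separately, a SAML entityID is a URI and need not be a URL, so `new URL("urn:...")` throws "unknown protocol" and such issuers are always rejected — fail closed, but worth stating in the Javadoc (`@throws Exception if the issuer is not a URL with a host`) so deployers know only URL-form entityIDs can be trusted by domain.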
Added: identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/util/ValveUtilUnitTestCase.java
===================================================================
--- identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/util/ValveUtilUnitTestCase.java (rev 0)
+++ identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/util/ValveUtilUnitTestCase.java 2009-01-27 04:59:21 UTC (rev 252)
@@ -0,0 +1,49 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.identity.federation.bindings.util;
+
+import org.jboss.identity.federation.bindings.util.ValveUtil;
+
+import junit.framework.TestCase;
+
+/**
+ * Unit tests for the ValveUtil
+ * @author Anil.Saldhana at redhat.com
+ * @since Jan 26, 2009
+ */
+public class ValveUtilUnitTestCase extends TestCase
+{
+ /**
+ * Given an issuer url, retrieve the host
+ * @throws Exception
+ */
+ public void testTrustedDomain() throws Exception
+ {
+ String issuerURL = "http://localhost:8080/sp";
+ String issuer = ValveUtil.getDomain(issuerURL);
+ assertEquals("localhost", "localhost", issuer);
+
+ issuerURL = "http://192.168.0.1/idp";
+ issuer = ValveUtil.getDomain(issuerURL);
+ assertEquals("192.168.0.1", "192.168.0.1", issuer);
+ }
+}
\ No newline at end of file
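Review bot: testTrustedDomain only exercises well-formed http issuers, while the trust decision built on getDomain also depends on what it does with hostless and non-URL issuers, which nothing pins. Add negative cases so a later change cannot silently widen what is accepted, e.g. `try { ValveUtil.getDomain("urn:example:idp"); fail("non-URL issuer must be rejected"); } catch (Exception expected) {}` and the same for `http:///idp`; the latter appears to yield an empty host with the current implementation rather than an exception, so that assertion documents the intended behaviour and will pass once getDomain rejects empty hosts. The first argument to `assertEquals` here is the JUnit 3 message, which reads as though it were the expected value — a message like `"host of " + issuerURL` would be clearer.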
Added: identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/exceptions/IssuerNotTrustedException.java
===================================================================
--- identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/exceptions/IssuerNotTrustedException.java (rev 0)
+++ identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/exceptions/IssuerNotTrustedException.java 2009-01-27 04:59:21 UTC (rev 252)
@@ -0,0 +1,54 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.identity.federation.core.saml.v2.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception indicating that the issuer is not trusted
+ * @author Anil.Saldhana at redhat.com
+ * @since Jan 26, 2009
+ */
+public class IssuerNotTrustedException extends GeneralSecurityException
+{
+ private static final long serialVersionUID = 1L;
+
+ public IssuerNotTrustedException()
+ {
+ super();
+ }
+
+ public IssuerNotTrustedException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+
+ public IssuerNotTrustedException(String msg)
+ {
+ super(msg);
+ }
+
+ public IssuerNotTrustedException(Throwable cause)
+ {
+ super(cause);
+ }
+}
\ No newline at end of file