[picketlink-commits] Picketlink SVN: r1001 - federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth.

picketlink-commits at lists.jboss.org picketlink-commits at lists.jboss.org
Mon Jun 13 20:02:59 EDT 2011 

Author: anil.saldhana at jboss.com
Date: 2011-06-13 20:02:59 -0400 (Mon, 13 Jun 2011)
New Revision: 1001

Modified:
   federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java
Log:
deal with roles from saml assertion

Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java	2011-06-13 23:52:49 UTC (rev 1000)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java	2011-06-14 00:02:59 UTC (rev 1001)
@@ -23,6 +23,7 @@
 import java.io.IOException;
 import java.security.Principal;
 import java.security.acl.Group;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -48,6 +49,7 @@
 import org.jboss.security.mapping.MappingContext;
 import org.jboss.security.mapping.MappingManager;
 import org.jboss.security.mapping.MappingType;
+import org.picketlink.identity.federation.core.constants.AttributeConstants;
 import org.picketlink.identity.federation.core.constants.PicketLinkFederationConstants;
 import org.picketlink.identity.federation.core.exceptions.ParsingException;
 import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
@@ -150,8 +152,8 @@
  * 
  * <h3>Additional Configuration</h3>
  * <p>
- * groupPrincipalName: If you want the group principal in the subject representing the subject roles to have a name that is different
- *                     from "Roles".
+ * roleKey: By default, the saml attributes with key "Role" are assumed to represent user roles. You can configure a comma
+ * separated list of string values to represent the attribute names for user roles.
  * </p>
  * 
  * <p>cache.invalidation:  set it to true if you require invalidation of JBoss Auth Cache at SAML Principal expiration.</p>
@@ -192,10 +194,9 @@
    public static final String STS_CONFIG_FILE = "configFile";
 
    /**
-    * Historically, JBoss has used the "Roles" as the group principal name in the subject
-    * to represent the subject roles. Users can customize this name with this option.
+    * Attribute names indicating the user roles
     */
-   public static final String GROUP_PRINCIPAL_NAME = "groupPrincipalName";
+   public static final String ROLE_KEY = "roleKey";
 
    /**
     * Key to specify the end point address
@@ -274,9 +275,9 @@
    protected boolean useOptionsCredentials;
 
    /**
-    * Name of the group principal. If unconfigured, will be "null"
+    * Name of the saml attribute representing roles. Can be csv
     */
-   protected String groupPrincipalName = null;
+   protected String roleKey = AttributeConstants.ROLE_IDENTIFIER_ASSERTION;
 
    protected boolean enableCacheInvalidation = false;
 
@@ -325,9 +326,9 @@
       if (useOptionsCreds != null)
          useOptionsCredentials = useOptionsCreds.booleanValue();
 
-      final String gpPrincipalName = (String) options.get(GROUP_PRINCIPAL_NAME);
-      if (gpPrincipalName != null && gpPrincipalName.length() > 0)
-         groupPrincipalName = gpPrincipalName;
+      final String roleKeyStr = (String) options.get(ROLE_KEY);
+      if (roleKeyStr != null && roleKeyStr.length() > 0)
+         roleKey = roleKeyStr;
 
       String cacheInvalidation = (String) options.get("cache.invalidation");
       if (cacheInvalidation != null && !cacheInvalidation.isEmpty())
@@ -777,24 +778,29 @@
          roleMappingContext.performMapping(contextMap, null);
          RoleGroup group = roleMappingContext.getMappingResult().getMappedObject();
 
-         SimpleGroup rolePrincipal = null;
+         SimpleGroup rolePrincipal = new SimpleGroup(group.getRoleName());
 
-         if (groupPrincipalName != null)
-         {
-            rolePrincipal = new SimpleGroup(groupPrincipalName);
-         }
-         else
-         {
-            rolePrincipal = new SimpleGroup(group.getRoleName());
-         }
-
          for (Role role : group.getRoles())
          {
             rolePrincipal.addMember(new SimplePrincipal(role.getRoleName()));
          }
          subject.getPrincipals().add(rolePrincipal);
       }
+      else
+      {
+         List<String> roleKeys = new ArrayList<String>();
+         roleKeys.addAll(StringUtil.tokenize(roleKey));
 
+         List<String> roles = AssertionUtil.getRoles(assertion, roleKeys);
+
+         SimpleGroup group = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER);
+         for (String role : roles)
+         {
+            group.addMember(new SimplePrincipal(role));
+         }
+         subject.getPrincipals().add(group);
+      }
+
       if (injectCallerPrincipalGroup)
       {
          Group callerPrincipal = new SimpleGroup("CallerPrincipal");

More information about the picketlink-commits mailing list