[picketlink-commits] Picketlink SVN: r1349 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat: idp and 1 other directories.

Tue Jan 31 16:31:57 EST 2012


Author: anil.saldhana at jboss.com
Date: 2012-01-31 16:31:53 -0500 (Tue, 31 Jan 2012)
New Revision: 1349

Modified:
   product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/
   product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
   product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/
   product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
Log:
merge in -r1324


Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat
___________________________________________________________________
Modified: svn:mergeinfo
   - /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1144-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173
   + /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1144-1173,1192-1228,1321-1324
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173

Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java	2012-01-31 21:17:54 UTC (rev 1348)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java	2012-01-31 21:31:53 UTC (rev 1349)
@@ -28,7 +28,9 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.URI;
+import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.Principal;
 import java.security.PublicKey;
@@ -154,6 +156,11 @@
    private Boolean ignoreIncomingSignatures = false;
 
    private Boolean signOutgoingMessages = true;
+   
+   /**
+    * Defines how the token's signature will be validated. If true is used the token's issuer, otherwise the request.getRemoteAddr. Default false. 
+    */
+   private Boolean validatingAliasToTokenIssuer = false;
 
    private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager();
 
@@ -220,6 +227,20 @@
    }
 
    /**
+    * PLFED-248
+    * Allows to validate the token's signature against the keystore using the token's issuer.
+    */
+   public void setValidatingAliasToTokenIssuer(Boolean validatingAliasToTokenIssuer)
+   {
+      this.validatingAliasToTokenIssuer = validatingAliasToTokenIssuer;
+   }
+   
+   public Boolean getValidatingAliasToTokenIssuer() 
+   {
+	   return validatingAliasToTokenIssuer;
+   }
+
+   /**
     * IDP should not do any attributes such as generation of roles etc
     * @param ignoreAttributes
     */
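Review bot: `setValidatingAliasToTokenIssuer` accepts a `Boolean` and stores it unchecked, so a caller passing null makes the later `if (this.validatingAliasToTokenIssuer)` unboxing in `getTokenSignatureValidatingAlias` (added further down in this commit) throw a NullPointerException while a request is being processed. Either reject null in the setter with `if (validatingAliasToTokenIssuer == null) throw new IllegalArgumentException("validatingAliasToTokenIssuer");` or treat null as false at the read site with `if (Boolean.TRUE.equals(this.validatingAliasToTokenIssuer))`. The getter body is indented with a tab while the rest of the file uses spaces.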
@@ -489,8 +510,6 @@
 
       Boolean requestedPostProfile = null;
 
-      //Get the SAML Request Message
-      RequestAbstractType requestAbstractType = null;
       String samlRequestMessage = (String) session.getNote(GeneralConstants.SAML_REQUEST_KEY);
 
       String relayState = (String) session.getNote(GeneralConstants.RELAY_STATE);
@@ -511,15 +530,23 @@
       {
          samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
          samlObject = samlDocumentHolder.getSamlObject();
+         
+         if (!(samlObject instanceof RequestAbstractType)) {
+            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
+         }
 
+         //Get the SAML Request Message
+         RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
+         String issuer = requestAbstractType.getIssuer().getValue();
+
          boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
-         boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder(
+         String tokenSignatureValidatingAlias = getTokenSignatureValidatingAlias(request, issuer);
+         boolean isValid = validate(tokenSignatureValidatingAlias, request.getQueryString(), new SessionHolder(
                samlRequestMessage, signature, sigAlg), isPost);
 
          if (!isValid)
             throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
 
-         String issuer = null;
          IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
          ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext());
          //Create the request/response
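Review bot: With `validatingAliasToTokenIssuer` enabled, the keystore alias that verifies the request signature is now derived from the message's own Issuer via `getTokenSignatureValidatingAlias(request, issuer)` before `webRequestUtil.isTrusted(issuer)` runs later in the method, so the sender of a not-yet-verified message decides which configured key is used in `validate(...)`, and any key present in the keystore rather than only the one configured for that peer can satisfy the check. Move the trust check ahead of the alias lookup, or make the lookup accept only issuers that pass it, so that key selection and the trust decision agree; the `StatusResponseType` path in `processSAMLResponseMessage` changed by this commit has the same ordering. Separately, `requestAbstractType.getIssuer().getValue()` is now dereferenced before signature validation, so if `getIssuer()` returns null for a message without an Issuer element the method fails with a NullPointerException instead of the `GeneralSecurityException` the surrounding code raises for invalid input; guard it with `if (requestAbstractType.getIssuer() == null) throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);`. The enclosing method starts and ends outside the hunk.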
@@ -545,12 +572,13 @@
 
          if (this.keyManager != null)
          {
-            String remoteHost = request.getRemoteAddr();
             if (trace)
             {
-               log.trace("Remote Host=" + remoteHost);
+               log.trace("Remote Host=" + request.getRemoteAddr());
+               log.trace("Validating Alias=" + tokenSignatureValidatingAlias);
             }
-            PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, remoteHost);
+            
+            PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, tokenSignatureValidatingAlias);
             requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
             requestOptions.put(GeneralConstants.DECRYPTING_KEY, keyManager.getSigningKey());
          }
@@ -572,31 +600,24 @@
             log.trace("Handlers are=" + handlers);
          }
 
-         if (samlObject instanceof RequestAbstractType)
+         webRequestUtil.isTrusted(issuer);
+
+         if (handlers != null)
          {
-            requestAbstractType = (RequestAbstractType) samlObject;
-            issuer = requestAbstractType.getIssuer().getValue();
-            webRequestUtil.isTrusted(issuer);
-
-            if (handlers != null)
+            try
             {
-               try
+               chainLock.lock();
+               for (SAML2Handler handler : handlers)
                {
-                  chainLock.lock();
-                  for (SAML2Handler handler : handlers)
-                  {
-                     handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
-                     willSendRequest = saml2HandlerResponse.getSendRequest();
-                  }
+                  handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
+                  willSendRequest = saml2HandlerResponse.getSendRequest();
                }
-               finally
-               {
-                  chainLock.unlock();
-               }
             }
+            finally
+            {
+               chainLock.unlock();
+            }
          }
-         else
-            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
 
          samlResponse = saml2HandlerResponse.getResultingDocument();
          relayState = saml2HandlerResponse.getRelayState();
@@ -654,6 +675,34 @@
       return;
    }
 
+   /**
+    * Returns the alias to be used for the token's signature verification.
+    * If <code>validatingAliasToTokenIssuer</code> is true the token issuer will be returned.
+    * 
+    * @param request
+    * @param issuer
+    * @return
+    */
+   private String getTokenSignatureValidatingAlias(Request request, String issuer)
+   {
+      String issuerHost = request.getRemoteAddr();
+      
+      if (this.validatingAliasToTokenIssuer) {
+         try
+         {
+            issuerHost = new URL(issuer).getHost();
+         }
+         catch (MalformedURLException e)
+         {
+            if (trace) {
+               log.trace("Token issuer is not a valid URL: " + issuer + ". Using the requester address instead.", e);
+            }
+         }
+      }
+      
+      return issuerHost;
+   }
+
    protected void processSAMLResponseMessage(IDPWebRequestUtil webRequestUtil, Request request, Response response)
          throws ServletException, IOException
    {
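Review bot: `new URL(issuer).getHost()` can return an empty string for a well-formed URL that has no authority part, and that empty alias is then returned and handed to the key lookup instead of falling back to the remote address, because only a `MalformedURLException` triggers the fallback. Suggest `String host = new URL(issuer).getHost(); if (host != null && host.length() > 0) issuerHost = host;`. The silent fallback to `request.getRemoteAddr()` also changes which key is trusted, and it is only reported at trace level; consider logging it at warn so a misconfigured issuer is noticed rather than quietly verified against a different key. The Javadoc `@param` and `@return` tags are empty; suggest `@param request the current request, whose remote address is the default alias`, `@param issuer the Issuer value of the incoming SAML message` and `@return the keystore alias under which the validating key is looked up`.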
@@ -678,17 +727,22 @@
 
       cleanUpSessionNote(request);
 
-      StatusResponseType statusResponseType = null;
       try
       {
          samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
          samlObject = samlDocumentHolder.getSamlObject();
-
+         
+         if (!(samlObject instanceof StatusResponseType))
+         {
+            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
+         }
+         
          boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
          boolean isValid = false;
-
-         String remoteAddress = request.getRemoteAddr();
-
+         StatusResponseType statusResponseType = (StatusResponseType) samlObject;
+         String issuer = statusResponseType.getIssuer().getValue();
+         String tokenValidatingAlias = getTokenSignatureValidatingAlias(request, issuer);
+         
          if (isPost)
          {
             //Validate
@@ -696,7 +750,7 @@
 
             if (ignoreIncomingSignatures == false && signOutgoingMessages == true)
             {
-               PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
+               PublicKey publicKey = keyManager.getValidatingKey(tokenValidatingAlias);
                isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey);
             }
             else
@@ -704,14 +758,13 @@
          }
          else
          {
-            isValid = validate(remoteAddress, request.getQueryString(), new SessionHolder(samlResponseMessage,
+            isValid = validate(tokenValidatingAlias, request.getQueryString(), new SessionHolder(samlResponseMessage,
                   signature, sigAlg), isPost);
          }
 
          if (!isValid)
             throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
 
-         String issuer = null;
          IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
          ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext());
          //Create the request/response
@@ -723,32 +776,25 @@
 
          Set<SAML2Handler> handlers = chain.handlers();
 
-         if (samlObject instanceof StatusResponseType)
+         webRequestUtil.isTrusted(issuer);
+
+         if (handlers != null)
          {
-            statusResponseType = (StatusResponseType) samlObject;
-            issuer = statusResponseType.getIssuer().getValue();
-            webRequestUtil.isTrusted(issuer);
-
-            if (handlers != null)
+            try
             {
-               try
+               chainLock.lock();
+               for (SAML2Handler handler : handlers)
                {
-                  chainLock.lock();
-                  for (SAML2Handler handler : handlers)
-                  {
-                     handler.reset();
-                     handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
-                     willSendRequest = saml2HandlerResponse.getSendRequest();
-                  }
+                  handler.reset();
+                  handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
+                  willSendRequest = saml2HandlerResponse.getSendRequest();
                }
-               finally
-               {
-                  chainLock.unlock();
-               }
             }
+            finally
+            {
+               chainLock.unlock();
+            }
          }
-         else
-            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
 
          samlResponse = saml2HandlerResponse.getResultingDocument();
          relayState = saml2HandlerResponse.getRelayState();


Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp
___________________________________________________________________
Modified: svn:mergeinfo
   - /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1173,1192-1228,1302-1319
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173
   + /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1173,1192-1228,1302-1319,1321-1324
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173

Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java	2012-01-31 21:17:54 UTC (rev 1348)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java	2012-01-31 21:31:53 UTC (rev 1349)
@@ -84,11 +84,23 @@
    {
       this.idpAddress = idpAddress;
    }
-
+   
    @Override
+   public void testStart() throws LifecycleException
+   {
+      super.testStart();
+      this.init();
+   }
+   
+   @Override
    public void start() throws LifecycleException
    {
       super.start();
+      this.init();
+   }
+
+   private void init() throws LifecycleException
+   {
       Context context = (Context) getContainer();
 
       KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
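Review bot: `testStart()` and `start()` both call `init()`, so if a container invokes both during one lifecycle the key-provider setup in `init()` (whose body continues past the hunk) runs twice, and the hunk does not show whether that is safe to repeat. If it is not, guard it with a `private boolean initialized` flag checked at the top of `init()`, or document on `testStart` that it is expected to run instead of, not in addition to, `start`. Neither new method has Javadoc; suggest `/** Lifecycle hook that performs the same key-provider initialisation as {@link #start()}. */` on `testStart` and a one-line comment on `init` stating what it reads from `spConfiguration`.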


