Author: mposolda
Date: 2012-01-20 18:15:57 -0500 (Fri, 20 Jan 2012)
New Revision: 8304
Added:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SAML2LogoutFilter.java
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/saml/
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/AbstractLogoutFilter.java
Log:
GTNSSO-4 Support for SAML2 global logout
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/AbstractLogoutFilter.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/AbstractLogoutFilter.java 2012-01-18
19:32:20 UTC (rev 8303)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/AbstractLogoutFilter.java 2012-01-20
23:15:57 UTC (rev 8304)
@@ -64,8 +64,10 @@
if (httpRequest.getSession().getAttribute("SSO_LOGOUT_FLAG") == null)
{
httpRequest.getSession().setAttribute("SSO_LOGOUT_FLAG", Boolean.TRUE);
-
- httpResponse.sendRedirect(this.getRedirectUrl(httpRequest));
+
+ String redirectUrl = this.getRedirectUrl(httpRequest);
+ redirectUrl = httpResponse.encodeRedirectURL(redirectUrl);
+ httpResponse.sendRedirect(redirectUrl);
return;
}
else
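Review bot: The new `httpResponse.encodeRedirectURL(redirectUrl)` call embeds the session id in the Location header whenever the container falls back to URL rewriting (request carried no session cookie), and at this point the session has only been flagged with `SSO_LOGOUT_FLAG`, not invalidated, so a logged or copied redirect URL still names a live session. If cookie-only tracking is the deployment assumption the call is a no-op and deserves a comment such as `// encodeRedirectURL keeps the session (SSO_LOGOUT_FLAG) across the redirect when the container rewrites URLs`; otherwise the session tracking mode should be restricted to cookies in the container or web.xml, or the URL-rewriting case documented as intended. The enclosing method starts and ends outside the hunk, so whether `getRedirectUrl` can return null (which `encodeRedirectURL` would pass straight to `sendRedirect`) cannot be judged from here.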
Added:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SAML2LogoutFilter.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SAML2LogoutFilter.java
(rev 0)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SAML2LogoutFilter.java 2012-01-20
23:15:57 UTC (rev 8304)
@@ -0,0 +1,50 @@
+/*
+ * JBoss, a division of Red Hat
+ * Copyright 2012, Red Hat Middleware, LLC, and individual
+ * contributors as indicated by the @authors tag. See the
+ * copyright.txt in the distribution for a full listing of
+ * individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+
+package org.gatein.sso.agent.filter;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Filter for redirecting GateIn logout request (triggered from GateIn UI by user) to
SAML2 global logout request.
+ * Filter is usable only if we want to enable SAML2 global logout.
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class SAML2LogoutFilter extends AbstractLogoutFilter
+{
+
+ @Override
+ protected String getRedirectUrl(HttpServletRequest httpRequest)
+ {
+ String logoutURL = this.logoutUrl;
+
+ // URL from filter init parameter has priority, but if not provided, we will use
SAML global logout.
+ if (logoutURL == null)
+ {
+ logoutURL = httpRequest.getContextPath() + "/dologin?GLO=true";
+ }
+
+ return logoutURL;
+ }
+}
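Review bot: The fallback check `if (logoutURL == null)` in `getRedirectUrl` treats an empty or whitespace-only `logoutUrl` init parameter as a configured URL, so a blank value would be handed to `sendRedirect` instead of falling back to the SAML global logout path; the surrounding comment says the value comes from the filter init parameter, where a blank entry is easy to produce. Consider `if (logoutURL == null || logoutURL.trim().length() == 0)` so that only a real URL overrides the `/dologin?GLO=true` default. The `logoutUrl` field itself is declared in `AbstractLogoutFilter`, outside this file, so its exact population is not visible here.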
Added:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
(rev 0)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java 2012-01-20
23:15:57 UTC (rev 8304)
@@ -0,0 +1,142 @@
+/*
+ * JBoss, a division of Red Hat
+ * Copyright 2012, Red Hat Middleware, LLC, and individual
+ * contributors as indicated by the @authors tag. See the
+ * copyright.txt in the distribution for a full listing of
+ * individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+
+package org.gatein.sso.agent.saml;
+
+import org.apache.catalina.Session;
+import org.apache.catalina.connector.Request;
+import org.gatein.common.logging.Logger;
+import org.gatein.common.logging.LoggerFactory;
+import org.gatein.wci.impl.DefaultServletContainerFactory;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
+import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
+import org.picketlink.identity.federation.web.core.HTTPContext;
+import org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Extension of {@link SAML2LogOutHandler} because we need to enforce WCI (crossContext)
logout in portal environment.
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class PortalSAML2LogOutHandler extends SAML2LogOutHandler
+{
+ private static Logger log = LoggerFactory.getLogger(PortalSAML2LogOutHandler.class);
+
+ @Override
+ public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse
response) throws ProcessingException
+ {
+ if (request.getSAML2Object() instanceof LogoutRequestType == false)
+ {
+ return;
+ }
+
+ HTTPContext httpContext = (HTTPContext) request.getContext();
+ HttpServletRequest servletRequest = httpContext.getRequest();
+ HttpServletResponse servletResponse = httpContext.getResponse();
+
+ Session catalinaSession = getCatalinaSession(servletRequest);
+
+ // Handle SAML logout request by superclass
+ super.handleRequestType(request, response);
+
+ // Check if session has been invalidated by superclass. If yes,we need to perform
"full" logout at portal level by call WCI logout.
+ if (!catalinaSession.isValid())
+ {
+ portalLogout(servletRequest, servletResponse);
+ }
+ }
+
+ @Override
+ public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse
response)
+ throws ProcessingException
+ {
+ //We do not handle any ResponseType (authentication etc)
+ if (request.getSAML2Object() instanceof ResponseType)
+ return;
+
+ if (request.getSAML2Object() instanceof StatusResponseType == false)
+ return;
+
+
+ HTTPContext httpContext = (HTTPContext) request.getContext();
+ HttpServletRequest servletRequest = httpContext.getRequest();
+ HttpServletResponse servletResponse = httpContext.getResponse();
+
+ Session catalinaSession = getCatalinaSession(servletRequest);
+
+ // Handle SAML logout response by superclass
+ super.handleStatusResponseType(request, response);
+
+ // Check if session has been invalidated by superclass. If yes,we need to perform
"full" logout at portal level by call WCI logout.
+ if (!catalinaSession.isValid())
+ {
+ portalLogout(servletRequest, servletResponse);
+ }
+
+ }
+
+ /**
+ * Performs portal logout by calling WCI logout.
+ *
+ * @param request
+ * @param response
+ */
+ protected void portalLogout(HttpServletRequest request, HttpServletResponse response)
+ {
+ // Workaround: we need to temporary "restore" session to enforce
crossContext logout at WCI layer
+ request.getSession(true);
+
+ try
+ {
+
DefaultServletContainerFactory.getInstance().getServletContainer().logout(request,
response);
+ }
+ catch (Exception e)
+ {
+ String message = "Session has been invalidated but WCI logout
failed.";
+ log.warn(message);
+ if (log.isTraceEnabled())
+ {
+ log.trace(message, e);
+ }
+ }
+ }
+
+ private Session getCatalinaSession(HttpServletRequest servletRequest)
+ {
+ if (!(servletRequest instanceof Request))
+ {
+ throw new IllegalStateException("servletRequest is of class " +
servletRequest.getClass() + ", which is not instanceof " + Request.class);
+ }
+
+ Request catalinaRequest = (Request)servletRequest;
+ return catalinaRequest.getSessionInternal(false);
+ }
+
+}
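Review bot: `getCatalinaSession` returns `catalinaRequest.getSessionInternal(false)`, which yields null when the request has no session, yet both `handleRequestType` and `handleStatusResponseType` call `catalinaSession.isValid()` on it after the superclass call, so a LogoutRequest or LogoutResponse arriving without a session (for example IdP-initiated logout after the portal session expired) ends in a NullPointerException instead of a no-op. Since a null session was not "invalidated by the superclass", the guard in both methods should read `if (catalinaSession != null && !catalinaSession.isValid())`. The `instanceof Request` check in `getCatalinaSession` will also throw `IllegalStateException` if any filter in the chain wraps the request in an `HttpServletRequestWrapper`; if that is a supported deployment, unwrapping before the check (or documenting the restriction in the class Javadoc) would avoid surprising failures. Minor: `log` should be `private static final`, and the `catch (Exception e)` in `portalLogout` only records the cause at trace level, so the warn line carries no detail about why WCI logout failed.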