From do-not-reply at jboss.org Wed Feb 1 04:47:11 2012 Content-Type: multipart/mixed; boundary="===============7152064010604000314==" MIME-Version: 1.0 From: do-not-reply at jboss.org To: gatein-commits at lists.jboss.org Subject: [gatein-commits] gatein SVN: r8334 - components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter. Date: Wed, 01 Feb 2012 04:47:07 -0500 Message-ID: <201202010947.q119l71L023142@svn01.web.mwc.hst.phx2.redhat.com> --===============7152064010604000314== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: mposolda Date: 2012-02-01 04:47:07 -0500 (Wed, 01 Feb 2012) New Revision: 8334 Added: components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/Pic= ketlinkSTSIntegrationFilter.java Log: GTNSSO-4 Filter for integration with PicketlinkSTS and adding SamlCredentia= l into current securityContext Added: components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter= /PicketlinkSTSIntegrationFilter.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/Pi= cketlinkSTSIntegrationFilter.java (rev 0) +++ components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/Pi= cketlinkSTSIntegrationFilter.java 2012-02-01 09:47:07 UTC (rev 8334) 
@@ -0,0 +1,141 @@ +/* + * JBoss, a division of Red Hat + * Copyright 2012, Red Hat Middleware, LLC, and individual + * contributors as indicated by the @authors tag. See the + * copyright.txt in the distribution for a full listing of + * individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. 
+ */ + +package org.gatein.sso.agent.filter; + +import org.exoplatform.container.web.AbstractFilter; +import org.exoplatform.services.security.jaas.UserPrincipal; +import org.gatein.common.logging.Logger; +import org.gatein.common.logging.LoggerFactory; +import org.jboss.security.SecurityContext; +import org.jboss.security.SecurityContextAssociation; +import org.jboss.security.client.SecurityClient; +import org.jboss.security.client.SecurityClientFactory; +import org.picketlink.identity.federation.core.wstrust.SamlCredential; + +import javax.security.auth.Subject; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.util.Set; + +/** + * Filter for set {@link SamlCredential} into {@link SecurityClient}, whic= h enables to propagate authentication from SAML2 ticket into + * underlying EJB or WS calls. 
+ * + * @author Marek Posolda + */ +public class PicketlinkSTSIntegrationFilter extends AbstractFilter +{ + private static Logger log =3D LoggerFactory.getLogger(PicketlinkSTSInte= grationFilter.class); + = + public void doFilter(ServletRequest request, ServletResponse response, = FilterChain chain) throws IOException, ServletException + { + HttpServletRequest httpRequest =3D (HttpServletRequest)request; + if (httpRequest.getRemoteUser() !=3D null) + { + try + { + SamlCredential samlCredential =3D getSamlCredential(); + + if (log.isTraceEnabled()) + { + log.trace("Found SamlCredential inside Subject: " + samlCre= dential); + } + + // Now set the security context, which can be used in EJB or o= ther calls + if (samlCredential !=3D null) + { + SecurityClient client =3D SecurityClientFactory.getSecurity= Client(); + // Simple login just updates the security context + client.setSimple(new UserPrincipal(httpRequest.getRemoteUse= r()), samlCredential); + client.login(); + + if (log.isTraceEnabled()) + { + log.trace("SecurityClient successfully updated with SAML= Credential"); + } + } + + } + catch (Exception e) + { + e.printStackTrace(); + } + } + = + chain.doFilter(request, response); + } + + public void destroy() + { = + } + + private SamlCredential getSamlCredential() + { = + Subject subj =3D getCurrentSubject(); + = + if (log.isTraceEnabled()) + { + log.trace("Found subject " + subj); + } + = + if (subj =3D=3D null) + { + return null; + } + = + Set credentials =3D subj.getPublicCredentials(); + for (Object credential : credentials) + { + if (credential instanceof SamlCredential) + { + return (SamlCredential)credential; + } + } + + return null; + } + + /** + * JBoss specific way for obtaining a Subject. 
+ * + * @return subject + */ + protected Subject getCurrentSubject() + { + SecurityContext securityContext =3D AccessController.doPrivileged(ne= w PrivilegedAction() + { + public SecurityContext run() + { + return SecurityContextAssociation.getSecurityContext(); + } + }); + return securityContext.getSubjectInfo().getAuthenticatedSubject(); + } +} --===============7152064010604000314==--
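Review bot: The `catch (Exception e)` in doFilter ends in `e.printStackTrace()`, so any failure to read or propagate the SAML credential goes to stderr instead of the `log` the filter already holds, and the request silently continues without propagation; replace it with `log.warn("Unable to propagate SamlCredential for user " + httpRequest.getRemoteUser(), e);`. The security client is logged in before `chain.doFilter` but never logged out, so if the association is thread-bound (which the use of `SecurityContextAssociation` suggests but the hunk does not prove) it can outlive the request on a pooled container thread; a `finally` calling `client.logout()` after the chain closes that window (if `logout()` declares a checked exception, catch and log it there rather than propagate). Smaller points: `getCurrentSubject` dereferences `securityContext.getSubjectInfo()` with no null check, which the catch-all in doFilter masks only for this one caller of a protected method; `log.trace("Found SamlCredential inside Subject: " + samlCredential)` prints the credential object, which depending on its `toString` may write the SAML assertion into log files, so logging only its presence is safer; and `Set credentials` / `new PrivilegedAction()` are raw types that should be `Set<Object>` and `PrivilegedAction<SecurityContext>`.
```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
   HttpServletRequest httpRequest = (HttpServletRequest)request;
   SecurityClient client = null;
   if (httpRequest.getRemoteUser() != null)
   {
      try
      {
         SamlCredential samlCredential = getSamlCredential();
         if (log.isTraceEnabled())
         {
            // Log presence only; the credential value may carry the SAML assertion.
            log.trace("SamlCredential present inside Subject: " + (samlCredential != null));
         }
         if (samlCredential != null)
         {
            client = SecurityClientFactory.getSecurityClient();
            // Simple login just updates the security context
            client.setSimple(new UserPrincipal(httpRequest.getRemoteUser()), samlCredential);
            client.login();
         }
      }
      catch (Exception e)
      {
         // The request proceeds without SAML propagation; record why instead of printing to stderr.
         log.warn("Unable to propagate SamlCredential for user " + httpRequest.getRemoteUser(), e);
      }
   }

   try
   {
      chain.doFilter(request, response);
   }
   finally
   {
      // Undo the per-request login so the association cannot leak to the next request on this thread.
      if (client != null)
      {
         client.logout();
      }
   }
}
```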