Author: sohil.shah(a)jboss.com
Date: 2011-03-09 13:52:02 -0500 (Wed, 09 Mar 2011)
New Revision: 5991
Added:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/InitiateLoginFilter.java
Removed:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/GenericSSOAgent.java
Modified:
components/sso/trunk/agent/pom.xml
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/cas/CASAgent.java
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/josso/JOSSOAgent.java
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/login/SSOLoginModule.java
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java
components/sso/trunk/pom.xml
Log:
merging the sso-wci branch into trunk
Modified: components/sso/trunk/agent/pom.xml
===================================================================
--- components/sso/trunk/agent/pom.xml 2011-03-09 17:51:29 UTC (rev 5990)
+++ components/sso/trunk/agent/pom.xml 2011-03-09 18:52:02 UTC (rev 5991)
@@ -28,13 +28,13 @@
</dependency>
<dependency>
- <groupId>org.exoplatform.portal</groupId>
- <artifactId>exo.portal.component.web</artifactId>
- </dependency>
- <dependency>
<groupId>org.exoplatform.core</groupId>
<artifactId>exo.core.component.organization.api</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.gatein.wci</groupId>
+ <artifactId>wci-wci</artifactId>
+ </dependency>
<dependency>
<groupId>commons-httpclient</groupId>
Deleted:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/GenericSSOAgent.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/GenericSSOAgent.java 2011-03-09
17:51:29 UTC (rev 5990)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/GenericSSOAgent.java 2011-03-09
18:52:02 UTC (rev 5991)
@@ -1,136 +0,0 @@
-/*
- * JBoss, a division of Red Hat
- * Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
- * by the @authors tag. See the copyright.txt in the distribution for a
- * full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
- */
-package org.gatein.sso.agent;
-
-import java.io.IOException;
-
-import org.apache.log4j.Logger;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.exoplatform.web.login.InitiateLoginServlet;
-
-import org.gatein.sso.agent.cas.CASAgent;
-import org.gatein.sso.agent.josso.JOSSOAgent;
-import org.gatein.sso.agent.opensso.OpenSSOAgent;
-
-/**
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- */
-public class GenericSSOAgent extends InitiateLoginServlet
-{
- private static final long serialVersionUID = 6330639010812906309L;
-
- private static Logger log = Logger.getLogger(GenericSSOAgent.class);
-
- private String ssoServerUrl;
- private String ssoCookieName;
- private boolean casRenewTicket;
- private String casServiceUrl;
-
-
- @Override
- public void init() throws ServletException
- {
- super.init();
-
- this.ssoServerUrl =
this.getServletConfig().getInitParameter("ssoServerUrl");
- this.ssoCookieName =
this.getServletConfig().getInitParameter("ssoCookieName");
-
- String casRenewTicketConfig =
this.getServletConfig().getInitParameter("casRenewTicket");
- if(casRenewTicketConfig != null)
- {
- this.casRenewTicket = Boolean.parseBoolean(casRenewTicketConfig);
- }
-
- String casServiceUrlConfig =
this.getServletConfig().getInitParameter("casServiceUrl");
- if(casServiceUrlConfig != null && casServiceUrlConfig.trim().length()>0)
- {
- casServiceUrl = casServiceUrlConfig;
- }
- }
-
- @Override
- protected void doGet(HttpServletRequest req, HttpServletResponse resp)
- throws ServletException, IOException
- {
- try
- {
- this.processSSOToken(req,resp);
-
- String portalContext = req.getContextPath();
- if(req.getAttribute("abort") != null)
- {
- String ssoRedirect = portalContext + "/sso";
- resp.sendRedirect(ssoRedirect);
- return;
- }
-
- super.doGet(req, resp);
- }
- catch(Exception e)
- {
- log.error(this, e);
- throw new ServletException(e);
- }
- }
-
- @Override
- protected void doPost(HttpServletRequest req, HttpServletResponse resp)
- throws ServletException, IOException
- {
- this.doGet(req, resp);
- }
-
- private void processSSOToken(HttpServletRequest httpRequest, HttpServletResponse
httpResponse) throws Exception
- {
- String ticket = httpRequest.getParameter("ticket");
- String jossoAssertion = httpRequest.getParameter("josso_assertion_id");
-
- if (ticket != null && ticket.trim().length() > 0)
- {
- CASAgent casagent = CASAgent.getInstance(this.ssoServerUrl,this.casServiceUrl);
- casagent.setRenewTicket(this.casRenewTicket);
- casagent.validateTicket(httpRequest, ticket);
- }
- else if (jossoAssertion != null && jossoAssertion.trim().length() > 0)
- {
- //the JOSSO Agent. This will need to the new client side JOSSO stack that can run on
5.1.0.GA
- JOSSOAgent.getInstance().validateTicket(httpRequest,httpResponse);
- }
- else
- {
- try
- {
- //See if an OpenSSO Token was used
- OpenSSOAgent.getInstance(this.ssoServerUrl,
this.ssoCookieName).validateTicket(httpRequest);
- }
- catch(IllegalStateException ilse)
- {
- //somehow cookie failed validation, retry by starting the opensso login process
again
- httpRequest.setAttribute("abort", Boolean.TRUE);
- }
- }
- }
-}
Modified: components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/cas/CASAgent.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/cas/CASAgent.java 2011-03-09
17:51:29 UTC (rev 5990)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/cas/CASAgent.java 2011-03-09
18:52:02 UTC (rev 5991)
@@ -25,13 +25,10 @@
import javax.servlet.http.HttpServletRequest;
+import org.gatein.wci.security.Credentials;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.jasig.cas.client.validation.Assertion;
-import org.exoplatform.web.security.Credentials;
-
-import org.gatein.sso.agent.GenericSSOAgent;
-
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
@@ -44,13 +41,13 @@
private boolean renewTicket;
private String casServiceUrl;
- private CASAgent(String casServerUrl, String casServiceUrl)
+ private CASAgent(String casServerUrl,String casServiceUrl)
{
this.casServerUrl = casServerUrl;
this.casServiceUrl = casServiceUrl;
}
- public static CASAgent getInstance(String casServerUrl,String casServiceUrl)
+ public static CASAgent getInstance(String casServerUrl, String casServiceUrl)
{
if(CASAgent.singleton == null)
{
@@ -79,22 +76,24 @@
public void validateTicket(HttpServletRequest httpRequest, String ticket) throws
Exception
{
Cas20ProxyTicketValidator ticketValidator = new
Cas20ProxyTicketValidator(casServerUrl);
- ticketValidator.setRenew(this.renewTicket);
-
- //String serviceUrl = "http://"+ httpRequest.getServerName() +":"
+ httpRequest.getServerPort() +
- //httpRequest.getContextPath() +"/private/classic";
- Assertion assertion = ticketValidator.validate(ticket, this.casServiceUrl);
-
-
log.debug("------------------------------------------------------------------------------------");
- log.debug("Service: "+this.casServiceUrl);
- log.debug("Principal: "+assertion.getPrincipal().getName());
-
log.debug("------------------------------------------------------------------------------------");
-
-
- //Use empty password....it shouldn't be needed...this is a SSO login. The
password has
- //already been presented with the SSO server. It should not be passed around for
- //better security
- Credentials credentials = new Credentials(assertion.getPrincipal().getName(),
"");
- httpRequest.getSession().setAttribute(GenericSSOAgent.CREDENTIALS, credentials);
+ ticketValidator.setRenew(this.renewTicket);
+
+ //String serviceUrl = "http://"+ httpRequest.getServerName()
+":" + httpRequest.getServerPort() +
+ //httpRequest.getContextPath() +"/private/classic";
+ Assertion assertion = ticketValidator.validate(ticket, this.casServiceUrl);
+
+
log.debug("------------------------------------------------------------------------------------");
+ log.debug("Service: "+this.casServiceUrl);
+ log.debug("Principal: "+assertion.getPrincipal().getName());
+
log.debug("------------------------------------------------------------------------------------");
+
+
+ //Use empty password....it shouldn't be needed...this is a SSO login. The
password has
+ //already been presented with the SSO server. It should not be passed around for
+ //better security
+ String principal = assertion.getPrincipal().getName();
+ Credentials credentials = new Credentials(principal, "");
+ httpRequest.getSession().setAttribute(Credentials.CREDENTIALS, credentials);
+ httpRequest.getSession().setAttribute("username", principal);
}
}
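Review bot: The two setAttribute calls added at the end of validateTicket store the authenticated principal in whatever session `httpRequest.getSession()` returns, which is the session the client already had (if any) before the CAS ticket was validated, so a pre-login session id is carried into the authenticated state. A common mitigation is to discard that session first, e.g. `HttpSession old = httpRequest.getSession(false); if (old != null) { old.invalidate(); }` before the `getSession()` that stores `Credentials.CREDENTIALS` and `"username"`; the same pattern is added in JOSSOAgent.validateTicket and OpenSSOAgent.validateTicket in this commit. Since SSOLoginModule in this commit reads `"username"` back from the session as its source of identity, a comment next to these two lines such as `// consumed by SSOLoginModule.login() via the JACC PolicyContext request` would also tell the next maintainer why the plain "username" attribute exists alongside the Credentials object.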
Added:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/InitiateLoginFilter.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/InitiateLoginFilter.java
(rev 0)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/InitiateLoginFilter.java 2011-03-09
18:52:02 UTC (rev 5991)
@@ -0,0 +1,110 @@
+/**
+ *
+ */
+package org.gatein.sso.agent.filter;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.gatein.sso.agent.cas.CASAgent;
+import org.gatein.sso.agent.josso.JOSSOAgent;
+import org.gatein.sso.agent.opensso.OpenSSOAgent;
+
+/**
+ * @author soshah
+ *
+ */
+public class InitiateLoginFilter implements Filter
+{
+ private String ssoServerUrl;
+ private String ssoCookieName;
+ private boolean casRenewTicket;
+ private String casServiceUrl;
+
+ public void init(FilterConfig filterConfig) throws ServletException
+ {
+ this.ssoServerUrl = filterConfig.getInitParameter("ssoServerUrl");
+ this.ssoCookieName = filterConfig.getInitParameter("ssoCookieName");
+
+ String casRenewTicketConfig =
filterConfig.getInitParameter("casRenewTicket");
+ if(casRenewTicketConfig != null)
+ {
+ this.casRenewTicket = Boolean.parseBoolean(casRenewTicketConfig);
+ }
+
+ String casServiceUrlConfig =
filterConfig.getInitParameter("casServiceUrl");
+ if(casServiceUrlConfig != null &&
casServiceUrlConfig.trim().length()>0)
+ {
+ casServiceUrl = casServiceUrlConfig;
+ }
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException
+ {
+ try
+ {
+ HttpServletRequest req = (HttpServletRequest)request;
+ HttpServletResponse resp = (HttpServletResponse)response;
+
+ this.processSSOToken(req,resp);
+
+ String portalContext = req.getContextPath();
+ if(req.getAttribute("abort") != null)
+ {
+ String ssoRedirect = portalContext + "/sso";
+ resp.sendRedirect(ssoRedirect);
+ return;
+ }
+
+ chain.doFilter(request, response);
+ }
+ catch(Exception e)
+ {
+ throw new ServletException(e);
+ }
+ }
+
+ public void destroy()
+ {
+ }
+
+ private void processSSOToken(HttpServletRequest httpRequest, HttpServletResponse
httpResponse) throws Exception
+ {
+ String ticket = httpRequest.getParameter("ticket");
+ String jossoAssertion =
httpRequest.getParameter("josso_assertion_id");
+
+ if (ticket != null && ticket.trim().length() > 0)
+ {
+ CASAgent casagent = CASAgent.getInstance(this.ssoServerUrl,
this.casServiceUrl);
+ casagent.setRenewTicket(this.casRenewTicket);
+ casagent.validateTicket(httpRequest, ticket);
+ }
+ else if (jossoAssertion != null && jossoAssertion.trim().length() >
0)
+ {
+ //the JOSSO Agent. This will need to the new client side JOSSO stack that can
run on 5.1.0.GA
+ JOSSOAgent.getInstance().validateTicket(httpRequest,httpResponse);
+ }
+ else
+ {
+ try
+ {
+ //See if an OpenSSO Token was used
+ OpenSSOAgent.getInstance(this.ssoServerUrl,
this.ssoCookieName).validateTicket(httpRequest);
+ }
+ catch(IllegalStateException ilse)
+ {
+ //somehow cookie failed validation, retry by starting the opensso login
process again
+ httpRequest.setAttribute("abort", Boolean.TRUE);
+ }
+ }
+ }
+}
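Review bot: init() accepts a missing `ssoServerUrl` or `ssoCookieName` init-param silently, so a misconfigured filter only fails later inside CASAgent or OpenSSOAgent on the first request that carries a ticket or cookie; failing fast at startup is clearer, e.g. `if (this.ssoServerUrl == null) { throw new ServletException("ssoServerUrl init-param is required"); }`. doFilter also casts `request`/`response` to the HTTP types without an `instanceof` check, so a non-HTTP invocation surfaces as a ClassCastException wrapped in ServletException rather than a clear error. The class Javadoc is an empty `/** ... */` plus `@author`; it should state that this filter replaces the deleted GenericSSOAgent servlet, validates a CAS `ticket` parameter, a JOSSO `josso_assertion_id` parameter or an OpenSSO cookie, and redirects to `<context>/sso` when the OpenSSO cookie fails validation (the `abort` attribute set in processSSOToken). The comment `//the JOSSO Agent. This will need to the new client side JOSSO stack that can run on 5.1.0.GA` is garbled and could read `// JOSSO agent; requires the newer client-side JOSSO stack that runs on 5.1.0.GA`.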
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/josso/JOSSOAgent.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/josso/JOSSOAgent.java 2011-03-09
17:51:29 UTC (rev 5990)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/josso/JOSSOAgent.java 2011-03-09
18:52:02 UTC (rev 5991)
@@ -26,8 +26,7 @@
import org.apache.log4j.Logger;
-import org.exoplatform.web.security.Credentials;
-import org.gatein.sso.agent.GenericSSOAgent;
+import org.gatein.wci.security.Credentials;
import org.josso.agent.Lookup;
import org.josso.agent.SSOAgentRequest;
@@ -101,7 +100,8 @@
log.debug("-----------------------------------------------------------");
Credentials credentials = new Credentials(principal, "");
- httpRequest.getSession().setAttribute(GenericSSOAgent.CREDENTIALS, credentials);
+ httpRequest.getSession().setAttribute(Credentials.CREDENTIALS, credentials);
+ httpRequest.getSession().setAttribute("username", principal);
}
}
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/login/SSOLoginModule.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/login/SSOLoginModule.java 2011-03-09
17:51:29 UTC (rev 5990)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/login/SSOLoginModule.java 2011-03-09
18:52:02 UTC (rev 5991)
@@ -21,35 +21,49 @@
*/
package org.gatein.sso.agent.login;
+import java.lang.reflect.Method;
+
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
+import javax.servlet.http.HttpServletRequest;
-import org.exoplatform.container.ExoContainer;
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import org.exoplatform.services.security.Authenticator;
import org.exoplatform.services.security.Identity;
import org.exoplatform.services.security.UsernameCredential;
import org.exoplatform.services.security.jaas.AbstractLoginModule;
-import org.exoplatform.web.security.Credentials;
-import org.exoplatform.web.security.security.CookieTokenService;
-import org.exoplatform.web.security.security.TransientTokenService;
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
public final class SSOLoginModule extends AbstractLoginModule
{
- private static final Log LOG = ExoLogger.getLogger(SSOLoginModule.class
+ private static final Log log = ExoLogger.getLogger(SSOLoginModule.class
.getName());
+
+ /** JACC get context method. */
+ private static Method getContextMethod;
- protected Log getLogger()
- {
- return LOG;
- }
-
+ static
+ {
+ try
+ {
+ Class<?> policyContextClass =
Thread.currentThread().getContextClassLoader().loadClass("javax.security.jacc.PolicyContext");
+ getContextMethod = policyContextClass.getDeclaredMethod("getContext",
String.class);
+ }
+ catch (ClassNotFoundException ignore)
+ {
+ log.debug("JACC not found ignoring it", ignore);
+ }
+ catch (Exception e)
+ {
+ log.error("Could not obtain JACC get context method", e);
+ }
+ }
+
public boolean login() throws LoginException
{
try
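Review bot: The `/** JACC get context method. */` comment on `getContextMethod` does not say what a null value means, yet login() (in the next hunk) treats null as "JACC unavailable" and skips the session lookup entirely, so a failed static initialisation silently turns that login path off. Suggest `/** PolicyContext.getContext(String), or null when JACC is unavailable; login() then never consults the session for the username. */`. Resolving the class through `Thread.currentThread().getContextClassLoader()` inside a static initialiser also ties the result to whichever thread first loads SSOLoginModule, which may not be a request thread — presumably intended, but worth a one-line comment.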
@@ -61,33 +75,37 @@
String password = new String(((PasswordCallback) callbacks[1])
.getPassword());
-
- ExoContainer container = getContainer();
- Object o = ((TransientTokenService) container
- .getComponentInstanceOfType(TransientTokenService.class))
- .validateToken(password, true);
- if (o == null)
- o = ((CookieTokenService) container
- .getComponentInstanceOfType(CookieTokenService.class))
- .validateToken(password, false);
- String username = null;
- if (o instanceof Credentials)
- {
- Credentials wc = (Credentials)o;
- username = wc.getUsername();
- }
-
+ //
+ // For clustered config check credentials stored and propagated in session.
This won't work in tomcat because
+ // of lack of JACC PolicyContext so the code must be a bit defensive
+ String username = null;
+ if (getContextMethod != null &&
password.startsWith("wci-ticket"))
+ {
+ HttpServletRequest request;
+ try
+ {
+ request = (HttpServletRequest)getContextMethod.invoke(null,
"javax.servlet.http.HttpServletRequest");
+ username =
(String)request.getSession().getAttribute("username");
+ }
+ catch(Throwable e)
+ {
+ log.error(this,e);
+ log.error("LoginModule error. Turn off session credentials checking
with proper configuration option of " +
+ "LoginModule set to false");
+ }
+ }
+
if (username == null)
{
- //SSO token could not be validated...hence a user id cannot be found
- LOG.error("---------------------------------------------------------");
- LOG.error("SSOLogin Failed. Credential Not Found!!");
- LOG.error("---------------------------------------------------------");
- return false;
+ //SSO token could not be validated...hence a user id cannot be found
+ log.error("---------------------------------------------------------");
+ log.error("SSOLogin Failed. Credential Not Found!!");
+ log.error("---------------------------------------------------------");
+ return false;
}
-
+ //Perform authentication by setting up the proper Application State
Authenticator authenticator = (Authenticator) getContainer()
.getComponentInstanceOfType(Authenticator.class);
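Review bot: The new branch in login() does not validate the ticket within this module: the only test on `password` is `startsWith("wci-ticket")`, after which the identity is taken verbatim from the session attribute `"username"`, so any code that writes that attribute (CASAgent, JOSSOAgent and OpenSSOAgent in this commit) authenticates the user and the session becomes the trust boundary. The comment above the branch should state that assumption explicitly rather than only the clustering motivation, and if no other component reads the attribute it could be consumed one-shot with `request.getSession().removeAttribute("username")` right after it is read, so a stale value cannot satisfy a later login attempt. `catch(Throwable e)` also traps `Error`s, and `log.error(this,e)` logs the module instance rather than a message; `catch (Exception e)` with `log.error("Could not read username from session via JACC PolicyContext", e)` would be cleaner. The removed TransientTokenService/CookieTokenService lookup was the previous source of the username; login() continues past the hunk.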
@@ -125,4 +143,10 @@
{
return true;
}
-}
+
+ @Override
+ protected Log getLogger()
+ {
+ return log;
+ }
+}
\ No newline at end of file
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java 2011-03-09
17:51:29 UTC (rev 5990)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java 2011-03-09
18:52:02 UTC (rev 5991)
@@ -31,9 +31,9 @@
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
-import org.exoplatform.web.security.Credentials;
-import org.gatein.sso.agent.GenericSSOAgent;
+import org.gatein.wci.security.Credentials;
+
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
@@ -70,6 +70,11 @@
{
String token = null;
Cookie[] cookies = httpRequest.getCookies();
+ if(cookies == null)
+ {
+ return;
+ }
+
for(Cookie cookie: cookies)
{
if(cookie.getName().equals(this.cookieName))
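Review bot: The two new no-token cases take different paths: the guard added here returns silently when the request has no cookies at all, while the check added in the next hunk throws `IllegalStateException("No SSO Tokens Found")` when cookies exist but none is named `cookieName`. In InitiateLoginFilter (added in this commit) only the exception sets the `abort` attribute and triggers the `/sso` redirect, so a cookie-less request falls through to the chain unauthenticated while a request with unrelated cookies is redirected. If both are meant to restart the login, replace the `return` with the same `throw`; if the silent fall-through is intended, a comment such as `// no cookies at all: let the request proceed, the portal will prompt for login` would stop the next reader from "fixing" it. The `if(token != null)` that follows the new throw in the next hunk is now always true and can be dropped, since the throw already covers the null case (validateTicket continues past that hunk).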
@@ -78,6 +83,11 @@
break;
}
}
+
+ if(token == null)
+ {
+ throw new IllegalStateException("No SSO Tokens Found");
+ }
if(token != null)
{
@@ -92,7 +102,8 @@
if(subject != null)
{
Credentials credentials = new Credentials(subject, "");
- httpRequest.getSession().setAttribute(GenericSSOAgent.CREDENTIALS, credentials);
+ httpRequest.getSession().setAttribute(Credentials.CREDENTIALS, credentials);
+ httpRequest.getSession().setAttribute("username", subject);
}
}
}
Modified: components/sso/trunk/pom.xml
===================================================================
--- components/sso/trunk/pom.xml 2011-03-09 17:51:29 UTC (rev 5990)
+++ components/sso/trunk/pom.xml 2011-03-09 18:52:02 UTC (rev 5991)
@@ -70,7 +70,7 @@
<!-- exo -->
<org.exoplatform.core.version>2.3.5-GA</org.exoplatform.core.version>
<org.exoplatform.ws.version>2.1.5-GA</org.exoplatform.ws.version>
- <org.exoplatform.portal.version>3.1.0-GA</org.exoplatform.portal.version>
+ <org.gatein.wci.version>2.1.0-Alpha01-SNAPSHOT</org.gatein.wci.version>
<!-- JAX-RS jsr-311 -->
<version.javax.ws.rs>1.0</version.javax.ws.rs>
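Review bot: The new `org.gatein.wci.version` property pins the agent to `2.1.0-Alpha01-SNAPSHOT`, a mutable artifact, so trunk builds are no longer reproducible and the resolved wci-wci jar can change between builds without any change in this repository. A released version, or at least a note in the commit log that the snapshot is temporary, would keep the dependency auditable; the same property is referenced by the dependency hunk below.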
@@ -190,9 +190,9 @@
<version>${org.exoplatform.core.version}</version>
</dependency>
<dependency>
- <groupId>org.exoplatform.portal</groupId>
- <artifactId>exo.portal.component.web</artifactId>
- <version>${org.exoplatform.portal.version}</version>
+ <groupId>org.gatein.wci</groupId>
+ <artifactId>wci-wci</artifactId>
+ <version>${org.gatein.wci.version}</version>
</dependency>