JBoss Identity SVN: r694 - identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp.
by jboss-identity-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2009-08-13 22:33:35 -0400 (Thu, 13 Aug 2009)
New Revision: 694
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
Log:
unnecessary variable
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-14 00:20:17 UTC (rev 693)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-14 02:33:35 UTC (rev 694)
@@ -79,8 +79,6 @@
{
private static Logger log = Logger.getLogger(IDPWebRequestUtil.class);
- private HttpServletRequest request;
-
private boolean redirectProfile = false;
private boolean postProfile = false;
@@ -89,7 +87,6 @@
public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager keym)
{
- this.request = request;
this.idpConfiguration = idp;
this.keyManager = keym;
this.redirectProfile = "GET".equals(request.getMethod());
JBoss Identity SVN: r693 - in identity-federation/trunk: jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat and 8 other directories.
by jboss-identity-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2009-08-13 20:20:17 -0400 (Thu, 13 Aug 2009)
New Revision: 693
Added:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java
Log:
JBID-164: use dom
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -33,6 +33,7 @@
import javax.xml.ws.WebServiceException;
import javax.xml.ws.WebServiceProvider;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.wstrust.STSConfiguration;
import org.jboss.identity.federation.api.wstrust.SecurityTokenService;
import org.jboss.identity.federation.api.wstrust.WSTrustConstants;
@@ -41,12 +42,14 @@
import org.jboss.identity.federation.api.wstrust.WSTrustRequestHandler;
import org.jboss.identity.federation.bindings.config.STSType;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.core.wstrust.BaseRequestSecurityToken;
import org.jboss.identity.federation.core.wstrust.RequestSecurityToken;
import org.jboss.identity.federation.core.wstrust.RequestSecurityTokenCollection;
import org.jboss.identity.federation.core.wstrust.RequestSecurityTokenResponse;
import org.jboss.identity.federation.core.wstrust.RequestSecurityTokenResponseCollection;
+import org.w3c.dom.Document;
/**
* <p>
@@ -72,7 +75,16 @@
*/
public Source invoke(Source request)
{
- BaseRequestSecurityToken baseRequest = WSTrustJAXBFactory.getInstance().parseRequestSecurityToken(request);
+ BaseRequestSecurityToken baseRequest;
+ try
+ {
+ baseRequest = WSTrustJAXBFactory.getInstance().parseRequestSecurityToken(request);
+ }
+ catch (ParsingException e)
+ {
+ throw new RuntimeException(e);
+ }
+
if (baseRequest instanceof RequestSecurityToken)
return this.handleTokenRequest((RequestSecurityToken) baseRequest);
else if (baseRequest instanceof RequestSecurityTokenCollection)
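Review bot: The new catch in invoke() wraps a ParsingException of the inbound RST in a bare RuntimeException, so a malformed client request surfaces as a generic server error instead of a JAX-WS fault. The file already imports javax.xml.ws.WebServiceException (see the first hunk), which is the type the runtime turns into a proper SOAP fault; `throw new WebServiceException("Unable to parse the RequestSecurityToken", e);` keeps the cause and reports the failure on the right channel. The remainder of invoke() lies outside this hunk.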
@@ -92,6 +104,13 @@
*/
protected Source handleTokenRequest(RequestSecurityToken request)
{
+ SAMLDocumentHolder holder = WSTrustJAXBFactory.getInstance().getSAMLDocumentHolderOnThread();
+
+ /**
+ * The RST Document is very important for XML Signatures
+ */
+ request.setRSTDocument(holder.getSamlDocument());
+
if(this.config == null)
try
{
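Review bot: `holder` comes from a per-thread lookup and is dereferenced on the next line without a null check, so a request whose parse path did not populate the thread-local (or a pooled thread carrying a stale holder from an earlier request) would NPE or, worse, bind the wrong DOM to this RST — and the comment says that document is what the XML Signature is computed over. I would guard it, `if(holder == null) throw new WebServiceException("No SAML document bound to the current thread");`, and clear the thread-local once the document has been transferred, if WSTrustJAXBFactory offers a way to do so (not visible here). The `/** ... */` block inside the method body is Javadoc syntax on a statement; a `//` comment is the conventional form. handleTokenRequest() continues past the end of the hunk.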
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -38,6 +38,7 @@
import javax.crypto.SecretKey;
+import org.apache.log4j.Logger;
import org.jboss.identity.federation.bindings.config.AuthPropertyType;
import org.jboss.identity.federation.bindings.config.KeyValueType;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyConfigurationException;
@@ -45,7 +46,7 @@
import org.jboss.identity.federation.bindings.interfaces.TrustKeyProcessingException;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.bindings.util.cert.EncryptionKeyUtil;
-import org.jboss.identity.federation.bindings.util.cert.KeyStoreUtil;
+import org.jboss.identity.federation.bindings.util.cert.KeyStoreUtil;
/**
* KeyStore based Trust Key Manager
@@ -64,6 +65,8 @@
*/
private final Map<String,SecretKey> keys = new HashMap<String,SecretKey>();
+ private static Logger log = Logger.getLogger(KeyStoreKeyManager.class);
+
private final HashMap<String,String> domainAliasMap = new HashMap<String,String>();
private final HashMap<String,String> authPropsMap = new HashMap<String,String>();
@@ -185,6 +188,8 @@
public PublicKey getPublicKey(String alias)
throws TrustKeyConfigurationException, TrustKeyProcessingException
{
+ PublicKey publicKey = null;
+
try
{
if(ks == null)
@@ -192,7 +197,13 @@
if(ks == null)
throw new IllegalStateException("KeyStore is null");
- return ks.getCertificate(alias).getPublicKey();
+ Certificate cert = ks.getCertificate(alias);
+ if(cert != null)
+ publicKey = cert.getPublicKey();
+ else
+ log.debug("No public key found for alias=" + alias);
+
+ return publicKey;
}
catch (KeyStoreException e)
{
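Review bot: With this change a missing alias makes getPublicKey() return null and logs only at debug level, so a caller that feeds the result into signature validation (getValidatingKey in the SP authenticators appears to be such a path, though its body is not shown) will fail later with an NPE or an unexplained "invalid" result far from the root cause. A missing trust anchor is a configuration fault; the method already declares TrustKeyConfigurationException and could throw it here instead of returning null. If returning null is intentional, raise the log to `log.warn("No certificate found for alias=" + alias);` and state the contract in the Javadoc, `@return the public key for the alias, or null when the keystore holds no certificate for it`.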
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -267,7 +267,7 @@
return request.getParameter("SAMLRequest") != null;
}
- private RequestAbstractType getSAMLRequest(Request request) throws JAXBException, SAXException
+ private RequestAbstractType getSAMLRequest(Request request) throws ParsingException, IOException
{
String samlMessage = getSAMLMessage(request);
InputStream is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -57,7 +57,7 @@
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
-import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
/**
* Generic Web Browser SSO valve for the IDP
@@ -149,23 +149,24 @@
}
- IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration);
+ IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration, keyManager);
+ Document samlErrorResponse = null;
//Look for unauthorized status
if(response.getStatus() == HttpServletResponse.SC_FORBIDDEN)
{
try
{
- ResponseType errorResponseType =
+ samlErrorResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
if(this.signOutgoingMessages)
- webRequestUtil.send(errorResponseType, relayState, response, true,
+ webRequestUtil.send(samlErrorResponse, referer, relayState, response, true,
this.keyManager.getSigningKey());
else
- webRequestUtil.send(errorResponseType, relayState, response, false,null);
+ webRequestUtil.send(samlErrorResponse, referer,relayState, response, false,null);
}
catch (GeneralSecurityException e)
@@ -206,9 +207,9 @@
if(samlMessage != null)
{
//Get the SAML Request Message
- RequestAbstractType requestAbstractType = null;
- ResponseType responseType = null;
-
+ RequestAbstractType requestAbstractType = null;
+ Document samlResponse = null;
+ String destination = null;
try
{
requestAbstractType = webRequestUtil.getSAMLRequest(samlMessage);
@@ -226,60 +227,62 @@
log.trace("Roles have been determined:Creating response");
AuthnRequestType art = (AuthnRequestType) requestAbstractType;
- responseType =
- webRequestUtil.getResponse(art.getAssertionConsumerServiceURL(),
+ destination = art.getAssertionConsumerServiceURL();
+
+ samlResponse =
+ webRequestUtil.getResponse(destination,
userPrincipal, roles,
- this.identityURL, this.assertionValidity);
+ this.identityURL, this.assertionValidity, this.signOutgoingMessages);
}
catch (IssuerNotTrustedException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch (ParsingException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch (ConfigurationException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch (IssueInstantMissingException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch(GeneralSecurityException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
finally
{
try
{
if(this.signOutgoingMessages)
- webRequestUtil.send(responseType, relayState, response, true,
+ webRequestUtil.send(samlResponse, destination,relayState, response, true,
this.keyManager.getSigningKey());
else
- webRequestUtil.send(responseType, relayState, response, false,null);
+ webRequestUtil.send(samlResponse, destination, relayState, response, false,null);
}
catch (ParsingException e)
{
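Review bot: `destination` is only assigned inside the try (at `destination = art.getAssertionConsumerServiceURL();`), so in every catch branch that builds an error response for `referer` it stays null, and the finally block then calls `send(samlResponse, destination, ...)` with a null destination — in the redirect path that is concatenated straight into the redirect URL. Either assign `destination = referer;` in each catch, or initialise the variable to `referer` where it is declared in the preceding hunk. Separately, the ACS URL taken from the AuthnRequest becomes the destination of the response without any visible check against the configured trusted SPs; if that validation does not happen elsewhere in this method (its start and end are outside the hunk), the IDP will post the assertion to whatever URL the request names.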
@@ -314,16 +317,16 @@
{
log.trace("About to send error response to SP:" + referrer);
- ResponseType errorResponseType =
+ Document samlResponse =
webRequestUtil.getErrorResponse(referrer, JBossSAMLURIConstants.STATUS_RESPONDER.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
try
{
if(this.signOutgoingMessages)
- webRequestUtil.send(errorResponseType, relayState, response, true,
+ webRequestUtil.send(samlResponse, referrer, relayState, response, true,
this.keyManager.getSigningKey());
else
- webRequestUtil.send(errorResponseType, relayState, response, false,null);
+ webRequestUtil.send(samlResponse, referrer, relayState, response, false,null);
}
catch (ParsingException e1)
{
@@ -461,6 +464,9 @@
if(this.signOutgoingMessages)
{
KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
+ if(keyProvider == null)
+ throw new LifecycleException("Key Provider is null for context=" + context.getName());
+
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -22,7 +22,6 @@
package org.jboss.identity.federation.bindings.tomcat.idp;
import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
@@ -35,16 +34,21 @@
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.JAXBException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactoryConfigurationError;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.jboss.identity.federation.bindings.config.IDPType;
import org.jboss.identity.federation.bindings.config.TrustType;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
@@ -56,11 +60,13 @@
import org.jboss.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.SPInfoHolder;
+import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
@@ -79,35 +85,29 @@
private boolean postProfile = false;
private IDPType idpConfiguration;
+ private TrustKeyManager keyManager;
- public IDPWebRequestUtil(HttpServletRequest request, IDPType idp)
+ public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager keym)
{
this.request = request;
this.idpConfiguration = idp;
- hasSAMLRequestInRedirectProfile();
- hasSAMLRequestInPostProfile();
+ this.keyManager = keym;
+ this.redirectProfile = "GET".equals(request.getMethod());
+ this.postProfile = "POST".equals(request.getMethod());
}
public boolean hasSAMLRequestInRedirectProfile()
{
- if("GET".equalsIgnoreCase(request.getMethod()))
- {
- redirectProfile = request.getParameter("SAMLRequest") != null;
- }
- return redirectProfile;
+ return redirectProfile;
}
public boolean hasSAMLRequestInPostProfile()
{
- if("POST".equalsIgnoreCase(request.getMethod()))
- {
- postProfile = request.getParameter("SAMLRequest") != null;
- }
return postProfile;
}
public RequestAbstractType getSAMLRequest(String samlMessage)
- throws ParsingException
+ throws ParsingException, IOException
{
InputStream is = null;
SAML2Request saml2Request = new SAML2Request();
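Review bot: hasSAMLRequestInRedirectProfile() and hasSAMLRequestInPostProfile() no longer look for the SAMLRequest parameter; they now report only the HTTP method set in the constructor, so their names promise more than they return and any caller relying on the old semantics (the valve in this commit used them) now gets true for every GET or POST. If the new meaning is intended, at least document it on both methods, e.g. `/** True when the request arrived via HTTP GET (HTTP-Redirect binding); does not check for a SAMLRequest parameter. */`; otherwise keep the parameter test in the constructor, `this.redirectProfile = "GET".equals(request.getMethod()) && request.getParameter("SAMLRequest") != null;`. getSAMLRequest() at the bottom of the hunk continues outside it.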
@@ -121,29 +121,20 @@
log.trace("SAMLRequest=" + new String(samlBytes));
is = new ByteArrayInputStream(samlBytes);
}
-
- try
- {
- return saml2Request.getRequestType(is);
- }
- catch (JAXBException e)
- {
- throw new ParsingException(e);
- }
- catch (SAXException e)
- {
- throw new ParsingException(e);
- }
+ return saml2Request.getRequestType(is);
}
- public ResponseType getResponse( String assertionConsumerURL,
+ public Document getResponse( String assertionConsumerURL,
Principal userPrincipal,
List<String> roles,
String identityURL,
- long assertionValidity)
+ long assertionValidity,
+ boolean supportSignature)
throws ConfigurationException, IssueInstantMissingException
{
+ Document samlResponseDocument = null;
+
log.trace("AssertionConsumerURL=" + assertionConsumerURL +
"::assertion validity=" + assertionValidity);
ResponseType responseType = null;
@@ -192,8 +183,31 @@
}
log.trace("Response="+sw.toString());
}
-
- return responseType;
+
+ log.trace("Support Sig=" + supportSignature + " ::Post Profile?=" + hasSAMLRequestInPostProfile());
+ if(supportSignature && hasSAMLRequestInPostProfile())
+ {
+ try
+ {
+ SAML2Signature saml2Signature = new SAML2Signature();
+ samlResponseDocument = saml2Signature.sign(responseType, keyManager.getSigningKeyPair());
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+ }
+ else
+ try
+ {
+ samlResponseDocument = saml2Response.convert(responseType);
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+
+ return samlResponseDocument;
}
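Review bot: The `catch (Exception e) { log.trace(e); }` around sign() and convert() swallows a signing failure (missing key pair, unusable key) at trace level and lets getResponse() return null, after which the caller's send() throws IllegalArgumentException("responseType is null") with no hint of the cause. A failure to sign an outgoing assertion should be visible: log it at error and propagate it, for example through the ConfigurationException the method already declares, rather than returning null. The same swallow appears in getErrorResponse() (the hunk ending at the `\ No newline` marker) and in getDestination(); fix all three the same way. getResponse() starts outside this hunk.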
@@ -239,48 +253,47 @@
/**
* Send a response
- * @param responseType
+ * @param responseDoc
* @param relayState
* @param response
* @throws IOException
* @throws GeneralSecurityException
*/
- public void send(ResponseType responseType, String relayState,
+ public void send(Document responseDoc, String destination,
+ String relayState,
Response response,
boolean supportSignature,
PrivateKey signingKey) throws IOException, GeneralSecurityException
{
- if(responseType == null)
- throw new IllegalArgumentException("reponseType is null");
+ if(responseDoc == null)
+ throw new IllegalArgumentException("responseType is null");
- SAML2Response saml2Response = new SAML2Response();
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ byte[] responseBytes = null;
try
{
- saml2Response.marshall(responseType, baos);
- }
- catch (SAXException e1)
+ responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+ }
+ catch (TransformerFactoryConfigurationError e)
{
- log.trace("Parsing Exception in sending response:",e1);
- throw new ParsingException("Parsing Exception in sending response:" , e1);
+ log.trace(e);
}
- catch (JAXBException e1)
+ catch (TransformerException e)
{
- log.trace("Parsing Exception in sending response:",e1);
- throw new ParsingException("Parsing Exception in sending response:" ,e1);
+ log.trace(e);
}
if(redirectProfile)
{
- String urlEncodedResponse = RedirectBindingUtil.deflateBase64URLEncode(baos.toByteArray());
-
- String destination = responseType.getDestination();
+ String urlEncodedResponse = RedirectBindingUtil.deflateBase64URLEncode(responseBytes);
+
log.trace("IDP:Destination=" + destination);
if(relayState != null && relayState.length() > 0)
relayState = RedirectBindingUtil.urlEncode(relayState);
- String finalDest = destination + getDestination(urlEncodedResponse, relayState);
+ String finalDest = destination + getDestination(urlEncodedResponse, relayState,
+ supportSignature);
+ log.trace("Redirecting to="+ finalDest);
HTTPRedirectUtil.sendRedirectForResponder(finalDest, response);
}
else
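Review bot: If getDocumentAsString() throws, the new catch blocks only trace the exception and leave `responseBytes` null, and execution falls through to `RedirectBindingUtil.deflateBase64URLEncode(responseBytes)` (and to `new String(responseBytes)` in the POST branch of the next hunk), which will NPE. Since send() already declares IOException, fail explicitly there: `throw new IOException("Unable to serialize the SAML response document", e);`. The method's POST branch continues in the following hunk.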
@@ -292,17 +305,11 @@
* created as part of the HTTP/POST binding
*/
response.recycle();
- String samlResponse = PostBindingUtil.base64Encode(baos.toString());
+
+ String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
- if(supportSignature)
- {
- //SigAlg
- String algo = signingKey.getAlgorithm();
- String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
-
- sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
- }
- PostBindingUtil.sendPost(new DestinationInfoHolder(responseType.getDestination(),
+
+ PostBindingUtil.sendPost(new DestinationInfoHolder(destination,
samlResponse, relayState), response, false);
}
}
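Review bot: `new String(responseBytes)` decodes with the platform default charset, but earlier in send() the bytes were produced with `getBytes("UTF-8")` (visible in the preceding hunk), so on a JVM whose default charset is not UTF-8 any non-ASCII content in the response is corrupted before it is base64-encoded. Use the matching charset, `String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes, "UTF-8"));`. The `supportSignature` flag is now unused in the POST branch, which may be fine if the POST profile signs the XML itself, but it is worth a one-line comment saying so.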
@@ -314,14 +321,32 @@
* @param urlEncodedRelayState
* @return
*/
- public String getDestination(String urlEncodedResponse, String urlEncodedRelayState)
+ public String getDestination(String urlEncodedResponse, String urlEncodedRelayState,
+ boolean supportSignature)
{
+ StringBuilder sb = new StringBuilder();
+ sb.append("?");
+
if(redirectProfile)
{
- StringBuilder sb = new StringBuilder();
- sb.append("?SAMLResponse=").append(urlEncodedResponse);
- if(urlEncodedRelayState != null && urlEncodedRelayState.length() > 0)
- sb.append("&RelayState=").append(urlEncodedRelayState);
+ if(supportSignature)
+ {
+ try
+ {
+ sb.append(RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(urlEncodedResponse,
+ urlEncodedRelayState, keyManager.getSigningKey()));
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+ }
+ else
+ {
+ sb.append("?SAMLResponse=").append(urlEncodedResponse);
+ if(urlEncodedRelayState != null && urlEncodedRelayState.length() > 0)
+ sb.append("&RelayState=").append(urlEncodedRelayState);
+ }
return sb.toString();
}
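Review bot: `sb.append("?")` at the top of getDestination() followed by `sb.append("?SAMLResponse=")` in the else branch yields a query string starting with `??SAMLResponse=` for the unsigned redirect. Assuming getSAMLResponseURLWithSignature() returns the query without a leading `?` (its source is not on the page), the else branch should append `sb.append("SAMLResponse=").append(urlEncodedResponse);`. Note also that when signing throws, the catch only traces and the method returns a bare `?`, so the IDP redirects to the SP with no SAMLResponse at all; that failure should propagate rather than degrade silently. The method continues outside the hunk.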
@@ -333,12 +358,14 @@
* @param responseURL
* @param status
* @param identityURL
+ * @param supportSignature
* @return
* @throws ConfigurationException
*/
- public ResponseType getErrorResponse(String responseURL, String status,
- String identityURL)
+ public Document getErrorResponse(String responseURL, String status,
+ String identityURL, boolean supportSignature)
{
+ Document samlResponse = null;
ResponseType responseType = null;
SAML2Response saml2Response = new SAML2Response();
@@ -365,7 +392,7 @@
responseType = saml2Response.createResponseType();
}
- log.debug("ResponseType = ");
+ log.debug("Error_ResponseType = ");
//Lets see how the response looks like
if(log.isTraceEnabled())
{
@@ -385,6 +412,34 @@
log.trace("Response="+sw.toString());
}
- return responseType;
+ if(supportSignature)
+ {
+ try
+ {
+ //SigAlg
+ String algo = keyManager.getSigningKey().getAlgorithm();
+ String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
+
+ sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
+
+ SAML2Signature ss = new SAML2Signature();
+ samlResponse = ss.sign(responseType, keyManager.getSigningKeyPair());
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+ }
+ else
+ try
+ {
+ samlResponse = saml2Response.convert(responseType);
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+
+ return samlResponse;
}
}
\ No newline at end of file
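Review bot: `algo` and `sigAlg` are computed and URL-encoded in the signing branch of getErrorResponse() but never used — `sigAlg` is assigned twice and read nowhere, so the lines from `String algo = ...` through `sigAlg = URLEncoder.encode(sigAlg, "UTF-8");` are dead code carried over from the redirect-binding path and should be removed (the URLEncoder call is also one reason the broad `catch (Exception e)` is needed). The `else try { ... }` without braces around the else is legal but easy to misread; brace it like the if branch.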
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -41,6 +41,7 @@
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.bindings.config.TrustType;
@@ -234,7 +235,14 @@
SAML2Response saml2Response = new SAML2Response();
ResponseType responseType = saml2Response.getResponseType(is);
-
+
+ SAMLDocumentHolder samlDocumentHolder = saml2Response.getSamlDocumentHolder();
+
+ boolean validSignature = this.verifySignature(samlDocumentHolder);
+
+ if(validSignature == false)
+ throw new IssuerNotTrustedException("Signature in saml document is invalid");
+
this.isTrusted(responseType.getIssuer().getValue());
List<Object> assertions = responseType.getAssertionOrEncryptedAssertion();
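Review bot: `if(validSignature == false)` is conventionally written `if(!validSignature)`. More importantly, the hook it calls is a security decision point whose base implementation (in the next hunk) returns true unconditionally, and nothing in the code says so; give it Javadoc such as `/** Verifies the signature on the SAML response. This authenticator performs no verification and accepts every response; subclasses that require signed responses must override this method. */` so a deployer does not mistake the base authenticator for one that checks signatures.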
@@ -252,4 +260,10 @@
}
return userPrincipal;
}
+
+ protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws IssuerNotTrustedException
+ {
+ //this authenticator does not deal with signatures.
+ return true;
+ }
}
\ No newline at end of file
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -23,19 +23,31 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.GeneralSecurityException;
+import java.security.PublicKey;
import javax.xml.bind.JAXBException;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignatureException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
+import org.jboss.identity.federation.api.util.XMLSignatureUtil;
import org.jboss.identity.federation.bindings.config.KeyProviderType;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyConfigurationException;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyProcessingException;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
@@ -102,4 +114,52 @@
PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage, relayState),
response, true);
}
+
+ @Override
+ protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws IssuerNotTrustedException
+ {
+ Document samlResponse = samlDocumentHolder.getSamlDocument();
+ ResponseType response = (ResponseType) samlDocumentHolder.getSamlObject();
+
+ String issuerID = response.getIssuer().getValue();
+
+ if(issuerID == null)
+ throw new IssuerNotTrustedException("Issue missing");
+
+ URL issuerURL;
+ try
+ {
+ issuerURL = new URL(issuerID);
+ }
+ catch (MalformedURLException e1)
+ {
+ throw new IssuerNotTrustedException(e1);
+ }
+
+ try
+ {
+ PublicKey publicKey = keyManager.getValidatingKey(issuerURL.getHost());
+ log.trace("Going to verify signature in the saml response from IDP");
+ boolean sigResult = XMLSignatureUtil.validate(samlResponse, publicKey);
+ log.trace("Signature verification="+sigResult);
+ return sigResult;
+ }
+ catch (TrustKeyConfigurationException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (TrustKeyProcessingException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (MarshalException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (XMLSignatureException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ return false;
+ }
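Review bot: `publicKey` is passed to XMLSignatureUtil.validate() without a null check, and KeyStoreKeyManager.getPublicKey() in this same commit now returns null for an unknown alias; if getValidatingKey() delegates to it (its body is not shown), an issuer host with no configured key reaches validate() with a null key instead of a clear refusal. Add `if(publicKey == null) throw new IssuerNotTrustedException("No validating key configured for issuer host=" + issuerURL.getHost());` before the validate call. Two smaller points: `response.getIssuer()` is dereferenced before the null test on its value, so a response without an Issuer element NPEs rather than being rejected, and the message `"Issue missing"` should read `"Issuer missing"`.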
}
\ No newline at end of file
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -30,6 +30,7 @@
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactoryConfigurationError;
+import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
@@ -69,9 +70,11 @@
public void start() throws LifecycleException
{
super.start();
+ Context context = (Context) getContainer();
+
KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
if(keyProvider == null)
- throw new LifecycleException("KeyProvider is null");
+ throw new LifecycleException("KeyProvider is null for context="+ context.getName());
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
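Review bot: The added `(Context) getContainer()` cast at the top of start() exists only to build the error message, and if the container is unset or not a Context the failure surfaces as a NullPointerException or ClassCastException instead of the intended LifecycleException. `Container` already declares `getName()`, so the cast and the new `org.apache.catalina.Context` import are unnecessary: `String name = getContainer() == null ? "<unset>" : getContainer().getName();` and then `throw new LifecycleException("KeyProvider is null for context=" + name);`. start() continues past the end of this hunk.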
Added: identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java (rev 0)
+++ identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -0,0 +1,74 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.identity.federation.api.saml.v2.common;
+
+import org.w3c.dom.Document;
+
+/**
+ * A Holder class that can store
+ * the SAML object as well as the corresponding
+ * DOM object.
+ * It is thread safe because each thread
+ * can have only one instance of this class
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Aug 13, 2009
+ */
+public class SAMLDocumentHolder
+{
+ private Object samlObject;
+ private Document samlDocument;
+
+ public SAMLDocumentHolder(Object samlObject)
+ {
+ this.samlObject = samlObject;
+ }
+
+ public SAMLDocumentHolder(Document samlDocument)
+ {
+ this.samlDocument = samlDocument;
+ }
+
+ public SAMLDocumentHolder(Object samlObject, Document samlDocument)
+ {
+ this.samlObject = samlObject;
+ this.samlDocument = samlDocument;
+ }
+ public Object getSamlObject()
+ {
+ return samlObject;
+ }
+
+ public void setSamlObject(Object samlObject)
+ {
+ this.samlObject = samlObject;
+ }
+
+ public Document getSamlDocument()
+ {
+ return samlDocument;
+ }
+
+ public void setSamlDocument(Document samlDocument)
+ {
+ this.samlDocument = samlDocument;
+ }
+}
\ No newline at end of file
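Review bot: The class Javadoc's thread-safety claim ("It is thread safe because each thread can have only one instance of this class") is not something the class guarantees: it has unsynchronized setters, holds a mutable DOM Document, and in this same commit SAML2Request and SAML2Response keep an instance as an ordinary field rather than per thread. Replace those two sentences with `Not thread-safe: the holder is mutable and unsynchronized; an instance must be confined to a single thread (or published safely) by its owner.` The getters should also say that the returned Document is the live parsed object, not a copy, so a caller must not modify it while a signature over it still has to be verified.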
Modified: identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -34,13 +34,16 @@
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.constants.JBossIdentityFederationConstants;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLAuthnRequestFactory;
import org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLBaseFactory;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.JAXBElementMappingUtil;
import org.jboss.identity.federation.core.saml.v2.util.XMLTimeUtil;
+import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
import org.jboss.identity.federation.saml.v2.profiles.xacml.protocol.XACMLAuthzDecisionQueryType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
@@ -58,6 +61,8 @@
*/
public class SAML2Request
{
+ private SAMLDocumentHolder samlDocumentHolder = null;
+
/**
* Create an authentication request
* @param id
@@ -101,7 +106,7 @@
*/
public Binder<Node> getBinder() throws JAXBException
{
- JAXBContext jaxb = JAXBContext.newInstance(RequestAbstractType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(RequestAbstractType.class);
return jaxb.createBinder();
}
@@ -111,19 +116,43 @@
* @return
* @throws SAXException
* @throws JAXBException
+ * @throws IOException
+ * @throws
* @throws IllegalArgumentException inputstream is null
*/
@SuppressWarnings("unchecked")
- public RequestAbstractType getRequestType(InputStream is) throws JAXBException, SAXException
+ public RequestAbstractType getRequestType(InputStream is) throws ParsingException, IOException
{
if(is == null)
- throw new IllegalStateException("InputStream is null");
- String key = JBossIdentityFederationConstants.JAXB_SCHEMA_VALIDATION;
- boolean validate = Boolean.parseBoolean(SecurityActions.getSystemProperty(key, "false"));
+ throw new IllegalStateException("InputStream is null");
- Unmarshaller un = JBossSAMLAuthnRequestFactory.getValidatingUnmarshaller(validate);
- JAXBElement<RequestAbstractType> jaxbAuthnRequestType = (JAXBElement<RequestAbstractType>) un.unmarshal(is);
- return jaxbAuthnRequestType.getValue();
+ Document samlDocument = null;
+ //First parse the Document
+ try
+ {
+ samlDocument = DocumentUtil.getDocument(is);
+ }
+ catch (ParserConfigurationException e)
+ {
+ throw new ParsingException(e);
+ }
+ catch (SAXException e)
+ {
+ throw new ParsingException(e);
+ }
+
+ try
+ {
+ Binder<Node> binder = getBinder();
+ JAXBElement<RequestAbstractType> jaxbAuthnRequestType = (JAXBElement<RequestAbstractType>) binder.unmarshal(samlDocument);
+ RequestAbstractType requestType = jaxbAuthnRequestType.getValue();
+ samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
+ return requestType;
+ }
+ catch (JAXBException e)
+ {
+ throw new ParsingException(e);
+ }
}
/**
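Review bot: The rewritten getRequestType no longer honours the `JBossIdentityFederationConstants.JAXB_SCHEMA_VALIDATION` switch: the removed lines selected a validating unmarshaller when that property was set, whereas `binder.unmarshal(samlDocument)` runs with no schema at all. Either keep the behaviour by reading the property as before and calling `binder.setSchema(schema)` when it is enabled, or state in the Javadoc that this method does not validate the request against the SAML schema. The Javadoc also has an empty `@throws` line that should be dropped, and the new `samlDocumentHolder` instance field makes a SAML2Request object stateful, so concurrent calls on a shared instance overwrite each other's holder (SAML2Response.getResponseType in this commit has the same shape) — worth a comment on the field. DocumentUtil.getDocument is not visible here; presumably it disables DTD and external-entity resolution for this untrusted input, but that is worth confirming since the parsed DOM is what the signature is later checked against.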
@@ -147,7 +176,17 @@
return jaxbAuthnRequestType.getValue();
}
+
/**
+ * Get the parsed {@code SAMLDocumentHolder}
+ * @return
+ */
+ public SAMLDocumentHolder getSamlDocumentHolder()
+ {
+ return samlDocumentHolder;
+ }
+
+ /**
* Create a Logout Request
* @param issuer
* @return
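Review bot: getSamlDocumentHolder returns null until getRequestType has run on the same instance, and the call sites this commit adds dereference the result directly (the first hunk on this page does `samlDocumentHolder.getSamlObject()`), so a wrong call order becomes a NullPointerException far from its cause. The getResponseDocument accessor this commit removes from SAML2Response guarded exactly this case with a ProcessingException; keep an equivalent guard here and in SAML2Response.getSamlDocumentHolder: `if (samlDocumentHolder == null) throw new IllegalStateException("No SAML document has been parsed on this instance");`. The empty `@return` tag should read `@return the holder for the document most recently parsed by getRequestType on this instance` so the coupling is documented.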
@@ -199,7 +238,7 @@
String xsProto = "org.jboss.identity.federation.saml.v2.profiles.xacml.protocol";
String path = samlPath + ":" + xacmlPath + ":" + xsAssert + ":" + xsProto;
- JAXBContext jaxb = JAXBContext.newInstance(path);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(path);
Unmarshaller un = jaxb.createUnmarshaller();
JAXBElement<RequestAbstractType> jaxbRequestType = (JAXBElement<RequestAbstractType>) un.unmarshal(is);
@@ -222,7 +261,7 @@
public Document convert(RequestAbstractType rat)
throws SAXException, IOException, JAXBException, ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(RequestAbstractType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(RequestAbstractType.class);
Binder<Node> binder = jaxb.createBinder();
Document doc = DocumentUtil.createDocument();
@@ -239,7 +278,7 @@
*/
public Document convert(ResponseType responseType) throws JAXBException, ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(ResponseType.class);
Binder<Node> binder = jaxb.createBinder();
Document doc = DocumentUtil.createDocument();
Modified: identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -35,12 +35,11 @@
import javax.xml.bind.Unmarshaller;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.Source;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.constants.JBossIdentityFederationConstants;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
-import org.jboss.identity.federation.core.exceptions.ProcessingException;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
@@ -53,6 +52,7 @@
import org.jboss.identity.federation.core.saml.v2.util.AssertionUtil;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.JAXBElementMappingUtil;
+import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
@@ -72,8 +72,8 @@
* @since Jan 5, 2009
*/
public class SAML2Response
-{
- private Document responseDocument = null;
+{
+ private SAMLDocumentHolder samlDocumentHolder = null;
/**
* Create an assertion
@@ -206,6 +206,15 @@
JAXBElement<AssertionType> jaxb = (JAXBElement<AssertionType>) un.unmarshal(is);
return jaxb.getValue();
}
+
+ /**
+ * Get the parsed {@code SAMLDocumentHolder}
+ * @return
+ */
+ public SAMLDocumentHolder getSamlDocumentHolder()
+ {
+ return samlDocumentHolder;
+ }
/**
* Read a ResponseType from an input stream
@@ -220,10 +229,11 @@
if(is == null)
throw new IllegalArgumentException("inputstream is null");
+ Document samlResponseDocument = null;
//Read the DOM
try
{
- responseDocument = DocumentUtil.getDocument(is);
+ samlResponseDocument = DocumentUtil.getDocument(is);
}
catch (ParserConfigurationException e)
{
@@ -237,38 +247,22 @@
{
throw new ParsingException(e);
}
-
- Source domSource = DocumentUtil.getXMLSource(responseDocument);
-
- Unmarshaller un;
try
{
- un = JBossSAMLAuthnResponseFactory.getUnmarshaller();
- JAXBElement<ResponseType> jaxbAuthnRequestType = (JAXBElement<ResponseType>) un.unmarshal(domSource);
- return jaxbAuthnRequestType.getValue();
+ Binder<Node> binder = getBinder();
+ JAXBElement<ResponseType> jaxbResponseType = (JAXBElement<ResponseType>) binder.unmarshal(samlResponseDocument);
+ ResponseType responseType = jaxbResponseType.getValue();
+ samlDocumentHolder = new SAMLDocumentHolder(responseType, samlResponseDocument);
+ return responseType;
}
catch (JAXBException e)
{
throw new ParsingException(e);
- }
- catch (SAXException e)
- {
- throw new ParsingException(e);
}
}
- /**
- * Return the Parsed Document
- * @return
- * @throws ProcessingException if there is no parsed DOM
- */
- public Document getResponseDocument() throws ProcessingException
- {
- if(responseDocument == null)
- throw new ProcessingException("Response Document is null");
- return responseDocument;
- }
+
/**
* Convert an EncryptedElement into a Document
* @param encryptedElementType
@@ -279,7 +273,7 @@
public Document convert(EncryptedElementType encryptedElementType)
throws JAXBException, ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(EncryptedElementType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(EncryptedElementType.class);
Binder<Node> binder = jaxb.createBinder();
Document doc = DocumentUtil.createDocument();
@@ -294,7 +288,7 @@
*/
public Binder<Node> getBinder() throws JAXBException
{
- JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(ResponseType.class);
return jaxb.createBinder();
}
@@ -307,10 +301,10 @@
*/
public Document convert(ResponseType responseType) throws JAXBException, ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(ResponseType.class);
Binder<Node> binder = jaxb.createBinder();
- responseDocument = DocumentUtil.createDocument();
+ Document responseDocument = DocumentUtil.createDocument();
binder.marshal(JAXBElementMappingUtil.get(responseType), responseDocument);
return responseDocument;
}
Modified: identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -76,6 +76,10 @@
public RequestSecurityTokenResponse issue(RequestSecurityToken request, Principal callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM Document");
+
SecurityTokenProvider provider = null;
// first try to obtain the security token provider using the applies-to contents.
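Review bot: The guard added at the top of issue() throws IllegalArgumentException from a method declared `throws WSTrustException`, so a caller that catches WSTrustException to build a fault response will not see this failure, and the same four lines are then repeated in renew(), validate() and cancel(), where `rstDocument` is never used afterwards. A single private helper that throws WSTrustException keeps the declared contract and removes the duplication; issue/renew/cancel would call it for its check only.

```java
   // at the top of issue(), renew(), validate() and cancel():
   requireRSTDocument(request);

   // … unchanged: existing method bodies …

   /** Ensures the original request DOM was retained; validate() needs it to locate the token to verify. */
   private static Document requireRSTDocument(RequestSecurityToken request) throws WSTrustException
   {
      Document rstDocument = request.getRSTDocument();
      if (rstDocument == null)
         throw new WSTrustException("Request does not contain the DOM Document");
      return rstDocument;
   }
```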
@@ -173,6 +177,10 @@
public RequestSecurityTokenResponse renew(RequestSecurityToken request, Principal callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM Document");
+
// TODO: implement renew logic.
throw new UnsupportedOperationException();
}
@@ -187,6 +195,10 @@
public RequestSecurityTokenResponse validate(RequestSecurityToken request, Principal callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM Document");
+
if (request.getValidateTarget() == null)
throw new WSTrustException("Unable to validate token: validate target is null");
@@ -205,7 +217,8 @@
KeyPair keyPair = this.configuration.getSTSKeyPair();
try
{
- Element tokenElement = (Element) request.getValidateTarget().getAny();
+ //Element tokenElement = (Element) request.getValidateTarget().getAny();
+ Element tokenElement = request.getValidateTargetElement();
Document tokenDocument = DocumentUtil.createDocument();
tokenDocument.appendChild(tokenDocument.importNode(tokenElement, true));
if (!XMLSignatureUtil.validate(tokenDocument, keyPair.getPublic()))
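Review bot: `request.getValidateTargetElement()` returns the `wst:ValidateTarget` element itself (its lookup in RequestSecurityToken is `getElementsByTagNameNS(ns, "ValidateTarget")`), whereas the line it replaces took `getValidateTarget().getAny()`, i.e. the token nested inside the target; `tokenDocument` therefore now has the wrapper as its root element rather than the signed token. Whether XMLSignatureUtil.validate still finds the signature and resolves its reference one level down is not visible here, so this path needs a test with a signed token, and if it fails the first element child of the target should be imported instead. getValidateTargetElement can also return null, so a null check before `importNode` would turn that case into the existing "validate target is null" WSTrustException rather than a NullPointerException. The commented-out predecessor line should be deleted rather than kept.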
@@ -251,8 +264,11 @@
public RequestSecurityTokenResponse cancel(RequestSecurityToken request, Principal callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM Document");
+
// TODO: implement cancel logic.
throw new UnsupportedOperationException();
}
-
-}
+}
\ No newline at end of file
Modified: identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -21,6 +21,7 @@
*/
package org.jboss.identity.federation.api.wstrust;
+import javax.xml.bind.Binder;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
@@ -28,6 +29,8 @@
import javax.xml.transform.Source;
import javax.xml.transform.dom.DOMSource;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.core.wstrust.BaseRequestSecurityToken;
@@ -57,8 +60,12 @@
private Marshaller marshaller;
private Unmarshaller unmarshaller;
+
+ private Binder<Node> binder;
private final ObjectFactory objectFactory;
+
+ private ThreadLocal<SAMLDocumentHolder> holders = new ThreadLocal<SAMLDocumentHolder>();
/**
* <p>
@@ -71,6 +78,7 @@
{
this.marshaller = JAXBUtil.getMarshaller(this.getPackages());
this.unmarshaller = JAXBUtil.getUnmarshaller(this.getPackages());
+ this.binder = JAXBUtil.getJAXBContext(this.getPackages()).createBinder();
this.objectFactory = new ObjectFactory();
}
catch (JAXBException e)
@@ -112,14 +120,32 @@
* @return the constructed {@code BaseRequestSecurityToken} instance. It will be an instance of {@code
* RequestSecurityToken} the message contains a single token request, and an instance of {@code
* RequestSecurityTokenCollection} if multiples requests are being made in the same message.
+ * @throws ParsingException
*/
- public BaseRequestSecurityToken parseRequestSecurityToken(Source request)
+ @SuppressWarnings("unchecked")
+ public BaseRequestSecurityToken parseRequestSecurityToken(Source request) throws ParsingException
{
// if the request contains a validate, cancel, or renew target, we must preserve it from JAXB unmarshalling.
Node documentNode = ((DOMSource) request).getNode();
Document document = documentNode instanceof Document ? (Document) documentNode : documentNode.getOwnerDocument();
- Element targetElement = this.getValidateOrRenewOrCancelTarget(document);
+
+ JAXBElement<RequestSecurityTokenType> jaxbRST;
+ try
+ {
+ jaxbRST = (JAXBElement<RequestSecurityTokenType>) binder.unmarshal(document);
+ RequestSecurityTokenType rstt = jaxbRST.getValue();
+ holders.set(new SAMLDocumentHolder(rstt, document));
+ return new RequestSecurityToken(rstt);
+ }
+ catch (JAXBException e)
+ {
+ throw new ParsingException(e);
+ }
+
+
+ /*Element targetElement = this.getValidateOrRenewOrCancelTarget(document);
+
try
{
Object object = this.unmarshaller.unmarshal(request);
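Review bot: parseRequestSecurityToken now unmarshals through the `binder` field created once in the constructor, but a JAXB Binder keeps per-instance XML/object association state and wraps an Unmarshaller that is not thread-safe, so if this factory is shared across request threads (the ThreadLocal `holders` added alongside suggests it is) concurrent calls can corrupt each other — create the Binder per call from the cached JAXBContext instead. The ThreadLocal is set only on success and never cleared, so after a failed parse `getSAMLDocumentHolderOnThread()` still returns the previous request's document on that pooled thread; call `holders.remove()` before unmarshalling. The two-argument `RequestSecurityToken(rstt, document)` constructor added in this commit is not used here, so `getRSTDocument()` on the returned object stays null unless something else sets it. The commented-out blocks (this one and the commented-out getValidateOrRenewOrCancelTarget further down, whose Javadoc is now orphaned) should be removed along with the now-stale comment about preserving the validate/renew/cancel target; the repository keeps the history.

```java
      holders.remove(); // never leave a previous request's holder visible if this parse fails
      JAXBElement<RequestSecurityTokenType> jaxbRST;
      try
      {
         // a Binder is not safe to share across threads; build one per call from the cached context
         Binder<Node> localBinder = JAXBUtil.getJAXBContext(this.getPackages()).createBinder();
         jaxbRST = (JAXBElement<RequestSecurityTokenType>) localBinder.unmarshal(document);
         RequestSecurityTokenType rstt = jaxbRST.getValue();
         holders.set(new SAMLDocumentHolder(rstt, document));
         return new RequestSecurityToken(rstt, document);
      }
      // … unchanged: JAXBException → ParsingException …
```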
@@ -151,7 +177,7 @@
catch (Exception e)
{
throw new RuntimeException("Failed to unmarshall security token request", e);
- }
+ }*/
}
/**
@@ -308,6 +334,15 @@
}
return DocumentUtil.getXMLSource(result);
}
+
+ /**
+ * Return the {@code SAMLDocumentHolder} for the thread
+ * @return
+ */
+ public SAMLDocumentHolder getSAMLDocumentHolderOnThread()
+ {
+ return holders.get();
+ }
/**
* <p>
@@ -342,7 +377,7 @@
* the {@code Document} upon which the search is to be made.
* @return an {@code Element} representing the validate, renew, or cancel target.
*/
- private Element getValidateOrRenewOrCancelTarget(Document document)
+ /*private Element getValidateOrRenewOrCancelTarget(Document document)
{
Node target = this.findNodeByNameNS(document, "ValidateTarget", WSTrustConstants.BASE_NAMESPACE);
if (target != null)
@@ -354,5 +389,5 @@
if (target != null)
return (Element) target.getFirstChild();
return null;
- }
+ }*/
}
\ No newline at end of file
Modified: identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -22,6 +22,7 @@
package org.jboss.identity.federation.core.util;
import java.net.URL;
+import java.util.HashMap;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
@@ -46,7 +47,14 @@
public static final String W3C_XML_SCHEMA_NS_URI = "http://www.w3.org/2001/XMLSchema";
-
+ private static HashMap<String,JAXBContext> jaxbContextHash = new HashMap<String, JAXBContext>();
+
+ static
+ {
+ //Useful on Sun VMs. Harmless on other VMs.
+ SecurityActions.setSystemProperty("com.sun.xml.bind.v2.runtime.JAXBContextImpl.fastBoot", "true");
+ }
+
/**
* Get the JAXB Marshaller
* @param pkgName The package name for the jaxb context
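Review bot: `jaxbContextHash` is a plain static HashMap that the two new getJAXBContext overloads read and write without synchronization, and since getMarshaller and getUnmarshaller now route through it every caller in the process shares it, so the first concurrent use of two contexts races on the map (a resize during a concurrent `get` can leave the table inconsistent). Declare it `private static final Map<String, JAXBContext> jaxbContextHash = new ConcurrentHashMap<String, JAXBContext>();` (import `java.util.Map` and `java.util.concurrent.ConcurrentHashMap`); the existing get-then-put in the getters can stay, as the worst case is two threads each building the same context once. The static initializer sets a JVM-wide system property from a library class; a comment such as `// performance hint for the reference JAXB implementation; not required for correctness` would stop it being mistaken for a required setting.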
@@ -78,7 +86,7 @@
if(pkgName == null)
throw new IllegalArgumentException("pkgName is null");
- JAXBContext jc = JAXBContext.newInstance(pkgName);
+ JAXBContext jc = getJAXBContext(pkgName);
Marshaller marshaller = jc.createMarshaller();
marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.FALSE); //Breaks signatures
@@ -95,7 +103,7 @@
{
if(pkgName == null)
throw new IllegalArgumentException("pkgName is null");
- JAXBContext jc = JAXBContext.newInstance(pkgName);
+ JAXBContext jc = getJAXBContext(pkgName);
return jc.createUnmarshaller();
}
@@ -170,4 +178,28 @@
Schema schema = scFact.newSchema(schemaURL);
return schema;
}
+
+ public static JAXBContext getJAXBContext(String path) throws JAXBException
+ {
+ JAXBContext jx = jaxbContextHash.get(path);
+ if(jx == null)
+ {
+ jx = JAXBContext.newInstance(path);
+ jaxbContextHash.put(path, jx);
+ }
+ return jx;
+ }
+
+ public static JAXBContext getJAXBContext(Class<?> clazz) throws JAXBException
+ {
+ String clazzName = clazz.getName();
+
+ JAXBContext jx = jaxbContextHash.get(clazzName);
+ if(jx == null)
+ {
+ jx = JAXBContext.newInstance(clazz);
+ jaxbContextHash.put(clazzName, jx);
+ }
+ return jx;
+ }
}
\ No newline at end of file
Modified: identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java 2009-08-11 21:17:11 UTC (rev 692)
+++ identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java 2009-08-14 00:20:17 UTC (rev 693)
@@ -49,6 +49,9 @@
import org.jboss.identity.federation.ws.trust.RequestSecurityTokenType;
import org.jboss.identity.federation.ws.trust.UseKeyType;
import org.jboss.identity.federation.ws.trust.ValidateTargetType;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
/**
* <p>
@@ -160,6 +163,8 @@
private final ObjectFactory factory = new ObjectFactory();
+ private Document rstDocument;
+
/**
* <p>
* Creates an instance of {@code RequestSecurityToken}.
@@ -260,6 +265,17 @@
}
}
}
+
+ /**
+ * Creates an instance of {@code RequestSecurityTokenType} and {@code Document}
+ * @param delegate
+ * @param rstDocument
+ */
+ public RequestSecurityToken(RequestSecurityTokenType delegate, Document rstDocument)
+ {
+ this(delegate);
+ this.rstDocument = rstDocument;
+ }
/**
* <p>
@@ -1034,6 +1050,26 @@
{
return this.validateTarget;
}
+
+ /**
+ * Return the element in the document that represents
+ * the validate type
+ * @return
+ */
+ public Element getValidateTargetElement()
+ {
+ if(rstDocument == null)
+ throw new IllegalStateException("RST Document is null");
+
+ String ns = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
+ String localPart = "ValidateTarget";
+
+ NodeList nodeList = rstDocument.getElementsByTagNameNS(ns,localPart);
+ if(nodeList != null && nodeList.getLength() > 0)
+ return (Element) nodeList.item(0);
+ else
+ return null;
+ }
/**
* <p>
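Review bot: getValidateTargetElement hard-codes the ws-trust namespace URI while the code this commit comments out in WSTrustJAXBFactory looked the same element up with `WSTrustConstants.BASE_NAMESPACE`; if that constant is the same URI, use it so the two cannot drift. `getElementsByTagNameNS` never returns null, so the `nodeList != null` test can go: `NodeList nodeList = rstDocument.getElementsByTagNameNS(WSTrustConstants.BASE_NAMESPACE, "ValidateTarget"); return nodeList.getLength() > 0 ? (Element) nodeList.item(0) : null;`. The Javadoc should say that this is the `ValidateTarget` wrapper element from the original, unmodified request DOM (not the token inside it), that null is returned when the document has none, and that with several such elements the first in document order is used; the empty `@return` tag should be filled accordingly.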
@@ -1086,4 +1122,18 @@
{
return this.delegate;
}
-}
+
+ /**
+ * Get the {@code Document} document representing the request
+ * @return
+ */
+ public Document getRSTDocument()
+ {
+ return this.rstDocument;
+ }
+
+ public void setRSTDocument(Document rstDocument)
+ {
+ this.rstDocument = rstDocument;
+ }
+}
\ No newline at end of file
JBoss Identity SVN: r692 - in identity-federation/trunk: jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp and 2 other directories.
by jboss-identity-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2009-08-11 17:17:11 -0400 (Tue, 11 Aug 2009)
New Revision: 692
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/PostBindingUtil.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/RedirectBindingSignatureUtil.java
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java
Log:
JBID-162: fix the saml post binding signature
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -53,7 +53,6 @@
import org.jboss.identity.federation.core.exceptions.ProcessingException;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
-import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.core.util.XMLEncryptionUtil;
import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
@@ -137,20 +136,6 @@
if(sigValue == null)
return false;
- //Construct the url again
- String reqFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "SAMLRequest");
- String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "RelayState");
- String sigAlgFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "SigAlg");
-
- StringBuilder sb = new StringBuilder();
- sb.append("SAMLRequest=").append(reqFromURL);
-
- if(relayStateFromURL != null && relayStateFromURL.length() > 0)
- {
- sb.append("&RelayState=").append(relayStateFromURL);
- }
- sb.append("&SigAlg=").append(sigAlgFromURL);
-
PublicKey validatingKey;
try
{
@@ -164,8 +149,8 @@
{
throw new GeneralSecurityException(e.getCause());
}
- boolean isValid = SignatureUtil.validate(sb.toString().getBytes("UTF-8"), sigValue, validatingKey);
- return isValid;
+
+ return RedirectBindingSignatureUtil.validateSignature(queryString, validatingKey, sigValue);
}
@Override
@@ -231,8 +216,7 @@
}
catch (MalformedURLException e)
{
- // TODO Auto-generated catch block
- e.printStackTrace();
+ throw new ParsingException(e);
}
catch (JAXBException e)
{
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -25,6 +25,7 @@
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Principal;
+import java.security.PublicKey;
import java.util.List;
import javax.servlet.ServletException;
@@ -43,9 +44,11 @@
import org.jboss.identity.federation.bindings.config.IDPType;
import org.jboss.identity.federation.bindings.config.KeyProviderType;
import org.jboss.identity.federation.bindings.interfaces.RoleGenerator;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyConfigurationException;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyProcessingException;
import org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator;
-import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
@@ -58,6 +61,10 @@
/**
* Generic Web Browser SSO valve for the IDP
+ *
+ * Handles both the SAML Redirect as well as Post Bindings
+ *
+ * Note: Most of the work is done by {@code IDPWebRequestUtil}
* @author Anil.Saldhana(a)redhat.com
* @since May 18, 2009
*/
@@ -205,8 +212,10 @@
try
{
requestAbstractType = webRequestUtil.getSAMLRequest(samlMessage);
+ boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
boolean isValid = validate(request.getRemoteAddr(),
- new SessionHolder(samlMessage, signature, sigAlg));
+ request.getQueryString(),
+ new SessionHolder(samlMessage, signature, sigAlg), isPost);
if(!isValid)
throw new GeneralSecurityException("Validation check failed");
@@ -327,14 +336,15 @@
}
protected boolean validate(String remoteAddress,
- SessionHolder holder) throws IOException, GeneralSecurityException
+ String queryString,
+ SessionHolder holder, boolean isPost) throws IOException, GeneralSecurityException
{
if (holder.samlRequest == null || holder.samlRequest.length() == 0)
{
return false;
}
- if (!this.ignoreIncomingSignatures)
+ if (!this.ignoreIncomingSignatures && !isPost)
{
String sig = holder.signature;
if (sig == null || sig.length() == 0)
@@ -342,12 +352,31 @@
log.error("Signature received from SP is null:" + remoteAddress);
return false;
}
-
- return PostBindingUtil.validateSignature(holder.samlRequest.getBytes("UTF-8"), sig, keyManager
- .getValidatingKey(remoteAddress));
+
+ //Check if there is a signature
+ byte[] sigValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
+ if(sigValue == null)
+ return false;
+
+ PublicKey validatingKey;
+ try
+ {
+ validatingKey = keyManager.getValidatingKey(remoteAddress);
+ }
+ catch (TrustKeyConfigurationException e)
+ {
+ throw new GeneralSecurityException(e.getCause());
+ }
+ catch (TrustKeyProcessingException e)
+ {
+ throw new GeneralSecurityException(e.getCause());
+ }
+
+ return RedirectBindingSignatureUtil.validateSignature(queryString, validatingKey, sigValue);
}
else
{
+ //Post binding no signature verification. The SAML message signature is verified
return true;
}
}
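Review bot: Both catch blocks rethrow `new GeneralSecurityException(e.getCause())`, which discards the TrustKey exception itself and, when its cause is null, yields an exception with neither message nor cause, so a failed key lookup cannot be diagnosed from the log. Pass the exception as the cause instead: `throw new GeneralSecurityException("Cannot obtain validating key for " + remoteAddress, e);` (the two catches can be merged since they do the same thing). Separately, `keyManager.getValidatingKey(remoteAddress)` selects the trust key by client IP, which is shared behind proxies and trivially chosen by the sender on the redirect binding; if the key manager can key on the SAML Issuer instead, that is the attribute the signature actually vouches for.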
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -56,7 +56,6 @@
import org.jboss.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.SPInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.holders.SignatureInfoHolder;
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
@@ -294,21 +293,17 @@
*/
response.recycle();
String samlResponse = PostBindingUtil.base64Encode(baos.toString());
-
- SignatureInfoHolder signatureHolder = null;
+
if(supportSignature)
{
//SigAlg
String algo = signingKey.getAlgorithm();
String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
- sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
-
- byte[] signedValue = SignatureUtil.sign(samlResponse, signingKey);
- signatureHolder = new SignatureInfoHolder(signedValue,sigAlg);
+ sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
}
PostBindingUtil.sendPost(new DestinationInfoHolder(responseType.getDestination(),
- samlResponse, relayState), signatureHolder, response, false);
+ samlResponse, relayState), response, false);
}
}
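Review bot: Inside `if(supportSignature)` the hunk still computes and URL-encodes `sigAlg` but never uses it, because the `SignatureUtil.sign` call and the SignatureInfoHolder were removed, so `supportSignature` no longer has any effect on the POST response. Either delete the block, or replace it with whatever signs the response now (presumably an XML signature on the ResponseType before it is serialized) and add a comment saying so; as written a reader will assume the response is signed when it is not. The enclosing method starts outside the hunk.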
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -154,7 +154,7 @@
String samlMessage = PostBindingUtil.base64Encode(baos.toString());
String destination = authnRequest.getDestination();
PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage, relayState),
- null,response, true);
+ response, true);
}
protected AuthnRequestType createSAMLRequestMessage(String relayState, Response response)
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -23,14 +23,11 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
-import java.net.URLEncoder;
import java.security.GeneralSecurityException;
-import java.security.PrivateKey;
import javax.xml.bind.JAXBException;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
@@ -38,8 +35,6 @@
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.holders.SignatureInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.xml.sax.SAXException;
@@ -54,7 +49,19 @@
private static Logger log = Logger.getLogger(SPPostSignatureFormAuthenticator.class);
private TrustKeyManager keyManager;
+
+ private boolean signAssertions = false;
+
+ public boolean isSignAssertions()
+ {
+ return signAssertions;
+ }
+ public void setSignAssertions(boolean signAssertions)
+ {
+ this.signAssertions = signAssertions;
+ }
+
@Override
public void start() throws LifecycleException
{
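Review bot: The new `signAssertions` property has no Javadoc and nothing in the visible hunks reads it, so its meaning is unclear: an SP does not issue assertions, so the name could mean "require signed assertions from the IDP" or something else entirely. Add a one-line Javadoc on the setter saying what reads the flag and what changes when it is set, and either wire it up in this commit or leave a `// TODO` naming the follow-up, so the property is not silently ignored by a deployer who sets it.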
@@ -92,45 +99,7 @@
String samlMessage = PostBindingUtil.base64Encode(baos.toString());
String destination = authnRequest.getDestination();
- //Get the signing key
- PrivateKey signingKey = keyManager.getSigningKey();
-
- //SigAlg
- String algo = signingKey.getAlgorithm();
- String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
-
- sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
-
- byte[] signedValue = SignatureUtil.sign(samlMessage, signingKey);
-
PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage, relayState),
- new SignatureInfoHolder(signedValue,sigAlg),response, true);
- }
-
- @Override
- protected boolean validate(Request request) throws IOException, GeneralSecurityException
- {
- boolean result = super.validate(request);
- if( result == false)
- return result;
-
- String samlMessage = request.getParameter("SAMLResponse");
-
- //Check if there is a signature
- String sig = request.getParameter("Signature");
- if(sig == null || sig.length() == 0)
- {
- log.error("Signature Value missing in response from IDP");
- return false;
- }
- String sigAlg = request.getParameter("sigAlg");
- if(sigAlg == null || sigAlg.length() == 0)
- {
- log.error("Signature Algorithm missing in the response from IDP");
- return false;
- }
-
- return PostBindingUtil.validateSignature(samlMessage.getBytes("UTF-8"), sig,
- keyManager.getValidatingKey(request.getRemoteAddr()));
- }
+ response, true);
+ }
}
\ No newline at end of file
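Review bot: Removing the `validate(Request)` override deletes the only check this authenticator made of the IDP response against `keyManager.getValidatingKey(...)`, and nothing in the commit puts a replacement in this class, so SPPostSignatureFormAuthenticator now verifies no more than its superclass does. If the intent is that the XML signature on the SAMLResponse is checked in SPPostFormAuthenticator, say so in the class Javadoc (`Signs outgoing requests only; the IDP response is verified by the superclass`), and if the superclass does not do that yet this is a silent downgrade of the "Signature" variant. `keyManager` is also unused in the visible hunks after this change.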
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/PostBindingUtil.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/PostBindingUtil.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/PostBindingUtil.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -23,16 +23,12 @@
import java.io.IOException;
import java.io.PrintWriter;
-import java.security.GeneralSecurityException;
-import java.security.PublicKey;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.util.Base64;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.holders.SignatureInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
/**
* Utility for the HTTP/Post binding
@@ -62,7 +58,6 @@
* @throws IOException
*/
public static void sendPost(DestinationInfoHolder holder,
- SignatureInfoHolder sigHolder,
HttpServletResponse response,
boolean sendToIDP)
throws IOException
@@ -95,16 +90,7 @@
{
builder.append("<INPUT TYPE=\"HIDDEN\" NAME=\"RelayState\" " +
"VALUE=\"" + relayState + "\"/>");
- }
- if(sigHolder != null)
- {
- byte[] sigValue = sigHolder.getSignatureValue();
-
- builder.append("<INPUT TYPE=\"HIDDEN\" NAME=\"Signature\" " +
- "VALUE=\"" + Base64.encodeBytes(sigValue, Base64.DONT_BREAK_LINES) + "\"/>");
- builder.append("<INPUT TYPE=\"HIDDEN\" NAME=\"sigAlg\" " +
- "VALUE=\"" + sigHolder.getSigAlg() + "\"/>");
- }
+ }
builder.append("</FORM></BODY></HTML>");
String str = builder.toString();
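Review bot: `relayState` is written straight into the hidden input's VALUE attribute (context lines of this hunk, `"VALUE=\"" + relayState + "\"/>"`), and RelayState is echoed from the peer's request, so a value containing `"` or `<` breaks out of the attribute and injects markup into the auto-submit page served to the user's browser. This predates the commit, but since the method is being reshaped anyway: HTML-escape at least `&`, `<`, `>` and `"` in `relayState` before appending it (the Base64 `samlMessage` is safe as is). The method's opening lines are outside this hunk.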
@@ -113,23 +99,6 @@
out.close();
}
- public static boolean validateSignature(byte[] message, String base64encodedSigValue, PublicKey validatingKey)
- throws GeneralSecurityException
- {
- byte[] sigValue = null;
- if(base64encodedSigValue != null && base64encodedSigValue.length() > 0)
- {
- sigValue = Base64.decode(base64encodedSigValue);
- }
-
- if(sigValue == null)
- {
- log.error("Signature missing");
- return false;
- }
- return SignatureUtil.validate(message, sigValue, validatingKey);
- }
-
private static void common(String destination, HttpServletResponse response)
{
response.setCharacterEncoding("UTF-8");
Modified: identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/RedirectBindingSignatureUtil.java
===================================================================
--- identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/RedirectBindingSignatureUtil.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/RedirectBindingSignatureUtil.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -23,9 +23,11 @@
import java.io.IOException;
import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
+import java.security.PublicKey;
import javax.xml.bind.JAXBException;
import javax.xml.parsers.ParserConfigurationException;
@@ -217,6 +219,27 @@
return getTokenValue(getToken(queryString, token));
}
+ public static boolean validateSignature(String queryString,
+ PublicKey validatingKey, byte[] sigValue ) throws UnsupportedEncodingException, GeneralSecurityException
+ {
+ //Construct the url again
+ String reqFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "SAMLRequest");
+ String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "RelayState");
+ String sigAlgFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "SigAlg");
+
+ StringBuilder sb = new StringBuilder();
+ sb.append("SAMLRequest=").append(reqFromURL);
+
+ if(relayStateFromURL != null && relayStateFromURL.length() > 0)
+ {
+ sb.append("&RelayState=").append(relayStateFromURL);
+ }
+ sb.append("&SigAlg=").append(sigAlgFromURL);
+
+
+ return SignatureUtil.validate(sb.toString().getBytes("UTF-8"), sigValue, validatingKey);
+ }
+
//***************** Private Methods **************
private static byte[] computeSignature(
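Review bot: `validateSignature` reconstructs the signed string from a hard-coded `SAMLRequest` parameter, but SamlAuthenticationFilter in this same commit calls it to verify an IDP response, whose query parameter is `SAMLResponse`; assuming `getTokenValue` returns null for an absent parameter (as the RelayState check here implies), the signed string becomes `SAMLRequest=null&...` and every redirect-bound response fails verification. The same literal `null` is appended for a missing `SigAlg`. The method should use whichever message parameter is present and refuse to verify when the message, SigAlg or signature is missing, keeping the `SAMLRequest|SAMLResponse=..&RelayState=..&SigAlg=..` order. `sigAlgFromURL` is also never used to choose the algorithm, so please confirm that `SignatureUtil.validate` pins the algorithm to the key type rather than trusting the URL.
```java
public static boolean validateSignature(String queryString,
      PublicKey validatingKey, byte[] sigValue ) throws UnsupportedEncodingException, GeneralSecurityException
{
   String paramName = "SAMLRequest";
   String msgFromURL = getTokenValue(queryString, paramName);
   if(msgFromURL == null)
   {
      paramName = "SAMLResponse";
      msgFromURL = getTokenValue(queryString, paramName);
   }
   String relayStateFromURL = getTokenValue(queryString, "RelayState");
   String sigAlgFromURL = getTokenValue(queryString, "SigAlg");
   if(msgFromURL == null || sigAlgFromURL == null || sigValue == null)
      return false;

   StringBuilder sb = new StringBuilder();
   sb.append(paramName).append('=').append(msgFromURL);
   // … unchanged: optional &RelayState=, then &SigAlg= and SignatureUtil.validate …
}
```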
Modified: identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java
===================================================================
--- identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java 2009-08-10 19:39:12 UTC (rev 691)
+++ identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java 2009-08-11 21:17:11 UTC (rev 692)
@@ -57,6 +57,7 @@
import org.jboss.identity.federation.bindings.tomcat.sp.SPUtil;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
@@ -110,6 +111,7 @@
* </dl>
*
* @author Marcel Kolsteren
+ * @author Anil Saldhana
*/
@Scope(APPLICATION)
@Name("org.jboss.identity.seam.federation.samlAuthenticationFilter")
@@ -170,7 +172,7 @@
{
// Received an authentication response from the IDP.
- AuthenticatedUser user = processIDPResponse(request);
+ AuthenticatedUser user = processIDPResponse((HttpServletRequest) request);
if (user != null)
{
// Login the user. This ends with a redirect to the URL that was requested by the user.
@@ -235,7 +237,7 @@
}.run();
}
- private AuthenticatedUser processIDPResponse(ServletRequest request)
+ private AuthenticatedUser processIDPResponse(HttpServletRequest request)
{
String samlResponse = request.getParameter("SAMLResponse");
@@ -378,10 +380,8 @@
return user;
}
- private boolean validateSignature(ServletRequest request)
- {
- String samlMessage = request.getParameter("SAMLResponse");
-
+ private boolean validateSignature(HttpServletRequest request)
+ {
// Check if there is a signature
String signature = request.getParameter("Signature");
if (signature == null || signature.length() == 0)
@@ -398,7 +398,14 @@
try
{
- return PostBindingUtil.validateSignature(samlMessage.getBytes("UTF-8"), signature, publicKeyOfIDP);
+ if("GET".equalsIgnoreCase(request.getMethod()))
+ {
+ String queryString = request.getQueryString();
+ byte[] sigValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
+
+ return RedirectBindingSignatureUtil.validateSignature(queryString, this.publicKeyOfIDP, sigValue);
+ }
+ return true;
}
catch (UnsupportedEncodingException e)
{
@@ -408,6 +415,10 @@
{
throw new RuntimeException(e);
}
+ catch (IOException e)
+ {
+ throw new RuntimeException(e);
+ }
}
private PublicKey getPublicKeyOfIDP()
@@ -471,7 +482,7 @@
{
DestinationInfoHolder destinationInfoHolder = new DestinationInfoHolder(destination, samlMessage, Integer
.toString(relayState));
- PostBindingUtil.sendPost(destinationInfoHolder, null, response, true);
+ PostBindingUtil.sendPost(destinationInfoHolder, response, true);
}
}
catch (ConfigurationException e)
JBoss Identity SVN: r691 - identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants.
by jboss-identity-commits@lists.jboss.org
Author: marcelkolsteren
Date: 2009-08-10 15:39:12 -0400 (Mon, 10 Aug 2009)
New Revision: 691
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLConstants.java
Log:
JBID-163: fill ProtocolBinding attribute of AuthnRequest messages (2nd part)
Modified: identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLConstants.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLConstants.java 2009-08-10 19:34:09 UTC (rev 690)
+++ identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLConstants.java 2009-08-10 19:39:12 UTC (rev 691)
@@ -32,7 +32,8 @@
METADATA_MIME("application/samlmetadata+xml"),
SIGNATURE_SHA1_WITH_DSA("SHA1withDSA"),
SIGNATURE_SHA1_WITH_RSA("SHA1withRSA"),
- VERSION_2_0("2.0");
+ VERSION_2_0("2.0"),
+ HTTP_POST_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
private String val;
JBoss Identity SVN: r690 - identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories.
by jboss-identity-commits@lists.jboss.org
Author: marcelkolsteren
Date: 2009-08-10 15:34:09 -0400 (Mon, 10 Aug 2009)
New Revision: 690
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnRequestFactory.java
Log:
JBID-163: fill ProtocolBinding attribute of AuthnRequest messages
Modified: identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnRequestFactory.java
===================================================================
--- identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnRequestFactory.java 2009-08-10 13:32:36 UTC (rev 689)
+++ identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnRequestFactory.java 2009-08-10 19:34:09 UTC (rev 690)
@@ -72,6 +72,7 @@
authnRequest.setID(id);
authnRequest.setVersion(JBossSAMLConstants.VERSION_2_0.get());
authnRequest.setAssertionConsumerServiceURL(assertionConsumerURL);
+ authnRequest.setProtocolBinding(JBossSAMLConstants.HTTP_POST_BINDING.get());
authnRequest.setDestination(destination);
authnRequest.setIssueInstant(issueInstant);
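Review bot: `setProtocolBinding(HTTP_POST_BINDING)` is hard-coded in the factory, so every AuthnRequest now asks the IDP to deliver its response by POST regardless of how the calling SP is configured; the Seam filter changed in rev 692 still accepts redirect-bound (GET) responses, which suggests some deployments rely on the other binding. Consider taking the binding as a parameter of this factory method (defaulting to POST so existing callers keep working) or at least stating the assumption in its Javadoc. The method body continues outside the hunk.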
JBoss Identity SVN: r689 - in idm/trunk/idm-testsuite: src/test/java/org/jboss/identity/idm/impl and 1 other directories.
by jboss-identity-commits@lists.jboss.org
Author: bdaw
Date: 2009-08-10 09:32:36 -0400 (Mon, 10 Aug 2009)
New Revision: 689
Added:
idm/trunk/idm-testsuite/src/test/resources/dev44-msad.truststore
Modified:
idm/trunk/idm-testsuite/pom.xml
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java
idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad.xml
Log:
some hacks for hudson setup
Modified: idm/trunk/idm-testsuite/pom.xml
===================================================================
--- idm/trunk/idm-testsuite/pom.xml 2009-08-10 12:08:19 UTC (rev 688)
+++ idm/trunk/idm-testsuite/pom.xml 2009-08-10 13:32:36 UTC (rev 689)
@@ -181,6 +181,14 @@
<name>directoryName</name>
<value>${directoryName}</value>
</property>
+ <property>
+ <name>trustStorePath</name>
+ <value>${trustStorePath}</value>
+ </property>
+ <property>
+ <name>trustStorePassword</name>
+ <value>${trustStorePassword}</value>
+ </property>
</systemProperties>
</configuration>
</plugin>
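Review bot: `trustStorePassword` is passed to the test JVM as a system property, which, depending on the surefire fork configuration, can end up on the forked JVM's command line where any user on the build host can read it from the process list, and it is commonly echoed in the build log. The exposure is small for a test truststore (its password protects integrity of the CA entry, not a secret), but if the same Hudson property is ever reused for real credentials an environment variable or a settings.xml server entry is safer. A one-line comment above the property noting that it must only ever hold a throwaway test-truststore password would make that explicit.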
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java 2009-08-10 12:08:19 UTC (rev 688)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java 2009-08-10 13:32:36 UTC (rev 689)
@@ -108,6 +108,20 @@
setDirectoryName(dirName);
}
+ String trustStorePath = System.getProperties().getProperty("trustStorePath");
+
+ if (trustStorePath != null && !trustStorePath.startsWith("$"))
+ {
+ System.setProperty("javax.net.ssl.trustStore", trustStorePath);
+ }
+
+ String trustStorePassword = System.getProperties().getProperty("trustStorePassword");
+
+ if (trustStorePassword != null && !trustStorePassword.startsWith("$"))
+ {
+ System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
+ }
+
}
@Parameter
Added: idm/trunk/idm-testsuite/src/test/resources/dev44-msad.truststore
===================================================================
(Binary files differ)
Property changes on: idm/trunk/idm-testsuite/src/test/resources/dev44-msad.truststore
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Modified: idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad.xml
===================================================================
--- idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad.xml 2009-08-10 12:08:19 UTC (rev 688)
+++ idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad.xml 2009-08-10 13:32:36 UTC (rev 689)
@@ -901,7 +901,7 @@
<options>
<option>
<name>providerURL</name>
- <value>ldap://dev44.qa.atl.jboss.com:389</value>
+ <value>ldaps://dev44.qa.atl.jboss.com:636</value>
</option>
<option>
<name>adminDN</name>
@@ -917,7 +917,7 @@
<!--</option>-->
<!--<option>-->
<!--<name>customSystemProperties</name>-->
- <!--<value>javax.net.ssl.trustStore=d:\Workshop\msad.truststore</value>-->
+ <!--<value>javax.net.ssl.trustStore=d:\Workshop\dev44-msad.truststore</value>-->
<!--<value>javax.net.ssl.trustStorePassword=password</value>-->
<!--</option>-->
<option>
JBoss Identity SVN: r688 - idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api.
by jboss-identity-commits@lists.jboss.org
Author: bdaw
Date: 2009-08-10 08:08:19 -0400 (Mon, 10 Aug 2009)
New Revision: 688
Modified:
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java
Log:
toto
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java 2009-08-10 11:37:39 UTC (rev 687)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java 2009-08-10 12:08:19 UTC (rev 688)
@@ -76,14 +76,14 @@
orgTest.testRedHatOrganization(getSampleOrganizationRealmName());
}
-// @Test
-// public void testSamplePortal() throws Exception
-// {
-//
-// orgTest.testSamplePortal(getSamplePortalRealmName());
-//
-// }
+ @Test
+ public void testSamplePortal() throws Exception
+ {
+ orgTest.testSamplePortal(getSamplePortalRealmName());
+
+ }
+
public String getSamplePortalRealmName()
{
return samplePortalRealmName;
JBoss Identity SVN: r687 - in idm/trunk: idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap and 3 other directories.
by jboss-identity-commits@lists.jboss.org
Author: bdaw
Date: 2009-08-10 07:37:39 -0400 (Mon, 10 Aug 2009)
New Revision: 687
Modified:
idm/trunk/idm-core/src/test/java/org/jboss/identity/idm/impl/store/CommonIdentityStoreTest.java
idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreConfiguration.java
idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreImpl.java
idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreSessionImpl.java
idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/SimpleLDAPIdentityStoreConfiguration.java
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationTest.java
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreTestCase.java
idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad-local.xml
Log:
More LDAP test/support fixes
Modified: idm/trunk/idm-core/src/test/java/org/jboss/identity/idm/impl/store/CommonIdentityStoreTest.java
===================================================================
--- idm/trunk/idm-core/src/test/java/org/jboss/identity/idm/impl/store/CommonIdentityStoreTest.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-core/src/test/java/org/jboss/identity/idm/impl/store/CommonIdentityStoreTest.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -304,8 +304,8 @@
IdentityObject user1 = testContext.getStore().createIdentityObject(testContext.getCtx(), "Adam", IdentityTypeEnum.USER);
IdentityObject user2 = testContext.getStore().createIdentityObject(testContext.getCtx(), "Eva", IdentityTypeEnum.USER);
- IdentityObjectCredential passwordCredential1 = new PasswordCredential("SamplePasswordOne");
- IdentityObjectCredential passwordCredential2 = new PasswordCredential("SamplePasswordTwo");
+ IdentityObjectCredential passwordCredential1 = new PasswordCredential("Password2000");
+ IdentityObjectCredential passwordCredential2 = new PasswordCredential("Password2001");
// If PASSWORD is supported
assertTrue(testContext.getStore().getSupportedFeatures().isCredentialSupported(IdentityTypeEnum.USER, passwordCredential1.getType()));
Modified: idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreConfiguration.java
===================================================================
--- idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreConfiguration.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreConfiguration.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -44,6 +44,8 @@
String getAdminPassword();
+ String getAuthenticationMethod();
+
int getSearchTimeLimit();
LDAPIdentityObjectTypeConfiguration getTypeConfiguration(String typeName);
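Review bot: The new `getAuthenticationMethod()` has no Javadoc, and its value is handed straight to `Context.SECURITY_AUTHENTICATION` in LDAPIdentityStoreSessionImpl, where JNDI accepts `none`, `simple` or a SASL mechanism name. Document that contract and the default: `/** JNDI authentication method for the admin bind ("simple" when null); "none" binds anonymously and must not be combined with adminDN/adminPassword. */`.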
Modified: idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreImpl.java
===================================================================
--- idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreImpl.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreImpl.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -1549,11 +1549,12 @@
{
additionalAttr.add(val);
}
+ attrs.put(additionalAttr);
}
- attrs.put(attr);
+
}
- ldapContext.modifyAttributes(ldapIO.getDn(), DirContext.REPLACE_ATTRIBUTE,attrs);
+ ldapContext.modifyAttributes(ldapIO.getDn(), DirContext.REPLACE_ATTRIBUTE, attrs);
}
catch (NamingException e)
{
Modified: idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreSessionImpl.java
===================================================================
--- idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreSessionImpl.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreSessionImpl.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -92,7 +92,14 @@
}
- env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ if (storeConfig.getAuthenticationMethod() != null)
+ {
+ env.put(Context.SECURITY_AUTHENTICATION, storeConfig.getAuthenticationMethod());
+ }
+ else
+ {
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ }
if (storeConfig.getCustomJNDIConnectionParameters() != null &&
storeConfig.getCustomJNDIConnectionParameters().size() > 0)
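Review bot: The configured method is passed to `Context.SECURITY_AUTHENTICATION` unvalidated, so a value of `none` silently turns the admin connection into an anonymous bind while the admin DN and password are still configured, and `simple` over a plain `ldap://` providerURL sends the admin password in cleartext. Reject `none` for the admin bind and warn when `simple` is combined with a non-`ldaps` URL; holding the configured value in a local, a check before the `env.put` such as `if ("none".equalsIgnoreCase(method)) throw new IllegalStateException("authenticationMethod 'none' is not supported for the admin bind");` would do. The method's remaining lines are outside this hunk.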
Modified: idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/SimpleLDAPIdentityStoreConfiguration.java
===================================================================
--- idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/SimpleLDAPIdentityStoreConfiguration.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-ldap/src/main/java/org/jboss/identity/idm/impl/store/ldap/SimpleLDAPIdentityStoreConfiguration.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -48,6 +48,8 @@
private final String adminPassword;
+ private final String authenticationMethod;
+
private final int searchTimeLimit;
private final Map<String, LDAPIdentityObjectTypeConfiguration> typesConfiguration;
@@ -87,6 +89,8 @@
public static final String ADMIN_DN = "adminDN";
+ public static final String AUTHENTICATION_METHOD = "authenticationMethod";
+
public static final String ADMIN_PASSWORD = "adminPassword";
public static final String SEARCH_TIME_LIMIT = "searchTimeLimit";
@@ -132,6 +136,7 @@
this.configurationMetaData = storeMD;
this.providerURL = storeMD.getOptionSingleValue(PROVIDER_URL);
this.adminDN = storeMD.getOptionSingleValue(ADMIN_DN);
+ this.authenticationMethod = storeMD.getOptionSingleValue(AUTHENTICATION_METHOD);
this.adminPassword = storeMD.getOptionSingleValue(ADMIN_PASSWORD);
this.externalJNDIContext = storeMD.getOptionSingleValue(EXTERNAL_JNDI_CONTEXT);
this.membershipToRelationshipTypeMapping = storeMD.getOptionSingleValue(MEMBERSHIP_TO_RELATIONSHIP_TYPE_MAPPING);
@@ -450,4 +455,9 @@
{
return namedRelationshipMemberAttributeName;
}
+
+ public String getAuthenticationMethod()
+ {
+ return authenticationMethod;
+ }
}
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationLDAPTestCase.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -22,14 +22,13 @@
package org.jboss.identity.idm.impl.api;
-import org.jboss.identity.idm.impl.IdentityTestPOJO;
+import org.jboss.identity.idm.api.IdentitySessionFactory;
import org.jboss.identity.idm.impl.LDAPTestPOJO;
import org.jboss.identity.idm.impl.configuration.IdentityConfigurationImpl;
-import org.jboss.identity.idm.api.IdentitySessionFactory;
import org.jboss.unit.api.pojo.annotations.Create;
import org.jboss.unit.api.pojo.annotations.Destroy;
-import org.jboss.unit.api.pojo.annotations.Test;
import org.jboss.unit.api.pojo.annotations.Parameter;
+import org.jboss.unit.api.pojo.annotations.Test;
/**
* @author <a href="mailto:boleslaw.dawidowicz at redhat.com">Boleslaw Dawidowicz</a>
@@ -77,14 +76,14 @@
orgTest.testRedHatOrganization(getSampleOrganizationRealmName());
}
- @Test
- public void testSamplePortal() throws Exception
- {
+// @Test
+// public void testSamplePortal() throws Exception
+// {
+//
+// orgTest.testSamplePortal(getSamplePortalRealmName());
+//
+// }
- orgTest.testSamplePortal(getSamplePortalRealmName());
-
- }
-
public String getSamplePortalRealmName()
{
return samplePortalRealmName;
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationTest.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationTest.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/OrganizationTest.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -356,28 +356,37 @@
if (session.getAttributesManager().isCredentialTypeSupported(PasswordCredential.TYPE))
{
+ // There is a known issue that on some LDAP servers (MSAD at least) old password can
+ // still be used for some time together with the new one. Because of this testsuite cannot
+ // assert previously set password values
+
// #1
- session.getAttributesManager().updatePassword(anotherOne, "secret");
- assertTrue(session.getAttributesManager().validatePassword(anotherOne, "secret"));
- assertFalse(session.getAttributesManager().validatePassword(anotherOne, "secret2"));
- assertFalse(session.getAttributesManager().validatePassword(anotherOne, "secret3"));
+ session.getAttributesManager().updatePassword(anotherOne, "Password2000");
+ assertTrue(session.getAttributesManager().validatePassword(anotherOne, "Password2000"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2001"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2002"));
// #1
- session.getAttributesManager().updatePassword(anotherOne, "secret2");
- assertTrue(session.getAttributesManager().validatePassword(anotherOne, "secret2"));
- assertFalse(session.getAttributesManager().validatePassword(anotherOne, "secret"));
- assertFalse(session.getAttributesManager().validatePassword(anotherOne, "secret3"));
+ session.getAttributesManager().updatePassword(anotherOne, "Password2002");
+ assertTrue(session.getAttributesManager().validatePassword(anotherOne, "Password2002"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2001"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "wirdPasswordValue"));
+// assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2000"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2003"));
// #1
- session.getAttributesManager().updatePassword(anotherOne, "secret3");
- assertTrue(session.getAttributesManager().validatePassword(anotherOne, "secret3"));
- assertFalse(session.getAttributesManager().validatePassword(anotherOne, "secret"));
- assertFalse(session.getAttributesManager().validatePassword(anotherOne, "secret2"));
+ session.getAttributesManager().updatePassword(anotherOne, "Password2003");
+ assertTrue(session.getAttributesManager().validatePassword(anotherOne, "Password2003"));
+// assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2000"));
+// assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2002"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2005"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2006"));
+ assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2007"));
// #2
- Credential password = new PasswordCredential("secretPhrase");
+ Credential password = new PasswordCredential("SuperPassword2345");
session.getAttributesManager().updateCredential(anotherOne, password);
assertTrue(session.getAttributesManager().validateCredentials(anotherOne, new Credential[]{password}));
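Review bot: The three assertions commented out in steps two and three (`validatePassword(anotherOne, "Password2000")` and `validatePassword(anotherOne, "Password2002")`) are disabled for every backend the suite runs against, although the comment added above step one attributes the problem to some LDAP servers only, so the non-MSAD stores silently lose the check that a superseded password is rejected. Rather than commenting them out, guard them with a flag derived from the directory configuration, e.g. `if (!oldPasswordMayRemainValid) { assertFalse(session.getAttributesManager().validatePassword(anotherOne, "Password2000")); }` (the flag name is a placeholder for whatever the test configuration exposes). The literal `"wirdPasswordValue"` looks like a typo for `"weirdPasswordValue"`, and the three `// #1` step labels would read better as #1, #2, #3; both are cosmetic. The enclosing test method begins before this hunk.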
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreTestCase.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreTestCase.java 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/store/ldap/LDAPIdentityStoreTestCase.java 2009-08-10 11:37:39 UTC (rev 687)
@@ -22,7 +22,6 @@
package org.jboss.identity.idm.impl.store.ldap;
-import org.jboss.identity.idm.common.exception.IdentityException;
import org.jboss.identity.idm.impl.LDAPTestPOJO;
import org.jboss.identity.idm.impl.configuration.IdentityConfigurationImpl;
import org.jboss.identity.idm.impl.configuration.IdentityStoreConfigurationContextImpl;
@@ -94,69 +93,21 @@
IdentityStoreConfigurationContext context = new IdentityStoreConfigurationContextImpl(configurationMD, registry, storeMD);
- ctx = new IdentityStoreInvocationContext()
- {
- public IdentityStoreSession getIdentityStoreSession()
- {
- return new IdentityStoreSession(){
- public Object getSessionContext() throws IdentityException
- {
- try
- {
- return getLdapContext();
- }
- catch (Exception e)
- {
- throw new IdentityException("Failed to obtain LDAP connection: ", e);
- }
- }
- public void close() throws IdentityException
- {
+ //populate();
- }
+ store = new LDAPIdentityStoreImpl("LDAP Identity Store");
- public void save() throws IdentityException
- {
+ store.bootstrap(context);
- }
+ final IdentityStoreSession storeSession = store.createIdentityStoreSession();
- public void clear() throws IdentityException
- {
-
- }
-
- public boolean isOpen()
- {
- return false;
- }
-
- public boolean isTransactionSupported()
- {
- return false;
- }
-
- public void startTransaction()
- {
-
- }
-
- public void commitTransaction()
- {
-
- }
-
- public void rollbackTransaction()
- {
-
- }
-
- public boolean isTransactionActive()
- {
- return false;
- }
- };
+ ctx = new IdentityStoreInvocationContext()
+ {
+ public IdentityStoreSession getIdentityStoreSession()
+ {
+ return storeSession;
}
public String getRealmId()
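Review bot: The session created by `store.createIdentityStoreSession()` and handed out from `getIdentityStoreSession()` is never closed in this hunk; the anonymous stub it replaces had a no-op `close()`, but this is now a real store session, so whatever connection it holds (presumably the LDAP context, cannot tell from here) stays open for the life of the test instance. Consider keeping `storeSession` in a field and closing it from the `@Destroy` method that follows in the next hunk, whose body is outside the view, e.g. `if (storeSession != null) { storeSession.close(); }`. The relocated `//populate();` is still commented-out code; either drop it or say why it is kept. The enclosing setup method begins before this hunk.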
@@ -164,12 +115,6 @@
return "testRealm";
}
};
-
- //populate();
-
- store = new LDAPIdentityStoreImpl("LDAP Identity Store");
-
- store.bootstrap(context);
}
@Destroy
Modified: idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad-local.xml
===================================================================
--- idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad-local.xml 2009-08-10 08:45:17 UTC (rev 686)
+++ idm/trunk/idm-testsuite/src/test/resources/test-identity-config-msad-local.xml 2009-08-10 11:37:39 UTC (rev 687)
@@ -577,6 +577,7 @@
<value>objectClass=top</value>
<value>objectClass=inetOrgPerson</value>
<value>sn= </value>
+ <value>userAccountControl=514</value>
<!--<value>cn= </value>-->
</option>
<option>
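Review bot: The new `userAccountControl=514` is a magic number with no explanation; 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), so every account the store creates in MSAD with these attributes is disabled. Add `<!-- 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): created accounts are disabled -->` next to the value. If the suite validates passwords by binding as the created user, a disabled account cannot bind, so confirm that 514 rather than 512 is the intended state.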
@@ -901,7 +902,7 @@
<options>
<option>
<name>providerURL</name>
- <value>ldap://192.168.56.101:636</value>
+ <value>ldaps://192.168.56.101:636</value>
</option>
<option>
<name>adminDN</name>
@@ -912,8 +913,8 @@
<value>!Q2w3e4r</value>
</option>
<option>
- <name>customJNDIConnectionParameters</name>
- <value>java.naming.security.protocol=ssl</value>
+ <name>authenticationMethod</name>
+ <value>simple</value>
</option>
<option>
<name>customSystemProperties</name>
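Review bot: `authenticationMethod` `simple` sends the `adminDN` credential shown in clear a few lines above inside the bind request, so its confidentiality now rests entirely on the `ldaps://` scheme introduced in the previous hunk of this file and on the JVM trust store actually validating the server certificate. A comment makes that dependency explicit: `<!-- simple bind: the credential is protected only by the ldaps:// transport in providerURL -->`. The plain-text admin password in this committed test resource is pre-existing, but it is worth moving to a local override if the configuration is ever reused outside the test VM.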
JBoss Identity SVN: r686 - in idm/trunk/idm-testsuite/src/test: java/org/jboss/identity/idm/impl/api and 1 other directories.
by jboss-identity-commits@lists.jboss.org
Author: bdaw
Date: 2009-08-10 04:45:17 -0400 (Mon, 10 Aug 2009)
New Revision: 686
Modified:
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java
idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/APITestCase.java
idm/trunk/idm-testsuite/src/test/resources/datasources/datasources.xml
Log:
small test fixes
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java 2009-08-09 15:53:59 UTC (rev 685)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/LDAPTestPOJO.java 2009-08-10 08:45:17 UTC (rev 686)
@@ -144,9 +144,15 @@
"-w", directoryConfig.getAdminPassword(),
"-a", "-f", ldifURL.toURI().getPath()};
-// System.out.println("Populate success: " + (LDAPModify.mainModify(cmd, false, System.out, System.err) == 0));
- System.out.println("Populate success: " + (LDAPModify.mainModify(cmd) == 0));
-
+ //Not sure why... but it actually does make a difference...
+ if (directoryName.equals(EMBEDDED_OPEN_DS_DIRECTORY_NAME))
+ {
+ System.out.println("Populate success: " + (LDAPModify.mainModify(cmd, false, System.out, System.err) == 0));
+ }
+ else
+ {
+ System.out.println("Populate success: " + (LDAPModify.mainModify(cmd) == 0));
+ }
}
protected void cleanUp(DirContext ldapCtx) throws Exception
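Review bot: The comment `//Not sure why... but it actually does make a difference...` leaves the reason for the new branch undocumented. As far as I know, the second argument of the four-argument `LDAPModify.mainModify` overload is `initializeServer` and the one-argument form defaults it to true, so the embedded OpenDS branch works because it skips re-initialising a server that is already running in this JVM; if that matches what you observed, replace the comment with `// Embedded OpenDS is already running in-process: pass initializeServer=false so LDAPModify does not initialise it again.` The `-w` argument above hands the admin password to the tool as a plain argument, which is fine for an in-process call but would appear in process listings if this were ever turned into an external command. The enclosing method begins before this hunk.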
Modified: idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/APITestCase.java
===================================================================
--- idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/APITestCase.java 2009-08-09 15:53:59 UTC (rev 685)
+++ idm/trunk/idm-testsuite/src/test/java/org/jboss/identity/idm/impl/api/APITestCase.java 2009-08-10 08:45:17 UTC (rev 686)
@@ -22,26 +22,13 @@
package org.jboss.identity.idm.impl.api;
-import junit.framework.TestCase;
-import org.jboss.identity.idm.impl.HibernateTestSupport;
+import org.jboss.identity.idm.api.IdentitySessionFactory;
import org.jboss.identity.idm.impl.IdentityTestPOJO;
import org.jboss.identity.idm.impl.configuration.IdentityConfigurationImpl;
-import org.jboss.identity.idm.api.IdentitySessionFactory;
-import org.jboss.identity.idm.api.cfg.IdentityConfiguration;
-import org.jboss.identity.idm.opends.OpenDSService;
import org.jboss.unit.api.pojo.annotations.Create;
import org.jboss.unit.api.pojo.annotations.Destroy;
import org.jboss.unit.api.pojo.annotations.Test;
-import org.opends.server.tools.LDAPModify;
-import javax.naming.directory.DirContext;
-import javax.naming.Context;
-import javax.naming.NamingEnumeration;
-import javax.naming.Binding;
-import javax.naming.ldap.InitialLdapContext;
-import java.util.Hashtable;
-import java.io.File;
-
/**
* @author <a href="mailto:boleslaw.dawidowicz at redhat.com">Boleslaw Dawidowicz</a>
* @version : 0.1 $
Modified: idm/trunk/idm-testsuite/src/test/resources/datasources/datasources.xml
===================================================================
--- idm/trunk/idm-testsuite/src/test/resources/datasources/datasources.xml 2009-08-09 15:53:59 UTC (rev 685)
+++ idm/trunk/idm-testsuite/src/test/resources/datasources/datasources.xml 2009-08-10 08:45:17 UTC (rev 686)
@@ -81,7 +81,7 @@
<datasource>
<datasource-name>hsqldb</datasource-name>
- <connection-url>jdbc:hsqldb:file:test</connection-url>
+ <connection-url>jdbc:hsqldb:mem:test</connection-url>
<driver-class>org.hsqldb.jdbcDriver</driver-class>
<user-name>sa</user-name>
<password></password>
JBoss Identity SVN: r685 - in identity-federation/trunk/jboss-identity-seam: src/main/java and 6 other directories.
by jboss-identity-commits@lists.jboss.org
Author: marcelkolsteren
Date: 2009-08-09 11:53:59 -0400 (Sun, 09 Aug 2009)
New Revision: 685
Added:
identity-federation/trunk/jboss-identity-seam/src/main/java/org/
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/RelayStates.java
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlEnabledPages.java
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlIdentity.java
identity-federation/trunk/jboss-identity-seam/src/main/resources/seam.properties
Modified:
identity-federation/trunk/jboss-identity-seam/pom.xml
Log:
JBID-161: Support for Seam Service Providers
Modified: identity-federation/trunk/jboss-identity-seam/pom.xml
===================================================================
--- identity-federation/trunk/jboss-identity-seam/pom.xml 2009-08-08 11:15:22 UTC (rev 684)
+++ identity-federation/trunk/jboss-identity-seam/pom.xml 2009-08-09 15:53:59 UTC (rev 685)
@@ -1,105 +1,131 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <parent>
- <groupId>org.jboss.identity</groupId>
- <artifactId>jboss-identity-fed-parent</artifactId>
- <version>1.0.0.alpha5-SNAPSHOT</version>
- <relativePath>../parent</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <artifactId>jboss-identity-seam</artifactId>
- <packaging>jar</packaging>
- <name>JBoss Identity Federation Bindings for Seam</name>
- <url>http://labs.jboss.org/portal/jbossidentity/</url>
- <description>JBoss Identity Seam bindings contain the default bindings needed for Seam web applications.</description>
- <licenses>
- <license>
- <name>lgpl</name>
- <url>http://repository.jboss.com/licenses/lgpl.txt</url>
- </license>
- </licenses>
- <organization>
- <name>JBoss Inc.</name>
- <url>http://www.jboss.org</url>
- </organization>
-
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>2.4.3</version>
- <configuration>
- <printSummary>true</printSummary>
- <disableXmlReport>false</disableXmlReport>
- <testFailureIgnore>false</testFailureIgnore>
- <includes>
- <include>**/**TestCase.java</include>
- </includes>
- <forkMode>pertest</forkMode>
- <argLine>-Djava.endorsed.dirs=${basedir}/src/test/resources/endorsed</argLine>
- <useFile>false</useFile>
- <trimStackTrace>false</trimStackTrace>
- </configuration>
- </plugin>
- </plugins>
- </build>
-
- <dependencies>
- <dependency>
- <groupId>org.jboss.identity</groupId>
- <artifactId>jboss-identity-fed-model</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.jboss.identity</groupId>
- <artifactId>jboss-identity-fed-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>servlet-api</artifactId>
- <version>2.4</version>
- <optional>true</optional>
- </dependency>
- <dependency>
- <groupId>sun-jaf</groupId>
- <artifactId>activation</artifactId>
- <version>1.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <reporting>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-javadoc-plugin</artifactId>
- <configuration>
- <doclet>org.jboss.apiviz.APIviz</doclet>
- <docletArtifact>
- <groupId>org.jboss.apiviz</groupId>
- <artifactId>apiviz</artifactId>
- <version>1.2.5.GA</version>
- </docletArtifact>
- <additionalparam>
- -charset UTF-8
- -docencoding UTF-8
- -version
- -author
- -breakiterator
- -windowtitle "${project.name} ${project.version} API Reference"
- -doctitle "${project.name} ${project.version} API Reference"
- -bottom "Copyright © ${project.inceptionYear}-Present ${project.organization.name}. All Rights Reserved."
- -link http://java.sun.com/javase/6/docs/api/
- -sourceclasspath ${project.build.outputDirectory}
- </additionalparam>
- <encoding>UTF-8</encoding>
- </configuration>
- </plugin>
- </plugins>
- </reporting>
-</project>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.jboss.identity</groupId>
+ <artifactId>jboss-identity-fed-parent
+ </artifactId>
+ <version>1.0.0.alpha5-SNAPSHOT</version>
+ <relativePath>../parent</relativePath>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>jboss-identity-seam</artifactId>
+ <packaging>jar</packaging>
+ <name>JBoss Identity Federation Bindings for Seam</name>
+ <url>http://labs.jboss.org/portal/jbossidentity/
+ </url>
+ <description>JBoss Identity Seam bindings contain the default
+ bindings needed for Seam web applications.</description>
+ <licenses>
+ <license>
+ <name>lgpl</name>
+ <url>http://repository.jboss.com/licenses/lgpl.txt
+ </url>
+ </license>
+ </licenses>
+ <organization>
+ <name>JBoss Inc.</name>
+ <url>http://www.jboss.org</url>
+ </organization>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <version>2.4.3</version>
+ <configuration>
+ <printSummary>true</printSummary>
+ <disableXmlReport>false</disableXmlReport>
+ <testFailureIgnore>false</testFailureIgnore>
+ <includes>
+ <include>**/**TestCase.java</include>
+ </includes>
+ <forkMode>pertest</forkMode>
+ <argLine>
+ -Djava.endorsed.dirs=${basedir}/src/test/resources/endorsed
+ </argLine>
+ <useFile>false</useFile>
+ <trimStackTrace>false</trimStackTrace>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ <dependencies>
+ <dependency>
+ <groupId>org.jboss.identity</groupId>
+ <artifactId>jboss-identity-fed-model
+ </artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.identity</groupId>
+ <artifactId>jboss-identity-fed-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.identity</groupId>
+ <artifactId>jboss-identity-bindings
+ </artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>2.4</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.seam</groupId>
+ <artifactId>jboss-seam</artifactId>
+ <version>2.1.2.GA</version>
+ <type>ejb</type>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>sun-jaf</groupId>
+ <artifactId>activation</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>sun-jaf</groupId>
+ <artifactId>activation</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.faces</groupId>
+ <artifactId>jsf-api</artifactId>
+ <version>1.2</version>
+ <scope>provided</scope>
+ </dependency>
+ </dependencies>
+ <reporting>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <configuration>
+ <doclet>org.jboss.apiviz.APIviz</doclet>
+ <docletArtifact>
+ <groupId>org.jboss.apiviz</groupId>
+ <artifactId>apiviz</artifactId>
+ <version>1.2.5.GA</version>
+ </docletArtifact>
+ <additionalparam> -charset UTF-8 -docencoding UTF-8 -version
+ -author -breakiterator -windowtitle "${project.name}
+ ${project.version} API Reference" -doctitle "${project.name}
+ ${project.version} API Reference" -bottom "Copyright ©
+ ${project.inceptionYear}-Present ${project.organization.name}. All
+ Rights Reserved." -link http://java.sun.com/javase/6/docs/api/
+ -sourceclasspath ${project.build.outputDirectory}
+ </additionalparam>
+ <encoding>UTF-8</encoding>
+ </configuration>
+ </plugin>
+ </plugins>
+ </reporting>
+</project>
\ No newline at end of file
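Review bot: The `sun-jaf:activation` test dependency is declared twice in the rewritten `<dependencies>` block; Maven warns about duplicate declarations and the second entry should be removed. Several element values now carry a line break before the closing tag, e.g. `jboss-identity-fed-parent`, `jboss-identity-fed-model`, `jboss-identity-bindings` and the two `<url>` values; Maven's model reader trims them as far as I know, but the layout is fragile and hard to diff, so keep each value on one line with its tags. The file also lost its trailing newline.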
Added: identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/RelayStates.java
===================================================================
--- identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/RelayStates.java (rev 0)
+++ identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/RelayStates.java 2009-08-09 15:53:59 UTC (rev 685)
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.identity.seam.federation;
+
+import static org.jboss.seam.ScopeType.SESSION;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.Startup;
+
+/**
+ * Session scoped component that stores relay states. Each relay state corresponds to an uncompleted authorization request
+ * that has been sent to the IDP. The state is used to store the URL of the page that has been requested by the user.
+ * Each state has an integer number that can be used as the RelayState parameter in the SAMLv2 authentication protocol.
+ *
+ * @author Marcel Kolsteren
+ */
+@Scope(SESSION)
+@Name("org.jboss.identity.seam.federation.relayStates")
+@Startup
+public class RelayStates
+{
+ private Map<Integer, String> states = new HashMap<Integer, String>();
+
+ private int nextIndex = 0;
+
+ public int saveState(HttpServletRequest request)
+ {
+ int index = nextIndex++;
+
+ StringBuffer requestURL = request.getRequestURL();
+ if (request.getQueryString() != null)
+ {
+ requestURL.append("?" + request.getQueryString());
+ }
+
+ states.put(index, requestURL.toString());
+ return index;
+ }
+
+ public void restoreState(int index, HttpServletResponse response)
+ {
+ String requestURL = states.get(index);
+ try
+ {
+ response.sendRedirect(requestURL);
+ }
+ catch (IOException e)
+ {
+ throw new RuntimeException(e);
+ }
+ states.remove(index);
+ }
+}
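Review bot: `restoreState` passes the result of `states.get(index)` straight to `response.sendRedirect`, so an unknown, stale or replayed RelayState value produces a redirect to a null location, which the container will most likely reject with an exception instead of a clear error, and the `states.remove(index)` after the redirect is skipped whenever `sendRedirect` throws. Take the entry out first and fail explicitly: `String requestURL = states.remove(index); if (requestURL == null) { throw new RuntimeException("Unknown relay state: " + index); }`, and drop the trailing remove. Keeping the original URL server-side and echoing only an index to the IDP is a good choice, because the value that comes back in RelayState is then a lookup key rather than a redirect target. The component is session scoped, so `nextIndex++` and the `HashMap` are unsynchronised across concurrent requests of one session; harmless for a single tab, but a `ConcurrentHashMap` with an `AtomicInteger` would remove the question.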
Added: identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java
===================================================================
--- identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java (rev 0)
+++ identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java 2009-08-09 15:53:59 UTC (rev 685)
@@ -0,0 +1,494 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.identity.seam.federation;
+
+import static org.jboss.seam.ScopeType.APPLICATION;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.login.LoginException;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+
+import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
+import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.bindings.tomcat.sp.SPUtil;
+import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
+import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
+import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
+import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
+import org.jboss.identity.federation.core.saml.v2.util.AssertionUtil;
+import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
+import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
+import org.jboss.identity.federation.saml.v2.assertion.StatementAbstractType;
+import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.saml.v2.protocol.StatusType;
+import org.jboss.seam.annotations.Logger;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.annotations.web.Filter;
+import org.jboss.seam.contexts.Context;
+import org.jboss.seam.contexts.SessionContext;
+import org.jboss.seam.log.Log;
+import org.jboss.seam.security.Credentials;
+import org.jboss.seam.security.Identity;
+import org.jboss.seam.servlet.ContextualHttpServletRequest;
+import org.jboss.seam.servlet.ServletRequestSessionMap;
+import org.jboss.seam.util.Base64;
+import org.jboss.seam.web.AbstractFilter;
+import org.xml.sax.SAXException;
+
+/**
+ * Seam Servlet Filter supporting SAMLv2 authentication. It implements the Web Browser SSO
+ * Profile. For outgoing authentication requests it can use either HTTP Post or HTTP Redirect
+ * binding. For the responses, it uses HTTP Post binding, with signature validation.
+ *
+ * Properties that configure this component:
+ *
+ * <dl>
+ * <dt>identityProviderURL</dt>
+ * <dd>URL of the identity provider.</dd>
+ * <dt>keyStoreURL</dt>
+ * <dd>URL of the keystore.</dd>
+ * <dt>keyStorePass</dt>
+ * <dd>Password that gives access to the keystore.</dd>
+ * <dt>idpCertificateAlias</dt>
+ * <dd>The alias of the keystore entry that contains the certificate of the IDP.</dd>
+ * <dt>binding</dt>
+ * <dd>Method for sending the authentication request: HTTP_Redirect or HTTP_Post. Default: HTTP_Post.</dd>
+ * <dt>signatureRequired</dt>
+ * <dd>Specifies whether IDP responses are required to have a valid signature. Default: true.</dd>
+ * </dl>
+ *
+ * @author Marcel Kolsteren
+ */
+@Scope(APPLICATION)
+@Name("org.jboss.identity.seam.federation.samlAuthenticationFilter")
+@BypassInterceptors
+@Filter(within = "org.jboss.seam.web.exceptionFilter")
+public class SamlAuthenticationFilter extends AbstractFilter
+{
+ enum Binding {
+ HTTP_Redirect, HTTP_Post
+ };
+
+ private String identityProviderURL;
+
+ private String keyStoreURL;
+
+ private String keyStorePass;
+
+ private String idpCertificateAlias;
+
+ private PublicKey publicKeyOfIDP;
+
+ private Binding binding = Binding.HTTP_Post;
+
+ private boolean signatureRequired = true;
+
+ protected class AuthenticatedUser
+ {
+ String userName;
+
+ Map<String, List<String>> attributes = new HashMap<String, List<String>>();
+ }
+
+ @Logger
+ private Log log;
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException
+ {
+ super.init(filterConfig);
+ if (signatureRequired)
+ {
+ publicKeyOfIDP = getPublicKeyOfIDP();
+ }
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+ ServletException
+ {
+ if (!(request instanceof HttpServletRequest))
+ {
+ throw new ServletException("This filter can only process HttpServletRequest requests");
+ }
+
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+ if (request.getParameter("SAMLResponse") != null)
+ {
+ // Received an authentication response from the IDP.
+
+ AuthenticatedUser user = processIDPResponse(request);
+ if (user != null)
+ {
+ // Login the user. This ends with a redirect to the URL that was requested by the user.
+ loginUser(httpRequest, httpResponse, user);
+ }
+ }
+ else if (request.getParameter("newRelayState") != null)
+ {
+ // User requested a page for which login is required. Return a page that instructs the browser to post an
+ // authentication request to the IDP.
+ sendRequestToIDP(httpRequest, httpResponse);
+ }
+ else
+ {
+ // Request is not related to SAMLv2 authentication. Pass it on to the next chain.
+ chain.doFilter(request, response);
+ }
+ }
+
+ private void loginUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthenticatedUser user)
+ throws ServletException, IOException
+ {
+ // Force session creation
+ httpRequest.getSession();
+
+ Context ctx = new SessionContext(new ServletRequestSessionMap(httpRequest));
+
+ // Only reauthenticate if username doesn't match Identity.username
+ // and user isn't authenticated
+ Credentials credentials = (Credentials) ctx.get(Credentials.class);
+ Identity identity = (Identity) ctx.get(Identity.class);
+
+ if (identity.isLoggedIn())
+ {
+ throw new RuntimeException("User is already logged in.");
+ }
+
+ credentials.setPassword("");
+ authenticate(httpRequest, user);
+ RelayStates relayStates = (RelayStates) ctx.get(RelayStates.class);
+ String relayState = httpRequest.getParameter("RelayState");
+ if (relayState == null)
+ {
+ throw new RuntimeException("RelayState parameter is missing");
+ }
+ relayStates.restoreState(Integer.parseInt(relayState), httpResponse);
+ }
+
+ private void authenticate(HttpServletRequest request, final AuthenticatedUser user) throws ServletException,
+ IOException
+ {
+ new ContextualHttpServletRequest(request)
+ {
+ @Override
+ public void process() throws ServletException, IOException, LoginException
+ {
+ SamlIdentity identity = (SamlIdentity) Identity.instance();
+ identity.getCredentials().setUsername(user.userName);
+ identity.setAttributes(user.attributes);
+ identity.authenticate();
+ }
+ }.run();
+ }
+
+ private AuthenticatedUser processIDPResponse(ServletRequest request)
+ {
+ String samlResponse = request.getParameter("SAMLResponse");
+
+ if (signatureRequired && !validateSignature(request))
+ {
+ log.error("Invalid signature");
+ throw new RuntimeException("Validity Checks failed");
+ }
+
+ // deal with SAML response from IDP
+ byte[] base64DecodedResponse = Base64.decode(samlResponse);
+ InputStream is = new ByteArrayInputStream(base64DecodedResponse);
+
+ SAML2Response saml2Response = new SAML2Response();
+
+ ResponseType responseType;
+ try
+ {
+ responseType = saml2Response.getResponseType(is);
+ }
+ catch (ParsingException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (ConfigurationException e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ StatusType statusType = responseType.getStatus();
+ if (statusType == null)
+ {
+ throw new RuntimeException("Status Type from the IDP is null");
+ }
+
+ String statusValue = statusType.getStatusCode().getValue();
+ if (JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) == false)
+ {
+ throw new RuntimeException("IDP forbid the user");
+ }
+
+ List<Object> assertions = responseType.getAssertionOrEncryptedAssertion();
+ if (assertions.size() == 0)
+ {
+ throw new RuntimeException("IDP response does not contain assertions");
+ }
+
+ AuthenticatedUser user = null;
+
+ for (Object assertion : responseType.getAssertionOrEncryptedAssertion())
+ {
+ if (assertion instanceof AssertionType)
+ {
+ AuthenticatedUser userInAssertion = handleAssertion((AssertionType) assertion);
+ if (user == null)
+ {
+ user = userInAssertion;
+ }
+ else
+ {
+ log.warn("Multiple authenticated users found in assertions. Using the first one.");
+ }
+ }
+ else
+ {
+ /* assertion instanceof EncryptedElementType */
+ log.warn("Encountered encrypted assertion. Skipping it because decryption is not yet supported.");
+ }
+ }
+ if (user == null)
+ {
+ log.warn("No authenticated users found in assertions.");
+ }
+
+ return user;
+ }
+
+ private AuthenticatedUser handleAssertion(AssertionType assertion)
+ {
+ try
+ {
+ if (AssertionUtil.hasExpired(assertion))
+ {
+ log.warn("Received assertion will not be processed because it has expired.");
+ return null;
+ }
+ }
+ catch (ConfigurationException e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ AuthenticatedUser user = null;
+
+ for (JAXBElement<?> contentElement : assertion.getSubject().getContent())
+ {
+ if (contentElement.getName().getLocalPart().equals("NameID"))
+ {
+ user = new AuthenticatedUser();
+ user.userName = ((NameIDType) contentElement.getValue()).getValue();
+ }
+ }
+
+ if (user != null)
+ {
+ for (StatementAbstractType statement : assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement())
+ {
+ if (statement instanceof AttributeStatementType)
+ {
+ AttributeStatementType attributeStatement = (AttributeStatementType) statement;
+ for (Object object : attributeStatement.getAttributeOrEncryptedAttribute())
+ {
+ if (object instanceof AttributeType)
+ {
+ AttributeType attr = (AttributeType) object;
+ List<String> values = user.attributes.get(attr.getName());
+ if (values == null)
+ {
+ values = new LinkedList<String>();
+ }
+ for (Object value : attr.getAttributeValue())
+ {
+ values.add((String) value);
+ }
+ user.attributes.put(attr.getName(), values);
+ }
+ else
+ {
+ log.warn("Encrypted attributes are not supported. Ignoring the attribute.");
+ }
+ }
+ }
+ }
+ }
+ else
+ {
+ log.warn("Subject is not specified using the NameID element. Ignoring the assertion.");
+ }
+
+ return user;
+ }
+
+ private boolean validateSignature(ServletRequest request)
+ {
+ String samlMessage = request.getParameter("SAMLResponse");
+
+ // Check if there is a signature
+ String signature = request.getParameter("Signature");
+ if (signature == null || signature.length() == 0)
+ {
+ log.error("Signature Value missing in response from IDP");
+ return false;
+ }
+ String sigAlg = request.getParameter("sigAlg");
+ if (sigAlg == null || sigAlg.length() == 0)
+ {
+ log.error("Signature Algorithm missing in the response from IDP");
+ return false;
+ }
+
+ try
+ {
+ return PostBindingUtil.validateSignature(samlMessage.getBytes("UTF-8"), signature, publicKeyOfIDP);
+ }
+ catch (UnsupportedEncodingException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (GeneralSecurityException e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private PublicKey getPublicKeyOfIDP()
+ {
+ try
+ {
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ keyStore.load(new URL(keyStoreURL).openStream(), keyStorePass.toCharArray());
+ return keyStore.getCertificate(idpCertificateAlias).getPublicKey();
+ }
+ catch (KeyStoreException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (CertificateException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (MalformedURLException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (IOException e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private void sendRequestToIDP(HttpServletRequest request, HttpServletResponse response)
+ {
+ Integer relayState = Integer.parseInt(request.getParameter("newRelayState"));
+
+ try
+ {
+ /* Derive the service provider URL from the current request URL. Replace the last part with a place holder,
+ * because we do not want the IDP to know what page the user requested. */
+ String serviceProviderURL = request.getScheme() + "://" + request.getServerName() + ":"
+ + request.getServerPort() + request.getContextPath() + "/SamlAuthenticationFilter.seam";
+
+ AuthnRequestType authnRequest = new SPUtil().createSAMLRequest(serviceProviderURL, identityProviderURL);
+
+ SAML2Request saml2Request = new SAML2Request();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ saml2Request.marshall(authnRequest, baos);
+
+ String samlMessage = PostBindingUtil.base64Encode(baos.toString());
+ String destination = authnRequest.getDestination();
+ if (binding == Binding.HTTP_Redirect)
+ {
+ String deflatedRequest = RedirectBindingUtil.deflateBase64URLEncode(baos.toByteArray());
+ StringBuilder sb = new StringBuilder();
+ sb.append("?SAMLRequest=").append(deflatedRequest);
+ sb.append("&RelayState=").append(relayState);
+ HTTPRedirectUtil.sendRedirectForRequestor(destination + sb.toString(), response);
+ }
+ else
+ {
+ DestinationInfoHolder destinationInfoHolder = new DestinationInfoHolder(destination, samlMessage, Integer
+ .toString(relayState));
+ PostBindingUtil.sendPost(destinationInfoHolder, null, response, true);
+ }
+ }
+ catch (ConfigurationException e)
+ {
+ throw new RuntimeException();
+ }
+ catch (SAXException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (JAXBException e)
+ {
+ throw new RuntimeException(e);
+ }
+ catch (IOException e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+}
Added: identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlEnabledPages.java
===================================================================
--- identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlEnabledPages.java (rev 0)
+++ identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlEnabledPages.java 2009-08-09 15:53:59 UTC (rev 685)
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.identity.seam.federation;
+
+import javax.faces.context.FacesContext;
+import javax.servlet.http.HttpServletRequest;
+
+import org.jboss.seam.Component;
+import org.jboss.seam.ScopeType;
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.Startup;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.faces.FacesManager;
+import org.jboss.seam.navigation.Pages;
+
+/**
+ * Override of Seam's Pages component. It replaces the login page redirection method with a version
+ * that redirects to an URL that is filtered by the SamlAuthenticationFilter.
+ *
+ * @author Marcel Kolsteren
+ */
+(a)Scope(ScopeType.APPLICATION)
+@BypassInterceptors
+@Name("org.jboss.seam.navigation.pages")
+@Install(precedence = Install.FRAMEWORK, classDependencies = "javax.faces.context.FacesContext")
+@Startup
+public class SamlEnabledPages extends Pages
+{
+ @Override
+ public void redirectToLoginView()
+ {
+ notLoggedIn();
+
+ HttpServletRequest httpRequest = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext()
+ .getRequest();
+
+ RelayStates relayStates = (RelayStates) Component.getInstance(RelayStates.class);
+ int relayState = relayStates.saveState(httpRequest);
+
+ String authenticationFilterURL = httpRequest.getScheme() + "://" + httpRequest.getServerName() + ":"
+ + httpRequest.getServerPort() + httpRequest.getContextPath() + "/SamlAuthenticationFilter.seam";
+ FacesManager.instance().redirectToExternalURL(authenticationFilterURL + "?newRelayState=" + relayState);
+ }
+}
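Review bot: The absolute URL built in redirectToLoginView from `httpRequest.getScheme() + "://" + httpRequest.getServerName() + ":" + httpRequest.getServerPort()` is derived from the incoming request, and on most servlet containers getServerName() echoes the client-supplied Host header unless the connector pins a fixed host; redirectToExternalURL then sends the browser to whatever host the request named, which lets an attacker who controls the Host header bounce a victim (and the newRelayState parameter) to a server of their choosing. Because the target is inside the same web application, a context-relative redirect should suffice and avoids trusting Host, scheme and port at all: `FacesManager.instance().redirectToExternalURL(httpRequest.getContextPath() + "/SamlAuthenticationFilter.seam?newRelayState=" + relayState);` — if an absolute URL is genuinely required (for example behind a TLS-terminating proxy, where getScheme() would also be wrong), take the base URL from configuration rather than the request. The same request-derived construction appears in sendRequestToIDP of the filter earlier in this commit, where it feeds the AssertionConsumerService URL placed into the AuthnRequest, and would deserve the same treatment.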
Added: identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlIdentity.java
===================================================================
--- identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlIdentity.java (rev 0)
+++ identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlIdentity.java 2009-08-09 15:53:59 UTC (rev 685)
@@ -0,0 +1,72 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.identity.seam.federation;
+
+import static org.jboss.seam.ScopeType.SESSION;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.Startup;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.security.Identity;
+
+/**
+ * Identity that has been establised using SAMLv2 authentication.
+ *
+ * @author Marcel Kolsteren
+ */
+@Name("org.jboss.seam.security.identity")
+@Scope(SESSION)
+@Install(precedence = Install.FRAMEWORK)
+@BypassInterceptors
+@Startup
+public class SamlIdentity extends Identity
+{
+ private static final long serialVersionUID = 7042249176714812268L;
+
+ private Map<String, List<String>> attributes = new HashMap<String, List<String>>();
+
+ public Map<String, List<String>> getAttributes()
+ {
+ return attributes;
+ }
+
+ public void setAttributes(Map<String, List<String>> attributes)
+ {
+ this.attributes = attributes;
+ }
+
+ public String getAttributeValue(String attributeName)
+ {
+ return attributes.get(attributeName).get(0);
+ }
+
+ public List<String> getAttributeValues(String attributeName)
+ {
+ return attributes.get(attributeName);
+ }
+}
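Review bot: getAttributeValue, at `return attributes.get(attributeName).get(0);`, throws NullPointerException when the assertion carried no attribute of that name and IndexOutOfBoundsException when it carried the attribute with no values, so any EL expression or application code asking for an optional claim fails with an unrelated stack trace whenever the IDP omits it. Guarding both cases gives callers a predictable absent-value result: `List<String> values = attributes.get(attributeName); return (values == null || values.isEmpty()) ? null : values.get(0);`. Separately, getAttributes hands out the live map and setAttributes accepts any caller's map, yet these values are the authenticated identity's claims; the class should say who is allowed to write them, e.g. a comment on the field such as `// Attribute values taken from the SAML assertion; presumably populated only by the SAML authentication filter and not meant to be modified by application code.`, and getAttributes could return Collections.unmodifiableMap(attributes) if no writer other than setAttributes exists. The class Javadoc also misspells "established".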
Added: identity-federation/trunk/jboss-identity-seam/src/main/resources/seam.properties
===================================================================