Author: anil.saldhana(a)jboss.com
Date: 2009-10-26 17:04:11 -0400 (Mon, 26 Oct 2009)
New Revision: 871
Added:
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java
Removed:
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectWorkflowUnitTestCase.java
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/mock/MockCatalinaSession.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/constants/GeneralConstants.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/RolesGenerationHandler.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPLoginServlet.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPServlet.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/util/RedirectBindingSignatureUtil.java
identity-federation/trunk/jboss-identity-web/src/test/java/org/jboss/test/identity/federation/web/workflow/saml2/SAML2LogoutWorkflowUnitTestCase.java
Log:
JBID-40: saml logout profile
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -64,6 +64,7 @@
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.jboss.identity.federation.web.util.ConfigurationUtil;
import org.jboss.identity.federation.web.util.HTTPRedirectUtil;
import org.jboss.identity.federation.web.util.RedirectBindingUtil;
@@ -131,7 +132,8 @@
ResponseType errorResponseType = this.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get());
try
{
- send(errorResponseType, request.getParameter("RelayState"),
response);
+ send(errorResponseType,
+ request.getParameter(GeneralConstants.RELAY_STATE), response);
}
catch (ParsingException e)
{
@@ -162,7 +164,7 @@
this.isTrusted(requestAbstractType.getIssuer().getValue());
ResponseType responseType = this.getResponse(request,
userPrincipal);
- send(responseType, request.getParameter("RelayState"),
response);
+ send(responseType,
request.getParameter(GeneralConstants.RELAY_STATE), response);
}
catch (Exception e)
{
@@ -172,7 +174,7 @@
ResponseType errorResponseType = this.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_RESPONDER.get());
try
{
- send(errorResponseType,
request.getParameter("RelayState"), response);
+ send(errorResponseType,
request.getParameter(GeneralConstants.RELAY_STATE), response);
}
catch (ParsingException e1)
{
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -177,7 +177,7 @@
public void invoke(Request request, Response response) throws IOException,
ServletException
{
String referer = request.getHeader("Referer");
- String relayState = request.getParameter("RelayState");
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
if(isNotNull(relayState))
relayState = RedirectBindingUtil.urlDecode(relayState);
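Review bot: relayState is taken straight from the request and url-decoded with no bound on its size before it is stored as a session note and later echoed back to the service provider; the SAML 2.0 Bindings specification caps RelayState at 80 bytes, so an over-long value should be rejected rather than carried through the flow. A guard after the decode such as `if(isNotNull(relayState) && relayState.length() > 80) throw new ServletException("RelayState exceeds 80 bytes");` (character count; use the UTF-8 byte length if non-ASCII values are expected) would do, using whatever error response the valve normally produces. The same unchecked read of GeneralConstants.RELAY_STATE appears in the SPPostFormAuthenticator, IDPLoginServlet and SAML2LogOutHandler hunks of this commit. invoke() continues past the end of this hunk.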
@@ -201,7 +201,7 @@
if(isNotNull(samlResponseMessage))
session.setNote("SAMLResponse", samlResponseMessage);
if(isNotNull(relayState))
- session.setNote("RelayState", relayState.trim());
+ session.setNote(GeneralConstants.RELAY_STATE, relayState.trim());
if(isNotNull(signature))
session.setNote("Signature", signature.trim());
if(isNotNull(sigAlg))
@@ -266,7 +266,7 @@
samlRequestMessage = (String) session.getNote("SAMLRequest");
samlResponseMessage = (String) session.getNote("SAMLResponse");
- relayState = (String) session.getNote("RelayState");
+ relayState = (String) session.getNote(GeneralConstants.RELAY_STATE);
signature = (String) session.getNote("Signature");
sigAlg = (String) session.getNote("sigAlg");
@@ -288,7 +288,7 @@
session.removeNote("SAMLResponse");
if(isNotNull(relayState))
- session.removeNote("RelayState");
+ session.removeNote(GeneralConstants.RELAY_STATE);
if(isNotNull(signature))
session.removeNote("Signature");
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -54,6 +54,7 @@
import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.jboss.identity.federation.web.util.PostBindingUtil;
import org.jboss.identity.federation.web.util.ServerDetector;
import org.xml.sax.SAXException;
@@ -96,7 +97,7 @@
}
Session session = request.getSessionInternal(true);
- String relayState = request.getParameter("RelayState");
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
//Try to get the username
try
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -103,21 +103,27 @@
@Override
public boolean authenticate(Request request, Response response, LoginConfig
loginConfig) throws IOException
{
+ //Eagerly look for Global LogOut
+ String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
+ boolean logOutRequest = isNotNull(gloStr) &&
"true".equalsIgnoreCase(gloStr);
+
+ String samlRequest = request.getParameter("SAMLRequest");
+ String samlResponse = request.getParameter("SAMLResponse");
+
Principal principal = request.getUserPrincipal();
+ //If we have already authenticated the user and there is no request from IDP or
logout from user
+ if(principal != null && !(logOutRequest || isNotNull(samlRequest) ||
isNotNull(samlResponse) ) )
+ return true;
+
SAML2Request saml2Request = new SAML2Request();
Session session = request.getSessionInternal(true);
- String relayState = request.getParameter("RelayState");
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
- String samlRequest = request.getParameter("SAMLRequest");
- String samlResponse = request.getParameter("SAMLResponse");
- //Eagerly look for Global LogOut
- String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
- boolean logOutRequest = isNotNull(gloStr) &&
"true".equalsIgnoreCase(gloStr);
-
+
/* if(!logOutRequest)
{*/
/* if (principal != null)
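Review bot: The new early return at the top of authenticate() is skipped whenever the request carries a SAMLResponse or SAMLRequest parameter even though a principal is already present; if the response-handling path further down (outside this hunk) replaces the session principal, an unsolicited SAMLResponse arriving on an authenticated session would re-run authentication for that session, so the `principal != null` case should be handled explicitly (e.g. ignore inbound SAML messages unless a logout is in progress) and the intended behaviour stated in the method Javadoc. The global-logout decision also rests on a single request parameter; nothing in this hunk ties it to the session or the HTTP method, so unless a further check exists elsewhere a third-party page can make the browser trigger a logout (logout CSRF). Minor: `isNotNull(gloStr) &&` is redundant because `"true".equalsIgnoreCase(gloStr)` is null-safe, and the commented-out `/* if(!logOutRequest)` blocks left in place should be deleted rather than kept. The method body continues outside this hunk.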
@@ -242,6 +248,7 @@
getDestination(base64Request, relayState,
saml2HandlerResponse.getSendRequest());
HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
+ return false;
}
catch (Exception e)
{
@@ -249,7 +256,6 @@
log.trace("Exception:",e);
throw new IOException("Server Error");
}
- return true;
}
}
@@ -327,6 +333,21 @@
}
else
{
+ //See if the session has been invalidated
+
+ boolean sessionValidity = session.isValid();
+ if(!sessionValidity)
+ {
+ //we are invalidated.
+ RequestDispatcher dispatch =
context.getServletContext().getRequestDispatcher(this.logOutPage);
+ if(dispatch == null)
+ log.error("Cannot dispatch to the logout page: no request
dispatcher:" + this.logOutPage);
+ else
+ dispatch.forward(request, response);
+ return false;
+ }
+
+
//We got a response with the principal
List<String> roles = saml2HandlerResponse.getRoles();
if(principal == null)
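Review bot: In the moved session-validity block, when getRequestDispatcher() returns null the method logs an error and returns false without writing anything to the response, so a client whose session was invalidated gets an unexplained empty reply instead of an error. Send an explicit error in that branch, e.g. `response.sendError(500);` before `return false;`, so the failure is visible to the client and in access logs. The check now runs only inside this `else` branch; whether the other branch also needs to detect an invalidated session is not visible here. The enclosing method continues outside this hunk.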
@@ -359,19 +380,7 @@
return true;
}
- //See if the session has been invalidated
-
- boolean sessionValidity = session.isValid();
- if(!sessionValidity)
- {
- //we are invalidated.
- RequestDispatcher dispatch =
context.getServletContext().getRequestDispatcher(this.logOutPage);
- if(dispatch == null)
- log.error("Cannot dispatch to the logout page: no request
dispatcher:" + this.logOutPage);
- else
- dispatch.forward(request, response);
- return false;
- }
+
}
catch (Exception e)
{
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -46,6 +46,7 @@
import org.jboss.identity.federation.core.util.XMLEncryptionUtil;
import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.jboss.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -113,7 +114,8 @@
//Construct the url again
String reqFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"SAMLResponse");
- String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"RelayState");
+ String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
+ GeneralConstants.RELAY_STATE);
String sigAlgFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"SigAlg");
StringBuilder sb = new StringBuilder();
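Review bot: The data to be verified is reassembled from individually extracted tokens (SAMLResponse, RelayState, SigAlg) rather than taken verbatim from the query string that was signed; if getTokenValue decodes the value, or the sender used a different parameter order or encoding, the reconstructed bytes are not the ones the signature covers and verification will fail or, worse, compare a canonicalised form rather than the received one. The safer form is to verify over the raw query string as received up to the Signature parameter, e.g. `String signedData = queryString.substring(0, queryString.indexOf("&Signature="));`, and confirm it against the binding's expected parameter layout. The same reconstruction appears in the RedirectBindingSignatureUtil hunk of this commit. The enclosing method starts and ends outside this hunk.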
Modified:
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/mock/MockCatalinaSession.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/mock/MockCatalinaSession.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/mock/MockCatalinaSession.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -114,7 +114,7 @@
public boolean isValid()
{
- return false;
+ return this.valid;
}
public void recycle()
Added:
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java
(rev 0)
+++
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -0,0 +1,151 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.identity.federation.bindings.workflow;
+
+import java.net.URL;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import junit.framework.TestCase;
+
+import org.apache.catalina.realm.GenericPrincipal;
+import org.jboss.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
+import org.jboss.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator;
+import org.jboss.identity.federation.web.constants.GeneralConstants;
+import org.jboss.identity.federation.web.util.RedirectBindingUtil;
+import org.jboss.test.identity.federation.bindings.mock.*;
+
+/**
+ * Unit test for the Workflow for the SAML2 Redirect Binding
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Oct 20, 2009
+ */
+public class SAML2RedirectTomcatWorkflowUnitTestCase extends TestCase
+{
+ private String profile = "saml2/redirect";
+ private ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+ private String employee = "http://localhost:8080/employee/";
+
+ private String SAML_REQUEST_KEY = "SAMLRequest=";
+
+ private String SAML_RESPONSE_KEY = "SAMLResponse=";
+
+ public void testSAML2Redirect() throws Exception
+ {
+ MockCatalinaContextClassLoader mclSPEmp = setupTCL(profile +
"/sp/employee");
+ Thread.currentThread().setContextClassLoader(mclSPEmp);
+
+ SPRedirectFormAuthenticator sp = new SPRedirectFormAuthenticator();
+
+ MockCatalinaContext context = new MockCatalinaContext();
+ MockCatalinaRequest request = new MockCatalinaRequest();
+
+ request.setParameter(GeneralConstants.RELAY_STATE, null);
+
+ MockCatalinaResponse response = new MockCatalinaResponse();
+ MockCatalinaLoginConfig loginConfig = new MockCatalinaLoginConfig();
+
+ sp.setContainer(context);
+ sp.testStart();
+
+ sp.authenticate(request, response, loginConfig);
+
+ String redirectStr = response.redirectString;
+ assertNotNull("Redirect String is null?", redirectStr);
+ String saml = redirectStr.substring(redirectStr.indexOf(SAML_REQUEST_KEY) +
+ SAML_REQUEST_KEY.length());
+
+ MockCatalinaSession session = new MockCatalinaSession();
+
+ //Now send it to IDP
+ MockCatalinaRealm realm = new MockCatalinaRealm("anil", "test",
new Principal()
+ {
+ public String getName()
+ {
+ return "anil";
+ }
+ });
+
+ List<String> roles = new ArrayList<String>();
+ roles.add("manager");
+ roles.add("employee");
+
+ MockCatalinaContextClassLoader mclIDP = setupTCL(profile + "/idp/");
+ Thread.currentThread().setContextClassLoader(mclIDP);
+
+ request = new MockCatalinaRequest();
+ request.setRemoteAddr(employee);
+ request.setSession(session);
+ request.setParameter("SAMLRequest",
RedirectBindingUtil.urlDecode(saml));
+ request.setUserPrincipal(new GenericPrincipal(realm, "anil",
"test", roles) );
+ request.setMethod("GET");
+
+ response = new MockCatalinaResponse();
+
+ IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
+
+ idp.setSignOutgoingMessages(false);
+
+ idp.setContainer(context);
+ idp.start();
+ idp.invoke(request, response);
+
+ redirectStr = response.redirectString;
+ String samlResponse =
RedirectBindingUtil.urlDecode(redirectStr.substring(redirectStr.indexOf(SAML_RESPONSE_KEY)
+
+ SAML_RESPONSE_KEY.length()));
+
+ mclSPEmp = setupTCL(profile + "/sp/employee");
+ Thread.currentThread().setContextClassLoader(mclSPEmp);
+
+ sp = new SPRedirectFormAuthenticator();
+
+ context = new MockCatalinaContext();
+
+ context.setRealm(realm);
+ request = new MockCatalinaRequest();
+ request.setContext(context);
+
+ request.setMethod("GET");
+ request.setParameter("SAMLResponse", samlResponse);
+ request.setParameter("RelayState", null);
+ request.setSession(session);
+
+ response = new MockCatalinaResponse();
+ loginConfig = new MockCatalinaLoginConfig();
+
+ sp.setContainer(context);
+ sp.testStart();
+
+ assertTrue("Employee app auth success", sp.authenticate(request,
response, loginConfig) );
+ }
+
+ private MockCatalinaContextClassLoader setupTCL(String resource)
+ {
+ URL[] urls = new URL[] {tcl.getResource(resource)};
+
+ MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
+ mcl.setDelegate(tcl);
+ mcl.setProfile(resource);
+ return mcl;
+ }
+}
\ No newline at end of file
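Review bot: testSAML2Redirect() replaces the thread's context class loader three times and never restores it, so the mock loader leaks into every test that runs afterwards in the same JVM; restore it in a teardown, e.g. `protected void tearDown() { Thread.currentThread().setContextClassLoader(tcl); }`. The final assertion only checks that authenticate() returned true; asserting the principal and roles the SP recorded for the session would pin the actual SSO outcome, and with `idp.setSignOutgoingMessages(false)` only the unsigned-response path is exercised. Minor: the second SP request still uses the literal `"RelayState"` where the first uses `GeneralConstants.RELAY_STATE`, `SAML_REQUEST_KEY`/`SAML_RESPONSE_KEY` should be `private static final`, and the file lacks a trailing newline.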
Deleted:
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectWorkflowUnitTestCase.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectWorkflowUnitTestCase.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/workflow/SAML2RedirectWorkflowUnitTestCase.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -1,149 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2008, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
- */
-package org.jboss.test.identity.federation.bindings.workflow;
-
-import java.net.URL;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import junit.framework.TestCase;
-
-import org.apache.catalina.realm.GenericPrincipal;
-import org.jboss.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
-import org.jboss.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator;
-import org.jboss.identity.federation.web.util.RedirectBindingUtil;
-import org.jboss.test.identity.federation.bindings.mock.*;
-
-/**
- * @author Anil.Saldhana(a)redhat.com
- * @since Oct 20, 2009
- */
-public class SAML2RedirectWorkflowUnitTestCase extends TestCase
-{
- private String profile = "saml2/redirect";
- private ClassLoader tcl = Thread.currentThread().getContextClassLoader();
- private String employee = "http://localhost:8080/employee/";
-
- private String SAML_REQUEST_KEY = "SAMLRequest=";
-
- private String SAML_RESPONSE_KEY = "SAMLResponse=";
-
- public void testSAML2Redirect() throws Exception
- {
- MockCatalinaContextClassLoader mclSPEmp = setupTCL(profile +
"/sp/employee");
- Thread.currentThread().setContextClassLoader(mclSPEmp);
-
- SPRedirectFormAuthenticator sp = new SPRedirectFormAuthenticator();
-
- MockCatalinaContext context = new MockCatalinaContext();
- MockCatalinaRequest request = new MockCatalinaRequest();
-
- request.setParameter("RelayState", null);
-
- MockCatalinaResponse response = new MockCatalinaResponse();
- MockCatalinaLoginConfig loginConfig = new MockCatalinaLoginConfig();
-
- sp.setContainer(context);
- sp.testStart();
-
- sp.authenticate(request, response, loginConfig);
-
- String redirectStr = response.redirectString;
- assertNotNull("Redirect String is null?", redirectStr);
- String saml = redirectStr.substring(redirectStr.indexOf(SAML_REQUEST_KEY) +
- SAML_REQUEST_KEY.length());
-
- MockCatalinaSession session = new MockCatalinaSession();
-
- //Now send it to IDP
- MockCatalinaRealm realm = new MockCatalinaRealm("anil", "test",
new Principal()
- {
- public String getName()
- {
- return "anil";
- }
- });
-
- List<String> roles = new ArrayList<String>();
- roles.add("manager");
- roles.add("employee");
-
- MockCatalinaContextClassLoader mclIDP = setupTCL(profile + "/idp/");
- Thread.currentThread().setContextClassLoader(mclIDP);
-
- request = new MockCatalinaRequest();
- request.setRemoteAddr(employee);
- request.setSession(session);
- request.setParameter("SAMLRequest",
RedirectBindingUtil.urlDecode(saml));
- request.setUserPrincipal(new GenericPrincipal(realm, "anil",
"test", roles) );
- request.setMethod("GET");
-
- response = new MockCatalinaResponse();
-
- IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
-
- idp.setSignOutgoingMessages(false);
-
- idp.setContainer(context);
- idp.start();
- idp.invoke(request, response);
-
- redirectStr = response.redirectString;
- String samlResponse =
RedirectBindingUtil.urlDecode(redirectStr.substring(redirectStr.indexOf(SAML_RESPONSE_KEY)
+
- SAML_RESPONSE_KEY.length()));
-
- mclSPEmp = setupTCL(profile + "/sp/employee");
- Thread.currentThread().setContextClassLoader(mclSPEmp);
-
- sp = new SPRedirectFormAuthenticator();
-
- context = new MockCatalinaContext();
-
- context.setRealm(realm);
- request = new MockCatalinaRequest();
- request.setContext(context);
-
- request.setMethod("GET");
- request.setParameter("SAMLResponse", samlResponse);
- request.setParameter("RelayState", null);
- request.setSession(session);
-
- response = new MockCatalinaResponse();
- loginConfig = new MockCatalinaLoginConfig();
-
- sp.setContainer(context);
- sp.testStart();
-
- assertTrue("Employee app auth success", sp.authenticate(request,
response, loginConfig) );
- }
-
- private MockCatalinaContextClassLoader setupTCL(String resource)
- {
- URL[] urls = new URL[] {tcl.getResource(resource)};
-
- MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
- mcl.setDelegate(tcl);
- mcl.setProfile(resource);
- return mcl;
- }
-}
\ No newline at end of file
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/constants/GeneralConstants.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/constants/GeneralConstants.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/constants/GeneralConstants.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -45,7 +45,8 @@
String LOGOUT_PAGE = "LOGOUT_PAGE";
- String PRINCIPAL_ID = "jboss_identity.principal";
+ String PRINCIPAL_ID = "jboss_identity.principal";
+ String RELAY_STATE = "RelayState";
String ROLES = "ROLES";
String ROLES_ID = "jboss_identity.roles";
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/RolesGenerationHandler.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/RolesGenerationHandler.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/RolesGenerationHandler.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -41,7 +41,7 @@
import org.jboss.identity.federation.web.core.HTTPContext;
/**
- * Handles the generation of roles
+ * Handles the generation of roles on the IDP Side
* @author Anil.Saldhana(a)redhat.com
* @since Oct 7, 2009
*/
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -294,7 +294,7 @@
responseType = this.decryptAssertion(responseType);
}
- Principal userPrincipal = handleSAMLResponse(responseType);
+ Principal userPrincipal = handleSAMLResponse(responseType, response);
if(userPrincipal == null)
{
response.setError(403, "User Principal not determined:
Forbidden");
@@ -318,7 +318,7 @@
}
@SuppressWarnings("unchecked")
- private Principal handleSAMLResponse(ResponseType responseType)
+ private Principal handleSAMLResponse(ResponseType responseType,
SAML2HandlerResponse response)
throws ProcessingException
{
if(responseType == null)
@@ -368,6 +368,8 @@
roles.add(roleName);
}
+ response.setRoles(roles);
+
Principal principal = new Principal()
{
public String getName()
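Review bot: handleSAMLResponse() now writes the assertion's roles into the handler response as a side effect before the Principal is built, and neither its name nor its signature conveys that; add to the method Javadoc a sentence stating that `response` receives the roles, and prefer setting them only once a principal is actually returned so the caller's `userPrincipal == null` 403 path (first hunk) does not leave roles populated on the response. The roles come from assertion content, so this relies on the assertion's signature and conditions having been validated earlier in the handler, which is not visible here. The method body continues outside this hunk.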
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -223,7 +223,7 @@
HttpSession session = httpContext.getRequest().getSession(false);
String sessionID = session.getId();
- String relayState =
httpContext.getRequest().getParameter("RelayState");
+ String relayState =
httpContext.getRequest().getParameter(GeneralConstants.RELAY_STATE);
LogoutRequestType logOutRequest = (LogoutRequestType) request.getSAML2Object();
String issuer = logOutRequest.getIssuer().getValue();
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPLoginServlet.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPLoginServlet.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPLoginServlet.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -148,9 +148,9 @@
session.setAttribute("SAMLRequest",
request.getParameter("SAMLRequest"));
session.setAttribute("SAMLResponse",
request.getParameter("SAMLResponse"));
- String relayState = request.getParameter("RelayState");
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
if(relayState != null && !"".equals(relayState))
- session.setAttribute("RelayState", relayState );
+ session.setAttribute(GeneralConstants.RELAY_STATE, relayState );
session.setAttribute("Referer", request.getHeader("Referer"));
}
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPServlet.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPServlet.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/servlets/IDPServlet.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -246,7 +246,7 @@
String samlRequestMessage = (String)
session.getAttribute("SAMLRequest");
String samlResponseMessage = (String)
session.getAttribute("SAMLResponse");
- String relayState = (String) session.getAttribute("RelayState");
+ String relayState = (String) session.getAttribute(GeneralConstants.RELAY_STATE);
String referer = request.getHeader("Referer");
@@ -280,7 +280,7 @@
session.removeAttribute("SAMLResponse");
if(isNotNull(relayState))
- session.removeAttribute("RelayState");
+ session.removeAttribute(GeneralConstants.RELAY_STATE);
SAMLDocumentHolder samlDocumentHolder = null;
SAML2Object samlObject = null;
Modified:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/util/RedirectBindingSignatureUtil.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/util/RedirectBindingSignatureUtil.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/util/RedirectBindingSignatureUtil.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -43,6 +43,7 @@
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
@@ -226,7 +227,8 @@
{
//Construct the url again
String reqFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"SAMLRequest");
- String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"RelayState");
+ String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
+ GeneralConstants.RELAY_STATE);
String sigAlgFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"SigAlg");
StringBuilder sb = new StringBuilder();
Modified:
identity-federation/trunk/jboss-identity-web/src/test/java/org/jboss/test/identity/federation/web/workflow/saml2/SAML2LogoutWorkflowUnitTestCase.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/test/java/org/jboss/test/identity/federation/web/workflow/saml2/SAML2LogoutWorkflowUnitTestCase.java 2009-10-22
17:18:41 UTC (rev 870)
+++
identity-federation/trunk/jboss-identity-web/src/test/java/org/jboss/test/identity/federation/web/workflow/saml2/SAML2LogoutWorkflowUnitTestCase.java 2009-10-26
21:04:11 UTC (rev 871)
@@ -127,6 +127,20 @@
assertEquals("Match Employee URL", employee,
lor.getIssuer().getValue());
}
+ /**
+ * In this test case, we preload the IDP with 2 active participants
+ * namely the Sales app and Employee App. After this, the employee app
+ * issues a logout request. The IDP is supposed to receive this logout request,
+ * a) note that there are 2 session participants
+ * b) issue a logout request to the sales app
+ * c) the sales app invalidates its session
+ * d) the sales app issues a logout response (status response type) to the IDP
+ * e) the IDP sees that we have 1 participant left and because it is the same as the
+ * original logout requestor, invalidates its session and sends the logout success
+ * to the employee app.
+ * f) employee app invalidates its session
+ * @throws Exception
+ */
public void testSAML2LogOutFromIDPServlet() throws Exception
{
MockHttpSession session = new MockHttpSession();