Picketlink SVN: r304 - idm/trunk/picketlink-idm-spi/src/main/java/org/picketlink/idm/spi/configuration/metadata.
by picketlink-commits@lists.jboss.org
Author: shane.bryzak(a)jboss.com
Date: 2010-06-15 06:38:47 -0400 (Tue, 15 Jun 2010)
New Revision: 304
Modified:
idm/trunk/picketlink-idm-spi/src/main/java/org/picketlink/idm/spi/configuration/metadata/RelationshipMetaData.java
Log:
added javadoc
Modified: idm/trunk/picketlink-idm-spi/src/main/java/org/picketlink/idm/spi/configuration/metadata/RelationshipMetaData.java
===================================================================
--- idm/trunk/picketlink-idm-spi/src/main/java/org/picketlink/idm/spi/configuration/metadata/RelationshipMetaData.java 2010-06-11 20:06:20 UTC (rev 303)
+++ idm/trunk/picketlink-idm-spi/src/main/java/org/picketlink/idm/spi/configuration/metadata/RelationshipMetaData.java 2010-06-15 10:38:47 UTC (rev 304)
@@ -23,7 +23,10 @@
package org.picketlink.idm.spi.configuration.metadata;
/**
- * Relationship meta data
+ * Relationship meta data, used to represent a single allowed relationship type.
+ *
+ * This metadata is used by the configuration to define a set of allowable
+ * relationship types for a single identity store.
*
* @author <a href="mailto:boleslaw.dawidowicz at redhat.com">Boleslaw Dawidowicz</a>
* @version : 0.1 $
@@ -31,11 +34,16 @@
public interface RelationshipMetaData
{
/**
+ * Returns the name of the relationship type, e.g. MEMBER_OF, ROLE, etc
+ *
* @return RelationshipType name
*/
String getRelationshipTypeRef();
/**
+ * Returns the name of the allowed identity object type on the "to" side of
+ * the relationship, e.g. ORGANIZATION, GROUP.
+ *
* @return IdentityObjectType name
*/
String getIdentityObjectTypeRef();
Picketlink SVN: r303 - federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth.
by picketlink-commits@lists.jboss.org
Author: bmozaffa(a)redhat.com
Date: 2010-06-11 16:06:20 -0400 (Fri, 11 Jun 2010)
New Revision: 303
Added:
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML20TokenProviderUnitTestCase.java
Log:
PLFED-88: junit tests for the SAML20TokenProvider and its attribute provider functions
Added: federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML20TokenProviderUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML20TokenProviderUnitTestCase.java (rev 0)
+++ federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML20TokenProviderUnitTestCase.java 2010-06-11 20:06:20 UTC (rev 303)
@@ -0,0 +1,174 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.jboss.auth;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.Unmarshaller;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextAssociation;
+import org.jboss.security.SimpleGroup;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.plugins.JBossSecurityContext;
+import org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider;
+import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
+import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
+import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
+import org.picketlink.identity.federation.core.wstrust.wrappers.RequestSecurityToken;
+import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+import org.picketlink.identity.federation.saml.v2.assertion.AudienceRestrictionType;
+import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
+import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * This {@code TestCase} tests the functionalities of the {@code SAML20TokenRoleAttributeProvider} class.
+ * </p>
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class SAML20TokenProviderUnitTestCase extends TestCase
+{
+
+ private SAML20TokenProvider provider;
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ this.provider = new SAML20TokenProvider();
+ Map<String, String> properties = new HashMap<String, String>();
+ properties.put("AttributeProvider", SAML20TokenRoleAttributeProvider.class.getName());
+ properties.put(SAML20TokenRoleAttributeProvider.class.getName() + ".tokenRoleAttributeName", "roleAttributeName");
+ provider.initialize(properties);
+ }
+
+ /**
+ * <p>
+ * Tests the inclusion of the roles attributes in a SAMLV2.0 Assertion.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testIssueSAMLV20Token() throws Exception
+ {
+ // create a WSTrustRequestContext with a simple WS-Trust request.
+ RequestSecurityToken request = new RequestSecurityToken();
+ request.setLifetime(WSTrustUtil.createDefaultLifetime(3600000));
+ request.setAppliesTo(WSTrustUtil.createAppliesTo("http://services.testcorp.org/provider2"));
+ request.setTokenType(URI.create(SAMLUtil.SAML2_TOKEN_TYPE));
+
+ SecurityContext securityContext = new JBossSecurityContext("jmx-console");
+ SecurityContextAssociation.setSecurityContext(securityContext);
+
+ Principal principal = new SimplePrincipal("bmozaffa");
+ SimpleGroup group = new SimpleGroup(SAML20TokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME);
+ group.addMember(new SimplePrincipal("myTestRole"));
+ Subject newSubject = new Subject();
+ newSubject.getPrincipals().add(principal);
+ newSubject.getPrincipals().add(group);
+ SecurityContextAssociation.getSecurityContext().getUtil().createSubjectInfo(principal, null, newSubject);
+
+ WSTrustRequestContext context = new WSTrustRequestContext(request, principal);
+ context.setTokenIssuer("PicketLinkSTS");
+
+ // call the SAML token provider and check the generated token.
+ this.provider.issueToken(context);
+ assertNotNull("Unexpected null security token", context.getSecurityToken());
+
+ SecurityContextAssociation.clearSecurityContext();
+
+ JAXBContext jaxbContext = JAXBContext.newInstance("org.picketlink.identity.federation.saml.v2.assertion");
+ Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
+ JAXBElement<?> parsedElement = (JAXBElement<?>) unmarshaller.unmarshal((Element) context.getSecurityToken()
+ .getTokenValue());
+ assertNotNull("Unexpected null element", parsedElement);
+ assertEquals("Unexpected element type", AssertionType.class, parsedElement.getDeclaredType());
+
+ AssertionType assertion = (AssertionType) parsedElement.getValue();
+ StandardSecurityToken securityToken = (StandardSecurityToken) context.getSecurityToken();
+ assertEquals("Unexpected token id", securityToken.getTokenID(), assertion.getID());
+ assertEquals("Unexpected token issuer", "PicketLinkSTS", assertion.getIssuer().getValue());
+
+ // check the contents of the assertion conditions.
+ ConditionsType conditions = assertion.getConditions();
+ assertNotNull("Unexpected null conditions", conditions);
+ assertNotNull("Unexpected null value for NotBefore attribute", conditions.getNotBefore());
+ assertNotNull("Unexpected null value for NotOnOrAfter attribute", conditions.getNotOnOrAfter());
+ assertEquals("Unexpected number of conditions", 1, conditions.getConditionOrAudienceRestrictionOrOneTimeUse()
+ .size());
+ assertTrue("Unexpected condition type",
+ conditions.getConditionOrAudienceRestrictionOrOneTimeUse().get(0) instanceof AudienceRestrictionType);
+ AudienceRestrictionType restrictionType = (AudienceRestrictionType) conditions
+ .getConditionOrAudienceRestrictionOrOneTimeUse().get(0);
+ assertNotNull("Unexpected null audience list", restrictionType.getAudience());
+ assertEquals("Unexpected number of audience elements", 1, restrictionType.getAudience().size());
+ assertEquals("Unexpected audience value", "http://services.testcorp.org/provider2", restrictionType.getAudience()
+ .get(0));
+
+ // check the contents of the assertion subject.
+ SubjectType subject = assertion.getSubject();
+ assertNotNull("Unexpected null subject", subject);
+ assertEquals("Unexpected subject content size", 2, subject.getContent().size());
+ JAXBElement<?> content = subject.getContent().get(0);
+ assertEquals("Unexpected content type", NameIDType.class, content.getDeclaredType());
+ NameIDType nameID = (NameIDType) content.getValue();
+ assertEquals("Unexpected name id qualifier", "urn:picketlink:identity-federation", nameID.getNameQualifier());
+ assertEquals("Unexpected name id", "bmozaffa", nameID.getValue());
+ content = subject.getContent().get(1);
+ assertEquals("Unexpected content type", SubjectConfirmationType.class, content.getDeclaredType());
+ SubjectConfirmationType confirmation = (SubjectConfirmationType) content.getValue();
+ assertEquals("Unexpected confirmation method", SAMLUtil.SAML2_BEARER_URI, confirmation.getMethod());
+
+ StatementAbstractType statementAbstractType = assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().get(0);
+ assertNotNull("Unexpected null StatementAbstractType", statementAbstractType);
+ assertTrue("Unexpected type instead of AttributeStatement: " + statementAbstractType.getClass().getSimpleName(), statementAbstractType instanceof AttributeStatementType);
+ AttributeStatementType attributeStatement = (AttributeStatementType)statementAbstractType;
+ List<Object> attributes = attributeStatement.getAttributeOrEncryptedAttribute();
+ assertFalse("Unexpected empty list of attributes", attributes.isEmpty());
+ assertEquals("Unexpected number of attributes", 1, attributes.size());
+ Object attributeObject = attributes.iterator().next();
+ assertTrue("Unexpected type instead of AttributeStatement: " + attributeObject.getClass().getSimpleName(), attributeObject instanceof AttributeType);
+ AttributeType attribute = (AttributeType)attributeObject;
+ assertEquals("Unexpected name for the role attribute", "roleAttributeName", attribute.getName() );
+ assertEquals("Unexpected number of roles", 1, attribute.getAttributeValue().size());
+ assertEquals("Unexpected user role", "myTestRole", attribute.getAttributeValue().get(0));
+ }
+}
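Review bot: `SecurityContextAssociation.clearSecurityContext()` in `testIssueSAMLV20Token` runs only if `issueToken` and the first `assertNotNull` succeed; if either throws, the thread-local security context carrying a `Roles` group with `myTestRole` stays attached to the JUnit thread and can leak into later test cases in the same JVM, which is exactly the kind of state this provider reads. Move the clearing into an overridden `tearDown()` (`SecurityContextAssociation.clearSecurityContext(); super.tearDown();`) or wrap the issue/assert sequence in `try { … } finally { SecurityContextAssociation.clearSecurityContext(); }`. The test also only covers the explicitly configured `roleAttributeName`; a second case with the `.tokenRoleAttributeName` property absent would pin the documented fallback to the `role` default.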
Picketlink SVN: r302 - in federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink: test and 5 other directories.
by picketlink-commits@lists.jboss.org
Author: bmozaffa(a)redhat.com
Date: 2010-06-11 16:05:12 -0400 (Fri, 11 Jun 2010)
New Revision: 302
Added:
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java
Log:
Test class moved to org.picketlink.test
Added: federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java (rev 0)
+++ federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java 2010-06-11 20:05:12 UTC (rev 302)
@@ -0,0 +1,139 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.jboss.auth;
+
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.mapping.MappingProvider;
+import org.jboss.security.mapping.MappingResult;
+import org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider;
+import org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider;
+import org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider;
+import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
+import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
+import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * This {@code TestCase} tests the functionalities of {@code STSPrincipalMappingProvider} and {@code STSGroupMappingProvider}.
+ * </p>
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class STSMappingProviderUnitTestCase extends TestCase
+{
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ }
+
+ /**
+ * <p>
+ * Tests that {@code STSGroupMappingProvider} correctly maps and returns a {@code RoleGroup}
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testSTSGroupMappingProvider() throws Exception
+ {
+ String roleAttributeName = "roleAttributeName";
+ String role1 = "userRole1";
+ String role2 = "userRole2";
+
+ AssertionType assertion = new AssertionType();
+ AttributeStatementType attributeStatementType = new AttributeStatementType();
+ assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attributeStatementType);
+ AttributeType attributeType = new AttributeType();
+ attributeStatementType.getAttributeOrEncryptedAttribute().add(attributeType);
+ attributeType.setName(roleAttributeName);
+ attributeType.getAttributeValue().add(role1);
+ attributeType.getAttributeValue().add(role2);
+
+ MappingResult<RoleGroup> mappingResult = new MappingResult<RoleGroup>();
+ Map<String, Object> contextMap = new HashMap<String, Object>();
+ contextMap.put("token-role-attribute-name", roleAttributeName);
+ contextMap.put(AbstractSTSLoginModule.SHARED_TOKEN, SAMLUtil.toElement(assertion));
+
+ MappingProvider<RoleGroup> mappingProvider = new STSGroupMappingProvider();
+ mappingProvider.init(contextMap);
+ mappingProvider.setMappingResult(mappingResult);
+ mappingProvider.performMapping(contextMap, null);
+
+ RoleGroup roleGroup = mappingResult.getMappedObject();
+ assertNotNull("Unexpected null mapped role", roleGroup);
+ assertEquals("RoleGroup name has unexpected value", SAML20TokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME, roleGroup.getRoleName());
+ assertEquals("RoleGroup has unexpected first role", role1, roleGroup.getRoles().get(0).getRoleName());
+ assertEquals("RoleGroup has unexpected second role", role2, roleGroup.getRoles().get(1).getRoleName());
+ }
+
+ /**
+ * <p>
+ * Tests that {@code STSPrincipalMappingProvider} correctly maps and returns a {@code Principal}
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testSTSPrincipalMappingProvider() throws Exception
+ {
+ String userId = "babak";
+
+ AssertionType assertion = new AssertionType();
+ SubjectType subjectType = new SubjectType();
+ assertion.setSubject(subjectType);
+ QName name = new QName(WSTrustConstants.SAML2_ASSERTION_NS, "NameID");
+ Class<NameIDType> declaredType = NameIDType.class;
+ NameIDType nameIDType = new NameIDType();
+ nameIDType.setValue(userId);
+ JAXBElement<NameIDType> jaxbElement = new JAXBElement<NameIDType>(name, declaredType, JAXBElement.GlobalScope.class, nameIDType);
+ subjectType.getContent().add(jaxbElement);
+
+ MappingResult<Principal> mappingResult = new MappingResult<Principal>();
+ Map<String, Object> contextMap = new HashMap<String, Object>();
+ Element assertionElement = SAMLUtil.toElement(assertion);
+ contextMap.put(AbstractSTSLoginModule.SHARED_TOKEN, assertionElement);
+
+ MappingProvider<Principal> mappingProvider = new STSPrincipalMappingProvider();
+ mappingProvider.init(contextMap);
+ mappingProvider.setMappingResult(mappingResult);
+ mappingProvider.performMapping(contextMap, null);
+
+ Principal principal = mappingResult.getMappedObject();
+ assertNotNull("Unexpected null mapped principal", principal);
+ assertEquals("Principal has unexpected value", userId, principal.getName());
+ }
+}
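Review bot: Both tests exercise only the positive path — an assertion carrying exactly the expected `NameID` and role attribute — and nothing checks what `STSGroupMappingProvider` does when the assertion has no `AttributeStatement` or carries an attribute whose name differs from the configured `token-role-attribute-name`; since these providers decide which roles a JBoss Subject obtains from a token, a case asserting that `mappingResult.getMappedObject()` is null or holds no roles there would pin the fail-closed behavior. The option key `"token-role-attribute-name"` is a bare literal in `testSTSGroupMappingProvider`; if `STSGroupMappingProvider` declares a constant for it, reference that constant so the test and the provider cannot drift apart. The `setUp()` override that only calls `super.setUp()` adds nothing and can be removed.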
Picketlink SVN: r299 - federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth.
by picketlink-commits@lists.jboss.org
Author: bmozaffa(a)redhat.com
Date: 2010-06-11 15:59:18 -0400 (Fri, 11 Jun 2010)
New Revision: 299
Added:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
Log:
PLFED-88: Provided an OOTB attribute provider for the SAML20TokenProvider for a JBoss server environment. This attribute provider looks at the currently authenticated JAAS Subject and returns any available user roles in the form of a SAML token multi-valued Attribute. The attribute name defaults to role but is configurable
Added: federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java (rev 0)
+++ federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java 2010-06-11 19:59:18 UTC (rev 299)
@@ -0,0 +1,112 @@
+package org.picketlink.identity.federation.bindings.jboss.auth;
+
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.SecurityContextAssociation;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenAttributeProvider;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+
+/**
+ * <p>
+ * An implementation of the SAML20TokenAttributeProvider for JBoss which looks at the authenticated Subject
+ * and creates an Attribute containing the user's roles.
+ * </p>
+ *
+ * <h3>Configuration</h3>
+ * <pre>{@code
+ * <TokenProviders>
+ * <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
+ * TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
+ * TokenElement="Assertion"
+ * TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion">
+ * <Property Key="AttributeProvider" Value="org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider"/>
+ * <Property Key="org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider.tokenRoleAttributeName" Value="role"/>
+ * </TokenProvider>
+ * </TokenProviders>
+ * }
+ * </pre>
+ *
+ * When configured, this attribute provider will be called by the {@code SAML20TokenProvider} to return an {@code AttributeStatement}
+ * from the STS token and supply them for insertion into the JAAS Subject.
+ * This returns a multi-valued Attribute to be included in the Assertion, where each value of the attribute is a JBoss user role.
+ * The name of this attribute defaults to {@code DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME} but
+ * may be set to any value through an optional property as shown above.
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class SAML20TokenRoleAttributeProvider implements SAML20TokenAttributeProvider
+{
+ private static Logger logger = Logger.getLogger(SAML20TokenRoleAttributeProvider.class);
+
+ /**
+ * The name of the principal in JBoss that is expected to include user roles
+ */
+ public static final String JBOSS_ROLE_PRINCIPAL_NAME = "Roles";
+
+ /**
+ * The default attribute name in the SAML Token that will carry the user's roles, if not configured otherwise
+ */
+ public static final String DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME = "role";
+
+ /**
+ * The name of the attribute in the SAML Token that will carry the user's roles
+ */
+ private String tokenRoleAttributeName;
+
+ @Override
+ public void setProperties(Map<String, String> properties)
+ {
+ String roleAttrKey = this.getClass().getName() + ".tokenRoleAttributeName";
+ tokenRoleAttributeName = properties.get(roleAttrKey);
+ if( tokenRoleAttributeName == null )
+ {
+ tokenRoleAttributeName = DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME;
+ }
+ }
+
+ @Override
+ public AttributeStatementType getAttributeStatement()
+ {
+ Subject subject = SecurityContextAssociation.getSecurityContext().getSubjectInfo().getAuthenticatedSubject();
+ if( subject == null )
+ {
+ if (logger.isDebugEnabled())
+ logger.debug("No authentication Subject found, cannot provide any user roles!");
+ return null;
+ }
+ else
+ {
+ AttributeStatementType attributeStatement = new AttributeStatementType();
+ AttributeType rolesAttribute = new AttributeType();
+ rolesAttribute.setName(tokenRoleAttributeName);
+ attributeStatement.getAttributeOrEncryptedAttribute().add(rolesAttribute);
+
+ List<Object> roles = rolesAttribute.getAttributeValue();
+ for( Principal rolePrincipal : subject.getPrincipals() )
+ {
+ if( JBOSS_ROLE_PRINCIPAL_NAME.equalsIgnoreCase( rolePrincipal.getName() ) )
+ {
+ Group simpleGroup = (Group)rolePrincipal;
+ Enumeration<? extends Principal> members = simpleGroup.members();
+ while( members.hasMoreElements() )
+ {
+ Principal role = (Principal)members.nextElement();
+ roles.add( role.getName() );
+ }
+ }
+ }
+ if (logger.isDebugEnabled())
+ logger.debug("Returning an AttributeStatement with a [" + tokenRoleAttributeName + "] attribute containing: " + rolesAttribute.getAttributeValue());
+ return attributeStatement;
+ }
+ }
+
+}
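Review bot: `getAttributeStatement()` dereferences `SecurityContextAssociation.getSecurityContext()` and then `getSubjectInfo()` with no null check, so on a thread that has no associated security context the method throws a NullPointerException out of `issueToken` instead of reaching the "no authentication Subject" branch that already returns null. The cast `(Group)rolePrincipal` is likewise unguarded: any principal whose name matches `Roles` case-insensitively but is not a `Group` becomes a ClassCastException, so the cast should be gated by `instanceof Group` (the two guarding types below, `SecurityContext` and `SubjectInfo`, come from `org.jboss.security`, which this file already imports from). The class javadoc sentence "will be called by the SAML20TokenProvider to return an AttributeStatement from the STS token and supply them for insertion into the JAAS Subject" describes the opposite direction from the code — it reads the JAAS Subject and adds the roles to the issued token — and should read along the lines of `reads the roles of the currently authenticated JAAS Subject and returns them as an AttributeStatement to be inserted into the issued Assertion`.
```java
SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
SubjectInfo subjectInfo = securityContext == null ? null : securityContext.getSubjectInfo();
Subject subject = subjectInfo == null ? null : subjectInfo.getAuthenticatedSubject();
if( subject == null )
{
   // … unchanged: debug log and return null …
}
// … unchanged: AttributeStatementType / AttributeType construction …
for( Principal rolePrincipal : subject.getPrincipals() )
{
   if( rolePrincipal instanceof Group && JBOSS_ROLE_PRINCIPAL_NAME.equalsIgnoreCase( rolePrincipal.getName() ) )
   {
      Group simpleGroup = (Group)rolePrincipal;
      // … unchanged: member enumeration into roles …
   }
}
```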
Picketlink SVN: r298 - federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml.
by picketlink-commits@lists.jboss.org
Author: bmozaffa(a)redhat.com
Date: 2010-06-11 15:51:14 -0400 (Fri, 11 Jun 2010)
New Revision: 298
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenAttributeProvider.java
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java
Log:
PLFED-88: Provided a pluggable interface for the SAML20TokenProvider which, if configured, is called to retrieve any available attributes and include them in the token
Added: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenAttributeProvider.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenAttributeProvider.java (rev 0)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenAttributeProvider.java 2010-06-11 19:51:14 UTC (rev 298)
@@ -0,0 +1,31 @@
+package org.picketlink.identity.federation.core.wstrust.plugins.saml;
+
+import java.util.Map;
+
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+
+/**
+ * <p>
+ * An interface used by {@code SAML20TokenProvider} to retrieve an environment specific attribute that will be
+ * inserted into the Assertion.
+ * </p>
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public interface SAML20TokenAttributeProvider
+{
+ /**
+ * Sets properties on the Attribute Provider that may affect its behavior
+ *
+ * @param properties A set of string properties, some or all of which might impact the provider's behavior
+ */
+ void setProperties( Map<String, String> properties );
+
+ /**
+ * Given the security context, environment or other static or non-static criteria, returns an attribute statement
+ * to be included in the SAML v2 Assertion
+ *
+ * @return An Attribute Statement to be inserted in the SAML v2 Assertion
+ */
+ AttributeStatementType getAttributeStatement();
+}
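Review bot: The javadoc of `getAttributeStatement()` does not say that returning null is allowed, yet the implementation added in r299 returns null when no authenticated Subject is found and `SAML20TokenProvider` checks for null before appending the statement; an implementor reading only this interface cannot tell whether null is a legal "nothing to add" result. Extend the `@return` line to `@return An Attribute Statement to be inserted in the SAML v2 Assertion, or {@code null} if no attributes are available for the current request (no statement is added in that case)`. The `setProperties` javadoc should also state that the map is the full TokenProvider property set rather than a provider-specific subset, so implementations must namespace their own keys — the role provider prefixes its key with its class name for exactly that reason.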
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java 2010-06-11 19:40:21 UTC (rev 297)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java 2010-06-11 19:51:14 UTC (rev 298)
@@ -44,11 +44,12 @@
import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
import org.picketlink.identity.federation.core.wstrust.plugins.DefaultRevocationRegistry;
-import org.picketlink.identity.federation.core.wstrust.plugins.RevocationRegistry;
import org.picketlink.identity.federation.core.wstrust.plugins.FileBasedRevocationRegistry;
import org.picketlink.identity.federation.core.wstrust.plugins.JPABasedRevocationRegistry;
+import org.picketlink.identity.federation.core.wstrust.plugins.RevocationRegistry;
import org.picketlink.identity.federation.core.wstrust.wrappers.Lifetime;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AudienceRestrictionType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
import org.picketlink.identity.federation.saml.v2.assertion.KeyInfoConfirmationDataType;
@@ -79,11 +80,15 @@
private static final String REVOCATION_REGISTRY_FILE = "RevocationRegistryFile";
private static final String REVOCATION_REGISTRY_JPA_CONFIG = "RevocationRegistryJPAConfig";
-
+
+ private static final String ATTRIBUTE_PROVIDER = "AttributeProvider";
+
private RevocationRegistry revocationRegistry;
private Map<String, String> properties;
+ private SAML20TokenAttributeProvider attributeProvider;
+
/*
* (non-Javadoc)
*
@@ -145,6 +150,29 @@
}
}
}
+
+ // Check if an attribute provider has been set.
+ String attributeProviderClassName = this.properties.get(ATTRIBUTE_PROVIDER);
+ if (attributeProviderClassName == null)
+ {
+ if (logger.isDebugEnabled())
+ logger.debug("No attribute provider set");
+ }
+ else
+ {
+ try
+ {
+ @SuppressWarnings("unchecked")
+ Class<SAML20TokenAttributeProvider> attributeProviderClass = (Class<SAML20TokenAttributeProvider>) Class
+ .forName(attributeProviderClassName);
+ attributeProvider = attributeProviderClass.newInstance();
+ attributeProvider.setProperties(properties);
+ }
+ catch (Exception e)
+ {
+ throw new IllegalStateException(e);
+ }
+ }
}
/*
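Review bot: The unchecked cast `(Class<SAML20TokenAttributeProvider>) Class.forName(...)` is a no-op at runtime, so a configured class that does not implement the interface only fails at the assignment after `newInstance()` with a bare ClassCastException, and the rethrown `IllegalStateException(e)` gives no hint of which property or class was at fault. Replace the two lines with `attributeProvider = Class.forName(attributeProviderClassName).asSubclass(SAML20TokenAttributeProvider.class).newInstance();` — this removes the `@SuppressWarnings` and fails with a message naming the class — and add context on rethrow: `throw new IllegalStateException("Unable to instantiate AttributeProvider " + attributeProviderClassName, e);`. Note too that `Class.forName(String)` resolves against this class's loader in fed-core while the shipped implementation lives in the bindings-jboss module; if those are deployed in separate classloaders the lookup needs the thread context classloader (`Class.forName(name, true, Thread.currentThread().getContextClassLoader())`) — worth confirming against how the revocation registries earlier in this method are loaded. The enclosing method (presumably `initialize`) starts before the hunk.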
@@ -230,6 +258,15 @@
AssertionType assertion = SAMLAssertionFactory.createAssertion(assertionID, issuerID, lifetime.getCreated(),
conditions, subject, statements);
+ if (attributeProvider != null)
+ {
+ AttributeStatementType attributeStatement = attributeProvider.getAttributeStatement();
+ if (attributeStatement != null)
+ {
+ assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attributeStatement);
+ }
+ }
+
// convert the constructed assertion to element.
Element assertionElement = null;
try
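Review bot: `attributeProvider.getAttributeStatement()` on L631 takes no arguments, so the provider has no way of knowing which subject the assertion on L627 is being issued for, and whatever statement it returns is attached to every issued token. If this is meant to feed a role attribute provider, that only works if the implementation reads the caller from a thread-bound security context; otherwise every token carries the same attributes, which is a privilege issue rather than a configuration one. The contract should be stated on the provider interface, e.g. `/** Called once per issued assertion; implementations must derive attributes for the current caller (e.g. from the security context), never return a fixed statement. */` — the interface and the rest of this method are outside the hunk.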
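Review bot: The mailing-list age stamp on this line is list chrome, not part of the commit record.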
Picketlink SVN: r296 - in federation/trunk/picketlink-bindings-jboss: src/main/java/org/picketlink/identity/federation/bindings/jboss/auth and 9 other directories.
by picketlink-commits@lists.jboss.org
Author: bmozaffa(a)redhat.com
Date: 2010-06-11 15:25:03 -0400 (Fri, 11 Jun 2010)
New Revision: 296
Added:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSGroupMappingProvider.java
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSPrincipalMappingProvider.java
federation/trunk/picketlink-bindings-jboss/src/test/java/org/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/jboss/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/jboss/auth/
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java
Modified:
federation/trunk/picketlink-bindings-jboss/pom.xml
Log:
PLFED-87: STS Login Modules now look for any configured principal and role mapping providers in the security domain and use them to obtain user id and role and populate the Subject with them. These two OOTB mapping providers extract and return the user's id and roles for use in a JBoss environment.
Modified: federation/trunk/picketlink-bindings-jboss/pom.xml
===================================================================
--- federation/trunk/picketlink-bindings-jboss/pom.xml 2010-06-11 19:13:30 UTC (rev 295)
+++ federation/trunk/picketlink-bindings-jboss/pom.xml 2010-06-11 19:25:03 UTC (rev 296)
@@ -81,6 +81,12 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.jboss.javaee</groupId>
+ <artifactId>jboss-javaee</artifactId>
+ <version>5.0.0.CR1</version>
+ <scope>provided</scope>
+ </dependency>
</dependencies>
<reporting>
Added: federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSGroupMappingProvider.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSGroupMappingProvider.java (rev 0)
+++ federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSGroupMappingProvider.java 2010-06-11 19:25:03 UTC (rev 296)
@@ -0,0 +1,186 @@
+package org.picketlink.identity.federation.bindings.jboss.auth.mapping;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.bind.JAXBException;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.identity.plugins.SimpleRole;
+import org.jboss.security.identity.plugins.SimpleRoleGroup;
+import org.jboss.security.mapping.MappingProvider;
+import org.jboss.security.mapping.MappingResult;
+import org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider;
+import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
+import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * This mapping provider looks at the role attributes in the Assertion and
+ * returns corresponding JBoss RoleGroup objects for insertion into the Subject.
+ * </p>
+ *
+ * <h3>Configuration</h3>
+ * <pre>{@code
+ * <application-policy name="saml-issue-token">
+ * <authentication>
+ * <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
+ * <module-option name="configFile">/sts-client.properties</module-option>
+ * <module-option name="password-stacking">useFirstPass</module-option>
+ * </login-module>
+ * </authentication>
+ * <mapping>
+ * <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal"/>
+ * <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role">
+ * <module-option name="token-role-attribute-name">role</module-option>
+ * </mapping-module>
+ * </mapping>
+ * </application-policy>
+ * }
+ * </pre>
+ *
+ * As demonstrated above, this mapping provider is typically configured for an STS Login Module to extract user roles
+ * from the STS token and supply them for insertion into the JAAS Subject.
+ *
+ * This mapping provider looks for a multi-valued Attribute in the Assertion, where each value is a user role.
+ * The name of this attribute defaults to {@code SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME} but
+ * may be set to any value through the "token-role-attribute-name" module option.
+ * <p/>
+ *
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class STSGroupMappingProvider implements MappingProvider<RoleGroup>
+{
+ private Logger log = Logger.getLogger(STSGroupMappingProvider.class);
+
+ private MappingResult<RoleGroup> result;
+
+ private String tokenRoleAttributeName;
+
+ @Override
+ public void init(Map<String, Object> contextMap)
+ {
+ Object tokenRoleAttributeObject = contextMap.get("token-role-attribute-name");
+ if (tokenRoleAttributeObject != null)
+ {
+ tokenRoleAttributeName = (String) tokenRoleAttributeObject;
+ }
+ else
+ {
+ tokenRoleAttributeName = SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME;
+ }
+
+ //No initialization needed
+ if (log.isDebugEnabled())
+ {
+ log.debug("Initialized with " + contextMap);
+ }
+ }
+
+ @Override
+ public void performMapping(Map<String, Object> contextMap, RoleGroup Group)
+ {
+ if (log.isDebugEnabled())
+ {
+ log.debug("performMapping with map as " + contextMap);
+ }
+ if (contextMap == null)
+ {
+ throw new IllegalArgumentException(
+ "Empty context map. SAML Token must be provided in the context map to extract a Principal");
+ }
+
+ Object tokenObject = contextMap.get(AbstractSTSLoginModule.SHARED_TOKEN);
+ if (!(tokenObject instanceof Element))
+ {
+ throw new IllegalArgumentException("Did not find a token " + Element.class.getClass().getName() + " under "
+ + AbstractSTSLoginModule.SHARED_TOKEN + " in the map");
+ }
+
+ try
+ {
+ Element tokenElement = (Element) tokenObject;
+ AssertionType assertion = SAMLUtil.fromElement(tokenElement);
+
+ // check the assertion statements and look for role attributes.
+ AttributeStatementType attributeStatement = this.getAttributeStatement(assertion);
+ if (attributeStatement != null)
+ {
+ RoleGroup rolesGroup = new SimpleRoleGroup(SAML20TokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME);
+ List<Object> attributeList = attributeStatement.getAttributeOrEncryptedAttribute();
+ for (Object obj : attributeList)
+ {
+ if (obj instanceof AttributeType)
+ {
+ AttributeType attribute = (AttributeType) obj;
+ // if this is a role attribute, get its values and add them to the role set.
+ if (tokenRoleAttributeName.equals(attribute.getName()))
+ {
+ for (Object value : attribute.getAttributeValue())
+ {
+ rolesGroup.addRole(new SimpleRole((String) value));
+ }
+ }
+ }
+ }
+ result.setMappedObject(rolesGroup);
+ if (log.isDebugEnabled())
+ {
+ log.debug("Mapped roles to " + rolesGroup);
+ }
+ }
+ }
+ catch (JAXBException e)
+ {
+ throw new IllegalArgumentException(e);
+ }
+ }
+
+ @Override
+ public void setMappingResult(MappingResult<RoleGroup> mappingResult)
+ {
+ this.result = mappingResult;
+ }
+
+ /**
+ * @see MappingProvider#supports(Class)
+ */
+ public boolean supports(Class<?> p)
+ {
+ if (RoleGroup.class.isAssignableFrom(p))
+ return true;
+
+ return false;
+ }
+
+ /**
+ * <p>
+ * Checks if the specified SAML assertion contains a {@code AttributeStatementType} and returns this type when it
+ * is available.
+ * </p>
+ *
+ * @param assertion a reference to the {@code AssertionType} that may contain an {@code AttributeStatementType}.
+ * @return the assertion's {@code AttributeStatementType}, or {@code null} if no such type can be found in the SAML
+ * assertion.
+ */
+ private AttributeStatementType getAttributeStatement(AssertionType assertion)
+ {
+ List<StatementAbstractType> statementList = assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement();
+ if (statementList.size() != 0)
+ {
+ for (StatementAbstractType statement : statementList)
+ {
+ if (statement instanceof AttributeStatementType)
+ return (AttributeStatementType) statement;
+ }
+ }
+ return null;
+ }
+}
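Review bot: The cast `(String) value` on L811 assumes every AttributeValue is a String, but `getAttributeValue()` on L809 is a list of Object (the SAML AttributeValue is xs:anyType), so a value that unmarshals as a DOM element or another type throws ClassCastException, which the `catch (JAXBException e)` on L823 does not cover. Guard it: `if (value instanceof String) rolesGroup.addRole(new SimpleRole((String) value)); else log.warn("Ignoring non-string role attribute value: " + value);`. Separately, getAttributeStatement on L856–L868 returns only the first AttributeStatement, so roles carried in a second statement of the same assertion are silently dropped; iterating all statements would be safer. The error message on L786 uses `Element.class.getClass().getName()`, which prints `java.lang.Class` rather than the Element type — `Element.class.getName()` was intended.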
Added: federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSPrincipalMappingProvider.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSPrincipalMappingProvider.java (rev 0)
+++ federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/mapping/STSPrincipalMappingProvider.java 2010-06-11 19:25:03 UTC (rev 296)
@@ -0,0 +1,107 @@
+package org.picketlink.identity.federation.bindings.jboss.auth.mapping;
+
+import java.security.Principal;
+import java.util.Map;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.mapping.MappingResult;
+import org.jboss.security.mapping.providers.principal.AbstractPrincipalMappingProvider;
+import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
+import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * This mapping provider looks at the NameID in the Assertion and
+ * returns a corresponding JBoss Principal for insertion into the Subject.
+ * </p>
+ *
+ * <h3>Configuration</h3>
+ * <pre>{@code
+ * <application-policy name="saml-issue-token">
+ * <authentication>
+ * <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
+ * <module-option name="configFile">/sts-client.properties</module-option>
+ * <module-option name="password-stacking">useFirstPass</module-option>
+ * </login-module>
+ * </authentication>
+ * <mapping>
+ * <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal"/>
+ * <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role"/>
+ * </mapping>
+ * </application-policy>
+ * }
+ * </pre>
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class STSPrincipalMappingProvider extends AbstractPrincipalMappingProvider
+{
+ private Logger log = Logger.getLogger(STSPrincipalMappingProvider.class);
+
+ private MappingResult<Principal> result;
+
+ @Override
+ public void init(Map<String, Object> contextMap)
+ {
+ //No initialization needed
+ }
+
+ @Override
+ public void performMapping(Map<String, Object> contextMap, Principal principal)
+ {
+ if (contextMap == null)
+ {
+ throw new IllegalArgumentException(
+ "Empty context map. SAML Token must be provided in the context map to extract a Principal");
+ }
+
+ Object tokenObject = contextMap.get(AbstractSTSLoginModule.SHARED_TOKEN);
+ if (!(tokenObject instanceof Element))
+ {
+ throw new IllegalArgumentException("Did not find a token " + Element.class.getClass().getName() + " under "
+ + AbstractSTSLoginModule.SHARED_TOKEN + " in the map");
+ }
+
+ try
+ {
+ Element tokenElement = (Element) tokenObject;
+ AssertionType assertion = SAMLUtil.fromElement(tokenElement);
+ SubjectType subject = assertion.getSubject();
+ if (subject != null)
+ {
+ for (JAXBElement<?> element : subject.getContent())
+ {
+ if (element.getDeclaredType().equals(NameIDType.class))
+ {
+ NameIDType nameID = (NameIDType) element.getValue();
+ Principal mappedPrincipal = new SimplePrincipal(nameID.getValue());
+ result.setMappedObject(mappedPrincipal);
+ if (log.isDebugEnabled())
+ {
+ log.debug("Mapped principal to " + mappedPrincipal);
+ }
+ return;
+ }
+ }
+ }
+ }
+ catch (JAXBException e)
+ {
+ throw new IllegalArgumentException(e);
+ }
+ }
+
+ @Override
+ public void setMappingResult(MappingResult<Principal> mappingResult)
+ {
+ this.result = mappingResult;
+ }
+}
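Review bot: performMapping on L932–L974 returns without setting a result when the Subject carries no NameID (an EncryptedID or BaseID, or no Subject at all), so the login module receives a null mapped principal with no indication of why; the only diagnostic in the method is the debug line on the success path. Either fail explicitly after the loop, `throw new IllegalArgumentException("No NameID found in the SAML assertion Subject");`, or at least log at warn level so a token that maps to no principal is visible in the server log. The same `Element.class.getClass().getName()` slip as in the group provider appears on L943 and prints `java.lang.Class`; `Element.class.getName()` was meant.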
Added: federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java (rev 0)
+++ federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/identity/federation/bindings/jboss/auth/STSMappingProviderUnitTestCase.java 2010-06-11 19:25:03 UTC (rev 296)
@@ -0,0 +1,138 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.bindings.jboss.auth;
+
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.mapping.MappingProvider;
+import org.jboss.security.mapping.MappingResult;
+import org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider;
+import org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider;
+import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
+import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
+import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * This {@code TestCase} tests the functionalities of {@code STSPrincipalMappingProvider} and {@code STSGroupMappingProvider}.
+ * </p>
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class STSMappingProviderUnitTestCase extends TestCase
+{
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ }
+
+ /**
+ * <p>
+ * Tests that {@code STSGroupMappingProvider} correctly maps and returns a {@code RoleGroup}
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testSTSGroupMappingProvider() throws Exception
+ {
+ String roleAttributeName = "roleAttributeName";
+ String role1 = "userRole1";
+ String role2 = "userRole2";
+
+ AssertionType assertion = new AssertionType();
+ AttributeStatementType attributeStatementType = new AttributeStatementType();
+ assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attributeStatementType);
+ AttributeType attributeType = new AttributeType();
+ attributeStatementType.getAttributeOrEncryptedAttribute().add(attributeType);
+ attributeType.setName(roleAttributeName);
+ attributeType.getAttributeValue().add(role1);
+ attributeType.getAttributeValue().add(role2);
+
+ MappingResult<RoleGroup> mappingResult = new MappingResult<RoleGroup>();
+ Map<String, Object> contextMap = new HashMap<String, Object>();
+ contextMap.put("token-role-attribute-name", roleAttributeName);
+ contextMap.put(AbstractSTSLoginModule.SHARED_TOKEN, SAMLUtil.toElement(assertion));
+
+ MappingProvider<RoleGroup> mappingProvider = new STSGroupMappingProvider();
+ mappingProvider.init(contextMap);
+ mappingProvider.setMappingResult(mappingResult);
+ mappingProvider.performMapping(contextMap, null);
+
+ RoleGroup roleGroup = mappingResult.getMappedObject();
+ assertNotNull("Unexpected null mapped role", roleGroup);
+ assertEquals("RoleGroup name has unexpected value", SAML20TokenRoleAttributeProvider.JBOSS_ROLE_PRINCIPAL_NAME, roleGroup.getRoleName());
+ assertEquals("RoleGroup has unexpected first role", role1, roleGroup.getRoles().get(0).getRoleName());
+ assertEquals("RoleGroup has unexpected second role", role2, roleGroup.getRoles().get(1).getRoleName());
+ }
+
+ /**
+ * <p>
+ * Tests that {@code STSPrincipalMappingProvider} correctly maps and returns a {@code Principal}
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testSTSPrincipalMappingProvider() throws Exception
+ {
+ String userId = "babak";
+
+ AssertionType assertion = new AssertionType();
+ SubjectType subjectType = new SubjectType();
+ assertion.setSubject(subjectType);
+ QName name = new QName(WSTrustConstants.SAML2_ASSERTION_NS, "NameID");
+ Class<NameIDType> declaredType = NameIDType.class;
+ NameIDType nameIDType = new NameIDType();
+ nameIDType.setValue(userId);
+ JAXBElement<NameIDType> jaxbElement = new JAXBElement<NameIDType>(name, declaredType, JAXBElement.GlobalScope.class, nameIDType);
+ subjectType.getContent().add(jaxbElement);
+
+ MappingResult<Principal> mappingResult = new MappingResult<Principal>();
+ Map<String, Object> contextMap = new HashMap<String, Object>();
+ Element assertionElement = SAMLUtil.toElement(assertion);
+ contextMap.put(AbstractSTSLoginModule.SHARED_TOKEN, assertionElement);
+
+ MappingProvider<Principal> mappingProvider = new STSPrincipalMappingProvider();
+ mappingProvider.init(contextMap);
+ mappingProvider.setMappingResult(mappingResult);
+ mappingProvider.performMapping(contextMap, null);
+
+ Principal principal = mappingResult.getMappedObject();
+ assertNotNull("Unexpected null mapped principal", principal);
+ assertEquals("Principal has unexpected value", userId, principal.getName());
+ }
+}
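Review bot: Both tests exercise only the happy path; there is no case for an assertion without an AttributeStatement, an attribute whose name does not match `token-role-attribute-name`, a non-String attribute value, or a Subject without a NameID, which are exactly the branches where the providers leave the MappingResult unset or throw. One negative test per provider — build the AssertionType without the statement or NameID and assert that `mappingResult.getMappedObject()` is null, or that the expected exception is thrown — would pin the intended failure behavior. testSTSGroupMappingProvider always sets `token-role-attribute-name` on L1074, so the default-name fallback in init is never verified; a second run without that entry would cover it.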
Picketlink SVN: r295 - in federation/trunk/picketlink-fed-core: src/main/java/org/picketlink/identity/federation/core/wstrust/auth and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: bmozaffa(a)redhat.com
Date: 2010-06-11 15:13:30 -0400 (Fri, 11 Jun 2010)
New Revision: 295
Modified:
federation/trunk/picketlink-fed-core/pom.xml
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java
Log:
PLFED-87: STS Login Modules now look for any configured principal and role mapping providers in the security domain and use them to obtain user id and role and populate the Subject with them
Modified: federation/trunk/picketlink-fed-core/pom.xml
===================================================================
--- federation/trunk/picketlink-fed-core/pom.xml 2010-06-11 18:50:46 UTC (rev 294)
+++ federation/trunk/picketlink-fed-core/pom.xml 2010-06-11 19:13:30 UTC (rev 295)
@@ -73,6 +73,18 @@
<artifactId>jbossxacml</artifactId>
</dependency>
<dependency>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-security-spi</artifactId>
+ <version>2.0.4</version>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jbosssx</artifactId>
+ <version>2.0.4</version>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
<groupId>javax.persistence</groupId>
<artifactId>persistence-api</artifactId>
</dependency>
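Review bot: Adding `jboss-security-spi` and `jbosssx` with `compile` scope on L1144–L1154 makes picketlink-fed-core, which the separate bindings-jboss module suggests is meant to stay container-neutral, depend on PicketBox at both compile and run time; AbstractSTSLoginModule would then fail with NoClassDefFoundError on any platform without those jars, even where no mapping provider is configured, because the new getMappingManager touches SecurityContextAssociation unconditionally. Consider `provided` scope, or moving the mapping lookup into bindings-jboss next to the mapping providers. The version `2.0.4` is also pinned inline while the neighbouring jbossxacml dependency on L1141 carries no version, so it is presumably managed by the parent — confirm these two should not be managed the same way.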
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java 2010-06-11 18:50:46 UTC (rev 294)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java 2010-06-11 19:13:30 UTC (rev 295)
@@ -21,6 +21,8 @@
package org.picketlink.identity.federation.core.wstrust.auth;
import java.io.IOException;
+import java.security.Principal;
+import java.util.HashMap;
import java.util.Map;
import java.util.Set;
@@ -34,6 +36,15 @@
import javax.security.auth.spi.LoginModule;
import org.apache.log4j.Logger;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextAssociation;
+import org.jboss.security.SimpleGroup;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.identity.Role;
+import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.mapping.MappingContext;
+import org.jboss.security.mapping.MappingManager;
+import org.jboss.security.mapping.MappingType;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.wstrust.STSClient;
import org.picketlink.identity.federation.core.wstrust.STSClientConfig;
@@ -99,7 +110,30 @@
* will set the username and password in the shared state map. Login modules that come after can set 'password-stacking'
* to 'useFirstPass' which means that that login module will use the username and password from the shared map.
* <p/>
+ * </pre>
+ * 4. Mapping Provider configuration:
+ * <pre>{@code
+ * <application-policy name="saml-issue-token">
+ * <authentication>
+ * <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
+ * <module-option name="configFile">/sts-client.properties</module-option>
+ * <module-option name="password-stacking">useFirstPass</module-option>
+ * </login-module>
+ * <mapping>
+ * <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal"/>
+ * <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role"/>
+ * </mapping>
+ * </authentication>
+ * </application-policy>
+ * }
+ * </pre>
*
+ * <h3>Mapping Providers</h3>
+ * Principal and Role mapping providers may be configured on subclasses of this login module and be leveraged to
+ * populate the JAAS Subject with appropriate user id and roles. The token is made available to the mapping providers
+ * so that identity information may be extracted.
+ * <p/>
+ *
* Subclasses can define more configuration options by overriding initialize.
* Also note that subclasses are not forced to put configuration options in a file. They
* can all be set as options just like the 'configFile' is specified above.
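Review bot: The sample configuration added under "4. Mapping Provider configuration" nests `<mapping>` inside `<authentication>` on L1198–L1202, whereas the Javadoc of STSGroupMappingProvider and STSPrincipalMappingProvider in the same change place `<mapping>` as a sibling of `<authentication>` directly under `<application-policy>`; the two cannot both be right, and a user copying this snippet may end up with mapping modules that are never registered. Align this sample with the provider Javadoc by closing `</authentication>` before the `<mapping>` element.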
@@ -271,6 +305,7 @@
{
final SamlCredential samlCredential = new SamlCredential(samlToken);
final boolean added = subject.getPublicCredentials().add(samlCredential);
+ populateSubject();
if (added && log.isDebugEnabled())
log.debug("Added Credential :" + samlCredential);
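Review bot: `populateSubject()` on L1220 is invoked in what appears to be the commit path of the login module, but the mapping providers added in this change throw IllegalArgumentException and populateSubject itself can throw NullPointerException; none of these is a LoginException, so a bad or unexpected token at commit time escapes to the JAAS caller as an unchecked exception instead of a clean login failure. If the enclosing method declares LoginException (it starts outside the hunk), wrap the call: `try { populateSubject(); } catch (RuntimeException e) { LoginException le = new LoginException("Failed to populate Subject from SAML token: " + e.getMessage()); le.initCause(e); throw le; }`. The call is also placed between computing `added` and logging it, which reads as if the log depends on the mapping; moving it after the debug line would keep the credential bookkeeping together.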
@@ -498,4 +533,52 @@
}
}
+ protected void populateSubject()
+ {
+ MappingManager mappingManager = getMappingManager();
+ if (mappingManager == null)
+ {
+ return;
+ }
+
+ MappingContext<Principal> principalMappingContext = mappingManager.getMappingContext(MappingType.PRINCIPAL
+ .toString());
+ MappingContext<RoleGroup> roleMappingContext = mappingManager.getMappingContext(MappingType.ROLE.toString());
+
+ Map<String, Object> contextMap = new HashMap<String, Object>();
+ contextMap.put(SHARED_TOKEN, this.samlToken);
+
+ if (principalMappingContext != null)
+ {
+ principalMappingContext.performMapping(contextMap, null);
+ Principal principal = principalMappingContext.getMappingResult().getMappedObject();
+ subject.getPrincipals().add(principal);
+ }
+
+ if (roleMappingContext != null)
+ {
+ roleMappingContext.performMapping(contextMap, null);
+ RoleGroup group = roleMappingContext.getMappingResult().getMappedObject();
+ SimpleGroup rolePrincipal = new SimpleGroup(group.getRoleName());
+ for (Role role : group.getRoles())
+ {
+ rolePrincipal.addMember(new SimplePrincipal(role.getRoleName()));
+ }
+ subject.getPrincipals().add(rolePrincipal);
+ }
+ }
+
+ protected MappingManager getMappingManager()
+ {
+ SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
+ if (securityContext == null)
+ {
+ return null;
+ }
+ else
+ {
+ return securityContext.getMappingManager();
+ }
+ }
+
}
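Review bot: populateSubject dereferences the mapping results without null checks: `group.getRoleName()` on L1252 throws NullPointerException whenever the role provider left the result unset (STSGroupMappingProvider does so for any assertion without an AttributeStatement), and `subject.getPrincipals().add(principal)` on L1245 is handed a null when the principal provider found no NameID, which the Subject's principal set rejects. The failure mode should be chosen explicitly rather than falling out of an NPE: a token that yields no principal should fail the login, while a token with no role attribute should simply contribute no Roles group. The rewrite below keeps the method signature and the JBoss lookups unchanged and only adds the two checks.
```java
      if (principalMappingContext != null)
      {
         principalMappingContext.performMapping(contextMap, null);
         Principal principal = principalMappingContext.getMappingResult().getMappedObject();
         if (principal == null)
            throw new IllegalStateException("Principal mapping provider returned no principal for the SAML token");
         subject.getPrincipals().add(principal);
      }

      if (roleMappingContext != null)
      {
         roleMappingContext.performMapping(contextMap, null);
         RoleGroup group = roleMappingContext.getMappingResult().getMappedObject();
         if (group == null)
         {
            if (log.isDebugEnabled())
               log.debug("Role mapping provider returned no roles for the SAML token");
            return;
         }
         SimpleGroup rolePrincipal = new SimpleGroup(group.getRoleName());
         // … unchanged: copy each Role into rolePrincipal and add it to the Subject …
      }
```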
14 years, 6 months