July 2011 - picketlink-commits - Jboss List Archives

Picketlink SVN: r1148 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation: web/handlers/saml2 and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 18:27:26 -0400 (Thu, 28 Jul 2011) New Revision: 1148 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java Log: merge r1147 Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces ___________________________________________________________________ Added: svn:mergeinfo + /federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces:1144-1147 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:24:59 UTC (rev 1147) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:27:26 UTC (rev 1148) @@ -20,7 +20,6 @@ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ package org.picketlink.identity.federation.core.saml.v2.interfaces; - import org.picketlink.identity.federation.core.exceptions.ConfigurationException; import org.picketlink.identity.federation.core.exceptions.ProcessingException; @@ -31,36 +30,38 @@ * @since Sep 17, 2009 */ public interface SAML2Handler -{ +{ //Define some constants + String ASSERTION_CONSUMER_URL = "ASSERTION_CONSUMER_URL"; + String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT"; - String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES"; + + String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES"; + String DISABLE_ROLE_PICKING = "DISABLE_ROLE_PICKING"; + String ROLE_KEY = "ROLE_KEY"; - + /** * Processing Point - idp side * or service side */ - public enum HANDLER_TYPE - { - IDP,SP; + public enum HANDLER_TYPE { + IDP, SP; }; - + /** * Initialize the handler * @param handlerConfig Handler Config */ - void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) - throws ConfigurationException; - + void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException; + /** * Initialize the handler from configuration * @param options */ - void initHandlerConfig(SAML2HandlerConfig handlerConfig) - throws ConfigurationException; - + void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException; + /** * Generate a SAML Request to be sent to the IDP * if the handler is invoked at the SP and vice-versa @@ -68,9 +69,7 @@ * @param response * @throws ProcessingException */ - void generateSAMLRequest(SAML2HandlerRequest request, - SAML2HandlerResponse response) throws ProcessingException; - + void generateSAMLRequest(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException; /** * Get the type of handler @@ -78,25 +77,23 @@ * @return */ HANDLER_TYPE getType(); - + /** * Handle a SAML2 RequestAbstractType * @param requestAbstractType * @param resultingDocument * @return */ - void handleRequestType(SAML2HandlerRequest request, - SAML2HandlerResponse response) throws ProcessingException; - + void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException; + /** * Handle a SAML2 Status Response Type * @param statusResponseType * @param resultingDocument * @return */ - void handleStatusResponseType(SAML2HandlerRequest request, - SAML2HandlerResponse response) throws ProcessingException; - + void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException; + /** * Shed all state * @throws ProcessingException Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2 ___________________________________________________________________ Modified: svn:mergeinfo - /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1145 + /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1147 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:24:59 UTC (rev 1147) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:27:26 UTC (rev 1148) @@ -91,6 +91,7 @@ * @see SAML2Handler#DISABLE_ROLE_PICKING Setting to true will disable picking IDP attribute statements (SP Setting) * @see SAML2Handler#ROLE_KEY a csv list of strings that represent the roles coming from IDP (SP Setting) * @see GeneralConstants#NAMEID_FORMAT Setting to a value will provide the nameid format to be sent to IDP (SP Setting) + * @see SAML2Handler#ASSERTION_CONSUMER_URL: the url to be used for assertionConsumerURL * </p> * * @author Anil.Saldhana(a)redhat.com @@ -333,6 +334,12 @@ SAML2Request samlRequest = new SAML2Request(); String id = IDGenerator.create("ID_"); + String assertionConsumerURL = (String) handlerConfig.getParameter(SAML2Handler.ASSERTION_CONSUMER_URL); + if (StringUtil.isNullOrEmpty(assertionConsumerURL)) + { + assertionConsumerURL = issuerValue; + } + //Check if there is a nameid policy String nameIDFormat = (String) handlerConfig.getParameter(GeneralConstants.NAMEID_FORMAT); if (StringUtil.isNotNull(nameIDFormat)) @@ -341,8 +348,8 @@ } try { - AuthnRequestType authn = samlRequest.createAuthnRequestType(id, issuerValue, response.getDestination(), - issuerValue); + AuthnRequestType authn = samlRequest.createAuthnRequestType(id, assertionConsumerURL, + response.getDestination(), issuerValue); response.setResultingDocument(samlRequest.convert(authn)); response.setSendRequest(true);

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1147 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2 and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 18:24:59 -0400 (Thu, 28 Jul 2011) New Revision: 1147 Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java Log: PLFED-149: option for assertionConsumerURL Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:13:46 UTC (rev 1146) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:24:59 UTC (rev 1147) @@ -20,7 +20,6 @@ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ package org.picketlink.identity.federation.core.saml.v2.interfaces; - import org.picketlink.identity.federation.core.exceptions.ConfigurationException; import org.picketlink.identity.federation.core.exceptions.ProcessingException; @@ -31,36 +30,38 @@ * @since Sep 17, 2009 */ public interface SAML2Handler -{ +{ //Define some constants + String ASSERTION_CONSUMER_URL = "ASSERTION_CONSUMER_URL"; + String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT"; - String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES"; + + String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES"; + String DISABLE_ROLE_PICKING = "DISABLE_ROLE_PICKING"; + String ROLE_KEY = "ROLE_KEY"; - + /** * Processing Point - idp side * or service side */ - public enum HANDLER_TYPE - { - IDP,SP; + public enum HANDLER_TYPE { + IDP, SP; }; - + /** * Initialize the handler * @param handlerConfig Handler Config */ - void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) - throws ConfigurationException; - + void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException; + /** * Initialize the handler from configuration * @param options */ - void initHandlerConfig(SAML2HandlerConfig handlerConfig) - throws ConfigurationException; - + void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException; + /** * Generate a SAML Request to be sent to the IDP * if the handler is invoked at the SP and vice-versa @@ -68,9 +69,7 @@ * @param response * @throws ProcessingException */ - void generateSAMLRequest(SAML2HandlerRequest request, - SAML2HandlerResponse response) throws ProcessingException; - + void generateSAMLRequest(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException; /** * Get the type of handler @@ -78,25 +77,23 @@ * @return */ HANDLER_TYPE getType(); - + /** * Handle a SAML2 RequestAbstractType * @param requestAbstractType * @param resultingDocument * @return */ - void handleRequestType(SAML2HandlerRequest request, - SAML2HandlerResponse response) throws ProcessingException; - + void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException; + /** * Handle a SAML2 Status Response Type * @param statusResponseType * @param resultingDocument * @return */ - void handleStatusResponseType(SAML2HandlerRequest request, - SAML2HandlerResponse response) throws ProcessingException; - + void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException; + /** * Shed all state * @throws ProcessingException Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:13:46 UTC (rev 1146) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:24:59 UTC (rev 1147) @@ -91,6 +91,7 @@ * @see SAML2Handler#DISABLE_ROLE_PICKING Setting to true will disable picking IDP attribute statements (SP Setting) * @see SAML2Handler#ROLE_KEY a csv list of strings that represent the roles coming from IDP (SP Setting) * @see GeneralConstants#NAMEID_FORMAT Setting to a value will provide the nameid format to be sent to IDP (SP Setting) + * @see SAML2Handler#ASSERTION_CONSUMER_URL: the url to be used for assertionConsumerURL * </p> * * @author Anil.Saldhana(a)redhat.com @@ -339,6 +340,12 @@ SAML2Request samlRequest = new SAML2Request(); String id = IDGenerator.create("ID_"); + String assertionConsumerURL = (String) handlerConfig.getParameter(SAML2Handler.ASSERTION_CONSUMER_URL); + if (StringUtil.isNullOrEmpty(assertionConsumerURL)) + { + assertionConsumerURL = issuerValue; + } + //Check if there is a nameid policy String nameIDFormat = (String) handlerConfig.getParameter(GeneralConstants.NAMEID_FORMAT); if (StringUtil.isNotNull(nameIDFormat)) @@ -347,8 +354,8 @@ } try { - AuthnRequestType authn = samlRequest.createAuthnRequestType(id, issuerValue, response.getDestination(), - issuerValue); + AuthnRequestType authn = samlRequest.createAuthnRequestType(id, assertionConsumerURL, + response.getDestination(), issuerValue); response.setResultingDocument(samlRequest.convert(authn)); response.setSendRequest(true);

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1146 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation: web/handlers/saml2 and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 18:13:46 -0400 (Thu, 28 Jul 2011) New Revision: 1146 Added: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java Log: merge r1145 Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions ___________________________________________________________________ Added: svn:mergeinfo + /federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions:1144-1145 Copied: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java (from rev 1145, federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java) =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java (rev 0) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java 2011-07-28 22:13:46 UTC (rev 1146) @@ -0,0 +1,53 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2008, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.picketlink.identity.federation.core.saml.v2.exceptions; + +import java.security.GeneralSecurityException; + +/** + * Indicates the failure of signature validation + * @author Anil.Saldhana(a)redhat.com + * @since Jul 28, 2011 + */ +public class SignatureValidationException extends GeneralSecurityException +{ + private static final long serialVersionUID = 1L; + + public SignatureValidationException() + { + } + + public SignatureValidationException(String message, Throwable cause) + { + super(message, cause); + } + + public SignatureValidationException(String msg) + { + super(msg); + } + + public SignatureValidationException(Throwable cause) + { + super(cause); + } +} \ No newline at end of file Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2 ___________________________________________________________________ Added: svn:mergeinfo + /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1145 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 22:09:51 UTC (rev 1145) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 22:13:46 UTC (rev 1146) @@ -26,6 +26,7 @@ import org.apache.log4j.Logger; import org.picketlink.identity.federation.core.exceptions.ProcessingException; +import org.picketlink.identity.federation.core.saml.v2.exceptions.SignatureValidationException; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerErrorCodes; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; @@ -41,61 +42,62 @@ */ public class SAML2SignatureValidationHandler extends BaseSAML2Handler { - private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class); - private boolean trace = log.isTraceEnabled(); - + private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class); + + private final boolean trace = log.isTraceEnabled(); + /** * @see {@code SAML2Handler#handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse)} */ public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException { - Map<String,Object> requestOptions = request.getOptions(); - Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); - if(ignoreSignatures == Boolean.TRUE) + Map<String, Object> requestOptions = request.getOptions(); + Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); + if (ignoreSignatures == Boolean.TRUE) return; - + Document signedDocument = request.getRequestDocument(); - - if(trace) + + if (trace) { - log.trace("Will validate :" + DocumentUtil.asString(signedDocument)); + log.trace("Will validate :" + DocumentUtil.asString(signedDocument)); } PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY); try { - boolean isValid = this.validateSender(signedDocument, publicKey); - if(!isValid) - throw new ProcessingException(); + boolean isValid = this.validateSender(signedDocument, publicKey); + if (!isValid) + throw constructSignatureException(); } - catch(ProcessingException pe) + catch (ProcessingException pe) { - response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, - "Signature Validation Failed"); - throw pe; + response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, "Signature Validation Failed"); + throw pe; } } @Override public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException - { - Map<String,Object> requestOptions = request.getOptions(); - Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); - if(ignoreSignatures == Boolean.TRUE) + { + Map<String, Object> requestOptions = request.getOptions(); + Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); + if (ignoreSignatures == Boolean.TRUE) return; - + Document signedDocument = request.getRequestDocument(); - if(trace) + if (trace) { - log.trace("Document for validation=" + DocumentUtil.asString(signedDocument)); + log.trace("Document for validation=" + DocumentUtil.asString(signedDocument)); } - + PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY); - this.validateSender(signedDocument, publicKey); + boolean isValid = this.validateSender(signedDocument, publicKey); + if (!isValid) + throw constructSignatureException(); } - - private boolean validateSender(Document signedDocument, PublicKey publicKey) - throws ProcessingException + + private boolean validateSender(Document signedDocument, PublicKey publicKey) throws ProcessingException { try { @@ -103,8 +105,14 @@ } catch (Exception e) { - log.error("Error validating signature:" , e); + log.error("Error validating signature:", e); throw new ProcessingException("Error validating signature."); - } - } + } + } + + private ProcessingException constructSignatureException() + { + SignatureValidationException sv = new SignatureValidationException("Signature Validation Failed"); + return new ProcessingException(sv); + } } \ No newline at end of file

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1145 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2 and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 18:09:51 -0400 (Thu, 28 Jul 2011) New Revision: 1145 Added: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java Log: PLFED-8: throw ex if sig validation fails Added: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java (rev 0) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java 2011-07-28 22:09:51 UTC (rev 1145) @@ -0,0 +1,53 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2008, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.picketlink.identity.federation.core.saml.v2.exceptions; + +import java.security.GeneralSecurityException; + +/** + * Indicates the failure of signature validation + * @author Anil.Saldhana(a)redhat.com + * @since Jul 28, 2011 + */ +public class SignatureValidationException extends GeneralSecurityException +{ + private static final long serialVersionUID = 1L; + + public SignatureValidationException() + { + } + + public SignatureValidationException(String message, Throwable cause) + { + super(message, cause); + } + + public SignatureValidationException(String msg) + { + super(msg); + } + + public SignatureValidationException(Throwable cause) + { + super(cause); + } +} \ No newline at end of file Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 21:41:04 UTC (rev 1144) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 22:09:51 UTC (rev 1145) @@ -26,6 +26,7 @@ import org.apache.log4j.Logger; import org.picketlink.identity.federation.core.exceptions.ProcessingException; +import org.picketlink.identity.federation.core.saml.v2.exceptions.SignatureValidationException; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerErrorCodes; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; @@ -41,61 +42,62 @@ */ public class SAML2SignatureValidationHandler extends BaseSAML2Handler { - private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class); - private boolean trace = log.isTraceEnabled(); - + private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class); + + private final boolean trace = log.isTraceEnabled(); + /** * @see {@code SAML2Handler#handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse)} */ public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException { - Map<String,Object> requestOptions = request.getOptions(); - Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); - if(ignoreSignatures == Boolean.TRUE) + Map<String, Object> requestOptions = request.getOptions(); + Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); + if (ignoreSignatures == Boolean.TRUE) return; - + Document signedDocument = request.getRequestDocument(); - - if(trace) + + if (trace) { - log.trace("Will validate :" + DocumentUtil.asString(signedDocument)); + log.trace("Will validate :" + DocumentUtil.asString(signedDocument)); } PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY); try { - boolean isValid = this.validateSender(signedDocument, publicKey); - if(!isValid) - throw new ProcessingException(); + boolean isValid = this.validateSender(signedDocument, publicKey); + if (!isValid) + throw constructSignatureException(); } - catch(ProcessingException pe) + catch (ProcessingException pe) { - response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, - "Signature Validation Failed"); - throw pe; + response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, "Signature Validation Failed"); + throw pe; } } @Override public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException - { - Map<String,Object> requestOptions = request.getOptions(); - Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); - if(ignoreSignatures == Boolean.TRUE) + { + Map<String, Object> requestOptions = request.getOptions(); + Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES); + if (ignoreSignatures == Boolean.TRUE) return; - + Document signedDocument = request.getRequestDocument(); - if(trace) + if (trace) { - log.trace("Document for validation=" + DocumentUtil.asString(signedDocument)); + log.trace("Document for validation=" + DocumentUtil.asString(signedDocument)); } - + PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY); - this.validateSender(signedDocument, publicKey); + boolean isValid = this.validateSender(signedDocument, publicKey); + if (!isValid) + throw constructSignatureException(); } - - private boolean validateSender(Document signedDocument, PublicKey publicKey) - throws ProcessingException + + private boolean validateSender(Document signedDocument, PublicKey publicKey) throws ProcessingException { try { @@ -103,8 +105,14 @@ } catch (Exception e) { - log.error("Error validating signature:" , e); + log.error("Error validating signature:", e); throw new ProcessingException("Error validating signature."); - } - } + } + } + + private ProcessingException constructSignatureException() + { + SignatureValidationException sv = new SignatureValidationException("Signature Validation Failed"); + return new ProcessingException(sv); + } } \ No newline at end of file

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1144 - product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 17:41:04 -0400 (Thu, 28 Jul 2011) New Revision: 1144 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java Log: merge r1143 Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp ___________________________________________________________________ Modified: svn:mergeinfo - /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1141 + /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1143 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 21:41:04 UTC (rev 1144) @@ -37,6 +37,7 @@ import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.crypto.dsig.CanonicalizationMethod; @@ -46,6 +47,7 @@ import org.apache.catalina.authenticator.FormAuthenticator; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; +import org.apache.catalina.deploy.LoginConfig; import org.apache.log4j.Logger; import org.picketlink.identity.federation.api.saml.v2.metadata.MetaDataExtractor; import org.picketlink.identity.federation.core.config.SPType; @@ -253,54 +255,42 @@ } } - //Mock test purpose - public void testStart() throws LifecycleException + /** + * Fall back on local authentication at the service provider side + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean localAuthentication(Request request, Response response, LoginConfig loginConfig) + throws IOException { - this.saveRestoreRequest = false; - if (context == null) - throw new RuntimeException("Catalina Context not set up"); - processStart(); - } - - private void processStart() throws LifecycleException - { - Handlers handlers = null; - - //Get the chain from config - if (StringUtil.isNullOrEmpty(samlHandlerChainClass)) + if (request.getUserPrincipal() == null) { - chain = SAML2HandlerChainFactory.createChain(); - } - else - { + log.error("Falling back on local Form Authentication if available");//fallback try { - chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass); + return super.authenticate(request, response, loginConfig); } - catch (ProcessingException e1) + catch (NoSuchMethodError e) { - throw new LifecycleException(e1); + //Use Reflection + try + { + Method method = super.getClass().getMethod("authenticate", new Class[] + {HttpServletRequest.class, HttpServletResponse.class, LoginConfig.class}); + return (Boolean) method.invoke(this, new Object[] + {request.getRequest(), response.getResponse(), loginConfig}); + } + catch (Exception ex) + { + throw new IOException("Unable to fallback on local auth", ex); + } } } - - ServletContext servletContext = context.getServletContext(); - - this.processConfiguration(); - - try - { - //Get the handlers - String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; - handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName)); - chain.addAll(HandlerUtil.getHandlers(handlers)); - - this.populateChainConfig(); - this.initializeHandlerChain(); - } - catch (Exception e) - { - throw new RuntimeException(e); - } + else + return true; } /** @@ -481,6 +471,56 @@ } } + //Mock test purpose + public void testStart() throws LifecycleException + { + this.saveRestoreRequest = false; + if (context == null) + throw new RuntimeException("Catalina Context not set up"); + processStart(); + } + + private void processStart() throws LifecycleException + { + Handlers handlers = null; + + //Get the chain from config + if (StringUtil.isNullOrEmpty(samlHandlerChainClass)) + { + chain = SAML2HandlerChainFactory.createChain(); + } + else + { + try + { + chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass); + } + catch (ProcessingException e1) + { + throw new LifecycleException(e1); + } + } + + ServletContext servletContext = context.getServletContext(); + + this.processConfiguration(); + + try + { + //Get the handlers + String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; + handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName)); + chain.addAll(HandlerUtil.getHandlers(handlers)); + + this.populateChainConfig(); + this.initializeHandlerChain(); + } + catch (Exception e) + { + throw new RuntimeException(e); + } + } + private Class<?> getAuthenticatorBaseClass() { Class<?> myClass = getClass(); Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 21:41:04 UTC (rev 1144) @@ -46,6 +46,7 @@ import org.picketlink.identity.federation.core.exceptions.ProcessingException; import org.picketlink.identity.federation.core.interfaces.TrustKeyManager; import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; +import org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException; import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException; import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler; @@ -118,8 +119,6 @@ { Session session = request.getSessionInternal(true); - SPUtil spUtil = new SPUtil(); - //Eagerly look for Local LogOut String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT); boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr); @@ -150,189 +149,256 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; + //General User Request + if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + { + return generalUserRequest(request, response, loginConfig); + } + + //Handle a SAML Response from IDP + if (isNotNull(samlResponse)) + { + return handleSAMLResponse(request, response, loginConfig); + } + + //Handle SAML Requests from IDP + if (isNotNull(samlRequest)) + { + return handleSAMLRequest(request, response, loginConfig); + }//end if + + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle the IDP Request + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY); + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + Set<SAML2Handler> handlers = chain.handlers(); + + try + { + ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true, + this.serviceURL); + requestProcessor.setTrustKeyManager(keyManager); + requestProcessor.setSupportSignatures(supportSignatures); + boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); + + if (result) + return result; + } + catch (Exception e) + { + if (trace) + log.trace("Server Exception:", e); + throw new IOException("Server Exception"); + } + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle IDP Response + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException + { + SPUtil spUtil = new SPUtil(); + boolean isValid = false; + Session session = request.getSessionInternal(true); + String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY); + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - boolean willSendRequest = false; HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); Set<SAML2Handler> handlers = chain.handlers(); - //General User Request - if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + Principal principal = request.getUserPrincipal(); + try { - //Neither saml request nor response from IDP - //So this is a user request - SAML2HandlerResponse saml2HandlerResponse = null; - try - { - ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL); - if (issuerID != null) - baseProcessor.setIssuer(issuerID); + isValid = this.validate(request); + } + catch (Exception e) + { + log.error("Exception:", e); + throw new IOException(); + } + if (!isValid) + throw new IOException("Validity check failed"); - baseProcessor.setIdentityURL(identityURL); + //deal with SAML response from IDP + try + { + ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true, + serviceURL); + responseProcessor.setValidateSignature(validateSignature); + responseProcessor.setTrustKeyManager(keyManager); - saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); - } - catch (ProcessingException pe) - { - log.error("Processing Exception:", pe); - throw new RuntimeException(pe); - } - catch (ParsingException pe) - { - log.error("Parsing Exception:", pe); - throw new RuntimeException(pe); - } - catch (ConfigurationException pe) - { - log.error("Config Exception:", pe); - throw new RuntimeException(pe); - } + SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, + chainLock); - willSendRequest = saml2HandlerResponse.getSendRequest(); - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); String destination = saml2HandlerResponse.getDestination(); + willSendRequest = saml2HandlerResponse.getSendRequest(); + if (destination != null && samlResponseDocument != null) { - try + sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); + } + else + { + //See if the session has been invalidated + + boolean sessionValidity = session.isValid(); + if (!sessionValidity) { - if (saveRestoreRequest) - { - this.saveRequest(request, session); - } - sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); + sendToLogoutPage(request, response, session); return false; } - catch (Exception e) + + //We got a response with the principal + List<String> roles = saml2HandlerResponse.getRoles(); + if (principal == null) + principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); + + String username = principal.getName(); + String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; + if (trace) + log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray())); + + //Map to JBoss specific principal + if ((new ServerDetector()).isJboss() || jbossEnv) { - if (trace) - log.trace("Exception:", e); - throw new IOException("Server Error"); + //Push a context + ServiceProviderSAMLContext.push(username, roles); + principal = context.getRealm().authenticate(username, password); + ServiceProviderSAMLContext.clear(); } + else + { + //tomcat env + principal = spUtil.createGenericPrincipal(request, username, roles); + } + + session.setNote(Constants.SESS_USERNAME_NOTE, username); + session.setNote(Constants.SESS_PASSWORD_NOTE, password); + request.setUserPrincipal(principal); + //Get the original saved request + if (saveRestoreRequest) + { + this.restoreRequest(request, session); + } + register(request, response, principal, Constants.FORM_METHOD, username, password); + + return true; } } - - //Handle a SAML Response from IDP - if (isNotNull(samlResponse)) + catch (ProcessingException pe) { - boolean isValid = false; - try + Throwable t = pe.getCause(); + if (t != null && t instanceof AssertionExpiredException) { - isValid = this.validate(request); + log.error("Assertion has expired. Asking IDP for reissue"); + //Just issue a fresh request back to IDP + return generalUserRequest(request, response, loginConfig); } - catch (Exception e) - { - log.error("Exception:", e); - throw new IOException(); - } - if (!isValid) - throw new IOException("Validity check failed"); + throw new IOException("Server Exception:" + pe.getLocalizedMessage()); + } + catch (Exception e) + { + log.error("Server Exception:", e); + throw new IOException("Server Exception"); + } + return localAuthentication(request, response, loginConfig); + } - //deal with SAML response from IDP - try - { - ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true, - serviceURL); - responseProcessor.setValidateSignature(validateSignature); - responseProcessor.setTrustKeyManager(keyManager); + /** + * Handle the user invocation for the first time + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + Session session = request.getSessionInternal(true); + boolean willSendRequest = false; + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + Set<SAML2Handler> handlers = chain.handlers(); - SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, - chainLock); + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); - relayState = saml2HandlerResponse.getRelayState(); + //Neither saml request nor response from IDP + //So this is a user request + SAML2HandlerResponse saml2HandlerResponse = null; + try + { + ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL); + if (issuerID != null) + baseProcessor.setIssuer(issuerID); - String destination = saml2HandlerResponse.getDestination(); + baseProcessor.setIdentityURL(identityURL); - willSendRequest = saml2HandlerResponse.getSendRequest(); + saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); + } + catch (ProcessingException pe) + { + log.error("Processing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ParsingException pe) + { + log.error("Parsing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ConfigurationException pe) + { + log.error("Config Exception:", pe); + throw new RuntimeException(pe); + } - if (destination != null && samlResponseDocument != null) - { - sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); - } - else - { - //See if the session has been invalidated + willSendRequest = saml2HandlerResponse.getSendRequest(); - boolean sessionValidity = session.isValid(); - if (!sessionValidity) - { - sendToLogoutPage(request, response, session); - return false; - } + Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); + relayState = saml2HandlerResponse.getRelayState(); - //We got a response with the principal - List<String> roles = saml2HandlerResponse.getRoles(); - if (principal == null) - principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); + String destination = saml2HandlerResponse.getDestination(); - String username = principal.getName(); - String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; - if (trace) - log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray())); - - //Map to JBoss specific principal - if ((new ServerDetector()).isJboss() || jbossEnv) - { - //Push a context - ServiceProviderSAMLContext.push(username, roles); - principal = context.getRealm().authenticate(username, password); - ServiceProviderSAMLContext.clear(); - } - else - { - //tomcat env - principal = spUtil.createGenericPrincipal(request, username, roles); - } - - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); - request.setUserPrincipal(principal); - //Get the original saved request - if (saveRestoreRequest) - { - this.restoreRequest(request, session); - } - register(request, response, principal, Constants.FORM_METHOD, username, password); - - return true; - } - } - catch (Exception e) - { - log.error("Server Exception:", e); - throw new IOException("Server Exception"); - } - } - - //Handle SAML Requests from IDP - if (isNotNull(samlRequest)) + if (destination != null && samlResponseDocument != null) { try { - ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true, - this.serviceURL); - requestProcessor.setTrustKeyManager(keyManager); - requestProcessor.setSupportSignatures(supportSignatures); - boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); - - if (result) - return result; + if (saveRestoreRequest) + { + this.saveRequest(request, session); + } + sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); + return false; } catch (Exception e) { if (trace) - log.trace("Server Exception:", e); - throw new IOException("Server Exception"); + log.trace("Exception:", e); + throw new IOException("Server Error"); } - }//end if + } - log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available"); - //fallback - return super.authenticate(request, response, loginConfig); + return localAuthentication(request, response, loginConfig); } @Override Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 21:41:04 UTC (rev 1144) @@ -141,42 +141,120 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; + //General User Request + if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + { + return generalUserRequest(request, response, loginConfig); + } + + //See if we got a response from IDP + if (isNotNull(samlResponse)) + { + return handleSAMLResponse(request, response, loginConfig); + } + + //Handle SAML Requests from IDP + if (isNotNull(samlRequest)) + { + return handleSAMLRequest(request, response, loginConfig); + }//end if + + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle the SAML Request message from IDP + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY); + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + + Set<SAML2Handler> handlers = chain.handlers(); + + //we got a logout request + try + { + ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false, + this.serviceURL); + boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); + + if (result) + return result; + } + catch (Exception e) + { + log.error("Server Exception:", e); + throw new IOException("Server Exception"); + } + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle the IDP Response + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException + { + Session session = request.getSessionInternal(true); + + String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY); + + Principal principal = request.getUserPrincipal(); + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); Set<SAML2Handler> handlers = chain.handlers(); + boolean isValid = false; + try + { + isValid = this.validate(request); + } + catch (Exception e) + { + log.error("Exception:", e); + throw new IOException(); + } + if (!isValid) + throw new IOException("Validity check failed"); - //General User Request - if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + try { - //Neither saml request nor response from IDP - //So this is a user request + ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false, + serviceURL); + initializeSAMLProcessor(responseProcessor); + SAML2HandlerResponse saml2HandlerResponse = null; + try { - ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); - - initializeSAMLProcessor(baseProcessor); - - saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); - saml2HandlerResponse.setDestination(identityURL); + saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock); } catch (ProcessingException pe) { - log.error("Processing Exception:", pe); - throw new RuntimeException(pe); + Throwable te = pe.getCause(); + if (te instanceof AssertionExpiredException) + { + //We need to reissue redirect to IDP + ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); + initializeSAMLProcessor(baseProcessor); + + saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); + saml2HandlerResponse.setDestination(identityURL); + } + else + throw pe; } - catch (ParsingException pe) - { - log.error("Parsing Exception:", pe); - throw new RuntimeException(pe); - } - catch (ConfigurationException pe) - { - log.error("Config Exception:", pe); - throw new RuntimeException(pe); - } - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); @@ -184,188 +262,175 @@ if (destination != null && samlResponseDocument != null) { - try - { - String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); - if (trace) - log.trace("SAML Document=" + samlMsg); + boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); + String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); - boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); + String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); - String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); + String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); - String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); + RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); + holder.setDestination(destination).setDestinationQueryString(destinationQuery); - RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); - holder.setDestination(destination).setDestinationQueryString(destinationQuery); + String destinationURL = RedirectBindingUtil.getDestinationURL(holder); - String destinationURL = RedirectBindingUtil.getDestinationURL(holder); + HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); + } + else + { + //See if the session has been invalidated + boolean sessionValidity = session.isValid(); + if (!sessionValidity) + { + sendToLogoutPage(request, response, session); + return false; + } - if (trace) - { - log.trace("URL used for sending:" + destinationURL); - } + //We got a response with the principal + List<String> roles = saml2HandlerResponse.getRoles(); + if (principal == null) + principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); - if (saveRestoreRequest) - { - this.saveRequest(request, session); - } + String username = principal.getName(); + String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; - HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); - return false; + //Map to JBoss specific principal + if ((new ServerDetector()).isJboss() || jbossEnv) + { + //Push a context + ServiceProviderSAMLContext.push(username, roles); + principal = context.getRealm().authenticate(username, password); + ServiceProviderSAMLContext.clear(); } - catch (Exception e) + else { - if (trace) - log.trace("Exception:", e); - throw new IOException("Server Error"); + //tomcat env + SPUtil spUtil = new SPUtil(); + principal = spUtil.createGenericPrincipal(request, principal.getName(), roles); } + + session.setNote(Constants.SESS_USERNAME_NOTE, username); + session.setNote(Constants.SESS_PASSWORD_NOTE, password); + request.setUserPrincipal(principal); + + if (saveRestoreRequest) + { + this.restoreRequest(request, session); + } + register(request, response, principal, Constants.FORM_METHOD, username, password); + + return true; } } - - //See if we got a response from IDP - if (isNotNull(samlResponse)) + catch (ProcessingException pe) { - boolean isValid = false; - try + Throwable t = pe.getCause(); + if (t != null && t instanceof AssertionExpiredException) { - isValid = this.validate(request); + log.error("Assertion has expired. Asking IDP for reissue"); + //Just issue a fresh request back to IDP + return generalUserRequest(request, response, loginConfig); } - catch (Exception e) - { - log.error("Exception:", e); - throw new IOException(); - } - if (!isValid) - throw new IOException("Validity check failed"); + throw new IOException("Server Exception:" + pe.getLocalizedMessage()); + } + catch (Exception e) + { + if (trace) + log.trace("Server Exception:", e); + throw new IOException("Server Exception:" + e.getLocalizedMessage()); + } + return localAuthentication(request, response, loginConfig); + } - try - { - ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false, - serviceURL); - initializeSAMLProcessor(responseProcessor); + /** + * Handle the user invocation for the first time + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + Session session = request.getSessionInternal(true); + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + Set<SAML2Handler> handlers = chain.handlers(); - SAML2HandlerResponse saml2HandlerResponse = null; + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - try - { - saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock); - } - catch (ProcessingException pe) - { - Throwable te = pe.getCause(); - if (te instanceof AssertionExpiredException) - { - //We need to reissue redirect to IDP - ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); - initializeSAMLProcessor(baseProcessor); + //Neither saml request nor response from IDP + //So this is a user request + SAML2HandlerResponse saml2HandlerResponse = null; + try + { + ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); - saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); - saml2HandlerResponse.setDestination(identityURL); - } - else - throw pe; - } - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); - relayState = saml2HandlerResponse.getRelayState(); + initializeSAMLProcessor(baseProcessor); - String destination = saml2HandlerResponse.getDestination(); + saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); + saml2HandlerResponse.setDestination(identityURL); + } + catch (ProcessingException pe) + { + log.error("Processing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ParsingException pe) + { + log.error("Parsing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ConfigurationException pe) + { + log.error("Config Exception:", pe); + throw new RuntimeException(pe); + } - if (destination != null && samlResponseDocument != null) - { - boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); - String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); + Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); + relayState = saml2HandlerResponse.getRelayState(); - String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); + String destination = saml2HandlerResponse.getDestination(); - String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); + if (destination != null && samlResponseDocument != null) + { + try + { + String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); + if (trace) + log.trace("SAML Document=" + samlMsg); - RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); - holder.setDestination(destination).setDestinationQueryString(destinationQuery); + boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); - String destinationURL = RedirectBindingUtil.getDestinationURL(holder); + String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); - HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); - } - else - { - //See if the session has been invalidated - boolean sessionValidity = session.isValid(); - if (!sessionValidity) - { - sendToLogoutPage(request, response, session); - return false; - } + String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); - //We got a response with the principal - List<String> roles = saml2HandlerResponse.getRoles(); - if (principal == null) - principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); + RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); + holder.setDestination(destination).setDestinationQueryString(destinationQuery); - String username = principal.getName(); - String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; + String destinationURL = RedirectBindingUtil.getDestinationURL(holder); - //Map to JBoss specific principal - if ((new ServerDetector()).isJboss() || jbossEnv) - { - //Push a context - ServiceProviderSAMLContext.push(username, roles); - principal = context.getRealm().authenticate(username, password); - ServiceProviderSAMLContext.clear(); - } - else - { - //tomcat env - SPUtil spUtil = new SPUtil(); - principal = spUtil.createGenericPrincipal(request, principal.getName(), roles); - } + if (trace) + { + log.trace("URL used for sending:" + destinationURL); + } - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); - request.setUserPrincipal(principal); + if (saveRestoreRequest) + { + this.saveRequest(request, session); + } - if (saveRestoreRequest) - { - this.restoreRequest(request, session); - } - register(request, response, principal, Constants.FORM_METHOD, username, password); - - return true; - } + HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); + return false; } catch (Exception e) { - e.printStackTrace(); if (trace) - log.trace("Server Exception:", e); - throw new IOException("Server Exception:" + e.getLocalizedMessage()); + log.trace("Exception:", e); + throw new IOException("Server Error"); } } - - //Handle SAML Requests from IDP - if (isNotNull(samlRequest)) - { - //we got a logout request - try - { - ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false, - this.serviceURL); - boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); - - if (result) - return result; - } - catch (Exception e) - { - log.error("Server Exception:", e); - throw new IOException("Server Exception"); - } - - }//end if - - log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available"); - //fallback - return super.authenticate(request, response, loginConfig); + return localAuthentication(request, response, loginConfig); } protected String createSAMLRequestMessage(String relayState, Response response) throws ServletException,

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1143 - federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 17:38:57 -0400 (Thu, 28 Jul 2011) New Revision: 1143 Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java Log: PLFED-197: refactor the sp methods Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143) @@ -37,6 +37,7 @@ import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.crypto.dsig.CanonicalizationMethod; @@ -46,6 +47,7 @@ import org.apache.catalina.authenticator.FormAuthenticator; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; +import org.apache.catalina.deploy.LoginConfig; import org.apache.log4j.Logger; import org.picketlink.identity.federation.api.saml.v2.metadata.MetaDataExtractor; import org.picketlink.identity.federation.core.config.SPType; @@ -253,54 +255,42 @@ } } - //Mock test purpose - public void testStart() throws LifecycleException + /** + * Fall back on local authentication at the service provider side + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean localAuthentication(Request request, Response response, LoginConfig loginConfig) + throws IOException { - this.saveRestoreRequest = false; - if (context == null) - throw new RuntimeException("Catalina Context not set up"); - processStart(); - } - - private void processStart() throws LifecycleException - { - Handlers handlers = null; - - //Get the chain from config - if (StringUtil.isNullOrEmpty(samlHandlerChainClass)) + if (request.getUserPrincipal() == null) { - chain = SAML2HandlerChainFactory.createChain(); - } - else - { + log.error("Falling back on local Form Authentication if available");//fallback try { - chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass); + return super.authenticate(request, response, loginConfig); } - catch (ProcessingException e1) + catch (NoSuchMethodError e) { - throw new LifecycleException(e1); + //Use Reflection + try + { + Method method = super.getClass().getMethod("authenticate", new Class[] + {HttpServletRequest.class, HttpServletResponse.class, LoginConfig.class}); + return (Boolean) method.invoke(this, new Object[] + {request.getRequest(), response.getResponse(), loginConfig}); + } + catch (Exception ex) + { + throw new IOException("Unable to fallback on local auth", ex); + } } } - - ServletContext servletContext = context.getServletContext(); - - this.processConfiguration(); - - try - { - //Get the handlers - String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; - handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName)); - chain.addAll(HandlerUtil.getHandlers(handlers)); - - this.populateChainConfig(); - this.initializeHandlerChain(); - } - catch (Exception e) - { - throw new RuntimeException(e); - } + else + return true; } /** @@ -481,6 +471,56 @@ } } + //Mock test purpose + public void testStart() throws LifecycleException + { + this.saveRestoreRequest = false; + if (context == null) + throw new RuntimeException("Catalina Context not set up"); + processStart(); + } + + private void processStart() throws LifecycleException + { + Handlers handlers = null; + + //Get the chain from config + if (StringUtil.isNullOrEmpty(samlHandlerChainClass)) + { + chain = SAML2HandlerChainFactory.createChain(); + } + else + { + try + { + chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass); + } + catch (ProcessingException e1) + { + throw new LifecycleException(e1); + } + } + + ServletContext servletContext = context.getServletContext(); + + this.processConfiguration(); + + try + { + //Get the handlers + String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; + handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName)); + chain.addAll(HandlerUtil.getHandlers(handlers)); + + this.populateChainConfig(); + this.initializeHandlerChain(); + } + catch (Exception e) + { + throw new RuntimeException(e); + } + } + private Class<?> getAuthenticatorBaseClass() { Class<?> myClass = getClass(); Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143) @@ -46,6 +46,7 @@ import org.picketlink.identity.federation.core.exceptions.ProcessingException; import org.picketlink.identity.federation.core.interfaces.TrustKeyManager; import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; +import org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException; import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException; import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler; @@ -118,8 +119,6 @@ { Session session = request.getSessionInternal(true); - SPUtil spUtil = new SPUtil(); - //Eagerly look for Local LogOut String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT); boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr); @@ -150,189 +149,256 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; + //General User Request + if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + { + return generalUserRequest(request, response, loginConfig); + } + + //Handle a SAML Response from IDP + if (isNotNull(samlResponse)) + { + return handleSAMLResponse(request, response, loginConfig); + } + + //Handle SAML Requests from IDP + if (isNotNull(samlRequest)) + { + return handleSAMLRequest(request, response, loginConfig); + }//end if + + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle the IDP Request + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY); + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + Set<SAML2Handler> handlers = chain.handlers(); + + try + { + ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true, + this.serviceURL); + requestProcessor.setTrustKeyManager(keyManager); + requestProcessor.setSupportSignatures(supportSignatures); + boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); + + if (result) + return result; + } + catch (Exception e) + { + if (trace) + log.trace("Server Exception:", e); + throw new IOException("Server Exception"); + } + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle IDP Response + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException + { + SPUtil spUtil = new SPUtil(); + boolean isValid = false; + Session session = request.getSessionInternal(true); + String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY); + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - boolean willSendRequest = false; HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); Set<SAML2Handler> handlers = chain.handlers(); - //General User Request - if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + Principal principal = request.getUserPrincipal(); + try { - //Neither saml request nor response from IDP - //So this is a user request - SAML2HandlerResponse saml2HandlerResponse = null; - try - { - ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL); - if (issuerID != null) - baseProcessor.setIssuer(issuerID); + isValid = this.validate(request); + } + catch (Exception e) + { + log.error("Exception:", e); + throw new IOException(); + } + if (!isValid) + throw new IOException("Validity check failed"); - baseProcessor.setIdentityURL(identityURL); + //deal with SAML response from IDP + try + { + ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true, + serviceURL); + responseProcessor.setValidateSignature(validateSignature); + responseProcessor.setTrustKeyManager(keyManager); - saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); - } - catch (ProcessingException pe) - { - log.error("Processing Exception:", pe); - throw new RuntimeException(pe); - } - catch (ParsingException pe) - { - log.error("Parsing Exception:", pe); - throw new RuntimeException(pe); - } - catch (ConfigurationException pe) - { - log.error("Config Exception:", pe); - throw new RuntimeException(pe); - } + SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, + chainLock); - willSendRequest = saml2HandlerResponse.getSendRequest(); - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); String destination = saml2HandlerResponse.getDestination(); + willSendRequest = saml2HandlerResponse.getSendRequest(); + if (destination != null && samlResponseDocument != null) { - try + sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); + } + else + { + //See if the session has been invalidated + + boolean sessionValidity = session.isValid(); + if (!sessionValidity) { - if (saveRestoreRequest) - { - this.saveRequest(request, session); - } - sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); + sendToLogoutPage(request, response, session); return false; } - catch (Exception e) + + //We got a response with the principal + List<String> roles = saml2HandlerResponse.getRoles(); + if (principal == null) + principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); + + String username = principal.getName(); + String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; + if (trace) + log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray())); + + //Map to JBoss specific principal + if ((new ServerDetector()).isJboss() || jbossEnv) { - if (trace) - log.trace("Exception:", e); - throw new IOException("Server Error"); + //Push a context + ServiceProviderSAMLContext.push(username, roles); + principal = context.getRealm().authenticate(username, password); + ServiceProviderSAMLContext.clear(); } + else + { + //tomcat env + principal = spUtil.createGenericPrincipal(request, username, roles); + } + + session.setNote(Constants.SESS_USERNAME_NOTE, username); + session.setNote(Constants.SESS_PASSWORD_NOTE, password); + request.setUserPrincipal(principal); + //Get the original saved request + if (saveRestoreRequest) + { + this.restoreRequest(request, session); + } + register(request, response, principal, Constants.FORM_METHOD, username, password); + + return true; } } - - //Handle a SAML Response from IDP - if (isNotNull(samlResponse)) + catch (ProcessingException pe) { - boolean isValid = false; - try + Throwable t = pe.getCause(); + if (t != null && t instanceof AssertionExpiredException) { - isValid = this.validate(request); + log.error("Assertion has expired. Asking IDP for reissue"); + //Just issue a fresh request back to IDP + return generalUserRequest(request, response, loginConfig); } - catch (Exception e) - { - log.error("Exception:", e); - throw new IOException(); - } - if (!isValid) - throw new IOException("Validity check failed"); + throw new IOException("Server Exception:" + pe.getLocalizedMessage()); + } + catch (Exception e) + { + log.error("Server Exception:", e); + throw new IOException("Server Exception"); + } + return localAuthentication(request, response, loginConfig); + } - //deal with SAML response from IDP - try - { - ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true, - serviceURL); - responseProcessor.setValidateSignature(validateSignature); - responseProcessor.setTrustKeyManager(keyManager); + /** + * Handle the user invocation for the first time + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + Session session = request.getSessionInternal(true); + boolean willSendRequest = false; + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + Set<SAML2Handler> handlers = chain.handlers(); - SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, - chainLock); + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); - relayState = saml2HandlerResponse.getRelayState(); + //Neither saml request nor response from IDP + //So this is a user request + SAML2HandlerResponse saml2HandlerResponse = null; + try + { + ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL); + if (issuerID != null) + baseProcessor.setIssuer(issuerID); - String destination = saml2HandlerResponse.getDestination(); + baseProcessor.setIdentityURL(identityURL); - willSendRequest = saml2HandlerResponse.getSendRequest(); + saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); + } + catch (ProcessingException pe) + { + log.error("Processing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ParsingException pe) + { + log.error("Parsing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ConfigurationException pe) + { + log.error("Config Exception:", pe); + throw new RuntimeException(pe); + } - if (destination != null && samlResponseDocument != null) - { - sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); - } - else - { - //See if the session has been invalidated + willSendRequest = saml2HandlerResponse.getSendRequest(); - boolean sessionValidity = session.isValid(); - if (!sessionValidity) - { - sendToLogoutPage(request, response, session); - return false; - } + Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); + relayState = saml2HandlerResponse.getRelayState(); - //We got a response with the principal - List<String> roles = saml2HandlerResponse.getRoles(); - if (principal == null) - principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); + String destination = saml2HandlerResponse.getDestination(); - String username = principal.getName(); - String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; - if (trace) - log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray())); - - //Map to JBoss specific principal - if ((new ServerDetector()).isJboss() || jbossEnv) - { - //Push a context - ServiceProviderSAMLContext.push(username, roles); - principal = context.getRealm().authenticate(username, password); - ServiceProviderSAMLContext.clear(); - } - else - { - //tomcat env - principal = spUtil.createGenericPrincipal(request, username, roles); - } - - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); - request.setUserPrincipal(principal); - //Get the original saved request - if (saveRestoreRequest) - { - this.restoreRequest(request, session); - } - register(request, response, principal, Constants.FORM_METHOD, username, password); - - return true; - } - } - catch (Exception e) - { - log.error("Server Exception:", e); - throw new IOException("Server Exception"); - } - } - - //Handle SAML Requests from IDP - if (isNotNull(samlRequest)) + if (destination != null && samlResponseDocument != null) { try { - ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true, - this.serviceURL); - requestProcessor.setTrustKeyManager(keyManager); - requestProcessor.setSupportSignatures(supportSignatures); - boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); - - if (result) - return result; + if (saveRestoreRequest) + { + this.saveRequest(request, session); + } + sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest); + return false; } catch (Exception e) { if (trace) - log.trace("Server Exception:", e); - throw new IOException("Server Exception"); + log.trace("Exception:", e); + throw new IOException("Server Error"); } - }//end if + } - log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available"); - //fallback - return super.authenticate(request, response, loginConfig); + return localAuthentication(request, response, loginConfig); } @Override Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143) @@ -141,42 +141,120 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; + //General User Request + if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + { + return generalUserRequest(request, response, loginConfig); + } + + //See if we got a response from IDP + if (isNotNull(samlResponse)) + { + return handleSAMLResponse(request, response, loginConfig); + } + + //Handle SAML Requests from IDP + if (isNotNull(samlRequest)) + { + return handleSAMLRequest(request, response, loginConfig); + }//end if + + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle the SAML Request message from IDP + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY); + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + + Set<SAML2Handler> handlers = chain.handlers(); + + //we got a logout request + try + { + ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false, + this.serviceURL); + boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); + + if (result) + return result; + } + catch (Exception e) + { + log.error("Server Exception:", e); + throw new IOException("Server Exception"); + } + return localAuthentication(request, response, loginConfig); + } + + /** + * Handle the IDP Response + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException + { + Session session = request.getSessionInternal(true); + + String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY); + + Principal principal = request.getUserPrincipal(); + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); Set<SAML2Handler> handlers = chain.handlers(); + boolean isValid = false; + try + { + isValid = this.validate(request); + } + catch (Exception e) + { + log.error("Exception:", e); + throw new IOException(); + } + if (!isValid) + throw new IOException("Validity check failed"); - //General User Request - if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) + try { - //Neither saml request nor response from IDP - //So this is a user request + ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false, + serviceURL); + initializeSAMLProcessor(responseProcessor); + SAML2HandlerResponse saml2HandlerResponse = null; + try { - ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); - - initializeSAMLProcessor(baseProcessor); - - saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); - saml2HandlerResponse.setDestination(identityURL); + saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock); } catch (ProcessingException pe) { - log.error("Processing Exception:", pe); - throw new RuntimeException(pe); + Throwable te = pe.getCause(); + if (te instanceof AssertionExpiredException) + { + //We need to reissue redirect to IDP + ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); + initializeSAMLProcessor(baseProcessor); + + saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); + saml2HandlerResponse.setDestination(identityURL); + } + else + throw pe; } - catch (ParsingException pe) - { - log.error("Parsing Exception:", pe); - throw new RuntimeException(pe); - } - catch (ConfigurationException pe) - { - log.error("Config Exception:", pe); - throw new RuntimeException(pe); - } - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); @@ -184,188 +262,175 @@ if (destination != null && samlResponseDocument != null) { - try - { - String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); - if (trace) - log.trace("SAML Document=" + samlMsg); + boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); + String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); - boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); + String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); - String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); + String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); - String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); + RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); + holder.setDestination(destination).setDestinationQueryString(destinationQuery); - RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); - holder.setDestination(destination).setDestinationQueryString(destinationQuery); + String destinationURL = RedirectBindingUtil.getDestinationURL(holder); - String destinationURL = RedirectBindingUtil.getDestinationURL(holder); + HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); + } + else + { + //See if the session has been invalidated + boolean sessionValidity = session.isValid(); + if (!sessionValidity) + { + sendToLogoutPage(request, response, session); + return false; + } - if (trace) - { - log.trace("URL used for sending:" + destinationURL); - } + //We got a response with the principal + List<String> roles = saml2HandlerResponse.getRoles(); + if (principal == null) + principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); - if (saveRestoreRequest) - { - this.saveRequest(request, session); - } + String username = principal.getName(); + String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; - HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); - return false; + //Map to JBoss specific principal + if ((new ServerDetector()).isJboss() || jbossEnv) + { + //Push a context + ServiceProviderSAMLContext.push(username, roles); + principal = context.getRealm().authenticate(username, password); + ServiceProviderSAMLContext.clear(); } - catch (Exception e) + else { - if (trace) - log.trace("Exception:", e); - throw new IOException("Server Error"); + //tomcat env + SPUtil spUtil = new SPUtil(); + principal = spUtil.createGenericPrincipal(request, principal.getName(), roles); } + + session.setNote(Constants.SESS_USERNAME_NOTE, username); + session.setNote(Constants.SESS_PASSWORD_NOTE, password); + request.setUserPrincipal(principal); + + if (saveRestoreRequest) + { + this.restoreRequest(request, session); + } + register(request, response, principal, Constants.FORM_METHOD, username, password); + + return true; } } - - //See if we got a response from IDP - if (isNotNull(samlResponse)) + catch (ProcessingException pe) { - boolean isValid = false; - try + Throwable t = pe.getCause(); + if (t != null && t instanceof AssertionExpiredException) { - isValid = this.validate(request); + log.error("Assertion has expired. Asking IDP for reissue"); + //Just issue a fresh request back to IDP + return generalUserRequest(request, response, loginConfig); } - catch (Exception e) - { - log.error("Exception:", e); - throw new IOException(); - } - if (!isValid) - throw new IOException("Validity check failed"); + throw new IOException("Server Exception:" + pe.getLocalizedMessage()); + } + catch (Exception e) + { + if (trace) + log.trace("Server Exception:", e); + throw new IOException("Server Exception:" + e.getLocalizedMessage()); + } + return localAuthentication(request, response, loginConfig); + } - try - { - ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false, - serviceURL); - initializeSAMLProcessor(responseProcessor); + /** + * Handle the user invocation for the first time + * @param request + * @param response + * @param loginConfig + * @return + * @throws IOException + */ + protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException + { + Session session = request.getSessionInternal(true); + HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); + Set<SAML2Handler> handlers = chain.handlers(); - SAML2HandlerResponse saml2HandlerResponse = null; + String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - try - { - saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock); - } - catch (ProcessingException pe) - { - Throwable te = pe.getCause(); - if (te instanceof AssertionExpiredException) - { - //We need to reissue redirect to IDP - ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); - initializeSAMLProcessor(baseProcessor); + //Neither saml request nor response from IDP + //So this is a user request + SAML2HandlerResponse saml2HandlerResponse = null; + try + { + ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL); - saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); - saml2HandlerResponse.setDestination(identityURL); - } - else - throw pe; - } - Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); - relayState = saml2HandlerResponse.getRelayState(); + initializeSAMLProcessor(baseProcessor); - String destination = saml2HandlerResponse.getDestination(); + saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); + saml2HandlerResponse.setDestination(identityURL); + } + catch (ProcessingException pe) + { + log.error("Processing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ParsingException pe) + { + log.error("Parsing Exception:", pe); + throw new RuntimeException(pe); + } + catch (ConfigurationException pe) + { + log.error("Config Exception:", pe); + throw new RuntimeException(pe); + } - if (destination != null && samlResponseDocument != null) - { - boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); - String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); + Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); + relayState = saml2HandlerResponse.getRelayState(); - String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); + String destination = saml2HandlerResponse.getDestination(); - String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); + if (destination != null && samlResponseDocument != null) + { + try + { + String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument); + if (trace) + log.trace("SAML Document=" + samlMsg); - RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); - holder.setDestination(destination).setDestinationQueryString(destinationQuery); + boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest(); - String destinationURL = RedirectBindingUtil.getDestinationURL(holder); + String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8")); - HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); - } - else - { - //See if the session has been invalidated - boolean sessionValidity = session.isValid(); - if (!sessionValidity) - { - sendToLogoutPage(request, response, session); - return false; - } + String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest); - //We got a response with the principal - List<String> roles = saml2HandlerResponse.getRoles(); - if (principal == null) - principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); + RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder(); + holder.setDestination(destination).setDestinationQueryString(destinationQuery); - String username = principal.getName(); - String password = ServiceProviderSAMLContext.EMPTY_PASSWORD; + String destinationURL = RedirectBindingUtil.getDestinationURL(holder); - //Map to JBoss specific principal - if ((new ServerDetector()).isJboss() || jbossEnv) - { - //Push a context - ServiceProviderSAMLContext.push(username, roles); - principal = context.getRealm().authenticate(username, password); - ServiceProviderSAMLContext.clear(); - } - else - { - //tomcat env - SPUtil spUtil = new SPUtil(); - principal = spUtil.createGenericPrincipal(request, principal.getName(), roles); - } + if (trace) + { + log.trace("URL used for sending:" + destinationURL); + } - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); - request.setUserPrincipal(principal); + if (saveRestoreRequest) + { + this.saveRequest(request, session); + } - if (saveRestoreRequest) - { - this.restoreRequest(request, session); - } - register(request, response, principal, Constants.FORM_METHOD, username, password); - - return true; - } + HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response); + return false; } catch (Exception e) { - e.printStackTrace(); if (trace) - log.trace("Server Exception:", e); - throw new IOException("Server Exception:" + e.getLocalizedMessage()); + log.trace("Exception:", e); + throw new IOException("Server Error"); } } - - //Handle SAML Requests from IDP - if (isNotNull(samlRequest)) - { - //we got a logout request - try - { - ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false, - this.serviceURL); - boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); - - if (result) - return result; - } - catch (Exception e) - { - log.error("Server Exception:", e); - throw new IOException("Server Exception"); - } - - }//end if - - log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available"); - //fallback - return super.authenticate(request, response, loginConfig); + return localAuthentication(request, response, loginConfig); } protected String createSAMLRequestMessage(String relayState, Response response) throws ServletException,

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1142 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation: web/constants and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 14:57:30 -0400 (Thu, 28 Jul 2011) New Revision: 1142 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java Log: merge in r1141 Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp ___________________________________________________________________ Added: svn:mergeinfo + /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1141 Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142) @@ -34,11 +34,14 @@ import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; +import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import javax.xml.crypto.dsig.CanonicalizationMethod; import org.apache.catalina.LifecycleException; +import org.apache.catalina.Session; import org.apache.catalina.authenticator.AuthenticatorBase; import org.apache.catalina.authenticator.FormAuthenticator; import org.apache.catalina.connector.Request; @@ -114,6 +117,8 @@ protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS; + protected final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME; + /** * Servlet3 related changes forced Tomcat to change the authenticate method * signature in the FormAuthenticator. For now, we use reflection for forward @@ -454,6 +459,28 @@ chainConfigOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "false"); //No validator as tomcat realm does validn } + protected void sendToLogoutPage(Request request, Response response, Session session) throws IOException, + ServletException + { + //we are invalidated. + RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage); + if (dispatch == null) + log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage); + else + { + session.expire(); + try + { + dispatch.forward(request, response); + } + catch (Exception e) + { + //JBAS5.1 and 6 quirkiness + dispatch.forward(request.getRequest(), response); + } + } + } + private Class<?> getAuthenticatorBaseClass() { Class<?> myClass = getClass(); Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142) @@ -29,7 +29,7 @@ import java.util.List; import java.util.Set; -import javax.servlet.RequestDispatcher; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.Session; @@ -77,8 +77,6 @@ private boolean jbossEnv = false; - private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME; - protected boolean supportSignatures = false; protected TrustKeyManager keyManager; @@ -118,8 +116,27 @@ @Override public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException { + Session session = request.getSessionInternal(true); + SPUtil spUtil = new SPUtil(); + //Eagerly look for Local LogOut + String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT); + boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr); + if (localLogout) + { + try + { + sendToLogoutPage(request, response, session); + } + catch (ServletException e) + { + log.error("Exception in logout::", e); + throw new IOException(e); + } + return false; + } + //Eagerly look for Global LogOut String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT); boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr); @@ -133,7 +150,6 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; - Session session = request.getSessionInternal(true); String relayState = request.getParameter(GeneralConstants.RELAY_STATE); boolean willSendRequest = false; @@ -244,23 +260,7 @@ boolean sessionValidity = session.isValid(); if (!sessionValidity) { - //we are invalidated. - RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage); - if (dispatch == null) - log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage); - else - { - session.expire(); - try - { - dispatch.forward(request, response); - } - catch (Exception e) - { - //JBAS5.1 and 6 quirkiness - dispatch.forward(request.getRequest(), response); - } - } + sendToLogoutPage(request, response, session); return false; } Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142) @@ -31,7 +31,6 @@ import java.util.Set; import java.util.StringTokenizer; -import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; @@ -81,8 +80,6 @@ protected boolean jbossEnv = false; - private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME; - public SPRedirectFormAuthenticator() { super(); @@ -112,6 +109,25 @@ @Override public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException { + Session session = request.getSessionInternal(true); + + //Eagerly look for Local LogOut + String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT); + boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr); + if (localLogout) + { + try + { + sendToLogoutPage(request, response, session); + } + catch (ServletException e) + { + log.error("Exception in logout::", e); + throw new IOException(e); + } + return false; + } + //Eagerly look for Global LogOut String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT); boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr); @@ -125,7 +141,6 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; - Session session = request.getSessionInternal(true); String relayState = request.getParameter(GeneralConstants.RELAY_STATE); HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); @@ -278,23 +293,7 @@ boolean sessionValidity = session.isValid(); if (!sessionValidity) { - //we are invalidated. - RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage); - if (dispatch == null) - log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage); - else - { - session.expire(); - try - { - dispatch.forward(request, response); - } - catch (Exception e) - { - //JBAS5.1 and 6 quirkiness - dispatch.forward(request.getRequest(), response); - } - } + sendToLogoutPage(request, response, session); return false; } Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java =================================================================== --- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 18:23:56 UTC (rev 1141) +++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 18:57:30 UTC (rev 1142) @@ -48,6 +48,8 @@ String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml"; + String LOCAL_LOGOUT = "LLO"; + String GLOBAL_LOGOUT = "GLO"; String HANDLER_CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-handlers.xml"; @@ -60,6 +62,8 @@ String KEYPAIR = "KEYPAIR"; + String LOGIN_TYPE = "LOGIN_TYPE"; + String LOGOUT_PAGE = "LOGOUT_PAGE"; String LOGOUT_PAGE_NAME = "/logout.jsp"; Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java ___________________________________________________________________ Added: svn:mergeinfo + /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1138-1141

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1141 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 14:23:56 -0400 (Thu, 28 Jul 2011) New Revision: 1141 Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java Log: PLFED-196: sp local log out Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 16:17:34 UTC (rev 1140) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141) @@ -34,11 +34,14 @@ import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; +import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import javax.xml.crypto.dsig.CanonicalizationMethod; import org.apache.catalina.LifecycleException; +import org.apache.catalina.Session; import org.apache.catalina.authenticator.AuthenticatorBase; import org.apache.catalina.authenticator.FormAuthenticator; import org.apache.catalina.connector.Request; @@ -114,6 +117,8 @@ protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS; + protected final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME; + /** * Servlet3 related changes forced Tomcat to change the authenticate method * signature in the FormAuthenticator. For now, we use reflection for forward @@ -454,6 +459,28 @@ chainConfigOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "false"); //No validator as tomcat realm does validn } + protected void sendToLogoutPage(Request request, Response response, Session session) throws IOException, + ServletException + { + //we are invalidated. + RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage); + if (dispatch == null) + log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage); + else + { + session.expire(); + try + { + dispatch.forward(request, response); + } + catch (Exception e) + { + //JBAS5.1 and 6 quirkiness + dispatch.forward(request.getRequest(), response); + } + } + } + private Class<?> getAuthenticatorBaseClass() { Class<?> myClass = getClass(); Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 16:17:34 UTC (rev 1140) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141) @@ -29,7 +29,7 @@ import java.util.List; import java.util.Set; -import javax.servlet.RequestDispatcher; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.Session; @@ -77,8 +77,6 @@ private boolean jbossEnv = false; - private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME; - protected boolean supportSignatures = false; protected TrustKeyManager keyManager; @@ -118,8 +116,27 @@ @Override public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException { + Session session = request.getSessionInternal(true); + SPUtil spUtil = new SPUtil(); + //Eagerly look for Local LogOut + String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT); + boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr); + if (localLogout) + { + try + { + sendToLogoutPage(request, response, session); + } + catch (ServletException e) + { + log.error("Exception in logout::", e); + throw new IOException(e); + } + return false; + } + //Eagerly look for Global LogOut String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT); boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr); @@ -133,7 +150,6 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; - Session session = request.getSessionInternal(true); String relayState = request.getParameter(GeneralConstants.RELAY_STATE); boolean willSendRequest = false; @@ -244,23 +260,7 @@ boolean sessionValidity = session.isValid(); if (!sessionValidity) { - //we are invalidated. - RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage); - if (dispatch == null) - log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage); - else - { - session.expire(); - try - { - dispatch.forward(request, response); - } - catch (Exception e) - { - //JBAS5.1 and 6 quirkiness - dispatch.forward(request.getRequest(), response); - } - } + sendToLogoutPage(request, response, session); return false; } Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 16:17:34 UTC (rev 1140) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141) @@ -31,7 +31,6 @@ import java.util.Set; import java.util.StringTokenizer; -import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; @@ -81,8 +80,6 @@ protected boolean jbossEnv = false; - private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME; - public SPRedirectFormAuthenticator() { super(); @@ -112,6 +109,25 @@ @Override public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException { + Session session = request.getSessionInternal(true); + + //Eagerly look for Local LogOut + String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT); + boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr); + if (localLogout) + { + try + { + sendToLogoutPage(request, response, session); + } + catch (ServletException e) + { + log.error("Exception in logout::", e); + throw new IOException(e); + } + return false; + } + //Eagerly look for Global LogOut String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT); boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr); @@ -125,7 +141,6 @@ if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse))) return true; - Session session = request.getSessionInternal(true); String relayState = request.getParameter(GeneralConstants.RELAY_STATE); HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext()); @@ -278,23 +293,7 @@ boolean sessionValidity = session.isValid(); if (!sessionValidity) { - //we are invalidated. - RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage); - if (dispatch == null) - log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage); - else - { - session.expire(); - try - { - dispatch.forward(request, response); - } - catch (Exception e) - { - //JBAS5.1 and 6 quirkiness - dispatch.forward(request.getRequest(), response); - } - } + sendToLogoutPage(request, response, session); return false; } Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 16:17:34 UTC (rev 1140) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 18:23:56 UTC (rev 1141) @@ -48,6 +48,8 @@ String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml"; + String LOCAL_LOGOUT = "LLO"; + String GLOBAL_LOGOUT = "GLO"; String HANDLER_CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-handlers.xml";

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1140 - in federation/trunk: picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock and 2 other directories.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 12:17:34 -0400 (Thu, 28 Jul 2011) New Revision: 1140 Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java Log: PLFED-202: set the auth context type Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-07-28 15:54:08 UTC (rev 1139) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-07-28 16:17:34 UTC (rev 1140) @@ -53,6 +53,7 @@ import org.apache.catalina.Session; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; +import org.apache.catalina.deploy.LoginConfig; import org.apache.catalina.realm.GenericPrincipal; import org.apache.catalina.util.LifecycleSupport; import org.apache.catalina.valves.ValveBase; @@ -478,6 +479,10 @@ cleanUpSessionNote(request); + //Determine the transport mechanism + boolean isSecure = request.isSecure(); + String loginType = determineLoginType(isSecure); + try { samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage); @@ -497,6 +502,10 @@ SAML2HandlerRequest saml2HandlerRequest = new DefaultSAML2HandlerRequest(protocolContext, idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP); saml2HandlerRequest.setRelayState(relayState); + if (StringUtil.isNotNull(loginType)) + { + saml2HandlerRequest.addOption(GeneralConstants.LOGIN_TYPE, loginType); + } String assertionID = (String) session.getSession().getAttribute(GeneralConstants.ASSERTION_ID); @@ -972,6 +981,7 @@ String configFile = GeneralConstants.CONFIG_FILE_LOCATION; context = (Context) getContainer(); + InputStream is = context.getServletContext().getResourceAsStream(configFile); if (is == null) throw new RuntimeException(configFile + " missing"); @@ -1157,6 +1167,25 @@ response.recycle(); } + protected String determineLoginType(boolean isSecure) + { + String result = JBossSAMLURIConstants.AC_PASSWORD.get(); + LoginConfig loginConfig = context.getLoginConfig(); + if (loginConfig != null) + { + String auth = loginConfig.getAuthMethod(); + if (StringUtil.isNotNull(auth)) + { + if ("CLIENT-CERT".equals(auth)) + result = JBossSAMLURIConstants.AC_TLS_CLIENT.get(); + else if (isSecure) + result = JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get(); + } + } + + return result; + } + /** * Given a set of roles, create an attribute statement * @param roles Modified: federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java =================================================================== --- federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java 2011-07-28 15:54:08 UTC (rev 1139) +++ federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java 2011-07-28 16:17:34 UTC (rev 1140) @@ -30,8 +30,8 @@ import java.util.HashMap; import java.util.Iterator; import java.util.Map; +import java.util.Map.Entry; import java.util.Set; -import java.util.Map.Entry; import javax.naming.directory.DirContext; import javax.servlet.RequestDispatcher; @@ -42,10 +42,9 @@ import javax.servlet.ServletResponse; import org.apache.catalina.Cluster; -import org.apache.catalina.Context; - import org.apache.catalina.Container; import org.apache.catalina.ContainerListener; +import org.apache.catalina.Context; import org.apache.catalina.Loader; import org.apache.catalina.Manager; import org.apache.catalina.Pipeline; @@ -62,20 +61,21 @@ import org.apache.catalina.deploy.SecurityConstraint; import org.apache.catalina.util.CharsetMapper; import org.apache.juli.logging.Log; -import org.apache.tomcat.util.http.mapper.Mapper; +import org.apache.tomcat.util.http.mapper.Mapper; /** * Mock Catalina Context * @author Anil.Saldhana(a)redhat.com * @since Oct 20, 2009 */ -@SuppressWarnings({ "unchecked", "rawtypes"}) -public class MockCatalinaContext -implements Context, Container, ServletContext -{ +@SuppressWarnings( +{"unchecked", "rawtypes"}) +public class MockCatalinaContext implements Context, Container, ServletContext +{ private Realm realm; + public void addChild(Container arg0) - { + { } public void addContainerListener(ContainerListener arg0) @@ -97,136 +97,136 @@ public Container[] findChildren() { - + throw new RuntimeException("NYI"); } public ContainerListener[] findContainerListeners() { - + throw new RuntimeException("NYI"); } public int getBackgroundProcessorDelay() { - + return 0; } public Cluster getCluster() { - + throw new RuntimeException("NYI"); } public String getInfo() { - + throw new RuntimeException("NYI"); } public Loader getLoader() { - + throw new RuntimeException("NYI"); } public Log getLogger() { - + throw new RuntimeException("NYI"); } public Manager getManager() { - + throw new RuntimeException("NYI"); } public Object getMappingObject() { - + throw new RuntimeException("NYI"); } public String getName() - { + { throw new RuntimeException("NYI"); } public String getObjectName() { - + throw new RuntimeException("NYI"); } public Container getParent() - { + { return this; } public ClassLoader getParentClassLoader() - { + { throw new RuntimeException("NYI"); } public Pipeline getPipeline() - { + { throw new RuntimeException("NYI"); } public DirContext getResources() - { + { throw new RuntimeException("NYI"); } public void invoke(Request arg0, Response arg1) throws IOException, ServletException - { + { } public void removeChild(Container arg0) - { + { } public void removeContainerListener(ContainerListener arg0) - { + { } public void removePropertyChangeListener(PropertyChangeListener arg0) - { + { } public void setBackgroundProcessorDelay(int arg0) - { + { } public void setCluster(Cluster arg0) - { + { } public void setLoader(Loader arg0) - { + { } public void setManager(Manager arg0) - { + { } public void setName(String arg0) - { + { } public void setParent(Container arg0) - { + { } public void setParentClassLoader(ClassLoader arg0) - { + { } public void setRealm(Realm arg0) - { - this.realm = arg0; + { + this.realm = arg0; } public void setResources(DirContext arg0) @@ -526,7 +526,9 @@ public LoginConfig getLoginConfig() { - throw new RuntimeException("NYI"); + LoginConfig loginConfig = new LoginConfig(); + loginConfig.setAuthMethod("BASIC"); + return loginConfig; } public Mapper getMapper() @@ -757,54 +759,54 @@ } public void setSessionTimeout(int arg0) - { + { } public void setSwallowOutput(boolean arg0) - { + { } public void setTldNamespaceAware(boolean arg0) - { + { } public void setTldValidation(boolean arg0) - { + { } public void setWrapperClass(String arg0) - { + { } public void setXmlNamespaceAware(boolean arg0) - { + { } public void setXmlValidation(boolean arg0) { } - + public Realm getRealm() - { + { return realm; } - - //Copied from MockServletContext - private Map params = new HashMap(); - private Map attribs = new HashMap(); - + //Copied from MockServletContext + private final Map params = new HashMap(); + + private final Map attribs = new HashMap(); + public Object getAttribute(String arg0) - { + { return attribs.get(arg0); } public Enumeration getAttributeNames() - { - return new Enumeration() + { + return new Enumeration() { - private Iterator iter = attribs.entrySet().iterator(); - + private final Iterator iter = attribs.entrySet().iterator(); + public boolean hasMoreElements() { return iter.hasNext(); @@ -812,33 +814,33 @@ public Object nextElement() { - Entry<String,Object> entry = (Entry<String, Object>) iter.next(); + Entry<String, Object> entry = (Entry<String, Object>) iter.next(); return entry.getValue(); } }; } public ServletContext getContext(String arg0) - { + { throw new RuntimeException("NYI"); } public String getContextPath() - { + { throw new RuntimeException("NYI"); } public String getInitParameter(String arg0) - { + { return (String) params.get(arg0); } public Enumeration getInitParameterNames() - { - return new Enumeration() + { + return new Enumeration() { - private Iterator iter = params.entrySet().iterator(); - + private final Iterator iter = params.entrySet().iterator(); + public boolean hasMoreElements() { return iter.hasNext(); @@ -846,85 +848,85 @@ public Object nextElement() { - Entry<String,Object> entry = (Entry<String, Object>) iter.next(); + Entry<String, Object> entry = (Entry<String, Object>) iter.next(); return entry.getKey(); } }; } public int getMajorVersion() - { + { return 0; } public String getMimeType(String arg0) - { + { throw new RuntimeException("NYI"); } public int getMinorVersion() - { + { return 0; } public RequestDispatcher getNamedDispatcher(String arg0) - { + { throw new RuntimeException("NYI"); } public String getRealPath(String arg0) - { + { return null; } public RequestDispatcher getRequestDispatcher(String arg0) - { + { return new RequestDispatcher() { - + public void include(ServletRequest arg0, ServletResponse arg1) throws ServletException, IOException - { + { } - + public void forward(ServletRequest arg0, ServletResponse arg1) throws ServletException, IOException - { + { } }; } public URL getResource(String arg0) throws MalformedURLException - { + { throw new RuntimeException("NYI"); } public InputStream getResourceAsStream(String arg0) { - ClassLoader tcl = Thread.currentThread().getContextClassLoader(); - return tcl.getResourceAsStream( arg0 ); + ClassLoader tcl = Thread.currentThread().getContextClassLoader(); + return tcl.getResourceAsStream(arg0); } public Set getResourcePaths(String arg0) - { + { throw new RuntimeException("NYI"); } public String getServerInfo() - { + { throw new RuntimeException("NYI"); } public Servlet getServlet(String arg0) throws ServletException - { + { throw new RuntimeException("NYI"); } public String getServletContextName() - { + { throw new RuntimeException("NYI"); } public Enumeration getServletNames() - { + { throw new RuntimeException("NYI"); } @@ -934,15 +936,15 @@ } public void log(String arg0) - { + { } public void log(Exception arg0, String arg1) - { + { } public void log(String arg0, Throwable arg1) - { + { } public void removeAttribute(String arg0) @@ -951,7 +953,7 @@ } public void setAttribute(String arg0, Object arg1) - { + { this.attribs.put(arg0, arg1); } } \ No newline at end of file Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 15:54:08 UTC (rev 1139) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 16:17:34 UTC (rev 1140) @@ -60,6 +60,8 @@ String KEYPAIR = "KEYPAIR"; + String LOGIN_TYPE = "LOGIN_TYPE"; + String LOGOUT_PAGE = "LOGOUT_PAGE"; String LOGOUT_PAGE_NAME = "/logout.jsp"; Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 15:54:08 UTC (rev 1139) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 16:17:34 UTC (rev 1140) @@ -238,6 +238,8 @@ Document samlResponseDocument = null; + String authMethod = (String) request.getOptions().get(GeneralConstants.LOGIN_TYPE); + if (trace) log.trace("AssertionConsumerURL=" + assertionConsumerURL + "::assertion validity=" + assertionValidity); ResponseType responseType = null; @@ -275,8 +277,12 @@ //Create an AuthnStatementType if (handlerConfig.getParameter(DISABLE_AUTHN_STATEMENT) == null) { + String authContextRef = JBossSAMLURIConstants.AC_PASSWORD.get(); + if (StringUtil.isNotNull(authMethod)) + authContextRef = authMethod; + AuthnStatementType authnStatement = StatementUtil.createAuthnStatement(XMLTimeUtil.getIssueInstant(), - JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get()); + authContextRef); assertion.addStatement(authnStatement); }

12 years, 8 months

1
0
0 / 0

Picketlink SVN: r1139 - integration-tests/trunk/ant-scripts.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-07-28 11:54:08 -0400 (Thu, 28 Jul 2011) New Revision: 1139 Modified: integration-tests/trunk/ant-scripts/ant-build.xml Log: add claims war to tc Modified: integration-tests/trunk/ant-scripts/ant-build.xml =================================================================== --- integration-tests/trunk/ant-scripts/ant-build.xml 2011-07-28 15:26:45 UTC (rev 1138) +++ integration-tests/trunk/ant-scripts/ant-build.xml 2011-07-28 15:54:08 UTC (rev 1139) @@ -52,6 +52,9 @@ </fileset> </move> + <copy file="${basedir}/../picketlink-int-webapps/claims/target/claims.war" todir="${TOMCAT6_DEPLOY}"/> + + <copy file="${basedir}/../common-dist/tomcat/tomcat-users.xml" todir="${TOMCAT6}/conf" /> <copy file="${basedir}/../common-dist/tomcat/log4j.xml"

12 years, 8 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

picketlink-commits July 2011