Picketlink SVN: r1349 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat: idp and 1 other directories.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2012-01-31 16:31:53 -0500 (Tue, 31 Jan 2012)
New Revision: 1349
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
Log:
merge in -r1324
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1144-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1144-1173,1192-1228,1321-1324
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat:1152-1173
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2012-01-31 21:17:54 UTC (rev 1348)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2012-01-31 21:31:53 UTC (rev 1349)
@@ -28,7 +28,9 @@
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
+import java.net.MalformedURLException;
import java.net.URI;
+import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
@@ -154,6 +156,11 @@
private Boolean ignoreIncomingSignatures = false;
private Boolean signOutgoingMessages = true;
+
+ /**
+ * Defines how the token's signature will be validated. If true is used the token's issuer, otherwise the request.getRemoteAddr. Default false.
+ */
+ private Boolean validatingAliasToTokenIssuer = false;
private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager();
@@ -220,6 +227,20 @@
}
/**
+ * PLFED-248
+ * Allows to validate the token's signature against the keystore using the token's issuer.
+ */
+ public void setValidatingAliasToTokenIssuer(Boolean validatingAliasToTokenIssuer)
+ {
+ this.validatingAliasToTokenIssuer = validatingAliasToTokenIssuer;
+ }
+
+ public Boolean getValidatingAliasToTokenIssuer()
+ {
+ return validatingAliasToTokenIssuer;
+ }
+
+ /**
* IDP should not do any attributes such as generation of roles etc
* @param ignoreAttributes
*/
@@ -489,8 +510,6 @@
Boolean requestedPostProfile = null;
- //Get the SAML Request Message
- RequestAbstractType requestAbstractType = null;
String samlRequestMessage = (String) session.getNote(GeneralConstants.SAML_REQUEST_KEY);
String relayState = (String) session.getNote(GeneralConstants.RELAY_STATE);
@@ -511,15 +530,23 @@
{
samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
samlObject = samlDocumentHolder.getSamlObject();
+
+ if (!(samlObject instanceof RequestAbstractType)) {
+ throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
+ }
+ //Get the SAML Request Message
+ RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
+ String issuer = requestAbstractType.getIssuer().getValue();
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
- boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder(
+ String tokenSignatureValidatingAlias = getTokenSignatureValidatingAlias(request, issuer);
+ boolean isValid = validate(tokenSignatureValidatingAlias, request.getQueryString(), new SessionHolder(
samlRequestMessage, signature, sigAlg), isPost);
if (!isValid)
throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
- String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext());
//Create the request/response
@@ -545,12 +572,13 @@
if (this.keyManager != null)
{
- String remoteHost = request.getRemoteAddr();
if (trace)
{
- log.trace("Remote Host=" + remoteHost);
+ log.trace("Remote Host=" + request.getRemoteAddr());
+ log.trace("Validating Alias=" + tokenSignatureValidatingAlias);
}
- PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, remoteHost);
+
+ PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, tokenSignatureValidatingAlias);
requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
requestOptions.put(GeneralConstants.DECRYPTING_KEY, keyManager.getSigningKey());
}
@@ -572,31 +600,24 @@
log.trace("Handlers are=" + handlers);
}
- if (samlObject instanceof RequestAbstractType)
+ webRequestUtil.isTrusted(issuer);
+
+ if (handlers != null)
{
- requestAbstractType = (RequestAbstractType) samlObject;
- issuer = requestAbstractType.getIssuer().getValue();
- webRequestUtil.isTrusted(issuer);
-
- if (handlers != null)
+ try
{
- try
+ chainLock.lock();
+ for (SAML2Handler handler : handlers)
{
- chainLock.lock();
- for (SAML2Handler handler : handlers)
- {
- handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
- willSendRequest = saml2HandlerResponse.getSendRequest();
- }
+ handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
+ willSendRequest = saml2HandlerResponse.getSendRequest();
}
- finally
- {
- chainLock.unlock();
- }
}
+ finally
+ {
+ chainLock.unlock();
+ }
}
- else
- throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
@@ -654,6 +675,34 @@
return;
}
+ /**
+ * Returns the alias to be used for the token's signature verification.
+ * If <code>validatingAliasToTokenIssuer</code> is true the token issuer will be returned.
+ *
+ * @param request
+ * @param issuer
+ * @return
+ */
+ private String getTokenSignatureValidatingAlias(Request request, String issuer)
+ {
+ String issuerHost = request.getRemoteAddr();
+
+ if (this.validatingAliasToTokenIssuer) {
+ try
+ {
+ issuerHost = new URL(issuer).getHost();
+ }
+ catch (MalformedURLException e)
+ {
+ if (trace) {
+ log.trace("Token issuer is not a valid URL: " + issuer + ". Using the requester address instead.", e);
+ }
+ }
+ }
+
+ return issuerHost;
+ }
+
protected void processSAMLResponseMessage(IDPWebRequestUtil webRequestUtil, Request request, Response response)
throws ServletException, IOException
{
@@ -678,17 +727,22 @@
cleanUpSessionNote(request);
- StatusResponseType statusResponseType = null;
try
{
samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
samlObject = samlDocumentHolder.getSamlObject();
-
+
+ if (!(samlObject instanceof StatusResponseType))
+ {
+ throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
+ }
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
boolean isValid = false;
-
- String remoteAddress = request.getRemoteAddr();
-
+ StatusResponseType statusResponseType = (StatusResponseType) samlObject;
+ String issuer = statusResponseType.getIssuer().getValue();
+ String tokenValidatingAlias = getTokenSignatureValidatingAlias(request, issuer);
+
if (isPost)
{
//Validate
@@ -696,7 +750,7 @@
if (ignoreIncomingSignatures == false && signOutgoingMessages == true)
{
- PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
+ PublicKey publicKey = keyManager.getValidatingKey(tokenValidatingAlias);
isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey);
}
else
@@ -704,14 +758,13 @@
}
else
{
- isValid = validate(remoteAddress, request.getQueryString(), new SessionHolder(samlResponseMessage,
+ isValid = validate(tokenValidatingAlias, request.getQueryString(), new SessionHolder(samlResponseMessage,
signature, sigAlg), isPost);
}
if (!isValid)
throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
- String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext());
//Create the request/response
@@ -723,32 +776,25 @@
Set<SAML2Handler> handlers = chain.handlers();
- if (samlObject instanceof StatusResponseType)
+ webRequestUtil.isTrusted(issuer);
+
+ if (handlers != null)
{
- statusResponseType = (StatusResponseType) samlObject;
- issuer = statusResponseType.getIssuer().getValue();
- webRequestUtil.isTrusted(issuer);
-
- if (handlers != null)
+ try
{
- try
+ chainLock.lock();
+ for (SAML2Handler handler : handlers)
{
- chainLock.lock();
- for (SAML2Handler handler : handlers)
- {
- handler.reset();
- handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
- willSendRequest = saml2HandlerResponse.getSendRequest();
- }
+ handler.reset();
+ handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
+ willSendRequest = saml2HandlerResponse.getSendRequest();
}
- finally
- {
- chainLock.unlock();
- }
}
+ finally
+ {
+ chainLock.unlock();
+ }
}
- else
- throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1173,1192-1228,1302-1319
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1173,1192-1228,1302-1319,1321-1324
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2012-01-31 21:17:54 UTC (rev 1348)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2012-01-31 21:31:53 UTC (rev 1349)
@@ -84,11 +84,23 @@
{
this.idpAddress = idpAddress;
}
-
+
@Override
+ public void testStart() throws LifecycleException
+ {
+ super.testStart();
+ this.init();
+ }
+
+ @Override
public void start() throws LifecycleException
{
super.start();
+ this.init();
+ }
+
+ private void init() throws LifecycleException
+ {
Context context = (Context) getContainer();
KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
12 years, 6 months
- 1
- 0
Picketlink SVN: r1348 - in federation/trunk/picketlink-bindings/src/test/resources: responseIDP and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2012-01-31 16:17:54 -0500 (Tue, 31 Jan 2012)
New Revision: 1348
Added:
federation/trunk/picketlink-bindings/src/test/resources/responseIDP/
federation/trunk/picketlink-bindings/src/test/resources/responseIDP/casidp.xml
federation/trunk/picketlink-bindings/src/test/resources/responseIDP/pingidp.xml
Removed:
federation/trunk/picketlink-bindings/src/test/resources/responseIDP/
Log:
merge in -r1318, 1319, 1320
Added: federation/trunk/picketlink-bindings/src/test/resources/responseIDP/casidp.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/responseIDP/casidp.xml (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/responseIDP/casidp.xml 2012-01-31 21:17:54 UTC (rev 1348)
@@ -0,0 +1,47 @@
+<samlp:Response ID="pmilcfianoapejannhabalcfdlmlpbhbhifalhph"
+ IssueInstant="2011-11-04T09:42:04Z" InResponseTo="ID_8b7b580b-592a-49ba-b55e-b2ef2bbefb51"
+ Destination="http://localhost:8080/sales/" Version="2.0"
+ xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+ <Issuer>https://localhost:8443</Issuer>
+ <samlp:Status>
+ <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+ </samlp:Status>
+ <Assertion ID="bndkhciapdbmobheooakhphogocfnljcnkejpgcf"
+ IssueInstant="2011-11-04T09:42:04Z" Version="2.0"
+ xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+ <Issuer>https://localhost:8443</Issuer>
+ <Subject>
+ <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">velias</NameID>
+ <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+ <SubjectConfirmationData Recipient="http://localhost:8080/sales/"
+ NotBefore="2011-11-04T09:42:04Z" NotOnOrAfter="2011-11-05T09:42:04Z"
+ InResponseTo="ID_8b7b580b-592a-49ba-b55e-b2ef2bbefb51" />
+ </SubjectConfirmation>
+ </Subject>
+ <Conditions NotBefore="2011-11-04T09:42:04Z" NotOnOrAfter="2051-11-05T09:42:04Z" />
+ <AuthnStatement AuthnInstant="2011-11-04T09:42:04Z">
+ <AuthnContext>
+ <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+ </AuthnContextClassRef>
+ </AuthnContext>
+ </AuthnStatement>
+ <AttributeStatement>
+ <Attribute Name="Role">
+ <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">employee
+ </AttributeValue>
+ </Attribute>
+ <Attribute Name="Role">
+ <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manager
+ </AttributeValue>
+ </Attribute>
+ <Attribute Name="Role">
+ <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sales
+ </AttributeValue>
+ </Attribute>
+ </AttributeStatement>
+ </Assertion>
+</samlp:Response>
\ No newline at end of file
Added: federation/trunk/picketlink-bindings/src/test/resources/responseIDP/pingidp.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/responseIDP/pingidp.xml (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/responseIDP/pingidp.xml 2012-01-31 21:17:54 UTC (rev 1348)
@@ -0,0 +1,229 @@
+<samlp:Response Destination="https://201.000.000.00/gctxyz" InResponseTo="ID_76b05a86-993e-4ba4-83b6-e0fe7d292e78"
+
+ IssueInstant="2011-02-21T17:35:08.182Z" ID="o5x7YnbyTo.XL_47-oLmZwgUgpP" Version="2.0"
+
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+
+ <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.xyz.com</saml:Issuer>
+
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+
+ <ds:SignedInfo>
+
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+
+ <ds:Reference URI="#o5x7YnbyTo.XL_47-oLmZwgUgpP">
+
+ <ds:Transforms>
+
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+
+ </ds:Transforms>
+
+ <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+
+ <ds:DigestValue>joOnzlFL1squOg8uAb5fLcA9x0s=</ds:DigestValue>
+
+ </ds:Reference>
+
+ </ds:SignedInfo>
+
+ <ds:SignatureValue>
+
+ ...
+
+ </ds:SignatureValue>
+
+ <ds:KeyInfo>
+
+ <ds:X509Data>
+
+ <ds:X509Certificate>
+
+ ...
+
+ </ds:X509Certificate>
+
+ </ds:X509Data>
+
+ <ds:KeyValue>
+
+ <ds:RSAKeyValue>
+
+ <ds:Modulus>
+
+ ...
+
+ </ds:Modulus>
+
+ <ds:Exponent>AQAB</ds:Exponent>
+
+ </ds:RSAKeyValue>
+
+ </ds:KeyValue>
+
+ </ds:KeyInfo>
+
+ </ds:Signature>
+
+ <samlp:Status>
+
+ <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+
+ </samlp:Status>
+
+ <saml:Assertion Version="2.0" IssueInstant="2011-02-21T17:35:08.196Z" ID="RM9ViMLu.M-ejey1FVNCeeIBws."
+
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+
+ <saml:Issuer>https://test.xyz.com</saml:Issuer>
+
+ <saml:Subject>
+
+ <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">asptest</saml:NameID>
+
+ <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+
+ <saml:SubjectConfirmationData InResponseTo="ID_76b05a86-993e-4ba4-83b6-e0fe7d292e78"
+
+ NotOnOrAfter="2023-02-21T17:40:08.196Z"
+
+ Recipient="https://201.000.000.00/gctxyz"/>
+
+ </saml:SubjectConfirmation>
+
+ </saml:Subject>
+
+ <saml:Conditions NotOnOrAfter="2023-02-21T17:40:08.196Z" NotBefore="2011-02-21T17:30:08.196Z">
+
+ <saml:AudienceRestriction>
+
+ <saml:Audience>https://201.000.000.00/gctxyz</saml:Audience>
+
+ </saml:AudienceRestriction>
+
+ </saml:Conditions>
+
+ <saml:AuthnStatement AuthnInstant="2011-02-21T17:35:08.195Z" SessionIndex="RM9ViMLu.M-ejey1FVNCeeIBws.">
+
+ <saml:AuthnContext>
+
+ <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
+
+ </saml:AuthnContextClassRef>
+
+ </saml:AuthnContext>
+
+ </saml:AuthnStatement>
+
+ <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="street">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_street
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="zipcode">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_zipcode
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="state">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_state
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="lastname">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_lastname
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="firstname">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_firstname
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="billtoid">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_billtoid
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="telephonenumber">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_telephonenumber
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="city">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_city
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="email">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_email
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="contractnumber">
+
+ <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ asptest_contractnumber
+
+ </saml:AttributeValue>
+
+ </saml:Attribute>
+
+ </saml:AttributeStatement>
+
+ </saml:Assertion>
+
+</samlp:Response>
\ No newline at end of file
12 years, 6 months
- 1
- 0
Picketlink SVN: r1347 - in product/trunk/picketlink-core/src: main/java/org/picketlink/identity/federation/web/util and 5 other directories.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2012-01-31 16:14:29 -0500 (Tue, 31 Jan 2012)
New Revision: 1347
Added:
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SPRedirectFormAuthenticatorResponseTestCase.java
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml
Removed:
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml
product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/ServerDetector.java
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/
product/trunk/picketlink-core/src/test/resources/
Log:
merge in -r1318, 1319, 1320 and a change to ServerDetector.java to look for a different class in AS: org.jboss.Main
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1173,1192-1228,1302-1319
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1152-1173
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2012-01-27 13:54:16 UTC (rev 1346)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2012-01-31 21:14:29 UTC (rev 1347)
@@ -198,8 +198,7 @@
}
catch (Exception e)
{
- if (trace)
- log.trace("Server Exception:", e);
+ log.error("Server Exception:", e);
throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION);
}
return localAuthentication(request, response, loginConfig);
@@ -317,6 +316,7 @@
//Just issue a fresh request back to IDP
return generalUserRequest(request, response, loginConfig);
}
+ log.error("Server Exception:", pe);
throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + pe.getLocalizedMessage());
}
catch (Exception e)
@@ -393,8 +393,7 @@
}
catch (Exception e)
{
- if (trace)
- log.trace("Exception:", e);
+ log.error("Server Exception:", e);
throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION);
}
}
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-01-27 13:54:16 UTC (rev 1346)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-01-31 21:14:29 UTC (rev 1347)
@@ -332,12 +332,12 @@
//Just issue a fresh request back to IDP
return generalUserRequest(request, response, loginConfig);
}
+ log.error("Server Exception:", pe);
throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + pe.getLocalizedMessage());
}
catch (Exception e)
{
- if (trace)
- log.trace("Server Exception:", e);
+ log.error("Server Exception:", e);
throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION + e.getLocalizedMessage());
}
return localAuthentication(request, response, loginConfig);
@@ -426,8 +426,7 @@
}
catch (Exception e)
{
- if (trace)
- log.trace("Exception:", e);
+ log.error("Server Exception:", e);
throw new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION);
}
}
@@ -529,4 +528,4 @@
{
throw new RuntimeException(ErrorCodes.AUTHENTICATOR_DOES_NOT_HANDLE_ENC);
}
-}
\ No newline at end of file
+}
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/util:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/util:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/util:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/util:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/util:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util:1152-1173,1302-1320
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/ServerDetector.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/ServerDetector.java 2012-01-27 13:54:16 UTC (rev 1346)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/ServerDetector.java 2012-01-31 21:14:29 UTC (rev 1347)
@@ -51,10 +51,11 @@
private void detectServer()
{
//Detect JBoss
-
+ Class<?> me = getClass();
+ Class<?> clazz = null;
try
{
- Class<?> clazz = SecurityActions.loadClass(getClass(), "org.jboss.system.Service");
+ clazz = SecurityActions.loadClass(me, "org.jboss.Main");
if (clazz != null)
{
jboss = true;
@@ -63,13 +64,21 @@
}
catch (Exception e)
{
- //ignore
+ try
+ {
+ clazz = SecurityActions.loadClass(me, "org.jboss.as.server.Bootstrap");
+ jboss = true;
+ return;
+ }
+ catch (Exception ee)
+ {
+ }
}
//Tomcat
try
{
- Class<?> clazz = SecurityActions.loadClass(getClass(), "org.apache.cataline.Server");
+ clazz = SecurityActions.loadClass(getClass(), "org.apache.cataline.Server");
if (clazz != null)
{
tomcat = true;
Property changes on: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1140-1173,1307-1318
/federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1192-1228
/federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1152-1154,1159-1173,1192-1228
Copied: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SPRedirectFormAuthenticatorResponseTestCase.java (from rev 1318, federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SPRedirectFormAuthenticatorResponseTestCase.java)
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SPRedirectFormAuthenticatorResponseTestCase.java (rev 0)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SPRedirectFormAuthenticatorResponseTestCase.java 2012-01-31 21:14:29 UTC (rev 1347)
@@ -0,0 +1,139 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.workflow;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+import java.net.URL;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.catalina.deploy.LoginConfig;
+import org.junit.Test;
+import org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContext;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContextClassLoader;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
+
+/**
+ * Test to validate the handling of a saml response by the
+ * {@link SPRedirectFormAuthenticator}
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Nov 4, 2011
+ */
+public class SPRedirectFormAuthenticatorResponseTestCase
+{
+ private final String profile = "saml2/redirect";
+
+ private final ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testSP() throws Exception
+ {
+ MockCatalinaSession session = new MockCatalinaSession();
+ //First we go to the employee application
+ MockCatalinaContextClassLoader mclSPEmp = setupTCL(profile + "/responses");
+ Thread.currentThread().setContextClassLoader(mclSPEmp);
+ SPRedirectFormAuthenticator spEmpl = new SPRedirectFormAuthenticator();
+
+ MockCatalinaContext context = new MockCatalinaContext();
+ spEmpl.setContainer(context);
+ spEmpl.testStart();
+
+ MockCatalinaRequest catalinaRequest = new MockCatalinaRequest();
+ catalinaRequest.setSession(session);
+ catalinaRequest.setContext(context);
+
+ byte[] samlResponse = readIDPResponse();
+
+ String idpResponse = RedirectBindingUtil.deflateBase64Encode(samlResponse);
+
+ catalinaRequest.setParameter(GeneralConstants.SAML_RESPONSE_KEY, idpResponse);
+
+ MockCatalinaResponse catalinaResponse = new MockCatalinaResponse();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ catalinaResponse.setWriter(new PrintWriter(baos));
+
+ LoginConfig loginConfig = new LoginConfig();
+ assertTrue(spEmpl.authenticate(catalinaRequest, catalinaResponse, loginConfig));
+
+ Map<String, List<Object>> sessionMap = (Map<String, List<Object>>) session
+ .getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP);
+ assertNotNull(sessionMap);
+ assertEquals("sales", sessionMap.get("Role").get(0));
+ }
+
+ private byte[] readIDPResponse() throws IOException
+ {
+ File file = new File(tcl.getResource("responseIDP/casidp.xml").getPath());
+ InputStream is = new FileInputStream(file);
+ assertNotNull(is);
+
+ long length = file.length();
+
+ // Create the byte array to hold the data
+ byte[] bytes = new byte[(int) length];
+
+ // Read in the bytes
+ int offset = 0;
+ int numRead = 0;
+ while (offset < bytes.length && (numRead = is.read(bytes, offset, bytes.length - offset)) >= 0)
+ {
+ offset += numRead;
+ }
+
+ // Ensure all the bytes have been read in
+ if (offset < bytes.length)
+ {
+ throw new IOException("Could not completely read file " + file.getName());
+ }
+
+ // Close the input stream and return bytes
+ is.close();
+ return bytes;
+ }
+
+ private MockCatalinaContextClassLoader setupTCL(String resource)
+ {
+ URL[] urls = new URL[]
+ {tcl.getResource(resource)};
+
+ MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
+ mcl.setDelegate(tcl);
+ mcl.setProfile(resource);
+ return mcl;
+ }
+
+}
\ No newline at end of file
Property changes on: product/trunk/picketlink-core/src/test/resources
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-bindings/src/test/resources:1302-1318
Deleted: product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml 2011-11-04 18:19:34 UTC (rev 1318)
+++ product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml 2012-01-31 21:14:29 UTC (rev 1347)
@@ -1,6 +0,0 @@
-<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"/>
-</Handlers>
\ No newline at end of file
Copied: product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml (from rev 1318, federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml)
===================================================================
--- product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml (rev 0)
+++ product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-handlers.xml 2012-01-31 21:14:29 UTC (rev 1347)
@@ -0,0 +1,6 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"/>
+</Handlers>
\ No newline at end of file
Deleted: product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml 2011-11-04 18:19:34 UTC (rev 1318)
+++ product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml 2012-01-31 21:14:29 UTC (rev 1347)
@@ -1,37 +0,0 @@
-<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
-
- <IdentityURL>https://fedtst.company.com/idp/SSO.saml2</IdentityURL>
-
- <ServiceURL>https://201.000.000.00/gctxyz</ServiceURL>
- <Trust>
-
- <Domains>localhost,jboss.com,jboss.org,fedtst.company.com,201.000.000.00</Domains>
-
- </Trust>
- <KeyProvider
-
- ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
-
-
-
- <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
-
- <Auth Key="KeyStorePass" Value="store123" />
-
- <Auth Key="SigningKeyPass" Value="test123" />
-
- <Auth Key="SigningKeyAlias" Value="servercert" />
-
-
-
- <ValidatingAlias Key="localhost" Value="picketlink"/>
-
- <ValidatingAlias Key="127.0.0.1" Value="picketlink"/>
-
- <ValidatingAlias Key="fedtst.company.com" Value="test"/>
-
- </KeyProvider>
-
-
-
-</PicketLinkSP>
\ No newline at end of file
Copied: product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml (from rev 1318, federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml)
===================================================================
--- product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml (rev 0)
+++ product/trunk/picketlink-core/src/test/resources/saml2/redirect/responses/WEB-INF/picketlink-idfed.xml 2012-01-31 21:14:29 UTC (rev 1347)
@@ -0,0 +1,37 @@
+<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
+
+ <IdentityURL>https://fedtst.company.com/idp/SSO.saml2</IdentityURL>
+
+ <ServiceURL>https://201.000.000.00/gctxyz</ServiceURL>
+ <Trust>
+
+ <Domains>localhost,jboss.com,jboss.org,fedtst.company.com,201.000.000.00</Domains>
+
+ </Trust>
+ <KeyProvider
+
+ ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+
+
+
+ <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
+
+ <Auth Key="KeyStorePass" Value="store123" />
+
+ <Auth Key="SigningKeyPass" Value="test123" />
+
+ <Auth Key="SigningKeyAlias" Value="servercert" />
+
+
+
+ <ValidatingAlias Key="localhost" Value="picketlink"/>
+
+ <ValidatingAlias Key="127.0.0.1" Value="picketlink"/>
+
+ <ValidatingAlias Key="fedtst.company.com" Value="test"/>
+
+ </KeyProvider>
+
+
+
+</PicketLinkSP>
\ No newline at end of file
12 years, 6 months
- 1
- 0
Picketlink SVN: r1346 - federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust.
by picketlink-commits@lists.jboss.org
Author: mposolda
Date: 2012-01-27 08:54:16 -0500 (Fri, 27 Jan 2012)
New Revision: 1346
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSClient.java
Log:
PLFED-260 Avoid to use null ID for UsernameToken in STSClient.issueTokenOnBehalfOf
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSClient.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSClient.java 2012-01-20 17:57:40 UTC (rev 1345)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSClient.java 2012-01-27 13:54:16 UTC (rev 1346)
@@ -258,7 +258,7 @@
private RequestSecurityToken setOnBehalfOf(Principal principal, RequestSecurityToken request)
{
if (principal != null)
- request.setOnBehalfOf(WSTrustUtil.createOnBehalfOfWithUsername(principal.getName(), null));
+ request.setOnBehalfOf(WSTrustUtil.createOnBehalfOfWithUsername(principal.getName(), "ID"));
return request;
}
12 years, 6 months
- 1
- 0
Picketlink SVN: r1345 - federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp.
by picketlink-commits@lists.jboss.org
Author: mposolda
Date: 2012-01-20 12:57:40 -0500 (Fri, 20 Jan 2012)
New Revision: 1345
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
Log:
PLFED-259 Possibility to have logOutPage URL configurable
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2012-01-19 09:55:50 UTC (rev 1344)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2012-01-20 17:57:40 UTC (rev 1345)
@@ -121,7 +121,7 @@
protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
- protected final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
+ protected String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
/**
* The user can inject a fully qualified name of a {@link SAMLConfigurationProvider}
@@ -198,6 +198,11 @@
this.issuerID = issuerID;
}
+ public void setLogOutPage(String logOutPage)
+ {
+ this.logOutPage = logOutPage;
+ }
+
/**
* Perform validation os the request object
* @param request
12 years, 6 months
- 1
- 0
Picketlink SVN: r1344 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants and 2 other directories.
by picketlink-commits@lists.jboss.org
Author: mposolda
Date: 2012-01-19 04:55:50 -0500 (Thu, 19 Jan 2012)
New Revision: 1344
Added:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2InResponseToVerificationHandler.java
federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2InResponseToVerificationHandlerUnitTestCase.java
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/ErrorCodes.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-258 Handler for verification InResponseTo
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/ErrorCodes.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/ErrorCodes.java 2012-01-19 09:28:24 UTC (rev 1343)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/ErrorCodes.java 2012-01-19 09:55:50 UTC (rev 1344)
@@ -32,6 +32,8 @@
String AUTHENTICATOR_DOES_NOT_HANDLE_ENC = "PL00027: Authenticator does not handle encryption";
+ String AUTHN_REQUEST_ID_VERIFICATION_FAILED = "PL00104:Authn Request ID verification failed:";
+
String CLASS_NOT_LOADED = "PL00085: Class Not Loaded:";
String CANNOT_CREATE_INSTANCE = "PL00086: Cannot create instance of:";
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-01-19 09:28:24 UTC (rev 1343)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-01-19 09:55:50 UTC (rev 1344)
@@ -105,4 +105,6 @@
String USERNAME_FIELD = "JBID_USERNAME";
String PASS_FIELD = "JBID_PASSWORD";
+
+ String AUTH_REQUEST_ID = "AUTH_REQUEST_ID";
}
\ No newline at end of file
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2012-01-19 09:28:24 UTC (rev 1343)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2012-01-19 09:55:50 UTC (rev 1344)
@@ -363,6 +363,9 @@
response.setResultingDocument(samlRequest.convert(authn));
response.setSendRequest(true);
+
+ // Save AuthnRequest ID into sharedState, so that we can later process it by another handler
+ request.addOption(GeneralConstants.AUTH_REQUEST_ID, id);
}
catch (Exception e)
{
Added: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2InResponseToVerificationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2InResponseToVerificationHandler.java (rev 0)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2InResponseToVerificationHandler.java 2012-01-19 09:55:50 UTC (rev 1344)
@@ -0,0 +1,110 @@
+/*
+ * JBoss, a division of Red Hat
+ * Copyright 2012, Red Hat Middleware, LLC, and individual
+ * contributors as indicated by the @authors tag. See the
+ * copyright.txt in the distribution for a full listing of
+ * individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.picketlink.identity.federation.web.handlers.saml2;
+
+import org.apache.log4j.Logger;
+import org.picketlink.identity.federation.core.ErrorCodes;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+
+import javax.servlet.http.HttpSession;
+
+/**
+ * Handler is useful on SP side. It's used for verification that InResponseId from SAML Authentication Response is same
+ * as ID of previously sent SAML Authentication request
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class SAML2InResponseToVerificationHandler extends BaseSAML2Handler
+{
+ private static Logger log = Logger.getLogger(SAML2InResponseToVerificationHandler.class);
+
+ private final boolean trace = log.isTraceEnabled();
+
+ @Override
+ public void generateSAMLRequest(SAML2HandlerRequest request, SAML2HandlerResponse response)
+ throws ProcessingException
+ {
+ if (SAML2HandlerRequest.GENERATE_REQUEST_TYPE.AUTH != request.getTypeOfRequestToBeGenerated())
+ return;
+
+ if (getType() == HANDLER_TYPE.IDP)
+ return;
+
+ // Determine Id of of request, which is saved into session thanks to SAML2AuthenticationHandler
+ String authnRequestId = (String)request.getOptions().get(GeneralConstants.AUTH_REQUEST_ID);
+
+ // Save it into session for later use
+ HttpSession session = BaseSAML2Handler.getHttpSession(request);
+ session.setAttribute(GeneralConstants.AUTH_REQUEST_ID, authnRequestId);
+
+ if (trace)
+ {
+ log.trace("ID of authentication request " + authnRequestId + " saved into HTTP session.");
+ }
+ }
+
+ @Override
+ public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException
+ {
+ }
+
+ @Override
+ public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException
+ {
+ if (request.getSAML2Object() instanceof ResponseType == false)
+ return;
+
+ if (getType() == HANDLER_TYPE.IDP)
+ return;
+
+ // Obtain inResponseTo ID from Authentication response
+ ResponseType responseType = (ResponseType) request.getSAML2Object();
+ String inResponseTo = responseType.getInResponseTo();
+
+ // Obtain ID from session, which was saved before sending AuthnRequest
+ HttpSession session = BaseSAML2Handler.getHttpSession(request);
+ String authnRequestId = (String)session.getAttribute(GeneralConstants.AUTH_REQUEST_ID);
+
+ // Remove it from session now
+ session.removeAttribute(GeneralConstants.AUTH_REQUEST_ID);
+
+ // Compare both ID
+ if (inResponseTo != null && inResponseTo.equals(authnRequestId))
+ {
+ if (trace)
+ {
+ log.trace("Successful verification of InResponseTo for request " + inResponseTo);
+ }
+ }
+ else
+ {
+ log.error("Verification of InResponseTo failed. InResponseTo from SAML response is " + inResponseTo + ". Value of request Id from HTTP session is " + authnRequestId);
+ throw new ProcessingException(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED);
+ }
+ }
+}
Added: federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2InResponseToVerificationHandlerUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2InResponseToVerificationHandlerUnitTestCase.java (rev 0)
+++ federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2InResponseToVerificationHandlerUnitTestCase.java 2012-01-19 09:55:50 UTC (rev 1344)
@@ -0,0 +1,298 @@
+/*
+ * JBoss, a division of Red Hat
+ * Copyright 2012, Red Hat Middleware, LLC, and individual
+ * contributors as indicated by the @authors tag. See the
+ * copyright.txt in the distribution for a full listing of
+ * individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.picketlink.test.identity.federation.web.saml.handlers;
+
+import junit.framework.TestCase;
+import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
+import org.picketlink.identity.federation.core.ErrorCodes;
+import org.picketlink.identity.federation.core.config.IDPType;
+import org.picketlink.identity.federation.core.config.SPType;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
+import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
+import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
+import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
+import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerConfig;
+import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
+import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerConfig;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.identity.federation.web.core.HTTPContext;
+import org.picketlink.identity.federation.web.core.IdentityServer;
+import org.picketlink.identity.federation.web.handlers.saml2.BaseSAML2Handler;
+import org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler;
+import org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler;
+import org.picketlink.test.identity.federation.web.mock.MockHttpServletRequest;
+import org.picketlink.test.identity.federation.web.mock.MockHttpServletResponse;
+import org.picketlink.test.identity.federation.web.mock.MockHttpSession;
+import org.picketlink.test.identity.federation.web.mock.MockServletContext;
+import org.w3c.dom.Document;
+
+import javax.servlet.http.HttpSession;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Unit test the {@link org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler}
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class SAML2InResponseToVerificationHandlerUnitTestCase extends TestCase
+{
+
+ public void testResponseIdVerification() throws Exception
+ {
+ // 1) CONFIGURATION AND INITIALIZATION OF TEST
+
+ // Create handlers
+ SAML2AuthenticationHandler authenticationHandler = new SAML2AuthenticationHandler();
+ SAML2InResponseToVerificationHandler verificationHandler = new SAML2InResponseToVerificationHandler();
+
+ // Create configuration for handlers
+ SAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig();
+ SAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig();
+ handlerConfig.addParameter(GeneralConstants.NAMEID_FORMAT, JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
+ handlerConfig.addParameter(SAML2Handler.DISABLE_SENDING_ROLES, "true");
+
+ Map<String, Object> chainOptions = new HashMap<String, Object>();
+ SPType spType = new SPType();
+ chainOptions.put(GeneralConstants.CONFIGURATION, spType);
+ chainOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "true");
+ chainConfig.set(chainOptions);
+
+ // Initialize the handlers
+ authenticationHandler.initChainConfig(chainConfig);
+ authenticationHandler.initHandlerConfig(handlerConfig);
+ verificationHandler.initChainConfig(chainConfig);
+ verificationHandler.initHandlerConfig(handlerConfig);
+
+ // Create a Protocol Context
+ MockHttpSession session = new MockHttpSession();
+ MockServletContext servletContext = new MockServletContext();
+ MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, "POST");
+ MockHttpServletResponse servletResponse = new MockHttpServletResponse();
+ HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext);
+
+ // Create handler request and response
+ IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/sales/");
+ SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), null,
+ SAML2Handler.HANDLER_TYPE.SP);
+ request.setTypeOfRequestToBeGenerated(SAML2HandlerRequest.GENERATE_REQUEST_TYPE.AUTH);
+ SAML2HandlerResponse response = new DefaultSAML2HandlerResponse();
+
+
+
+ // 2) GENERATE SAML AUTHENTICATION REQUEST
+
+ // Generate SAML AuthnRequest with handlers
+ authenticationHandler.generateSAMLRequest(request, response);
+ verificationHandler.generateSAMLRequest(request, response);
+
+ // Parse document and verify that ID is saved in Http session
+ Document samlReqDoc = response.getResultingDocument();
+ SAMLParser parser = new SAMLParser();
+ AuthnRequestType authnRequest = (AuthnRequestType) parser.parse(DocumentUtil.getNodeAsStream(samlReqDoc));
+ assertEquals(authnRequest.getID(), servletRequest.getSession().getAttribute(GeneralConstants.AUTH_REQUEST_ID));
+
+
+
+ // 3) SEND SAML AUTHENTICATION REQUEST TO IDP
+
+ // Generate request and response for IDP
+ SAML2HandlerResponse handlerResponseFromIdp = sendRequestToIdp(authnRequest, samlReqDoc, httpContext, handlerConfig);
+
+ // Parse SAML response from IDP
+ Document doc2response = handlerResponseFromIdp.getResultingDocument();
+ assertNotNull(doc2response);
+ String responseString = DocumentUtil.asString(doc2response);
+
+
+ // 4) PROCESS SAML RESPONSE FROM IDP. VERIFICATION OF InResponseId SHOULD BE SUCCESSFUL
+
+ HandlerContext handlerContext = getHandlerRequestAndResponse(httpContext, issuerInfo, responseString);
+
+ // Assert that ID from session is not null
+ String inResponseIdFromSession = (String)servletRequest.getSession().getAttribute(GeneralConstants.AUTH_REQUEST_ID);
+ assertNotNull(inResponseIdFromSession);
+
+ // Handle response from IDP
+ authenticationHandler.handleStatusResponseType(handlerContext.request, handlerContext.response);
+ verificationHandler.handleStatusResponseType(handlerContext.request, handlerContext.response);
+
+ // Verify that Id is not in session anymore. Becaue it was removed by SAML2ResponseIdVerificationHandler
+ assertNull(servletRequest.getSession().getAttribute(GeneralConstants.AUTH_REQUEST_ID));
+
+
+
+ // 5) CHANGE InResponseId IN SAML RESPONSE. VALIDATION MUST FAIL NOW.
+
+ // Change InResponseId
+ String responseStringChangedId = responseString.replaceAll("InResponseTo=\"" + inResponseIdFromSession + "\"", "InResponseTo=\"ID_101dcb5e-f432-4f45-87cb-47daff92edef\"");
+ HandlerContext handlerContextChangedId = getHandlerRequestAndResponse(httpContext, issuerInfo, responseStringChangedId);
+
+ // Set Id to session again as it was removed in previous processing
+ servletRequest.getSession().setAttribute(GeneralConstants.AUTH_REQUEST_ID, inResponseIdFromSession);
+
+ // Handle response with changed Id. This time it should fail
+ try
+ {
+ authenticationHandler.handleStatusResponseType(handlerContextChangedId.request, handlerContextChangedId.response);
+ verificationHandler.handleStatusResponseType(handlerContextChangedId.request, handlerContextChangedId.response);
+
+ fail("Verification of InResponseTo should fail.");
+ }
+ catch (ProcessingException pe)
+ {
+ assertEquals(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED, pe.getMessage());
+ }
+
+
+ // 6) REMOVE InResponseId FROM SAML RESPONSE. VALIDATION MUST FAIL NOW.
+
+ // Remove inResponseId
+ String responseStringRemovedId = responseString.replaceAll("InResponseTo=\"" + inResponseIdFromSession + "\"", "");
+ HandlerContext handlerContextRemovedId = getHandlerRequestAndResponse(httpContext, issuerInfo, responseStringRemovedId);
+
+ // Set Id to session again as it was removed in previous processing
+ servletRequest.getSession().setAttribute(GeneralConstants.AUTH_REQUEST_ID, inResponseIdFromSession);
+
+ // Now handle again response from IDP. This time it should also fail as InResponseTo is null
+ try
+ {
+ authenticationHandler.handleStatusResponseType(handlerContextRemovedId.request, handlerContextRemovedId.response);
+ verificationHandler.handleStatusResponseType(handlerContextRemovedId.request, handlerContextRemovedId.response);
+
+ fail("Verification of InResponseTo should fail.");
+ }
+ catch (ProcessingException pe)
+ {
+ assertEquals(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED, pe.getMessage());
+ }
+ }
+
+ /**
+ * Sending SAML Request to IDP and receiving SAML response.
+ *
+ * @param authnRequest Generated SAML Request object
+ * @param samlReqDoc Document for generated SAML Request object
+ * @param httpContext httpContext
+ * @param handlerConfig handlerConfig
+ * @return SAML2HandlerResponse after receiving response from IDP
+ * @throws Exception
+ */
+ private SAML2HandlerResponse sendRequestToIdp(AuthnRequestType authnRequest, Document samlReqDoc,
+ HTTPContext httpContext, SAML2HandlerConfig handlerConfig) throws Exception
+ {
+ // Generate handler request and handler response for IDP
+ IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/idp/");
+ SAMLDocumentHolder docHolder = new SAMLDocumentHolder(authnRequest, samlReqDoc);
+ SAML2HandlerRequest idpHandlerRequest = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder,
+ SAML2Handler.HANDLER_TYPE.IDP);
+ idpHandlerRequest.addOption(GeneralConstants.ASSERTIONS_VALIDITY, 10000l);
+ SAML2HandlerResponse idpHandlerResponse = new DefaultSAML2HandlerResponse();
+
+ // Create chainConfig for IDP
+ Map<String, Object> chainOptionsIdp = new HashMap<String, Object>();
+ IDPType idpType = new IDPType();
+ chainOptionsIdp.put(GeneralConstants.CONFIGURATION, idpType);
+ chainOptionsIdp.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "true");
+ SAML2HandlerChainConfig chainConfigIdp = new DefaultSAML2HandlerChainConfig(chainOptionsIdp);
+
+ // Create and init handlers for IDP
+ SAML2AuthenticationHandler authenticationHandlerIdp = new SAML2AuthenticationHandler();
+ SAML2InResponseToVerificationHandler verificationHandlerIdp = new SAML2InResponseToVerificationHandler();
+ authenticationHandlerIdp.initChainConfig(chainConfigIdp);
+ authenticationHandlerIdp.initHandlerConfig(handlerConfig);
+ verificationHandlerIdp.initChainConfig(chainConfigIdp);
+ verificationHandlerIdp.initHandlerConfig(handlerConfig);
+
+ HttpSession session = BaseSAML2Handler.getHttpSession(idpHandlerRequest);
+ session.setAttribute(GeneralConstants.PRINCIPAL_ID, new Principal()
+ {
+ @Override
+ public String getName()
+ {
+ return "testPrincipal";
+ }
+ });
+
+ // Init Picketlink Core STS
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ sts.installDefaultConfiguration();
+
+ // Init identityServer
+ IdentityServer identityServer = new IdentityServer();
+ httpContext.getServletContext().setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer);
+
+ // Handle request by IDP
+ authenticationHandlerIdp.handleRequestType(idpHandlerRequest, idpHandlerResponse);
+ verificationHandlerIdp.handleRequestType(idpHandlerRequest, idpHandlerResponse);
+
+ return idpHandlerResponse;
+ }
+
+ private ResponseType getResponseTypeFromString(String responseString) throws Exception
+ {
+ InputStream is = new ByteArrayInputStream(responseString.getBytes());
+ SAML2Response saml2Response = new SAML2Response();
+ return saml2Response.getResponseType(is);
+ }
+
+ private HandlerContext getHandlerRequestAndResponse(HTTPContext httpContext, IssuerInfoHolder issuerInfo, String responseString) throws Exception
+ {
+ ResponseType responseType = getResponseTypeFromString(responseString);
+ SAML2Response saml2Response = new SAML2Response();
+ Document doc = saml2Response.convert(responseType);
+ SAMLDocumentHolder docHolder = new SAMLDocumentHolder(responseType, doc);
+
+ SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder, SAML2Handler.HANDLER_TYPE.SP);
+ SAML2HandlerResponse response = new DefaultSAML2HandlerResponse();
+ return new HandlerContext(request, response);
+ }
+
+ private class HandlerContext
+ {
+ private SAML2HandlerRequest request;
+ private SAML2HandlerResponse response;
+
+ private HandlerContext(SAML2HandlerRequest request, SAML2HandlerResponse response)
+ {
+ this.request = request;
+ this.response = response;
+ }
+ }
+
+}
12 years, 6 months
- 1
- 0
Picketlink SVN: r1343 - in federation/trunk/picketlink-bindings/src: test/java/org/picketlink/test/identity/federation/bindings/mock and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: mposolda
Date: 2012-01-19 04:28:24 -0500 (Thu, 19 Jan 2012)
New Revision: 1343
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaResponse.java
Log:
PLFED-255 method authenticate should return false when being redirected to Identity Provider
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2012-01-17 12:03:40 UTC (rev 1342)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2012-01-19 09:28:24 UTC (rev 1343)
@@ -193,6 +193,10 @@
requestProcessor.setSupportSignatures(supportSignatures);
boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
+ // If response is already commited, we need to stop with processing of HTTP request
+ if (response.isCommitted() || response.isAppCommitted())
+ return false;
+
if (result)
return result;
}
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-01-17 12:03:40 UTC (rev 1342)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-01-19 09:28:24 UTC (rev 1343)
@@ -185,6 +185,10 @@
this.serviceURL);
boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
+ // If response is already commited, we need to stop with processing of HTTP request
+ if (response.isCommitted() || response.isAppCommitted())
+ return false;
+
if (result)
return result;
}
Modified: federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaResponse.java
===================================================================
--- federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaResponse.java 2012-01-17 12:03:40 UTC (rev 1342)
+++ federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaResponse.java 2012-01-19 09:28:24 UTC (rev 1343)
@@ -29,6 +29,8 @@
import org.apache.catalina.connector.Response;
+import javax.servlet.http.HttpServletResponse;
+
/**
* Mock catalina response
* @author Anil.Saldhana(a)redhat.com
@@ -75,7 +77,14 @@
{
return false;
}
-
+
+ @Override
+ public boolean isAppCommitted()
+ {
+ boolean redirected = getStatus() == HttpServletResponse.SC_MOVED_TEMPORARILY;
+ return redirected;
+ }
+
public void setWriter(Writer w)
{
this.mywriter = (PrintWriter) w;
12 years, 6 months
- 1
- 0
Picketlink SVN: r1342 - federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2.
by picketlink-commits@lists.jboss.org
Author: mposolda
Date: 2012-01-17 07:03:40 -0500 (Tue, 17 Jan 2012)
New Revision: 1342
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-254 - Fix nonSerializable exception during cluster profile
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2012-01-11 18:16:30 UTC (rev 1341)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2012-01-17 12:03:40 UTC (rev 1342)
@@ -21,6 +21,7 @@
*/
package org.picketlink.identity.federation.web.handlers.saml2;
+import java.io.Serializable;
import java.io.StringWriter;
import java.security.Principal;
import java.security.PrivateKey;
@@ -518,13 +519,7 @@
response.setRoles(roles);
- Principal principal = new Principal()
- {
- public String getName()
- {
- return userName;
- }
- };
+ Principal principal = new SerializablePrincipal(userName);
if (handlerChainConfig.getParameter(GeneralConstants.ROLE_VALIDATOR_IGNORE) == null)
{
@@ -605,4 +600,21 @@
return roles;
}
}
+
+ private class SerializablePrincipal implements Principal, Serializable
+ {
+ private static final long serialVersionUID = 7701951188631723253L;
+
+ private String userName;
+
+ private SerializablePrincipal(String userName)
+ {
+ this.userName = userName;
+ }
+
+ public String getName()
+ {
+ return userName;
+ }
+ }
}
\ No newline at end of file
12 years, 6 months
- 1
- 0
Picketlink SVN: r1340 - in social/trunk: assembly and 9 other directories.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2012-01-10 18:57:36 -0500 (Tue, 10 Jan 2012)
New Revision: 1340
Modified:
social/trunk/assembly/pom.xml
social/trunk/facebook/pom.xml
social/trunk/openid/pom.xml
social/trunk/openid/src/main/java/org/picketlink/social/openid/api/OpenIDManager.java
social/trunk/parent/pom.xml
social/trunk/pom.xml
social/trunk/social/pom.xml
social/trunk/webapps/openid-consumer/pom.xml
social/trunk/webapps/openid-provider/pom.xml
social/trunk/webapps/picketlink-reg/pom.xml
social/trunk/webapps/pom.xml
Log:
post beta1
Modified: social/trunk/assembly/pom.xml
===================================================================
--- social/trunk/assembly/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/assembly/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -2,7 +2,7 @@
<parent>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-parent</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../parent</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
Modified: social/trunk/facebook/pom.xml
===================================================================
--- social/trunk/facebook/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/facebook/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -1,8 +1,8 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>org.picketlink</groupId>
- <artifactId>picketlink-fed-parent</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <artifactId>picketlink-social-parent</artifactId>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../parent</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
Modified: social/trunk/openid/pom.xml
===================================================================
--- social/trunk/openid/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/openid/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -1,8 +1,8 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>org.picketlink</groupId>
- <artifactId>picketlink-fed-parent</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <artifactId>picketlink-social-parent</artifactId>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../parent</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
@@ -106,6 +106,7 @@
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty</artifactId>
+ <version>6.1.18</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -139,9 +140,9 @@
<scope>test</scope>
</dependency>
<dependency>
- <groupId>commons-httpclient</groupId>
- <artifactId>commons-httpclient</artifactId>
- <version>3.1</version>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpclient</artifactId>
+ <version>4.1.2</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -153,6 +154,7 @@
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
+ <version>4.4</version>
<scope>test</scope>
</dependency>
</dependencies>
Modified: social/trunk/openid/src/main/java/org/picketlink/social/openid/api/OpenIDManager.java
===================================================================
--- social/trunk/openid/src/main/java/org/picketlink/social/openid/api/OpenIDManager.java 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/openid/src/main/java/org/picketlink/social/openid/api/OpenIDManager.java 2012-01-10 23:57:36 UTC (rev 1340)
@@ -82,18 +82,10 @@
public OpenIDManager(OpenIDRequest theReq)
{
this.request = theReq;
- try
- {
- consumerManager = new ConsumerManager();
- consumerManager.setAssociations(new InMemoryConsumerAssociationStore());
- consumerManager.setNonceVerifier(new InMemoryNonceVerifier(5000));
-
- userString = request.getURL();
- }
- catch(ConsumerException ce)
- {
- throw new RuntimeException(ce);
- }
+ consumerManager = new ConsumerManager();
+ consumerManager.setAssociations(new InMemoryConsumerAssociationStore());
+ consumerManager.setNonceVerifier(new InMemoryNonceVerifier(5000));
+ userString = request.getURL();
}
/**
@@ -430,4 +422,4 @@
return this.providers != null ? providers.size() : 0;
}
}
-}
\ No newline at end of file
+}
Modified: social/trunk/parent/pom.xml
===================================================================
--- social/trunk/parent/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/parent/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -8,7 +8,7 @@
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-parent</artifactId>
<packaging>pom</packaging>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<name>PicketLink Social - Parent</name>
<url>http://labs.jboss.org/portal/picketlink/</url>
<description>PicketLink Social Parent</description>
@@ -102,6 +102,29 @@
<artifactId>openid4java-nodeps</artifactId>
<version>0.9.6</version>
</dependency>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.4</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.mortbay.jetty</groupId>
+ <artifactId>jetty</artifactId>
+ <version>6.1.18</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.mortbay.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ <version>6.1.18</version>
+ <scope>test</scope>
+ </dependency>
+
+
</dependencies>
</dependencyManagement>
Modified: social/trunk/pom.xml
===================================================================
--- social/trunk/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -2,7 +2,7 @@
<parent>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-parent</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>parent</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
Modified: social/trunk/social/pom.xml
===================================================================
--- social/trunk/social/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/social/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -1,8 +1,8 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>org.picketlink</groupId>
- <artifactId>picketlink-fed-parent</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <artifactId>picketlink-social-parent</artifactId>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../parent</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
Modified: social/trunk/webapps/openid-consumer/pom.xml
===================================================================
--- social/trunk/webapps/openid-consumer/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/webapps/openid-consumer/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -2,7 +2,7 @@
<parent>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-webapps</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../</relativePath>
</parent>
Modified: social/trunk/webapps/openid-provider/pom.xml
===================================================================
--- social/trunk/webapps/openid-provider/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/webapps/openid-provider/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -2,7 +2,7 @@
<parent>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-webapps</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../</relativePath>
</parent>
Modified: social/trunk/webapps/picketlink-reg/pom.xml
===================================================================
--- social/trunk/webapps/picketlink-reg/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/webapps/picketlink-reg/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -2,7 +2,7 @@
<parent>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-webapps</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../</relativePath>
</parent>
Modified: social/trunk/webapps/pom.xml
===================================================================
--- social/trunk/webapps/pom.xml 2012-01-02 16:55:08 UTC (rev 1339)
+++ social/trunk/webapps/pom.xml 2012-01-10 23:57:36 UTC (rev 1340)
@@ -2,7 +2,7 @@
<parent>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-social-parent</artifactId>
- <version>2.0.0-SNAPSHOT</version>
+ <version>2.0.0.Beta1-SNAPSHOT</version>
<relativePath>../parent</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
12 years, 6 months
- 1
- 0
Picketlink SVN: r1338 - product.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2012-01-02 11:48:58 -0500 (Mon, 02 Jan 2012)
New Revision: 1338
Added:
product/branches/
Log:
branches for patches
12 years, 6 months
- 1
- 0