From picketlink-commits at lists.jboss.org Wed Apr 13 01:08:25 2011 Content-Type: multipart/mixed; boundary="===============4801693421074719959==" MIME-Version: 1.0 From: picketlink-commits at lists.jboss.org To: picketlink-commits at lists.jboss.org Subject: [picketlink-commits] Picketlink SVN: r883 - federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/auth. Date: Wed, 13 Apr 2011 01:08:25 -0400 Message-ID: <201104130508.p3D58Pho017283@svn01.web.mwc.hst.phx2.redhat.com> --===============4801693421074719959== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: anil.saldhana(a)jboss.com Date: 2011-04-13 01:08:24 -0400 (Wed, 13 Apr 2011) New Revision: 883 Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identi= ty/federation/core/wstrust/auth/AbstractSTSLoginModule.java Log: add option to inject CallerPrincipal group Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink= /identity/federation/core/wstrust/auth/AbstractSTSLoginModule.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/ident= ity/federation/core/wstrust/auth/AbstractSTSLoginModule.java 2011-04-13 05:= 07:51 UTC (rev 882) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/ident= ity/federation/core/wstrust/auth/AbstractSTSLoginModule.java 2011-04-13 05:= 08:24 UTC (rev 883) @@ -22,7 +22,9 @@ = import java.io.IOException; import java.security.Principal; +import java.security.acl.Group; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Set; = @@ -154,12 +156,15 @@ *

jboss.security.security_domain: name of the security domain where t= his login module is configured. This is only required * if the cache.invalidation option is configured.

* = + *

inject.callerprincipal: set it to true if you want to add a group pr= incipal called "CallerPrincipal" with the roles + * from the assertion, into the subject

+ * = * @author Daniel Bevenius * @author Anil.Saldhana(a)redhat.com */ public abstract class AbstractSTSLoginModule implements LoginModule { - private Logger log =3D Logger.getLogger(AbstractSTSLoginModule.class); + private final Logger log =3D Logger.getLogger(AbstractSTSLoginModule.cl= ass); = /** * Key used in share state map when LMs are stacked. = @@ -181,7 +186,7 @@ * file for WSTrustClient. = */ public static final String STS_CONFIG_FILE =3D "configFile"; - = + /** * Historically, JBoss has used the "Roles" as the group principal name= in the subject * to represent the subject roles. Users can customize this name with t= his option. @@ -232,14 +237,20 @@ * Indicates whether the 'useOptionsCredentials' was configured. */ protected boolean useOptionsCredentials; - = + /** * Name of the group principal. If unconfigured, will be "null" */ - protected String groupPrincipalName =3D null; = - = + protected String groupPrincipalName =3D null; + protected boolean enableCacheInvalidation =3D false; - = + + /** + * Should a separate Group Principal called "CallerPrincipal" be inject= ed into subject + * with the roles from the assertion? + */ + protected boolean injectCallerPrincipalGroup =3D false; + protected String securityDomain =3D null; = /** 
@@ -273,19 +284,25 @@ final Boolean useOptionsCreds =3D Boolean.valueOf((String) options.g= et(OPTIONS_CREDENTIALS)); if (useOptionsCreds !=3D null) useOptionsCredentials =3D useOptionsCreds.booleanValue(); - = - final String gpPrincipalName =3D (String) options.get( GROUP_PRINCIP= AL_NAME ); - if( gpPrincipalName !=3D null && gpPrincipalName.length() > 0 ) + + final String gpPrincipalName =3D (String) options.get(GROUP_PRINCIPA= L_NAME); + if (gpPrincipalName !=3D null && gpPrincipalName.length() > 0) groupPrincipalName =3D gpPrincipalName; - = - String cacheInvalidation =3D (String) options.get( "cache.invalidati= on" ); - if( cacheInvalidation !=3D null && !cacheInvalidation.isEmpty() ) + + String cacheInvalidation =3D (String) options.get("cache.invalidatio= n"); + if (cacheInvalidation !=3D null && !cacheInvalidation.isEmpty()) { - enableCacheInvalidation =3D Boolean.parseBoolean( cacheInvalidati= on ); - securityDomain =3D (String) options.get( SecurityConstants.SECURI= TY_DOMAIN_OPTION ); - if( securityDomain =3D=3D null || securityDomain.isEmpty() ) - throw new RuntimeException( "Please configure option:" + Secur= ityConstants.SECURITY_DOMAIN_OPTION ); + enableCacheInvalidation =3D Boolean.parseBoolean(cacheInvalidatio= n); + securityDomain =3D (String) options.get(SecurityConstants.SECURIT= Y_DOMAIN_OPTION); + if (securityDomain =3D=3D null || securityDomain.isEmpty()) + throw new RuntimeException("Please configure option:" + Securi= tyConstants.SECURITY_DOMAIN_OPTION); } + + String callerPrincipalGroup =3D (String) options.get("inject.callerp= rincipal"); + if (callerPrincipalGroup !=3D null && !callerPrincipalGroup.isEmpty(= )) + { + this.injectCallerPrincipalGroup =3D Boolean.parseBoolean(callerPr= incipalGroup); + } } = /** 
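Review bot: The new option key `"inject.callerprincipal"` is a bare string literal here, while the sibling options this method reads (`OPTIONS_CREDENTIALS`, `GROUP_PRINCIPAL_NAME`, `SecurityConstants.SECURITY_DOMAIN_OPTION`) are constants, so the key exists only as prose in the class Javadoc and nothing ties the two together; declare `public static final String INJECT_CALLER_PRINCIPAL = "inject.callerprincipal";` next to `STS_CONFIG_FILE` and reference it in both places. The local `callerPrincipalGroup` holds the option's string value rather than a group, so a name such as `injectCallerPrincipalOption` would read more honestly. The `this.` qualifier on `injectCallerPrincipalGroup` is also inconsistent with the unqualified assignments to `groupPrincipalName` and `enableCacheInvalidation` just above it. The enclosing method (presumably the login module's initialize) begins before this hunk; its closing brace is the last code line shown.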
@@ -398,10 +415,11 @@ } } = - @SuppressWarnings({"rawtypes", "unchecked"}) + @SuppressWarnings( + {"rawtypes", "unchecked"}) private void setPasswordStackingCredentials(final Builder builder) { - final Map sharedState =3D (Map) this.sharedState; + final Map sharedState =3D this.sharedState; sharedState.put("javax.security.auth.login.name", builder.getUsernam= e()); sharedState.put("javax.security.auth.login.password", builder.getPas= sword()); } @@ -485,7 +503,8 @@ this.samlToken =3D samlToken; } = - @SuppressWarnings({"unchecked", "rawtypes"}) + @SuppressWarnings( + {"unchecked", "rawtypes"}) protected void setSharedToken(final Object token) { if (sharedState =3D=3D null) @@ -497,7 +516,7 @@ * without bypassing generics. = */ // Cast the shartState to a raw map - final Map state =3D (Map) sharedState; + final Map state =3D sharedState; // Put the Token into the shared state map state.put(SHARED_TOKEN, token); } 
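Review bot: Splitting `@SuppressWarnings(` and its `{"rawtypes", "unchecked"}` argument across two lines, here and again in the `setSharedToken` hunk below, reads like a formatter artefact rather than a deliberate layout and makes the annotation harder to scan than the single-line form it replaces; keep `@SuppressWarnings({"rawtypes", "unchecked"})` on one line. Dropping the redundant `(Map)` cast on `this.sharedState` looks fine, assuming the field is declared as some `Map` type (its declaration is outside this hunk), since the raw `Map` local still carries the unchecked `put` calls the suppression exists for.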
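Review bot: The comment `// Cast the shartState to a raw map` now describes code that no longer exists, because the line under it became `final Map state = sharedState;` with no cast; either drop it or reword it to `// Hold the shared state as a raw Map so any token type can be stored` (which also fixes the `shartState` typo). The sentence ending `without bypassing generics.` in the block comment at the top of the hunk should be re-read for the same staleness, since it was written to justify the cast. setSharedToken's signature and the null check on `sharedState` lie above this hunk.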
@@ -593,33 +612,35 @@ Map contextMap =3D new HashMap(); contextMap.put(SHARED_TOKEN, this.samlToken); = + AssertionType assertion =3D null; + try + { + assertion =3D SAMLUtil.fromElement(samlToken); + } + catch (Exception e) + { + throw new RuntimeException(e); + } + if (principalMappingContext !=3D null) { principalMappingContext.performMapping(contextMap, null); Principal principal =3D principalMappingContext.getMappingResult(= ).getMappedObject(); subject.getPrincipals().add(principal); - = + //If the user has configured cache invalidation of subject based = on saml token expiry - if( enableCacheInvalidation ) + if (enableCacheInvalidation) { TimeCacheExpiry cacheExpiry =3D JBossAuthCacheInvalidationFact= ory.getCacheExpiry(); - AssertionType assertion =3D null; - try + + XMLGregorianCalendar expiry =3D AssertionUtil.getExpiration(as= sertion); + if (expiry !=3D null) { - assertion =3D SAMLUtil.fromElement( samlToken ); + cacheExpiry.register(securityDomain, expiry.toGregorianCale= ndar().getTime(), principal); } - catch ( Exception e) - { - throw new RuntimeException( e ); - } = - XMLGregorianCalendar expiry =3D AssertionUtil.getExpiration( a= ssertion ); - if( expiry !=3D null ) - { - cacheExpiry.register( securityDomain, expiry.toGregorianCal= endar().getTime() , principal ); - } = else { - log.warn( "SAML Assertion has been found to have no expirat= ion: ID =3D " + assertion.getID() ); + log.warn("SAML Assertion has been found to have no expirati= on: ID =3D " + assertion.getID()); } } } 
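Review bot: `SAMLUtil.fromElement(samlToken)` now runs on every login rather than only when `enableCacheInvalidation` is set, so a deployment that uses neither cache invalidation nor the new caller-principal option gains a failure mode it did not have before: any token that `fromElement` cannot turn into an `AssertionType` (or a null `samlToken`, if that can reach this point) now aborts with a `RuntimeException` where the old code never looked at it. Gate the parse on `if (enableCacheInvalidation || injectCallerPrincipalGroup)` while keeping `AssertionType assertion = null;` declared before it, so the `injectCallerPrincipalGroup` block in the next hunk can still read it, and since the catch is a checked-to-unchecked wrapper anyway give it a message: `throw new RuntimeException("Could not parse SAML assertion", e);`. The warning branch still dereferences `assertion.getID()`, which is safe only because the parse throws instead of leaving `assertion` null; that dependency is worth a one-line comment. The enclosing method starts before this hunk.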
@@ -628,24 +649,35 @@ { roleMappingContext.performMapping(contextMap, null); RoleGroup group =3D roleMappingContext.getMappingResult().getMapp= edObject(); - = + SimpleGroup rolePrincipal =3D null; - = - if( groupPrincipalName !=3D null ) + + if (groupPrincipalName !=3D null) { - rolePrincipal =3D new SimpleGroup( groupPrincipalName ); + rolePrincipal =3D new SimpleGroup(groupPrincipalName); } else { - rolePrincipal=3D new SimpleGroup( group.getRoleName() ); = + rolePrincipal =3D new SimpleGroup(group.getRoleName()); } - = + for (Role role : group.getRoles()) { rolePrincipal.addMember(new SimplePrincipal(role.getRoleName()= )); } subject.getPrincipals().add(rolePrincipal); } + + if (injectCallerPrincipalGroup) + { + Group callerPrincipal =3D new SimpleGroup("CallerPrincipal"); + List roles =3D AssertionUtil.getRoles(assertion, null); + for (String role : roles) + { + callerPrincipal.addMember(new SimplePrincipal(role)); + } + subject.getPrincipals().add(callerPrincipal); + } } = protected MappingManager getMappingManager() --===============4801693421074719959==--
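Review bot: The literal `"CallerPrincipal"` is a group name with reserved meaning in the JBoss security layer this module runs in — if the `SecurityConstants` already used in this class is PicketBox's, it exposes the same string as `SecurityConstants.CALLER_PRINCIPAL_GROUP`, and by convention the container reports the member of that group to applications as the caller identity — so filling it with one `SimplePrincipal` per role risks a role name being reported as the caller, and with several roles nothing in this hunk defines which one wins. If the intent is to publish the assertion's roles, the `rolePrincipal` group above already does that (and through `roleMappingContext`, which this block bypasses by reading the raw assertion); if the intent is to set the caller identity, the single member should be the mapped `principal` from the previous hunk, and the field Javadoc should say which of the two is meant. Independently, `AssertionUtil.getRoles(assertion, null)` is assigned to a raw `List` and iterated with no null check; use `List<String> roles = AssertionUtil.getRoles(assertion, null);` and guard with `if (roles != null)` unless that helper is documented never to return null. The enclosing method starts before this hunk.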