Author: bmozaffa(a)redhat.com
Date: 2010-06-11 15:59:18 -0400 (Fri, 11 Jun 2010)
New Revision: 299
Added:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
Log:
PLFED-88: Provided an OOTB attribute provider for the SAML20TokenProvider for a JBoss
server environment. This attribute provider looks at the currently authenticated JAAS
Subject and returns any available user roles in the form of a SAML token multi-valued
Attribute. The attribute name defaults to "role" but is configurable.
Added:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
(rev 0)
+++
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java 2010-06-11
19:59:18 UTC (rev 299)
@@ -0,0 +1,112 @@
+package org.picketlink.identity.federation.bindings.jboss.auth;
+
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.SecurityContextAssociation;
+import
org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenAttributeProvider;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+
+/**
+ * <p>
+ * An implementation of the SAML20TokenAttributeProvider for JBoss which looks at the
authenticated Subject
+ * and creates an Attribute containing the user's roles.
+ * </p>
+ *
+ * <h3>Configuration</h3>
+ * <pre>{@code
+ * <TokenProviders>
+ * <TokenProvider
ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
+ *
TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profi...
+ * TokenElement="Assertion"
+ * TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion">
+ * <Property Key="AttributeProvider"
Value="org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider"/>
+ * <Property
Key="org.picketlink.identity.federation.bindings.jboss.auth.SAML20TokenRoleAttributeProvider.tokenRoleAttributeName"
Value="role"/>
+ * </TokenProvider>
+ * </TokenProviders>
+ * }
+ * </pre>
+ *
+ * When configured, this attribute provider will be called by the {@code
SAML20TokenProvider} to return an {@code AttributeStatement}
+ * from the STS token and supply them for insertion into the JAAS Subject.
+ * This returns a multi-valued Attribute to be included in the Assertion, where each
value of the attribute is a JBoss user role.
+ * The name of this attribute defaults to {@code DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME} but
+ * may be set to any value through an optional property as shown above.
+ *
+ * @author <a href="mailto:Babak@redhat.com">Babak Mozaffari</a>
+ */
+public class SAML20TokenRoleAttributeProvider implements SAML20TokenAttributeProvider
+{
+ private static Logger logger =
Logger.getLogger(SAML20TokenRoleAttributeProvider.class);
+
+ /**
+ * The name of the principal in JBoss that is expected to include user roles
+ */
+ public static final String JBOSS_ROLE_PRINCIPAL_NAME = "Roles";
+
+ /**
+ * The default attribute name in the SAML Token that will carry the user's roles,
if not configured otherwise
+ */
+ public static final String DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME = "role";
+
+ /**
+ * The name of the attribute in the SAML Token that will carry the user's roles
+ */
+ private String tokenRoleAttributeName;
+
+ @Override
+ public void setProperties(Map<String, String> properties)
+ {
+ String roleAttrKey = this.getClass().getName() +
".tokenRoleAttributeName";
+ tokenRoleAttributeName = properties.get(roleAttrKey);
+ if( tokenRoleAttributeName == null )
+ {
+ tokenRoleAttributeName = DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME;
+ }
+ }
+
+ @Override
+ public AttributeStatementType getAttributeStatement()
+ {
+ Subject subject =
SecurityContextAssociation.getSecurityContext().getSubjectInfo().getAuthenticatedSubject();
+ if( subject == null )
+ {
+ if (logger.isDebugEnabled())
+ logger.debug("No authentication Subject found, cannot provide any user
roles!");
+ return null;
+ }
+ else
+ {
+ AttributeStatementType attributeStatement = new AttributeStatementType();
+ AttributeType rolesAttribute = new AttributeType();
+ rolesAttribute.setName(tokenRoleAttributeName);
+ attributeStatement.getAttributeOrEncryptedAttribute().add(rolesAttribute);
+
+ List<Object> roles = rolesAttribute.getAttributeValue();
+ for( Principal rolePrincipal : subject.getPrincipals() )
+ {
+ if( JBOSS_ROLE_PRINCIPAL_NAME.equalsIgnoreCase( rolePrincipal.getName() )
)
+ {
+ Group simpleGroup = (Group)rolePrincipal;
+ Enumeration<? extends Principal> members =
simpleGroup.members();
+ while( members.hasMoreElements() )
+ {
+ Principal role = (Principal)members.nextElement();
+ roles.add( role.getName() );
+ }
+ }
+ }
+ if (logger.isDebugEnabled())
+ logger.debug("Returning an AttributeStatement with a [" +
tokenRoleAttributeName + "] attribute containing: " +
rolesAttribute.getAttributeValue());
+ return attributeStatement;
+ }
+ }
+
+}
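Review bot: The cast `(Group)rolePrincipal` inside the `Roles` match in getAttributeStatement is unguarded, so a principal that merely carries that name without being a Group turns token issuance into a ClassCastException; make the match `if( JBOSS_ROLE_PRINCIPAL_NAME.equalsIgnoreCase( rolePrincipal.getName() ) && rolePrincipal instanceof Group )`. The chained `SecurityContextAssociation.getSecurityContext().getSubjectInfo().getAuthenticatedSubject()` is also not covered by the `subject == null` check that follows it: when no security context is associated with the calling thread the first call returns null and the NullPointerException fires before the debug message is ever reached, so split the chain into locals and null-check the context (and, presumably, the subject info) before dereferencing. Since `tokenRoleAttributeName` is assigned only in setProperties, an instance whose properties were never set emits an attribute with a null name; initialising the field as `private String tokenRoleAttributeName = DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME;` preserves the documented default in that case as well. getAttributeStatement has no Javadoc; it should state that it returns null when no authenticated Subject is available, since callers must handle that rather than assume a statement.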