Picketlink SVN: r1574 - in product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation: bindings/tomcat/sp and 4 other directories.
10:08 a.m.
Author: dehort
Date: 2012-08-17 11:08:14 -0400 (Fri, 17 Aug 2012)
New Revision: 1574
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
Log:
Backport PLFED-271 to EAP 5.1.2
[JBPAPP-9710]
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2012-08-17
14:22:19 UTC (rev 1573)
+++
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2012-08-17
15:08:14 UTC (rev 1574)
@@ -181,6 +181,13 @@
* A Lock for Handler operations in the chain
*/
private final Lock chainLock = new ReentrantLock();
+
+ /**
+ * SAML Web Browser SSO Profile has a requirement that the IDP does not respond
+ * back in Redirect Binding. Set this to true if you want the IDP to adhere to
+ * this requirement via
+ */
+ private boolean strictPostBinding = false;
//Set a list of attributes we are interested in separated by comma
public void setAttributeList(String attribList)
@@ -209,6 +216,11 @@
}
}
+ public void setStrictPostBinding(Boolean strictPostBinding)
+ {
+ this.strictPostBinding = strictPostBinding;
+ }
+
public Boolean getIgnoreIncomingSignatures()
{
return ignoreIncomingSignatures;
@@ -338,10 +350,10 @@
if (this.signOutgoingMessages)
{
holder.setSupportSignature(true).setPrivateKey(keyManager.getSigningKey());
- webRequestUtil.send(holder);
- //webRequestUtil.send(samlErrorResponse, referer, relayState, response,
true,
- //this.keyManager.getSigningKey(), false);
}
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (GeneralSecurityException e)
@@ -627,6 +639,9 @@
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState)
.setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false)
.setServletResponse(response);
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
if (requestedPostProfile != null)
holder.setPostBindingRequested(requestedPostProfile);
@@ -638,6 +653,8 @@
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e)
@@ -790,6 +807,9 @@
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e)
@@ -872,6 +892,9 @@
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e1)
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-08-17
14:22:19 UTC (rev 1573)
+++
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-08-17
15:08:14 UTC (rev 1574)
@@ -80,6 +80,22 @@
protected static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);
protected boolean jbossEnv = false;
+
+ /**
+ * The SAML Web Browser SSO Profile says that the IDP cannot send
+ * response back in Redirect Binding. The user should use this
+ * parameter to adhere to that requirement.
+ */
+ protected boolean idpPostBinding = false;
+
+ /**
+ * Set the Authenticator to expect a post response from IDP
+ * @param idpPostBinding
+ */
+ public void setIdpPostBinding(Boolean idpPostBinding)
+ {
+ this.idpPostBinding = idpPostBinding;
+ }
public SPRedirectFormAuthenticator()
{
@@ -233,6 +249,8 @@
{
ServiceProviderSAMLResponseProcessor responseProcessor = new
ServiceProviderSAMLResponseProcessor(false,
serviceURL);
+ if(idpPostBinding)
+ responseProcessor.setIdpPostBinding(true);
initializeSAMLProcessor(responseProcessor);
SAML2HandlerResponse saml2HandlerResponse = null;
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
---
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-08-17
14:22:19 UTC (rev 1573)
+++
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-08-17
15:08:14 UTC (rev 1574)
@@ -90,6 +90,8 @@
String SAML_RESPONSE_KEY = "SAMLResponse";
+ String SAML_IDP_STRICT_POST_BINDING = "SAML_IDP_STRICT_POST_BINDING";
+
String DECRYPTING_KEY = "DECRYPTING_KEY";
String SENDER_PUBLIC_KEY = "SENDER_PUBLIC_KEY";
@@ -101,4 +103,4 @@
String USERNAME_FIELD = "JBID_USERNAME";
String PASS_FIELD = "JBID_PASSWORD";
-}
\ No newline at end of file
+}
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
===================================================================
---
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2012-08-17
14:22:19 UTC (rev 1573)
+++
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2012-08-17
15:08:14 UTC (rev 1574)
@@ -67,6 +67,13 @@
public class ServiceProviderSAMLResponseProcessor extends ServiceProviderBaseProcessor
{
private boolean validateSignature = false;
+
+ private boolean idpPostBinding = false;
+
+ public void setIdpPostBinding(boolean idpPostBinding)
+ {
+ this.idpPostBinding = idpPostBinding;
+ }
/**
* Construct
@@ -106,24 +113,22 @@
SAMLDocumentHolder documentHolder = null;
SAML2Object samlObject = null;
- if (this.postBinding)
- {
- //we got a logout request
+ InputStream dataStream = null;
+
+ if (this.postBinding || idpPostBinding )
+ {
//deal with SAML response from IDP
- InputStream is = PostBindingUtil.base64DecodeAsStream(samlResponse);
-
- samlObject = saml2Response.getSAML2ObjectFromStream(is);
- documentHolder = saml2Response.getSamlDocumentHolder();
+ dataStream = PostBindingUtil.base64DecodeAsStream(samlResponse);
}
else
{
//deal with SAML response from IDP
- InputStream base64DecodedResponse =
RedirectBindingUtil.base64DeflateDecode(samlResponse);
-
- samlObject = saml2Response.getSAML2ObjectFromStream(base64DecodedResponse);
- documentHolder = saml2Response.getSamlDocumentHolder();
+ dataStream = RedirectBindingUtil.base64DeflateDecode(samlResponse);
}
+ samlObject = saml2Response.getSAML2ObjectFromStream(dataStream);
+ documentHolder = saml2Response.getSamlDocumentHolder();
+
if (this.validateSignature)
try
{
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
===================================================================
---
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2012-08-17
14:22:19 UTC (rev 1573)
+++
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2012-08-17
15:08:14 UTC (rev 1574)
@@ -130,7 +130,22 @@
protected transient ServletContext context = null;
protected transient SAML2HandlerChain chain = null;
+
+ //Cater to SAML Web Browser SSO Profile demand that we do not reply in Redirect
Binding
+ private boolean strictPostBinding = false;
+
+ public boolean isStrictPostBinding()
+ {
+ return strictPostBinding;
+ }
+
+ public void setStrictPostBinding(boolean strictPostBinding)
+ {
+ this.strictPostBinding = strictPostBinding;
+ }
+
+
/**
* If the user wants to set a particular {@link IdentityParticipantStack}
*/
@@ -163,6 +178,13 @@
throw new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION, e);
}
}
+
+ String strictPostBindingStr =
config.getInitParameter(GeneralConstants.SAML_IDP_STRICT_POST_BINDING);
+ if(StringUtil.isNotNull(strictPostBindingStr))
+ {
+ strictPostBinding = Boolean.parseBoolean(strictPostBindingStr);
+ }
+
context = config.getServletContext();
if (idpConfiguration == null)
@@ -572,12 +594,10 @@
if (this.signOutgoingMessages)
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
- /*webRequestUtil.send(samlResponse, destination,relayState, response,
true,
- this.keyManager.getSigningKey(), willSendRequest);*/
}
- /*
- else
- webRequestUtil.send(samlResponse, destination, relayState, response,
false,null, willSendRequest);*/
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(strictPostBinding);
webRequestUtil.send(holder);
}
catch (ParsingException e)
@@ -614,12 +634,10 @@
if (this.signOutgoingMessages)
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
- /*webRequestUtil.send(samlResponse, referrer, relayState, response, true,
- this.keyManager.getSigningKey(), false);*/
}
- /* else
- webRequestUtil.send(samlResponse, referrer, relayState, response,
false,null, false);*/
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e1)
Modified:
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
===================================================================
---
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2012-08-17
14:22:19 UTC (rev 1573)
+++
product/branches/2.0.2_JBPAPP-9710/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2012-08-17
15:08:14 UTC (rev 1574)
@@ -81,6 +81,7 @@
private final TrustKeyManager keyManager;
+
protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager
keym)
@@ -232,7 +233,7 @@
boolean sendRequest = holder.isAreWeSendingRequest();
HttpServletResponse response = holder.getServletResponse();
- if (holder.isPostBindingRequested() == false)
+ if (holder.isPostBindingRequested() == false &&
!holder.isStrictPostBinding())
{
byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
@@ -432,7 +433,20 @@
private boolean postBindingRequested;
private boolean areWeSendingRequest;
+
+ //Cater to SAML Web Browser SSO Profile demand that we do not reply in Redirect
Binding
+ private boolean strictPostBinding = false;
+
+ public boolean isStrictPostBinding()
+ {
+ return strictPostBinding;
+ }
+ public void setStrictPostBinding(boolean strictPostBinding)
+ {
+ this.strictPostBinding = strictPostBinding;
+ }
+
public Document getResponseDoc()
{
return responseDoc;
4509
days inactive
4509
days old
picketlink-commits@lists.jboss.org
0 comments
1 participants
participants (1)
-
picketlink-commits@lists.jboss.org