Author: anil.saldhana(a)jboss.com
Date: 2011-06-13 18:38:24 -0400 (Mon, 13 Jun 2011)
New Revision: 998
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java
Log:
Make seeking roles from the SAML assertion flexible
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java 2011-06-13
22:37:39 UTC (rev 997)
+++
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java 2011-06-13
22:38:24 UTC (rev 998)
@@ -51,7 +51,9 @@
import org.jboss.security.plugins.JaasSecurityDomain;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkGroup;
import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkPrincipal;
+import org.picketlink.identity.federation.core.constants.AttributeConstants;
import org.picketlink.identity.federation.core.constants.PicketLinkFederationConstants;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import
org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
import
org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory.TimeCacheExpiry;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
@@ -85,7 +87,7 @@
* <ul>jboss.security.security_domain: name of the security domain where this
login module is configured. This is only required
* if the cache.invalidation option is configured.
* </ul>
- * <ul>groupPrincipalName: if you do not want the Roles in the subject to be
"Roles", then set it to a different value</ul>
+ * <ul>roleKey: a comma separated list of strings that define the attributes in
SAML assertion for user roles</ul>
* <ul>localValidation: if you want to validate the assertion locally for
signature and expiry</ul>
* </li>
* </p>
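Review bot: The rewritten option list silently drops `groupPrincipalName` without telling deployers the option no longer exists, and the hunks at @@ -134 and @@ -214 remove the protected `groupName` field and stop reading the option, so existing login-module configurations that set it keep working only in appearance, with the group name now fixed to `SecurityConstants.ROLES_IDENTIFIER`. Subclasses that referenced the protected `groupName` field will also fail to compile, which the commit does not mention. At minimum the Javadoc should say so, e.g. `* <ul>groupPrincipalName: no longer supported; the roles group is always named SecurityConstants.ROLES_IDENTIFIER</ul>`, and the option parsing at @@ -214 could emit a warning when the stale key is present, e.g. `if (options.containsKey("groupPrincipalName")) log.warn("Option groupPrincipalName is no longer supported and will be ignored");`. The roleKey line would also read better if it named the default, `* <ul>roleKey: comma-separated list of SAML attribute names that carry user roles (default: Role)</ul>`.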
@@ -134,12 +136,12 @@
protected String securityDomain = null;
- protected String groupName = SecurityConstants.ROLES_IDENTIFIER;
-
protected boolean localValidation = false;
protected String localValidationSecurityDomain;
+ protected String roleKey = AttributeConstants.ROLE_IDENTIFIER_ASSERTION;
+
/**
* Options that are computed by this login module.
* Few options are removed and the rest are set in the dispatch sts call
@@ -214,10 +216,10 @@
throw new RuntimeException("Please configure option:" +
SecurityConstants.SECURITY_DOMAIN_OPTION);
}
- String groupNameStr = (String) options.get("groupPrincipalName");
- if (StringUtil.isNotNull(groupNameStr))
+ String roleKeyStr = (String) options.get("roleKey");
+ if (StringUtil.isNotNull(roleKeyStr))
{
- groupName = groupNameStr.trim();
+ roleKey = roleKeyStr.trim();
}
String localValidationStr = (String) options.get("localValidation");
@@ -423,10 +425,21 @@
throw le;
}
}
+ if (trace)
+ {
+ try
+ {
+ log.trace("Assertion from where roles will be sought=" +
AssertionUtil.asString(assertion));
+ }
+ catch (ProcessingException ignore)
+ {
+ }
+ }
List<String> roleKeys = new ArrayList<String>();
- roleKeys.add("Role");
+ roleKeys.addAll(StringUtil.tokenize(roleKey));
+ String groupName = SecurityConstants.ROLES_IDENTIFIER;
Group rolesGroup = new PicketLinkGroup(groupName);
List<String> roles = AssertionUtil.getRoles(assertion, roleKeys);
for (String role : roles)
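Review bot: The new `catch (ProcessingException ignore) {}` in the trace block swallows the failure with no record at all, which hides the fact that the assertion could not be serialized; since the block is already guarded by `trace`, it costs nothing to log it, e.g. `log.trace("Could not serialize assertion for trace output", ignore);`. Note also that `AssertionUtil.asString(assertion)` writes the whole assertion, including every attribute value it carries, to the log whenever trace is enabled, so a comment should make that explicit for operators, e.g. `// NOTE: dumps the full assertion (all attributes) — enable trace only in non-production environments`. If `StringUtil.tokenize` returns an empty list for a blank `roleKey` (it is trimmed at @@ -214 but not checked for emptiness), `roleKeys` is empty and no roles are resolved with no diagnostic; a guard such as `if (roleKeys.isEmpty()) log.warn("roleKey option yielded no attribute names; no roles will be resolved");` would make that misconfiguration visible. The enclosing method starts and ends outside this hunk.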
Modified:
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java 2011-06-13
22:37:39 UTC (rev 997)
+++
federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java 2011-06-13
22:38:24 UTC (rev 998)
@@ -79,6 +79,7 @@
options.put("localValidation", "true");
options.put("localValidationSecurityDomain", "someSD");
options.put("localTestingOnly", "true");
+ options.put("roleKey", "Role,SomeAttrib");
AppConfigurationEntry a2 = new
AppConfigurationEntry(SAML2STSLoginModule.class.getName(),
LoginModuleControlFlag.REQUIRED, options);
@@ -101,6 +102,8 @@
roles.add("test1");
roles.add("test2");
assertion.addStatement(StatementUtil.createAttributeStatement(roles));
+
assertion.addStatement(StatementUtil.createAttributeStatement("SomeAttrib",
"testX"));
+
try
{
SamlCredential cred = new SamlCredential(AssertionUtil.asString(assertion));
@@ -129,6 +132,6 @@
Group gp = groups.iterator().next();
assertTrue(gp.isMember(new SimplePrincipal("test1")));
assertTrue(gp.isMember(new SimplePrincipal("test2")));
+ assertTrue(gp.isMember(new SimplePrincipal("testX")));
}
-
}
\ No newline at end of file
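Review bot: The new assertion only checks the positive path — that a value from the configured `SomeAttrib` attribute becomes a role — and nothing verifies that an attribute outside `roleKey` is not turned into a role, which is the property the new option is supposed to enforce. Adding a non-role attribute in the @@ -101 hunk, `assertion.addStatement(StatementUtil.createAttributeStatement("Other", "notARole"));`, and asserting here `assertFalse(gp.isMember(new SimplePrincipal("notARole")));` would pin that boundary. It would also be worth a separate test that omits the `roleKey` option entirely to confirm the `Role` default still resolves `test1` and `test2`.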
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java 2011-06-13
22:37:39 UTC (rev 997)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java 2011-06-13
22:38:24 UTC (rev 998)
@@ -29,4 +29,7 @@
public interface AttributeConstants
{
String ROLES = "roles";
+
+ /** Default identifier in the saml2 attribute statements to indicate role **/
+ String ROLE_IDENTIFIER_ASSERTION = "Role";
}
\ No newline at end of file
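Review bot: The added Javadoc closes with `**/` instead of `*/`, which is a style slip (it parses, but the trailing asterisk ends up in the rendered comment text), and it does not say where the constant is used. Suggested wording: `/** Default SAML 2.0 attribute name that carries user roles; used as the default value of the SAML2STSLoginModule "roleKey" option. */`.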