Author: anil.saldhana(a)jboss.com
Date: 2011-03-15 18:31:14 -0400 (Tue, 15 Mar 2011)
New Revision: 820
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2LoginModule.java
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java
Log:
PLFED-163: customize group principal name
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2LoginModule.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2LoginModule.java 2011-03-15
22:29:20 UTC (rev 819)
+++
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2LoginModule.java 2011-03-15
22:31:14 UTC (rev 820)
@@ -24,13 +24,17 @@
import java.security.Principal;
import java.security.acl.Group;
import java.util.List;
+import java.util.Map;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
-import
org.picketlink.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
+import
org.picketlink.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
+import org.picketlink.identity.federation.core.util.StringUtil;
/**
* Login Module that is capable of dealing with SAML2 cases
@@ -48,27 +52,47 @@
* @since Feb 13, 2009
*/
public class SAML2LoginModule extends UsernamePasswordLoginModule
-{
+{
+
+ protected String groupName = "Roles";
+
+ /*
+ * (non-Javadoc)
+ * @see
org.jboss.security.auth.spi.AbstractServerLoginModule#initialize(javax.security.auth.Subject,
javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)
+ */
@Override
+ public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState,
+ Map<String, ?> options)
+ {
+ super.initialize(subject, callbackHandler, sharedState, options);
+ String groupNameStr = (String) options.get("groupPrincipalName");
+ if (StringUtil.isNotNull(groupNameStr))
+ {
+ groupName = groupNameStr.trim();
+ }
+ }
+
+ @Override
protected Principal getIdentity()
- {
+ {
return new SimplePrincipal(ServiceProviderSAMLContext.getUserName());
}
@Override
protected Group[] getRoleSets() throws LoginException
{
- Group group = new SimpleGroup("Roles");
-
+ Group group = new SimpleGroup(groupName);
+
List<String> roles = ServiceProviderSAMLContext.getRoles();
- if(roles != null)
+ if (roles != null)
{
- for(String role: roles)
+ for (String role : roles)
{
group.addMember(new SimplePrincipal(role));
}
}
- return new Group[] {group};
+ return new Group[]
+ {group};
}
@Override
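Review bot: SAML2LoginModule gains the `groupPrincipalName` option in initialize() but no documentation of it: the class Javadoc body lies between this file's two hunks and is untouched by the commit, and the new method carries only a non-Javadoc pointer to the overridden method. Add a sentence to the class Javadoc such as `groupPrincipalName: name of the Group that holds the roles in the Subject; defaults to "Roles"`, mirroring the line this commit adds to SAML2STSLoginModule. The cast `(String) options.get("groupPrincipalName")` also throws ClassCastException for a non-String option value; `Object raw = options.get("groupPrincipalName");` followed by `String groupNameStr = raw == null ? null : raw.toString();` tolerates it, and the same applies to the initialize() hunk of SAML2STSLoginModule. Whether `StringUtil.isNotNull` rejects a blank string is not visible here; if it does not, `groupName` can end up as "" after trim(), so an explicit `groupNameStr.trim().isEmpty()` check would make the fallback to "Roles" unambiguous.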
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java 2011-03-15
22:29:20 UTC (rev 819)
+++
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java 2011-03-15
22:31:14 UTC (rev 820)
@@ -44,19 +44,20 @@
import
org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
import
org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory.TimeCacheExpiry;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
+import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.wstrust.STSClient;
+import org.picketlink.identity.federation.core.wstrust.STSClientConfig.Builder;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
-import org.picketlink.identity.federation.core.wstrust.STSClientConfig.Builder;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
+import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.BaseIDAbstractType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.NameIDType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.StatementAbstractType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType;
-import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.w3c.dom.Element;
/**
@@ -76,6 +77,7 @@
* <ul>jboss.security.security_domain: name of the security domain where this
login module is configured. This is only required
* if the cache.invalidation option is configured.
* </ul>
+ * <ul>groupPrincipalName: if you do not want the Roles in the subject to be
"Roles", then set it to a different value</ul>
* </li>
* </p>
* <p>
@@ -117,9 +119,11 @@
protected AssertionType assertion;
protected boolean enableCacheInvalidation = false;
-
+
protected String securityDomain = null;
-
+
+ protected String groupName = "Roles";
+
protected Map<String, ?> options = null;
/*
@@ -131,19 +135,24 @@
Map<String, ?> options)
{
super.initialize(subject, callbackHandler, sharedState, options);
- this.options = options;
+ // check if the options contain the name of the STS configuration file.
+ this.stsConfigurationFile = (String) options.get("configFile");
- // save the config file and cache validation options, removing them from the map -
all remainig properties will
- // be set in the request context of the Dispatch instance used to send requests to
the STS.
- this.stsConfigurationFile = (String) this.options.remove("configFile");
- String cacheInvalidation = (String) this.options.remove(
"cache.invalidation" );
- if( cacheInvalidation != null && !cacheInvalidation.isEmpty() )
+ String groupNameStr = (String) options.get("groupPrincipalName");
+ if (StringUtil.isNotNull(groupNameStr))
{
- this.enableCacheInvalidation = Boolean.parseBoolean( cacheInvalidation );
- this.securityDomain = (String) this.options.remove(
SecurityConstants.SECURITY_DOMAIN_OPTION );
- if( this.securityDomain == null || this.securityDomain.isEmpty() )
- throw new RuntimeException( "Please configure option:" +
SecurityConstants.SECURITY_DOMAIN_OPTION );
+ groupName = groupNameStr.trim();
}
+
+ String cacheInvalidation = (String) options.get("cache.invalidation");
+ if (cacheInvalidation != null && !cacheInvalidation.isEmpty())
+ {
+ enableCacheInvalidation = Boolean.parseBoolean(cacheInvalidation);
+ securityDomain = (String)
options.get(SecurityConstants.SECURITY_DOMAIN_OPTION);
+ if (securityDomain == null || securityDomain.isEmpty())
+ throw new RuntimeException("Please configure option:" +
SecurityConstants.SECURITY_DOMAIN_OPTION);
+ }
+
}
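Review bot: `this.options` is no longer assigned in initialize(): the removed line `this.options = options;` has no counterpart on the new side, so the field declared as `protected Map<String, ?> options = null;` in the previous hunk stays null unless it is set somewhere outside this hunk, and any later reader (the removed comment says the remaining entries were forwarded to the Dispatch request context) would fail with a NullPointerException. Restoring `this.options = options;` directly after `super.initialize(subject, callbackHandler, sharedState, options);` keeps that behaviour. Separately, `remove` became `get`, so configFile, cache.invalidation, the security-domain key and the new groupPrincipalName now remain in the map that the old code deliberately stripped before forwarding; if the map is still forwarded, those entries now reach the STS client request context as well, which the commit message does not mention. The enclosing initialize() method begins before this hunk.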
/*
@@ -188,7 +197,8 @@
Element assertionElement = null;
try
{
- super.callbackHandler.handle(new Callback[]{callback});
+ super.callbackHandler.handle(new Callback[]
+ {callback});
if (callback.getCredential() instanceof SamlCredential == false)
throw new IllegalArgumentException("Supplied credential is not a SAML
credential");
this.credential = (SamlCredential) callback.getCredential();
@@ -202,7 +212,7 @@
}
// send the assertion to the STS for validation.
- STSClient client = this.getSTSClient() ;
+ STSClient client = this.getSTSClient();
try
{
boolean isValid = client.validateToken(assertionElement);
@@ -225,23 +235,23 @@
if (subject != null)
{
BaseIDAbstractType baseID = subject.getSubType().getBaseID();
- if( baseID instanceof NameIDType )
+ if (baseID instanceof NameIDType)
{
NameIDType nameID = (NameIDType) baseID;
- this.principal = new PicketLinkPrincipal(nameID.getValue());
-
+ this.principal = new PicketLinkPrincipal(nameID.getValue());
+
//If the user has configured cache invalidation of subject based on saml
token expiry
- if( enableCacheInvalidation )
+ if (enableCacheInvalidation)
{
TimeCacheExpiry cacheExpiry =
JBossAuthCacheInvalidationFactory.getCacheExpiry();
- XMLGregorianCalendar expiry = AssertionUtil.getExpiration( assertion
);
- if( expiry != null )
+ XMLGregorianCalendar expiry = AssertionUtil.getExpiration(assertion);
+ if (expiry != null)
{
- cacheExpiry.register( securityDomain,
expiry.toGregorianCalendar().getTime() , principal );
- }
+ cacheExpiry.register(securityDomain,
expiry.toGregorianCalendar().getTime(), principal);
+ }
else
{
- log.warn( "SAML Assertion has been found to have no expiration:
ID = " + assertion.getID() );
+ log.warn("SAML Assertion has been found to have no expiration:
ID = " + assertion.getID());
}
}
}
@@ -300,10 +310,10 @@
{
Set<Principal> roles = new HashSet<Principal>();
List<ASTChoiceType> attributeList = attributeStatement.getAttributes();
- for ( ASTChoiceType obj : attributeList )
+ for (ASTChoiceType obj : attributeList)
{
AttributeType attribute = obj.getAttribute();
- if( attribute != null )
+ if (attribute != null)
{
// if this is a role attribute, get its values and add them to the role
set.
if (attribute.getName().equals("role"))
@@ -313,14 +323,15 @@
}
}
}
- Group rolesGroup = new PicketLinkGroup("Roles");
+ Group rolesGroup = new PicketLinkGroup(groupName);
for (Principal role : roles)
rolesGroup.addMember(role);
- return new Group[]{rolesGroup};
+ return new Group[]
+ {rolesGroup};
}
return new Group[0];
}
-
+
/**
* <p>
* Checks if the specified SAML assertion contains a {@code AttributeStatementType}
and returns this type when it
@@ -344,7 +355,7 @@
}
return null;
}
-
+
/**
* Get the {@link STSClient} object with which we can make calls to the STS
* @return