[jboss-cvs] Picketlink SVN: r998 - in federation/trunk: picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth and 1 other directories.

Mon Jun 13 18:38:24 EDT 2011


Author: anil.saldhana at jboss.com
Date: 2011-06-13 18:38:24 -0400 (Mon, 13 Jun 2011)
New Revision: 998

Modified:
   federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java
   federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java
   federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java
Log:
make seeking roles flexible from the SAML assertion

Modified: federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java	2011-06-13 22:37:39 UTC (rev 997)
+++ federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.java	2011-06-13 22:38:24 UTC (rev 998)
@@ -51,7 +51,9 @@
 import org.jboss.security.plugins.JaasSecurityDomain;
 import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkGroup;
 import org.picketlink.identity.federation.bindings.jboss.subject.PicketLinkPrincipal;
+import org.picketlink.identity.federation.core.constants.AttributeConstants;
 import org.picketlink.identity.federation.core.constants.PicketLinkFederationConstants;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
 import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
 import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory.TimeCacheExpiry;
 import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
@@ -85,7 +87,7 @@
  *  <ul>jboss.security.security_domain: name of the security domain where this login module is configured. This is only required
  *  if the cache.invalidation option is configured.
  *  </ul>
- *  <ul>groupPrincipalName: if you do not want the Roles in the subject to be "Roles", then set it to a different value</ul>
+ *  <ul>roleKey: a comma separated list of strings that define the attributes in SAML assertion for user roles</ul>
  *  <ul>localValidation: if you want to validate the assertion locally for signature and expiry</ul>
  * </li>
  * </p>
@@ -134,12 +136,12 @@
 
    protected String securityDomain = null;
 
-   protected String groupName = SecurityConstants.ROLES_IDENTIFIER;
-
    protected boolean localValidation = false;
 
    protected String localValidationSecurityDomain;
 
+   protected String roleKey = AttributeConstants.ROLE_IDENTIFIER_ASSERTION;
+
    /**
     * Options that are computed by this login module.
     * Few options are removed and the rest are set in the dispatch sts call
@@ -214,10 +216,10 @@
             throw new RuntimeException("Please configure option:" + SecurityConstants.SECURITY_DOMAIN_OPTION);
       }
 
-      String groupNameStr = (String) options.get("groupPrincipalName");
-      if (StringUtil.isNotNull(groupNameStr))
+      String roleKeyStr = (String) options.get("roleKey");
+      if (StringUtil.isNotNull(roleKeyStr))
       {
-         groupName = groupNameStr.trim();
+         roleKey = roleKeyStr.trim();
       }
 
       String localValidationStr = (String) options.get("localValidation");
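Review bot: The `groupPrincipalName` option is no longer read here, so any existing configuration that sets it is now silently ignored and the roles end up in the hard-coded `Roles` group; the same silent drop shows up in the javadoc hunk (the option is removed from the documented list) and in the field hunk, where the `protected String groupName` field disappears, which is an API break for any subclass that referenced it. A one-line warning would make the migration visible to operators: `if (options.containsKey("groupPrincipalName")) log.warn("Option 'groupPrincipalName' is no longer supported; roles are placed in group " + SecurityConstants.ROLES_IDENTIFIER);`. It would also help to document in the class javadoc that `roleKey` replaces `groupPrincipalName` rather than just listing the new option. The enclosing initialize method starts and ends outside this hunk.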
@@ -423,10 +425,21 @@
             throw le;
          }
       }
+      if (trace)
+      {
+         try
+         {
+            log.trace("Assertion from where roles will be sought=" + AssertionUtil.asString(assertion));
+         }
+         catch (ProcessingException ignore)
+         {
+         }
+      }
 
       List<String> roleKeys = new ArrayList<String>();
-      roleKeys.add("Role");
+      roleKeys.addAll(StringUtil.tokenize(roleKey));
 
+      String groupName = SecurityConstants.ROLES_IDENTIFIER;
       Group rolesGroup = new PicketLinkGroup(groupName);
       List<String> roles = AssertionUtil.getRoles(assertion, roleKeys);
       for (String role : roles)
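Review bot: The new `catch (ProcessingException ignore)` block is empty, so a failure to serialize the assertion for the trace message vanishes without a trace even though tracing is the very thing the operator asked for; at minimum log it, `catch (ProcessingException ignore) { log.trace("Could not serialize assertion for logging", ignore); }`. Note also that the message dumps the entire assertion, including every subject attribute, into the log; that is acceptable at trace level but worth a short comment so nobody later lowers the level. The `roleKeys` list is now built from `StringUtil.tokenize(roleKey)`, and it is not visible from this hunk what that yields for an empty or whitespace-only value after the earlier `trim()`; if it can produce an empty list, `AssertionUtil.getRoles` would presumably return no roles, which seems a reasonable fallback but should be confirmed. The enclosing method starts and ends outside this hunk.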

Modified: federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java	2011-06-13 22:37:39 UTC (rev 997)
+++ federation/trunk/picketlink-bindings-jboss/src/test/java/org/picketlink/test/identity/federation/bindings/jboss/auth/SAML2STSLoginModuleUnitTestCase.java	2011-06-13 22:38:24 UTC (rev 998)
@@ -79,6 +79,7 @@
             options.put("localValidation", "true");
             options.put("localValidationSecurityDomain", "someSD");
             options.put("localTestingOnly", "true");
+            options.put("roleKey", "Role,SomeAttrib");
 
             AppConfigurationEntry a2 = new AppConfigurationEntry(SAML2STSLoginModule.class.getName(),
                   LoginModuleControlFlag.REQUIRED, options);
@@ -101,6 +102,8 @@
          roles.add("test1");
          roles.add("test2");
          assertion.addStatement(StatementUtil.createAttributeStatement(roles));
+         assertion.addStatement(StatementUtil.createAttributeStatement("SomeAttrib", "testX"));
+
          try
          {
             SamlCredential cred = new SamlCredential(AssertionUtil.asString(assertion));
@@ -129,6 +132,6 @@
       Group gp = groups.iterator().next();
       assertTrue(gp.isMember(new SimplePrincipal("test1")));
       assertTrue(gp.isMember(new SimplePrincipal("test2")));
+      assertTrue(gp.isMember(new SimplePrincipal("testX")));
    }
-
 }
\ No newline at end of file
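Review bot: The added assertion only shows that an attribute named in `roleKey` becomes a role; nothing checks that an attribute not named there is excluded, so a regression that mapped every attribute statement to a role would still pass this test. Consider adding a statement such as `assertion.addStatement(StatementUtil.createAttributeStatement("OtherAttrib", "testY"));` next to the `SomeAttrib` one in the previous hunk and asserting `assertFalse(gp.isMember(new SimplePrincipal("testY")));` here (assuming `assertFalse` is statically imported alongside `assertTrue`).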

Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java	2011-06-13 22:37:39 UTC (rev 997)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java	2011-06-13 22:38:24 UTC (rev 998)
@@ -29,4 +29,7 @@
 public interface AttributeConstants
 {
    String ROLES = "roles";
+
+   /** Default identifier in the saml2 attribute statements to indicate role **/
+   String ROLE_IDENTIFIER_ASSERTION = "Role";
 }
\ No newline at end of file


