changeset 5944:d6f13dba21fe

Adapt WAS Response to new SAML validation code. Fixes the XML Signature validation part of issue830.
author Bernhard Herzog <bh@intevation.de>
date Wed, 08 May 2013 17:56:14 +0200
parents a96350a1c160
children 6ffd11046d61
files gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/Response.java gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/User.java
diffstat 2 files changed, 37 insertions(+), 41 deletions(-) [+]
--- a/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/Response.java	Wed May 08 17:56:14 2013 +0200
+++ b/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/Response.java	Wed May 08 17:56:14 2013 +0200
@@ -18,16 +18,19 @@
 
 import org.apache.log4j.Logger;
 
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.JDOMException;
-import org.jdom.input.SAXBuilder;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 
+import org.dive4elements.artifacts.httpclient.utils.XMLUtils;
 import org.dive4elements.river.client.server.auth.Authentication;
 import org.dive4elements.river.client.server.auth.AuthenticationException;
+import org.dive4elements.river.client.server.auth.saml.Assertion;
+import org.dive4elements.river.client.server.auth.saml.XPathUtils;
+import org.dive4elements.river.client.server.auth.saml.TicketValidator;
 
 import org.dive4elements.river.client.server.features.Features;
 
+
 public class Response implements Authentication {
 
     private static Logger logger = Logger.getLogger(Response.class);
@@ -37,6 +40,7 @@
     private String username;
     private String password;
     private Features features;
+    private String trustedKeyFile;
 
 
     public Response(HttpEntity entity, String username, String password,
@@ -49,32 +53,27 @@
 
         String contenttype = entity.getContentType().getValue();
 
-        try {
-            InputStream in = entity.getContent();
-
-            if (!contenttype.equals("application/vnd.ogc.se_xml")) {
-                // XXX: Assume base64 encoded content.
-                in = new Base64InputStream(in);
-            }
-
-            SAXBuilder builder = new SAXBuilder();
-            Document doc = builder.build(in);
-            Element root = doc.getRootElement();
-            String rname = root.getName();
+        InputStream in = entity.getContent();
 
-            if (rname != null && rname.equals("ServiceExceptionReport")) {
-                throw new ServiceException(root.getChildText("ServiceException"));
-            }
+        if (!contenttype.equals("application/vnd.ogc.se_xml")) {
+            // XXX: Assume base64 encoded content.
+            in = new Base64InputStream(in);
+        }
 
-            this.root = root;
-            this.username = username;
-            this.password = password;
-            this.features = features;
+        Document doc = XMLUtils.readDocument(in);
+        Element root = doc.getDocumentElement();
+        String rname = root.getTagName();
 
+        if (rname != null && rname.equals("ServiceExceptionReport")) {
+            throw new ServiceException(XPathUtils.xpathString(root,
+                                                          "ServiceException"));
         }
-        catch(JDOMException e) {
-            throw new AuthenticationException(e);
-        }
+
+        this.root = root;
+        this.username = username;
+        this.password = password;
+        this.features = features;
+        this.trustedKeyFile = trustedKeyFile;
     }
 
     @Override
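Review bot: The ServiceExceptionReport test at `rname.equals("ServiceExceptionReport")` now compares DOM's `root.getTagName()`, which is the qualified name including any namespace prefix, whereas the JDOM `getName()` it replaces returned the local name; a prefixed error report (e.g. `ogc:ServiceExceptionReport`) would therefore fall through and be handed to the ticket validator as if it were a SAML response. With a namespace-aware parser, which XML Signature validation needs in any case, `root.getLocalName()` is the like-for-like replacement. Dropping the `catch (JDOMException)` also removes the translation of parse failures into `AuthenticationException`; if `XMLUtils.readDocument` reports failure by returning null rather than throwing, `doc.getDocumentElement()` NPEs on the next line, so add `if (doc == null) { throw new AuthenticationException(...); }` before it. Because this document comes from a remote service and is parsed before any signature is checked, it is also worth confirming that `XMLUtils.readDocument` disables DOCTYPE and external-entity resolution, which this hunk cannot show. The constructor's signature and throws clause begin above the hunk.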
@@ -84,24 +83,20 @@
     }
 
     public String getStatus() {
-        Element status = this.root.getChild("Status", Namespaces.SAML_NS_PROTO);
-        if (status == null) {
-            return null;
-        }
-        Element statuscode = status.getChild("StatusCode",
-                Namespaces.SAML_NS_PROTO);
-        if (statuscode == null) {
-            return null;
-        }
-        return statuscode.getAttributeValue("Value");
+        return XPathUtils.xpathString(this.root,
+                                      "./samlp:Status/samlp:StatusCode/@Value");
     }
 
+
     public Assertion getAssertion() {
         if (this.assertion == null && this.root != null) {
-            Element assertion = this.root.getChild("Assertion",
-                    Namespaces.SAML_NS_ASSERT);
-            if (assertion != null) {
-                this.assertion = new Assertion(assertion);
+            try {
+                TicketValidator validator =
+                    new TicketValidator(this.trustedKeyFile);
+                this.assertion = validator.checkTicket(this.root);
+            }
+            catch (Exception e) {
+                logger.error(e.getLocalizedMessage(), e);
             }
         }
         return this.assertion;
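Review bot: A failed signature or ticket check inside `validator.checkTicket(this.root)` is logged and then swallowed by `catch (Exception e)`, so `getAssertion()` returns null exactly as it does for a response that simply carries no assertion; callers cannot tell a forged or expired ticket from a missing one, and the only visible consumer dereferences the result (`assertion.getNameID()` in the next hunk). The validation failure should fail closed with its reason: keep the log line but rethrow, e.g. `throw new IllegalStateException("SAML ticket validation failed", e);`, or, if `Authentication.getAssertion()` may declare it, wrap it in `AuthenticationException` so that `getUser()` reports the cause instead of a null dereference. Catching `Exception` also hides programming errors such as a null `trustedKeyFile`; catch what `TicketValidator.checkTicket` actually throws. Note too that because `this.assertion` is only set on success, every subsequent call re-runs the validation. The closing brace of getAssertion lies outside the hunk.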
@@ -118,7 +113,7 @@
         logger.debug("User " + this.username + " with features " + features +
                      " successfully authenticated.");
         return new User(this.username, this.password, assertion.getNameID(),
-                this.assertion.getRoles(), assertion, features);
+                        this.assertion.getRoles(), assertion, features);
     }
 }
 // vim: set si et fileencoding=utf-8 ts=4 sw=4 tw=80:
--- a/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/User.java	Wed May 08 17:56:14 2013 +0200
+++ b/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/was/User.java	Wed May 08 17:56:14 2013 +0200
@@ -12,6 +12,7 @@
 import java.util.List;
 
 import org.dive4elements.river.client.server.auth.DefaultUser;
+import org.dive4elements.river.client.server.auth.saml.Assertion;
 
 public class User
 extends DefaultUser
