Repository: cxf-fediz Updated Branches: refs/heads/master 2d42d674a -> e6a2d15ff
Return 500 from the IdP if the STS URL is configured incorrectly instead of the default 401 Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e6a2d15f Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e6a2d15f Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e6a2d15f Branch: refs/heads/master Commit: e6a2d15ff834f29b7ff3223ba20450387406bf5e Parents: 2d42d67 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Apr 7 18:23:51 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Apr 7 18:23:51 2017 +0100 ---------------------------------------------------------------------- .../fediz/service/idp/BasicAuthEntryPoint.java | 57 ++++++++++++++++++++ .../idp/STSUPAuthenticationProvider.java | 8 +++ .../WEB-INF/config/security-up-config.xml | 4 +- 3 files changed, 68 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e6a2d15f/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java ---------------------------------------------------------------------- diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java new file mode 100644 index 0000000..7058988 --- /dev/null +++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthEntryPoint.java 
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+
+/**
+ * The entry point for BasicAuthentication. If the exception thrown is an AuthenticationServiceException, which
+ * is thrown if the URL for the STS is incorrect for example, it returns 500. Otherwise 401.
+ */
+@Component
+public class BasicAuthEntryPoint extends BasicAuthenticationEntryPoint {
+
+ public void commence(HttpServletRequest request, HttpServletResponse response,
+ AuthenticationException ex) throws IOException, ServletException {
+ if (ex instanceof AuthenticationServiceException) {
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.flushBuffer();
+ } else {
+ super.commence(request, response, ex);
+ }
+ }
+
+ @Override
+ public void afterPropertiesSet() throws Exception {
+ setRealmName("Fediz");
+ super.afterPropertiesSet();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e6a2d15f/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
index 54fb24e..7c47f63 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
@@ -25,11 +25,13 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.xml.namespace.QName;
 import org.apache.cxf.Bus;
+import org.apache.cxf.service.factory.ServiceConstructionException;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.wss4j.dom.WSConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
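Review bot: `commence` overrides `BasicAuthenticationEntryPoint.commence` but carries no `@Override`, while `afterPropertiesSet` a few lines below does; add `@Override` so a signature drift in a future Spring Security release fails to compile instead of silently leaving the 500 branch unreachable and every failure falling back to 401. The 500 branch intentionally writes no body and no `WWW-Authenticate` challenge, and nothing from the `AuthenticationServiceException` (which wraps the STS failure and, per the provider change in this commit, the username) reaches the client — that is the right call for an IdP and worth stating in a comment, e.g. `// STS client could not be built: server-side fault, not a credential failure. No challenge, and never echo the cause to the caller.`. `afterPropertiesSet` also unconditionally overwrites any `realmName` a bean definition might have set; `if (getRealmName() == null) { setRealmName("Fediz"); }` keeps the default while leaving it configurable, assuming the superclass getter is available in the Spring Security version used here.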
@@ -114,6 +116,12 @@ public class STSUPAuthenticationProvider extends STSAuthenticationProvider { LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName()); return upat; + } catch (ServiceConstructionException ex) { + // Explictly catch ServiceConstructionException here - this allows us to handle the case of + // the STS being down separately + LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex); + throw new AuthenticationServiceException("Failed to authenticate user '" + + usernamePasswordToken.getName(), ex); } catch (Exception ex) { LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex); return null; http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e6a2d15f/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml index 2ba5f86..657360d 100644 --- a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml +++ b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml @@ -35,6 +35,8 @@ <!-- DISABLE in production as it might log confidential information about the user --> <!-- <security:debug /> --> + + <bean id="basicAuthEntryPoint" class="org.apache.cxf.fediz.service.idp.BasicAuthEntryPoint" /> <!-- HTTP/BA entry point for WS-Federation --> <security:http pattern="/federation/up/**" use-expressions="true"> 
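Review bot: The message passed to the new `AuthenticationServiceException` drops the closing quote that the `LOG.info` line directly above it has, so the line should read `throw new AuthenticationServiceException("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex);`. Since this branch reports an operator-side fault (the STS client could not be constructed) rather than a rejected credential, logging it at INFO next to the bad-password case buries it; `LOG.error` (or at least WARN) is what an on-call engineer will grep for when the IdP starts returning 500s. The comment says "the STS being down", but as the exception name suggests `ServiceConstructionException` is raised while the client is being built (e.g. the WSDL at a mistyped URL cannot be fetched), which matches the commit title better; `// Explicitly catch ServiceConstructionException: the STS client could not be built (e.g. bad STS URL), which the entry point maps to 500 rather than 401` also fixes the "Explictly" typo. The enclosing method (presumably `authenticate`) starts outside the hunk.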
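Review bot: `basicAuthEntryPoint` is declared here as an explicit bean while `BasicAuthEntryPoint` is also annotated `@Component` in the new class; if this context's component scan covers `org.apache.cxf.fediz.service.idp`, two entry-point instances will be created, one of them unused. Pick one mechanism — dropping `@Component` from the class is the smaller change, since the `entry-point-ref` wiring needs the explicit id anyway. A one-line comment above the bean such as `<!-- Maps STS client construction failures (AuthenticationServiceException) to 500 instead of the default 401 challenge -->` would tell the next reader why the namespace default entry point was replaced.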
@@ -42,7 +44,7 @@ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - <security:http-basic /> + <security:http-basic entry-point-ref="basicAuthEntryPoint"/> <!--security:form-login login-page='/federation/up/login' login-processing-url="/federation/up/login.do" authentication-failure-url="/federation/up/login?error"
