This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/3_0_X by this push:
new 924262083e [SYNCOPE-1794] Supporting maximum-authentication-lifetime
configuration for Console, Enduser and SRA (#576)
924262083e is described below
commit 924262083e8326555a92f113b11eaffb466e1fc5
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Thu Dec 14 14:20:17 2023 +0100
[SYNCOPE-1794] Supporting maximum-authentication-lifetime configuration for
Console, Enduser and SRA (#576)
---
.../syncope/client/ui/commons/BaseSession.java | 9 +--
.../ui/commons/SyncopeUIRequestCycleListener.java | 70 ++++++++++++++--------
.../core/logic/AbstractSAML2SP4UILogic.java | 3 +-
.../syncope/core/logic/SAML2SP4UIProperties.java | 20 +++++--
.../src/main/resources/core-saml2sp4ui.properties | 3 +-
.../src/main/resources/core-all.properties | 3 +-
.../src/test/resources/sra-saml2.properties | 3 +-
.../java/org/apache/syncope/sra/SRAProperties.java | 20 +++++--
.../org/apache/syncope/sra/SecurityConfig.java | 3 +-
sra/src/test/resources/debug/sra-debug.properties | 3 +-
.../asciidoc/reference-guide/howto/keystore.adoc | 1 -
11 files changed, 89 insertions(+), 49 deletions(-)
diff --git
a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseSession.java
b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseSession.java
index 3187116192..44fad9b0e9 100644
---
a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseSession.java
+++
b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseSession.java
@@ -23,6 +23,7 @@ import java.util.Locale;
import java.util.concurrent.Callable;
import java.util.concurrent.Future;
import org.apache.syncope.client.lib.SyncopeAnonymousClient;
+import org.apache.wicket.model.ResourceModel;
public interface BaseSession {
@@ -40,12 +41,8 @@ public interface BaseSession {
this.fallback = fallback;
}
- public String key() {
- return key;
- }
-
- public String fallback() {
- return fallback;
+ public String message() {
+ return new ResourceModel(key, fallback).getObject();
}
}
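Review bot: `key()` and `fallback()` were public accessors on this enum and are dropped here, so any caller outside this diff that still uses them (the enum header and such callers are outside the hunk) stops compiling; on a 3_0_X maintenance branch it would be safer to keep both alongside the new `message()`. The replacement `new ResourceModel(key, fallback).getObject()` presumably resolves the string through the Wicket `Application` bound to the current thread, so it only works inside a request cycle, which the old plain getters did not require. A one-line comment on the new method, `// resolved via the thread-bound Wicket Application; fallback is returned when the key is missing`, would make that precondition explicit for future callers.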
diff --git
a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/SyncopeUIRequestCycleListener.java
b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/SyncopeUIRequestCycleListener.java
index 05cce591c3..07e0a93e27 100644
---
a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/SyncopeUIRequestCycleListener.java
+++
b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/SyncopeUIRequestCycleListener.java
@@ -19,11 +19,14 @@
package org.apache.syncope.client.ui.commons;
import java.security.AccessControlException;
+import java.util.Optional;
+import java.util.stream.Collectors;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ForbiddenException;
import javax.xml.ws.WebServiceException;
import org.apache.commons.lang3.StringUtils;
import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.types.ClientExceptionType;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.core.request.handler.PageProvider;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
@@ -41,15 +44,23 @@ public abstract class SyncopeUIRequestCycleListener
implements IRequestCycleList
private static final Logger LOG =
LoggerFactory.getLogger(SyncopeUIRequestCycleListener.class);
- private static Throwable instanceOf(final Exception e, final Class<?
extends Exception> clazz) {
- return clazz.isAssignableFrom(e.getClass())
- ? e
- : e.getCause() != null &&
clazz.isAssignableFrom(e.getCause().getClass())
- ? e.getCause()
- : e.getCause() != null && e.getCause().getCause() != null
- && clazz.isAssignableFrom(e.getCause().getCause().getClass())
- ? e.getCause().getCause()
- : null;
+ @SuppressWarnings("unchecked")
+ private static <T extends Exception> Optional<T> instanceOf(final
Exception e, final Class<T> clazz) {
+ if (clazz.isAssignableFrom(e.getClass())) {
+ return Optional.of((T) e);
+ }
+
+ if (e.getCause() != null &&
clazz.isAssignableFrom(e.getCause().getClass())) {
+ return Optional.of((T) e.getCause());
+ }
+
+ if (e.getCause() != null && e.getCause().getCause() != null
+ && clazz.isAssignableFrom(e.getCause().getCause().getClass()))
{
+
+ return Optional.of((T) e.getCause().getCause());
+ }
+
+ return Optional.empty();
}
@Override
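Review bot: The three `(T)` casts and the method-level `@SuppressWarnings("unchecked")` in `instanceOf` are avoidable, because each cast is already guarded by `clazz.isAssignableFrom(...)`: `clazz.cast(...)` performs the same conversion as a checked call with no warning to suppress. The three hand-unrolled levels could also collapse into a short walk of the cause chain that keeps the existing limit of two causes, which is easier to read and to extend later. The method is fully contained in the hunk; the enclosing class starts before it.
```java
private static <T extends Exception> Optional<T> instanceOf(final Exception e, final Class<T> clazz) {
    // Inspect e, its cause and its cause's cause (same depth as before);
    // clazz.cast replaces the unchecked (T) casts, so no @SuppressWarnings is needed.
    Throwable current = e;
    for (int depth = 0; current != null && depth < 3; depth++) {
        if (clazz.isInstance(current)) {
            return Optional.of(clazz.cast(current));
        }
        current = current.getCause();
    }
    return Optional.empty();
}
```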
@@ -59,33 +70,40 @@ public abstract class SyncopeUIRequestCycleListener
implements IRequestCycleList
PageParameters errorParameters = new PageParameters();
IRequestablePage errorPage;
- if (instanceOf(e, UnauthorizedInstantiationException.class) != null) {
- errorParameters.add("errorMessage",
BaseSession.Error.AUTHORIZATION.fallback());
+ if (instanceOf(e,
UnauthorizedInstantiationException.class).isPresent()) {
+ errorParameters.add("errorMessage",
BaseSession.Error.AUTHORIZATION.message());
errorPage = getErrorPage(errorParameters);
- } else if (instanceOf(e, AccessControlException.class) != null) {
- if (StringUtils.containsIgnoreCase(instanceOf(e,
AccessControlException.class).getMessage(), "expired")) {
- errorParameters.add("errorMessage",
BaseSession.Error.SESSION_EXPIRED.fallback());
+ } else if (instanceOf(e, AccessControlException.class).isPresent()) {
+ AccessControlException ace = instanceOf(e,
AccessControlException.class).get();
+ if (StringUtils.containsIgnoreCase(ace.getMessage(), "expired")) {
+ errorParameters.add("errorMessage",
BaseSession.Error.SESSION_EXPIRED.message());
} else {
- errorParameters.add("errorMessage",
BaseSession.Error.AUTHORIZATION.fallback());
+ errorParameters.add("errorMessage",
BaseSession.Error.AUTHORIZATION.message());
}
errorPage = getErrorPage(errorParameters);
- } else if (instanceOf(e, PageExpiredException.class) != null ||
!isSignedIn()) {
- errorParameters.add("errorMessage",
BaseSession.Error.SESSION_EXPIRED.fallback());
+ } else if (instanceOf(e, SyncopeClientException.class).isPresent()) {
+ SyncopeClientException sce = instanceOf(e,
SyncopeClientException.class).get();
+ String errorMessage = sce.getType() == ClientExceptionType.Unknown
+ ? sce.getElements().stream().collect(Collectors.joining())
+ : sce.getMessage();
+ errorParameters.add("errorMessage", errorMessage);
errorPage = getErrorPage(errorParameters);
- } else if (instanceOf(e, BadRequestException.class) != null
- || instanceOf(e, WebServiceException.class) != null
- || instanceOf(e, SyncopeClientException.class) != null) {
+ } else if (instanceOf(e, BadRequestException.class).isPresent()
+ || instanceOf(e, WebServiceException.class).isPresent()) {
- errorParameters.add("errorMessage",
BaseSession.Error.REST.fallback());
+ errorParameters.add("errorMessage",
BaseSession.Error.REST.message());
+ errorPage = getErrorPage(errorParameters);
+ } else if (instanceOf(e, PageExpiredException.class).isPresent() ||
!isSignedIn()) {
+ errorParameters.add("errorMessage",
BaseSession.Error.SESSION_EXPIRED.message());
errorPage = getErrorPage(errorParameters);
} else {
- Throwable cause = instanceOf(e, ForbiddenException.class);
- if (cause == null) {
+ Optional<ForbiddenException> cause = instanceOf(e,
ForbiddenException.class);
+ if (cause.isPresent()) {
+ errorParameters.add("errorMessage", cause.get().getMessage());
+ errorPage = getErrorPage(errorParameters);
+ } else {
// redirect to default Wicket error page
errorPage = new ExceptionErrorPage(e, null);
- } else {
- errorParameters.add("errorMessage", cause.getMessage());
- errorPage = getErrorPage(errorParameters);
}
}
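Review bot: The new `SyncopeClientException` branch forwards server-side text straight into the `errorMessage` page parameter (`sce.getMessage()`, or the joined `sce.getElements()`), whereas the removed branch mapped this exception to the generic `Error.REST` text; unless the error page escapes and bounds that parameter (not visible here), whatever detail the REST layer put into the fault now reaches the end user, so it is worth confirming that `getErrorPage` renders it as escaped text only. Independently, `Collectors.joining()` concatenates the elements with no separator, producing one run-on string when several are present; `Collectors.joining("; ")` is the likely intent. Minor: each branch calls `instanceOf` twice (`isPresent()` then `get()`); binding the `Optional` once, e.g. `Optional<AccessControlException> ace = instanceOf(e, AccessControlException.class);`, avoids the second walk and the bare `get()`. The enclosing method begins and ends outside the hunk.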
diff --git
a/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/AbstractSAML2SP4UILogic.java
b/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/AbstractSAML2SP4UILogic.java
index 8afffd18de..87bdbb1b1a 100644
---
a/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/AbstractSAML2SP4UILogic.java
+++
b/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/AbstractSAML2SP4UILogic.java
@@ -74,7 +74,8 @@ abstract class AbstractSAML2SP4UILogic extends
AbstractTransactionalLogic<Entity
cfg.setWantsAssertionsSigned(true);
cfg.setAuthnRequestSigned(true);
cfg.setSpLogoutRequestSigned(true);
- cfg.setAcceptedSkew(props.getSkew());
+
cfg.setMaximumAuthenticationLifetime(props.getMaximumAuthenticationLifetime());
+ cfg.setAcceptedSkew(props.getAcceptedSkew());
cfg.setLogoutHandler(new NoOpLogoutHandler());
return cfg;
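Review bot: `cfg.setMaximumAuthenticationLifetime(...)` is added with no comment on what it bounds, and the name is easy to mistake for the assertion's validity period; as far as I recall pac4j's semantics, it is the maximum age in seconds of the IdP's `AuthnInstant` that this SP still accepts, so raising it lets older IdP logins satisfy the SP rather than extending anything locally, and `acceptedSkew` widens that window at both ends. A comment such as `// seconds since the IdP's AuthnInstant still accepted (pac4j); larger values weaken login freshness` on the new line would keep operators from tuning it blindly. The enclosing method starts before the hunk and its closing brace is after it.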
diff --git
a/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/SAML2SP4UIProperties.java
b/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/SAML2SP4UIProperties.java
index 7f941ec6ab..6e117bd7af 100644
---
a/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/SAML2SP4UIProperties.java
+++
b/ext/saml2sp4ui/logic/src/main/java/org/apache/syncope/core/logic/SAML2SP4UIProperties.java
@@ -33,7 +33,9 @@ public class SAML2SP4UIProperties {
private String keystoreAlias;
- private long skew;
+ private long maximumAuthenticationLifetime = 3600;
+
+ private long acceptedSkew = 300;
public String getKeystore() {
return keystore;
@@ -75,11 +77,19 @@ public class SAML2SP4UIProperties {
this.keystoreAlias = keystoreAlias;
}
- public long getSkew() {
- return skew;
+ public long getMaximumAuthenticationLifetime() {
+ return maximumAuthenticationLifetime;
+ }
+
+ public void setMaximumAuthenticationLifetime(final long
maximumAuthenticationLifetime) {
+ this.maximumAuthenticationLifetime = maximumAuthenticationLifetime;
+ }
+
+ public long getAcceptedSkew() {
+ return acceptedSkew;
}
- public void setSkew(final long skew) {
- this.skew = skew;
+ public void setAcceptedSkew(final long acceptedSkew) {
+ this.acceptedSkew = acceptedSkew;
}
}
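Review bot: Renaming `setSkew` to `setAcceptedSkew` means an existing `saml2.sp4ui.skew` entry in a deployed `core.properties` silently stops binding and the value falls back to the new default of 300, assuming this class is bound with `@ConfigurationProperties` and unknown keys are ignored, as the property-file changes in this commit suggest; that happens to equal the previously shipped value, but a custom skew would be lost without any warning. On a maintenance branch a deprecated alias, `@Deprecated public void setSkew(final long skew) { this.acceptedSkew = skew; }`, keeps old configuration working until 4.0. The new accessors also carry no Javadoc; `/** Maximum age, in seconds, of the IdP's AuthnInstant still accepted (default 3600). */` on the getter would state the unit, which neither the property name nor the properties file does.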
diff --git a/ext/saml2sp4ui/logic/src/main/resources/core-saml2sp4ui.properties
b/ext/saml2sp4ui/logic/src/main/resources/core-saml2sp4ui.properties
index 475ba7f2c5..ddc058a3ea 100644
--- a/ext/saml2sp4ui/logic/src/main/resources/core-saml2sp4ui.properties
+++ b/ext/saml2sp4ui/logic/src/main/resources/core-saml2sp4ui.properties
@@ -14,8 +14,9 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
-saml2.sp4ui.skew=300
saml2.sp4ui.keystore=file://${syncope.conf.dir}/saml.keystore.jks
saml2.sp4ui.keystore.type=jks
saml2.sp4ui.keystore.storepass=changeit
saml2.sp4ui.keystore.keypass=changeit
+saml2.sp4ui.maximum-authentication-lifetime=3600
+saml2.sp4ui.accepted-skew=300
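Review bot: The two new keys are appended without any hint that their values are seconds or how they relate, while the removed `saml2.sp4ui.skew` is simply gone, so an operator carrying over an old file gets no signal that the key was renamed. A comment line above them, `# seconds; maximum-authentication-lifetime bounds the age of the IdP login, accepted-skew tolerates clock drift (replaces saml2.sp4ui.skew)`, would cover both points in the file operators actually edit.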
diff --git a/fit/core-reference/src/main/resources/core-all.properties
b/fit/core-reference/src/main/resources/core-all.properties
index 584df2005d..3a13cbf963 100644
--- a/fit/core-reference/src/main/resources/core-all.properties
+++ b/fit/core-reference/src/main/resources/core-all.properties
@@ -19,4 +19,5 @@
saml2.sp4ui.keystore=file://${syncope.conf.dir}/saml.keystore.jks
saml2.sp4ui.keystore-type=jks
saml2.sp4ui.keystore-storepass=changeit
saml2.sp4ui.keystore-keypass=changeit
-saml2.sp4ui.skew=300
+saml2.sp4ui.maximum-authentication-lifetime=3600
+saml2.sp4ui.accepted-skew=300
diff --git a/fit/wa-reference/src/test/resources/sra-saml2.properties
b/fit/wa-reference/src/test/resources/sra-saml2.properties
index b4af1d4fc8..8b70f367be 100644
--- a/fit/wa-reference/src/test/resources/sra-saml2.properties
+++ b/fit/wa-reference/src/test/resources/sra-saml2.properties
@@ -23,7 +23,8 @@ sra.saml2.authn-request-binding=POST
sra.saml2.logout-request-binding=POST
sra.saml2.logout-response-binding=REDIRECT
sra.saml2.entityId=http://127.0.0.1:8080
-sra.saml2.skew=300
+sra.saml2.maximum-authentication-lifetime=3600
+sra.saml2.accepted-skew=300
sra.saml2.sp-metadata-file-path=/tmp/saml2-sp-metadata.xml
sra.saml2.idp-metadata=https://localhost:9443/syncope-wa/idp/metadata
sra.saml2.keystore=classpath:/saml.keystore.jks
diff --git a/sra/src/main/java/org/apache/syncope/sra/SRAProperties.java
b/sra/src/main/java/org/apache/syncope/sra/SRAProperties.java
index df14f85039..a42878e9ef 100644
--- a/sra/src/main/java/org/apache/syncope/sra/SRAProperties.java
+++ b/sra/src/main/java/org/apache/syncope/sra/SRAProperties.java
@@ -228,7 +228,9 @@ public class SRAProperties extends SyncopeProperties {
private String entityId;
- private long skew;
+ private long maximumAuthenticationLifetime = 3600;
+
+ private long acceptedSkew = 300;
private String spMetadataFilePath;
@@ -274,12 +276,20 @@ public class SRAProperties extends SyncopeProperties {
this.entityId = entityId;
}
- public long getSkew() {
- return skew;
+ public long getMaximumAuthenticationLifetime() {
+ return maximumAuthenticationLifetime;
+ }
+
+ public void setMaximumAuthenticationLifetime(final long
maximumAuthenticationLifetime) {
+ this.maximumAuthenticationLifetime = maximumAuthenticationLifetime;
+ }
+
+ public long getAcceptedSkew() {
+ return acceptedSkew;
}
- public void setSkew(final int skew) {
- this.skew = skew;
+ public void setAcceptedSkew(final int acceptedSkew) {
+ this.acceptedSkew = acceptedSkew;
}
public String getSpMetadataFilePath() {
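Review bot: `setAcceptedSkew(final int acceptedSkew)` takes an `int` while the field, `getAcceptedSkew()` and the sibling `setMaximumAuthenticationLifetime(long)` all use `long`; a getter/setter pair with different types may not be recognised as one bean property by `java.beans.Introspector`, and `SAML2SP4UIProperties` in this same commit declares `setAcceptedSkew(final long acceptedSkew)`, so the SRA version should match: `public void setAcceptedSkew(final long acceptedSkew) {`. The same rename silently orphans an existing `sra.saml2.skew` setting; a deprecated `setSkew(long)` delegating to `setAcceptedSkew` would keep it binding on this branch. The enclosing class is cut at both ends of the hunk.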
diff --git a/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
b/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
index 8929324e9a..5d486b7cd7 100644
--- a/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
+++ b/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
@@ -272,7 +272,8 @@ public class SecurityConfig {
cfg.setAuthnRequestSigned(true);
cfg.setSpLogoutRequestSigned(true);
cfg.setServiceProviderMetadataResourceFilepath(props.getSaml2().getSpMetadataFilePath());
- cfg.setAcceptedSkew(props.getSaml2().getSkew());
+
cfg.setMaximumAuthenticationLifetime(props.getSaml2().getMaximumAuthenticationLifetime());
+ cfg.setAcceptedSkew(props.getSaml2().getAcceptedSkew());
cfg.setLogoutHandler(new NoOpLogoutHandler());
diff --git a/sra/src/test/resources/debug/sra-debug.properties
b/sra/src/test/resources/debug/sra-debug.properties
index a95b6b9538..3d6bcc7f35 100644
--- a/sra/src/test/resources/debug/sra-debug.properties
+++ b/sra/src/test/resources/debug/sra-debug.properties
@@ -40,7 +40,8 @@ sra.oidc.scopes=openid,profile,email
#sra.saml2.logout-request-binding=POST
#sra.saml2.logout-response-binding=REDIRECT
#sra.saml2.entityId=http://localhost:8080
-#sra.saml2.skew=300
+#sra.saml2.maximum-authentication-lifetime=3600
+#sra.saml2.accepted-skew=300
#sra.saml2.sp-metadata-file-path=/tmp/saml2-sp-metadata.xml
#sra.saml2.idp-metadata=https://localhost:9443/syncope-wa/idp/metadata
#sra.saml2.keystore=classpath:/saml.keystore.jks
diff --git a/src/main/asciidoc/reference-guide/howto/keystore.adoc
b/src/main/asciidoc/reference-guide/howto/keystore.adoc
index d1decbae5a..9584785b7e 100644
--- a/src/main/asciidoc/reference-guide/howto/keystore.adoc
+++ b/src/main/asciidoc/reference-guide/howto/keystore.adoc
@@ -115,7 +115,6 @@ The keystore file `saml2sp4ui.jks` can now be placed in the
<<properties-files-l
relevant part of the `core.properties` file should be:
....
-saml2.sp4ui.skew=300
saml2.sp4ui.keystore=file://${syncope.conf.dir}/saml2sp4ui.jks
saml2.sp4ui.keystore.type=jks
saml2.sp4ui.keystore.storepass=astorepass