FEDIZ-171 - Add a configuration option to add the "Authenticated" role to the list of roles of the authenticated user
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
index d9ff3de..fc8ef33 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
@@ -76,7 +76,6 @@
throw new IllegalArgumentException("ContextConfig cannot be null!");
}
this.config = config;
-
}
public void init() {
@@ -372,6 +371,8 @@
this.classloader = classloader;
}
-
+ public boolean isAddAuthenticatedRole() {
+ return config.isAddAuthenticatedRole();
+ }
}
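Review bot: The new accessor `isAddAuthenticatedRole()` has no Javadoc, although it is the public switch that the CXF, Jetty and Tomcat plugins consult before appending a role to the authenticated principal. Suggested comment above it: `/** Whether the "Authenticated" role is appended to the roles of an authenticated user even when the token already carries roles; see the addAuthenticatedRole element in FedizConfig.xsd. */`. The delegate `config` is non-null by the constructor check visible in the first hunk, so no guard is needed in the accessor itself.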
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index d8a6ff3..b556e8b 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -17,6 +17,7 @@
<xs:element ref="certificateValidation" />
<xs:element ref="certificateStores" />
<xs:element ref="tokenExpirationValidation" minOccurs="0" />
+ <xs:element ref="addAuthenticatedRole" minOccurs="0" />
<xs:element ref="maximumClockSkew" />
<xs:element ref="tokenReplayCache" />
<xs:element ref="serviceCertificate" />
@@ -93,6 +94,17 @@
</xs:documentation>
</xs:annotation>
</xs:element>
+
+ <xs:element name="addAuthenticatedRole" type="xs:boolean" default="false" >
+ <xs:annotation>
+ <xs:documentation>Whether to add the "Authenticated" role to the list of roles associated
+ with the "authenticated" user. This could be useful if you don't care about authorizing
+ the user, only about authentication. A role is required to activate authentication, and it
+ may be problematic to list all relevant roles in web.xml. Note that if the user has no
+ roles, then the "Authenticated" role is added automatically.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
<xs:element name="tokenReplayCache" type="xs:string" />
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 731b24a..7bb8ab7 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -22,6 +22,7 @@
import java.io.InputStream;
import java.net.URI;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
@@ -163,9 +164,13 @@
String webAppDomain = getWebAppDomain();
String token = DOM2Writer.nodeToString(wfRes.getToken());
+ // Add "Authenticated" role
List<String> roles = wfRes.getRoles();
if (roles == null || roles.size() == 0) {
roles = Collections.singletonList("Authenticated");
+ } else if (fedConfig.isAddAuthenticatedRole()) {
+ roles = new ArrayList<>(roles);
+ roles.add("Authenticated");
}
String webAppContext = getWebAppContext(m);
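Review bot: The new `else if` branch appends "Authenticated" without checking whether the issuer already asserted a role of that name, so the principal's role list can end up with a duplicate entry; `} else if (fedConfig.isAddAuthenticatedRole() && !roles.contains("Authenticated")) {` avoids that. The same branch, with the same string literal, is repeated in the jetty8, jetty9, tomcat7 and tomcat8 hunks below, so the role name is now spelled out in six places; a shared constant (for instance on FedizContext next to the new accessor) would keep the name consistent across containers. The enclosing method starts and ends outside the hunk.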
diff --git a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationLoginService.java b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationLoginService.java
index 629f43d..d5daa5c 100644
--- a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationLoginService.java
+++ b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationLoginService.java
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.jetty8;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
@@ -114,9 +115,13 @@
}
}
+ // Add "Authenticated" role
List<String> roles = wfRes.getRoles();
if (roles == null || roles.size() == 0) {
roles = Collections.singletonList("Authenticated");
+ } else if (config.isAddAuthenticatedRole()) {
+ roles = new ArrayList<>(roles);
+ roles.add("Authenticated");
}
FederationUserPrincipal user = new FederationUserPrincipal(wfRes.getUsername(), wfRes);
diff --git a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationLoginService.java b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationLoginService.java
index f058002..17bafad 100644
--- a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationLoginService.java
+++ b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationLoginService.java
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.jetty9;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
@@ -115,9 +116,13 @@
}
}
+ // Add "Authenticated" role
List<String> roles = wfRes.getRoles();
if (roles == null || roles.size() == 0) {
roles = Collections.singletonList("Authenticated");
+ } else if (config.isAddAuthenticatedRole()) {
+ roles = new ArrayList<>(roles);
+ roles.add("Authenticated");
}
FederationUserPrincipal user = new FederationUserPrincipal(wfRes.getUsername(), wfRes);
diff --git a/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/handler/TomcatSigninHandler.java b/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/handler/TomcatSigninHandler.java
index 476fbbf..56fd6b8 100644
--- a/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/handler/TomcatSigninHandler.java
+++ b/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/handler/TomcatSigninHandler.java
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.tomcat7.handler;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -49,10 +50,13 @@
@Override
protected FedizPrincipal createPrincipal(HttpServletRequest request, HttpServletResponse response,
FedizResponse wfRes) {
-
+ // Add "Authenticated" role
List<String> roles = wfRes.getRoles();
if (roles == null || roles.size() == 0) {
roles = Collections.singletonList("Authenticated");
+ } else if (getFedizContext().isAddAuthenticatedRole()) {
+ roles = new ArrayList<>(roles);
+ roles.add("Authenticated");
}
// proceed creating the JAAS Subject
diff --git a/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java b/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java
index 27d353a..66239ce 100644
--- a/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java
+++ b/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.tomcat8.handler;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -50,9 +51,13 @@
protected FedizPrincipal createPrincipal(HttpServletRequest request, HttpServletResponse response,
FedizResponse wfRes) {
+ // Add "Authenticated" role
List<String> roles = wfRes.getRoles();
if (roles == null || roles.size() == 0) {
roles = Collections.singletonList("Authenticated");
+ } else if (getFedizContext().isAddAuthenticatedRole()) {
+ roles = new ArrayList<>(roles);
+ roles.add("Authenticated");
}
// proceed creating the JAAS Subject
diff --git a/services/oidc/src/main/conf/fediz_config.xml b/services/oidc/src/main/conf/fediz_config.xml
index 9fbbc55..5987462 100644
--- a/services/oidc/src/main/conf/fediz_config.xml
+++ b/services/oidc/src/main/conf/fediz_config.xml
@@ -36,6 +36,7 @@
<issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
+ <addAuthenticatedRole>true</addAuthenticatedRole>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="federationProtocolType" version="1.0.0">
<realm>urn:org:apache:cxf:fediz:oidc</realm>
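Review bot: The new `<addAuthenticatedRole>` element is placed after `<maximumClockSkew>` here, while the schema hunk in FedizConfig.xsd declares it before `maximumClockSkew` (between `tokenExpirationValidation` and `maximumClockSkew`). If the enclosing compositor in the schema is an `xs:sequence`, which the hunk does not show, this sample configuration would fail validation against the shipped schema; moving `<addAuthenticatedRole>true</addAuthenticatedRole>` above `<maximumClockSkew>1000</maximumClockSkew>` matches the declared order either way.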