Posted to commits@cxf.apache.org by co...@apache.org on 2018/01/19 16:10:30 UTC
[cxf] branch master updated: CXF-7617 - Support Derived keys policy
validation for endorsing IssuedTokens/SamlTokens
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new f2c3216 CXF-7617 - Support Derived keys policy validation for endorsing IssuedTokens/SamlTokens
f2c3216 is described below
commit f2c321689ab3253d2705db6b2a1c57badaf23930
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jan 19 15:15:27 2018 +0000
CXF-7617 - Support Derived keys policy validation for endorsing IssuedTokens/SamlTokens
---
.../policyhandlers/AsymmetricBindingHandler.java | 3 +-
.../AbstractSupportingTokenPolicyValidator.java | 33 ++++++++++++++++++----
.../ConcreteSupportingTokenPolicyValidator.java | 4 +--
.../EncryptedTokenPolicyValidator.java | 4 +--
.../EndorsingEncryptedTokenPolicyValidator.java | 4 +--
.../EndorsingTokenPolicyValidator.java | 4 +--
.../SignedEncryptedTokenPolicyValidator.java | 4 +--
...gnedEndorsingEncryptedTokenPolicyValidator.java | 4 +--
.../SignedEndorsingTokenPolicyValidator.java | 4 +--
.../SignedTokenPolicyValidator.java | 4 +--
.../apache/cxf/systest/sts/transport/DoubleIt.wsdl | 2 +-
.../systest/wssec/examples/saml/DoubleItSaml.wsdl | 2 +-
12 files changed, 48 insertions(+), 24 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 11624cb..788afdb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -817,11 +817,12 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
for (WSSecurityEngineResult wser : wsSecEngineResults) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- String id = (String)wser.get(WSSecurityEngineResult.TAG_ID);
if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+
+ String id = (String)wser.get(WSSecurityEngineResult.TAG_ID);
SecurityToken tempTok = new SecurityToken(id, created, expires);
tempTok.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
tempTok.setX509Certificate(
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index a664d49..2bf0d89 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -141,28 +141,51 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
/**
* Process SAML Tokens. Only signed results are supported.
*/
- protected boolean processSAMLTokens(PolicyValidatorParameters parameters) {
+ protected boolean processSAMLTokens(PolicyValidatorParameters parameters, boolean derived) {
if (parameters.getSamlResults().isEmpty()) {
return false;
}
- if (isSigned() && !areTokensSigned(parameters.getSamlResults(), parameters.getSignedResults(),
+ List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
+ tokenResults.addAll(parameters.getSamlResults());
+
+
+ if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
parameters.getEncryptedResults(),
parameters.getMessage())) {
return false;
}
- if (isEncrypted() && !areTokensEncrypted(parameters.getSamlResults(),
+ if (isEncrypted() && !areTokensEncrypted(tokenResults,
parameters.getEncryptedResults(),
parameters.getMessage())) {
return false;
}
- if (isEndorsing() && !checkEndorsed(parameters.getSamlResults(), parameters.getSignedResults(),
+
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
+ List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
+ for (WSSecurityEngineResult wser : tokenResults) {
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (assertion != null && assertion.getSubjectKeyInfo() != null
+ && assertion.getSubjectKeyInfo().getSecret() != null) {
+ WSSecurityEngineResult dktResult =
+ getMatchingDerivedKey(assertion.getSubjectKeyInfo().getSecret(), parameters.getResults());
+ if (dktResult != null) {
+ dktResults.add(dktResult);
+ }
+ }
+ }
+ tokenResults.addAll(dktResults);
+ }
+
+
+ if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
parameters.getMessage(),
parameters.getTimestampElement())) {
return false;
}
- return validateSignedEncryptedPolicies(parameters.getSamlResults(), parameters.getSignedResults(),
+ return validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
parameters.getEncryptedResults(),
parameters.getMessage());
}
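Review bot: When `derived` is set, the matching derived-key results are appended to `tokenResults` while the original SAML results stay in the list, so `checkEndorsed` on the following lines is still satisfied by a signature made directly with the assertion's key; as far as this hunk shows, a `RequireDerivedKeys` assertion is thereby tolerated rather than enforced (the semantics of `checkEndorsed` lie outside the hunk, so this is inferred). If the policy is meant to be strict, replace the SAML results with `dktResults` once at least one derived key was found, or fail when `derived` is true and none was; note also that `validateSignedEncryptedPolicies` now receives the derived-key results as well, which may or may not be intended. The Javadoc above the signature still describes the old single-argument contract; add `@param derived whether RequireDerivedKeys applies to this token, in which case a derived key token built from the assertion's subject secret is also accepted as the endorsing key`. Minor style: `new ArrayList<>(parameters.getSamlResults())` replaces the create-then-addAll pair, and the doubled blank lines after the `addAll` and after the derived block may trip checkstyle.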
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
index 9f267ca..8aa61e8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
@@ -76,7 +76,7 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
@@ -98,7 +98,7 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index 6cbaba3..7246062 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -101,12 +101,12 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index 9f4fd14..6924422 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -110,12 +110,12 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index d5f9de0..a8ab8c1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -99,12 +99,12 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index 1303688..727e941 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -101,12 +101,12 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index 4a50f55..62d8c2e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -93,7 +93,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
@@ -115,7 +115,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index a64382d..4e5dd66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -82,7 +82,7 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
@@ -104,7 +104,7 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
index f84346b..e3e6dcc 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
@@ -75,7 +75,7 @@ public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyVal
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(parameters)) {
+ if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
@@ -96,7 +96,7 @@ public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyVal
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken)token;
- if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
index 69287c4..4da85f5 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
@@ -520,7 +520,7 @@
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
- <!-- TODO <sp:RequireDerivedKeys/> -->
+ <sp:RequireDerivedKeys/>
</wsp:Policy>
<sp:Issuer>
<wsaw:Address>http://localhost:8080/STS/STSUT
diff --git a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl
index af0b2df..70c2233 100644
--- a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl
@@ -643,7 +643,7 @@
<t:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</t:SignWith>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
- <!-- TODO re-enable <sp:RequireDerivedKeys/> -->
+ <sp:RequireDerivedKeys/>
<sp:RequireInternalReference/>
</wsp:Policy>
</sp:IssuedToken>