Posted to commits@cxf.apache.org by co...@apache.org on 2015/07/31 13:11:58 UTC
[1/4] cxf git commit: Adding more SAML SSO tests
Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes c716a824b -> 6c2ab7d08
Adding more SAML SSO tests
Conflicts:
rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
Conflicts:
rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ef06a563
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ef06a563
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ef06a563
Branch: refs/heads/2.7.x-fixes
Commit: ef06a5634c203bd23aa9887d91db3003451c7c4a
Parents: c716a82
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 31 11:59:53 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 31 12:06:51 2015 +0100
----------------------------------------------------------------------
...AbstractRequestAssertionConsumerHandler.java | 23 ++
.../saml/sso/SAMLSSOResponseValidator.java | 17 ++
.../saml/sso/CombinedValidatorTest.java | 211 ++++++++++++++++++-
3 files changed, 240 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ef06a563/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index f622ace..2c37543 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -65,6 +65,11 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
private boolean supportBase64Encoding = true;
private boolean enforceAssertionsSigned = true;
private boolean enforceKnownIssuer = true;
+<<<<<<< HEAD
+=======
+ private boolean keyInfoMustBeAvailable = true;
+ private boolean enforceResponseSigned;
+>>>>>>> a61db28... Adding more SAML SSO tests
private TokenReplayCache<String> replayCache;
private MessageContext messageContext;
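Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> a61db28...` are merge-conflict markers committed into the source, so AbstractRequestAssertionConsumerHandler.java cannot compile on this branch; the same markers are added again in the hunk that ends at the class's closing brace, and in the import hunks of CombinedValidatorTest.java, where the conflict also pulls in org.apache.wss4j.* imports although the surrounding context shows this branch compiles against org.apache.ws.security. Resolving the conflict should keep only the `keyInfoMustBeAvailable` and `enforceResponseSigned` fields and their accessors. Separately, `keyInfoMustBeAvailable` only ever gets a setter in the later hunk and is never read here nor forwarded to ssoResponseValidator alongside `setEnforceResponseSigned(enforceResponseSigned)`, so as committed it is a dead setting; either forward it or drop it. Unlike its neighbours `enforceAssertionsSigned` and `enforceKnownIssuer`, `enforceResponseSigned` has no initializer and therefore defaults to false; if that is the intended compatibility default, a comment such as `// defaults to false: Response signing is opt-in, assertion signing stays enforced` would make the posture explicit.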
@@ -318,6 +323,7 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
+ ssoResponseValidator.setEnforceResponseSigned(enforceResponseSigned);
ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
ssoResponseValidator.setReplayCache(getReplayCache());
@@ -334,4 +340,21 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
LOG.warning(errorMsg.toString());
}
+<<<<<<< HEAD
+=======
+ public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
+ this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
+ }
+
+ public boolean isEnforceResponseSigned() {
+ return enforceResponseSigned;
+ }
+
+ /**
+ * Enforce that a SAML Response must be signed.
+ */
+ public void setEnforceResponseSigned(boolean enforceResponseSigned) {
+ this.enforceResponseSigned = enforceResponseSigned;
+ }
+>>>>>>> a61db28... Adding more SAML SSO tests
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/ef06a563/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 2d864a5..30bdcd8 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -44,6 +44,7 @@ public class SAMLSSOResponseValidator {
private String clientAddress;
private String requestId;
private String spIdentifier;
+ private boolean enforceResponseSigned;
private boolean enforceAssertionsSigned = true;
private boolean enforceKnownIssuer = true;
private TokenReplayCache<String> replayCache;
@@ -91,6 +92,11 @@ public class SAMLSSOResponseValidator {
throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
}
+ if (enforceResponseSigned && !samlResponse.isSigned()) {
+ LOG.fine("The Response must be signed!");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
// Validate Assertions
org.opensaml.saml2.core.Assertion validAssertion = null;
Date sessionNotOnOrAfter = null;
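Review bot: The new check `if (enforceResponseSigned && !samlResponse.isSigned())` only tests that a Signature element is present on the Response; it does not verify that signature, so it is only meaningful when the signature has already been validated elsewhere (the tests in this commit run SAMLProtocolResponseValidator.validateSamlResponse before this validator, which appears to be where that happens). A comment making that dependency explicit would help the next maintainer: `// presence check only: the Response signature itself is verified by SAMLProtocolResponseValidator, which must run first`. The field is declared without an initializer, so enforcement is off by default while `enforceAssertionsSigned` and `enforceKnownIssuer` default to true; confirm that is intended and say so in the Javadoc. The thrown `WSSecurityException.ErrorCode.FAILURE` also does not match the `WSSecurityException.FAILURE` form used on the context line just above, which is the API form the rest of this file uses on this branch.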
@@ -333,5 +339,16 @@ public class SAMLSSOResponseValidator {
public void setReplayCache(TokenReplayCache<String> replayCache) {
this.replayCache = replayCache;
}
+
+ public boolean isEnforceResponseSigned() {
+ return enforceResponseSigned;
+ }
+
+ /**
+ * Enforce whether a SAML Response must be signed.
+ */
+ public void setEnforceResponseSigned(boolean enforceResponseSigned) {
+ this.enforceResponseSigned = enforceResponseSigned;
+ }
}
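Review bot: The Javadoc on `setEnforceResponseSigned` says what the flag enforces but not its default or how it relates to the existing assertion-signing switch, which is the question a deployer will ask. Since the field is declared without an initializer earlier in this diff, the comment could read `/** Enforce that the SAML Response element itself is signed. Defaults to false; assertion signing is controlled separately by setEnforceAssertionsSigned. */`. The matching getter `isEnforceResponseSigned` has no Javadoc at all, unlike the setter.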
http://git-wip-us.apache.org/repos/asf/cxf/blob/ef06a563/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index 7b9a9c1..466f97f 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -22,6 +22,8 @@ package org.apache.cxf.rs.security.saml.sso;
import java.io.InputStream;
import java.io.StringReader;
import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.parsers.DocumentBuilder;
@@ -29,6 +31,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+<<<<<<< HEAD
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
@@ -42,25 +45,65 @@ import org.apache.ws.security.saml.ext.bean.ConditionsBean;
import org.apache.ws.security.saml.ext.bean.SubjectConfirmationDataBean;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.apache.ws.security.util.Loader;
+=======
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.crypto.Merlin;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
+import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSConfig;
+>>>>>>> a61db28... Adding more SAML SSO tests
import org.joda.time.DateTime;
+<<<<<<< HEAD
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
+=======
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
+import org.opensaml.xmlsec.signature.KeyInfo;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+>>>>>>> 3228637... Adding more SAML SSO tests
/**
* Some unit tests for the SAMLProtocolResponseValidator and the SAMLSSOResponseValidator
*/
public class CombinedValidatorTest extends org.junit.Assert {
+ private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+
static {
WSSConfig.init();
OpenSAMLUtil.initSamlEngine();
+ DOC_BUILDER_FACTORY.setNamespaceAware(true);
}
@org.junit.Test
public void testSuccessfulValidation() throws Exception {
- Element responseElement = createResponse();
+ DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
+ Document doc = docBuilder.newDocument();
+
+ Response response = createResponse(doc);
+
+ Element responseElement = OpenSAMLUtil.toDom(response, doc);
+ doc.appendChild(responseElement);
+ assertNotNull(responseElement);
+
Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement);
Crypto issuerCrypto = new Merlin();
@@ -96,7 +139,14 @@ public class CombinedValidatorTest extends org.junit.Assert {
@org.junit.Test
public void testWrappingAttack3() throws Exception {
- Element responseElement = createResponse();
+ DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
+ Document doc = docBuilder.newDocument();
+
+ Response response = createResponse(doc);
+
+ Element responseElement = OpenSAMLUtil.toDom(response, doc);
+ doc.appendChild(responseElement);
+ assertNotNull(responseElement);
// Get Assertion Element
Element assertionElement =
@@ -158,12 +208,98 @@ public class CombinedValidatorTest extends org.junit.Assert {
assertEquals("alice", parsedAssertion.getSaml2().getSubject().getNameID().getValue());
}
- private Element createResponse() throws Exception {
- DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
- docBuilderFactory.setNamespaceAware(true);
- DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+ @org.junit.Test
+ public void testSuccessfulSignedValidation() throws Exception {
+
+ DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
Document doc = docBuilder.newDocument();
+ Response response = createResponse(doc);
+
+ Crypto issuerCrypto = new Merlin();
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+ InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+ keyStore.load(input, "password".toCharArray());
+ ((Merlin)issuerCrypto).setKeyStore(keyStore);
+
+ signResponse(response, "alice", "password", issuerCrypto, true);
+
+ Element responseElement = OpenSAMLUtil.toDom(response, doc);
+ doc.appendChild(responseElement);
+ assertNotNull(responseElement);
+
+ Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement);
+
+ // Validate the Response
+ SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
+ validator.validateSamlResponse(
+ marshalledResponse, issuerCrypto, new KeystorePasswordCallback()
+ );
+
+ // Test SSO validation
+ SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+ ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+ ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+ ssoValidator.setClientAddress("http://apache.org");
+ ssoValidator.setRequestId("12345");
+ ssoValidator.setSpIdentifier("http://service.apache.org");
+
+ // Parse the response
+ SSOValidatorResponse ssoResponse =
+ ssoValidator.validateSamlResponse(marshalledResponse, false);
+ SamlAssertionWrapper parsedAssertion =
+ new SamlAssertionWrapper(ssoResponse.getAssertionElement());
+
+ assertEquals("alice", parsedAssertion.getSubjectName());
+ }
+
+ @org.junit.Test
+ public void testEnforceResponseSigned() throws Exception {
+
+ DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
+ Document doc = docBuilder.newDocument();
+
+ Response response = createResponse(doc);
+
+ Element responseElement = OpenSAMLUtil.toDom(response, doc);
+ doc.appendChild(responseElement);
+ assertNotNull(responseElement);
+
+ Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement);
+
+ Crypto issuerCrypto = new Merlin();
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+ InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+ keyStore.load(input, "password".toCharArray());
+ ((Merlin)issuerCrypto).setKeyStore(keyStore);
+
+ // Validate the Response
+ SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
+ validator.validateSamlResponse(
+ marshalledResponse, issuerCrypto, new KeystorePasswordCallback()
+ );
+
+ // Test SSO validation
+ SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+ ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+ ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+ ssoValidator.setClientAddress("http://apache.org");
+ ssoValidator.setRequestId("12345");
+ ssoValidator.setSpIdentifier("http://service.apache.org");
+ ssoValidator.setEnforceResponseSigned(true);
+
+ // Parse the response
+ try {
+ ssoValidator.validateSamlResponse(marshalledResponse, false);
+ fail("Failure expected on an unsigned Response");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
+ private Response createResponse(Document doc) throws Exception {
Status status =
SAML2PResponseComponentBuilder.createStatus(
SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
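Review bot: testSuccessfulSignedValidation signs the Response but never calls `ssoValidator.setEnforceResponseSigned(true)`, so the positive path of the new flag (signed Response accepted with enforcement on) is not exercised; only the negative path in testEnforceResponseSigned is. Adding `ssoValidator.setEnforceResponseSigned(true);` after `ssoValidator.setSpIdentifier("http://service.apache.org");` in that test would cover it. In both new tests the `InputStream input` returned by `Merlin.loadInputStream` is never closed after `keyStore.load`; closing it in a finally block keeps the tests from leaking a handle per run. The body of createResponse continues past the end of this hunk.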
@@ -172,6 +308,7 @@ public class CombinedValidatorTest extends org.junit.Assert {
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
+ response.setDestination("http://recipient.apache.org");
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
@@ -211,10 +348,62 @@ public class CombinedValidatorTest extends org.junit.Assert {
response.getAssertions().add(assertion.getSaml2());
- Element policyElement = OpenSAMLUtil.toDom(response, doc);
- doc.appendChild(policyElement);
- assertNotNull(policyElement);
-
- return policyElement;
+ return response;
+ }
+
+ private void signResponse(
+ Response response,
+ String issuerKeyName,
+ String issuerKeyPassword,
+ Crypto issuerCrypto,
+ boolean useKeyInfo
+ ) throws Exception {
+ //
+ // Create the signature
+ //
+ Signature signature = OpenSAMLUtil.buildSignature();
+ signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+
+ // prepare to sign the SAML token
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(issuerKeyName);
+ X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
+ if (issuerCerts == null) {
+ throw new Exception(
+ "No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
+ }
+
+ String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+ String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
+
+ if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+ sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
+ }
+
+ PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
+
+ signature.setSignatureAlgorithm(sigAlgo);
+
+ BasicX509Credential signingCredential =
+ new BasicX509Credential(issuerCerts[0], privateKey);
+ signature.setSigningCredential(signingCredential);
+
+ if (useKeyInfo) {
+ X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
+ kiFactory.setEmitEntityCertificate(true);
+
+ try {
+ KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
+ signature.setKeyInfo(keyInfo);
+ } catch (org.opensaml.security.SecurityException ex) {
+ throw new Exception("Error generating KeyInfo from signing credential", ex);
+ }
+ }
+
+ // add the signature to the assertion
+ SignableSAMLObject signableObject = (SignableSAMLObject) response;
+ signableObject.setSignature(signature);
+ signableObject.releaseDOM();
+ signableObject.releaseChildrenDOM(true);
}
}
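Review bot: signResponse guards `issuerCerts == null` but then indexes `issuerCerts[0]`, so an alias that resolves to an empty certificate array would fail with an ArrayIndexOutOfBoundsException instead of the descriptive exception; the guard should be `if (issuerCerts == null || issuerCerts.length == 0) {`. The helper also signs with `SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1`; for a newly written test it would be preferable to use `SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256` so the suite does not depend on a deprecated digest continuing to be accepted, assuming that constant is available in the OpenSAML version this branch builds against. The `"password"` literal passed for both the keystore and the key is test fixture data, but a short comment naming it as such at the call site would make that obvious to readers grepping for credentials.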
[4/4] cxf git commit: Fixing backmerge
Posted by co...@apache.org.
Fixing backmerge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6c2ab7d0
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6c2ab7d0
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6c2ab7d0
Branch: refs/heads/2.7.x-fixes
Commit: 6c2ab7d08840f21e265819c3fc5108ab4465439b
Parents: 01d5ea1
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 31 12:11:49 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 31 12:11:49 2015 +0100
----------------------------------------------------------------------
...AbstractRequestAssertionConsumerHandler.java | 11 --------
.../saml/sso/SAMLSSOResponseValidator.java | 2 +-
.../saml/sso/CombinedValidatorTest.java | 27 +++++---------------
3 files changed, 7 insertions(+), 33 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6c2ab7d0/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index 2c37543..ef8b0e1 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -65,11 +65,7 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
private boolean supportBase64Encoding = true;
private boolean enforceAssertionsSigned = true;
private boolean enforceKnownIssuer = true;
-<<<<<<< HEAD
-=======
- private boolean keyInfoMustBeAvailable = true;
private boolean enforceResponseSigned;
->>>>>>> a61db28... Adding more SAML SSO tests
private TokenReplayCache<String> replayCache;
private MessageContext messageContext;
@@ -340,12 +336,6 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
LOG.warning(errorMsg.toString());
}
-<<<<<<< HEAD
-=======
- public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
- this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
- }
-
public boolean isEnforceResponseSigned() {
return enforceResponseSigned;
}
@@ -356,5 +346,4 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
public void setEnforceResponseSigned(boolean enforceResponseSigned) {
this.enforceResponseSigned = enforceResponseSigned;
}
->>>>>>> a61db28... Adding more SAML SSO tests
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/6c2ab7d0/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 30bdcd8..d9234d9 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -94,7 +94,7 @@ public class SAMLSSOResponseValidator {
if (enforceResponseSigned && !samlResponse.isSigned()) {
LOG.fine("The Response must be signed!");
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
}
// Validate Assertions
http://git-wip-us.apache.org/repos/asf/cxf/blob/6c2ab7d0/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index dc2f167..e83cc27 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -31,11 +31,12 @@ import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-<<<<<<< HEAD
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.components.crypto.Merlin;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
@@ -45,23 +46,6 @@ import org.apache.ws.security.saml.ext.bean.ConditionsBean;
import org.apache.ws.security.saml.ext.bean.SubjectConfirmationDataBean;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.apache.ws.security.util.Loader;
-=======
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.CryptoType;
-import org.apache.wss4j.common.crypto.Merlin;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.saml.SAMLCallback;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
-import org.apache.wss4j.common.saml.bean.ConditionsBean;
-import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.apache.wss4j.common.util.Loader;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.WSSConfig;
->>>>>>> a61db28... Adding more SAML SSO tests
import org.joda.time.DateTime;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
@@ -242,10 +226,11 @@ public class CombinedValidatorTest extends org.junit.Assert {
// Parse the response
SSOValidatorResponse ssoResponse =
ssoValidator.validateSamlResponse(marshalledResponse, false);
- SamlAssertionWrapper parsedAssertion =
- new SamlAssertionWrapper(ssoResponse.getAssertionElement());
+ Document assertionDoc = StaxUtils.read(new StringReader(ssoResponse.getAssertion()));
+ AssertionWrapper parsedAssertion =
+ new AssertionWrapper(assertionDoc.getDocumentElement());
- assertEquals("alice", parsedAssertion.getSubjectName());
+ assertEquals("alice", parsedAssertion.getSaml2().getSubject().getNameID().getValue());
}
@org.junit.Test
[3/4] cxf git commit: Recording .gitmergeinfo Changes
Posted by co...@apache.org.
Recording .gitmergeinfo Changes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/01d5ea11
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/01d5ea11
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/01d5ea11
Branch: refs/heads/2.7.x-fixes
Commit: 01d5ea1133b6cb9b5f61804ea6f8ca0b8442c689
Parents: 4056b2e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 31 12:06:55 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 31 12:06:55 2015 +0100
----------------------------------------------------------------------
.gitmergeinfo | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/01d5ea11/.gitmergeinfo
----------------------------------------------------------------------
diff --git a/.gitmergeinfo b/.gitmergeinfo
index 684c192..f3204e9 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -1498,6 +1498,7 @@ B aa08a3348b0f282986270a55a731c4cf5dc0d4fe
B aa3834037a647154850de57a9fdacb1d7a44e219
B aa560f4b8a11f0acde05e41adac328f180f6257a
B aa87076da759533c750031e17a0a19393812a5a3
+B aa890da21a61f9beea80cf8d556fe06132f0b782
B aaa555d559dd9eff300953e8cbb5b5d32d19275e
B aab6216c1a32ce7f37792066b4dbbbe9ca04b90e
B aad0e65c08ca5f5a48d3a6c0afd865b3258df873
@@ -2740,11 +2741,13 @@ M a3f7f142a17da0d0fecd4fa039c07ba6e2496d49
M a40358aedb488fdf517955ead872d0f832625ec6
M a4903d384fff5d10d24400750522e07dd158970a
M a4a5b4fb19362f33b5b1255aff61d9edf51628a1
+M a4a6beac90ac6109eb2f6a2664e6376b0d1fb4f0
M a4d82fe2908471335bebd85a88728605aff15084
M a4e4ea126e7f68d4f7c5de02aad5eaab50ac2a96
M a5272604a833f7fb53514428ef04a3bc9a550e79
M a5b6a887d813d793a6b236162ff85211c35759ab
M a5d661351c3ccce427072d9000d6ed554a173abe
+M a61db289f87e448292f7ff0d0a3d25792dd4d42d
M a699418b5fe74314c804cc56097fa266e0b62b78
M a6a844461cfa3e611359b02ef6b35880243f2ee1
M a6eaa6b0ed6e2407a85d9314a7a05f10ce2de0d3
[2/4] cxf git commit: Fixing backmerge
Posted by co...@apache.org.
Fixing backmerge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4056b2e3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4056b2e3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4056b2e3
Branch: refs/heads/2.7.x-fixes
Commit: 4056b2e38c0d276788b6d81fe489270eafe10706
Parents: ef06a56
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 31 12:06:16 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 31 12:06:54 2015 +0100
----------------------------------------------------------------------
.../saml/sso/CombinedValidatorTest.java | 38 ++++++++++----------
1 file changed, 18 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/4056b2e3/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index 466f97f..dc2f167 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -63,21 +63,15 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSConfig;
>>>>>>> a61db28... Adding more SAML SSO tests
import org.joda.time.DateTime;
-<<<<<<< HEAD
+import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
-=======
-import org.opensaml.saml.common.SignableSAMLObject;
-import org.opensaml.saml.common.xml.SAMLConstants;
-import org.opensaml.saml.saml2.core.Response;
-import org.opensaml.saml.saml2.core.Status;
-import org.opensaml.security.x509.BasicX509Credential;
-import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
-import org.opensaml.xmlsec.signature.KeyInfo;
-import org.opensaml.xmlsec.signature.Signature;
-import org.opensaml.xmlsec.signature.support.SignatureConstants;
->>>>>>> 3228637... Adding more SAML SSO tests
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.KeyInfo;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
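Review bot: This hunk resolves the `<<<<<<< HEAD` / `>>>>>>> 3228637` conflict around the OpenSAML imports but leaves the `>>>>>>> a61db28... Adding more SAML SSO tests` marker standing as context two lines above `import org.joda.time.DateTime;`, together with the org.apache.wss4j.* imports above it, so CombinedValidatorTest.java still does not compile after this commit. Both conflict blocks should be resolved in the same commit so that every revision on the branch builds. The imports chosen here (org.opensaml.xml.*) are consistent with the OpenSAML 2 `org.opensaml.common` and `org.opensaml.saml2.core` imports kept as context.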
/**
* Some unit tests for the SAMLProtocolResponseValidator and the SAMLSSOResponseValidator
@@ -363,14 +357,15 @@ public class CombinedValidatorTest extends org.junit.Assert {
//
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
-
+
// prepare to sign the SAML token
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(issuerKeyName);
X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
if (issuerCerts == null) {
throw new Exception(
- "No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
+ "No issuer certs were found to sign the SAML Assertion using issuer name: "
+ + issuerKeyName);
}
String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
@@ -379,24 +374,27 @@ public class CombinedValidatorTest extends org.junit.Assert {
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
}
-
+
PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
signature.setSignatureAlgorithm(sigAlgo);
- BasicX509Credential signingCredential =
- new BasicX509Credential(issuerCerts[0], privateKey);
+ BasicX509Credential signingCredential = new BasicX509Credential();
+ signingCredential.setEntityCertificate(issuerCerts[0]);
+ signingCredential.setPrivateKey(privateKey);
+
signature.setSigningCredential(signingCredential);
if (useKeyInfo) {
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
kiFactory.setEmitEntityCertificate(true);
-
+
try {
KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
- } catch (org.opensaml.security.SecurityException ex) {
- throw new Exception("Error generating KeyInfo from signing credential", ex);
+ } catch (org.opensaml.xml.security.SecurityException ex) {
+ throw new Exception(
+ "Error generating KeyInfo from signing credential", ex);
}
}