Posted to commits@cxf.apache.org by co...@apache.org on 2015/11/27 13:43:59 UTC
[1/3] cxf git commit: Allow setting the security context up with a
SAML 1.1 assertion
Repository: cxf
Updated Branches:
refs/heads/master 37ffe1288 -> cb5681f71
Allow setting the security context up with a SAML 1.1 assertion
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a3691487
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a3691487
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a3691487
Branch: refs/heads/master
Commit: a36914873fe13e05e27a9cffdd78d6c17a049686
Parents: 37ffe12
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 11:21:32 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 27 11:21:32 2015 +0000
----------------------------------------------------------------------
.../apache/cxf/rs/security/saml/SAMLUtils.java | 66 ++++++++++++++++----
1 file changed, 54 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a3691487/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index 60c755d..b9aa742 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -40,6 +40,11 @@ import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.saml.saml1.core.AttributeStatement;
+import org.opensaml.saml.saml1.core.AuthenticationStatement;
+import org.opensaml.saml.saml1.core.AuthorizationDecisionStatement;
+import org.opensaml.saml.saml1.core.NameIdentifier;
+import org.opensaml.saml.saml1.core.Statement;
import org.opensaml.saml.saml2.core.NameID;
public final class SAMLUtils {
@@ -51,18 +56,55 @@ public final class SAMLUtils {
}
public static Subject getSubject(Message message, SamlAssertionWrapper assertionW) {
- org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
- Subject subject = new Subject();
- NameID nameId = s.getNameID();
- subject.setNameQualifier(nameId.getNameQualifier());
- // if format is transient then we may need to use STSClient
- // to request an alternate name from IDP
- subject.setNameFormat(nameId.getFormat());
-
- subject.setName(nameId.getValue());
- subject.setSpId(nameId.getSPProvidedID());
- subject.setSpQualifier(nameId.getSPNameQualifier());
- return subject;
+ if (assertionW.getSaml2() != null) {
+ org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
+ Subject subject = new Subject();
+ NameID nameId = s.getNameID();
+ subject.setNameQualifier(nameId.getNameQualifier());
+ // if format is transient then we may need to use STSClient
+ // to request an alternate name from IDP
+ subject.setNameFormat(nameId.getFormat());
+
+ subject.setName(nameId.getValue());
+ subject.setSpId(nameId.getSPProvidedID());
+ subject.setSpQualifier(nameId.getSPNameQualifier());
+ return subject;
+ } else if (assertionW.getSaml1() != null) {
+ org.opensaml.saml.saml1.core.Subject s = getSaml1Subject(assertionW);
+ if (s != null) {
+ Subject subject = new Subject();
+ NameIdentifier nameId = s.getNameIdentifier();
+ subject.setNameQualifier(nameId.getNameQualifier());
+ // if format is transient then we may need to use STSClient
+ // to request an alternate name from IDP
+ subject.setNameFormat(nameId.getFormat());
+
+ subject.setName(nameId.getValue());
+ return subject;
+ }
+ }
+ return null;
+ }
+
+ private static org.opensaml.saml.saml1.core.Subject getSaml1Subject(SamlAssertionWrapper assertionW) {
+ for (Statement stmt : ((org.opensaml.saml.saml1.core.Assertion)assertionW.getSaml1()).getStatements()) {
+ org.opensaml.saml.saml1.core.Subject samlSubject = null;
+ if (stmt instanceof AttributeStatement) {
+ AttributeStatement attrStmt = (AttributeStatement) stmt;
+ samlSubject = attrStmt.getSubject();
+ } else if (stmt instanceof AuthenticationStatement) {
+ AuthenticationStatement authStmt = (AuthenticationStatement) stmt;
+ samlSubject = authStmt.getSubject();
+ } else {
+ AuthorizationDecisionStatement authzStmt =
+ (AuthorizationDecisionStatement)stmt;
+ samlSubject = authzStmt.getSubject();
+ }
+ if (samlSubject != null) {
+ return samlSubject;
+ }
+ }
+ return null;
}
public static SamlAssertionWrapper createAssertion(Message message) throws Fault {
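Review bot: In the new SAML 1.1 branch of `getSubject`, `s.getNameIdentifier()` is dereferenced on the next line without a null check, although a SAML 1.1 Subject may carry only a SubjectConfirmation and no NameIdentifier; guard it with `if (nameId == null) { return null; }` (the retained SAML 2.0 branch has the same pre-existing gap on `s` and `nameId`). In `getSaml1Subject`, the final `else` casts every remaining Statement to AuthorizationDecisionStatement, so a statement of any other type surfaces as a ClassCastException instead of a clean "no subject" result; the three subject-bearing SAML 1.1 statement types all extend `SubjectStatement`, so the chain can become `if (stmt instanceof SubjectStatement) { samlSubject = ((SubjectStatement) stmt).getSubject(); }`. Taking the subject from whichever statement appears first also means an AttributeStatement or AuthorizationDecisionStatement can supply the security-context identity even when an AuthenticationStatement is present; a comment stating that this is intended, or preferring the AuthenticationStatement's subject, would make the choice explicit. `getSubject` now returns null when neither version is present or no subject is found, which callers outside this hunk presumably did not have to handle before and should be checked for.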
[3/3] cxf git commit: Avoid a bug that a bearer subject conf is not
enforced if the subject conf list is not empty
Posted by co...@apache.org.
Avoid a bug that a bearer subject conf is not enforced if the subject conf list is not empty
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cb5681f7
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cb5681f7
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cb5681f7
Branch: refs/heads/master
Commit: cb5681f71eb562b9d437fd637a0de8b3b35793c2
Parents: d4e1d30
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 12:04:48 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 27 12:04:48 2015 +0000
----------------------------------------------------------------------
.../rs/security/oauth2/saml/SamlOAuthValidator.java | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/cb5681f7/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index 5a87fd4..48830b0 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -124,17 +124,18 @@ public class SamlOAuthValidator {
private boolean validateAuthenticationSubject(Message m,
Conditions cs,
org.opensaml.saml.saml2.core.Subject subject) {
- if (subject.getSubjectConfirmations() == null) {
- return false;
- }
// We need to find a Bearer Subject Confirmation method
- for (SubjectConfirmation subjectConf : subject.getSubjectConfirmations()) {
- if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
- validateSubjectConfirmation(m, cs, subjectConf.getSubjectConfirmationData());
+ boolean bearerSubjectConfFound = false;
+ if (subject.getSubjectConfirmations() != null) {
+ for (SubjectConfirmation subjectConf : subject.getSubjectConfirmations()) {
+ if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
+ validateSubjectConfirmation(m, cs, subjectConf.getSubjectConfirmationData());
+ bearerSubjectConfFound = true;
+ }
}
}
- return true;
+ return bearerSubjectConfFound;
}
/**
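Review bot: `bearerSubjectConfFound = true` is set on the line after the `validateSubjectConfirmation(...)` call regardless of that call's outcome, so the new return value only proves that a bearer confirmation was present and inspected; this is fail-closed only if `validateSubjectConfirmation` signals an invalid confirmation by throwing, which is not visible in this hunk. If it reports failure through a return value instead, the flag should be derived from that result rather than set unconditionally. Either way a comment on the flag would make the contract clear, e.g. `// validateSubjectConfirmation throws on an invalid bearer confirmation; false here means no bearer confirmation was present at all`. Whether the caller of `validateAuthenticationSubject` rejects the assertion on a false return is also outside this hunk.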
[2/3] cxf git commit: Explicitly disallow SAML 1.1 in OAuth
Posted by co...@apache.org.
Explicitly disallow SAML 1.1 in OAuth
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d4e1d302
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d4e1d302
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d4e1d302
Branch: refs/heads/master
Commit: d4e1d302493f5ae1603fa71d1e17ee78fe40b212
Parents: a369148
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 11:25:08 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 27 11:25:08 2015 +0000
----------------------------------------------------------------------
.../cxf/rs/security/oauth2/saml/SamlOAuthValidator.java | 7 +++++++
1 file changed, 7 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d4e1d302/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index ffb8719..5a87fd4 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -62,6 +62,7 @@ public class SamlOAuthValidator {
}
public void validate(Message message, SamlAssertionWrapper wrapper) {
+ validateSAMLVersion(wrapper);
Conditions cs = wrapper.getSaml2().getConditions();
validateAudience(message, cs);
@@ -79,6 +80,12 @@ public class SamlOAuthValidator {
}
}
+ private void validateSAMLVersion(SamlAssertionWrapper assertionW) {
+ if (assertionW.getSaml2() == null) {
+ throw ExceptionUtils.toNotAuthorizedException(null, null);
+ }
+ }
+
private String getIssuer(SamlAssertionWrapper assertionW) {
Issuer samlIssuer = assertionW.getSaml2().getIssuer();
return samlIssuer == null ? null : samlIssuer.getValue();
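Review bot: `validateSAMLVersion` has no Javadoc saying why non-SAML-2.0 assertions are rejected, and `ExceptionUtils.toNotAuthorizedException(null, null)` carries no cause, so a rejected SAML 1.1 assertion leaves nothing to distinguish a version mismatch from any other authorization failure during troubleshooting; add a Javadoc such as "Rejects any assertion that is not SAML 2.0; every later check in this validator (conditions, audience, bearer subject confirmation) assumes a SAML 2.0 assertion" and consider logging the reason at a suitable level before throwing. `getIssuer` in this hunk still calls `assertionW.getSaml2().getIssuer()` unconditionally, which is only safe if every caller reaches it after `validate` has run; that ordering is not visible here. The body of `validate` continues beyond the first hunk of this file.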