Posted to commits@cxf.apache.org by co...@apache.org on 2018/01/19 10:18:36 UTC
[cxf] branch 3.1.x-fixes updated: CXF-7616 - Add support for (SAML)
IssuedToken policy validation
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.1.x-fixes by this push:
new 430430c CXF-7616 - Add support for (SAML) IssuedToken policy validation
430430c is described below
commit 430430cbb05cd4247a9b65e97ef7c671923d9390
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jan 18 14:53:14 2018 +0000
CXF-7616 - Add support for (SAML) IssuedToken policy validation
---
.../AbstractSupportingTokenPolicyValidator.java | 18 ++++++++++++++++++
.../ConcreteSupportingTokenPolicyValidator.java | 7 ++++++-
.../EncryptedTokenPolicyValidator.java | 7 ++++++-
.../EndorsingEncryptedTokenPolicyValidator.java | 7 ++++++-
.../EndorsingTokenPolicyValidator.java | 7 ++++++-
.../SignedEncryptedTokenPolicyValidator.java | 7 ++++++-
.../SignedEndorsingEncryptedTokenPolicyValidator.java | 7 ++++++-
.../SignedEndorsingTokenPolicyValidator.java | 7 ++++++-
.../policyvalidators/SignedTokenPolicyValidator.java | 7 ++++++-
.../org/apache/cxf/systest/sts/transport/DoubleIt.wsdl | 2 +-
.../cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl | 2 +-
11 files changed, 68 insertions(+), 10 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 6ef9efc..f88b263 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -67,6 +67,7 @@ import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
import org.apache.wss4j.policy.model.EncryptedElements;
import org.apache.wss4j.policy.model.EncryptedParts;
import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.RequiredElements;
import org.apache.wss4j.policy.model.SignedElements;
import org.apache.wss4j.policy.model.SignedParts;
@@ -900,4 +901,21 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
PolicyUtils.assertPolicy(aim, new QName(token.getName().getNamespaceURI(), derivedKeys.name()));
}
}
+
+ protected static boolean isSamlTokenRequiredForIssuedToken(IssuedToken issuedToken) {
+ Element template = issuedToken.getRequestSecurityTokenTemplate();
+ if (template != null) {
+ Element child = DOMUtils.getFirstElement(template);
+ while (child != null) {
+ if ("TokenType".equals(child.getLocalName())) {
+ String content = child.getTextContent();
+ return WSConstants.WSS_SAML_TOKEN_TYPE.equals(content)
+ || WSConstants.WSS_SAML2_TOKEN_TYPE.equals(content);
+ }
+ child = DOMUtils.getNextElement(child);
+ }
+ }
+ return false;
+ }
+
}
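Review bot: The match at `if ("TokenType".equals(child.getLocalName()))` keys on the local name only and returns on the first such child, so a TokenType element in any namespace decides the outcome, and the comparison runs on the raw text content; consider also checking `child.getNamespaceURI()` against the WS-Trust namespace the template is expected to use and comparing `content.trim()`, since a formatted WSDL can surround the URI with whitespace. The method has no Javadoc, yet its false result carries weight at every call site in this commit (the callers skip SAML token processing when it is false): add a Javadoc stating that it returns true only when the RequestSecurityTokenTemplate holds a TokenType naming the SAML 1.1 or SAML 2.0 token type, and false when the template is null or has no TokenType, in which case the IssuedToken is not validated by the supporting-token validators. The enclosing class AbstractSupportingTokenPolicyValidator starts outside the hunk.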
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
index 3a1c979..af5d511 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
@@ -96,7 +96,12 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
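Review bot: The new branch at `} else if (token instanceof IssuedToken) {` is repeated verbatim in the other seven validators touched by this commit (EncryptedToken, EndorsingEncryptedToken, EndorsingToken, SignedEncryptedToken, SignedEndorsingEncryptedToken, SignedEndorsingToken and SignedTokenPolicyValidator); a protected helper on the base class taking the same `parameters` and the cast `IssuedToken` and returning `!isSamlTokenRequiredForIssuedToken(issuedToken) || processSAMLTokens(parameters)` would reduce each branch to a single `if (!processIssuedToken(parameters, (IssuedToken) token)) { processingFailed = true; }`. Independently of that, when the template does not name a SAML token type the branch leaves processingFailed false without inspecting any received token, which is the same pass-through the removed `!(token instanceof IssuedToken)` condition gave every IssuedToken, so a comment such as `// Only SAML-typed IssuedTokens are validated here; other token types pass through unchecked` would make that explicit. The enclosing method starts before the hunk.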
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index 8e59d15..1abed71 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -104,7 +104,12 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
if (!processSAMLTokens(parameters)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index e1b5e96..6eb51f4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -113,7 +113,12 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
if (!processSAMLTokens(parameters)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index c6e109a..a5eb1f2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -102,7 +102,12 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
if (!processSAMLTokens(parameters)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index 51b2300..053e317 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -104,7 +104,12 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
if (!processSAMLTokens(parameters)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index 92bbb1f..dcaa03d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -113,7 +113,12 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index 7b65962..0ba2832 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -102,7 +102,12 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
index c04f4b6..6b4e7ce 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
@@ -94,7 +94,12 @@ public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyVal
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
- } else if (!(token instanceof IssuedToken)) {
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters)) {
+ processingFailed = true;
+ }
+ } else {
processingFailed = true;
}
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
index 4da85f5..69287c4 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
@@ -520,7 +520,7 @@
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
- <sp:RequireDerivedKeys/>
+ <!-- TODO <sp:RequireDerivedKeys/> -->
</wsp:Policy>
<sp:Issuer>
<wsaw:Address>http://localhost:8080/STS/STSUT
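Review bot: The replacement line `<!-- TODO <sp:RequireDerivedKeys/> -->` records neither why RequireDerivedKeys is switched off in this test policy nor what would allow it back, and the commit message does not mention it; the DoubleItSaml.wsdl hunk has the same gap, saying only `TODO re-enable`. Since the commit starts validating IssuedTokens as SAML tokens, it looks like derived-key handling for issued SAML tokens is what is not yet covered, but that is inferred, so the comment should give the actual reason and a reference, e.g. `<!-- TODO CXF-7616: re-enable <sp:RequireDerivedKeys/> once <reason> is handled -->`. Dropping the assertion also narrows what the system test exercises, which is worth stating in the commit message.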
diff --git a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl
index 70c2233..af0b2df 100644
--- a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl
@@ -643,7 +643,7 @@
<t:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</t:SignWith>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
- <sp:RequireDerivedKeys/>
+ <!-- TODO re-enable <sp:RequireDerivedKeys/> -->
<sp:RequireInternalReference/>
</wsp:Policy>
</sp:IssuedToken>