Posted to commits@cxf.apache.org by ow...@apache.org on 2013/10/28 21:39:11 UTC
svn commit: r1536509 - in /cxf/fediz/trunk:
examples/simpleWebapp/src/main/config/
examples/spring2Webapp/src/main/webapp/WEB-INF/
examples/springPreauthWebapp/src/main/config/
examples/springWebapp/src/main/webapp/WEB-INF/
examples/wsclientWebapp/weba...
Author: owulff
Date: Mon Oct 28 20:39:10 2013
New Revision: 1536509
URL: http://svn.apache.org/r1536509
Log:
PeerTrust configured for self-signed signer certificates
Modified:
cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml
cxf/fediz/trunk/examples/springPreauthWebapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml
cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
cxf/fediz/trunk/plugins/core/src/test/resources/fediz_meta_test_config.xml
cxf/fediz/trunk/plugins/core/src/test/resources/fediz_test_config.xml
cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml
cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml
cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml
Modified: cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -15,10 +15,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
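Review bot: The replacement `<issuer certificateValidation="PeerTrust" />` drops both the `subject` pattern and the `name`, so which issuers are trusted is no longer constrained by a DN match but solely by which certificates sit in the truststore referenced under `<certificateStores>`; the Java hunk in SamlAssertionValidator confirms a signer certificate found in that store is accepted outright when revocation checking is off. An example config that ships with the webapps should say this explicitly, since an operator who later adds an intermediate or unrelated certificate to the same store silently widens the trusted-issuer set. Suggested comment above the element: `<!-- PeerTrust: the signer certificate must itself be in the truststore above; every certificate in that store is accepted as an issuer, so keep it limited to STS signing certificates (subject/name are not evaluated for PeerTrust) -->`. The same change without a comment appears in the spring2Webapp, springPreauthWebapp, springWebapp and wsclientWebapp examples, in fediz_meta_test_config.xml and fediz_test_config.xml, and in the jetty8, spring and tomcat7 systest configs.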
Modified: cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -15,10 +15,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/examples/springPreauthWebapp/src/main/config/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springPreauthWebapp/src/main/config/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/springPreauthWebapp/src/main/config/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/springPreauthWebapp/src/main/config/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -15,10 +15,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -15,10 +15,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/config/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -15,10 +15,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java Mon Oct 28 20:39:10 2013
@@ -276,9 +276,19 @@ public class SamlAssertionValidator impl
//
boolean isInKeystore = isCertificateInKeyStore(crypto, cert);
if (!enableRevocation && isInKeystore) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "Certificate " + subjectString + " found in keystore"
+ );
+ }
return true;
}
if (!isInKeystore && signatureTrustType.equals(TRUST_TYPE.PEER_TRUST)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "Certificate " + subjectString + " not found in keystore"
+ );
+ }
return false;
}
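Review bot: The new `"Certificate " + subjectString + " not found in keystore"` message sits on the branch that rejects the signer under PEER_TRUST, yet it is emitted only at debug level, so a rejected token's cause is invisible in a default production log; the accepted-path message is fine at debug, but the rejection is the event a defender needs to see. Consider logging the rejection at a higher level, or at least including the trust type so the two messages can be told apart when both branches are in play, e.g. `LOG.debug("Certificate " + subjectString + " not found in keystore, rejected (PeerTrust)");`. The enclosing method starts and ends outside the hunk, so whether the caller logs the false return separately cannot be seen here.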
Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java (original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java Mon Oct 28 20:39:10 2013
@@ -596,8 +596,11 @@ public class FederationProcessorTest {
* Validate SAML 2 token which includes the role attribute with 2 values
* The configured subject of the trusted issuer doesn't match with
* the issuer of the SAML token
+ *
+ * Ignored because PeerTrust ignores subject attribute
*/
@org.junit.Test
+ @org.junit.Ignore
public void validateSAML2TokenUntrustedIssuer() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
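Review bot: Adding `@org.junit.Ignore` to validateSAML2TokenUntrustedIssuer removes the only visible test that an untrusted issuer is rejected, which is the property most affected by switching every config to PeerTrust. Rather than ignoring it, the test could be adapted to PeerTrust semantics by signing the assertion with a certificate that is not present in the configured truststore and asserting that processing fails, so the rejection path added in SamlAssertionValidator is exercised. If that is out of scope for this commit, the Javadoc line `Ignored because PeerTrust ignores subject attribute` should reference a follow-up so the gap is not permanent. The method body continues beyond the hunk.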
Modified: cxf/fediz/trunk/plugins/core/src/test/resources/fediz_meta_test_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/fediz_meta_test_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/resources/fediz_meta_test_config.xml (original)
+++ cxf/fediz/trunk/plugins/core/src/test/resources/fediz_meta_test_config.xml Mon Oct 28 20:39:10 2013
@@ -11,8 +11,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<signingKey keyAlias="mystskey" keyPassword="stskpass">
@@ -48,8 +47,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<signingKey keyPassword="stskpass">
@@ -84,8 +82,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/plugins/core/src/test/resources/fediz_test_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/fediz_test_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/resources/fediz_test_config.xml (original)
+++ cxf/fediz/trunk/plugins/core/src/test/resources/fediz_test_config.xml Mon Oct 28 20:39:10 2013
@@ -11,8 +11,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
@@ -48,8 +47,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
@@ -85,10 +83,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer2" />
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
@@ -119,8 +114,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
@@ -155,8 +149,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -186,8 +179,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
@@ -219,8 +211,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="FedizSTSIssuer" />
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<tokenDecryptionKey keyPassword="stskpass">
<keyStore file="stsstore.jks" password="stsspass" type="JKS" />
Modified: cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml (original)
+++ cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -14,10 +14,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -43,10 +40,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml (original)
+++ cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -14,10 +14,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -48,10 +45,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Modified: cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml?rev=1536509&r1=1536508&r2=1536509&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml (original)
+++ cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml Mon Oct 28 20:39:10 2013
@@ -14,10 +14,7 @@
</trustManager>
</certificateStores>
<trustedIssuers>
- <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
- name="DoubleItSTSIssuer" />
- <issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
- name="REALM A"/>
+ <issuer certificateValidation="PeerTrust" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"