Posted to commits@cxf.apache.org by jp...@apache.org on 2014/10/17 00:19:09 UTC
git commit: CXF-6054 add a property to allow unsigned saml tokens
Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes 7c8b9c566 -> 3b0d0d60c
CXF-6054 add a property to allow unsigned saml tokens
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3b0d0d60
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3b0d0d60
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3b0d0d60
Branch: refs/heads/2.7.x-fixes
Commit: 3b0d0d60c4db065a1baf60713b79fe2bbf870dd7
Parents: 7c8b9c5
Author: Jason Pell <jp...@apache.org>
Authored: Fri Oct 17 09:07:16 2014 +1100
Committer: Jason Pell <jp...@apache.org>
Committed: Fri Oct 17 09:07:16 2014 +1100
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 8 ++++++-
.../ws/security/wss4j/WSS4JInInterceptor.java | 11 +++++++--
.../ws/security/wss4j/saml/SamlTokenTest.java | 24 +++++++++++++++++---
3 files changed, 37 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/3b0d0d60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index ac7b4dd..f2f2201 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -168,6 +168,12 @@ public final class SecurityConstants {
public static final String SELF_SIGN_SAML_ASSERTION = "ws-security.self-sign-saml-assertion";
/**
+ * Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false.
+ */
+ public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL =
+ "ws-security.enable.unsigned-saml-assertion.principal";
+
+ /**
* Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and
* "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to
* not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
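Review bot: The Javadoc added at the top of the hunk says what the property does but not what accepting an unsigned assertion as the SecurityContext principal implies: an assertion with no issuer signature has not been cryptographically bound to any issuer, so the resulting principal is only as trustworthy as whatever else authenticates the sender. I would extend the comment with a sentence such as `* An unsigned assertion carries no issuer signature, so a principal derived from it is only as trustworthy as the other mechanisms (transport-level or message-level authentication) that vouch for the sender; leave this at its default unless such a mechanism is in place.` That keeps the decision visible to the deployer who reads the constant's documentation rather than the interceptor code.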
@@ -602,7 +608,7 @@ public final class SecurityConstants {
CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION,
KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
- KERBEROS_REQUEST_CREDENTIAL_DELEGATION
+ KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3b0d0d60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index ada29bc..e1c5b52 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -523,6 +523,10 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
results.add(0, rResult);
+ Boolean allowUnsignedSamlPrincipals =
+ MessageUtils.getContextualBoolean(msg,
+ SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, false);
+
for (int i = wsResult.size() - 1; i >= 0; i--) {
WSSecurityEngineResult o = wsResult.get(i);
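Review bot: `allowUnsignedSamlPrincipals` is declared as the boxed `Boolean` although `MessageUtils.getContextualBoolean` as far as I can tell returns a primitive boolean, so the value is boxed here and unboxed again on every iteration of the loop that follows; `final boolean allowUnsignedSamlPrincipals =` reads as intended and avoids the wrapper. Reading the flag once before the loop rather than per result is the right placement. The enclosing method starts and ends outside this hunk.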
@@ -533,10 +537,13 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
.getContextualBoolean(msg, SecurityConstants.SC_FROM_JAAS_SUBJECT, true);
final Object binarySecurity = o.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- // UsernameToken, Kerberos, Signed SAML token or XML Signature
+ final boolean isValidSamlToken = action == WSConstants.ST_SIGNED
+ || (allowUnsignedSamlPrincipals && action == WSConstants.ST_UNSIGNED);
+
+ // UsernameToken, Kerberos, SAML token or XML Signature
if (action == WSConstants.UT || action == WSConstants.UT_NOPASSWORD
|| (action == WSConstants.BST && binarySecurity instanceof KerberosSecurity)
- || action == WSConstants.ST_SIGNED || action == WSConstants.SIGN) {
+ || isValidSamlToken || action == WSConstants.SIGN) {
if (action == WSConstants.SIGN) {
// Check we have a public key / certificate for the signing case
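Review bot: `isValidSamlToken` is a misleading name for the flag introduced at the top of the hunk: an ST_UNSIGNED result means WSS4J parsed the assertion, but nothing has verified who issued it, so the flag really means "accepted as a source for the principal", not "validated". I would rename it to `isAcceptedSamlToken` and record the trust decision next to it, e.g. `// An unsigned assertion has no issuer signature; it is only accepted as the principal when the deployer opted in via ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL and relies on other means to authenticate the sender.` The updated comment "SAML token" on the if-statement likewise hides that the two cases have different trust properties. The enclosing method starts and ends outside this hunk.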
http://git-wip-us.apache.org/repos/asf/cxf/blob/3b0d0d60/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index aca3e98..d40636d 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -36,7 +36,6 @@ import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
-
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils.NullResolver;
@@ -54,7 +53,7 @@ import org.apache.cxf.ws.security.wss4j.AbstractSecurityTest;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.saml.AbstractSAMLCallbackHandler.Statement;
-
+import org.apache.ws.security.SAMLTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -79,7 +78,17 @@ public class SamlTokenTest extends AbstractSecurityTest {
* This test creates a SAML1 Assertion and sends it in the security header to the provider.
*/
@Test
- public void testSaml1Token() throws Exception {
+ public void testUnsignedSaml1Token() throws Exception {
+ assertNull(testSaml1Token(false));
+ }
+
+ @Test
+ public void testUnsignedSaml1TokenWithPrincipal() throws Exception {
+ SecurityContext ctx = testSaml1Token(true);
+ assertTrue(ctx.getUserPrincipal() instanceof SAMLTokenPrincipal);
+ }
+
+ private SecurityContext testSaml1Token(boolean allowUnsignedPrincipal) throws Exception {
Map<String, Object> outProperties = new HashMap<String, Object>();
outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
outProperties.put(WSHandlerConstants.SAML_PROP_FILE, "saml_sv.properties");
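Review bot: `testUnsignedSaml1TokenWithPrincipal` dereferences `ctx` without checking it, so if no SecurityContext is set the test dies with a NullPointerException instead of a meaningful assertion failure; add `assertNotNull(ctx);` before the `instanceof` check. The private helper is also named `testSaml1Token`, which reads like a test case; a name such as `runSaml1Token` would keep the `test` prefix for the annotated methods only. The helper's body continues beyond this hunk.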
@@ -88,7 +97,9 @@ public class SamlTokenTest extends AbstractSecurityTest {
"org.apache.cxf.ws.security.wss4j.saml.SAML1CallbackHandler"
);
+
Map<String, Object> inProperties = new HashMap<String, Object>();
+
inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
final Map<QName, Object> customMap = new HashMap<QName, Object>();
CustomSamlValidator validator = new CustomSamlValidator();
@@ -101,6 +112,11 @@ public class SamlTokenTest extends AbstractSecurityTest {
xpaths.add("//wsse:Security/saml1:Assertion");
Map<String, String> inMessageProperties = new HashMap<String, String>();
+
+ if (allowUnsignedPrincipal) {
+ inMessageProperties.put(SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, "true");
+ }
+
inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
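Review bot: The new `allowUnsignedPrincipal` branch is combined with the existing `VALIDATE_SAML_SUBJECT_CONFIRMATION` set to "false" on the next line, so the only scenario in this test that yields a principal is one where neither the issuer signature nor the subject confirmation is checked; the test therefore does not show what is expected to vouch for the assertion when the property is on. A short comment above the `if` would help the next reader, e.g. `// Subject confirmation is also disabled below, so this exercises the opt-in path only; it is not a model for a production configuration.` The enclosing helper starts and ends outside this hunk.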
@@ -113,6 +129,8 @@ public class SamlTokenTest extends AbstractSecurityTest {
(AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
assert !receivedAssertion.isSigned();
+
+ return message.get(SecurityContext.class);
}
/**