Posted to commits@cxf.apache.org by co...@apache.org on 2017/02/13 11:36:33 UTC
[17/18] cxf-fediz git commit: Whitespace cleanup
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index 076f861..0cb71f5 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -56,9 +56,9 @@ import static org.apache.cxf.fediz.core.FedizConstants.SCHEMA_INSTANCE_NS;
import static org.apache.cxf.fediz.core.FedizConstants.WS_ADDRESSING_NS;
public class MetadataWriter {
-
+
private static final Logger LOG = LoggerFactory.getLogger(MetadataWriter.class);
-
+
private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
//CHECKSTYLE:OFF
@@ -77,14 +77,14 @@ public class MetadataWriter {
String referenceID = IDGenerator.generateID("_");
writer.writeStartElement("md", "EntityDescriptor", SAML2_METADATA_NS);
writer.writeAttribute("ID", referenceID);
-
+
String serviceURL = protocol.getApplicationServiceURL();
if (serviceURL == null) {
serviceURL = extractFullContextPath(request);
}
-
+
writer.writeAttribute("entityID", serviceURL);
-
+
writer.writeNamespace("md", SAML2_METADATA_NS);
writer.writeNamespace("fed", WS_FEDERATION_NS);
writer.writeNamespace("wsa", WS_ADDRESSING_NS);
@@ -96,11 +96,11 @@ public class MetadataWriter {
} else if (protocol instanceof SAMLProtocol) {
writeSAMLMetadata(writer, request, config, serviceURL);
}
-
+
writer.writeEndElement(); // EntityDescriptor
writer.writeEndDocument();
-
+
streamWriter.flush();
bout.flush();
//
@@ -124,7 +124,7 @@ public class MetadataWriter {
if (hasSigningKey) {
Document doc = DOMUtils.readXml(is);
Document result = SignatureUtils.signMetaInfo(
- config.getSigningKey().getCrypto(), config.getSigningKey().getKeyAlias(), config.getSigningKey().getKeyPassword(),
+ config.getSigningKey().getCrypto(), config.getSigningKey().getKeyAlias(), config.getSigningKey().getKeyPassword(),
doc, referenceID);
if (result != null) {
return result;
@@ -144,7 +144,7 @@ public class MetadataWriter {
}
private void writeFederationMetadata(
- XMLStreamWriter writer,
+ XMLStreamWriter writer,
FedizContext config,
String serviceURL
) throws XMLStreamException {
@@ -158,7 +158,7 @@ public class MetadataWriter {
writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
writer.writeCharacters(serviceURL);
-
+
writer.writeEndElement(); // Address
writer.writeEndElement(); // EndpointReference
writer.writeEndElement(); // ApplicationServiceEndpoint
@@ -214,24 +214,24 @@ public class MetadataWriter {
writer.writeEndElement(); // PassiveRequestorEndpoint
writer.writeEndElement(); // RoleDescriptor
}
-
+
private void writeSAMLMetadata(
- XMLStreamWriter writer,
+ XMLStreamWriter writer,
HttpServletRequest request,
FedizContext config,
String serviceURL
) throws Exception {
-
+
SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
-
+
writer.writeStartElement("md", "SPSSODescriptor", SAML2_METADATA_NS);
writer.writeAttribute("AuthnRequestsSigned", Boolean.toString(protocol.isSignRequest()));
writer.writeAttribute("WantAssertionsSigned", "true");
writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
-
+
if (config.getLogoutURL() != null) {
writer.writeStartElement("md", "SingleLogoutService", SAML2_METADATA_NS);
-
+
String logoutURL = config.getLogoutURL();
if (logoutURL.startsWith("/")) {
logoutURL = extractFullContextPath(request).concat(logoutURL.substring(1));
@@ -239,39 +239,39 @@ public class MetadataWriter {
logoutURL = extractFullContextPath(request).concat(logoutURL);
}
writer.writeAttribute("Location", logoutURL);
-
+
writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
writer.writeEndElement(); // SingleLogoutService
}
-
+
writer.writeStartElement("md", "AssertionConsumerService", SAML2_METADATA_NS);
writer.writeAttribute("Location", serviceURL);
writer.writeAttribute("index", "0");
writer.writeAttribute("isDefault", "true");
writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
writer.writeEndElement(); // AssertionConsumerService
-
+
if (protocol.getClaimTypesRequested() != null && !protocol.getClaimTypesRequested().isEmpty()) {
writer.writeStartElement("md", "AttributeConsumingService", SAML2_METADATA_NS);
writer.writeAttribute("index", "0");
-
+
writer.writeStartElement("md", "ServiceName", SAML2_METADATA_NS);
writer.writeAttribute("xml:lang", "en");
writer.writeCharacters(config.getName());
writer.writeEndElement(); // ServiceName
-
+
for (Claim claim : protocol.getClaimTypesRequested()) {
writer.writeStartElement("md", "RequestedAttribute", SAML2_METADATA_NS);
writer.writeAttribute("isRequired", Boolean.toString(claim.isOptional()));
writer.writeAttribute("Name", claim.getType());
- writer.writeAttribute("NameFormat",
+ writer.writeAttribute("NameFormat",
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
writer.writeEndElement(); // RequestedAttribute
}
-
+
writer.writeEndElement(); // AttributeConsumingService
}
-
+
boolean hasSigningKey = false;
try {
if (config.getSigningKey().getCrypto() != null) {
@@ -283,7 +283,7 @@ public class MetadataWriter {
if (protocol.isSignRequest() && hasSigningKey) {
writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
writer.writeAttribute("use", "signing");
-
+
writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
@@ -294,23 +294,23 @@ public class MetadataWriter {
if (keyAlias == null || "".equals(keyAlias)) {
keyAlias = config.getSigningKey().getCrypto().getDefaultX509Identifier();
}
- X509Certificate cert =
+ X509Certificate cert =
CertsUtils.getX509CertificateFromCrypto(config.getSigningKey().getCrypto(), keyAlias);
if (cert == null) {
throw new ProcessingException(
- "No signing certs were found to insert into the metadata using name: "
+ "No signing certs were found to insert into the metadata using name: "
+ keyAlias);
}
byte data[] = cert.getEncoded();
String encodedCertificate = Base64.encode(data);
writer.writeCharacters(encodedCertificate);
-
+
writer.writeEndElement(); // X509Certificate
writer.writeEndElement(); // X509Data
writer.writeEndElement(); // KeyInfo
writer.writeEndElement(); // KeyDescriptor
}
-
+
writer.writeEndElement(); // SPSSODescriptor
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
index fa7e49d..cad8c60 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
@@ -38,7 +38,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public abstract class AbstractFedizProcessor implements FedizProcessor {
-
+
private static final Logger LOG = LoggerFactory.getLogger(AbstractFedizProcessor.class);
protected String resolveIssuer(HttpServletRequest request, FedizContext config) throws IOException,
@@ -74,8 +74,8 @@ public abstract class AbstractFedizProcessor implements FedizProcessor {
}
return wtRealm;
}
-
- protected void testForReplayAttack(String tokenId, FedizContext config, Date expires)
+
+ protected void testForReplayAttack(String tokenId, FedizContext config, Date expires)
throws ProcessingException {
// Check whether token already used for signin
if (tokenId != null && config.isDetectReplayedTokens()) {
@@ -118,5 +118,5 @@ public abstract class AbstractFedizProcessor implements FedizProcessor {
}
return result;
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 0066c11..cc03440 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -155,7 +155,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
el = DOMUtils.getNextElement(el);
}
-
+
if (LOG.isDebugEnabled()) {
if (rst != null) {
LOG.debug("RST: {}", DOM2Writer.nodeToString(rst));
@@ -165,7 +165,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
}
LOG.debug("Tokentype: {}", tt);
-
+
if (rst == null) {
LOG.warn("RequestedSecurityToken element not found in wresult");
throw new ProcessingException(TYPE.BAD_REQUEST);
@@ -209,8 +209,8 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
testForMandatoryClaims(((FederationProtocol)config.getProtocol()).getRoleURI(),
- ((FederationProtocol)config.getProtocol()).getClaimTypesRequested(),
- validatorResponse.getClaims(),
+ ((FederationProtocol)config.getProtocol()).getClaimTypesRequested(),
+ validatorResponse.getClaims(),
validatorResponse.getRoles() != null && !validatorResponse.getRoles().isEmpty());
Date created = validatorResponse.getCreated();
@@ -510,7 +510,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
if (logoutRedirectToConstraint == null) {
LOG.debug("No regular expression constraint configured for logout. Ignoring wreply parameter");
} else {
- Matcher matcher =
+ Matcher matcher =
logoutRedirectToConstraint.matcher(request.getParameter(FederationConstants.PARAM_REPLY));
if (matcher.matches()) {
logoutRedirectTo = request.getParameter(FederationConstants.PARAM_REPLY);
@@ -520,11 +520,11 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
}
}
-
+
if (logoutRedirectTo == null || logoutRedirectTo.isEmpty()) {
logoutRedirectTo = config.getLogoutRedirectTo();
}
-
+
if (logoutRedirectTo != null && !logoutRedirectTo.isEmpty()) {
if (logoutRedirectTo.startsWith("/")) {
logoutRedirectTo = extractFullContextPath(request).concat(logoutRedirectTo.substring(1));
@@ -536,7 +536,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
sb.append(URLEncoder.encode(logoutRedirectTo, "UTF-8"));
}
-
+
String signOutQuery = resolveSignOutQuery(request, config);
LOG.debug("SignIn Query: {}", signOutQuery);
@@ -544,7 +544,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
if (signOutQuery != null && signOutQuery.length() > 0) {
sb.append('&').append(signOutQuery);
}
-
+
redirectURL = redirectURL + "?" + sb.toString();
} catch (Exception ex) {
LOG.error("Failed to create SignInRequest", ex);
@@ -585,7 +585,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
return signInQuery;
}
-
+
private String resolveSignOutQuery(HttpServletRequest request, FedizContext config) throws IOException,
UnsupportedCallbackException, UnsupportedEncodingException {
Object signOutQueryObj = ((FederationProtocol)config.getProtocol()).getSignOutQuery();
@@ -662,7 +662,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
LOG.debug("Users home realm will be set to {}", homeRealm);
return homeRealm;
}
-
+
private String resolveHomeRealm(Object cbh, HttpServletRequest request) {
if (cbh instanceof CallbackHandler) {
CallbackHandler hrCBH = (CallbackHandler)cbh;
@@ -716,7 +716,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
return wReq;
}
-
+
private String resolveReply(HttpServletRequest request, FedizContext config) throws IOException,
UnsupportedCallbackException {
Object replyObj = ((FederationProtocol)config.getProtocol()).getReply();
@@ -735,9 +735,9 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
return reply;
}
-
+
private void testForMandatoryClaims(String roleURI,
- List<org.apache.cxf.fediz.core.config.Claim> requestedClaims,
+ List<org.apache.cxf.fediz.core.config.Claim> requestedClaims,
List<org.apache.cxf.fediz.core.Claim> receivedClaims,
boolean foundRoles
) throws ProcessingException {
@@ -752,7 +752,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
}
if (!found && foundRoles && roleURI != null && roleURI.equals(requestedClaim.getType())) {
- // Maybe the requested claim is a role, which has already been removed
+ // Maybe the requested claim is a role, which has already been removed
// from the claims collection
found = true;
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
index 846ebf8..0e7ea7b 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessor.java
@@ -32,7 +32,7 @@ public interface FedizProcessor {
FedizResponse processRequest(
FedizRequest request, FedizContext config
) throws ProcessingException;
-
+
RedirectionResponse createSignInRequest(
HttpServletRequest request, FedizContext config
) throws ProcessingException;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessorFactory.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessorFactory.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessorFactory.java
index ebc441e..eb8ecb3 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessorFactory.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizProcessorFactory.java
@@ -27,7 +27,7 @@ import org.apache.cxf.fediz.core.config.SAMLProtocol;
* A Factory to return FedizProcessor instances depending on the Protocol
*/
public final class FedizProcessorFactory {
-
+
private FedizProcessorFactory() {
// complete
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
index e71c0cb..4b07a57 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
@@ -30,7 +30,7 @@ import org.apache.cxf.fediz.core.RequestState;
public class FedizRequest implements Serializable {
private static final long serialVersionUID = 1L;
-
+
private String action;
private String responseToken;
private String freshness;
@@ -88,5 +88,5 @@ public class FedizRequest implements Serializable {
public void setRequestState(RequestState requestState) {
this.requestState = requestState;
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
index 255765d..0c0ae33 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizResponse.java
@@ -31,7 +31,7 @@ import org.apache.cxf.fediz.core.Claim;
public class FedizResponse implements Serializable {
private static final long serialVersionUID = 1L;
-
+
private String audience;
private String username;
private List<String> roles;
@@ -51,7 +51,7 @@ public class FedizResponse implements Serializable {
private Date tokenExpires;
//CHECKSTYLE:OFF
- public FedizResponse(String username, String issuer, List<String> roles, List<Claim> claims, String audience,
+ public FedizResponse(String username, String issuer, List<String> roles, List<Claim> claims, String audience,
Date created, Date expires, Element token, String uniqueTokenId) {
this.username = username;
this.issuer = issuer;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/RedirectionResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/RedirectionResponse.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/RedirectionResponse.java
index 96589a0..91ded34 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/RedirectionResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/RedirectionResponse.java
@@ -31,23 +31,23 @@ import org.apache.cxf.fediz.core.RequestState;
public class RedirectionResponse implements Serializable {
private static final long serialVersionUID = 3182350165552249151L;
-
+
private String redirectionURL;
private Map<String, String> headers = new HashMap<>();
private RequestState requestState;
-
+
public String getRedirectionURL() {
return redirectionURL;
}
-
+
public void setRedirectionURL(String redirectionURL) {
this.redirectionURL = redirectionURL;
}
-
+
public Map<String, String> getHeaders() {
return headers;
}
-
+
public void addHeader(String headerName, String headerValue) {
headers.put(headerName, headerValue);
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 6fb50fa..6233c60 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -69,7 +69,7 @@ import org.slf4j.LoggerFactory;
public class SAMLProcessorImpl extends AbstractFedizProcessor {
private static final Logger LOG = LoggerFactory.getLogger(SAMLProcessorImpl.class);
-
+
static {
OpenSAMLUtil.initSamlEngine();
}
@@ -85,25 +85,25 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
public FedizResponse processRequest(FedizRequest request,
FedizContext config)
throws ProcessingException {
-
+
if (!(config.getProtocol() instanceof SAMLProtocol)) {
LOG.error("Unsupported protocol");
throw new IllegalStateException("Unsupported protocol");
}
-
+
if (request.getResponseToken() == null || request.getState() == null) {
LOG.error("Missing response token or RelayState parameters");
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
-
+
return processSignInRequest(request, config);
}
-
+
public Document getMetaData(HttpServletRequest request, FedizContext config) throws ProcessingException {
return new MetadataWriter().getMetaData(request, config);
}
-
+
private RequestState processRelayState(
String relayState, RequestState requestState
) throws ProcessingException {
@@ -117,14 +117,14 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
}
return requestState;
}
-
+
protected FedizResponse processSignInRequest(
FedizRequest request, FedizContext config)
throws ProcessingException {
SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
- RequestState requestState =
+ RequestState requestState =
processRelayState(request.getState(), request.getRequestState());
-
+
InputStream tokenStream = null;
try {
byte[] deflatedToken = Base64.decode(request.getResponseToken());
@@ -138,7 +138,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
} catch (Base64DecodingException e) {
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
-
+
Document doc = null;
Element el = null;
try {
@@ -149,9 +149,9 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
LOG.warn("Failed to parse token: " + e.getMessage());
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
-
+
LOG.debug("Received response: " + DOM2Writer.nodeToString(el));
-
+
XMLObject responseObject = null;
try {
responseObject = OpenSAMLUtil.fromDom(el);
@@ -162,31 +162,31 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
if (!(responseObject instanceof org.opensaml.saml.saml2.core.Response)) {
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
-
+
// Validate the Response
validateSamlResponseProtocol((org.opensaml.saml.saml2.core.Response)responseObject, config);
-
- SSOValidatorResponse ssoValidatorResponse =
- validateSamlSSOResponse((org.opensaml.saml.saml2.core.Response)responseObject,
+
+ SSOValidatorResponse ssoValidatorResponse =
+ validateSamlSSOResponse((org.opensaml.saml.saml2.core.Response)responseObject,
request.getRequest(), requestState, config);
-
+
// Validate the internal assertion(s)
TokenValidatorResponse validatorResponse = null;
- List<Element> assertions =
+ List<Element> assertions =
DOMUtils.getChildrenWithName(el, SAMLConstants.SAML20_NS, "Assertion");
-
+
if (assertions.isEmpty()) {
LOG.debug("No Assertion extracted from SAML Response");
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
Element token = assertions.get(0);
-
+
List<TokenValidator> validators = protocol.getTokenValidators();
for (TokenValidator validator : validators) {
boolean canHandle = validator.canHandleToken(token);
if (canHandle) {
try {
- TokenValidatorRequest validatorRequest =
+ TokenValidatorRequest validatorRequest =
new TokenValidatorRequest(token, request.getCerts());
validatorResponse = validator.validateAndProcessToken(validatorRequest, config);
} catch (ProcessingException ex) {
@@ -201,19 +201,19 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
throw new ProcessingException(TYPE.BAD_REQUEST);
}
}
-
+
if (validatorResponse == null) {
LOG.warn("No token validation response was available");
throw new ProcessingException(TYPE.BAD_REQUEST);
}
-
+
// Check whether token already used for signin
Date expires = validatorResponse.getExpires();
if (expires == null) {
expires = ssoValidatorResponse.getSessionNotOnOrAfter();
}
testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
-
+
FedizResponse fedResponse = new FedizResponse(
validatorResponse.getUsername(), validatorResponse.getIssuer(),
validatorResponse.getRoles(), validatorResponse.getClaims(),
@@ -225,10 +225,10 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
return fedResponse;
}
-
+
/**
* Validate the received SAML Response as per the protocol
- * @throws ProcessingException
+ * @throws ProcessingException
*/
protected void validateSamlResponseProtocol(
org.opensaml.saml.saml2.core.Response samlResponse,
@@ -242,10 +242,10 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
}
-
+
/**
* Validate the received SAML Response as per the Web SSO profile
- * @throws ProcessingException
+ * @throws ProcessingException
*/
protected SSOValidatorResponse validateSamlSSOResponse(
org.opensaml.saml.saml2.core.Response samlResponse,
@@ -258,8 +258,8 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
String requestURL = request.getRequestURL().toString();
ssoResponseValidator.setAssertionConsumerURL(requestURL);
ssoResponseValidator.setClientAddress(request.getRemoteAddr());
-
- boolean doNotEnforceKnownIssuer =
+
+ boolean doNotEnforceKnownIssuer =
((SAMLProtocol)config.getProtocol()).isDoNotEnforceKnownIssuer();
ssoResponseValidator.setEnforceKnownIssuer(!doNotEnforceKnownIssuer);
@@ -286,32 +286,32 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
LOG.error("Unsupported protocol");
throw new IllegalStateException("Unsupported protocol");
}
-
+
String issuerURL = resolveIssuer(request, config);
LOG.info("Issuer url: " + issuerURL);
if (issuerURL != null && issuerURL.length() > 0) {
redirectURL = issuerURL;
}
-
- SAMLPRequestBuilder samlpRequestBuilder =
+
+ SAMLPRequestBuilder samlpRequestBuilder =
((SAMLProtocol)config.getProtocol()).getSAMLPRequestBuilder();
-
+
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
-
+
// Create the AuthnRequest
String requestURL = request.getRequestURL().toString();
String realm = resolveWTRealm(request, config);
- AuthnRequest authnRequest =
+ AuthnRequest authnRequest =
samlpRequestBuilder.createAuthnRequest(realm, requestURL);
-
+
if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
authnRequest.setDestination(redirectURL);
}
-
+
Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
-
+
String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
RequestState requestState = new RequestState();
requestState.setTargetAddress(requestURL);
@@ -321,34 +321,34 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
requestState.setWebAppContext(authnRequest.getIssuer().getValue());
requestState.setState(relayState);
requestState.setCreatedAt(System.currentTimeMillis());
-
- String urlEncodedRequest =
+
+ String urlEncodedRequest =
URLEncoder.encode(authnRequestEncoded, "UTF-8");
-
+
StringBuilder sb = new StringBuilder();
sb.append(SAMLSSOConstants.SAML_REQUEST).append('=').append(urlEncodedRequest);
sb.append("&" + SAMLSSOConstants.RELAY_STATE).append('=').append(relayState);
-
+
if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
String signature = signRequest(config, sb);
sb.append("&" + SAMLSSOConstants.SIGNATURE).append('=').append(signature);
}
-
+
RedirectionResponse response = new RedirectionResponse();
response.addHeader("Cache-Control", "no-cache, no-store");
response.addHeader("Pragma", "no-cache");
response.setRequestState(requestState);
-
+
redirectURL = redirectURL + "?" + sb.toString();
response.setRedirectionURL(redirectURL);
-
+
return response;
} catch (Exception ex) {
LOG.error("Failed to create SignInRequest", ex);
throw new ProcessingException("Failed to create SignInRequest");
}
}
-
+
/**
* Sign a request according to the redirect binding spec for Web SSO
*/
@@ -371,14 +371,14 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
LOG.debug("No signature password available");
throw new ProcessingException("Failed to Sign Request");
}
-
+
// Get the private key
PrivateKey privateKey = crypto.getPrivateKey(signatureUser, signaturePassword);
if (privateKey == null) {
LOG.debug("No private key available");
throw new ProcessingException("Failed to Sign Request");
}
-
+
String sigAlgo = WSConstants.RSA_SHA1;
String jceSigAlgo = "SHA1withRSA";
LOG.debug("automatic sig algo detection: " + privateKey.getAlgorithm());
@@ -387,22 +387,22 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
jceSigAlgo = "SHA1withDSA";
}
LOG.debug("Using Signature algorithm " + sigAlgo);
-
+
// Sign the request
Signature signature = Signature.getInstance(jceSigAlgo);
signature.initSign(privateKey);
-
+
sb.append("&" + SAMLSSOConstants.SIG_ALG).append('=').append(URLEncoder.encode(sigAlgo, "UTF-8"));
String requestToSign = sb.toString();
signature.update(requestToSign.getBytes("UTF-8"));
byte[] signBytes = signature.sign();
-
+
String encodedSignature = Base64.encode(signBytes);
-
+
return URLEncoder.encode(encodedSignature, "UTF-8");
}
-
+
protected String encodeAuthnRequest(Element authnRequest) throws IOException {
String requestMessage = DOM2Writer.nodeToString(authnRequest);
@@ -412,11 +412,11 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
}
@Override
- public RedirectionResponse createSignOutRequest(HttpServletRequest request,
+ public RedirectionResponse createSignOutRequest(HttpServletRequest request,
SamlAssertionWrapper token,
FedizContext config)
throws ProcessingException {
-
+
String redirectURL = null;
try {
if (!(config.getProtocol() instanceof SAMLProtocol)) {
@@ -436,52 +436,52 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
LOG.debug("No issuerLogoutURL or issuer parameter specified for logout");
throw new ProcessingException("Failed to create SignOutRequest");
}
-
- SAMLPRequestBuilder samlpRequestBuilder =
+
+ SAMLPRequestBuilder samlpRequestBuilder =
((SAMLProtocol)config.getProtocol()).getSAMLPRequestBuilder();
-
+
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
-
+
// Create the LogoutRequest
String realm = resolveWTRealm(request, config);
String reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
- LogoutRequest logoutRequest =
+ LogoutRequest logoutRequest =
samlpRequestBuilder.createLogoutRequest(realm, reason, token);
-
+
if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
logoutRequest.setDestination(redirectURL);
}
-
+
Element logoutRequestElement = OpenSAMLUtil.toDom(logoutRequest, doc);
String logoutRequestEncoded = encodeAuthnRequest(logoutRequestElement);
-
+
String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
-
- String urlEncodedRequest =
+
+ String urlEncodedRequest =
URLEncoder.encode(logoutRequestEncoded, "UTF-8");
StringBuilder sb = new StringBuilder();
sb.append(SAMLSSOConstants.SAML_REQUEST).append('=').append(urlEncodedRequest);
sb.append("&" + SAMLSSOConstants.RELAY_STATE).append('=').append(relayState);
-
+
if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
String signature = signRequest(config, sb);
sb.append("&" + SAMLSSOConstants.SIGNATURE).append('=').append(signature);
}
-
+
RedirectionResponse response = new RedirectionResponse();
response.addHeader("Cache-Control", "no-cache, no-store");
response.addHeader("Pragma", "no-cache");
-
+
redirectURL = redirectURL + "?" + sb.toString();
response.setRedirectionURL(redirectURL);
-
+
return response;
} catch (Exception ex) {
LOG.error("Failed to create SignOutRequest", ex);
throw new ProcessingException("Failed to create SignOutRequest");
}
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
index a5757ef..c27f34b 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
@@ -38,25 +38,25 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * This class verifies trust in a signature..
+ * This class verifies trust in a signature..
*/
public class FedizSignatureTrustValidator implements Validator {
-
+
private static final Logger LOG = LoggerFactory.getLogger(FedizSignatureTrustValidator.class);
-
+
public enum TrustType { CHAIN_TRUST, CHAIN_TRUST_CONSTRAINTS, PEER_TRUST }
-
+
/**
* Defines the kind of trust which is required
*/
private TrustType signatureTrustType = TrustType.CHAIN_TRUST;
-
+
/**
* a collection of compiled regular expression patterns for the subject DN
*/
private Collection<Pattern> subjectDNPatterns = new ArrayList<>();
-
-
+
+
/**
* Set the kind of trust. The default is CHAIN_TRUST.
*/
@@ -74,12 +74,12 @@ public class FedizSignatureTrustValidator implements Validator {
subjectDNPatterns.addAll(constraints);
}
}
-
+
/**
* Validate the credential argument. It must contain either some Certificates or a PublicKey.
- *
+ *
* A Crypto and a CallbackHandler implementation is required to be set.
- *
+ *
* @param credential the Credential to be validated
* @param data the RequestData associated with the request
* @throws WSSecurityException on a failed validation
@@ -90,12 +90,12 @@ public class FedizSignatureTrustValidator implements Validator {
&& credential.getPublicKey() == null)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
}
-
+
verifyTrust(credential, data);
-
+
return credential;
}
-
+
/**
* Verify trust in the credential.
* @param credential the Credential to be validated
@@ -113,7 +113,7 @@ public class FedizSignatureTrustValidator implements Validator {
if (crypto == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
}
-
+
if (certs != null && certs.length > 0) {
validateCertificates(certs);
verifyTrustInCerts(certs, crypto, data, data.isRevocationEnabled());
@@ -143,7 +143,7 @@ public class FedizSignatureTrustValidator implements Validator {
* Validate the certificates by checking the validity of each cert
* @throws WSSecurityException
*/
- protected void validateCertificates(X509Certificate[] certificates)
+ protected void validateCertificates(X509Certificate[] certificates)
throws WSSecurityException {
try {
for (int i = 0; i < certificates.length; i++) {
@@ -159,10 +159,10 @@ public class FedizSignatureTrustValidator implements Validator {
);
}
}
-
+
/**
* Evaluate whether the given certificate chain should be trusted.
- *
+ *
* @param certificates the certificate chain that should be validated against the keystore
* @param crypto A Crypto instance
* @param data A RequestData instance
@@ -170,13 +170,13 @@ public class FedizSignatureTrustValidator implements Validator {
* @throws WSSecurityException if the certificate chain is not trusted
*/
protected void verifyTrustInCerts(
- X509Certificate[] certificates,
+ X509Certificate[] certificates,
Crypto crypto,
RequestData data,
boolean enableRevocation
) throws WSSecurityException {
//
- // Use the validation method from the crypto to check whether the subjects'
+ // Use the validation method from the crypto to check whether the subjects'
// certificate was really signed by the issuer stated in the certificate
//
crypto.verifyTrust(certificates, enableRevocation, null);
@@ -187,16 +187,16 @@ public class FedizSignatureTrustValidator implements Validator {
);
}
}
-
+
/**
* Validate a public key
* @throws WSSecurityException
*/
- protected void validatePublicKey(PublicKey publicKey, Crypto crypto)
+ protected void validatePublicKey(PublicKey publicKey, Crypto crypto)
throws WSSecurityException {
crypto.verifyTrust(publicKey);
}
-
+
/**
* @return true if the certificate's SubjectDN matches the constraints
* defined in the subject DNConstraints; false, otherwise. The
@@ -224,5 +224,5 @@ public class FedizSignatureTrustValidator implements Validator {
return true;
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index 7f4eb66..a629d8a 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -67,7 +67,7 @@ import org.slf4j.LoggerFactory;
public class SAMLTokenValidator implements TokenValidator {
private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenValidator.class);
-
+
@Override
public boolean canHandleTokenType(String tokenType) {
@@ -80,12 +80,12 @@ public class SAMLTokenValidator implements TokenValidator {
String ns = token.getNamespaceURI();
return WSConstants.SAML2_NS.equals(ns) || WSConstants.SAML_NS.equals(ns);
}
-
+
public TokenValidatorResponse validateAndProcessToken(TokenValidatorRequest request,
FedizContext config) throws ProcessingException {
Element token = request.getToken();
- try {
+ try {
RequestData requestData = new RequestData();
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
@@ -102,16 +102,16 @@ public class SAMLTokenValidator implements TokenValidator {
WSDocInfo docInfo = new WSDocInfo(token.getOwnerDocument());
Signature sig = assertion.getSignature();
KeyInfo keyInfo = sig.getKeyInfo();
- SAMLKeyInfo samlKeyInfo =
+ SAMLKeyInfo samlKeyInfo =
org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromKeyInfo(
- keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo),
+ keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo),
requestData.getSigVerCrypto()
);
assertion.verifySignature(samlKeyInfo);
-
+
// Parse the subject if it exists
assertion.parseSubject(
- new WSSSAMLKeyInfoProcessor(requestData, docInfo), requestData.getSigVerCrypto(),
+ new WSSSAMLKeyInfoProcessor(requestData, docInfo), requestData.getSigVerCrypto(),
requestData.getCallbackHandler()
);
@@ -123,10 +123,10 @@ public class SAMLTokenValidator implements TokenValidator {
SamlAssertionValidator trustValidator = new SamlAssertionValidator();
trustValidator.setFutureTTL(config.getMaximumClockSkew().intValue());
-
+
boolean trusted = false;
String assertionIssuer = assertion.getIssuerString();
-
+
List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
for (TrustedIssuer ti : trustedIssuers) {
Pattern subjectConstraint = ti.getCompiledSubject();
@@ -134,14 +134,14 @@ public class SAMLTokenValidator implements TokenValidator {
if (subjectConstraint != null) {
subjectConstraints.add(subjectConstraint);
}
-
+
if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
trustValidator.setSubjectConstraints(subjectConstraints);
trustValidator.setSignatureTrustType(TrustType.CHAIN_TRUST_CONSTRAINTS);
} else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) {
trustValidator.setSignatureTrustType(TrustType.PEER_TRUST);
} else {
- throw new IllegalStateException("Unsupported certificate validation method: "
+ throw new IllegalStateException("Unsupported certificate validation method: "
+ ti.getCertificateValidationMethod());
}
try {
@@ -159,7 +159,7 @@ public class SAMLTokenValidator implements TokenValidator {
if (trusted) {
break;
}
-
+
} catch (Exception ex) {
if (LOG.isInfoEnabled()) {
LOG.info("Issuer '" + assertionIssuer + "' doesn't match trusted issuer '" + ti.getName()
@@ -167,7 +167,7 @@ public class SAMLTokenValidator implements TokenValidator {
}
}
}
-
+
if (!trusted) {
// Condition already checked in SamlAssertionValidator
// Minor performance impact on untrusted and expired tokens
@@ -179,7 +179,7 @@ public class SAMLTokenValidator implements TokenValidator {
throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
}
}
-
+
// Now check for HolderOfKey requirements
if (!SAMLUtil.checkHolderOfKey(assertion, request.getCerts())) {
LOG.warn("Assertion fails holder-of-key requirements");
@@ -198,9 +198,9 @@ public class SAMLTokenValidator implements TokenValidator {
} else {
claims = Collections.emptyList();
}
-
+
List<String> roles = parseRoles(config, claims);
-
+
SAMLTokenPrincipal p = new SAMLTokenPrincipalImpl(assertion);
TokenValidatorResponse response = new TokenValidatorResponse(
@@ -208,7 +208,7 @@ public class SAMLTokenValidator implements TokenValidator {
new ClaimCollection(claims), audience);
response.setExpires(getExpires(assertion));
response.setCreated(getCreated(assertion));
-
+
return response;
} catch (WSSecurityException ex) {
@@ -216,7 +216,7 @@ public class SAMLTokenValidator implements TokenValidator {
throw new ProcessingException(TYPE.TOKEN_INVALID);
}
}
-
+
protected List<String> parseRoles(FedizContext config, List<Claim> claims) {
List<String> roles = null;
Protocol protocol = config.getProtocol();
@@ -245,7 +245,7 @@ public class SAMLTokenValidator implements TokenValidator {
}
}
}
-
+
return roles;
}
@@ -332,7 +332,7 @@ public class SAMLTokenValidator implements TokenValidator {
LOG.debug("parsing attribute: " + attribute.getName());
}
Claim c = new Claim();
- // Workaround for CXF-4484
+ // Workaround for CXF-4484
// Value of Attribute Name not fully qualified
// if NameFormat is http://schemas.xmlsoap.org/ws/2005/05/identity/claims
// but ClaimType value must be fully qualified as Namespace attribute goes away
@@ -344,7 +344,7 @@ public class SAMLTokenValidator implements TokenValidator {
c.setClaimType(URI.create(attribute.getName()));
}
c.setIssuer(assertion.getIssuer().getNameQualifier());
-
+
List<String> valueList = new ArrayList<>();
for (XMLObject attributeValue : attribute.getAttributeValues()) {
Element attributeValueElement = attributeValue.getDOM();
@@ -392,7 +392,7 @@ public class SAMLTokenValidator implements TokenValidator {
claimsMap.put(c.getClaimType().toString(), c);
}
}
-
+
protected List<String> parseRoles(String value, String delim) {
List<String> roles = new ArrayList<>();
StringTokenizer st = new StringTokenizer(value, delim);
@@ -429,7 +429,7 @@ public class SAMLTokenValidator implements TokenValidator {
}
-
+
private Date getExpires(SamlAssertionWrapper assertion) {
DateTime validTill = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
@@ -437,13 +437,13 @@ public class SAMLTokenValidator implements TokenValidator {
} else {
validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
}
-
+
if (validTill == null) {
return null;
}
return validTill.toDate();
}
-
+
private Date getCreated(SamlAssertionWrapper assertion) {
DateTime validFrom = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
@@ -451,13 +451,13 @@ public class SAMLTokenValidator implements TokenValidator {
} else {
validFrom = assertion.getSaml1().getConditions().getNotBefore();
}
-
+
if (validFrom == null) {
return null;
}
return validFrom.toDate();
}
-
+
/**
* Check the Conditions of the Assertion.
*/
@@ -473,7 +473,7 @@ public class SAMLTokenValidator implements TokenValidator {
validFrom = assertion.getSaml1().getConditions().getNotBefore();
validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
}
-
+
if (validFrom != null) {
DateTime currentTime = new DateTime();
currentTime = currentTime.plusSeconds(maxClockSkew);
@@ -489,6 +489,6 @@ public class SAMLTokenValidator implements TokenValidator {
}
return true;
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
index c534bc8..d7609d9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
@@ -32,14 +32,14 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
* Some SAML Utility methods
*/
public final class SAMLUtil {
-
+
private SAMLUtil() {
// complete
}
/**
* Check the holder-of-key requirements against the received assertion. The subject
- * credential of the SAML Assertion must match a client certificate credential when
+ * credential of the SAML Assertion must match a client certificate credential when
* 2-way TLS is used.
* @param assertionWrapper the SAML Assertion wrapper object
* @param tlsCerts The client certificates
@@ -80,7 +80,7 @@ public final class SAMLUtil {
//
// Try to match the TLS certs
//
- if (subjectCerts != null && subjectCerts.length > 0
+ if (subjectCerts != null && subjectCerts.length > 0
&& tlsCerts[0].equals(subjectCerts[0])) {
return true;
} else if (subjectPublicKey != null
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
index 1dd6b01..20ede29 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
@@ -36,14 +36,14 @@ import org.apache.wss4j.dom.validate.Credential;
* constraints.
*/
public class SamlAssertionValidator extends org.apache.wss4j.dom.validate.SamlAssertionValidator {
-
+
private TrustType signatureTrustType = TrustType.CHAIN_TRUST;
-
+
/**
* a collection of compiled regular expression patterns for the subject DN
*/
private Collection<Pattern> subjectDNPatterns = new ArrayList<>();
-
+
/**
* Set a list of Strings corresponding to regular expression constraints on
* the subject DN of a certificate
@@ -54,7 +54,7 @@ public class SamlAssertionValidator extends org.apache.wss4j.dom.validate.SamlAs
subjectDNPatterns.addAll(constraints);
}
}
-
+
/**
* Set the kind of trust. The default is CHAIN_TRUST.
*/
@@ -79,13 +79,13 @@ public class SamlAssertionValidator extends org.apache.wss4j.dom.validate.SamlAs
SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
credential.setPublicKey(samlKeyInfo.getPublicKey());
credential.setCertificates(samlKeyInfo.getCerts());
-
+
FedizSignatureTrustValidator trustValidator = new FedizSignatureTrustValidator();
trustValidator.setSignatureTrustType(signatureTrustType);
trustValidator.setSubjectConstraints(subjectDNPatterns);
-
+
return trustValidator.validate(credential, data);
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/CompressionUtils.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/CompressionUtils.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/CompressionUtils.java
index eb6a413..696d54c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/CompressionUtils.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/CompressionUtils.java
@@ -27,17 +27,17 @@ import java.util.zip.Inflater;
public final class CompressionUtils {
private CompressionUtils() {
-
+
}
- public static InputStream inflate(byte[] deflatedToken)
+ public static InputStream inflate(byte[] deflatedToken)
throws DataFormatException {
return inflate(deflatedToken, true);
}
- public static InputStream inflate(byte[] deflatedToken, boolean nowrap)
+ public static InputStream inflate(byte[] deflatedToken, boolean nowrap)
throws DataFormatException {
Inflater inflater = new Inflater(nowrap);
inflater.setInput(deflatedToken);
-
+
byte[] input = new byte[deflatedToken.length * 2];
int inflatedLen = 0;
int inputLen = 0;
@@ -45,7 +45,7 @@ public final class CompressionUtils {
while (!inflater.finished()) {
inputLen = inflater.inflate(input);
if (!inflater.finished()) {
-
+
if (inputLen == 0) {
if (inflater.needsInput()) {
throw new DataFormatException("Inflater can not inflate all the token bytes");
@@ -53,7 +53,7 @@ public final class CompressionUtils {
break;
}
}
-
+
inflatedToken = new byte[input.length + inflatedLen];
System.arraycopy(input, 0, inflatedToken, inflatedLen, inputLen);
inflatedLen += inputLen;
@@ -66,21 +66,21 @@ public final class CompressionUtils {
}
return is;
}
-
+
public static byte[] deflate(byte[] tokenBytes) {
return deflate(tokenBytes, true);
}
-
+
public static byte[] deflate(byte[] tokenBytes, boolean nowrap) {
Deflater compresser = new Deflater(Deflater.DEFLATED, nowrap);
-
+
compresser.setInput(tokenBytes);
compresser.finish();
-
+
byte[] output = new byte[tokenBytes.length * 2];
-
+
int compressedDataLength = compresser.deflate(output);
-
+
byte[] result = new byte[compressedDataLength];
System.arraycopy(output, 0, result, 0, compressedDataLength);
return result;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
index 3e61592..f34a491 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java
@@ -40,11 +40,11 @@ import org.opensaml.saml.saml2.core.RequestedAuthnContext;
* Protocol AuthnRequest and LogoutRequest
*/
public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
-
+
private boolean forceAuthn;
private boolean isPassive;
private String protocolBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
-
+
/**
* Create a SAML 2.0 Protocol AuthnRequest
*/
@@ -54,12 +54,12 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
) throws Exception {
Issuer issuer =
SamlpRequestComponentBuilder.createIssuer(issuerId);
-
+
NameIDPolicy nameIDPolicy =
SamlpRequestComponentBuilder.createNameIDPolicy(
true, "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", issuerId
);
-
+
AuthnContextClassRef authnCtxClassRef =
SamlpRequestComponentBuilder.createAuthnCtxClassRef(
"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
@@ -69,19 +69,19 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
AuthnContextComparisonTypeEnumeration.EXACT,
Collections.singletonList(authnCtxClassRef), null
);
-
+
//CHECKSTYLE:OFF
return SamlpRequestComponentBuilder.createAuthnRequest(
- assertionConsumerServiceAddress,
- forceAuthn,
+ assertionConsumerServiceAddress,
+ forceAuthn,
isPassive,
- protocolBinding,
+ protocolBinding,
SAMLVersion.VERSION_20,
- issuer,
- nameIDPolicy,
+ issuer,
+ nameIDPolicy,
authnCtx
);
-
+
}
public boolean isForceAuthn() {
@@ -116,24 +116,24 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
) throws Exception {
Issuer issuer =
SamlpRequestComponentBuilder.createIssuer(issuerId);
-
+
NameID nameID = null;
List<String> sessionIndices = new ArrayList<>();
-
+
if (authenticatedAssertion != null) {
if (authenticatedAssertion.getSaml2() != null) {
- org.opensaml.saml.saml2.core.Subject subject =
+ org.opensaml.saml.saml2.core.Subject subject =
authenticatedAssertion.getSaml2().getSubject();
if (subject != null && subject.getNameID() != null) {
nameID = subject.getNameID();
}
}
-
+
if (nameID != null) {
nameID.detach();
}
-
- List<AuthnStatement> authnStatements =
+
+ List<AuthnStatement> authnStatements =
authenticatedAssertion.getSaml2().getAuthnStatements();
if (authnStatements != null && !authnStatements.isEmpty()) {
for (AuthnStatement authnStatement : authnStatements) {
@@ -143,7 +143,7 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
}
}
}
-
+
//CHECKSTYLE:OFF
return SamlpRequestComponentBuilder.createLogoutRequest(
issuer,
@@ -152,5 +152,5 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder {
sessionIndices
);
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
index 597cc0d..4cbc275 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java
@@ -27,7 +27,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
* This interface defines a methods to create a SAML 2.0 Protocol AuthnRequest and LogoutRequest.
*/
public interface SAMLPRequestBuilder {
-
+
/**
* Create a SAML 2.0 Protocol AuthnRequest
*/
@@ -35,7 +35,7 @@ public interface SAMLPRequestBuilder {
String issuerId,
String assertionConsumerServiceAddress
) throws Exception;
-
+
/**
* Create a SAML 2.0 Protocol LogoutRequest
*/
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
index d25ab1d..9f2c038 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
@@ -49,19 +49,19 @@ import org.slf4j.LoggerFactory;
/**
* Validate a SAML (1.1 or 2.0) Protocol Response. It validates the Response against the specs,
- * the signature of the Response (if it exists), and any internal Assertion stored in the Response
+ * the signature of the Response (if it exists), and any internal Assertion stored in the Response
* - including any signature. It validates the status code of the Response as well.
*/
public class SAMLProtocolResponseValidator {
-
- public static final String SAML2_STATUSCODE_SUCCESS =
+
+ public static final String SAML2_STATUSCODE_SUCCESS =
"urn:oasis:names:tc:SAML:2.0:status:Success";
public static final String SAML1_STATUSCODE_SUCCESS = "Success";
-
+
private static final Logger LOG = LoggerFactory.getLogger(SAMLProtocolResponseValidator.class);
-
+
// private Validator signatureValidator = new SignatureTrustValidator();
-
+
/**
* Validate a SAML 2 Protocol Response
* @param samlResponse
@@ -84,10 +84,10 @@ public class SAMLProtocolResponseValidator {
);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
validateResponseSignature(samlResponse, config);
}
-
+
/**
* Validate a SAML 1.1 Protocol Response
* @param samlResponse
@@ -115,7 +115,7 @@ public class SAMLProtocolResponseValidator {
validateResponseSignature(samlResponse, config);
}
-
+
/**
* Validate the Response signature (if it exists)
*/
@@ -126,12 +126,12 @@ public class SAMLProtocolResponseValidator {
if (!samlResponse.isSigned()) {
return;
}
-
+
validateResponseSignature(
samlResponse.getSignature(), samlResponse.getDOM().getOwnerDocument(), config
);
}
-
+
/**
* Validate the Response signature (if it exists)
*/
@@ -142,32 +142,32 @@ public class SAMLProtocolResponseValidator {
if (!samlResponse.isSigned()) {
return;
}
-
+
validateResponseSignature(
samlResponse.getSignature(), samlResponse.getDOM().getOwnerDocument(), config
);
}
-
+
/**
* Validate the response signature
*/
private void validateResponseSignature(
- Signature signature,
+ Signature signature,
Document doc,
FedizContext config
) throws WSSecurityException {
RequestData requestData = new RequestData();
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
-
+
SAMLKeyInfo samlKeyInfo = null;
-
+
KeyInfo keyInfo = signature.getKeyInfo();
if (keyInfo != null) {
try {
- samlKeyInfo =
+ samlKeyInfo =
SAMLUtil.getCredentialFromKeyInfo(
- keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)),
+ keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)),
requestData.getSigVerCrypto()
);
} catch (WSSecurityException ex) {
@@ -179,7 +179,7 @@ public class SAMLProtocolResponseValidator {
LOG.debug("No KeyInfo supplied in the SAMLResponse signature");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// Validate Signature against profiles
validateSignatureAgainstProfiles(signature, samlKeyInfo);
@@ -189,9 +189,9 @@ public class SAMLProtocolResponseValidator {
trustCredential.setCertificates(samlKeyInfo.getCerts());
FedizSignatureTrustValidator trustValidator = new FedizSignatureTrustValidator();
-
+
boolean trusted = false;
-
+
List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
for (TrustedIssuer ti : trustedIssuers) {
Pattern subjectConstraint = ti.getCompiledSubject();
@@ -199,14 +199,14 @@ public class SAMLProtocolResponseValidator {
if (subjectConstraint != null) {
subjectConstraints.add(subjectConstraint);
}
-
+
if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
trustValidator.setSubjectConstraints(subjectConstraints);
trustValidator.setSignatureTrustType(TrustType.CHAIN_TRUST_CONSTRAINTS);
} else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) {
trustValidator.setSignatureTrustType(TrustType.PEER_TRUST);
} else {
- throw new IllegalStateException("Unsupported certificate validation method: "
+ throw new IllegalStateException("Unsupported certificate validation method: "
+ ti.getCertificateValidationMethod());
}
try {
@@ -224,24 +224,24 @@ public class SAMLProtocolResponseValidator {
if (trusted) {
break;
}
-
+
} catch (Exception ex) {
LOG.info("Error in validating signature on SAML Response: " + ex.getMessage(), ex);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
-
+
if (!trusted) {
LOG.warn("SAML Response is not trusted");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
}
-
+
/**
* Validate a signature against the profiles
*/
private void validateSignatureAgainstProfiles(
- Signature signature,
+ Signature signature,
SAMLKeyInfo samlKeyInfo
) throws WSSecurityException {
// Validate Signature against profiles
@@ -269,5 +269,5 @@ public class SAMLProtocolResponseValidator {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 1365a32..1541b89 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -37,9 +37,9 @@ import org.slf4j.LoggerFactory;
* should be validated by the SAMLProtocolResponseValidator first.
*/
public class SAMLSSOResponseValidator {
-
+
private static final Logger LOG = LoggerFactory.getLogger(SAMLSSOResponseValidator.class);
-
+
private String issuerIDP;
private String assertionConsumerURL;
private String clientAddress;
@@ -49,7 +49,7 @@ public class SAMLSSOResponseValidator {
private boolean enforceAssertionsSigned = true;
private boolean enforceKnownIssuer = true;
private ReplayCache replayCache;
-
+
/**
* Enforce that Assertions contained in the Response must be signed (if the Response itself is not
* signed). The default is true.
@@ -57,14 +57,14 @@ public class SAMLSSOResponseValidator {
public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
this.enforceAssertionsSigned = enforceAssertionsSigned;
}
-
+
/**
* Enforce that the Issuer of the received Response/Assertion is known. The default is true.
*/
public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
this.enforceKnownIssuer = enforceKnownIssuer;
}
-
+
/**
* Validate a SAML 2 Protocol Response
* @param samlResponse
@@ -84,7 +84,7 @@ public class SAMLSSOResponseValidator {
LOG.debug("The Response must contain at least one Assertion");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// The Response must contain a Destination that matches the assertionConsumerURL if it is
// signed
String destination = samlResponse.getDestination();
@@ -93,12 +93,12 @@ public class SAMLSSOResponseValidator {
LOG.debug("The Response must contain a destination that matches the assertion consumer URL");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
if (enforceResponseSigned && !samlResponse.isSigned()) {
LOG.debug("The Response must be signed!");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// Validate Assertions
org.opensaml.saml.saml2.core.Assertion validAssertion = null;
Date sessionNotOnOrAfter = null;
@@ -109,12 +109,12 @@ public class SAMLSSOResponseValidator {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
validateIssuer(assertion.getIssuer());
-
+
if (!samlResponse.isSigned() && enforceAssertionsSigned && assertion.getSignature() == null) {
LOG.debug("The enclosed assertions in the SAML Response must be signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// Check for AuthnStatements and validate the Subject accordingly
if (assertion.getAuthnStatements() != null
&& !assertion.getAuthnStatements().isEmpty()) {
@@ -130,27 +130,27 @@ public class SAMLSSOResponseValidator {
}
}
}
-
+
}
-
+
if (validAssertion == null) {
LOG.debug("The Response did not contain any Authentication Statement that matched "
+ "the Subject Confirmation criteria");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
-
+
Element assertionElement = validAssertion.getDOM();
Element clonedAssertionElement = (Element)assertionElement.cloneNode(true);
validatorResponse.setAssertionElement(clonedAssertionElement);
validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement));
-
+
return validatorResponse;
}
-
+
/**
* Validate the Issuer (if it exists)
*/
@@ -158,23 +158,23 @@ public class SAMLSSOResponseValidator {
if (issuer == null) {
return;
}
-
+
// Issuer value must match (be contained in) Issuer IDP
if (enforceKnownIssuer && !issuerIDP.startsWith(issuer.getValue())) {
- LOG.debug("Issuer value: " + issuer.getValue() + " does not match issuer IDP: "
+ LOG.debug("Issuer value: " + issuer.getValue() + " does not match issuer IDP: "
+ issuerIDP);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// Format must be nameid-format-entity
if (issuer.getFormat() != null
&& !SAML2Constants.NAMEID_FORMAT_ENTITY.equals(issuer.getFormat())) {
- LOG.debug("Issuer format is not null and does not equal: "
+ LOG.debug("Issuer format is not null and does not equal: "
+ SAML2Constants.NAMEID_FORMAT_ENTITY);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
-
+
/**
* Validate the Subject (of an Authentication Statement).
*/
@@ -184,20 +184,20 @@ public class SAMLSSOResponseValidator {
if (subject.getSubjectConfirmations() == null) {
return false;
}
-
+
boolean foundBearerSubjectConf = false;
// We need to find a Bearer Subject Confirmation method
- for (org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf
+ for (org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf
: subject.getSubjectConfirmations()) {
if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
foundBearerSubjectConf = true;
validateSubjectConfirmation(subjectConf.getSubjectConfirmationData(), id, postBinding);
}
}
-
+
return foundBearerSubjectConf;
}
-
+
/**
* Validate a (Bearer) Subject Confirmation
*/
@@ -208,7 +208,7 @@ public class SAMLSSOResponseValidator {
LOG.debug("Subject Confirmation Data of a Bearer Subject Confirmation is null");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// Recipient must match assertion consumer URL
String recipient = subjectConfData.getRecipient();
if (recipient == null || !recipient.equals(assertionConsumerURL)) {
@@ -216,14 +216,14 @@ public class SAMLSSOResponseValidator {
+ assertionConsumerURL);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// We must have a NotOnOrAfter timestamp
if (subjectConfData.getNotOnOrAfter() == null
|| subjectConfData.getNotOnOrAfter().isBeforeNow()) {
LOG.debug("Subject Conf Data does not contain NotOnOrAfter or it has expired");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
if (postBinding && replayCache != null) {
if (replayCache.contains(id)) {
@@ -236,7 +236,7 @@ public class SAMLSSOResponseValidator {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
-
+
// Check address
if (subjectConfData.getAddress() != null
&& !subjectConfData.getAddress().equals(clientAddress)) {
@@ -244,22 +244,22 @@ public class SAMLSSOResponseValidator {
+ " client address " + clientAddress);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// It must not contain a NotBefore timestamp
if (subjectConfData.getNotBefore() != null) {
LOG.debug("The Subject Conf Data must not contain a NotBefore timestamp");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
// InResponseTo must match the AuthnRequest request Id
if (requestId != null && !requestId.equals(subjectConfData.getInResponseTo())) {
- LOG.debug("The InResponseTo String " + subjectConfData.getInResponseTo()
+ LOG.debug("The InResponseTo String " + subjectConfData.getInResponseTo()
+ " does match the original request id " + requestId);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
-
+
}
-
+
private void validateAudienceRestrictionCondition(
org.opensaml.saml.saml2.core.Conditions conditions
) throws WSSecurityException {
@@ -269,13 +269,13 @@ public class SAMLSSOResponseValidator {
}
List<AudienceRestriction> audienceRestrs = conditions.getAudienceRestrictions();
if (!matchSaml2AudienceRestriction(spIdentifier, audienceRestrs)) {
- LOG.debug("Assertion does not contain unique subject provider identifier "
+ LOG.debug("Assertion does not contain unique subject provider identifier "
+ spIdentifier + " in the audience restriction conditions");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
-
-
+
+
private boolean matchSaml2AudienceRestriction(
String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
@@ -334,11 +334,11 @@ public class SAMLSSOResponseValidator {
public void setSpIdentifier(String spIdentifier) {
this.spIdentifier = spIdentifier;
}
-
+
public void setReplayCache(ReplayCache replayCache) {
this.replayCache = replayCache;
}
-
+
public boolean isEnforceResponseSigned() {
return enforceResponseSigned;
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2ca31863/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
index b8b3969..a16be80 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
@@ -38,14 +38,14 @@ public class SSOValidatorResponse {
public void setAssertion(String assertion) {
this.assertion = assertion;
}
-
+
public Date getSessionNotOnOrAfter() {
if (sessionNotOnOrAfter != null) {
return new Date(sessionNotOnOrAfter.getTime());
}
return null;
}
-
+
public void setSessionNotOnOrAfter(Date sessionNotOnOrAfter) {
if (sessionNotOnOrAfter != null) {
this.sessionNotOnOrAfter = new Date(sessionNotOnOrAfter.getTime());
@@ -53,15 +53,15 @@ public class SSOValidatorResponse {
this.sessionNotOnOrAfter = null;
}
}
-
+
public String getResponseId() {
return responseId;
}
-
+
public void setResponseId(String responseId) {
this.responseId = responseId;
}
-
+
public Element getAssertionElement() {
return assertionElement;
}