Posted to commits@cxf.apache.org by co...@apache.org on 2015/07/20 20:56:19 UTC
cxf git commit: Enforce stronger constraints on role names for SAML
Repository: cxf
Updated Branches:
refs/heads/master dd8025a16 -> a614b7538
Enforce stronger constraints on role names for SAML
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a614b753
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a614b753
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a614b753
Branch: refs/heads/master
Commit: a614b75389c2758d6d27e598b679ba013bcb72f0
Parents: dd8025a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jul 20 19:56:04 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jul 20 19:56:04 2015 +0100
----------------------------------------------------------------------
.../rt/security/saml/claims/SAMLSecurityContext.java | 13 +++++++++++--
.../xacml2/AbstractXACMLAuthorizingInterceptor.java | 6 +++++-
2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a614b753/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
index b9b012a..97fee53 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
@@ -19,6 +19,8 @@
package org.apache.cxf.rt.security.saml.claims;
import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
import java.util.Set;
import org.w3c.dom.Element;
@@ -67,7 +69,7 @@ public class SAMLSecurityContext implements ClaimsSecurityContext {
return false;
}
for (Principal principalRole : roles) {
- if (principalRole.getName().equals(role)) {
+ if (principalRole != principal && principalRole.getName().equals(role)) {
return true;
}
}
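Review bot: The added guard `principalRole != principal` compares references, so a role Principal that is a distinct object from `principal` but carries the same name still satisfies the check, while the interceptor changed in the same commit excludes roles by name; the line also still dereferences `principalRole.getName()` with no null check, which the interceptor does guard. Comparing by name would keep both sites consistent: `String name = principalRole.getName();` / `boolean isSubject = principal != null && name != null && name.equals(principal.getName());` / `if (!isSubject && name != null && name.equals(role)) {`. Whether the roles set can actually hold a same-named but non-identical Principal depends on how it is populated, which is not visible here. isUserInRole starts before this hunk and its trailing `return false` lies after it.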
@@ -83,7 +85,14 @@ public class SAMLSecurityContext implements ClaimsSecurityContext {
}
public Set<Principal> getUserRoles() {
- return roles;
+ if (roles == null) {
+ return Collections.emptySet();
+ }
+ Set<Principal> retRoles = new HashSet<Principal>(roles);
+ if (principal != null && retRoles.contains(principal)) {
+ retRoles.remove(principal);
+ }
+ return retRoles;
}
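Review bot: The `retRoles.contains(principal)` test before `remove` is redundant — `Set.remove` already returns false when the element is absent and HashSet accepts a null argument — so the three new lines reduce to `retRoles.remove(principal);`. Note that this removal relies on `equals`, whereas isUserInRole in the same file now filters with reference identity (`principalRole != principal`); if the Principal implementation does not override equals the two agree, otherwise a role equal to the subject is dropped here but still counted there, so one comparison should be chosen and stated in the method's Javadoc, e.g. `/** Returns a copy of the roles with the user principal itself removed; never null. */`. `new HashSet<Principal>(roles)` could also use the diamond form the other file in this commit already relies on.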
public void setAssertionElement(Element assertionElement) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/a614b753/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
index f81f07a..39e611d 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
@@ -67,13 +67,17 @@ public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseI
if (sc instanceof LoginSecurityContext) {
Principal principal = sc.getUserPrincipal();
+ String principalName = null;
+ if (principal != null) {
+ principalName = principal.getName();
+ }
LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
List<String> roles = new ArrayList<>();
if (principalRoles != null) {
for (Principal p : principalRoles) {
- if (p != principal) {
+ if (p != null && p.getName() != null && !p.getName().equals(principalName)) {
roles.add(p.getName());
}
}
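Review bot: `p.getName()` is evaluated three times in the new condition and a fourth time on the following `roles.add` line; binding it once reads more clearly and removes any dependence on the name being stable across calls: `String roleName = p.getName();` / `if (roleName != null && !roleName.equals(principalName)) {` / `roles.add(roleName);`. When no user principal is present `principalName` stays null and every named role is retained, which looks intended but deserves a one-line comment such as `// no subject principal: nothing to exclude from the role list`. The method enclosing this loop starts and ends outside the hunk.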