Posted to commits@cxf.apache.org by co...@apache.org on 2018/09/25 21:34:06 UTC
[cxf-fediz] branch master updated: Map a role claim with no
AttributeValue to null
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new 4232f33 Map a role claim with no AttributeValue to null
4232f33 is described below
commit 4232f332a4b337d3572fe3536e295ff2006a249c
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Sep 25 17:33:40 2018 -0400
Map a role claim with no AttributeValue to null
---
.../cxf/fediz/core/saml/SAMLTokenValidator.java | 2 +-
.../fediz/core/AbstractSAMLCallbackHandler.java | 20 ++++++++++--
.../core/federation/FederationResponseTest.java | 37 ++++++++++++++++++++++
3 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index 55dbc0c..f1755c1 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -266,7 +266,7 @@ public class SAMLTokenValidator implements TokenValidator {
} else {
roles = parseRoles((String)oValue, delim);
}
- } else if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty()) {
+ } else if (oValue instanceof List<?>) {
@SuppressWarnings("unchecked")
List<String> values = (List<String>)oValue;
roles = Collections.unmodifiableList(values);
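Review bot: Dropping the `!isEmpty()` guard on the `else if` means an empty AttributeValue list now reaches this branch and `roles` becomes an empty unmodifiable list, not the null that the commit title and the new `validateSAML2TokenNoRoleValue` test expect — presumably the empty-to-null mapping happens further down in this method, outside the hunk, but nothing on these lines says so. A comment on the branch would make that intent explicit for the next reader: `// An empty value list is accepted here; the caller maps it to null roles`. The unchecked cast to `List<String>` also still trusts the element type produced by the claim parser, which is worth noting next to the `@SuppressWarnings`. The enclosing method starts and ends outside the hunk.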
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
index ef750a8..2f67522 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
@@ -94,6 +94,7 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
protected String attributeNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified";
protected boolean useNameFormatAsNamespace;
private boolean addGivenName;
+ private boolean addRoleValue = true;
public void setSubjectConfirmationData(SubjectConfirmationDataBean subjectConfirmationData) {
this.subjectConfirmationData = subjectConfirmationData;
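Review bot: The new `addRoleValue` field has no comment, and its default of `true` only makes sense once the reader finds the two guarded `addAttributeValue` calls in the later hunks of this file (the `MultiValue.MULTI_VALUE` loop and the per-role branch). A one-line comment next to the field would save that trip: `// When false, the role Attribute is built without any AttributeValue (simulates an IdP sending an empty role claim)`. The same wording belongs on `setAddRoleValue` in the last hunk, since that setter is what the test in FederationResponseTest calls.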
@@ -273,8 +274,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
attributeBean.setNameFormat(this.getAttributeNameFormat());
}
if (this.multiValueType.equals(MultiValue.MULTI_VALUE)) {
- for (String role : roles) {
- attributeBean.addAttributeValue(role);
+ if (addRoleValue) {
+ for (String role : roles) {
+ attributeBean.addAttributeValue(role);
+ }
}
} else {
StringBuilder sb = new StringBuilder();
@@ -315,7 +318,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
attributeBean.setQualifiedName(this.roleAttributeName);
attributeBean.setNameFormat(this.getAttributeNameFormat());
}
- attributeBean.addAttributeValue(role);
+
+ if (addRoleValue) {
+ attributeBean.addAttributeValue(role);
+ }
attributeList.add(attributeBean);
}
}
@@ -460,4 +466,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
public void setAddGivenName(boolean addGivenName) {
this.addGivenName = addGivenName;
}
+
+ public boolean isAddRoleValue() {
+ return addRoleValue;
+ }
+
+ public void setAddRoleValue(boolean addRoleValue) {
+ this.addRoleValue = addRoleValue;
+ }
}
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
index f9ee9ec..77f6b79 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
@@ -761,6 +761,43 @@ public class FederationResponseTest {
Assert.assertEquals(1, wfRes.getRoles().size());
Assert.assertEquals("", wfRes.getRoles().get(0));
}
+
+ @org.junit.Test
+ public void validateSAML2TokenNoRoleValue() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+ callbackHandler.setSubjectName(TEST_USER);
+ callbackHandler.setAddRoleValue(false);
+ ConditionsBean cp = new ConditionsBean();
+ AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+ audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
+ cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
+ callbackHandler.setConditions(cp);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+ String rstr = createSamlToken(assertion, "mystskey", true);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setAction(FederationConstants.ACTION_SIGNIN);
+ wfReq.setResponseToken(rstr);
+
+ configurator = null;
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+ Protocol protocol = config.getProtocol();
+ protocol.setRoleDelimiter(",");
+
+ FedizProcessor wfProc = new FederationProcessorImpl();
+ FedizResponse wfRes = wfProc.processRequest(wfReq, config);
+
+ Assert.assertEquals("Principal name wrong", TEST_USER,
+ wfRes.getUsername());
+ Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+ Assert.assertEquals(null, wfRes.getRoles());
+ }
/**
* Validate SAML 2 token which includes the role attribute with 2 values