You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/03 13:17:21 UTC
svn commit: r1519646 - in /cxf/branches/2.7.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/sam...
Author: coheigea
Date: Tue Sep 3 11:17:20 2013
New Revision: 1519646
URL: http://svn.apache.org/r1519646
Log:
[CXF-5248] - Signed SAML assertion validation error w/ SupportingTokens only policy
- Added tests + some other bits and pieces
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
Modified:
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1519646&r1=1519645&r2=1519646&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java Tue Sep 3 11:17:20 2013
@@ -23,6 +23,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
+import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
@@ -32,7 +33,6 @@ import javax.security.auth.callback.Call
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
@@ -45,12 +45,14 @@ import org.apache.cxf.interceptor.securi
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.Token;
+
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
@@ -67,6 +69,7 @@ import org.apache.ws.security.processor.
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.SAMLParms;
import org.apache.ws.security.validate.Validator;
+
import org.opensaml.common.SAMLVersion;
/**
@@ -124,6 +127,20 @@ public class SamlTokenInterceptor extend
if (!checkVersion(samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");
}
+
+ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+ if (!SAMLUtils.checkHolderOfKey(assertionWrapper, null, tlsCerts)) {
+ ai.setNotAsserted("Assertion fails holder-of-key requirements");
+ continue;
+ }
+ if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, null, null)) {
+ ai.setNotAsserted("Assertion fails sender-vouches requirements");
+ continue;
+ }
}
}
@@ -182,6 +199,9 @@ public class SamlTokenInterceptor extend
};
data.setWssConfig(WSSConfig.getNewInstance());
+ data.setSigCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO,
+ SecurityConstants.SIGNATURE_PROPERTIES, message));
+
SAMLTokenProcessor p = new SAMLTokenProcessor();
List<WSSecurityEngineResult> results =
p.handleToken(tokenElement, data, wsDocInfo);
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1519646&r1=1519645&r2=1519646&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Tue Sep 3 11:17:20 2013
@@ -33,6 +33,7 @@ import org.apache.cxf.systest.ws.saml.cl
import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
import org.apache.cxf.systest.ws.saml.server.Server;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.example.contract.doubleit.DoubleItPortType;
@@ -126,6 +127,78 @@ public class SamlTokenTest extends Abstr
}
@org.junit.Test
+ public void testSaml1Supporting() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml1SupportingPort");
+ DoubleItPortType saml1Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml1Port, PORT2);
+
+ ((BindingProvider)saml1Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", new SamlCallbackHandler(false)
+ );
+
+ int result = saml1Port.doubleIt(25);
+ assertTrue(result == 50);
+
+ ((java.io.Closeable)saml1Port).close();
+ bus.shutdown(true);
+ }
+
+ // Self-signing (see CXF-5248)
+ @org.junit.Test
+ public void testSaml1SupportingSelfSigned() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml1SupportingPort");
+ DoubleItPortType saml1Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml1Port, PORT2);
+
+ ((BindingProvider)saml1Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", new SamlCallbackHandler(false)
+ );
+
+ ((BindingProvider)saml1Port).getRequestContext().put(
+ SecurityConstants.SELF_SIGN_SAML_ASSERTION, true
+ );
+ ((BindingProvider)saml1Port).getRequestContext().put(
+ SecurityConstants.SIGNATURE_USERNAME, "alice"
+ );
+ ((BindingProvider)saml1Port).getRequestContext().put(
+ SecurityConstants.SIGNATURE_PROPERTIES,
+ "org/apache/cxf/systest/ws/wssec10/client/alice.properties"
+ );
+ ((BindingProvider)saml1Port).getRequestContext().put(
+ SecurityConstants.CALLBACK_HANDLER,
+ "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"
+ );
+
+ int result = saml1Port.doubleIt(25);
+ assertTrue(result == 50);
+
+ ((java.io.Closeable)saml1Port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testSaml1ElementOverTransport() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl?rev=1519646&r1=1519645&r2=1519646&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl Tue Sep 3 11:17:20 2013
@@ -49,6 +49,23 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItSaml1SupportingBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSaml1SupportingPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:binding name="DoubleItSaml1SelfSignedTransportBinding" type="tns:DoubleItPortType">
<wsp:PolicyReference URI="#DoubleItSaml1SelfSignedTransportPolicy" />
<soap:binding style="document"
@@ -298,6 +315,9 @@
<wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
<soap:address location="https://localhost:9009/DoubleItSaml1Transport" />
</wsdl:port>
+ <wsdl:port name="DoubleItSaml1SupportingPort" binding="tns:DoubleItSaml1SupportingBinding">
+ <soap:address location="https://localhost:9009/DoubleItSaml1Supporting" />
+ </wsdl:port>
<wsdl:port name="DoubleItSaml1TransportPort2" binding="tns:DoubleItInlinePolicyBinding">
<soap:address location="https://localhost:9009/DoubleItSaml1Transport2" />
</wsdl:port>
@@ -397,6 +417,22 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItSaml1SupportingPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SupportingTokens>
+ <wsp:Policy>
+ <sp:SamlToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssSamlV11Token11/>
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="DoubleItSaml1SelfSignedTransportPolicy">
<wsp:ExactlyOne>
<wsp:All>
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1519646&r1=1519645&r2=1519646&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml Tue Sep 3 11:17:20 2013
@@ -105,6 +105,26 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="Saml1SupportingToken"
+ address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSaml1SupportingPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
<jaxws:endpoint
id="Saml2TokenOverSymmetric"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric"