Posted to commits@cxf.apache.org by co...@apache.org on 2015/02/04 18:11:49 UTC
[1/3] cxf git commit: Add the ability to validate SAML Audience
Restrictions. Defaults to false unlike for SOAP
Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes a9251eca7 -> cfd1ae315
Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
Conflicts:
rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ac1573cf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ac1573cf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ac1573cf
Branch: refs/heads/2.7.x-fixes
Commit: ac1573cf09da4dffe63462a6db077a6fde129864
Parents: a9251ec
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Feb 3 16:21:47 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 4 17:08:18 2015 +0000
----------------------------------------------------------------------
.../rs/security/saml/AbstractSamlInHandler.java | 37 ++++++++++++++++++++
1 file changed, 37 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ac1573cf/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index 78c80c5..cc4e1f1 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -25,6 +25,7 @@ import java.io.InputStreamReader;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
@@ -116,6 +117,10 @@ public abstract class AbstractSamlInHandler implements RequestHandler {
protected void validateToken(Message message, AssertionWrapper assertion) {
try {
RequestData data = new RequestData();
+
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(message, data);
+
if (assertion.isSigned()) {
WSSConfig cfg = WSSConfig.getNewInstance();
data.setWssConfig(cfg);
@@ -149,7 +154,39 @@ public abstract class AbstractSamlInHandler implements RequestHandler {
}
}
+<<<<<<< HEAD
protected void checkSubjectConfirmationData(Message message, AssertionWrapper assertion) {
+=======
+ protected void configureAudienceRestriction(Message msg, RequestData reqData) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+ SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ false);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
+ audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ reqData.setAudienceRestrictions(audiences);
+ }
+ }
+
+ protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException {
+ try {
+ X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto,
+ sigCrypto.getDefaultX509Identifier());
+ SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(new X509Certificate[]{certs[0]});
+ samlKeyInfo.setPublicKey(certs[0].getPublicKey());
+ return samlKeyInfo;
+ } catch (Exception ex) {
+ LOG.log(Level.FINE, "Error in loading the certificates: " + ex.getMessage(), ex);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex);
+ }
+ }
+
+ protected void checkSubjectConfirmationData(Message message, SamlAssertionWrapper assertion) {
+>>>>>>> 0377022... Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
Certificate[] tlsCerts = getTLSCertificates(message);
if (!checkHolderOfKey(message, assertion, tlsCerts)) {
throwFault("Holder Of Key claim fails", null);
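Review bot: `configureAudienceRestriction` passes an empty list to `reqData.setAudienceRestrictions(audiences)` when validation is switched on but `Message.REQUEST_URL` is not set, so the opt-in check can silently become no check at all if the validator treats an empty list as nothing to compare (worth confirming against the WSS4J validator, which is outside this diff). Failing the request in that case keeps the setting fail-closed; the fence sketches this with the `throwFault` helper used in `checkSubjectConfirmationData`, assuming it aborts processing. The only accepted audience is the request URL as the endpoint sees it, so a Javadoc on the method should state that, along with the default of `false`, since a deployment behind a proxy or URL rewrite may see a different URL from the one the IdP was given. The same method is carried unchanged into the [3/3] hunks, and `checkSubjectConfirmationData` continues past the end of this hunk.

```java
protected void configureAudienceRestriction(Message msg, RequestData reqData) {
    // … unchanged: read SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION …
    if (enableAudienceRestriction) {
        String requestUrl =
            (String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL);
        if (requestUrl == null) {
            // Fail closed: with no URL to compare against there is nothing to validate.
            throwFault("Audience restriction validation is enabled but no request URL is available", null);
        }
        List<String> audiences = new ArrayList<String>();
        audiences.add(requestUrl);
        reqData.setAudienceRestrictions(audiences);
    }
}
```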
[2/3] cxf git commit: Recording .gitmergeinfo Changes
Posted by co...@apache.org.
Recording .gitmergeinfo Changes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b3d359ea
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b3d359ea
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b3d359ea
Branch: refs/heads/2.7.x-fixes
Commit: b3d359eafe7c47c0a6274c24caa6e984c8963488
Parents: ac1573c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 4 17:08:21 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 4 17:08:21 2015 +0000
----------------------------------------------------------------------
.gitmergeinfo | 2 ++
1 file changed, 2 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/b3d359ea/.gitmergeinfo
----------------------------------------------------------------------
diff --git a/.gitmergeinfo b/.gitmergeinfo
index f7aa610..064884a 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -751,6 +751,7 @@ B 6d90bcc2633460b5fce7892365afb0dd23b38e94
B 6dcd71fce8cabcb0557fe6d5d00052968635e267
B 6ddc65814221b8d9ebb29db82eb7f66a443ac319
B 6e351465962e069730f95d60d581181207a16ef3
+B 6e541124a3be23e4ec74e2d9357e60910edf91a7
B 6e5cba3561217f30159588f17def9e458cf63555
B 6e8b999f0e4f724e3e9f1a5aacef87a426d360e9
B 6ea2061602527aa5a3a15e022aa6efbe0aee5996
@@ -1717,6 +1718,7 @@ M 021f781caab5e7fd82844f0ea734ec23729592ec
M 023872e3024af7bf283031372fc0340d9560f51c
M 02848d574a92a861503f636decef33c5a5e1c45e
M 03630b26abad154d953a217ee7a822a8dac3a4ac
+M 037702299176dc276ebe8a2cd0641687df993d12
M 037da2d9693ff7de7fd85b9d1fc85550831a2133
M 03eca7af8b03c10e3f2a6d9915bf5a06e6627879
M 03f31aedfaf53d808e88e9262c5ee3232b023a67
[3/3] cxf git commit: Fixing merge
Posted by co...@apache.org.
Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cfd1ae31
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cfd1ae31
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cfd1ae31
Branch: refs/heads/2.7.x-fixes
Commit: cfd1ae31590e68df0a1c35e9393b21daf887ee78
Parents: b3d359e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 4 17:10:54 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 4 17:10:54 2015 +0000
----------------------------------------------------------------------
.../rs/security/saml/AbstractSamlInHandler.java | 19 +------------------
1 file changed, 1 insertion(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/cfd1ae31/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index cc4e1f1..a1d108d 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -154,9 +154,6 @@ public abstract class AbstractSamlInHandler implements RequestHandler {
}
}
-<<<<<<< HEAD
- protected void checkSubjectConfirmationData(Message message, AssertionWrapper assertion) {
-=======
protected void configureAudienceRestriction(Message msg, RequestData reqData) {
// Add Audience Restrictions for SAML
boolean enableAudienceRestriction =
@@ -172,21 +169,7 @@ public abstract class AbstractSamlInHandler implements RequestHandler {
}
}
- protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException {
- try {
- X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto,
- sigCrypto.getDefaultX509Identifier());
- SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(new X509Certificate[]{certs[0]});
- samlKeyInfo.setPublicKey(certs[0].getPublicKey());
- return samlKeyInfo;
- } catch (Exception ex) {
- LOG.log(Level.FINE, "Error in loading the certificates: " + ex.getMessage(), ex);
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex);
- }
- }
-
- protected void checkSubjectConfirmationData(Message message, SamlAssertionWrapper assertion) {
->>>>>>> 0377022... Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
+ protected void checkSubjectConfirmationData(Message message, AssertionWrapper assertion) {
Certificate[] tlsCerts = getTLSCertificates(message);
if (!checkHolderOfKey(message, assertion, tlsCerts)) {
throwFault("Holder Of Key claim fails", null);