Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/02 12:31:25 UTC
svn commit: r1478319 - in /cxf/fediz/trunk/plugins/core/src:
main/java/org/apache/cxf/fediz/core/saml/
test/java/org/apache/cxf/fediz/core/ test/resources/
Author: coheigea
Date: Thu May 2 10:31:25 2013
New Revision: 1478319
URL: http://svn.apache.org/r1478319
Log:
[FEDIZ-4] - Fixed a bug with HolderOfKey + added a unit test
Added:
cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties
cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks (with props)
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java Thu May 2 10:31:25 2013
@@ -102,8 +102,11 @@ public class SAMLTokenValidator implemen
throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
}
// Verify the signature
- assertion.verifySignature(requestData,
- new WSDocInfo(token.getOwnerDocument()));
+ WSDocInfo docInfo = new WSDocInfo(token.getOwnerDocument());
+ assertion.verifySignature(requestData, docInfo);
+
+ // Parse the HOK subject if it exists
+ assertion.parseHOKSubject(requestData, docInfo);
// Now verify trust on the signature
Credential trustCredential = new Credential();
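Review bot: The subject parsed on the new `assertion.parseHOKSubject(requestData, docInfo)` line is not compared with anything inside this hunk; unless the enclosing method (which starts and ends outside the hunk) later hands the parsed SAMLKeyInfo and the request's client certificates to `SAMLUtil.checkHolderOfKey`, a holder-of-key assertion would be accepted exactly like a bearer token. The new test in FederationProcessorTest suggests that check exists, but it is not visible here, so the comment should state the dependency: `// Parse the HOK subject (SubjectConfirmation KeyInfo) so it can be checked against the TLS client certs`. It is also worth confirming that a failure inside parseHOKSubject is mapped to a ProcessingException the same way the missing-signature case just above is, rather than escaping as the underlying WSS4J exception.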
@@ -185,32 +188,7 @@ public class SAMLTokenValidator implemen
audience = getAudienceRestriction(assertion.getSaml1());
}
- List<String> roles = null;
- FederationProtocol fp = (FederationProtocol)config.getProtocol();
- if (fp.getRoleURI() != null) {
- URI roleURI = URI.create(fp.getRoleURI());
- String delim = fp.getRoleDelimiter();
- for (Claim c : claims) {
- if (roleURI.equals(c.getClaimType())) {
- Object oValue = c.getValue();
- if ((oValue instanceof String) && !"".equals((String)oValue)) {
- if (delim == null) {
- roles = Collections.singletonList((String)oValue);
- } else {
- roles = parseRoles((String)oValue, delim);
- }
- } else if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty()) {
- List<String> values = (List<String>)oValue;
- roles = Collections.unmodifiableList(values);
- } else if (!((oValue instanceof String) || (oValue instanceof List<?>))) {
- LOG.error("Unsupported value type of Claim value");
- throw new IllegalStateException("Unsupported value type of Claim value");
- }
- claims.remove(c);
- break;
- }
- }
- }
+ List<String> roles = parseRoles(config, claims);
SAMLTokenPrincipal p = new SAMLTokenPrincipal(assertion);
@@ -226,6 +204,37 @@ public class SAMLTokenValidator implemen
throw new ProcessingException(TYPE.TOKEN_INVALID);
}
}
+
+ protected List<String> parseRoles(FederationContext config, List<Claim> claims) {
+ List<String> roles = null;
+ FederationProtocol fp = (FederationProtocol)config.getProtocol();
+ if (fp.getRoleURI() != null) {
+ URI roleURI = URI.create(fp.getRoleURI());
+ String delim = fp.getRoleDelimiter();
+ for (Claim c : claims) {
+ if (roleURI.equals(c.getClaimType())) {
+ Object oValue = c.getValue();
+ if ((oValue instanceof String) && !"".equals((String)oValue)) {
+ if (delim == null) {
+ roles = Collections.singletonList((String)oValue);
+ } else {
+ roles = parseRoles((String)oValue, delim);
+ }
+ } else if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty()) {
+ List<String> values = (List<String>)oValue;
+ roles = Collections.unmodifiableList(values);
+ } else if (!((oValue instanceof String) || (oValue instanceof List<?>))) {
+ LOG.error("Unsupported value type of Claim value");
+ throw new IllegalStateException("Unsupported value type of Claim value");
+ }
+ claims.remove(c);
+ break;
+ }
+ }
+ }
+
+ return roles;
+ }
protected List<Claim> parseClaimsInAssertion(
org.opensaml.saml1.core.Assertion assertion) {
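Review bot: The new `parseRoles(FederationContext, List<Claim>)` has no Javadoc even though it returns null when the protocol defines no role URI or no matching claim exists, and it removes the matched claim from the caller's list as a side effect; neither is visible from the one-line call site in the previous hunk. A header should state that it extracts roles from the claim whose type equals the protocol's role URI, that it removes that claim from {@code claims}, that it returns null rather than an empty list when nothing matches, and that it throws IllegalStateException when the claim value is neither a String nor a List. Two behaviours carried over from the old inline code deserve a sentence in that doc as well: an empty String or empty List value still removes the claim but leaves the result null, and the `(List<String>)oValue` cast is unchecked, so a list holding non-String elements only fails later in the caller. The hunk at `@@ -185,32 +188,7 @@` is the removal of the same code and needs no separate note.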
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java Thu May 2 10:31:25 2013
@@ -42,8 +42,7 @@ public final class SAMLUtil {
* credential of the SAML Assertion must match a client certificate credential when
* 2-way TLS is used.
* @param assertionWrapper the SAML Assertion wrapper object
- * @tlsCerts The client certificates
- * @param signedResults a list of all of the signed results
+ * @param tlsCerts The client certificates
*/
public static boolean checkHolderOfKey(
AssertionWrapper assertionWrapper,
@@ -68,7 +67,7 @@ public final class SAMLUtil {
* Compare the credentials of the assertion to the credentials used in 2-way TLS.
* Return true on a match
* @param subjectKeyInfo the SAMLKeyInfo object
- * @param signedResults a list of all of the signed results
+ * @param tlsCerts The client certificates
* @return true if the credentials of the assertion were used to verify a signature
*/
private static boolean compareCredentials(
Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java (original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java Thu May 2 10:31:25 2013
@@ -23,6 +23,7 @@ import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URL;
+import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
@@ -49,6 +50,7 @@ import org.apache.ws.security.WSPassword
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.SAMLParms;
@@ -991,6 +993,72 @@ public class FederationProcessorTest {
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
+ /**
+ * Validate a HolderOfKey SAML 2 token
+ */
+ @org.junit.Test
+ public void validateHOKSAML2Token() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+ callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+ callbackHandler.setSubjectName(TEST_USER);
+ ConditionsBean cp = new ConditionsBean();
+ cp.setAudienceURI(TEST_AUDIENCE);
+ callbackHandler.setConditions(cp);
+
+ Crypto clientCrypto = CryptoFactory.getInstance("client-crypto.properties");
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias("myclientkey");
+ X509Certificate[] certs = clientCrypto.getX509Certificates(cryptoType);
+ callbackHandler.setCerts(certs);
+
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+
+ WSPasswordCallback[] cb = {
+ new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
+ };
+ cbPasswordHandler.handle(cb);
+ String password = cb[0].getPassword();
+
+ assertion.signAssertion("mystskey", password, crypto, false);
+
+ Document doc = STSUtil.toSOAPPart(STSUtil.SAMPLE_RSTR_COLL_MSG);
+ Element token = assertion.toDOM(doc);
+
+ Element e = FederationProcessorTest.findElement(doc, "RequestedSecurityToken",
+ FederationConstants.WS_TRUST_13_NS);
+ if (e == null) {
+ e = FederationProcessorTest.findElement(doc, "RequestedSecurityToken",
+ FederationConstants.WS_TRUST_2005_02_NS);
+ }
+ e.appendChild(token);
+
+ String rstr = DOM2Writer.nodeToString(doc);
+
+ FederationRequest wfReq = new FederationRequest();
+ wfReq.setWa(FederationConstants.ACTION_SIGNIN);
+ wfReq.setWresult(rstr);
+
+ configurator = null;
+ FederationContext config =
+ getFederationConfigurator().getFederationContext("ROOT_DECRYPTION");
+
+ FederationProcessor wfProc = new FederationProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on missing client certs");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+
+ // Now set client certs
+ wfReq.setCerts(certs);
+ wfProc.processRequest(wfReq, config);
+ }
+
private String encryptAndSignToken(
AssertionWrapper assertion
) throws Exception {
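Review bot: The negative half of `validateHOKSAML2Token` accepts any ProcessingException in the `catch (ProcessingException ex)` block, so a signature-trust or audience failure would also make the test pass without proving that the missing client certificates were the reason; assert on `ex.getType()` against the TYPE the holder-of-key check raises (that value is not visible in this diff). The positive half discards the result of `wfProc.processRequest(wfReq, config)`, whereas the sibling test above captures it as `wfRes` and calls `assertClaims(wfRes.getClaims(), ...)`; doing the same here would confirm the token was actually processed rather than merely not rejected. Finally, `e.appendChild(token)` dereferences `e` without a null check when neither WS-Trust namespace matches, which would surface as a NullPointerException instead of a clear assertion failure; `assertNotNull(e)` before the call is enough.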
Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java (original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java Thu May 2 10:31:25 2013
@@ -39,6 +39,7 @@ public class KeystoreCallbackHandler imp
public KeystoreCallbackHandler() {
users.put("mystskey", "stskpass");
+ users.put("myclientkey", "ckpass");
users.put("realma", "realma");
users.put("realmb", "realmb");
}
Added: cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties?rev=1478319&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties (added)
+++ cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties Thu May 2 10:31:25 2013
@@ -0,0 +1,5 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=cspass
+org.apache.ws.security.crypto.merlin.keystore.file=clientstore.jks
+
Added: cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks?rev=1478319&view=auto
==============================================================================
Binary file - no diff available.
Propchange: cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream