Posted to commits@cxf.apache.org by co...@apache.org on 2015/11/27 14:55:27 UTC

[2/5] cxf git commit: Explicitly disallow SAML 1.1 in OAuth

Explicitly disallow SAML 1.1 in OAuth


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/97aea164
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/97aea164
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/97aea164

Branch: refs/heads/3.0.x-fixes
Commit: 97aea164b164a6901a9152f6a326be34f72db1f1
Parents: becdcd1
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 11:25:08 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 27 13:06:10 2015 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/oauth2/saml/SamlOAuthValidator.java       | 7 +++++++
 1 file changed, 7 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/97aea164/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index dc9eb62..888ddf5 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -62,6 +62,7 @@ public class SamlOAuthValidator {
     }
     
     public void validate(Message message, SamlAssertionWrapper wrapper) {
+        validateSAMLVersion(wrapper);
         
         Conditions cs = wrapper.getSaml2().getConditions();
         validateAudience(message, cs);
@@ -79,6 +80,12 @@ public class SamlOAuthValidator {
         }
     }
     
+    private void validateSAMLVersion(SamlAssertionWrapper assertionW) {
+        if (assertionW.getSaml2() == null) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+    }
+    
     private String getIssuer(SamlAssertionWrapper assertionW) {
         Issuer samlIssuer = assertionW.getSaml2().getIssuer();
         return samlIssuer == null ? null : samlIssuer.getValue();
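Review bot: `validateSAMLVersion` has no comment explaining what it enforces, and its check tests the wrapper's `getSaml2()` for null rather than naming the version it rejects, so the link to the commit message ("disallow SAML 1.1") is only implicit to a later reader. A Javadoc along the lines of `/** Rejects anything that is not a SAML 2.0 assertion (e.g. SAML 1.1): the checks that follow read SAML 2.0 Conditions and would otherwise fail with a NullPointerException instead of a 401. */` would make the security intent explicit. If the wrapper exposes the parsed version directly (WSS4J's `SamlAssertionWrapper` appears to have `getSamlVersion()`), comparing against the 2.0 constant would state the policy more clearly than a null check, though the null check is sufficient as written since every subsequent dereference goes through `getSaml2()`. The rejection is thrown with `toNotAuthorizedException(null, null)`, so nothing is logged or attached about why the assertion was refused; a debug-level log line before the throw would help operators distinguish a version rejection from the other 401 paths in this validator. `getIssuer` continues past the end of the hunk.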