You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2014/09/11 13:27:18 UTC
svn commit: r1624262 - in /webservices/wss4j/trunk:
ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/
ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/
ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/
ws-secu...
Author: coheigea
Date: Thu Sep 11 11:27:18 2014
New Revision: 1624262
URL: http://svn.apache.org/r1624262
Log:
[WSS-510] - Provide a way of requiring a particular SAML subject confirmation method
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java Thu Sep 11 11:27:18 2014
@@ -56,6 +56,11 @@ public class SamlAssertionValidator exte
private boolean validateSignatureAgainstProfile = true;
/**
+ * If this is set, then the value must appear as one of the Subject Confirmation Methods
+ */
+ private String requiredSubjectConfirmationMethod;
+
+ /**
* Set the time in seconds in the future within which the NotBefore time of an incoming
* Assertion is valid. The default is 60 seconds.
*/
@@ -77,23 +82,8 @@ public class SamlAssertionValidator exte
}
SamlAssertionWrapper samlAssertion = credential.getSamlAssertion();
- // Check HOK requirements
- String confirmMethod = null;
- List<String> methods = samlAssertion.getConfirmationMethods();
- if (methods != null && methods.size() > 0) {
- confirmMethod = methods.get(0);
- }
- if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
- if (samlAssertion.getSubjectKeyInfo() == null) {
- LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method");
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
- }
- // The assertion must have been signed for HOK
- if (!samlAssertion.isSigned()) {
- LOG.debug("A holder-of-key assertion must be signed");
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
- }
- }
+ // Check the Subject Confirmation requirements
+ verifySubjectConfirmationMethod(samlAssertion);
// Check conditions
checkConditions(samlAssertion);
@@ -112,6 +102,49 @@ public class SamlAssertionValidator exte
}
/**
+ * Check the Subject Confirmation method requirements
+ */
+ protected void verifySubjectConfirmationMethod(
+ SamlAssertionWrapper samlAssertion
+ ) throws WSSecurityException {
+
+ List<String> methods = samlAssertion.getConfirmationMethods();
+ if ((methods == null || methods.isEmpty())
+ && requiredSubjectConfirmationMethod != null) {
+ LOG.debug("A required subject confirmation method was not present");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "invalidSAMLsecurity");
+ }
+
+ boolean signed = samlAssertion.isSigned();
+ boolean requiredMethodFound = false;
+ for (String method : methods) {
+ if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
+ if (samlAssertion.getSubjectKeyInfo() == null) {
+ LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
+ }
+
+ // The assertion must have been signed for HOK
+ if (!signed) {
+ LOG.debug("A holder-of-key assertion must be signed");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+ }
+
+ if (method != null && method.equals(requiredSubjectConfirmationMethod)) {
+ requiredMethodFound = true;
+ }
+ }
+
+ if (!requiredMethodFound && requiredSubjectConfirmationMethod != null) {
+ LOG.debug("A required subject confirmation method was not present");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "invalidSAMLsecurity");
+ }
+ }
+
+ /**
* Verify trust in the signature of a signed Assertion. This method is separate so that
* the user can override if if they want.
* @param samlAssertion The signed Assertion
@@ -194,5 +227,13 @@ public class SamlAssertionValidator exte
public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile) {
this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
}
+
+ public String getRequiredSubjectConfirmationMethod() {
+ return requiredSubjectConfirmationMethod;
+ }
+
+ public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod) {
+ this.requiredSubjectConfirmationMethod = requiredSubjectConfirmationMethod;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java Thu Sep 11 11:27:18 2014
@@ -40,6 +40,7 @@ import org.apache.wss4j.common.saml.SAML
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSConfig;
@@ -60,6 +61,7 @@ import org.apache.wss4j.dom.message.WSSe
import org.apache.wss4j.dom.message.WSSecSAMLToken;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
@@ -957,6 +959,57 @@ public class SamlTokenTest extends org.j
assertEquals(assertionString, secondAssertionString);
}
+ @org.junit.Test
+ public void testRequiredSubjectConfirmationMethod() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+ WSSConfig config = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+ assertionValidator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+ config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+ config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+ config.setValidateSamlSubjectConfirmation(false);
+
+ WSSecurityEngine newEngine = new WSSecurityEngine();
+ newEngine.setWssConfig(config);
+ newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+
+ // Now create a Bearer assertion
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+
+ samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ wsSign = new WSSecSAMLToken();
+
+ doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+ try {
+ newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+ fail("Failure expected on an incorrect subject confirmation method");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
private void encryptElement(
Document document,
Element elementToEncrypt,
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java Thu Sep 11 11:27:18 2014
@@ -157,15 +157,20 @@ public class SAMLTokenInputHandler exten
}
}
- String confirmMethod = null;
+ final InboundSecurityToken subjectSecurityToken;
+
List<String> methods = samlAssertionWrapper.getConfirmationMethods();
- if (methods != null && methods.size() > 0) {
- confirmMethod = methods.get(0);
+ boolean holderOfKey = false;
+ if (methods != null) {
+ for (String method : methods) {
+ if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
+ holderOfKey = true;
+ break;
+ }
+ }
}
- final InboundSecurityToken subjectSecurityToken;
-
- if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
+ if (holderOfKey) {
// First try to get the credential from a CallbackHandler
final byte[] subjectSecretKey = SAMLUtil.getSecretKeyFromCallbackHandler(
@@ -200,11 +205,6 @@ public class SAMLTokenInputHandler exten
}
};
} else {
- // The assertion must have been signed for HOK
- if (!samlAssertionWrapper.isSigned()) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidSAMLsecurity");
- }
-
int subjectKeyInfoIndex = getSubjectKeyInfoIndex(eventQueue);
if (subjectKeyInfoIndex < 0) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java Thu Sep 11 11:27:18 2014
@@ -19,10 +19,12 @@
package org.apache.wss4j.stax.validate;
import java.util.Date;
+import java.util.List;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
@@ -33,6 +35,9 @@ import org.opensaml.common.SAMLVersion;
public class SamlTokenValidatorImpl extends SignatureTokenValidatorImpl implements SamlTokenValidator {
+ private static final transient org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(SamlTokenValidatorImpl.class);
+
/**
* The time in seconds in the future within which the NotBefore time of an incoming
* Assertion is valid. The default is 60 seconds.
@@ -44,6 +49,11 @@ public class SamlTokenValidatorImpl exte
* relevant profile. Default is true.
*/
private boolean validateSignatureAgainstProfile = true;
+
+ /**
+ * If this is set, then the value must appear as one of the Subject Confirmation Methods
+ */
+ private String requiredSubjectConfirmationMethod;
/**
* Set the time in seconds in the future within which the NotBefore time of an incoming
@@ -68,6 +78,14 @@ public class SamlTokenValidatorImpl exte
public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile) {
this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
}
+
+ public String getRequiredSubjectConfirmationMethod() {
+ return requiredSubjectConfirmationMethod;
+ }
+
+ public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod) {
+ this.requiredSubjectConfirmationMethod = requiredSubjectConfirmationMethod;
+ }
@Override
public <T extends SamlSecurityToken & InboundSecurityToken> T validate(final SamlAssertionWrapper samlAssertionWrapper,
@@ -76,6 +94,9 @@ public class SamlTokenValidatorImpl exte
// Check conditions
checkConditions(samlAssertionWrapper);
+ // Check the Subject Confirmation requirements
+ verifySubjectConfirmationMethod(samlAssertionWrapper);
+
// Check OneTimeUse Condition
checkOneTimeUse(samlAssertionWrapper,
tokenContext.getWssSecurityProperties().getSamlOneTimeUseReplayCache());
@@ -101,6 +122,41 @@ public class SamlTokenValidatorImpl exte
return token;
}
+ /**
+ * Check the Subject Confirmation method requirements
+ */
+ protected void verifySubjectConfirmationMethod(
+ SamlAssertionWrapper samlAssertion
+ ) throws WSSecurityException {
+
+ List<String> methods = samlAssertion.getConfirmationMethods();
+ if ((methods == null || methods.isEmpty())
+ && requiredSubjectConfirmationMethod != null) {
+ LOG.debug("A required subject confirmation method was not present");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "invalidSAMLsecurity");
+ }
+
+ boolean signed = samlAssertion.isSigned();
+ boolean requiredMethodFound = false;
+ for (String method : methods) {
+ // The assertion must have been signed for HOK
+ if (OpenSAMLUtil.isMethodHolderOfKey(method) && !signed) {
+ LOG.debug("A holder-of-key assertion must be signed");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
+ if (method != null && method.equals(requiredSubjectConfirmationMethod)) {
+ requiredMethodFound = true;
+ }
+ }
+
+ if (!requiredMethodFound && requiredSubjectConfirmationMethod != null) {
+ LOG.debug("A required subject confirmation method was not present");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "invalidSAMLsecurity");
+ }
+ }
/**
* Check the Conditions of the Assertion.
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java Thu Sep 11 11:27:18 2014
@@ -26,6 +26,7 @@ import org.apache.wss4j.common.saml.SAML
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
@@ -42,6 +43,7 @@ import org.apache.wss4j.stax.test.Abstra
import org.apache.wss4j.stax.test.utils.SOAPUtil;
import org.apache.wss4j.stax.test.utils.StAX2DOM;
import org.apache.wss4j.stax.test.utils.XmlReaderToWriter;
+import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
@@ -64,6 +66,7 @@ import org.w3c.dom.NodeList;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
+import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.dom.DOMSource;
@@ -927,6 +930,99 @@ public class SAMLTokenTest extends Abstr
}
}
+ @Test
+ public void testRequiredSubjectConfirmationMethod() throws Exception {
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+ callbackHandler.setSignAssertion(false);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+
+ // Test that we have a SenderVouches assertion
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+ }
+
+ baos = new ByteArrayOutputStream();
+ // Now create a Bearer assertion
+ {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer("www.example.com");
+ callbackHandler.setSignAssertion(false);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+
+ // Test that we have a SenderVouches assertion
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ try {
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ fail("Failure expected on a Bearer assertion");
+ } catch (XMLStreamException e) {
+ // expected
+ }
+ }
+ }
+
private void encryptElement(
Document document,
Element elementToEncrypt,