Posted to commits@cxf.apache.org by co...@apache.org on 2016/10/19 15:30:23 UTC
cxf git commit: CXF-7099 - Technical user should be the SAML Subject
for the ActAs use-case
Repository: cxf
Updated Branches:
refs/heads/master 319456ecd -> 5c82ab1ca
CXF-7099 - Technical user should be the SAML Subject for the ActAs use-case
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5c82ab1c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5c82ab1c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5c82ab1c
Branch: refs/heads/master
Commit: 5c82ab1ca211be71f3ff68474edeef2cb0ed2bff
Parents: 319456e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 19 16:08:56 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Oct 19 16:08:56 2016 +0100
----------------------------------------------------------------------
.../token/provider/DefaultSubjectProvider.java | 6 ----
.../sts/delegation/SAMLDelegationTest.java | 29 +++-----------------
.../sts/username_actas/ActAsValidator.java | 8 ++++++
.../sts/delegation/cxf-sts-transport.xml | 2 +-
4 files changed, 13 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 9f9a51e..114d10f 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -113,7 +113,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
/**
* Get the Principal (which is used as the Subject). By default, we check the following (in order):
* - A valid OnBehalfOf principal
- * - A valid ActAs principal
* - A valid principal associated with a token received as ValidateTarget
* - The principal associated with the request. We don't need to check to see if it is "valid" here, as it
* is not parsed by the STS (but rather the WS-Security layer).
@@ -129,11 +128,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
- } else if (providerParameters.getTokenRequirements().getActAs() != null) {
- ReceivedToken receivedToken = providerParameters.getTokenRequirements().getActAs();
- if (receivedToken.getState().equals(STATE.VALID)) {
- principal = receivedToken.getPrincipal();
- }
} else if (providerParameters.getTokenRequirements().getValidateTarget() != null) {
ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
if (receivedToken.getState().equals(STATE.VALID)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
index dcfe966..fa66846 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
@@ -40,7 +40,6 @@ import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.sts.token.provider.TokenProviderResponse;
import org.apache.cxf.systest.sts.common.CommonCallbackHandler;
import org.apache.cxf.systest.sts.common.SecurityTestUtil;
-import org.apache.cxf.systest.sts.issueunit.IssueUnitTest;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -90,7 +89,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
@org.junit.Test
public void testSAMLOnBehalfOf() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
@@ -127,7 +126,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
@org.junit.Test
public void testSAMLActAs() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
@@ -162,29 +161,9 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
}
@org.junit.Test
- public void testTransportNoDelegationToken() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- try {
- requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus,
- DEFAULT_ADDRESS, "Transport_Port");
- fail("Failure expected on no delegation token");
- } catch (Exception ex) {
- // expected
- }
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
public void testTransportForgedDelegationToken() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
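Review bot: Deleting testTransportNoDelegationToken removes the only negative test in this section that an Issue request carrying neither OnBehalfOf nor ActAs is refused on the transport endpoint, and nothing replaces it. Presumably the test no longer fails because the client certificate now requested in cxf-sts-transport.xml supplies a requester principal and the STS issues a token for the technical user itself; if that is the intended behaviour, a positive test asserting the Subject is the client DN, plus a negative test from a client that presents no certificate and no delegation token, would keep that boundary covered instead of dropping it. The enclosing class continues outside the hunk.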
@@ -220,7 +199,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
@org.junit.Test
public void testTransportUnsignedDelegationToken() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
index 4d41397..78db7f6 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
@@ -30,6 +30,7 @@ import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.Subject;
/**
* This class validates a SAML 2 Assertion and checks that it has a CustomActAs Attribute with
@@ -47,6 +48,13 @@ public class ActAsValidator extends SamlAssertionValidator {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
+ // The technical user should be in the Subject
+ Subject subject = saml2Assertion.getSubject();
+ if (subject == null || subject.getNameID() == null
+ || !subject.getNameID().getValue().contains("CN=www.client.com")) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
if (attributeStatements == null || attributeStatements.isEmpty()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
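Review bot: On the new line `|| !subject.getNameID().getValue().contains("CN=www.client.com")` the `getValue()` result is not null-guarded, so a NameID with no value fails with a NullPointerException instead of the WSSecurityException every other branch of this method throws, and `contains` is a substring match on a DN, so any NameID that merely embeds that text (a longer hostname, or the string placed in another RDN) also passes. Safer is `String nameId = subject == null || subject.getNameID() == null ? null : subject.getNameID().getValue();` followed by `if (nameId == null || !nameId.equals(EXPECTED_CLIENT_DN)) {`, where EXPECTED_CLIENT_DN is a constant holding the full DN of the test client certificate (placeholder; the full DN is not on this page). Since this check is what the systest relies on to prove the ActAs principal is no longer the Subject, a one-line comment such as `// Subject must be the technical user (TLS client cert); the acted-as user is carried in the CustomActAs attribute below` would make that intent explicit. The enclosing method starts and ends outside the hunk.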
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
index 2510ebb..665a4ec 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
@@ -128,7 +128,7 @@
<sec:trustManagers>
<sec:keyStore type="jks" password="stsspass" resource="keys/stsstore.jks"/>
</sec:trustManagers>
- <sec:clientAuthentication want="false" required="false"/>
+ <sec:clientAuthentication want="true" required="false"/>
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
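Review bot: `want="true" required="false"` means the STS still accepts a TLS session with no client certificate, so on this endpoint the technical-user Subject exists only when the caller chooses to present one, and a caller that omits it falls through to whatever other principal the request carries, or none. If the ActAs flow is meant to require an authenticated technical user, consider whether `required="true"` fits this test endpoint; if other tests on the same endpoint need certificate-less access (inferred, not visible here), add a comment stating that, e.g. `<!-- want but not require: the client certificate (technical user) becomes the SAML Subject for ActAs; sessions without one are still accepted -->`. The enclosing tlsServerParameters element starts outside the hunk.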