Posted to commits@cxf.apache.org by co...@apache.org on 2015/02/04 18:07:57 UTC
[1/2] cxf git commit: Add the ability to validate SAML Audience
Restrictions. Defaults to false unlike for SOAP
Repository: cxf
Updated Branches:
refs/heads/3.0.x-fixes 4e85d25dc -> 6e541124a
Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/03770229
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/03770229
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/03770229
Branch: refs/heads/3.0.x-fixes
Commit: 037702299176dc276ebe8a2cd0641687df993d12
Parents: 4e85d25
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Feb 3 16:21:47 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 4 17:07:18 2015 +0000
----------------------------------------------------------------------
.../rs/security/saml/AbstractSamlInHandler.java | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/03770229/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index ea4bd63..9d5d257 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -25,6 +25,7 @@ import java.io.InputStreamReader;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -126,6 +127,10 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
protected void validateToken(Message message, SamlAssertionWrapper assertion) {
try {
RequestData data = new RequestData();
+
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(message, data);
+
if (assertion.isSigned()) {
WSSConfig cfg = WSSConfig.getNewInstance();
data.setWssConfig(cfg);
@@ -177,6 +182,21 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
}
}
+ protected void configureAudienceRestriction(Message msg, RequestData reqData) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+ SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ false);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
+ audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ reqData.setAudienceRestrictions(audiences);
+ }
+ }
+
protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException {
try {
X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto,
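Review bot: With `AUDIENCE_RESTRICTION_VALIDATION` enabled but no `REQUEST_URL` on the message, `configureAudienceRestriction` still calls `reqData.setAudienceRestrictions(audiences)` with an empty list, and nothing in the hunk fixes whether the validator then accepts any audience (fail open) or rejects every assertion; that outcome should be decided explicitly and stated in a Javadoc comment on this new protected extension point, which currently has none. The Javadoc should also record that the property defaults to false for JAX-RS (the commit message says so, the code does not) and that the request URL is the only audience configured. The `REQUEST_URL` lookup is done twice, with a cast on the second call; reading it once is clearer: `Object url = msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL);` followed by `if (url != null) { audiences.add((String) url); }`. The enclosing class continues outside the hunk.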
[2/2] cxf git commit: Adding another spnego test
Posted by co...@apache.org.
Adding another spnego test
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6e541124
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6e541124
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6e541124
Branch: refs/heads/3.0.x-fixes
Commit: 6e541124a3be23e4ec74e2d9357e60910edf91a7
Parents: 0377022
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 4 11:28:33 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 4 17:07:19 2015 +0000
----------------------------------------------------------------------
.../kerberos/wssec/spnego/SpnegoTokenTest.java | 14 ++++++++
.../kerberos/wssec/spnego/DoubleItSpnego.wsdl | 35 ++++++++++++++++----
.../systest/kerberos/wssec/spnego/client.xml | 7 ++++
.../systest/kerberos/wssec/spnego/server.xml | 6 ++++
.../kerberos/wssec/spnego/stax-server.xml | 7 ++++
5 files changed, 62 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6e541124/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/spnego/SpnegoTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/spnego/SpnegoTokenTest.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/spnego/SpnegoTokenTest.java
index ff4e120..90280b2 100644
--- a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/spnego/SpnegoTokenTest.java
+++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/spnego/SpnegoTokenTest.java
@@ -246,6 +246,20 @@ public class SpnegoTokenTest extends AbstractLdapTestUnit {
// runKerberosTest(portName, true, PORT2);
// runKerberosTest(portName, true, STAX_PORT2);
}
+
+ @org.junit.Test
+ public void testSpnegoOverTransportEndorsingSP11() throws Exception {
+ if (!runTests || !unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ String portName = "DoubleItSpnegoTransportEndorsingSP11Port";
+ runKerberosTest(portName, false, PORT2);
+ runKerberosTest(portName, false, STAX_PORT2);
+ // TODO Supporting streaming Spnego outbound
+ // runKerberosTest(portName, true, PORT2);
+ // runKerberosTest(portName, true, STAX_PORT2);
+ }
@org.junit.Test
@org.junit.Ignore
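Review bot: The guard at the top of `testSpnegoOverTransportEndorsingSP11` returns silently when `runTests` or `unrestrictedPoliciesInstalled` is false, so a test that never exercised the endpoint is reported as a pass; `org.junit.Assume.assumeTrue(runTests && unrestrictedPoliciesInstalled);` would report it as skipped instead. This mirrors the preceding test in the file, so it is a file-wide pattern rather than something introduced here, but the new test is a natural place to start. The two commented-out streaming calls repeat the TODO of the preceding test; a single comment naming the missing feature would be enough. The enclosing class continues outside the hunk.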
http://git-wip-us.apache.org/repos/asf/cxf/blob/6e541124/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl
index a318642..c68eee8 100644
--- a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl
+++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl
@@ -109,6 +109,24 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItSpnegoTransportEndorsingSP11Binding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSpnegoTransportEndorsingSP11Policy"/>
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault"/>
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:binding name="DoubleItSpnegoSymmetricSecureConversationBinding" type="tns:DoubleItPortType">
<wsp:PolicyReference URI="#DoubleItSpnegoSymmetricSecureConversationPolicy"/>
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
@@ -143,6 +161,9 @@
<wsdl:port name="DoubleItSpnegoTransportEndorsingPort" binding="tns:DoubleItSpnegoTransportEndorsingBinding">
<soap:address location="https://localhost:9001/DoubleItSpnegoTransportEndorsing"/>
</wsdl:port>
+ <wsdl:port name="DoubleItSpnegoTransportEndorsingSP11Port" binding="tns:DoubleItSpnegoTransportEndorsingSP11Binding">
+ <soap:address location="https://localhost:9001/DoubleItSpnegoTransportEndorsingSP11"/>
+ </wsdl:port>
<wsdl:port name="DoubleItSpnegoSymmetricSecureConversationPort" binding="tns:DoubleItSpnegoSymmetricSecureConversationBinding">
<soap:address location="http://localhost:9001/DoubleItSpnegoSymmetricSecureConversation"/>
</wsdl:port>
@@ -302,7 +323,7 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
- <wsp:Policy wsu:Id="DoubleItSpnegoTransportPolicy">
+ <wsp:Policy wsu:Id="DoubleItSpnegoTransportEndorsingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
@@ -327,13 +348,13 @@
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
- <sp:SupportingTokens>
+ <sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:SpnegoContextToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
<wsp:Policy />
</sp:SpnegoContextToken>
</wsp:Policy>
- </sp:SupportingTokens>
+ </sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
@@ -344,10 +365,10 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
- <wsp:Policy wsu:Id="DoubleItSpnegoTransportEndorsingPolicy">
+ <wsp:Policy wsu:Id="DoubleItSpnegoTransportEndorsingSP11Policy">
<wsp:ExactlyOne>
<wsp:All>
- <sp:TransportBinding>
+ <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
@@ -369,9 +390,9 @@
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
- <sp:EndorsingSupportingTokens>
+ <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
- <sp:SpnegoContextToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+ <sp:SpnegoContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once">
<wsp:Policy />
</sp:SpnegoContextToken>
</wsp:Policy>
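Review bot: In the `@@ -369` hunk the SP 1.1 namespace is re-declared on `sp:TransportBinding` and on `sp:EndorsingSupportingTokens` separately, so any `sp:` element of `DoubleItSpnegoTransportEndorsingSP11Policy` outside those two subtrees stays in the SP 1.2 namespace and the policy mixes versions; the sibling policy has an `sp:Wss11` block after its supporting tokens, and whether this one does is outside the hunk. Declaring the override once, `<wsp:Policy wsu:Id="DoubleItSpnegoTransportEndorsingSP11Policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">`, makes the whole policy SP 1.1 and removes the per-element declarations. The `@@ -302` hunk renames `DoubleItSpnegoTransportPolicy` to `DoubleItSpnegoTransportEndorsingPolicy` while the `@@ -344` hunk renames the original policy of that id to the SP11 id, so any `wsp:PolicyReference` to `#DoubleItSpnegoTransportPolicy` elsewhere in the file would now dangle; that cannot be confirmed from the hunks shown.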
http://git-wip-us.apache.org/repos/asf/cxf/blob/6e541124/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/client.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/client.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/client.xml
index 136bd0a..39f4e70 100644
--- a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/client.xml
+++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/client.xml
@@ -64,6 +64,13 @@
<entry key="ws-security.callback-handler" value-ref="kerberosCallbackHandler"/>
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSpnegoTransportEndorsingSP11Port" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.kerberos.jaas.context" value="alice"/>
+ <entry key="ws-security.kerberos.spn" value="bob@service.ws.apache.org"/>
+ <entry key="ws-security.callback-handler" value-ref="kerberosCallbackHandler"/>
+ </jaxws:properties>
+ </jaxws:client>
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSpnegoSymmetricSecureConversationPort" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.kerberos.jaas.context" value="alice"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/6e541124/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/server.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/server.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/server.xml
index 8b575d8..ebf665b 100644
--- a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/server.xml
+++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/server.xml
@@ -77,6 +77,12 @@
<entry key="ws-security.callback-handler" value-ref="kerberosCallbackHandler"/>
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SpnegoOverTransportEndorsingSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSpnegoTransportEndorsingSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSpnegoTransportEndorsingSP11Port" implementor="org.apache.cxf.systest.kerberos.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl" depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.kerberos.jaas.context" value="bob"/>
+ <entry key="ws-security.callback-handler" value-ref="kerberosCallbackHandler"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SpnegoOverSymmetricSecureConversation" address="http://localhost:${testutil.ports.Server}/DoubleItSpnegoSymmetricSecureConversation" serviceName="s:DoubleItService" endpointName="s:DoubleItSpnegoSymmetricSecureConversationPort" implementor="org.apache.cxf.systest.kerberos.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl">
<jaxws:properties>
<entry key="ws-security.kerberos.jaas.context" value="bob"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/6e541124/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/stax-server.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/stax-server.xml
index 72c639b..0b5defe 100644
--- a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/stax-server.xml
+++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/spnego/stax-server.xml
@@ -82,4 +82,11 @@
<entry key="ws-security.callback-handler" value-ref="kerberosCallbackHandler"/>
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SpnegoOverTransportEndorsingSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSpnegoTransportEndorsingSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSpnegoTransportEndorsingSP11Port" implementor="org.apache.cxf.systest.kerberos.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/kerberos/wssec/spnego/DoubleItSpnego.wsdl" depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.kerberos.jaas.context" value="bob"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ <entry key="ws-security.callback-handler" value-ref="kerberosCallbackHandler"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
</beans>