Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/11 18:02:04 UTC
[2/2] cxf git commit: [CXF-6735] - Add a configuration option to
disable the STR Transform
[CXF-6735] - Add a configuration option to disable the STR Transform
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/46362669
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/46362669
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/46362669
Branch: refs/heads/3.0.x-fixes
Commit: 463626698e399b36555a9ca35240f278bfb40153
Parents: 25f1d6d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 11 16:49:38 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 11 16:58:45 2016 +0000
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 7 +++
.../policyhandlers/AbstractBindingBuilder.java | 45 +++++++++++++-------
.../X509SymmetricBindingTest.java | 38 +++++++++++++++++
3 files changed, 75 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 286eccb..383369c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -264,6 +264,13 @@ public final class SecurityConstants {
*/
public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM =
"ws-security.swa.encryption.attachment.transform.content";
+
+ /**
+ * Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token.
+ * The default is true. Some frameworks cannot handle processing the SecurityTokenReference is created,
+ * hence set this configuration option to "false" in this case.
+ */
+ public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform";
//
// Non-boolean WS-Security Configuration parameters
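Review bot: The Javadoc on the new USE_STR_TRANSFORM constant is ungrammatical ("cannot handle processing the SecurityTokenReference is created") and does not say what the signature references instead, which is the security-relevant part of the option. Suggested wording: `Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token. The default is true. Some frameworks cannot process the SecurityTokenReference that is created, so set this to "false" in that case; the signature then references the assertion element directly by its own ID attribute.` It is also worth stating that with "false" the verifier must be able to resolve a Reference URI pointing at the assertion's SAML ID attribute rather than at a wsu:Id added by CXF, since that is what the AbstractBindingBuilder change does; I am inferring the resolver requirement from the direct `WSEncryptionPart(id)` construction rather than from anything in this hunk.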
http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 2712d60..4d33fc7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -605,6 +605,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
protected void addSignatureParts(List<SupportingToken> tokenList,
List<WSEncryptionPart> sigParts) {
+ boolean useSTRTransform =
+ MessageUtils.getContextualBoolean(
+ message, SecurityConstants.USE_STR_TRANSFORM, true
+ );
+
for (SupportingToken supportingToken : tokenList) {
Object tempTok = supportingToken.getTokenImplementation();
@@ -642,14 +647,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
Document doc = assertionWrapper.getElement().getOwnerDocument();
boolean saml1 = assertionWrapper.getSaml1() != null;
- // TODO We only support using a KeyIdentifier for the moment
- SecurityTokenReference secRef =
- createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
- Element clone = cloneElement(secRef.getElement());
- addSupportingElement(clone);
- part = new WSEncryptionPart("STRTransform", null, "Element");
- part.setId(secRef.getID());
- part.setElement(clone);
+ if (useSTRTransform) {
+ // TODO We only support using a KeyIdentifier for the moment
+ SecurityTokenReference secRef =
+ createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
+ Element clone = cloneElement(secRef.getElement());
+ addSupportingElement(clone);
+ part = new WSEncryptionPart("STRTransform", null, "Element");
+ part.setId(secRef.getID());
+ part.setElement(clone);
+ } else {
+ part = new WSEncryptionPart(assertionWrapper.getId());
+ part.setElement(assertionWrapper.getElement());
+ }
} else if (tempTok instanceof WSSecurityTokenHolder) {
SecurityToken token = ((WSSecurityTokenHolder)tempTok).getToken();
String tokenType = token.getTokenType();
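Review bot: The new else branch (`part = new WSEncryptionPart(assertionWrapper.getId()); part.setElement(assertionWrapper.getElement());`) silently changes what the Reference URI points at, and that deserves a comment because it is not obvious from the code. In the STR path the signed element is a SecurityTokenReference that this code itself creates and that gets a fresh wsu:Id via `secRef.getID()`, so the reference is always resolvable; in the direct path the URI is the assertion's own ID attribute (the value of `assertionWrapper.getId()`), which is a SAML `ID`/`AssertionID` attribute rather than a wsu:Id and must be treated as an ID-typed attribute by both the signing resolver and the verifier, otherwise the reference cannot be dereferenced. I would add before the else branch: `// Direct reference: the Reference URI is the assertion's own ID attribute (not a wsu:Id); the verifier must be able to resolve it.` The enclosing `if (tempTok instanceof SamlAssertionWrapper)` branch and the surrounding for loop start outside this hunk.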
@@ -668,13 +678,18 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
id = token.getToken().getAttributeNS(null, "ID");
}
}
- SecurityTokenReference secRef =
- createSTRForSamlAssertion(doc, id, saml1, false);
- Element clone = cloneElement(secRef.getElement());
- addSupportingElement(clone);
- part = new WSEncryptionPart("STRTransform", null, "Element");
- part.setId(secRef.getID());
- part.setElement(clone);
+ if (useSTRTransform) {
+ SecurityTokenReference secRef =
+ createSTRForSamlAssertion(doc, id, saml1, false);
+ Element clone = cloneElement(secRef.getElement());
+ addSupportingElement(clone);
+ part = new WSEncryptionPart("STRTransform", null, "Element");
+ part.setId(secRef.getID());
+ part.setElement(clone);
+ } else {
+ part = new WSEncryptionPart(id);
+ part.setElement(token.getToken());
+ }
} else {
String id = token.getId();
if (id != null && id.charAt(0) == '#') {
http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
index f019cfe..8527f65 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
@@ -233,6 +233,44 @@ public class X509SymmetricBindingTest extends AbstractBusClientServerTestBase {
bus.shutdown(true);
}
+ // Here we refer to the Assertion directly, instead of creating a SecurityTokenReference and using the
+ // STR Transform
+ @org.junit.Test
+ public void testX509SAML2SupportingDirectReferenceToAssertion() throws Exception {
+
+ // TODO Not yet supported for the client streaming code
+ if (test.isStreaming()) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2SupportingPort");
+ DoubleItPortType symmetricSaml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(symmetricSaml2Port, test.getPort());
+
+ TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, test.getStsPort());
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(symmetricSaml2Port);
+ }
+
+ ((BindingProvider)symmetricSaml2Port).getRequestContext().put("ws-security.use.str.transform", "false");
+
+ doubleIt(symmetricSaml2Port, 30);
+
+ ((java.io.Closeable)symmetricSaml2Port).close();
+ bus.shutdown(true);
+ }
+
private static void doubleIt(DoubleItPortType port, int numToDouble) {
int resp = port.doubleIt(numToDouble);
assertEquals(numToDouble * 2 , resp);
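Review bot: The new test only proves that the round trip still succeeds with `ws-security.use.str.transform` set to "false"; it does not check that the outbound Security header actually contains a direct `#<assertion ID>` Reference and no STRTransform, so a regression that ignored the property would still pass. Capturing the outbound message (for instance with an out interceptor, if the test utilities in this module provide one, which I cannot see from here) and asserting on the Reference URI would make the test meaningful. Separately, the `if (test.isStreaming()) { SecurityTestUtil.enableStreaming(symmetricSaml2Port); }` block is unreachable because the method already returns on `test.isStreaming()` a few lines above; drop the second block or move the TODO to it. Using `SecurityConstants.USE_STR_TRANSFORM` instead of the literal `"ws-security.use.str.transform"` would also keep the test tied to the constant, assuming the test module can import that class.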