Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/12 13:22:01 UTC
svn commit: r1522530 - in /cxf/branches/2.6.x-fixes/services/sts:
sts-core/src/main/java/org/apache/cxf/sts/token/delegation/
systests/basic/src/test/java/org/apache/cxf/systest/sts/common/
systests/basic/src/test/resources/org/apache/cxf/systest/sts/d...
Author: coheigea
Date: Thu Sep 12 11:22:01 2013
New Revision: 1522530
URL: http://svn.apache.org/r1522530
Log:
Merged revisions 1522519 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes
........
r1522519 | coheigea | 2013-09-12 11:58:26 +0100 (Thu, 12 Sep 2013) | 2 lines
Make it easier to relax the AudienceRestriction requirement for OnBehalfOf SAML Tokens
........
Removed:
cxf/branches/2.6.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/HOKDelegationHandler.java
Modified:
cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/HOKDelegationHandler.java
cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/SAMLDelegationHandler.java
cxf/branches/2.6.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
Modified: cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/HOKDelegationHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/HOKDelegationHandler.java?rev=1522530&r1=1522529&r2=1522530&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/HOKDelegationHandler.java (original)
+++ cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/HOKDelegationHandler.java Thu Sep 12 11:22:01 2013
@@ -60,7 +60,7 @@ public class HOKDelegationHandler extend
}
}
- if (appliesToAddress != null) {
+ if (isCheckAudienceRestriction() && appliesToAddress != null) {
List<String> addresses = getAudienceRestrictions(assertion);
if (!(addresses.isEmpty() || addresses.contains(appliesToAddress))) {
return false;
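Review bot: With the new `isCheckAudienceRestriction()` guard on the `if`, a disabled check is skipped without any trace, so the logs cannot show that an OnBehalfOf token was accepted without being matched against its AudienceRestriction URIs. An `else if (appliesToAddress != null)` branch with a fine-level message such as `LOG.fine("AudienceRestriction check is disabled, AppliesTo address not validated");` would make that visible. This assumes a logger is in scope in HOKDelegationHandler, which the hunk does not show. The same applies to the guarded `if` in the SAMLDelegationHandler hunk at -92,7. The enclosing method starts and ends outside the hunk.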
Modified: cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/SAMLDelegationHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/SAMLDelegationHandler.java?rev=1522530&r1=1522529&r2=1522530&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/SAMLDelegationHandler.java (original)
+++ cxf/branches/2.6.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/delegation/SAMLDelegationHandler.java Thu Sep 12 11:22:01 2013
@@ -44,6 +44,8 @@ public class SAMLDelegationHandler imple
private static final Logger LOG =
LogUtils.getL7dLogger(SAMLDelegationHandler.class);
+ private boolean checkAudienceRestriction = true;
+
public boolean canHandleToken(ReceivedToken delegateTarget) {
Object token = delegateTarget.getToken();
if (token instanceof Element) {
@@ -92,7 +94,7 @@ public class SAMLDelegationHandler imple
}
}
- if (appliesToAddress != null) {
+ if (checkAudienceRestriction && appliesToAddress != null) {
List<String> addresses = getAudienceRestrictions(assertion);
if (!(addresses.isEmpty() || addresses.contains(appliesToAddress))) {
LOG.fine("The AppliesTo address " + appliesToAddress + " is not contained"
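Review bot: The guard here reads the private field directly, while the HOKDelegationHandler hunk in the same commit calls `isCheckAudienceRestriction()`. A subclass that overrides the accessor would then change the behaviour of one handler and not the other. Using the accessor in both places keeps the two checks in step: `if (isCheckAudienceRestriction() && appliesToAddress != null) {`. The `LOG.fine` statement and the enclosing method continue outside the hunk.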
@@ -129,4 +131,16 @@ public class SAMLDelegationHandler imple
return addresses;
}
+ public boolean isCheckAudienceRestriction() {
+ return checkAudienceRestriction;
+ }
+
+ /**
+ * Set whether to perform a check that the received AppliesTo address is contained in the
+ * token as one of the AudienceRestriction URIs. The default is true.
+ * @param checkAudienceRestriction whether to perform an audience restriction check or not
+ */
+ public void setCheckAudienceRestriction(boolean checkAudienceRestriction) {
+ this.checkAudienceRestriction = checkAudienceRestriction;
+ }
}
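Review bot: The Javadoc on `setCheckAudienceRestriction` says what the flag toggles but not what disabling it permits, and `isCheckAudienceRestriction()` has no Javadoc at all. With the value set to false, a SAML token whose AudienceRestriction names a different service is accepted as an OnBehalfOf token for the requested AppliesTo address, so the setter comment should say so. A suggested addition is `Disabling the check means a token restricted to another audience is accepted for delegation; only do so when every token presented to this STS is trusted for all AppliesTo addresses it serves.` The getter could carry a one-line `@return whether the AudienceRestriction check is performed (default true)`.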
Modified: cxf/branches/2.6.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml?rev=1522530&r1=1522529&r2=1522530&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml (original)
+++ cxf/branches/2.6.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml Thu Sep 12 11:22:01 2013
@@ -48,7 +48,9 @@
</cxf:bus>
<bean id="hokDelegationHandler"
- class="org.apache.cxf.systest.sts.common.HOKDelegationHandler" />
+ class="org.apache.cxf.sts.token.delegation.HOKDelegationHandler">
+ <property name="checkAudienceRestriction" value="false"/>
+ </bean>
<bean id="transportSTSProviderBean"
class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">