Posted to commits@cxf.apache.org by co...@apache.org on 2012/05/16 15:38:29 UTC
svn commit: r1339160 - in /cxf/trunk/rt/rs/security/sso/saml: pom.xml
src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Author: coheigea
Date: Wed May 16 13:38:28 2012
New Revision: 1339160
URL: http://svn.apache.org/viewvc?rev=1339160&view=rev
Log:
Checking Client's IP Address in the SAML Web SSO module
Modified:
cxf/trunk/rt/rs/security/sso/saml/pom.xml
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Modified: cxf/trunk/rt/rs/security/sso/saml/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/pom.xml?rev=1339160&r1=1339159&r2=1339160&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/pom.xml (original)
+++ cxf/trunk/rt/rs/security/sso/saml/pom.xml Wed May 16 13:38:28 2012
@@ -32,6 +32,12 @@
<version>2.6.1-SNAPSHOT</version>
<relativePath>../../../../../parent/pom.xml</relativePath>
</parent>
+
+ <properties>
+ <cxf.osgi.import>
+ javax.servlet*;version="${cxf.osgi.javax.servlet.version}",
+ </cxf.osgi.import>
+ </properties>
<dependencies>
<dependency>
@@ -59,6 +65,10 @@
<artifactId>cxf-rt-rs-security-xml</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>${cxf.servlet-api.group}</groupId>
+ <artifactId>${cxf.servlet-api.artifact}</artifactId>
+ </dependency>
</dependencies>
<build>
<plugins>
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1339160&r1=1339159&r2=1339160&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Wed May 16 13:38:28 2012
@@ -32,6 +32,7 @@ import java.util.UUID;
import java.util.logging.Logger;
import java.util.zip.DataFormatException;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
@@ -57,6 +58,7 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.cxf.rs.security.saml.sso.state.RequestState;
import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
+import org.apache.cxf.transport.http.AbstractHTTPDestination;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
@@ -250,7 +252,11 @@ public class RequestAssertionConsumerSer
SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
ssoResponseValidator.setAssertionConsumerURL((String)jaxrsContext.get(Message.REQUEST_URL));
- // TODO client address ssoResponseValidator.setClientAddress(clientAddress);
+
+ HttpServletRequest httpRequest =
+ (HttpServletRequest)jaxrsContext.get(AbstractHTTPDestination.HTTP_REQUEST);
+ ssoResponseValidator.setClientAddress(httpRequest.getRemoteAddr());
+
ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
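Review bot: `httpRequest` is dereferenced at `httpRequest.getRemoteAddr()` without a null check, so if the message context holds no `AbstractHTTPDestination.HTTP_REQUEST` entry (presumably on any non-servlet transport) the service fails with a NullPointerException instead of a controlled rejection. Guard it, e.g. `if (httpRequest == null) { /* reject: client address unavailable */ }`, and decide explicitly whether a missing address rejects the response or skips the address comparison. Also, `getRemoteAddr()` returns the address of the immediate peer, so behind a reverse proxy or load balancer the validator would be given the proxy's address; a comment such as `// NOTE: this is the direct peer's address; behind a proxy it is the proxy's IP` would document that. The enclosing method starts and ends outside this hunk.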
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1339160&r1=1339159&r2=1339160&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Wed May 16 13:38:28 2012
@@ -68,9 +68,9 @@ public class SAMLSSOResponseValidator {
}
// The Response must contain a Destination that matches the assertionConsumerURL if it is
- // signed and received over the redirect Binding.
+ // signed
String destination = samlResponse.getDestination();
- if (!postBinding && samlResponse.isSigned()
+ if (samlResponse.isSigned()
&& (destination == null || !destination.equals(assertionConsumerURL))) {
LOG.fine("The Response must contain a destination that matches the assertion consumer URL");
throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
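Review bot: The rewritten comment ends in a dangling `// signed` and no longer says that the Destination check now applies to both bindings, which is the behaviour change made by dropping `!postBinding`. Suggest `// The Response must contain a Destination that matches the assertionConsumerURL` followed by `// if it is signed, regardless of the binding it was received over.` The check is still gated on `samlResponse.isSigned()`, and whether unsigned Responses are rejected elsewhere is not visible in this hunk, so a short comment saying where that is enforced would help. The rejection is logged only at `LOG.fine`, which may be too quiet for a failed security check if operators are expected to notice it. The enclosing method starts and ends outside the hunk.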