Posted to commits@cxf.apache.org by co...@apache.org on 2012/05/16 15:38:29 UTC

svn commit: r1339160 - in /cxf/trunk/rt/rs/security/sso/saml: pom.xml src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java

Author: coheigea
Date: Wed May 16 13:38:28 2012
New Revision: 1339160

URL: http://svn.apache.org/viewvc?rev=1339160&view=rev
Log:
Checking Client's IP Address in the SAML Web SSO module

Modified:
    cxf/trunk/rt/rs/security/sso/saml/pom.xml
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java

Modified: cxf/trunk/rt/rs/security/sso/saml/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/pom.xml?rev=1339160&r1=1339159&r2=1339160&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/pom.xml (original)
+++ cxf/trunk/rt/rs/security/sso/saml/pom.xml Wed May 16 13:38:28 2012
@@ -32,6 +32,12 @@
         <version>2.6.1-SNAPSHOT</version>
         <relativePath>../../../../../parent/pom.xml</relativePath>
     </parent>
+    
+    <properties>
+        <cxf.osgi.import>
+            javax.servlet*;version="${cxf.osgi.javax.servlet.version}",
+        </cxf.osgi.import>
+    </properties>
 
     <dependencies>
         <dependency>
@@ -59,6 +65,10 @@
             <artifactId>cxf-rt-rs-security-xml</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>${cxf.servlet-api.group}</groupId>
+            <artifactId>${cxf.servlet-api.artifact}</artifactId>
+        </dependency>
     </dependencies>
     <build>
         <plugins>
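Review bot: The servlet API dependency added in this hunk declares no `<scope>`, and its version is also left to inherited dependency management. If the parent POM does not already mark it `provided` (not visible here), the API jar becomes a compile-scope transitive dependency of this module and can end up packaged alongside the container's own copy. Stating `<scope>provided</scope>` on the new `<dependency>` would make the intent explicit and keep the module's dependency footprint auditable.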

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1339160&r1=1339159&r2=1339160&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Wed May 16 13:38:28 2012
@@ -32,6 +32,7 @@ import java.util.UUID;
 import java.util.logging.Logger;
 import java.util.zip.DataFormatException;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.FormParam;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -57,6 +58,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
 import org.apache.cxf.rs.security.saml.sso.state.RequestState;
 import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
+import org.apache.cxf.transport.http.AbstractHTTPDestination;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
@@ -250,7 +252,11 @@ public class RequestAssertionConsumerSer
             
             SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
             ssoResponseValidator.setAssertionConsumerURL((String)jaxrsContext.get(Message.REQUEST_URL));
-            // TODO client address ssoResponseValidator.setClientAddress(clientAddress);
+            
+            HttpServletRequest httpRequest = 
+                (HttpServletRequest)jaxrsContext.get(AbstractHTTPDestination.HTTP_REQUEST);
+            ssoResponseValidator.setClientAddress(httpRequest.getRemoteAddr());
+            
             ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
             ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
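Review bot: `httpRequest` is dereferenced on the `setClientAddress` line without a null check, and `getRemoteAddr()` only reports the immediate TCP peer. If `jaxrsContext.get(AbstractHTTPDestination.HTTP_REQUEST)` returns null (presumably possible when the endpoint is not served over a servlet transport), response processing fails with a NullPointerException rather than a controlled rejection. A guard such as `if (httpRequest != null) { ssoResponseValidator.setClientAddress(httpRequest.getRemoteAddr()); }` avoids that, but whether a missing address should skip the check or fail the request needs an explicit decision, since the validator's handling of a null client address is outside this hunk. Behind a reverse proxy or load balancer the value is the proxy's address, so the comparison with the address the IdP recorded either fails for every user or stops distinguishing clients; a comment such as `// Assumes the client connects directly; behind a trusted proxy the address must come from vetted forwarding configuration` would document that. The enclosing method starts and ends outside the hunk.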

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1339160&r1=1339159&r2=1339160&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Wed May 16 13:38:28 2012
@@ -68,9 +68,9 @@ public class SAMLSSOResponseValidator {
         }
         
         // The Response must contain a Destination that matches the assertionConsumerURL if it is
-        // signed and received over the redirect Binding.
+        // signed
         String destination = samlResponse.getDestination();
-        if (!postBinding && samlResponse.isSigned()
+        if (samlResponse.isSigned()
             && (destination == null || !destination.equals(assertionConsumerURL))) {
             LOG.fine("The Response must contain a destination that matches the assertion consumer URL");
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
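Review bot: The Destination comparison is still gated on `samlResponse.isSigned()`, so a Response that is itself unsigned (for example, one where only the assertion is signed) is accepted with any or no Destination. In that case the endpoint binding depends entirely on the Recipient check for the assertion's subject confirmation, which is not visible in this hunk and should be confirmed to run on that path. The edited comment is also left split as `if it is` / `// signed`; it would read better as `// A signed Response must contain a Destination that matches the assertionConsumerURL.` Since `!postBinding` was dropped from the condition, check whether `postBinding` is still used in this method, which continues outside the hunk.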