Posted to commits@cxf.apache.org by co...@apache.org on 2015/11/27 13:44:00 UTC

[2/3] cxf git commit: Explicitly disallow SAML 1.1 in OAuth

Explicitly disallow SAML 1.1 in OAuth


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d4e1d302
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d4e1d302
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d4e1d302

Branch: refs/heads/master
Commit: d4e1d302493f5ae1603fa71d1e17ee78fe40b212
Parents: a369148
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 11:25:08 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 27 11:25:08 2015 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/oauth2/saml/SamlOAuthValidator.java       | 7 +++++++
 1 file changed, 7 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d4e1d302/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index ffb8719..5a87fd4 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -62,6 +62,7 @@ public class SamlOAuthValidator {
     }
     
     public void validate(Message message, SamlAssertionWrapper wrapper) {
+        validateSAMLVersion(wrapper);
         
         Conditions cs = wrapper.getSaml2().getConditions();
         validateAudience(message, cs);
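Review bot: The new `validateSAMLVersion(wrapper)` call only protects the `wrapper.getSaml2().getConditions()` dereference on the following line because it runs first, and nothing in the code records that ordering constraint, so a later reordering of the checks in validate() would turn a SAML 1.1 assertion back into a NullPointerException rather than a 401. A short comment on the added line would pin it down: `// Must run before any getSaml2() dereference: non-SAML 2.0 assertions have no SAML 2 object and are rejected here.` The body of validate() continues past the end of this hunk, so whether other helpers it calls also assume getSaml2() is non-null cannot be confirmed from here.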
@@ -79,6 +80,12 @@ public class SamlOAuthValidator {
         }
     }
     
+    private void validateSAMLVersion(SamlAssertionWrapper assertionW) {
+        if (assertionW.getSaml2() == null) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+    }
+    
     private String getIssuer(SamlAssertionWrapper assertionW) {
         Issuer samlIssuer = assertionW.getSaml2().getIssuer();
         return samlIssuer == null ? null : samlIssuer.getValue();
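Review bot: validateSAMLVersion rejects the assertion with `ExceptionUtils.toNotAuthorizedException(null, null)`, passing neither a cause nor a response, so the server side keeps no record of why the token was refused and a client presenting a SAML 1.1 assertion is hard to distinguish from any other authorization failure. If the class has a logger (not visible in this hunk), a non-sensitive warning before the throw, e.g. `LOG.warning("Only SAML 2.0 assertions are supported by the OAuth SAML validator");`, would make the rejection diagnosable without leaking detail to the client. The private method also lacks a comment stating its contract; a one-line Javadoc such as "Rejects assertions that do not carry a SAML 2.0 object (i.e. SAML 1.1), since only the SAML 2.0 profile is supported here" would do. Note that getIssuer at the end of this hunk dereferences getSaml2() unguarded and relies on validateSAMLVersion having run earlier in validate(); its closing brace lies outside the hunk.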