Posted to commits@cxf.apache.org by co...@apache.org on 2015/11/27 13:44:00 UTC
[2/3] cxf git commit: Explicitly disallow SAML 1.1 in OAuth
Explicitly disallow SAML 1.1 in OAuth
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d4e1d302
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d4e1d302
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d4e1d302
Branch: refs/heads/master
Commit: d4e1d302493f5ae1603fa71d1e17ee78fe40b212
Parents: a369148
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 11:25:08 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Nov 27 11:25:08 2015 +0000
----------------------------------------------------------------------
.../cxf/rs/security/oauth2/saml/SamlOAuthValidator.java | 7 +++++++
1 file changed, 7 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d4e1d302/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index ffb8719..5a87fd4 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -62,6 +62,7 @@ public class SamlOAuthValidator {
}
public void validate(Message message, SamlAssertionWrapper wrapper) {
+ validateSAMLVersion(wrapper);
Conditions cs = wrapper.getSaml2().getConditions();
validateAudience(message, cs);
@@ -79,6 +80,12 @@ public class SamlOAuthValidator {
}
}
+ private void validateSAMLVersion(SamlAssertionWrapper assertionW) {
+ if (assertionW.getSaml2() == null) {
+ throw ExceptionUtils.toNotAuthorizedException(null, null);
+ }
+ }
+
private String getIssuer(SamlAssertionWrapper assertionW) {
Issuer samlIssuer = assertionW.getSaml2().getIssuer();
return samlIssuer == null ? null : samlIssuer.getValue();
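Review bot: The new `validateSAMLVersion` establishes "not SAML 2.0" only indirectly, by `getSaml2()` returning null, so a wrapper that failed to populate any assertion is rejected with the same bare `NotAuthorizedException` as a SAML 1.1 token, and the method name does not say what is actually being tested. If the WSS4J version in use exposes `SamlAssertionWrapper.getSamlVersion()`, a check such as `if (assertionW.getSamlVersion() != SAMLVersion.VERSION_20) {` states the policy directly; otherwise a comment on the null test, `// only the SAML 2.0 object model is populated; SAML 1.1 assertions are rejected here`, would make the intent clear to the next reader. Calling the check before `wrapper.getSaml2().getConditions()` in `validate` (first hunk) is the right order, so the former NullPointerException path becomes a deliberate 401. `getIssuer` on the last lines still dereferences `getSaml2()` without a guard and relies on being invoked only after `validate`, which cannot be confirmed from this hunk.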