Posted to commits@cxf.apache.org by co...@apache.org on 2012/05/17 14:44:47 UTC
svn commit: r1339577 - in
/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso:
RequestAssertionConsumerService.java SAMLSSOResponseValidator.java
Author: coheigea
Date: Thu May 17 12:44:46 2012
New Revision: 1339577
URL: http://svn.apache.org/viewvc?rev=1339577&view=rev
Log:
Make the enforcement of signed Assertions configurable for Web SSO
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1339577&r1=1339576&r2=1339577&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Thu May 17 12:44:46 2012
@@ -77,6 +77,7 @@ public class RequestAssertionConsumerSer
private boolean supportBase64Encoding = true;
private Crypto signatureCrypto;
private String signaturePropertiesFile;
+ private boolean enforceAssertionsSigned = true;
@Context
private MessageContext jaxrsContext;
@@ -88,6 +89,13 @@ public class RequestAssertionConsumerSer
return supportDeflateEncoding;
}
+ /**
+ * Enforce that Assertions must be signed if the POST binding was used. The default is true.
+ */
+ public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
+ this.enforceAssertionsSigned = enforceAssertionsSigned;
+ }
+
public void setSupportBase64Encoding(boolean supportBase64Encoding) {
this.supportBase64Encoding = supportBase64Encoding;
}
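Review bot: The Javadoc on setEnforceAssertionsSigned in this hunk states the default but not the security consequence of switching the check off, which is what a deployer needs before relaxing it; the identical Javadoc on the setter added to SAMLSSOResponseValidator (hunk @@ -45,6 +45,14) has the same gap. I would reword it as `Whether each Assertion in a Response delivered over the HTTP POST binding must carry a signature, as the SAML 2.0 Web Browser SSO profile requires. Set this to false only when the enclosing Response is itself signed and validated, otherwise an Assertion with no proof of origin would be accepted. The default is true.` Whether the Response-level signature is verified elsewhere in the validator is not visible in this diff, so that dependency should be stated explicitly rather than left to the reader.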
@@ -294,9 +302,9 @@ public class RequestAssertionConsumerSer
ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
+ ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
- // TODO post binding
- return ssoResponseValidator.validateSamlResponse(samlResponse, false);
+ return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);
} catch (WSSecurityException ex) {
reportError("INVALID_SAML_RESPONSE");
throw new WebApplicationException(400);
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1339577&r1=1339576&r2=1339577&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Thu May 17 12:44:46 2012
@@ -45,6 +45,14 @@ public class SAMLSSOResponseValidator {
private String clientAddress;
private String requestId;
private String spIdentifier;
+ private boolean enforceAssertionsSigned = true;
+
+ /**
+ * Enforce that Assertions must be signed if the POST binding was used. The default is true.
+ */
+ public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
+ this.enforceAssertionsSigned = enforceAssertionsSigned;
+ }
/**
* Validate a SAML 2 Protocol Response
@@ -86,7 +94,7 @@ public class SAMLSSOResponseValidator {
}
validateIssuer(assertion.getIssuer());
- if (postBinding && assertion.getSignature() == null) {
+ if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) {
LOG.fine("If the HTTP Post binding is used to deliver the Response, "
+ "the enclosed assertions must be signed");
throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
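Review bot: With enforceAssertionsSigned set to false, an unsigned Assertion received over the POST binding now passes the new condition without leaving any trace, because the only log statement sits inside the branch that throws. A deployment that has deliberately relaxed the check still benefits from seeing when it took effect, so I would add after the if-block `else if (postBinding && assertion.getSignature() == null) { LOG.fine("Accepting unsigned Assertion over the POST binding because enforceAssertionsSigned is false"); }`. The closing brace of this if-block and the remainder of the enclosing validation method lie beyond the end of the hunk. The condition also only tests for the presence of a Signature element; actual verification of that signature is presumably done elsewhere and is not visible here.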