Posted to commits@cxf.apache.org by co...@apache.org on 2012/05/17 14:44:47 UTC

svn commit: r1339577 - in /cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso: RequestAssertionConsumerService.java SAMLSSOResponseValidator.java

Author: coheigea
Date: Thu May 17 12:44:46 2012
New Revision: 1339577

URL: http://svn.apache.org/viewvc?rev=1339577&view=rev
Log:
Make the enforcement of signed Assertions configurable for Web SSO

Modified:
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1339577&r1=1339576&r2=1339577&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Thu May 17 12:44:46 2012
@@ -77,6 +77,7 @@ public class RequestAssertionConsumerSer
     private boolean supportBase64Encoding = true;
     private Crypto signatureCrypto;
     private String signaturePropertiesFile;
+    private boolean enforceAssertionsSigned = true;
 
     @Context 
     private MessageContext jaxrsContext;
@@ -88,6 +89,13 @@ public class RequestAssertionConsumerSer
         return supportDeflateEncoding;
     }
     
+    /**
+     * Enforce that Assertions must be signed if the POST binding was used. The default is true.
+     */
+    public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
+        this.enforceAssertionsSigned = enforceAssertionsSigned;
+    }
+    
     public void setSupportBase64Encoding(boolean supportBase64Encoding) {
         this.supportBase64Encoding = supportBase64Encoding;
     }
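Review bot: The Javadoc on setEnforceAssertionsSigned states the default but not what switching it off gives up: under the HTTP-POST binding the SAML 2.0 Web SSO profile relies on the Assertion signature for integrity, so with false an unsigned Assertion delivered by POST is passed through to the validator, and the only remaining integrity check would be a signature on the enclosing Response, which this diff does not show being required. I would extend the Javadoc with: `Setting this to false is only safe when the Response itself is signed and that signature is verified; otherwise an Assertion can be forged by anyone able to reach the consumer endpoint.` The setter itself is fine; the enclosing class continues outside the hunk.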
@@ -294,9 +302,9 @@ public class RequestAssertionConsumerSer
             ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
             ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
+            ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
 
-            // TODO post binding
-            return ssoResponseValidator.validateSamlResponse(samlResponse, false);
+            return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);
         } catch (WSSecurityException ex) {
             reportError("INVALID_SAML_RESPONSE");
             throw new WebApplicationException(400);

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1339577&r1=1339576&r2=1339577&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Thu May 17 12:44:46 2012
@@ -45,6 +45,14 @@ public class SAMLSSOResponseValidator {
     private String clientAddress;
     private String requestId;
     private String spIdentifier;
+    private boolean enforceAssertionsSigned = true;
+    
+    /**
+     * Enforce that Assertions must be signed if the POST binding was used. The default is true.
+     */
+    public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
+        this.enforceAssertionsSigned = enforceAssertionsSigned;
+    }
     
     /**
      * Validate a SAML 2 Protocol Response
@@ -86,7 +94,7 @@ public class SAMLSSOResponseValidator {
             }
             validateIssuer(assertion.getIssuer());
             
-            if (postBinding && assertion.getSignature() == null) {
+            if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) {
                 LOG.fine("If the HTTP Post binding is used to deliver the Response, "
                          + "the enclosed assertions must be signed");
                 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
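Review bot: When enforceAssertionsSigned is false the relaxed condition on the changed line silently accepts an unsigned Assertion over POST, leaving no trace in the log that the profile's signing requirement was waived, which makes a misconfiguration hard to spot after the fact. I would test for the unsigned-over-POST case first and have the relaxed path log that it was taken, as below, so the existing message and exception are unchanged on the strict path. This check only concerns the POST binding; whether a signed Response is demanded instead is not visible here, so deployments that rely on this flag need that verified elsewhere. The loop and method this check sits in continue outside the hunk.
```java
if (postBinding && assertion.getSignature() == null) {
    if (enforceAssertionsSigned) {
        LOG.fine("If the HTTP Post binding is used to deliver the Response, "
                 + "the enclosed assertions must be signed");
        throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
    }
    LOG.fine("Accepting an unsigned Assertion over the HTTP Post binding "
             + "because enforceAssertionsSigned is false");
}
```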