Posted to commits@cxf.apache.org by co...@apache.org on 2012/11/27 17:21:44 UTC
svn commit: r1414247 - in /cxf/trunk/rt/ws/security/src:
main/java/org/apache/cxf/ws/security/
main/java/org/apache/cxf/ws/security/wss4j/
main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
test/java/org/apache/cxf/ws/security/wss4j/saml/
Author: coheigea
Date: Tue Nov 27 16:21:43 2012
New Revision: 1414247
URL: http://svn.apache.org/viewvc?rev=1414247&view=rev
Log:
[CXF-4655] - Enforce SAML SubjectConfirmation requirements for the non WS-SecurityPolicy case
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1414247&r1=1414246&r2=1414247&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Tue Nov 27 16:21:43 2012
@@ -25,7 +25,8 @@ import java.util.HashSet;
import java.util.Set;
/**
- * Configuration tags used to configure the WS-SecurityPolicy layer.
+ * Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also
+ * used by the non WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors.
*/
public final class SecurityConstants {
@@ -174,6 +175,13 @@ public final class SecurityConstants {
*/
public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
+ /**
+ * Whether to validate the SubjectConfirmation requirements of a received SAML Token
+ * (sender-vouches or holder-of-key). The default is true.
+ */
+ public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION =
+ "ws-security.validate.saml.subject.conf";
+
//
// Non-boolean WS-Security Configuration parameters
//
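Review bot: The Javadoc for VALIDATE_SAML_SUBJECT_CONFIRMATION does not say which code path honours it; on this page it is read only by `WSS4JInInterceptor.checkActions` (the last hunk of that file), and that method returns early for the WS-SecurityPolicy case (`ignoreActions`), where `SamlTokenPolicyValidator` performs the equivalent checks unconditionally. Suggest adding to the comment: `* Only consulted by the WSS4JInInterceptor (non WS-SecurityPolicy case); the policy validators always enforce these checks.` It would also help to state what "false" means in practice — the holder-of-key and sender-vouches proof-of-possession checks are skipped entirely — so that operators only disable it where the transport provides equivalent assurance.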
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1414247&r1=1414246&r2=1414247&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java Tue Nov 27 16:21:43 2012
@@ -19,20 +19,41 @@
package org.apache.cxf.ws.security.wss4j;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.List;
+import java.util.logging.Logger;
import org.w3c.dom.Element;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.opensaml.common.SAMLVersion;
import org.opensaml.xml.XMLObject;
/**
* internal SAMLUtils to avoid direct reference to opensaml from WSS4J interceptors.
*/
-final class SAMLUtils {
+public final class SAMLUtils {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class);
+
private SAMLUtils() {
}
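Review bot: The class Javadoc still describes SAMLUtils as "internal ... to avoid direct reference to opensaml from WSS4J interceptors", while this hunk makes the class public so that the policyvalidators package can call it. Suggest updating the comment to match the new visibility, e.g. `* Utility methods for validating received SAML Assertions (SubjectConfirmation checks shared by the WSS4J interceptors and the policy validators); keeps direct opensaml references out of the interceptors.` If the class is still not meant to be a supported extension point for users, say so in the same comment rather than leaving "internal" on a public class.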
@@ -127,5 +148,214 @@ final class SAMLUtils {
}
return Collections.unmodifiableList(roles);
}
+
+ public static void validateSAMLResults(
+ List<WSSecurityEngineResult> results,
+ Message message,
+ Element body
+ ) throws WSSecurityException {
+ List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
+
+ if (samlResults.isEmpty()) {
+ return;
+ }
+
+ List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_SIGN, signedResults);
+
+ for (WSSecurityEngineResult samlResult : samlResults) {
+ AssertionWrapper assertionWrapper =
+ (AssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+
+ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+ if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+ LOG.warning("Assertion fails holder-of-key requirements");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults)) {
+ LOG.warning("Assertion fails sender-vouches requirements");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ }
+
+ /**
+ * Check the holder-of-key requirements against the received assertion. The subject
+ * credential of the SAML Assertion must have been used to sign some portion of
+ * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
+ * the subject credential of the SAML Assertion must match a client certificate credential
+ * when 2-way TLS is used.
+ * @param assertionWrapper the SAML Assertion wrapper object
+ * @param signedResults a list of all of the signed results
+ */
+ public static boolean checkHolderOfKey(
+ AssertionWrapper assertionWrapper,
+ List<WSSecurityEngineResult> signedResults,
+ Certificate[] tlsCerts
+ ) {
+ List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+ for (String confirmationMethod : confirmationMethods) {
+ if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+ if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) {
+ return false;
+ }
+ SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+ if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
+ * used to verify signatures.
+ * Return true on a match
+ * @param subjectKeyInfo the SAMLKeyInfo object
+ * @param signedResults a list of all of the signed results
+ * @return true if the credentials of the assertion were used to verify a signature
+ */
+ public static boolean compareCredentials(
+ SAMLKeyInfo subjectKeyInfo,
+ List<WSSecurityEngineResult> signedResults,
+ Certificate[] tlsCerts
+ ) {
+ X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+ PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+ byte[] subjectSecretKey = subjectKeyInfo.getSecret();
+
+ //
+ // Try to match the TLS certs first
+ //
+ if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null
+ && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) {
+ return true;
+ } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null
+ && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+ return true;
+ }
+
+ //
+ // Now try the message-level signatures
+ //
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ X509Certificate[] certs =
+ (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ PublicKey publicKey =
+ (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ byte[] secretKey =
+ (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
+ if (certs != null && certs.length > 0 && subjectCerts != null
+ && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) {
+ return true;
+ }
+ if (publicKey != null && publicKey.equals(subjectPublicKey)) {
+ return true;
+ }
+ if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private static boolean checkSecretKey(
+ byte[] secretKey,
+ byte[] subjectSecretKey,
+ WSSecurityEngineResult signedResult
+ ) {
+ if (secretKey != null && subjectSecretKey != null) {
+ if (Arrays.equals(secretKey, subjectSecretKey)) {
+ return true;
+ } else {
+ Principal principal =
+ (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ if (principal instanceof WSDerivedKeyTokenPrincipal) {
+ secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
+ if (Arrays.equals(secretKey, subjectSecretKey)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Check the sender-vouches requirements against the received assertion. The SAML
+ * Assertion and the SOAP Body must be signed by the same signature.
+ */
+ public static boolean checkSenderVouches(
+ AssertionWrapper assertionWrapper,
+ Certificate[] tlsCerts,
+ Element body,
+ List<WSSecurityEngineResult> signed
+ ) {
+ //
+ // If we have a 2-way TLS connection, then we don't have to check that the
+ // assertion + SOAP body are signed
+ //
+ if (tlsCerts != null && tlsCerts.length > 0) {
+ return true;
+ }
+ List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+ for (String confirmationMethod : confirmationMethods) {
+ if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+ if (signed == null || signed.isEmpty()) {
+ return false;
+ }
+ if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Return true if there is a signature which references the Assertion and the SOAP Body.
+ * @param assertionWrapper the AssertionWrapper object
+ * @param body The SOAP body
+ * @param signed The List of signed results
+ * @return true if there is a signature which references the Assertion and the SOAP Body.
+ */
+ private static boolean checkAssertionAndBodyAreSigned(
+ AssertionWrapper assertionWrapper,
+ Element body,
+ List<WSSecurityEngineResult> signed
+ ) {
+ for (WSSecurityEngineResult signedResult : signed) {
+ List<WSDataRef> sl =
+ CastUtils.cast((List<?>)signedResult.get(
+ WSSecurityEngineResult.TAG_DATA_REF_URIS
+ ));
+ boolean assertionIsSigned = false;
+ boolean bodyIsSigned = false;
+ if (sl != null) {
+ for (WSDataRef dataRef : sl) {
+ Element se = dataRef.getProtectedElement();
+ if (se == assertionWrapper.getElement()) {
+ assertionIsSigned = true;
+ }
+ if (se == body) {
+ bodyIsSigned = true;
+ }
+ if (assertionIsSigned && bodyIsSigned) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
}
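Review bot: `validateSAMLResults` is a new public entry point with no Javadoc, and the Javadoc copied onto `checkHolderOfKey`/`checkSenderVouches` has no `@param tlsCerts`, `@param body` or `@return` tags; the new comment should state that any assertion whose holder-of-key or sender-vouches confirmation cannot be proven is rejected with INVALID_SECURITY, and that a null `body` can never satisfy sender-vouches (the check is `se == body`). The `TLSSessionInfo` lookup at the top of the loop body does not depend on the loop variable, so `tlsInfo`/`tlsCerts` can be computed once before `for (WSSecurityEngineResult samlResult : samlResults)`. `checkHolderOfKey` passes `assertionWrapper.getSubjectKeyInfo()` straight into `compareCredentials`, which dereferences it on its first line; if the wrapper can return null there (not verifiable from this page), the failure would surface as a NullPointerException instead of the INVALID_SECURITY fault raised for every other failed check, so a `if (subjectKeyInfo == null) { return false; }` guard before the call would keep the failure mode uniform. The 2-way TLS shortcut in `checkSenderVouches` is moved rather than new, but it now also governs the non-policy path; the comment above it should record that it relies on the transport layer having already authenticated the client certificate, since the method itself never compares `tlsCerts` against the assertion or the signature results.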
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1414247&r1=1414246&r2=1414247&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Tue Nov 27 16:21:43 2012
@@ -281,7 +281,7 @@ public class WSS4JInInterceptor extends
storeSignature(msg, reqData, wsResult);
storeTimestamp(msg, reqData, wsResult);
- checkActions(msg, reqData, wsResult, actions);
+ checkActions(msg, reqData, wsResult, actions, SAAJUtils.getBody(doc));
doResults(
msg, actor,
SAAJUtils.getHeader(doc),
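Review bot: `SAAJUtils.getBody(doc)` is now evaluated once for `checkActions` and again for the `doResults` call immediately after it, and the same pattern appears at the second call site in the `else` branch (next hunk). A single `Element body = SAAJUtils.getBody(doc);` computed before the branch and passed to both calls makes it visible that the SAML sender-vouches check and the result processing operate on the same element, and avoids the repeated SAAJ lookup. The enclosing method starts outside the hunk.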
@@ -310,7 +310,7 @@ public class WSS4JInInterceptor extends
SAAJUtils.getBody(doc),
wsResult);
} else {
- checkActions(msg, reqData, wsResult, actions);
+ checkActions(msg, reqData, wsResult, actions, SAAJUtils.getBody(doc));
doResults(msg, actor,
SAAJUtils.getHeader(doc),
SAAJUtils.getBody(doc),
@@ -342,7 +342,8 @@ public class WSS4JInInterceptor extends
SoapMessage msg,
RequestData reqData,
List<WSSecurityEngineResult> wsResult,
- List<Integer> actions
+ List<Integer> actions,
+ Element body
) throws WSSecurityException {
if (ignoreActions) {
// Not applicable for the WS-SecurityPolicy case
@@ -364,6 +365,16 @@ public class WSS4JInInterceptor extends
+ "SignatureCoverageChecker";
LOG.warning(warning);
}
+
+ // Now check SAML SenderVouches + Holder Of Key requirements
+ boolean validateSAMLSubjectConf =
+ MessageUtils.getContextualBoolean(
+ msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
+ );
+ if (validateSAMLSubjectConf) {
+ SAMLUtils.validateSAMLResults(wsResult, msg, body);
+ }
+
}
private void storeSignature(
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1414247&r1=1414246&r2=1414247&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java Tue Nov 27 16:21:43 2012
@@ -19,22 +19,17 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
-import java.security.Principal;
-import java.security.PublicKey;
import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
+import org.apache.cxf.ws.security.wss4j.SAMLUtils;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
/**
* Some abstract functionality for validating SAML Assertions
@@ -82,19 +77,7 @@ public abstract class AbstractSamlPolicy
List<WSSecurityEngineResult> signedResults,
Certificate[] tlsCerts
) {
- List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
- for (String confirmationMethod : confirmationMethods) {
- if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
- if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) {
- return false;
- }
- SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
- if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
- return false;
- }
- }
- }
- return true;
+ return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
}
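Review bot: `checkHolderOfKey` and `compareCredentials` (this hunk and the next one in the file) are now one-line delegations to `SAMLUtils`, but their Javadoc begins above the hunk, outside view, and presumably still describes the algorithm in full. Suggest replacing the duplicated description with `@see SAMLUtils#checkHolderOfKey` / `@see SAMLUtils#compareCredentials` so the two copies cannot drift, plus a sentence saying whether the wrappers are kept for subclasses to override or purely for backward compatibility. Both method signatures begin outside the hunk.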
/**
@@ -110,65 +93,7 @@ public abstract class AbstractSamlPolicy
List<WSSecurityEngineResult> signedResults,
Certificate[] tlsCerts
) {
- X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
- PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
- byte[] subjectSecretKey = subjectKeyInfo.getSecret();
-
- //
- // Try to match the TLS certs first
- //
- if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null
- && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) {
- return true;
- } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null
- && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
- return true;
- }
-
- //
- // Now try the message-level signatures
- //
- for (WSSecurityEngineResult signedResult : signedResults) {
- X509Certificate[] certs =
- (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
- PublicKey publicKey =
- (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
- byte[] secretKey =
- (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
- if (certs != null && certs.length > 0 && subjectCerts != null
- && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) {
- return true;
- }
- if (publicKey != null && publicKey.equals(subjectPublicKey)) {
- return true;
- }
- if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
- return true;
- }
- }
- return false;
+ return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
}
- private boolean checkSecretKey(
- byte[] secretKey,
- byte[] subjectSecretKey,
- WSSecurityEngineResult signedResult
- ) {
- if (secretKey != null && subjectSecretKey != null) {
- if (Arrays.equals(secretKey, subjectSecretKey)) {
- return true;
- } else {
- Principal principal =
- (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
- if (principal instanceof WSDerivedKeyTokenPrincipal) {
- secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
- if (Arrays.equals(secretKey, subjectSecretKey)) {
- return true;
- }
- }
- }
- }
- return false;
- }
-
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1414247&r1=1414246&r2=1414247&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Tue Nov 27 16:21:43 2012
@@ -26,20 +26,17 @@ import java.util.List;
import org.w3c.dom.Element;
-import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.cxf.ws.security.wss4j.SAMLUtils;
import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.util.WSSecurityUtil;
-
import org.opensaml.common.SAMLVersion;
/**
@@ -102,7 +99,7 @@ public class SamlTokenPolicyValidator ex
ai.setNotAsserted("Assertion fails holder-of-key requirements");
return false;
}
- if (!checkSenderVouches(assertionWrapper, tlsCerts)) {
+ if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
ai.setNotAsserted("Assertion fails sender-vouches requirements");
return false;
}
@@ -146,63 +143,4 @@ public class SamlTokenPolicyValidator ex
return true;
}
- /**
- * Check the sender-vouches requirements against the received assertion. The SAML
- * Assertion and the SOAP Body must be signed by the same signature.
- */
- private boolean checkSenderVouches(
- AssertionWrapper assertionWrapper,
- Certificate[] tlsCerts
- ) {
- //
- // If we have a 2-way TLS connection, then we don't have to check that the
- // assertion + SOAP body are signed
- //
- if (tlsCerts != null && tlsCerts.length > 0) {
- return true;
- }
- List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
- for (String confirmationMethod : confirmationMethods) {
- if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
- if (signed == null || signed.isEmpty()) {
- return false;
- }
- if (!checkAssertionAndBodyAreSigned(assertionWrapper)) {
- return false;
- }
- }
- }
- return true;
- }
-
- /**
- * Return true if there is a signature which references the Assertion and the SOAP Body.
- * @param assertionWrapper the AssertionWrapper object
- * @return true if there is a signature which references the Assertion and the SOAP Body.
- */
- private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) {
- for (WSSecurityEngineResult signedResult : signed) {
- List<WSDataRef> sl =
- CastUtils.cast((List<?>)signedResult.get(
- WSSecurityEngineResult.TAG_DATA_REF_URIS
- ));
- boolean assertionIsSigned = false;
- boolean bodyIsSigned = false;
- if (sl != null) {
- for (WSDataRef dataRef : sl) {
- Element se = dataRef.getProtectedElement();
- if (se == assertionWrapper.getElement()) {
- assertionIsSigned = true;
- }
- if (se == body) {
- bodyIsSigned = true;
- }
- if (assertionIsSigned && bodyIsSigned) {
- return true;
- }
- }
- }
- }
- return false;
- }
}
Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java?rev=1414247&r1=1414246&r2=1414247&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java Tue Nov 27 16:21:43 2012
@@ -100,7 +100,10 @@ public class SamlTokenTest extends Abstr
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml1:Assertion");
- Message message = makeInvocation(outProperties, xpaths, inProperties);
+ Map<String, String> inMessageProperties = new HashMap<String, String>();
+ inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+ Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
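Review bot: Every modified test on this page sets VALIDATE_SAML_SUBJECT_CONFIRMATION to "false" (this hunk and the four that follow it), so the new enforcement in `WSS4JInInterceptor.checkActions` is exercised here only in its disabled state; unless tests elsewhere cover it, a case that leaves the default in place and expects a WSSecurityException fault for an assertion without proof of possession, plus a passing case for a holder-of-key assertion whose key signs the body, would pin the behaviour this commit introduces. A one-line comment above `inMessageProperties.put(...)` saying why the check is switched off for this test — presumably because the assertion it sends carries no proof of possession, which cannot be confirmed from the hunk — e.g. `// The assertion in this test is not backed by a signature or TLS cert, so subject-confirmation enforcement is disabled`, would also stop a later reader from removing the property as dead configuration.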
@@ -138,7 +141,10 @@ public class SamlTokenTest extends Abstr
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml2:Assertion");
- Message message = makeInvocation(outProperties, xpaths, inProperties);
+ Map<String, String> inMessageProperties = new HashMap<String, String>();
+ inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+ Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
@@ -404,7 +410,10 @@ public class SamlTokenTest extends Abstr
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml2:Assertion");
- Message message = makeInvocation(outProperties, xpaths, inProperties);
+ Map<String, String> inMessageProperties = new HashMap<String, String>();
+ inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+ Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
@@ -451,7 +460,10 @@ public class SamlTokenTest extends Abstr
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml2:Assertion");
- Message message = makeInvocation(outProperties, xpaths, inProperties);
+ Map<String, String> inMessageProperties = new HashMap<String, String>();
+ inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+ Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
@@ -497,7 +509,10 @@ public class SamlTokenTest extends Abstr
xpaths.add("//wsse:Security");
xpaths.add("//wsse:Security/saml1:Assertion");
- Message message = makeInvocation(outProperties, xpaths, inProperties);
+ Map<String, String> inMessageProperties = new HashMap<String, String>();
+ inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+ Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
@@ -519,6 +534,15 @@ public class SamlTokenTest extends Abstr
List<String> xpaths,
Map<String, Object> inProperties
) throws Exception {
+ return makeInvocation(outProperties, xpaths, inProperties, new HashMap<String, String>());
+ }
+
+ private SoapMessage makeInvocation(
+ Map<String, Object> outProperties,
+ List<String> xpaths,
+ Map<String, Object> inProperties,
+ Map<String, String> inMessageProperties
+ ) throws Exception {
Document doc = readDocument("wsse-request-clean.xml");
WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
@@ -565,6 +589,9 @@ public class SamlTokenTest extends Abstr
SoapMessage inmsg = new SoapMessage(new MessageImpl());
inmsg.put(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, "role");
+ for (String inMessageProperty : inMessageProperties.keySet()) {
+ inmsg.put(inMessageProperty, inMessageProperties.get(inMessageProperty));
+ }
ex.setInMessage(inmsg);
inmsg.setContent(SOAPMessage.class, saajMsg);
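Review bot: The loop at `for (String inMessageProperty : inMessageProperties.keySet())` looks each key up a second time with `get`; iterating the entries — `for (Map.Entry<String, String> entry : inMessageProperties.entrySet()) { inmsg.put(entry.getKey(), entry.getValue()); }` — avoids the extra lookup, and if SoapMessage's Map contract accepts it (its signature is not on this page) the whole loop collapses to `inmsg.putAll(inMessageProperties);`. makeInvocation continues beyond the hunk.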