Posted to commits@cxf.apache.org by co...@apache.org on 2015/08/14 15:13:22 UTC
[2/3] cxf git commit: [CXF-6543] - It's not possible to specify the
signature + digest algorithms for self-signed SAML Assertions with JAX-RS
[CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed SAML Assertions with JAX-RS
Conflicts:
systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a42e14a4
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a42e14a4
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a42e14a4
Branch: refs/heads/3.0.x-fixes
Commit: a42e14a42a0be3b6a00bd5b29a38ec6da70d7cb1
Parents: c3ce9ae
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Aug 14 14:06:51 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Aug 14 14:07:31 2015 +0100
----------------------------------------------------------------------
.../apache/cxf/rs/security/saml/SAMLUtils.java | 5 ++-
.../jaxrs/security/saml/JAXRSSamlTest.java | 36 +++++++++++++++++--
.../security/saml/SamlCallbackHandler.java | 37 ++++++++++++++++++++
3 files changed, 75 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a42e14a4/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index f9ef27e..af7ca2a 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -92,7 +92,10 @@ public final class SAMLUtils {
SecurityUtils.getPassword(message, user, WSPasswordCallback.SIGNATURE,
SAMLUtils.class);
- assertion.signAssertion(user, password, crypto, false);
+ assertion.signAssertion(user, password, crypto, false,
+ samlCallback.getCanonicalizationAlgorithm(),
+ samlCallback.getSignatureAlgorithm(),
+ samlCallback.getSignatureDigestAlgorithm());
}
return assertion;
} catch (Exception ex) {
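Review bot: The three algorithm arguments added on the new `signAssertion` call are taken verbatim from the `SAMLCallback`, so whatever the user-supplied callback handler leaves unset arrives here as `null`, and nothing on this path documents what that means. The previous four-argument overload left the choice entirely to WSS4J; it is worth a comment making the fallback explicit and hedged, e.g. `// Algorithms come from the SAMLCallback; a null value presumably leaves the choice to WSS4J's defaults (historically SHA-1 based) — callers wanting SHA-256 must set them explicitly`. Note also that the URI strings are passed through without validation, so a typo in a deployer's callback handler surfaces only as a signing failure deep inside WSS4J. The enclosing method starts and ends outside this hunk.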
http://git-wip-us.apache.org/repos/asf/cxf/blob/a42e14a4/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
index 0337c7d..e00ccb8 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
@@ -23,6 +23,7 @@ import java.net.URL;
import java.util.HashMap;
import java.util.Map;
+import javax.security.auth.callback.CallbackHandler;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Form;
@@ -41,9 +42,11 @@ import org.apache.cxf.rs.security.saml.SamlEnvelopedOutInterceptor;
import org.apache.cxf.rs.security.saml.SamlFormOutInterceptor;
import org.apache.cxf.rs.security.saml.SamlHeaderOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
+import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.systest.jaxrs.security.Book;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.WSConstants;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -125,6 +128,16 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
}
@Test
+ public void testBearerSignedDifferentAlgorithms() throws Exception {
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
+ callbackHandler.setDigestAlgorithm(WSConstants.SHA256);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setSignAssertion(true);
+ doTestEnvelopedSAMLToken(true, callbackHandler);
+ }
+
+ @Test
public void testEnvelopedUnsignedSAMLToken() throws Exception {
doTestEnvelopedSAMLToken(false);
}
@@ -177,8 +190,12 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
}
public void doTestEnvelopedSAMLToken(boolean signed) throws Exception {
+ doTestEnvelopedSAMLToken(signed, new SamlCallbackHandler());
+ }
+
+ public void doTestEnvelopedSAMLToken(boolean signed, CallbackHandler samlCallbackHandler) throws Exception {
String address = "https://localhost:" + PORT + "/samlxml/bookstore/books";
- WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed), null);
+ WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed), null, samlCallbackHandler);
XmlSigOutInterceptor xmlSig = new XmlSigOutInterceptor();
if (signed) {
xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
@@ -204,6 +221,13 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
private WebClient createWebClient(String address,
Interceptor<Message> outInterceptor,
Object provider) {
+ return createWebClient(address, outInterceptor, provider, new SamlCallbackHandler());
+ }
+
+ private WebClient createWebClient(String address,
+ Interceptor<Message> outInterceptor,
+ Object provider,
+ CallbackHandler samlCallbackHandler) {
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);
@@ -213,12 +237,20 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
bean.setBus(springBus);
Map<String, Object> properties = new HashMap<String, Object>();
+<<<<<<< HEAD
properties.put("ws-security.callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.saml-callback-handler",
"org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
properties.put("ws-security.signature.username", "alice");
properties.put("ws-security.signature.properties",
+=======
+ properties.put(SecurityConstants.CALLBACK_HANDLER,
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put(SecurityConstants.SAML_CALLBACK_HANDLER, samlCallbackHandler);
+ properties.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
+ properties.put(SecurityConstants.SIGNATURE_PROPERTIES,
+>>>>>>> 953d23f... [CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed SAML Assertions with JAX-RS
"org/apache/cxf/systest/jaxrs/security/alice.properties");
bean.setProperties(properties);
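Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 953d23f...`) into `JAXRSSamlTest.createWebClient`, so the test class will not compile on the 3.0.x-fixes branch as committed. Only the HEAD side uses the string property keys this branch appears to rely on, but it still registers the SAML callback handler by class name, which discards the `samlCallbackHandler` parameter the new overload was introduced to honor; the resolution should be the HEAD block with that one line changed to `properties.put("ws-security.saml-callback-handler", samlCallbackHandler);`. If `org.apache.cxf.rt.security.SecurityConstants` does not exist on this branch, the import added earlier in the file has to be dropped as well. The enclosing method starts outside this hunk.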
http://git-wip-us.apache.org/repos/asf/cxf/blob/a42e14a4/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 2cc75f2..1bc5ea8 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -59,6 +59,9 @@ import org.joda.time.DateTime;
public class SamlCallbackHandler implements CallbackHandler {
private boolean saml2 = true;
private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+ private String signatureAlgorithm;
+ private String digestAlgorithm;
+ private boolean signAssertion;
public SamlCallbackHandler() {
//
@@ -105,8 +108,13 @@ public class SamlCallbackHandler implements CallbackHandler {
SecurityConstants.SIGNATURE_CRYPTO,
SecurityConstants.SIGNATURE_PROPERTIES);
X509Certificate cert =
+<<<<<<< HEAD
SecurityUtils.getCertificates(crypto,
SecurityUtils.getUserName(m, crypto, "ws-security.signature.username"))[0];
+=======
+ RSSecurityUtils.getCertificates(crypto,
+ RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
+>>>>>>> 953d23f... [CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed SAML Assertions with JAX-RS
KeyInfoBean keyInfo = new KeyInfoBean();
keyInfo.setCertificate(cert);
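Review bot: Unresolved conflict markers are committed into `SamlCallbackHandler.handle` here too, so this file will not compile either. The HEAD side (`SecurityUtils.getCertificates` / `"ws-security.signature.username"`) is the one that matches the rest of this branch's code; the other side references `RSSecurityUtils` and `SecurityConstants.SIGNATURE_USERNAME`, which presumably come from a later refactoring and may not resolve on 3.0.x. Keep the HEAD lines and delete the three marker lines and the alternate block. The enclosing method starts and ends outside this hunk.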
@@ -172,8 +180,37 @@ public class SamlCallbackHandler implements CallbackHandler {
attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
+
+ callback.setSignatureAlgorithm(signatureAlgorithm);
+ callback.setSignatureDigestAlgorithm(digestAlgorithm);
+
+ callback.setSignAssertion(signAssertion);
}
}
}
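Review bot: The new `callback.setSignatureAlgorithm(signatureAlgorithm)` and `callback.setSignatureDigestAlgorithm(digestAlgorithm)` calls run unconditionally, so every existing test that uses this handler without configuring algorithms now pushes `null` into the `SAMLCallback`, overriding whatever the callback previously carried and relying on downstream code to treat null as "use the default". Safer is to only set them when configured: `if (signatureAlgorithm != null) { callback.setSignatureAlgorithm(signatureAlgorithm); }` and `if (digestAlgorithm != null) { callback.setSignatureDigestAlgorithm(digestAlgorithm); }`. A short comment on the fields that unset means "WSS4J default" would also help the next reader. The enclosing `handle` method starts outside this hunk.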
+
+ public String getSignatureAlgorithm() {
+ return signatureAlgorithm;
+ }
+
+ public void setSignatureAlgorithm(String signatureAlgorithm) {
+ this.signatureAlgorithm = signatureAlgorithm;
+ }
+
+ public String getDigestAlgorithm() {
+ return digestAlgorithm;
+ }
+
+ public void setDigestAlgorithm(String digestAlgorithm) {
+ this.digestAlgorithm = digestAlgorithm;
+ }
+
+ public boolean isSignAssertion() {
+ return signAssertion;
+ }
+
+ public void setSignAssertion(boolean signAssertion) {
+ this.signAssertion = signAssertion;
+ }
}