Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/21 17:39:54 UTC

[1/3] cxf-fediz git commit: Updating SAML SSO validators

Repository: cxf-fediz
Updated Branches:
  refs/heads/1.2.x-fixes 4e78c68e6 -> 7f5761547


Updating SAML SSO validators


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/3854680b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/3854680b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/3854680b

Branch: refs/heads/1.2.x-fixes
Commit: 3854680bc21c2ebb0f1c7143bf4932b8829ba444
Parents: 4e78c68
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 21 16:19:28 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 21 16:30:10 2015 +0000

----------------------------------------------------------------------
 .../fediz/core/samlsso/SAMLSSOResponseValidator.java | 15 +++++++++------
 .../cxf/fediz/core/samlsso/SSOValidatorResponse.java | 11 +++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3854680b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 86bb005..3ecce44 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -94,7 +94,7 @@ public class SAMLSSOResponseValidator {
         }
         
         // Validate Assertions
-        boolean foundValidSubject = false;
+        org.opensaml.saml.saml2.core.Assertion validAssertion = null;
         Date sessionNotOnOrAfter = null;
         for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
             // Check the Issuer
@@ -116,7 +116,7 @@ public class SAMLSSOResponseValidator {
                 org.opensaml.saml2.core.Subject subject = assertion.getSubject();
                 if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) {
                     validateAudienceRestrictionCondition(assertion.getConditions());
-                    foundValidSubject = true;
+                    validAssertion = assertion;
                     // Store Session NotOnOrAfter
                     for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
                         if (authnStatment.getSessionNotOnOrAfter() != null) {
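Review bot: `validAssertion = assertion;` is assigned inside the loop over `samlResponse.getAssertions()` with no `break`, so when more than one assertion passes `validateAuthenticationSubject` the last matching one silently wins and is what the last hunk (`@@ -137,9 +137,12 @@`) hands to the caller via `validAssertion.getDOM()`, while `sessionNotOnOrAfter` may have been captured from an earlier matching assertion. If the intent is "first validated assertion", add `break;` once the session-expiry bookkeeping for that assertion is done; if last-wins is deliberate, state it, e.g. `// If several assertions match the subject-confirmation criteria, the last one is propagated to the caller`. The loop body continues outside this hunk, so the rest of its control flow is not visible here.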
@@ -128,7 +128,7 @@ public class SAMLSSOResponseValidator {
             
         }
         
-        if (!foundValidSubject) {
+        if (validAssertion == null) {
             LOG.debug("The Response did not contain any Authentication Statement that matched "
                      + "the Subject Confirmation criteria");
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
@@ -137,9 +137,12 @@ public class SAMLSSOResponseValidator {
         SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
         validatorResponse.setResponseId(samlResponse.getID());
         validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
-        // the assumption for now is that SAMLResponse will contain only a single assertion
-        Element assertionElement = samlResponse.getAssertions().get(0).getDOM();
-        validatorResponse.setAssertion(DOM2Writer.nodeToString(assertionElement.cloneNode(true)));
+        
+        Element assertionElement = validAssertion.getDOM();
+        Element clonedAssertionElement = (Element)assertionElement.cloneNode(true);
+        validatorResponse.setAssertionElement(clonedAssertionElement);
+        validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement));
+        
         return validatorResponse;
     }
     
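Review bot: `validAssertion.getDOM()` is passed straight to `cloneNode(true)` without a null check; in OpenSAML `getDOM()` can return null when the object has no cached DOM (for example after the object tree has been modified and the DOM released), and that would surface as a NullPointerException out of the validator instead of the `WSSecurityException` callers handle. The old `get(0).getDOM()` had the same exposure, but since these lines are being rewritten a guard such as `if (assertionElement == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); }` keeps the failure on the expected path. The two added blank lines carry trailing whitespace, which Checkstyle will flag.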

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3854680b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
index 13bd839..61e748d 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
@@ -20,6 +20,8 @@ package org.apache.cxf.fediz.core.samlsso;
 
 import java.util.Date;
 
+import org.w3c.dom.Element;
+
 /**
  * Some information that encapsulates a successful validation by the SAMLSSOResponseValidator
  */
@@ -27,6 +29,7 @@ public class SSOValidatorResponse {
     private Date sessionNotOnOrAfter;
     private String responseId;
     private String assertion;
+    private Element assertionElement;
 
     public String getAssertion() {
         return assertion;
@@ -51,4 +54,12 @@ public class SSOValidatorResponse {
     public void setResponseId(String responseId) {
         this.responseId = responseId;
     }
+    
+    public Element getAssertionElement() {
+        return assertionElement;
+    }
+
+    public void setAssertionElement(Element assertionElement) {
+        this.assertionElement = assertionElement;
+    }
 }
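Review bot: `getAssertionElement()` exposes the stored DOM `Element` without Javadoc or any read-only contract, and the class documents nothing beyond its one-line header. The validator populates this field with a deep clone and separately stores the serialized form in `assertion`, so a caller that mutates the element will silently diverge from the string returned by `getAssertion()`; document that, e.g. `/** DOM of the assertion that passed validation (a detached clone). Treat as read-only: {@link #getAssertion()} is an independent snapshot and will not reflect changes. */`. The added blank line before the getter carries trailing whitespace.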


[2/3] cxf-fediz git commit: [FEDIZ-142] - TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work

Posted by co...@apache.org.
[FEDIZ-142] - TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9434b632
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9434b632
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9434b632

Branch: refs/heads/1.2.x-fixes
Commit: 9434b63202e9033cf884d802fc6d247dc0f11d5e
Parents: 3854680
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 21 16:20:48 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 21 16:30:16 2015 +0000

----------------------------------------------------------------------
 .../fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9434b632/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index 15a8445..e55a372 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -394,7 +394,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
         try {
             SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
             protocolValidator.setKeyInfoMustBeAvailable(
-                isPropertyConfigured(trustedIdp, REQUIRE_KNOWN_ISSUER, true));
+                isPropertyConfigured(trustedIdp, REQUIRE_KEYINFO, true));
             protocolValidator.validateSamlResponse(samlResponse, crypto, null);
         } catch (WSSecurityException ex) {
             LOG.debug(ex.getMessage(), ex);
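Review bot: The `catch (WSSecurityException ex)` that receives a KeyInfo or signature validation failure records it only with `LOG.debug(ex.getMessage(), ex);`, so a Response rejected from a trusted IdP leaves no trace in a production log and cannot be alerted on; logging this at warn level with the trusted IdP identifier would make such rejections visible to operations. The copy-paste this hunk corrects (`REQUIRE_KNOWN_ISSUER` read where `REQUIRE_KEYINFO` was meant) went unnoticed because nothing exercised it; a test that configures `REQUIRE_KEYINFO` to false on a trusted IdP and checks that a Response whose Signature omits KeyInfo is accepted, alongside the default-true case, would pin the behaviour. The catch block continues outside the hunk, so whether it rethrows or falls through is not visible here.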


[3/3] cxf-fediz git commit: Fixing merge

Posted by co...@apache.org.
Fixing merge


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/7f576154
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/7f576154
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/7f576154

Branch: refs/heads/1.2.x-fixes
Commit: 7f5761547a91c5c64c06bffca020f6538869c135
Parents: 9434b63
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 21 16:31:38 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 21 16:31:38 2015 +0000

----------------------------------------------------------------------
 .../apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7f576154/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 3ecce44..609103e 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -94,7 +94,7 @@ public class SAMLSSOResponseValidator {
         }
         
         // Validate Assertions
-        org.opensaml.saml.saml2.core.Assertion validAssertion = null;
+        org.opensaml.saml2.core.Assertion validAssertion = null;
         Date sessionNotOnOrAfter = null;
         for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
             // Check the Issuer