Posted to commits@cxf.apache.org by co...@apache.org on 2015/02/04 12:29:55 UTC
[2/2] cxf git commit: Add the ability to validate SAML Audience
Restrictions. Defaults to false unlike for SOAP
Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/514e7c10
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/514e7c10
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/514e7c10
Branch: refs/heads/master
Commit: 514e7c10913d73b5fd363f6475eb1396301af41d
Parents: 3aec3e2
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Feb 3 16:21:47 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 4 11:28:55 2015 +0000
----------------------------------------------------------------------
.../rs/security/saml/AbstractSamlInHandler.java | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/514e7c10/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index ea4bd63..9d5d257 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -25,6 +25,7 @@ import java.io.InputStreamReader;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -126,6 +127,10 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
protected void validateToken(Message message, SamlAssertionWrapper assertion) {
try {
RequestData data = new RequestData();
+
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(message, data);
+
if (assertion.isSigned()) {
WSSConfig cfg = WSSConfig.getNewInstance();
data.setWssConfig(cfg);
@@ -177,6 +182,21 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
}
}
+ protected void configureAudienceRestriction(Message msg, RequestData reqData) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+ SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ false);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
+ audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ reqData.setAudienceRestrictions(audiences);
+ }
+ }
+
protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException {
try {
X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto,
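Review bot: When `AUDIENCE_RESTRICTION_VALIDATION` is true but `Message.REQUEST_URL` is absent, the new `configureAudienceRestriction` still calls `reqData.setAudienceRestrictions(audiences)` with an empty list; if the downstream WSS4J validator treats an empty list as "nothing to enforce" (the hunk does not show this), an operator who explicitly switched the check on would silently get no audience validation at all. Since the check was requested, the method should fail closed when it ends up with no audience rather than fall back to unrestricted acceptance; note that `validateToken`'s try/catch (outside this hunk) must be confirmed to turn the thrown exception into a rejected request. A second point, hedged because the hunk does not show how `REQUEST_URL` is populated: if it is derived from the incoming request (e.g. the Host header), the caller can influence which audience the assertion is compared against, so an operator-configured expected-audience list should be consulted first and the request URL used only as a fallback. Minor style: `Message` is already the parameter type, so `org.apache.cxf.message.Message.REQUEST_URL` need not be fully qualified and the property can be read once instead of twice.
```java
protected void configureAudienceRestriction(Message msg, RequestData reqData) {
    if (!MessageUtils.getContextualBoolean(msg,
            SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, false)) {
        return;
    }
    List<String> audiences = new ArrayList<String>();
    Object requestUrl = msg.getContextualProperty(Message.REQUEST_URL);
    if (requestUrl != null) {
        audiences.add((String)requestUrl);
    }
    if (audiences.isEmpty()) {
        // Validation was explicitly enabled; never degrade to "no restriction"
        throw new IllegalStateException(
            "Audience restriction validation is enabled but no expected audience is available");
    }
    reqData.setAudienceRestrictions(audiences);
}
```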