Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/21 17:29:39 UTC
[1/2] cxf-fediz git commit: Updating SAML SSO validators
Repository: cxf-fediz
Updated Branches:
refs/heads/master 983cd4066 -> e8da76141
Updating SAML SSO validators
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/fcb03c9f
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/fcb03c9f
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/fcb03c9f
Branch: refs/heads/master
Commit: fcb03c9f3d0145dd73869f2078625b9043a746f3
Parents: 983cd40
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 21 16:19:28 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 21 16:19:28 2015 +0000
----------------------------------------------------------------------
.../fediz/core/samlsso/SAMLSSOResponseValidator.java | 15 +++++++++------
.../cxf/fediz/core/samlsso/SSOValidatorResponse.java | 11 +++++++++++
2 files changed, 20 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fcb03c9f/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 7313406..f3030e5 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -93,7 +93,7 @@ public class SAMLSSOResponseValidator {
}
// Validate Assertions
- boolean foundValidSubject = false;
+ org.opensaml.saml.saml2.core.Assertion validAssertion = null;
Date sessionNotOnOrAfter = null;
for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
// Check the Issuer
@@ -115,7 +115,7 @@ public class SAMLSSOResponseValidator {
org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) {
validateAudienceRestrictionCondition(assertion.getConditions());
- foundValidSubject = true;
+ validAssertion = assertion;
// Store Session NotOnOrAfter
for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
if (authnStatment.getSessionNotOnOrAfter() != null) {
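Review bot: The new assignment `validAssertion = assertion;` does not leave the loop, so when a Response carries several assertions whose subject confirmation passes, the last one wins, while `sessionNotOnOrAfter` may still hold the value taken from an earlier assertion, because it is only overwritten when an AuthnStatement actually carries the attribute. If one validated assertion is intended, a `break;` after the session lookup, or an explicit rejection of Responses with more than one valid assertion, would make the policy visible; at minimum a comment such as `// the last assertion passing subject confirmation is the one returned` should state the intent. The same variable is consumed in the later hunk where `validAssertion.getDOM()` is read. The enclosing loop and method begin and end outside this hunk.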
@@ -127,7 +127,7 @@ public class SAMLSSOResponseValidator {
}
- if (!foundValidSubject) {
+ if (validAssertion == null) {
LOG.debug("The Response did not contain any Authentication Statement that matched "
+ "the Subject Confirmation criteria");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
@@ -136,9 +136,12 @@ public class SAMLSSOResponseValidator {
SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
- // the assumption for now is that SAMLResponse will contain only a single assertion
- Element assertionElement = samlResponse.getAssertions().get(0).getDOM();
- validatorResponse.setAssertion(DOM2Writer.nodeToString(assertionElement.cloneNode(true)));
+
+ Element assertionElement = validAssertion.getDOM();
+ Element clonedAssertionElement = (Element)assertionElement.cloneNode(true);
+ validatorResponse.setAssertionElement(clonedAssertionElement);
+ validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement));
+
return validatorResponse;
}
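Review bot: `validAssertion.getDOM()` can return null when the OpenSAML object has no DOM attached (for instance after its DOM was released), and the new line `Element clonedAssertionElement = (Element)assertionElement.cloneNode(true);` would then fail with a NullPointerException instead of the WSSecurityException the rest of the method reports; the removed code had the same exposure. A guard before the clone, `if (assertionElement == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); }`, keeps that failure on the same error path. The stored clone presumably still belongs to the Response's owner document, so an SSOValidatorResponse kept in a session would keep the whole Response DOM reachable; if that is acceptable a short comment saying so would help. The method's start is outside the hunk.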
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fcb03c9f/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
index 13bd839..61e748d 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SSOValidatorResponse.java
@@ -20,6 +20,8 @@ package org.apache.cxf.fediz.core.samlsso;
import java.util.Date;
+import org.w3c.dom.Element;
+
/**
* Some information that encapsulates a successful validation by the SAMLSSOResponseValidator
*/
@@ -27,6 +29,7 @@ public class SSOValidatorResponse {
private Date sessionNotOnOrAfter;
private String responseId;
private String assertion;
+ private Element assertionElement;
public String getAssertion() {
return assertion;
@@ -51,4 +54,12 @@ public class SSOValidatorResponse {
public void setResponseId(String responseId) {
this.responseId = responseId;
}
+
+ public Element getAssertionElement() {
+ return assertionElement;
+ }
+
+ public void setAssertionElement(Element assertionElement) {
+ this.assertionElement = assertionElement;
+ }
}
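Review bot: `getAssertionElement` hands out the mutable DOM `Element` without Javadoc, so a caller cannot tell whether it may modify the node or how it relates to the string returned by `getAssertion()`. Suggested Javadoc on the getter: `/** The validated Assertion as a DOM Element. Treat it as read-only: modifying it desynchronises it from {@link #getAssertion()}, which is serialized from this node. */`. The existing class Javadoc describing this as the outcome of a successful validation is a good place to mention that both forms describe the same assertion.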
[2/2] cxf-fediz git commit: [FEDIZ-142] -
TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work
Posted by co...@apache.org.
[FEDIZ-142] - TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e8da7614
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e8da7614
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e8da7614
Branch: refs/heads/master
Commit: e8da76141de188da51c54bb6dcadd792c14073ee
Parents: fcb03c9
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 21 16:20:48 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 21 16:20:48 2015 +0000
----------------------------------------------------------------------
.../fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e8da7614/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index eef725f..47200a1 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -394,7 +394,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
try {
SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
protocolValidator.setKeyInfoMustBeAvailable(
- isPropertyConfigured(trustedIdp, REQUIRE_KNOWN_ISSUER, true));
+ isPropertyConfigured(trustedIdp, REQUIRE_KEYINFO, true));
protocolValidator.validateSamlResponse(samlResponse, crypto, null);
} catch (WSSecurityException ex) {
LOG.debug(ex.getMessage(), ex);
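Review bot: With the corrected `REQUIRE_KEYINFO` lookup a Response lacking KeyInfo is now rejected by `validateSamlResponse`, but the catch block records that rejection only with `LOG.debug(ex.getMessage(), ex);`, so at the INFO level typical of production a failed signature or KeyInfo check leaves no trace for operators. Logging the rejection at warn, `LOG.warn("SAML Response validation failed", ex);`, would make repeated failures detectable. The enclosing method and the rest of the catch block lie outside the hunk, so whether a higher-level audit event follows cannot be seen here.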