Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/23 13:31:44 UTC
cxf-fediz git commit: Findbugs work on the Fediz services
Repository: cxf-fediz
Updated Branches:
refs/heads/master 4944104ee -> 467382b88
Findbugs work on the Fediz services
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/467382b8
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/467382b8
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/467382b8
Branch: refs/heads/master
Commit: 467382b88b5652450f648a06a0f6575c7417ed1a
Parents: 4944104
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Nov 23 13:31:31 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Nov 23 13:31:31 2016 +0000
----------------------------------------------------------------------
.../cxf/fediz/service/idp/FedizEntryPoint.java | 3 +-
.../service/idp/STSAuthenticationProvider.java | 2 +-
.../idp/STSKrbAuthenticationProvider.java | 5 ++
.../cxf/fediz/service/idp/STSUserDetails.java | 24 +++++++++
.../service/idp/beans/CommonsURLValidator.java | 52 ++++++++++++++++++++
.../idp/beans/PassiveRequestorValidator.java | 10 ----
.../service/idp/beans/STSClientAction.java | 2 +-
.../kerberos/KerberosServiceRequestToken.java | 17 +++++--
.../idp/kerberos/PassThroughKerberosClient.java | 13 ++++-
.../ApplicationProtocolControllerImpl.java | 2 +-
.../fediz/service/idp/rest/IdpServiceImpl.java | 25 ++++++----
.../WEB-INF/flows/federation-signin-request.xml | 3 +-
.../flows/federation-validate-request.xml | 8 ++-
.../WEB-INF/flows/saml-signin-request.xml | 3 +-
.../oidc/clients/ClientRegistrationService.java | 4 +-
.../fediz/service/sts/FileClaimsHandler.java | 2 +-
.../sts/realms/RealmFileClaimsHandler.java | 2 +-
17 files changed, 142 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
index ea594d3..d266f3c 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
@@ -95,7 +95,8 @@ public class FedizEntryPoint implements AuthenticationEntryPoint,
if (loginUri == null) {
LOG.warn("wauth value '" + wauth + "' not supported");
response.sendError(
- HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "wauth value '" + wauth + "' not supported");
+ HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "The wauth value that was supplied is not supported");
+ return;
}
redirectUrl = new StringBuilder(extractFullContextPath(servletRequest))
.append(loginUri).append("?").append(servletRequest.getQueryString()).toString();
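Review bot: The `LOG.warn` line above the changed `sendError` call still concatenates the request-supplied `wauth` into the log message, so the value this commit stops echoing to the client is still written to the log as-is, and depending on the log layout embedded line breaks could produce misleading entries. Strip CR/LF from the value before logging it; the same goes for the request-derived values logged in CommonsURLValidator.isValid and in the IdpServiceImpl conflict checks later in this commit. An unsupported `wauth` is a client error, so `HttpServletResponse.SC_BAD_REQUEST` would describe it better than `SC_INTERNAL_SERVER_ERROR`. The enclosing method starts and ends outside the hunk.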
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
index dd30a4a..9938b7d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -92,7 +92,7 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide
List<Claim> claims = parseClaimsInAssertion(assertion.getSaml2());
for (Claim c : claims) {
- if (roleURI.equals(c.getClaimType())) {
+ if (c.getClaimType() != null && roleURI.equals(c.getClaimType().toString())) {
Object oValue = c.getValue();
if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty()) {
List<?> values = (List<?>)oValue;
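Review bot: The rewritten `roleURI.equals(...)` condition changes behaviour rather than just silencing a warning. If the old comparison was between a String and a non-String claim type, as the added `toString()` suggests, it could never match, so role claims from the assertion only start producing authorities with this commit. Because those authorities feed authorization decisions, this deserves a unit test that passes an assertion carrying a role claim and checks the resulting authorities. The condition also calls `c.getClaimType()` twice; holding it in a local would make the null check and the comparison easier to read. The loop body continues past the end of the hunk.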
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
index 9a5dae8..62f4817 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
@@ -132,6 +132,11 @@ public class STSKrbAuthenticationProvider extends STSAuthenticationProvider {
new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
}
+ if (kerberosPrincipal == null) {
+ LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName());
+ return null;
+ }
+
List<GrantedAuthority> authorities = createAuthorities(token);
KerberosServiceRequestToken ksrt =
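Review bot: The added `LOG.info` message opens a single quote before the user name and never closes it; `LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'");` fixes that. Returning `null` from a Spring Security `AuthenticationProvider` means "this provider cannot decide" and lets other configured providers be tried, so if a missing principal is meant to be a definite failure, throwing an `AuthenticationException` subclass such as `BadCredentialsException` states that directly. The name logged here comes from the request token and should be treated as untrusted text in the log. The enclosing method starts and ends outside the hunk.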
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java
index bc084d7..080bcb4 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java
@@ -46,4 +46,28 @@ public class STSUserDetails extends User {
return this.token;
}
+ @Override
+ public boolean equals(Object object) {
+ if (!(object instanceof STSUserDetails)) {
+ return false;
+ }
+
+ if (token != null && !token.equals(((STSUserDetails)object).token)) {
+ return false;
+ } else if (token == null && ((STSUserDetails)object).token != null) {
+ return false;
+ }
+
+ return super.equals(object);
+ }
+
+ @Override
+ public int hashCode() {
+ int hashCode = 17;
+ if (token != null) {
+ hashCode *= 31 * token.hashCode();
+ }
+
+ return hashCode * super.hashCode();
+ }
}
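Review bot: The new `hashCode()` combines its parts by multiplication (`hashCode *= 31 * token.hashCode()` and `return hashCode * super.hashCode()`), so a zero from either `token.hashCode()` or `super.hashCode()` collapses the result to 0. The usual additive form is `int result = 31 * super.hashCode() + (token == null ? 0 : token.hashCode());`. In `equals`, the two token branches can be reduced to one null-safe comparison. Also check symmetry against the superclass: if `User.equals` accepts any `User` with the same username (not visible here), then `user.equals(stsUserDetails)` can be true while the reverse is false. A short Javadoc on both methods stating that the token takes part in equality would make the contract explicit.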
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CommonsURLValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CommonsURLValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CommonsURLValidator.java
new file mode 100644
index 0000000..25780d2
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CommonsURLValidator.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans;
+
+import org.apache.commons.validator.routines.UrlValidator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * Validate a URL using Commons Validator
+ */
+@Component
+public class CommonsURLValidator {
+
+ private static final Logger LOG = LoggerFactory.getLogger(CommonsURLValidator.class);
+
+ public boolean isValid(RequestContext context, String endpointAddress)
+ throws Exception {
+ if (endpointAddress == null) {
+ return true;
+ }
+
+ // The endpointAddress address must be a valid URL + start with http(s)
+ // Validate it first using commons-validator
+ UrlValidator urlValidator = new UrlValidator(new String[] {"http", "https"}, UrlValidator.ALLOW_LOCAL_URLS);
+ if (!urlValidator.isValid(endpointAddress)) {
+ LOG.warn("The given endpointAddress parameter {} is not a valid URL", endpointAddress);
+ return false;
+ }
+
+ return true;
+ }
+
+}
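Review bot: `isValid` accepts a null `endpointAddress` and checks only syntax and scheme (with `ALLOW_LOCAL_URLS`), but the class Javadoc says just "Validate a URL using Commons Validator", so callers cannot tell that a `true` result does not mean the address belongs to the relying party. I would extend the Javadoc to say that null is treated as valid, that only http/https URLs pass, and that local host names are allowed, and add a method Javadoc noting that `context` is unused. The `throws Exception` clause can be dropped, since nothing in the body throws a checked exception. The `UrlValidator` could also be held in a `private static final` field instead of being built on every call.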
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
index d7e5bbc..0393d4f 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
@@ -20,7 +20,6 @@ package org.apache.cxf.fediz.service.idp.beans;
import java.util.regex.Matcher;
-import org.apache.commons.validator.routines.UrlValidator;
import org.apache.cxf.fediz.service.idp.domain.Application;
import org.apache.cxf.fediz.service.idp.domain.Idp;
import org.apache.cxf.fediz.service.idp.util.WebUtils;
@@ -53,15 +52,6 @@ public class PassiveRequestorValidator {
// The endpointAddress address must match the passive endpoint requestor constraint
// (if it is specified)
- // Also, it must be a valid URL + start with https
- // Validate it first using commons-validator
- UrlValidator urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
- + UrlValidator.ALLOW_ALL_SCHEMES);
- if (!urlValidator.isValid(endpointAddress)) {
- LOG.warn("The given endpointAddress parameter {} is not a valid URL", endpointAddress);
- return false;
- }
-
if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
LOG.warn("No passive requestor endpoint constraint is configured for the application. "
+ "This could lead to a malicious redirection attack");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index dbe4a25..0c01352 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -376,7 +376,7 @@ public class STSClientAction {
writer.writeAttribute("Dialect",
HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
- if (realmClaims != null && realmClaims.size() > 0) {
+ if (realmClaims.size() > 0) {
for (RequestClaim item : realmClaims) {
LOG.debug(" {}", item.getClaimType().toString());
writer.writeStartElement("ic", "ClaimType",
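Review bot: Dropping `realmClaims != null` on the `if` line is only safe if `realmClaims` is guaranteed non-null by code above the hunk, which is not visible here. A one-line comment saying where that guarantee comes from would keep a later refactoring from reintroducing a NullPointerException. `!realmClaims.isEmpty()` also reads better than `size() > 0`. The same removal is made for `claims` in FileClaimsHandler and RealmFileClaimsHandler later in this commit, where the same comment applies.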
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
index 40308e4..2aba9cf 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
@@ -67,7 +67,11 @@ public class KerberosServiceRequestToken extends AbstractAuthenticationToken {
Collection<? extends GrantedAuthority> authorities,
byte[] token) {
super(authorities);
- this.token = token;
+ if (token != null) {
+ this.token = Arrays.copyOf(token, token.length);
+ } else {
+ this.token = null;
+ }
this.principal = principal;
super.setAuthenticated(true);
}
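Review bot: The null-safe copy added here is repeated in the second constructor and in `getToken()` of this class, and again in `getToken()`/`setToken()` of PassThroughKerberosClient; a small private static helper, or `token == null ? null : token.clone()`, would say it once. No `import java.util.Arrays;` is added in this file's hunks, unlike PassThroughKerberosClient, so confirm the import already exists. The Javadoc of `getToken()` should say that a copy is returned. Each call now also leaves another copy of the Kerberos token on the heap, which matters if the token is ever meant to be cleared after use.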
@@ -81,7 +85,11 @@ public class KerberosServiceRequestToken extends AbstractAuthenticationToken {
*/
public KerberosServiceRequestToken(byte[] token) {
super(null);
- this.token = token;
+ if (token != null) {
+ this.token = Arrays.copyOf(token, token.length);
+ } else {
+ this.token = null;
+ }
this.principal = null;
}
@@ -134,6 +142,9 @@ public class KerberosServiceRequestToken extends AbstractAuthenticationToken {
/** Returns the Kerberos token
*/
public byte[] getToken() {
- return this.token;
+ if (token != null) {
+ return Arrays.copyOf(token, token.length);
+ }
+ return null;
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
index da665a9..d75b812 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
@@ -19,6 +19,8 @@
package org.apache.cxf.fediz.service.idp.kerberos;
+import java.util.Arrays;
+
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.cxf.ws.security.kerberos.KerberosClient;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -61,11 +63,18 @@ public class PassThroughKerberosClient extends KerberosClient {
}
public byte[] getToken() {
- return token;
+ if (token != null) {
+ return Arrays.copyOf(token, token.length);
+ }
+ return null;
}
public void setToken(byte[] token) {
- this.token = token;
+ if (token != null) {
+ this.token = Arrays.copyOf(token, token.length);
+ } else {
+ this.token = null;
+ }
}
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
index 3cd583e..c2be3eb 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
@@ -40,7 +40,7 @@ public class ApplicationProtocolControllerImpl implements ProtocolController<App
@Override
public ApplicationProtocolHandler getProtocolHandler(String protocol) {
for (ApplicationProtocolHandler protocolHandler : protocolHandlers) {
- if (protocolHandler.equals(protocol)) {
+ if (protocolHandler.getProtocol() != null && protocolHandler.getProtocol().equals(protocol)) {
return protocolHandler;
}
}
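Review bot: The old `protocolHandler.equals(protocol)` compared a handler with a String and so presumably never matched, which means this lookup starts returning handlers only with this commit; a test that registers a handler and looks it up by protocol would pin that down. `protocolHandler.getProtocol()` is called twice on the changed line; `protocol != null && protocol.equals(protocolHandler.getProtocol())` gives the same result with one call. The method's return after the loop is outside the hunk.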
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/rest/IdpServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/rest/IdpServiceImpl.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/rest/IdpServiceImpl.java
index 36f859d..d4b5c40 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/rest/IdpServiceImpl.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/rest/IdpServiceImpl.java
@@ -129,9 +129,11 @@ public class IdpServiceImpl implements IdpService {
@Override
public Response addApplicationToIdp(UriInfo ui, String realm, Application application) {
Idp idp = idpDAO.getIdp(realm, Arrays.asList("all"));
- if (idp.getApplications().contains(application.getRealm())) {
- LOG.warn("Application '" + application.getRealm() + "' already added");
- throw new WebApplicationException(Status.CONFLICT);
+ for (Application idpApplication : idp.getApplications()) {
+ if (idpApplication.getRealm() != null && idpApplication.getRealm().equals(application.getRealm())) {
+ LOG.warn("Application '" + application.getRealm() + "' already added");
+ throw new WebApplicationException(Status.CONFLICT);
+ }
}
Application application2 = applicationDAO.getApplication(application.getRealm(), null);
idpDAO.addApplicationToIdp(idp, application2);
@@ -165,9 +167,11 @@ public class IdpServiceImpl implements IdpService {
@Override
public Response addTrustedIdpToIdp(UriInfo ui, String realm, TrustedIdp trustedIdp) {
Idp idp = idpDAO.getIdp(realm, Arrays.asList("all"));
- if (idp.getTrustedIdps().contains(trustedIdp.getRealm())) {
- LOG.warn("Trusted IDP '" + trustedIdp.getRealm() + "' already added");
- throw new WebApplicationException(Status.CONFLICT);
+ for (TrustedIdp idpTrustedIdp : idp.getTrustedIdps()) {
+ if (idpTrustedIdp.getRealm() != null && idpTrustedIdp.getRealm().equals(trustedIdp.getRealm())) {
+ LOG.warn("Trusted IDP '" + trustedIdp.getRealm() + "' already added");
+ throw new WebApplicationException(Status.CONFLICT);
+ }
}
TrustedIdp trustedIpd2 = trustedIdpDAO.getTrustedIDP(trustedIdp.getRealm());
@@ -199,9 +203,12 @@ public class IdpServiceImpl implements IdpService {
@Override
public Response addClaimToIdp(UriInfo ui, String realm, Claim claim) {
Idp idp = idpDAO.getIdp(realm, Arrays.asList("all"));
- if (idp.getClaimTypesOffered().contains(claim.getClaimType().toString())) {
- LOG.warn("Claim '" + claim.getClaimType() + "' already added");
- throw new WebApplicationException(Status.CONFLICT);
+ for (Claim idpClaim : idp.getClaimTypesOffered()) {
+ if (idpClaim.getClaimType() != null
+ && idpClaim.getClaimType().toString().equals(claim.getClaimType().toString())) {
+ LOG.warn("Claim '" + claim.getClaimType() + "' already added");
+ throw new WebApplicationException(Status.CONFLICT);
+ }
}
Claim claim2 = claimDAO.getClaim(claim.getClaimType().toString());
idpDAO.addClaimToIdp(idp, claim2);
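Review bot: In `addClaimToIdp` the stored claim's type is null-checked, but the request's `claim.getClaimType()` is dereferenced with `.toString()` inside the loop and again in the `claimDAO.getClaim(...)` call, so a request body without a claim type ends in a NullPointerException rather than a client error. Check it once before the loop, e.g. `if (claim.getClaimType() == null) { throw new WebApplicationException(Status.BAD_REQUEST); }` followed by `String claimType = claim.getClaimType().toString();`. The two earlier hunks in this file have a related gap: a null `application.getRealm()` or `trustedIdp.getRealm()` simply skips the conflict check and is passed on to the DAO. The three duplicate-detection loops are also near-identical and could share a helper.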
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 7494366..194404b 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -98,7 +98,8 @@
</action-state>
<action-state id="validateWReply">
- <evaluate expression="passiveRequestorValidator.isValid(flowRequestContext, flowScope.wreply, flowScope.wtrealm)"/>
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)
+ and passiveRequestorValidator.isValid(flowRequestContext, flowScope.wreply, flowScope.wtrealm)"/>
<transition on="yes" to="requestRpToken" />
<transition on="no" to="viewBadRequest" />
</action-state>
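Review bot: URL syntax validation now depends on every flow putting `commonsURLValidator.isValid(...)` in front of `passiveRequestorValidator.isValid(...)`, because the check was removed from PassiveRequestorValidator in this commit; any caller that invokes the passive validator alone no longer gets it. An XML comment on this `validateWReply` state, such as `<!-- wreply must pass URL syntax/scheme validation before the relying-party constraint is applied -->`, would record that the two calls belong together.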
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 2964176..35ce933 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -41,7 +41,7 @@
<set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
</on-entry>
<if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
- then="selectSignOutProcess" />
+ then="validateWReplyForSignout" />
<if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
<if test="requestParameters.SAMLResponse != null" then="selectSAMLProcess"
else="selectOIDCAuthorizationCodeFlowProcess"
@@ -68,6 +68,12 @@
<if test="requestParameters.state == null or requestParameters.state.length() == 0"
then="viewBadRequest" else="signinResponse" />
</decision-state>
+
+ <action-state id="validateWReplyForSignout">
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)"/>
+ <transition on="yes" to="selectSignOutProcess" />
+ <transition on="no" to="viewBadRequest" />
+ </action-state>
<decision-state id="selectSignOutProcess">
<if test="requestParameters.wa == 'wsignout1.0' and flowScope.idpConfig.rpSingleSignOutConfirmation == true
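Review bot: The new `validateWReplyForSignout` state validates `flowScope.wreply`, and `CommonsURLValidator.isValid` returns true for null, so if `wreply` has not yet been copied into flow scope when this state runs (the assignment is not visible in these hunks), the check passes without looking at the request's value. It is also only a syntax and scheme check: nothing in this state ties the sign-out `wreply` to a registered relying party, so by itself it does not stop a redirect to an arbitrary http(s) address. If the relying-party constraint is applied further along the sign-out path, an XML comment here saying so would help; if not, that is the check to add.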
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 6382a48..446aa8e 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -102,7 +102,8 @@
</action-state>
<action-state id="validateWReply">
- <evaluate expression="passiveRequestorValidator.isValid(flowRequestContext, flowScope.consumerURL, flowScope.realm)"/>
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)
+ and passiveRequestorValidator.isValid(flowRequestContext, flowScope.consumerURL, flowScope.realm)"/>
<transition on="yes" to="requestRpToken" />
<transition on="no" to="viewBadRequest" />
</action-state>
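Review bot: The added call validates `flowScope.wreply`, but the address this state then checks with `passiveRequestorValidator` is `flowScope.consumerURL`. In the SAML flow `wreply` is likely unset, and since `CommonsURLValidator.isValid` returns true for null, the syntax check would then be skipped altogether. This looks like a copy from federation-signin-request.xml; the intended expression is probably `commonsURLValidator.isValid(flowRequestContext, flowScope.consumerURL)`.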
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
index d82a309..cbebdb4 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java
@@ -447,7 +447,7 @@ public class ClientRegistrationService {
@Override
public int compare(ServerAccessToken t1, ServerAccessToken t2) {
- return Long.valueOf(t1.getIssuedAt()).compareTo(t2.getIssuedAt());
+ return Long.compare(t1.getIssuedAt(), t2.getIssuedAt());
}
}
@@ -455,7 +455,7 @@ public class ClientRegistrationService {
@Override
public int compare(ServerAuthorizationCodeGrant g1, ServerAuthorizationCodeGrant g2) {
- return Long.valueOf(g1.getIssuedAt()).compareTo(g2.getIssuedAt());
+ return Long.compare(g1.getIssuedAt(), g2.getIssuedAt());
}
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java
index e6ca110..bfe0b97 100644
--- a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java
+++ b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java
@@ -76,7 +76,7 @@ public class FileClaimsHandler implements ClaimsHandler {
return new ProcessedClaimCollection();
}
- if (claims != null && claims.size() > 0) {
+ if (claims.size() > 0) {
ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
for (Claim requestClaim : claims) {
String claimValue = claimMap.get(requestClaim.getClaimType().toString());
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/467382b8/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/realms/RealmFileClaimsHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/realms/RealmFileClaimsHandler.java b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/realms/RealmFileClaimsHandler.java
index 1088811..fefc343 100644
--- a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/realms/RealmFileClaimsHandler.java
+++ b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/realms/RealmFileClaimsHandler.java
@@ -97,7 +97,7 @@ public class RealmFileClaimsHandler implements ClaimsHandler {
}
LOG.fine("Claims found for principal '" + parameters.getPrincipal().getName() + "'");
- if (claims != null && claims.size() > 0) {
+ if (claims.size() > 0) {
ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
for (Claim requestClaim : claims) {
String claimValue = claimMap.get(requestClaim.getClaimType().toString());