Posted to commits@cxf.apache.org by co...@apache.org on 2016/04/08 18:41:00 UTC
[1/3] cxf-fediz git commit: Add a POST SAML SSO test
Repository: cxf-fediz
Updated Branches:
refs/heads/master 32855169a -> 20ab01614
Add a POST SAML SSO test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/20ab0161
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/20ab0161
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/20ab0161
Branch: refs/heads/master
Commit: 20ab016144a338d79bf5bbcc9e9b56d21fd1bcb7
Parents: ad26d39
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 8 17:39:22 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 8 17:40:44 2016 +0100
----------------------------------------------------------------------
.../apache/cxf/fediz/systests/idp/IdpTest.java | 68 ++++++++++++++++++++
1 file changed, 68 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/20ab0161/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index f67b38e..bc1423e 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -23,10 +23,12 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
+import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.UUID;
import javax.servlet.ServletException;
@@ -34,10 +36,13 @@ import javax.servlet.ServletException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleState;
@@ -231,6 +236,69 @@ public class IdpTest {
}
@org.junit.Test
+ public void testSuccessfulInvokeOnIdPUsingPOST() throws Exception {
+ OpenSAMLUtil.initSamlEngine();
+
+ // Create SAML AuthnRequest
+ Document doc = DOMUtils.createDocument();
+ doc.appendChild(doc.createElement("root"));
+ // Create the AuthnRequest
+ String consumerURL = "https://localhost:" + getRpHttpsPort() + "/"
+ + getServletContextName() + "/secure/fedservlet";
+ AuthnRequest authnRequest =
+ new DefaultAuthnRequestBuilder().createAuthnRequest(
+ null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL
+ );
+ authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up");
+ signAuthnRequest(authnRequest);
+
+ Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+ String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+ String relayState = UUID.randomUUID().toString();
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up";
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+
+ WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+
+ request.setRequestParameters(new ArrayList<NameValuePair>());
+ request.getRequestParameters().add(new NameValuePair(SSOConstants.RELAY_STATE, relayState));
+ request.getRequestParameters().add(new NameValuePair(SSOConstants.SAML_REQUEST, authnRequestEncoded));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(request);
+
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ org.opensaml.saml.saml2.core.Response samlResponse =
+ parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID());
+ String expected = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue());
+
+ // Check claims
+ String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument());
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue(parsedResponse.contains(claim));
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue(parsedResponse.contains(claim));
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue(parsedResponse.contains(claim));
+
+ webClient.close();
+ }
+
+ @org.junit.Test
public void testBadIssuer() throws Exception {
OpenSAMLUtil.initSamlEngine();
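Review bot: `webClient.close()` at the end of testSuccessfulInvokeOnIdPUsingPOST only runs when every assertion before it passes, so any failing assertion leaks the HtmlUnit client and its connections for the rest of the suite; since WebClient is AutoCloseable in the HtmlUnit line that has `close()`, declare it as `try (final WebClient webClient = new WebClient()) {` and drop the trailing `webClient.close();`. `webClient.getOptions().setJavaScriptEnabled(false);` is also set twice (before and after the request parameters are built) and one of the two can go. The claim checks are `parsedResponse.contains(claim)` on the serialised whole Response, which only proves the claim-type URI appears somewhere in the document rather than as an attribute of the issued assertion; if the sibling tests do the same this is consistent, but asserting on the Assertion's AttributeStatement would be a tighter check of what the IdP actually issued. The hard-coded `alice`/`ecila` credentials and `setUseInsecureSSL(true)` are fine for a systest against the embedded Tomcat but should not be copied into non-test code.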
[3/3] cxf-fediz git commit: [FEDIZ-162] - Make it possible to disable
the requirement for a SAML SSO signature
Posted by co...@apache.org.
[FEDIZ-162] - Make it possible to disable the requirement for a SAML SSO signature
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e34b37f1
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e34b37f1
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e34b37f1
Branch: refs/heads/master
Commit: e34b37f1d691bc36b212de9e23ef568f1cd4f5e5
Parents: 3285516
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 8 15:54:24 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 8 17:40:44 2016 +0100
----------------------------------------------------------------------
.../idp/beans/samlsso/AuthnRequestValidator.java | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e34b37f1/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
index 80f4d0c..0b99805 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
@@ -66,6 +66,8 @@ import org.springframework.webflow.execution.RequestContext;
public class AuthnRequestValidator {
private static final Logger LOG = LoggerFactory.getLogger(AuthnRequestValidator.class);
+
+ private boolean requireSignature = true;
public void validateAuthnRequest(RequestContext context, Idp idp, String signature,
String relayState, String samlRequest, String realm)
@@ -129,9 +131,11 @@ public class AuthnRequestValidator {
LOG.debug("Signature validation failed");
throw new ProcessingException(TYPE.BAD_REQUEST);
}
- } else {
+ } else if (requireSignature) {
LOG.debug("No signature is present, therefore the request is rejected");
throw new ProcessingException(TYPE.BAD_REQUEST);
+ } else {
+ LOG.debug("No signature is present, but this is allowed by configuration");
}
}
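Review bot: When `requireSignature` is false the new `else` branch accepts an AuthnRequest whose Issuer and AssertionConsumerServiceURL are unauthenticated, so the rest of validateAuthnRequest must bind the ACS URL (and the Destination) to the application registered for that Issuer, otherwise the signed Response about the logged-in user can be directed to an attacker-chosen URL; that check is not visible in this hunk, so please confirm it exists before this option ships. Logging the accepted unsigned request at debug level hides the relaxed mode from operators, but a per-request warn would be noisy when the option is deliberately off, so a comment here stating the assumption is the minimum: `// Unsigned request accepted by configuration: Issuer/ACS URL are NOT authenticated and must be checked against the registered application below.` The enclosing validateSignature method starts and ends outside this hunk.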
@@ -241,5 +245,17 @@ public class AuthnRequestValidator {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
+
+ public boolean isRequireSignature() {
+ return requireSignature;
+ }
+
+ /**
+ * Whether to require a signature or not on the AuthnRequest
+ * @param requireSignature
+ */
+ public void setRequireSignature(boolean requireSignature) {
+ this.requireSignature = requireSignature;
+ }
}
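Review bot: The Javadoc on `setRequireSignature` leaves `@param requireSignature` without a description and does not state the default or what is given up by disabling it, which is exactly what someone flipping this in the Spring config needs to know; suggest `@param requireSignature true (the default) to reject AuthnRequests that carry no signature; false accepts unsigned requests, whose Issuer and AssertionConsumerServiceURL are then unauthenticated`. It would also help operators to record the relaxed mode once, at configuration time rather than per request, e.g. `if (!requireSignature) { LOG.warn("SAML SSO AuthnRequest signatures are not required; unsigned requests will be accepted"); }` inside the setter.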
[2/3] cxf-fediz git commit: Avoid NPE
Posted by co...@apache.org.
Avoid NPE
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ad26d39f
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ad26d39f
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ad26d39f
Branch: refs/heads/master
Commit: ad26d39f5e835c9810a0befb271282785c74e323
Parents: e34b37f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 8 17:34:25 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 8 17:40:44 2016 +0100
----------------------------------------------------------------------
.../fediz/service/idp/beans/samlsso/AuthnRequestValidator.java | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ad26d39f/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
index 0b99805..11be3f7 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestValidator.java
@@ -74,6 +74,9 @@ public class AuthnRequestValidator {
throws Exception {
AuthnRequest authnRequest =
(AuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
+ if (authnRequest == null) {
+ throw new ProcessingException(TYPE.BAD_REQUEST);
+ }
validateSignature(context, authnRequest, idp, signature, relayState, samlRequest, realm);