Posted to commits@cxf.apache.org by co...@apache.org on 2015/08/14 15:07:15 UTC
cxf git commit: [CXF-6543] - It's not possible to specify the
signature + digest algorithms for self-signed SAML Assertions with JAX-RS
Repository: cxf
Updated Branches:
refs/heads/master 7dec3c88a -> 953d23f38
[CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed SAML Assertions with JAX-RS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/953d23f3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/953d23f3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/953d23f3
Branch: refs/heads/master
Commit: 953d23f38ddfe044a4dff4783498ebe5d68d76c1
Parents: 7dec3c8
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Aug 14 14:06:51 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Aug 14 14:07:09 2015 +0100
----------------------------------------------------------------------
.../apache/cxf/rs/security/saml/SAMLUtils.java | 5 ++-
.../jaxrs/security/saml/JAXRSSamlTest.java | 37 ++++++++++++++++----
.../security/saml/SamlCallbackHandler.java | 34 +++++++++++++++++-
3 files changed, 67 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index 1471191..60c755d 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -112,7 +112,10 @@ public final class SAMLUtils {
RSSecurityUtils.getPassword(message, user, WSPasswordCallback.SIGNATURE,
SAMLUtils.class);
- assertion.signAssertion(user, password, crypto, false);
+ assertion.signAssertion(user, password, crypto, false,
+ samlCallback.getCanonicalizationAlgorithm(),
+ samlCallback.getSignatureAlgorithm(),
+ samlCallback.getSignatureDigestAlgorithm());
}
return assertion;
} catch (Exception ex) {
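Review bot: The three algorithm arguments on the new `signAssertion` call come straight from the `SAMLCallback`, and nothing in this hunk substitutes a value when the callback handler left them unset, so the effective canonicalization, signature and digest algorithms are whatever WSS4J's `signAssertion` falls back to for null — presumably key-type dependent and, for this WSS4J generation, likely SHA-1 based; please confirm and note it. A comment on the call would make the contract visible to a reader of SAMLUtils: `// null algorithms let WSS4J choose its defaults (key-type dependent); set them in the SAMLCallback to get e.g. RSA-SHA256 / SHA-256`. Hard-wiring a fixed RSA URI as a fallback here would not be right either, since it would break DSA-keyed issuers. The enclosing method starts before this hunk and its catch block continues after it.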
http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
index ccbabf4..7949c13 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
@@ -23,6 +23,7 @@ import java.net.URL;
import java.util.HashMap;
import java.util.Map;
+import javax.security.auth.callback.CallbackHandler;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Form;
@@ -41,9 +42,11 @@ import org.apache.cxf.rs.security.saml.SamlEnvelopedOutInterceptor;
import org.apache.cxf.rs.security.saml.SamlFormOutInterceptor;
import org.apache.cxf.rs.security.saml.SamlHeaderOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
+import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.systest.jaxrs.security.Book;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.WSConstants;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -125,6 +128,16 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
}
@Test
+ public void testBearerSignedDifferentAlgorithms() throws Exception {
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
+ callbackHandler.setDigestAlgorithm(WSConstants.SHA256);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setSignAssertion(true);
+ doTestEnvelopedSAMLToken(true, callbackHandler);
+ }
+
+ @Test
public void testEnvelopedUnsignedSAMLToken() throws Exception {
doTestEnvelopedSAMLToken(false);
}
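Review bot: `testBearerSignedDifferentAlgorithms` configures rsa-sha256 and `WSConstants.SHA256` on the handler, but `doTestEnvelopedSAMLToken(true, callbackHandler)` only checks that the request round-trips; nothing asserts that the assertion's `ds:SignatureMethod` and `ds:DigestMethod` actually carry those URIs, so the test passes equally if the settings are silently dropped, as they were before this commit. Consider capturing the outgoing request body (a client-side out interceptor, for instance) and asserting on it, e.g. `assertTrue(body.contains("Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\""));` plus the same check for the `WSConstants.SHA256` URI. The signature URI is also a bare string literal while the digest uses a `WSConstants` constant; if WSS4J exposes a constant for rsa-sha256, using it would keep the two symmetric.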
@@ -177,8 +190,12 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
}
public void doTestEnvelopedSAMLToken(boolean signed) throws Exception {
+ doTestEnvelopedSAMLToken(signed, new SamlCallbackHandler());
+ }
+
+ public void doTestEnvelopedSAMLToken(boolean signed, CallbackHandler samlCallbackHandler) throws Exception {
String address = "https://localhost:" + PORT + "/samlxml/bookstore/books";
- WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed), null);
+ WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed), null, samlCallbackHandler);
XmlSigOutInterceptor xmlSig = new XmlSigOutInterceptor();
if (signed) {
xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
@@ -204,6 +221,13 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
private WebClient createWebClient(String address,
Interceptor<Message> outInterceptor,
Object provider) {
+ return createWebClient(address, outInterceptor, provider, new SamlCallbackHandler());
+ }
+
+ private WebClient createWebClient(String address,
+ Interceptor<Message> outInterceptor,
+ Object provider,
+ CallbackHandler samlCallbackHandler) {
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);
@@ -213,12 +237,11 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
bean.setBus(springBus);
Map<String, Object> properties = new HashMap<String, Object>();
- properties.put("security.callback-handler",
+ properties.put(SecurityConstants.CALLBACK_HANDLER,
"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
- properties.put("security.saml-callback-handler",
- "org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
- properties.put("security.signature.username", "alice");
- properties.put("security.signature.properties",
+ properties.put(SecurityConstants.SAML_CALLBACK_HANDLER, samlCallbackHandler);
+ properties.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
+ properties.put(SecurityConstants.SIGNATURE_PROPERTIES,
"org/apache/cxf/systest/jaxrs/security/alice.properties");
bean.setProperties(properties);
http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 81e4448..5a6b26f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -59,6 +59,9 @@ import org.joda.time.DateTime;
public class SamlCallbackHandler implements CallbackHandler {
private boolean saml2 = true;
private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+ private String signatureAlgorithm;
+ private String digestAlgorithm;
+ private boolean signAssertion;
public SamlCallbackHandler() {
//
@@ -106,7 +109,7 @@ public class SamlCallbackHandler implements CallbackHandler {
SecurityConstants.SIGNATURE_PROPERTIES);
X509Certificate cert =
RSSecurityUtils.getCertificates(crypto,
- RSSecurityUtils.getUserName(m, crypto, "security.signature.username"))[0];
+ RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
KeyInfoBean keyInfo = new KeyInfoBean();
keyInfo.setCertificate(cert);
@@ -172,8 +175,37 @@ public class SamlCallbackHandler implements CallbackHandler {
attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
+
+ callback.setSignatureAlgorithm(signatureAlgorithm);
+ callback.setSignatureDigestAlgorithm(digestAlgorithm);
+
+ callback.setSignAssertion(signAssertion);
}
}
}
+
+ public String getSignatureAlgorithm() {
+ return signatureAlgorithm;
+ }
+
+ public void setSignatureAlgorithm(String signatureAlgorithm) {
+ this.signatureAlgorithm = signatureAlgorithm;
+ }
+
+ public String getDigestAlgorithm() {
+ return digestAlgorithm;
+ }
+
+ public void setDigestAlgorithm(String digestAlgorithm) {
+ this.digestAlgorithm = digestAlgorithm;
+ }
+
+ public boolean isSignAssertion() {
+ return signAssertion;
+ }
+
+ public void setSignAssertion(boolean signAssertion) {
+ this.signAssertion = signAssertion;
+ }
}
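Review bot: `callback.setSignatureAlgorithm(signatureAlgorithm)` and `callback.setSignatureDigestAlgorithm(digestAlgorithm)` are called unconditionally, so every existing test that uses this handler now pushes null into the `SAMLCallback`; whether that reads as "use the default" or overwrites a default the callback already carried depends on `SAMLCallback`'s initialisation, which is not visible here. Guarding both calls, `if (signatureAlgorithm != null) { callback.setSignatureAlgorithm(signatureAlgorithm); }` and likewise for the digest, keeps the handler from clobbering whatever WSS4J ships. Two smaller points: the accessor pair is named `digestAlgorithm` while the callback property is `signatureDigestAlgorithm`, and the handler offers no setter for the canonicalization algorithm even though `SAMLUtils` now reads it from the callback, so that path stays untested. The `handle` method whose tail opens this hunk starts before the hunk.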