cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1086244 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust: STSSamlAssertionValidator.java STSTokenValidator.java
Date Mon, 28 Mar 2011 14:04:48 GMT
Author: coheigea
Date: Mon Mar 28 14:04:48 2011
New Revision: 1086244

URL: http://svn.apache.org/viewvc?rev=1086244&view=rev
Log:
Added a STSSamlAssertionValidator, which does not throw an exception if signature trust verification
fails.
 - This validator is used by the STSTokenValidator. If trust verification fails, then the
token is dispatched to the STS for verification.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java?rev=1086244&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
Mon Mar 28 14:04:48 2011
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.trust;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.validate.Credential;
+import org.apache.ws.security.validate.SamlAssertionValidator;
+
+/**
+ * This class validates a SAML Assertion by invoking the SamlAssertionValidator in WSS4J.
It 
+ * overrides the signature verification, so that if the signature is not trusted, it just
sets
+ * a boolean. The STSTokenValidator can parse this tag and dispatch the Assertion to the
STS
+ * for validation.
+ */
+public class STSSamlAssertionValidator extends SamlAssertionValidator {
+    
+    private boolean trustVerificationSucceeded;
+    
+    /**
+     * Validate the credential argument. It must contain a non-null AssertionWrapper. 
+     * A Crypto and a CallbackHandler implementation is also required to be set.
+     * 
+     * @param credential the Credential to be validated
+     * @param data the RequestData associated with the request
+     * @throws WSSecurityException on a failed validation
+     */
+    public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
+        return super.validate(credential, data);
+    }
+    
+    /**
+     * Try to verify trust on the assertion. If it fails, then set a boolean and return.
+     * @param assertion The signed Assertion
+     * @param data The RequestData context
+     * @return A Credential instance
+     * @throws WSSecurityException
+     */
+    @Override
+    protected Credential verifySignedAssertion(
+        AssertionWrapper assertion,
+        RequestData data
+    ) throws WSSecurityException {
+        try {
+            Credential credential = super.verifySignedAssertion(assertion, data);
+            trustVerificationSucceeded = true;
+            return credential;
+        } catch (WSSecurityException ex) {
+            trustVerificationSucceeded = false;
+            return null;
+        }
+    }
+    
+    /**
+     * Return if trust verification on the signature of the assertion succeeded.
+     * @return if trust verification on the signature of the assertion succeeded
+     */
+    public boolean isTrustVerificationSucceeded() {
+        return trustVerificationSucceeded;
+    }
+    
+}

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java?rev=1086244&r1=1086243&r2=1086244&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
Mon Mar 28 14:04:48 2011
@@ -31,23 +31,36 @@ import org.apache.ws.security.validate.V
  * 
  */
 public class STSTokenValidator implements Validator {
-    Validator delegate;
+    private STSSamlAssertionValidator samlValidator = new STSSamlAssertionValidator();
+    private boolean alwaysValidateToSts;
     
     public STSTokenValidator() {
     }
-    public STSTokenValidator(Validator delegate) {
-        this.delegate = delegate;
+    
+    /**
+     * Construct a new instance.
+     * @param alwaysValidateToSts whether to always validate the token to the STS
+     */
+    public STSTokenValidator(boolean alwaysValidateToSts) {
+        this.alwaysValidateToSts = alwaysValidateToSts;
     }
     
     public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
-        if (delegate != null) {
-            credential = delegate.validate(credential, data);
-        }
         SoapMessage m = (SoapMessage)data.getMsgContext();
         SecurityToken token = new SecurityToken();
         
         try {
             if (credential.getAssertion() != null) {
+                if (!alwaysValidateToSts) {
+                    //
+                    // Try to validate the Assertion locally first. If trust verification
fails
+                    // then send it off to the STS for validation
+                    //
+                    samlValidator.validate(credential, data);
+                    if (samlValidator.isTrustVerificationSucceeded()) {
+                        return credential;
+                    }
+                }
                 token.setToken(credential.getAssertion().getElement());
             } else if (credential.getUsernametoken() != null) {
                 token.setToken(credential.getUsernametoken().getElement());



Mime
View raw message