cxf-commits mailing list archives

From cohei...@apache.org
Subject svn commit: r1091114 - in /cxf/trunk/rt/ws/security/src: main/java/org/apache/cxf/ws/security/policy/interceptors/ main/java/org/apache/cxf/ws/security/wss4j/ main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ main/java/org/apache/cxf/ws/securi...
Date Mon, 11 Apr 2011 16:29:41 GMT
Author: coheigea
Date: Mon Apr 11 16:29:41 2011
New Revision: 1091114

URL: http://svn.apache.org/viewvc?rev=1091114&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part VI)
 - Added support for validation of SAML holder-of-key and sender-vouches requirements

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Mon Apr 11 16:29:41 2011
@@ -20,6 +20,7 @@
 package org.apache.cxf.ws.security.policy.interceptors;
 
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
@@ -55,6 +56,7 @@ import org.apache.ws.security.handler.WS
 import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
  * 
@@ -207,18 +209,7 @@ public class IssuedTokenInterceptorProvi
                     List<WSHandlerResult> results = 
                         CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
                     if (results != null) {
-                        for (WSHandlerResult rResult : results) {
-                            WSSecurityEngineResult wser = 
-                                findSecurityResult(rResult.getResults());
-                            if (wser != null) {
-                                IssuedTokenPolicyValidator issuedValidator = 
-                                    new IssuedTokenPolicyValidator();
-                                issuedValidator.validatePolicy(aim, wser);
-                                
-                                SecurityToken token = createSecurityToken(wser);
-                                message.getExchange().put(SecurityConstants.TOKEN, token);
-                            }
-                        }
+                        parseHandlerResults(results, message, aim);
                     }
                 } else {
                     //client side should be checked on the way out
@@ -229,6 +220,38 @@ public class IssuedTokenInterceptorProvi
             }
         }
         
+        private void parseHandlerResults(
+            List<WSHandlerResult> results,
+            Message message,
+            AssertionInfoMap aim
+        ) {
+            if (results != null) {
+                for (WSHandlerResult rResult : results) {
+                    WSSecurityEngineResult wser = 
+                        findSecurityResult(rResult.getResults());
+                    if (wser != null) {
+                        List<WSSecurityEngineResult> signedResults = 
+                            new ArrayList<WSSecurityEngineResult>();
+                        WSSecurityUtil.fetchAllActionResults(
+                            rResult.getResults(), WSConstants.SIGN, signedResults
+                        );
+                        
+                        //
+                        // Validate the Issued Token policy
+                        //
+                        IssuedTokenPolicyValidator issuedValidator = 
+                            new IssuedTokenPolicyValidator(signedResults, message);
+                        if (!issuedValidator.validatePolicy(aim, wser)) {
+                            break;
+                        }
+                        
+                        SecurityToken token = createSecurityToken(wser);
+                        message.getExchange().put(SecurityConstants.TOKEN, token);
+                    }
+                }
+            }
+        }
+        
         private WSSecurityEngineResult findSecurityResult(
             List<WSSecurityEngineResult> wsSecEngineResults
         ) {
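Review bot: The `break` after a failed `validatePolicy` in `parseHandlerResults` has no comment saying why the remaining handler results are skipped. The validator hunks in this commit show the failure paths calling `ai.setNotAsserted(...)` before returning false, so a line such as `// Validation failed and the assertion is already marked not asserted; stop without storing a token` would make the intent explicit. The `results != null` guard is now tested twice, once at the call site and once inside the new method, and one of the two can go. The `findSecurityResult` signature at the end of this hunk continues outside it.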

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Apr 11 16:29:41 2011
@@ -22,6 +22,7 @@ package org.apache.cxf.ws.security.wss4j
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
@@ -82,6 +83,7 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.WSUsernameTokenPrincipal;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
  * 
@@ -518,6 +520,12 @@ public class PolicyBasedWSS4JInIntercept
         boolean hasEndorsement = false;
         Protections prots = Protections.NONE;
         
+        //
+        // Prefetch all signature results
+        //
+        List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults);
+
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             switch (actInt.intValue()) {   
@@ -574,7 +582,8 @@ public class PolicyBasedWSS4JInIntercept
                 break;
             case WSConstants.ST_SIGNED:
             case WSConstants.ST_UNSIGNED:
-                SamlTokenPolicyValidator validator = new SamlTokenPolicyValidator();
+                SamlTokenPolicyValidator validator = 
+                    new SamlTokenPolicyValidator(soapBody, signedResults, msg);
                 validator.validatePolicy(aim, wser);
                 break;
             case WSConstants.TS:
@@ -624,7 +633,6 @@ public class PolicyBasedWSS4JInIntercept
             assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         }
-        
         super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
     }
     private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)


Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Apr 11 16:29:41 2011
@@ -624,8 +624,6 @@ public abstract class AbstractBindingBui
                     );
                 if (!selfSignAssertion) {
                     AssertionWrapper assertionWrapper = (AssertionWrapper)tempTok;
-                    part = new WSEncryptionPart(assertionWrapper.getId());
-                    part.setElement(assertionWrapper.getElement());
                     
                     // TODO We only support using a KeyIdentifier for the moment
                     SecurityTokenReference secRef = 

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1091114&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Mon Apr 11 16:29:41 2011
@@ -0,0 +1,120 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+/**
+ * Some abstract functionality for validating SAML Assertions
+ */
+public abstract class AbstractSamlPolicyValidator {
+    
+    /**
+     * Check the holder-of-key requirements against the received assertion. The subject
+     * credential of the SAML Assertion must have been used to sign some portion of
+     * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
+     * the subject credential of the SAML Assertion must match a client certificate credential
+     * when 2-way TLS is used.
+     * @param assertionWrapper the SAML Assertion wrapper object
+     * @param signedResults a list of all of the signed results
+     */
+    public boolean checkHolderOfKey(
+        AssertionWrapper assertionWrapper,
+        List<WSSecurityEngineResult> signedResults,
+        Certificate[] tlsCerts
+    ) {
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+                if (tlsCerts == null && (signedResults == null || signedResults.isEmpty()))
{
+                    return false;
+                }
+                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
+     * used to verify signatures.
+     * Return true on a match
+     * @param subjectKeyInfo the SAMLKeyInfo object
+     * @param signedResults a list of all of the signed results
+     * @return true if the credentials of the assertion were used to verify a signature
+     */
+    private boolean compareCredentials(
+        SAMLKeyInfo subjectKeyInfo,
+        List<WSSecurityEngineResult> signedResults,
+        Certificate[] tlsCerts
+    ) {
+        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+        byte[] subjectSecretKey = subjectKeyInfo.getSecret();
+        
+        //
+        // Try to match the TLS certs first
+        //
+        if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts !=
null 
+            && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0]))
{
+            return true;
+        } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey
!= null
+            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+            return true;
+        }
+        
+        //
+        // Now try the message-level signatures
+        //
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            X509Certificate[] certs =
+                (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+            PublicKey publicKey =
+                (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+            byte[] secretKey =
+                (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
+            if (certs != null && certs.length > 0 && subjectCerts != null
+                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0]))
{
+                return true;
+            }
+            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
+                return true;
+            }
+            if (secretKey != null && subjectSecretKey != null
+                && Arrays.equals(secretKey, subjectSecretKey)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+}
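Review bot: `compareCredentials` dereferences both `subjectKeyInfo` and `signedResults` without a null check. `checkHolderOfKey` passes `assertionWrapper.getSubjectKeyInfo()` straight through, and its own guard only returns early when `tlsCerts == null` and there are no signed results, so a holder-of-key assertion without subject key material (if `getSubjectKeyInfo()` can return null, which is not visible here) or a call with TLS certificates but a null `signedResults` would end in a NullPointerException rather than a clean `false`. I would add `if (subjectKeyInfo == null) { return false; }` at the top of `compareCredentials` and `if (signedResults == null) { return false; }` before the signature loop. The secret-key comparison could use `MessageDigest.isEqual(secretKey, subjectSecretKey)` instead of `Arrays.equals`, so its duration does not depend on the position of the first differing byte. The Javadoc on both methods omits `@param tlsCerts`, and `checkHolderOfKey` has no `@return`.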

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Mon Apr 11 16:29:41 2011
@@ -19,11 +19,15 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.security.cert.Certificate;
 import java.util.Collection;
+import java.util.List;
 
 import org.w3c.dom.Element;
 
 import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
@@ -39,7 +43,18 @@ import org.opensaml.common.SAMLVersion;
  * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
  * against an IssuedToken policy.
  */
-public class IssuedTokenPolicyValidator {
+public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
+    
+    private List<WSSecurityEngineResult> signedResults;
+    private Message message;
+
+    public IssuedTokenPolicyValidator(
+        List<WSSecurityEngineResult> signedResults,
+        Message message
+    ) {
+        this.signedResults = signedResults;
+        this.message = message;
+    }
     
     public boolean validatePolicy(
         AssertionInfoMap aim,
@@ -51,13 +66,23 @@ public class IssuedTokenPolicyValidator 
                 AssertionWrapper assertionWrapper = 
                     (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+                ai.setAsserted(true);
+                
                 Element template = issuedToken.getRstTemplate();
                 if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper))
{
                     ai.setNotAsserted("Error in validating the IssuedToken policy");
                     return false;
                 }
-
-                ai.setAsserted(true);
+                
+                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                Certificate[] tlsCerts = null;
+                if (tlsInfo != null) {
+                    tlsCerts = tlsInfo.getPeerCertificates();
+                }
+                if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
+                    return false;
+                }
             }
         }
         return true;
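Review bot: `ai.setAsserted(true)` now runs before the template and holder-of-key checks, so the AssertionInfo is marked satisfied while validation is still in progress. Both failure branches call `ai.setNotAsserted(...)`, but anything that throws in between (for example a null `message` at `message.get(TLSSessionInfo.class)`) would leave it asserted; whether that matters depends on how the caller handles the exception, which is not visible here. Unless the move was deliberate, keeping `ai.setAsserted(true);` as the last statement of the block, after the `checkHolderOfKey` test as the removed lines had it, closes that window. `validatePolicy` begins and ends outside this hunk.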

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Mon Apr 11 16:29:41 2011
@@ -19,14 +19,23 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.security.cert.Certificate;
 import java.util.Collection;
+import java.util.List;
 
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
 
 import org.opensaml.common.SAMLVersion;
 
@@ -34,7 +43,21 @@ import org.opensaml.common.SAMLVersion;
  * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
  * against the appropriate policy.
  */
-public class SamlTokenPolicyValidator {
+public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator {
+    
+    private List<WSSecurityEngineResult> signedResults;
+    private Element soapBody;
+    private Message message;
+
+    public SamlTokenPolicyValidator(
+        Element soapBody,
+        List<WSSecurityEngineResult> signedResults,
+        Message message
+    ) {
+        this.soapBody = soapBody;
+        this.signedResults = signedResults;
+        this.message = message;
+    }
     
     public boolean validatePolicy(
         AssertionInfoMap aim,
@@ -52,6 +75,19 @@ public class SamlTokenPolicyValidator {
                     ai.setNotAsserted("Wrong SAML Version");
                     return false;
                 }
+                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                Certificate[] tlsCerts = null;
+                if (tlsInfo != null) {
+                    tlsCerts = tlsInfo.getPeerCertificates();
+                }
+                if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
+                    return false;
+                }
+                if (!checkSenderVouches(assertionWrapper, tlsCerts)) {
+                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
+                    return false;
+                }
                 /*
                 if (!checkIssuerName(samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong IssuerName");
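Review bot: The TLS peer-certificate lookup added here, from `message.get(TLSSessionInfo.class)` through `tlsInfo.getPeerCertificates()`, is a line-for-line copy of the block this commit adds to IssuedTokenPolicyValidator. Both classes now extend AbstractSamlPolicyValidator, so a protected helper there (for instance `protected Certificate[] getTlsPeerCertificates(Message message)`) would keep the two validators from drifting apart. The new private fields in both validators are assigned only in the constructor and could be `final`. `validatePolicy` starts and continues outside this hunk.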
@@ -90,5 +126,64 @@ public class SamlTokenPolicyValidator {
         }
         return true;
     }
-   
+    
+    /**
+     * Check the sender-vouches requirements against the received assertion. The SAML
+     * Assertion and the SOAP Body must be signed by the same signature.
+     */
+    private boolean checkSenderVouches(
+        AssertionWrapper assertionWrapper,
+        Certificate[] tlsCerts
+    ) {
+        //
+        // If we have a 2-way TLS connection, then we don't have to check that the
+        // assertion + SOAP body are signed
+        //
+        if (tlsCerts != null && tlsCerts.length > 0) {
+            return true;
+        }
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+                if (signedResults == null || signedResults.isEmpty()) {
+                    return false;
+                }
+                if (!checkAssertionAndBodyAreSigned(assertionWrapper)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Return true if there is a signature which references the Assertion and the SOAP Body.
+     * @param assertionWrapper the AssertionWrapper object
+     * @return true if there is a signature which references the Assertion and the SOAP Body.
+     */
+    private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) {
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            List<WSDataRef> sl =
+                CastUtils.cast((List<?>)signedResult.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                ));
+            boolean assertionIsSigned = false;
+            boolean bodyIsSigned = false;
+            if (sl != null) {
+                for (WSDataRef dataRef : sl) {
+                    Element se = dataRef.getProtectedElement();
+                    if (se == assertionWrapper.getElement()) {
+                        assertionIsSigned = true;
+                    }
+                    if (se == soapBody) {
+                        bodyIsSigned = true;
+                    }
+                    if (assertionIsSigned && bodyIsSigned) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
 }
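Review bot: `checkAssertionAndBodyAreSigned` compares `dataRef.getProtectedElement()` to `assertionWrapper.getElement()` and to `soapBody` with `==` and never checks for null. If a data reference carries no protected element and either the assertion element or `soapBody` is also null (neither is ruled out by the visible code), `null == null` sets the corresponding flag and the check can pass without that element being covered by the signature. I would skip such references with `if (se == null) { continue; }` directly after the `getProtectedElement()` call. Separately, `checkSenderVouches` returns true for any non-empty `tlsCerts` before it looks at the confirmation methods; a comment stating that TLS client authentication is accepted as the sender's attestation, and under which policy that is intended, would let the next reader judge it.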

Modified: cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
(original)
+++ cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
Mon Apr 11 16:29:41 2011
@@ -2,7 +2,7 @@
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Header>
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
-  <saml2:Assertion ID="4D2CF5C052E2084C8F13014023747597" IssueInstant="2011-03-29T12:39:34.759Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml2:AssertionType"><saml2:Issuer>www.example.com</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"><saml2:SubjectConfirmationData/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2011-03-29T12:39:34.763Z" NotOnOrAfter="2011-03-29T12:44:34.763Z"/><saml2:AuthzDecisionStatement
Decision="Permit" Resource="endpoint"><saml2:Action>Read</saml2:Action></saml2:AuthzDecisionStatement></saml2:Assertion>
+  <saml2:Assertion ID="4D2CF5C052E2084C8F13014023747597" IssueInstant="2011-03-29T12:39:34.759Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml2:AssertionType"><saml2:Issuer>www.example.com</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2011-03-29T12:39:34.763Z" NotOnOrAfter="2011-03-29T12:44:34.763Z"/><saml2:AuthzDecisionStatement
Decision="Permit" Resource="endpoint"><saml2:Action>Read</saml2:Action></saml2:AuthzDecisionStatement></saml2:Assertion>
   </wsse:Security>
   </soap:Header>
   <soap:Body>
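Review bot: No fixture visible in this commit exercises the new sender-vouches or holder-of-key checks. This file and saml_request.xml both switch the confirmation method from `sender-vouches` to `bearer`, which neither `checkSenderVouches` nor `checkHolderOfKey` acts on. Tests may exist elsewhere, but as shown the validation is added and the only test data that would have reached it is moved out of its way. A fixture that keeps `sender-vouches` with the body or assertion left unsigned and expects rejection, plus a holder-of-key case whose signing key does not match the subject key, would pin the behaviour.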

Modified: cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
(original)
+++ cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
Mon Apr 11 16:29:41 2011
@@ -2,7 +2,7 @@
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Header>
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
-  <saml1:Assertion AssertionID="4D2CF5C052E2084C8F13014023748318" IssueInstant="2011-03-29T12:39:34.831Z"
Issuer="www.example.com" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="saml1:AssertionType"><saml1:ConditionsType
NotBefore="2011-03-29T12:39:34.832Z" NotOnOrAfter="2011-03-29T12:44:34.832Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2011-03-29T12:39:34.831Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
xsi:type="saml1:AuthenticationStatementType"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement
 ></saml1:Assertion>
+  <saml1:Assertion AssertionID="4D2CF5C052E2084C8F13014023748318" IssueInstant="2011-03-29T12:39:34.831Z"
Issuer="www.example.com" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="saml1:AssertionType"><saml1:ConditionsType
NotBefore="2011-03-29T12:39:34.832Z" NotOnOrAfter="2011-03-29T12:44:34.832Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2011-03-29T12:39:34.831Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
xsi:type="saml1:AuthenticationStatementType"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1
 :Assertion>
   </wsse:Security>
   </soap:Header>
   <soap:Body>


