From cohei...@apache.org
Subject svn commit: r1235369 - in /cxf/trunk: rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/ rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/ s...
Date Tue, 24 Jan 2012 17:34:50 GMT
Author: coheigea
Date: Tue Jan 24 17:34:49 2012
New Revision: 1235369

URL: http://svn.apache.org/viewvc?rev=1235369&view=rev
Log:
Updating all SAML CallbackHandlers to produce schema compliant SAML Assertions
 - Validating received SAML Assertions in the STS against the schema + specs.

Modified:
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
    cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/Saml2CallbackHandler.java
    cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
    cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
Tue Jan 24 17:34:49 2012
@@ -92,11 +92,14 @@ public abstract class AbstractSAMLCallba
             callback.setAuthenticationStatementData(Collections.singletonList(authBean));
         } else if (statement == Statement.ATTR) {
             AttributeStatementBean attrBean = new AttributeStatementBean();
+            AttributeBean attributeBean = new AttributeBean();
             if (subjectBean != null) {
                 attrBean.setSubject(subjectBean);
+                attributeBean.setSimpleName("role");
+                attributeBean.setQualifiedName("http://custom-ns");
+            } else {
+                attributeBean.setQualifiedName("role");
             }
-            AttributeBean attributeBean = new AttributeBean();
-            attributeBean.setSimpleName("role");
             attributeBean.setAttributeValues(Collections.singletonList("user"));
             attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
             callback.setAttributeStatementData(Collections.singletonList(attrBean));
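Review bot: The attribute-name form is chosen by `subjectBean != null`, which reads as a subject-presence check rather than the SAML-version distinction it seems to stand for; the two sibling handlers changed in this commit (ws-security-examples and ws-security) branch on an explicit `saml2` flag, and this handler would be clearer doing the same if it has such a flag, or at least carrying a comment above the `if` such as `// SAML 1.1 appears to map simpleName -> AttributeName and qualifiedName -> AttributeNamespace; SAML 2.0 uses qualifiedName alone as the Attribute Name — confirm against the WSS4J builders`. The same comment belongs on the `if (saml2)` blocks of those two handlers, because `setQualifiedName("http://custom-ns")` otherwise looks like an attribute name rather than a namespace. The enclosing method starts and ends outside the hunk.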

Modified: cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
(original)
+++ cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
Tue Jan 24 17:34:49 2012
@@ -2,7 +2,7 @@
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Header>
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
-  <saml2:Assertion ID="4D2CF5C052E2084C8F13014023747597" IssueInstant="2011-03-29T12:39:34.759Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml2:AssertionType"><saml2:Issuer>www.example.com</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2011-03-29T12:39:34.763Z" NotOnOrAfter="2111-03-29T12:44:34.763Z"/><saml2:AuthzDecisionStatement
Decision="Permit" Resource="endpoint"><saml2:Action>Read</saml2:Action></saml2:AuthzDecisionStatement></saml2:Assertion>
+  <saml2:Assertion ID="4D2CF5C052E2084C8F13014023747597" IssueInstant="2011-03-29T12:39:34.759Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml2:AssertionType"><saml2:Issuer>www.example.com</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2011-03-29T12:39:34.763Z" NotOnOrAfter="2111-03-29T12:44:34.763Z"/><saml2:AuthzDecisionStatement
Decision="Permit" Resource="endpoint"><saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">Read</saml2:Action></saml2:AuthzDecisionStatement></saml2:Assertion>
   </wsse:Security>
   </soap:Header>
   <soap:Body>

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
Tue Jan 24 17:34:49 2012
@@ -51,6 +51,8 @@ import org.apache.ws.security.validate.S
 import org.apache.ws.security.validate.Validator;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
+import org.opensaml.xml.validation.ValidationException;
+import org.opensaml.xml.validation.ValidatorSuite;
 
 /**
  * Validate a SAML Assertion. It is valid if it was issued and signed by this STS.
@@ -165,6 +167,9 @@ public class SAMLTokenValidator implemen
                 assertion.verifySignature(
                     requestData, new WSDocInfo(validateTargetElement.getOwnerDocument())
                 );
+                
+                // Validate the assertion against schemas/profiles
+                validateAssertion(assertion);
 
                 // Now verify trust on the signature
                 Credential trustCredential = new Credential();
@@ -227,4 +232,35 @@ public class SAMLTokenValidator implemen
         return response;
     }
     
+    /**
+     * Validate the assertion against schemas/profiles
+     */
+    protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException
{
+        if (assertion.getSaml1() != null) {
+            ValidatorSuite schemaValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
+            ValidatorSuite specValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
+            try {
+                schemaValidators.validate(assertion.getSaml1());
+                specValidators.validate(assertion.getSaml1());
+            } catch (ValidationException e) {
+                LOG.fine("Saml Validation error: " + e.getMessage());
+                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+            }
+        } else if (assertion.getSaml2() != null) {
+            ValidatorSuite schemaValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
+            ValidatorSuite specValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
+            try {
+                schemaValidators.validate(assertion.getSaml2());
+                specValidators.validate(assertion.getSaml2());
+            } catch (ValidationException e) {
+                LOG.fine("Saml Validation error: " + e.getMessage());
+                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+            }
+        }
+    }
+    
 }
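Review bot: The `ValidationException` caught in both catch blocks is dropped instead of being attached as the cause of the thrown `WSSecurityException`, and only its message is logged at FINE, so a schema-invalid assertion rejected by the STS leaves almost nothing to diagnose from; in addition, `org.opensaml.Configuration.getValidatorSuite` returns null for an unregistered suite id, so a missing suite would surface on the following `validate` call as a NullPointerException rather than the intended `invalidSAMLsecurity` failure. The SAML 1 and SAML 2 branches are identical apart from the suite ids and the wrapped object, so the method folds into one helper that takes an `XMLObject` and the two suite ids, fails closed when a suite is absent, and passes `e` as the cause (using the `WSSecurityException` overload with a `Throwable` parameter, assuming this WSS4J version provides it). This needs `org.opensaml.xml.XMLObject` imported next to the two imports the commit adds. Note the method still passes silently when neither `getSaml1()` nor `getSaml2()` is set, which is only acceptable if the caller guarantees one of them is present.
```java
    protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException {
        if (assertion.getSaml1() != null) {
            validateWithSuites(assertion.getSaml1(), "saml1-schema-validator", "saml1-spec-validator");
        } else if (assertion.getSaml2() != null) {
            validateWithSuites(
                assertion.getSaml2(), "saml2-core-schema-validator", "saml2-core-spec-validator"
            );
        }
    }

    /**
     * Run the schema suite and then the spec suite over the assertion, failing closed
     * (invalidSAMLsecurity) on any validation error or on an unregistered suite id.
     */
    private void validateWithSuites(XMLObject samlObject, String schemaSuiteId, String specSuiteId)
        throws WSSecurityException {
        ValidatorSuite schemaValidators = org.opensaml.Configuration.getValidatorSuite(schemaSuiteId);
        ValidatorSuite specValidators = org.opensaml.Configuration.getValidatorSuite(specSuiteId);
        if (schemaValidators == null || specValidators == null) {
            // An unregistered suite must not be mistaken for "nothing to check"
            LOG.fine("Saml validator suite not registered: " + schemaSuiteId + " / " + specSuiteId);
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }
        try {
            schemaValidators.validate(samlObject);
            specValidators.validate(samlObject);
        } catch (ValidationException e) {
            LOG.fine("Saml Validation error: " + e.getMessage());
            // Keep the original exception as the cause so the rejection can be diagnosed
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e);
        }
    }
```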

Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/Saml2CallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/Saml2CallbackHandler.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/Saml2CallbackHandler.java
(original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/bearer/Saml2CallbackHandler.java
Tue Jan 24 17:34:49 2012
@@ -57,7 +57,7 @@ public class Saml2CallbackHandler implem
                     attrBean.setSubject(subjectBean);
                 }
                 AttributeBean attributeBean = new AttributeBean();
-                attributeBean.setSimpleName("role");
+                attributeBean.setQualifiedName("role");
                 attributeBean.setAttributeValues(Collections.singletonList("user"));
                 attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));

Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java
(original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java
Tue Jan 24 17:34:49 2012
@@ -64,7 +64,7 @@ public class Saml2CallbackHandler implem
                     attrBean.setSubject(subjectBean);
                 }
                 AttributeBean attributeBean = new AttributeBean();
-                attributeBean.setSimpleName("role");
+                attributeBean.setQualifiedName("role");
                 attributeBean.setAttributeValues(Collections.singletonList("user"));
                 attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));

Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
(original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
Tue Jan 24 17:34:49 2012
@@ -38,6 +38,7 @@ import org.apache.cxf.rs.security.saml.a
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.saml.ext.SAMLCallback;
+import org.apache.ws.security.saml.ext.bean.ActionBean;
 import org.apache.ws.security.saml.ext.bean.AttributeBean;
 import org.apache.ws.security.saml.ext.bean.AttributeStatementBean;
 import org.apache.ws.security.saml.ext.bean.AuthDecisionStatementBean;
@@ -121,6 +122,10 @@ public class SamlCallbackHandler impleme
                 
                 AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
                 authDecBean.setDecision(Decision.INDETERMINATE);
+                authDecBean.setResource("https://sp.example.com/SAML2");
+                ActionBean actionBean = new ActionBean();
+                actionBean.setContents("Read");
+                authDecBean.setActions(Collections.singletonList(actionBean));
                 callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));
                 
                 AuthenticationStatementBean authBean = new AuthenticationStatementBean();
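Review bot: The `ActionBean` built on the added lines sets only its contents, while the fixture change in this same commit adds a `Namespace` attribute to `saml2:Action` in order to satisfy the schema; unless `ActionBean` supplies a default action namespace, the assertion this handler produces would still lack that attribute, which is worth confirming and, if so, setting the namespace explicitly next to `actionBean.setContents("Read");`. The enclosing method starts and ends outside the hunk.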
@@ -154,6 +159,7 @@ public class SamlCallbackHandler impleme
                 }
                 
                 AttributeBean authClaim = new AttributeBean();
+                authClaim.setSimpleName("http://claims/authentication");
                 authClaim.setQualifiedName("http://claims/authentication");
                 authClaim.setNameFormat("http://claims/authentication-format");
                 authClaim.setAttributeValues(authMethods);

Modified: cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java
(original)
+++ cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java
Tue Jan 24 17:34:49 2012
@@ -90,7 +90,12 @@ public class SamlCallbackHandler impleme
                 attrBean.setSubject(subjectBean);
                 
                 AttributeBean attributeBean = new AttributeBean();
-                attributeBean.setSimpleName("subject-role");
+                if (saml2) {
+                    attributeBean.setQualifiedName("subject-role");
+                } else {
+                    attributeBean.setSimpleName("subject-role");
+                    attributeBean.setQualifiedName("http://custom-ns");
+                }
                 attributeBean.setAttributeValues(Collections.singletonList("system-user"));
                 attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java?rev=1235369&r1=1235368&r2=1235369&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
Tue Jan 24 17:34:49 2012
@@ -93,7 +93,12 @@ public class SamlCallbackHandler impleme
                 attrBean.setSubject(subjectBean);
                 
                 AttributeBean attributeBean = new AttributeBean();
-                attributeBean.setSimpleName("subject-role");
+                if (saml2) {
+                    attributeBean.setQualifiedName("subject-role");
+                } else {
+                    attributeBean.setSimpleName("subject-role");
+                    attributeBean.setQualifiedName("http://custom-ns");
+                }
                 attributeBean.setAttributeValues(Collections.singletonList("system-user"));
                 attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));


