Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 17960CE26 for ; Fri, 25 May 2012 11:51:44 +0000 (UTC) Received: (qmail 78417 invoked by uid 500); 25 May 2012 11:51:43 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 78286 invoked by uid 500); 25 May 2012 11:51:42 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 78266 invoked by uid 99); 25 May 2012 11:51:41 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 25 May 2012 11:51:41 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 25 May 2012 11:51:37 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 7C7212388865; Fri, 25 May 2012 11:51:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1342584 - in /cxf/trunk/rt/rs/security: sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/ xml/src/main/java/org/apache/cxf/rs/security/saml/ Date: Fri, 25 May 2012 11:51:15 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120525115115.7C7212388865@eris.apache.org> Author: coheigea Date: Fri May 25 11:51:14 2012 New Revision: 1342584 URL: http://svn.apache.org/viewvc?rev=1342584&view=rev Log: Changing POST binding not to use Deflate encoding by default + changing deflate encoder to also support gzip Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java?rev=1342584&r1=1342583&r2=1342584&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java (original) +++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java Fri May 25 11:51:14 2012 
@@ -40,13 +40,11 @@ import org.w3c.dom.Element; import org.apache.cxf.common.i18n.BundleUtils; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.security.SimplePrincipal; -import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.jaxrs.ext.RequestHandler; import org.apache.cxf.jaxrs.impl.HttpHeadersImpl; import org.apache.cxf.jaxrs.impl.UriInfoImpl; import org.apache.cxf.message.Message; -import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder; import org.apache.cxf.rs.security.saml.SAMLUtils; import org.apache.cxf.rs.security.saml.assertion.Subject; import org.apache.cxf.rs.security.saml.sso.state.RequestState; @@ -54,7 +52,6 @@ import org.apache.cxf.rs.security.saml.s import org.apache.cxf.security.SecurityContext; import org.apache.ws.security.saml.ext.AssertionWrapper; import org.apache.ws.security.saml.ext.OpenSAMLUtil; -import org.apache.ws.security.util.DOM2Writer; import org.opensaml.saml2.core.AuthnRequest; public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler @@ -229,16 +226,6 @@ public abstract class AbstractServicePro return responseState; } - protected String deflateEncodeAuthnRequest(Element authnRequestElement) - throws IOException { - String requestMessage = DOM2Writer.nodeToString(authnRequestElement); - - DeflateEncoderDecoder encoder = new DeflateEncoderDecoder(); - byte[] deflatedBytes = encoder.deflateToken(requestMessage.getBytes("UTF-8")); - - return Base64Utility.encode(deflatedBytes); - } - protected SamlRequestInfo createSamlRequestInfo(Message m) throws Exception { Document doc = DOMUtils.createDocument(); doc.appendChild(doc.createElement("root")); 
@@ -252,7 +239,7 @@ public abstract class AbstractServicePro signAuthnRequest(authnRequest); } Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc); - String authnRequestEncoded = deflateEncodeAuthnRequest(authnRequestElement); + String authnRequestEncoded = encodeAuthnRequest(authnRequestElement); SamlRequestInfo info = new SamlRequestInfo(); info.setSamlRequest(authnRequestEncoded); @@ -277,6 +264,8 @@ public abstract class AbstractServicePro return info; } + protected abstract String encodeAuthnRequest(Element authnRequest) throws IOException; + protected abstract void signAuthnRequest(AuthnRequest authnRequest) throws Exception; private String getAbsoluteAssertionServiceAddress(Message m) { Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1342584&r1=1342583&r2=1342584&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original) +++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Fri May 25 11:51:14 2012 @@ -23,7 +23,6 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.io.UnsupportedEncodingException; import java.net.URI; -import java.net.URLDecoder; import java.util.Date; import java.util.ResourceBundle; import java.util.UUID; 
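Review bot: The new `protected abstract String encodeAuthnRequest(Element authnRequest) throws IOException;` carries no Javadoc, so a subclass author cannot tell from the base class what form the returned string must take, even though the two implementations in this commit differ (always DEFLATE then Base64 for HTTP-Redirect, plain Base64 by default for HTTP-POST). Suggested Javadoc: `/** Serializes the AuthnRequest and encodes it for this binding's SAMLRequest parameter; returns Base64 text, DEFLATE-compressed first where the binding requires it (HTTP-Redirect). */`. The `getAbsoluteAssertionServiceAddress(Message m)` context line at the end of the hunk opens a method whose body lies outside it, and `createSamlRequestInfo` in the preceding hunk likewise continues beyond what is shown.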
@@ -112,28 +111,29 @@ public class RequestAssertionConsumerSer @Produces(MediaType.APPLICATION_FORM_URLENCODED) public Response processSamlResponse(@FormParam(SSOConstants.SAML_RESPONSE) String encodedSamlResponse, @FormParam(SSOConstants.RELAY_STATE) String relayState) { - return doProcessSamlResponse(encodedSamlResponse, relayState); + return doProcessSamlResponse(encodedSamlResponse, relayState, true); } @GET public Response getSamlResponse(@QueryParam(SSOConstants.SAML_RESPONSE) String encodedSamlResponse, @QueryParam(SSOConstants.RELAY_STATE) String relayState) { - return doProcessSamlResponse(encodedSamlResponse, relayState); + return doProcessSamlResponse(encodedSamlResponse, relayState, false); } protected Response doProcessSamlResponse(String encodedSamlResponse, - String relayState) { + String relayState, + boolean postBinding) { RequestState requestState = processRelayState(relayState); URI targetURI = getTargetURI(requestState.getTargetAddress()); org.opensaml.saml2.core.Response samlResponse = - readSAMLResponse(true, encodedSamlResponse); + readSAMLResponse(postBinding, encodedSamlResponse); // Validate the Response validateSamlResponseProtocol(samlResponse); SSOValidatorResponse validatorResponse = - validateSamlSSOResponse(true, samlResponse, requestState); + validateSamlSSOResponse(postBinding, samlResponse, requestState); // Set the security context String securityContextKey = UUID.randomUUID().toString(); @@ -197,6 +197,7 @@ public class RequestAssertionConsumerSer } String samlResponseDecoded = samlResponse; + /* // URL Decoding only applies for the re-direct binding if (!postBinding) { try { 
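Review bot: `doProcessSamlResponse` gains a positional boolean `postBinding` that is passed straight through to `readSAMLResponse` and `validateSamlSSOResponse`, but neither the parameter nor its effect is documented, and the bare `true`/`false` at the two call sites do not say which binding they select. A `@param postBinding true when the response arrived via the HTTP-POST binding (Base64 only), false for HTTP-Redirect (Base64 of DEFLATE)` line in the method Javadoc would make the intent visible where it is read. If any subclass outside this file overrides the old two-argument signature, it would silently stop being called; a two-argument overload delegating with `true` would preserve that, should such overrides exist. The method body continues beyond the end of the hunk.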
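Review bot: The URL-decoding block starting at `// URL Decoding only applies for the re-direct binding` is disabled by wrapping it in `/* ... */` (closed by the `*/` added in the following hunk at -205) rather than deleted, leaving dead code that the removal of the `URLDecoder` import elsewhere in this commit already makes uncompilable if ever re-enabled. Commented-out code should be removed outright; version control keeps the history, and a one-line comment such as `// No URL decoding here: the query parameter is already decoded by the time it reaches this method` (if that is the reason, which the hunk does not state) records the decision. The enclosing method (apparently `readSAMLResponse`) begins before this hunk and ends after it.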
@@ -205,11 +206,12 @@ public class RequestAssertionConsumerSer throw new WebApplicationException(400); } } + */ InputStream tokenStream = null; if (isSupportBase64Encoding()) { try { byte[] deflatedToken = Base64Utility.decode(samlResponseDecoded); - tokenStream = isSupportDeflateEncoding() + tokenStream = !postBinding && isSupportDeflateEncoding() ? new DeflateEncoderDecoder().inflateToken(deflatedToken) : new ByteArrayInputStream(deflatedToken); } catch (Base64Exception ex) { Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java?rev=1342584&r1=1342583&r2=1342584&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java (original) +++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java Fri May 25 11:51:14 2012 @@ -18,6 +18,7 @@ */ package org.apache.cxf.rs.security.saml.sso; +import java.io.IOException; import java.security.PrivateKey; import java.security.cert.X509Certificate; 
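Review bot: In the `tokenStream = !postBinding && isSupportDeflateEncoding()` branch the POST path now wraps the plain Base64 output in a `ByteArrayInputStream`, so the local named `deflatedToken` no longer holds deflated data in that case; `byte[] decodedToken = Base64Utility.decode(samlResponseDecoded);` with the two uses renamed would keep the name honest. The condition also makes the binding flag, not configuration alone, decide whether the Base64-decoded request data is handed to `inflateToken`; that is the spec-conformant choice for HTTP-POST and deserves a short comment, since `isSupportDeflateEncoding()` still reads as if it were the only switch. The enclosing method begins and ends outside the hunk.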
@@ -26,14 +27,19 @@ import javax.ws.rs.WebApplicationExcepti import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; +import org.w3c.dom.Element; + +import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.jaxrs.ext.MessageContextImpl; import org.apache.cxf.jaxrs.model.ClassResourceInfo; import org.apache.cxf.message.Message; +import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder; import org.apache.ws.security.WSPasswordCallback; import org.apache.ws.security.WSSecurityException; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.components.crypto.CryptoType; import org.apache.ws.security.saml.ext.OpenSAMLUtil; +import org.apache.ws.security.util.DOM2Writer; import org.opensaml.common.SignableSAMLObject; import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.xml.security.x509.BasicX509Credential; @@ -44,6 +50,12 @@ import org.opensaml.xml.signature.Signat public class SamlPostBindingFilter extends AbstractServiceProviderFilter { + private boolean useDeflateEncoding; + + public void setUseDeflateEncoding(boolean useDeflateEncoding) { + this.useDeflateEncoding = useDeflateEncoding; + } + public Response handleRequest(Message m, ClassResourceInfo resourceClass) { if (checkSecurityContext(m)) { return null; 
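Review bot: `setUseDeflateEncoding` is a public configuration knob with no Javadoc, and the field it sets defaults to `false`, which is precisely the behaviour change this commit makes for the HTTP-POST binding. Suggested Javadoc on the setter: `/** Whether to DEFLATE the AuthnRequest before Base64-encoding it. The HTTP-POST binding does not compress, so leave this false (the default) unless the IdP requires it. */`. A matching `isUseDeflateEncoding()` getter would let tests and configuration code read the value back. The `handleRequest` body that follows continues outside the hunk.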
@@ -76,6 +88,21 @@ public class SamlPostBindingFilter exten } } + protected String encodeAuthnRequest(Element authnRequest) throws IOException { + String requestMessage = DOM2Writer.nodeToString(authnRequest); + + byte[] deflatedBytes = null; + // Not correct according to the spec but required by some IDPs. + if (useDeflateEncoding) { + DeflateEncoderDecoder encoder = new DeflateEncoderDecoder(); + deflatedBytes = encoder.deflateToken(requestMessage.getBytes("UTF-8")); + } else { + deflatedBytes = requestMessage.getBytes("UTF-8"); + } + + return Base64Utility.encode(deflatedBytes); + } + protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception { Crypto crypto = getSignatureCrypto(); if (crypto == null) { Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java?rev=1342584&r1=1342583&r2=1342584&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java (original) +++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java Fri May 25 11:51:14 2012 @@ -18,6 +18,7 @@ */ package org.apache.cxf.rs.security.saml.sso; +import java.io.IOException; import java.net.URLEncoder; import java.security.PrivateKey; import java.security.Signature; 
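Review bot: In `encodeAuthnRequest`, `deflatedBytes` is initialised to `null` only to be assigned on both branches, and in the `else` branch it holds the uncompressed UTF-8 bytes, so the name misleads; `byte[] payload = requestMessage.getBytes("UTF-8");` / `if (useDeflateEncoding) { payload = new DeflateEncoderDecoder().deflateToken(payload); }` / `return Base64Utility.encode(payload);` says the same thing in three lines with a single `getBytes` call. The method also lacks Javadoc; a sentence noting that the HTTP-POST binding expects plain Base64 and that `useDeflateEncoding` is an IdP-compatibility override would carry the intent of the inline `// Not correct according to the spec` comment to API readers. The `signAuthnRequest` body that follows continues outside the hunk.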
@@ -28,13 +29,18 @@ import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; +import org.w3c.dom.Element; + +import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.jaxrs.model.ClassResourceInfo; import org.apache.cxf.message.Message; +import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder; import org.apache.ws.security.WSPasswordCallback; import org.apache.ws.security.WSSecurityException; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.components.crypto.CryptoType; import org.apache.ws.security.util.Base64; +import org.apache.ws.security.util.DOM2Writer; import org.opensaml.saml2.core.AuthnRequest; public class SamlRedirectBindingFilter extends AbstractServiceProviderFilter { @@ -77,6 +83,15 @@ public class SamlRedirectBindingFilter e // Do nothing as we sign the request in a different way for the redirect binding } + protected String encodeAuthnRequest(Element authnRequest) throws IOException { + String requestMessage = DOM2Writer.nodeToString(authnRequest); + + DeflateEncoderDecoder encoder = new DeflateEncoderDecoder(); + byte[] deflatedBytes = encoder.deflateToken(requestMessage.getBytes("UTF-8")); + + return Base64Utility.encode(deflatedBytes); + } + /** * Sign a request according to the redirect binding spec for Web SSO */ Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java?rev=1342584&r1=1342583&r2=1342584&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java (original) +++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java Fri May 25 11:51:14 2012 
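Review bot: This `encodeAuthnRequest` is a verbatim copy of the `deflateEncodeAuthnRequest` method deleted from `AbstractServiceProviderFilter` in this commit, and `SamlPostBindingFilter` repeats the same DOM2Writer, deflate, Base64 sequence in its `useDeflateEncoding` branch. Keeping one protected helper in the base class (for example `protected String deflateAndEncode(Element authnRequest) throws IOException`) and having both bindings call it would remove the duplication that the move to an abstract method introduced. The method has no Javadoc while the one that follows it does; a line stating that HTTP-Redirect always DEFLATEs because the binding requires it would keep the class consistent. The class continues past the end of the hunk.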
@@ -28,11 +28,10 @@ import java.util.zip.Inflater; public class DeflateEncoderDecoder { public InputStream inflateToken(byte[] deflatedToken) throws DataFormatException { - Inflater inflater = new Inflater(); + Inflater inflater = new Inflater(true); inflater.setInput(deflatedToken); byte[] input = new byte[deflatedToken.length * 2]; - int inflatedLen = 0; int inputLen = 0; byte[] inflatedToken = input; @@ -53,7 +52,7 @@ public class DeflateEncoderDecoder { } public byte[] deflateToken(byte[] tokenBytes) { - Deflater compresser = new Deflater(); + Deflater compresser = new Deflater(Deflater.DEFLATED, true); compresser.setInput(tokenBytes); compresser.finish();
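Review bot: `new Inflater(true)` switches to raw DEFLATE input, but the JDK Javadoc for the `nowrap` mode states that an extra dummy byte must be supplied as input, and `inflater.setInput(deflatedToken)` passes the decoded bytes unchanged; unless the loop that follows (outside the hunk) copes with a premature `needsInput()`, inflation of a valid token can stop early, so consider `inflater.setInput(Arrays.copyOf(deflatedToken, deflatedToken.length + 1));`. The log message speaks of gzip support, yet `nowrap` only drops the zlib header and checksum: a gzip-framed payload (gzip header and trailer) is still not parsed by `Inflater`, so the description may overstate what changed. Because `inflateToken` receives attacker-controlled bytes decoded from a request parameter, the growth of `inflatedToken` in the loop should be bounded by a fixed maximum rather than only seeded from `deflatedToken.length * 2`, if it is not already. In the second hunk, which runs past this excerpt, `new Deflater(Deflater.DEFLATED, true)` passes the compression-method constant (value 8) where the constructor expects a compression level; it works only because 8 is also a legal level, and `Deflater.DEFAULT_COMPRESSION` is presumably what was meant.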