From cohei...@apache.org
Subject svn commit: r1346450 - in /cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso: RequestAssertionConsumerService.java SAMLSSOResponseValidator.java
Date Tue, 05 Jun 2012 16:01:06 GMT
Author: coheigea
Date: Tue Jun  5 16:01:05 2012
New Revision: 1346450

URL: http://svn.apache.org/viewvc?rev=1346450&view=rev
Log:
Making it possible to relax the Issuer checking in the RequestAssertionConsumerService

Modified:
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1346450&r1=1346449&r2=1346450&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Tue Jun  5 16:01:05 2012
@@ -68,6 +68,7 @@ public class RequestAssertionConsumerSer
     private boolean supportDeflateEncoding = true;
     private boolean supportBase64Encoding = true;
     private boolean enforceAssertionsSigned = true;
+    private boolean enforceKnownIssuer = true;
     private TokenReplayCache<String> replayCache;
 
     private MessageContext messageContext;
@@ -102,6 +103,14 @@ public class RequestAssertionConsumerSer
         this.enforceAssertionsSigned = enforceAssertionsSigned;
     }
     
+    /**
+     * Enforce that the Issuer of the received Response/Assertion is known to this RACS.
The
+     * default is true.
+     */
+    public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
+        this.enforceKnownIssuer = enforceKnownIssuer;
+    }
+    
     public void setSupportBase64Encoding(boolean supportBase64Encoding) {
         this.supportBase64Encoding = supportBase64Encoding;
     }
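Review bot: The Javadoc on setEnforceKnownIssuer (L40-L44) says the Issuer must be "known to this RACS" but does not tell a deployer what turning the flag off actually removes: from the validator hunk in SAMLSSOResponseValidator.java, disabling it skips the only comparison of the Response's Issuer against the configured IdP issuer, so nothing in this class ties the Response to a particular IdP any more. That is worth stating next to the default, e.g. `* When false the Issuer element is not compared against the IdP issuer at all; the binding to a trusted IdP then rests on signature validation (see setEnforceAssertionsSigned), so only disable this when the IdP identifier is legitimately unknown in advance.` The same wording applies to the setter added in the SAMLSSOResponseValidator.java hunk at @@ -55,6 +56,13 @@. Both setters sit inside classes whose bodies continue outside the hunks.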
@@ -293,6 +302,7 @@ public class RequestAssertionConsumerSer
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
             ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
             ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
+            ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
             ssoResponseValidator.setReplayCache(getReplayCache());
 
             return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1346450&r1=1346449&r2=1346450&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Tue Jun  5 16:01:05 2012
@@ -45,6 +45,7 @@ public class SAMLSSOResponseValidator {
     private String requestId;
     private String spIdentifier;
     private boolean enforceAssertionsSigned = true;
+    private boolean enforceKnownIssuer = true;
     private TokenReplayCache<String> replayCache;
     
     /**
@@ -55,6 +56,13 @@ public class SAMLSSOResponseValidator {
     }
     
     /**
+     * Enforce that the Issuer of the received Response/Assertion is known. The default is
true.
+     */
+    public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
+        this.enforceKnownIssuer = enforceKnownIssuer;
+    }
+    
+    /**
      * Validate a SAML 2 Protocol Response
      * @param samlResponse
      * @param postBinding
@@ -142,7 +150,7 @@ public class SAMLSSOResponseValidator {
         }
         
         // Issuer value must match (be contained in) Issuer IDP
-        if (!issuerIDP.startsWith(issuer.getValue())) {
+        if (enforceKnownIssuer && !issuerIDP.startsWith(issuer.getValue())) {
             LOG.fine("Issuer value: " + issuer.getValue() + " does not match issuer IDP:
" 
                 + issuerIDP);
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
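Review bot: With enforceKnownIssuer set to false the new condition at the `if` simply falls through, and nothing is logged, so an operator reading the logs of a deployment that has relaxed this check cannot tell that the Issuer comparison was bypassed for a given Response; I would make the skip explicit, e.g. `if (!enforceKnownIssuer) { LOG.fine("Issuer check disabled; not comparing Issuer " + issuer.getValue() + " against IDP " + issuerIDP); } else if (!issuerIDP.startsWith(issuer.getValue())) {`. Separately, the retained comparison is a prefix match (`issuerIDP.startsWith(issuer.getValue())`), so even with the flag on an Issuer value that is merely a leading substring of the configured IdP identifier passes; unless the Issuer is compared exactly elsewhere in this class, which the hunk does not show, an `equals` comparison would be the stricter default. The enclosing validate method starts and ends outside the hunk.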


