Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CCD23C044 for ; Tue, 10 Jul 2012 10:40:27 +0000 (UTC) Received: (qmail 53474 invoked by uid 500); 10 Jul 2012 10:40:27 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 53338 invoked by uid 500); 10 Jul 2012 10:40:26 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 53311 invoked by uid 99); 10 Jul 2012 10:40:25 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Jul 2012 10:40:25 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Jul 2012 10:40:23 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 5C033238889B; Tue, 10 Jul 2012 10:40:02 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1359583 - in /cxf/branches/2.4.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-security/src/test/java/org/apache/cxf/sy... Date: Tue, 10 Jul 2012 10:40:02 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120710104002.5C033238889B@eris.apache.org> Author: coheigea Date: Tue Jul 10 10:40:01 2012 New Revision: 1359583 URL: http://svn.apache.org/viewvc?rev=1359583&view=rev Log: Merged revisions 1359575 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.5.x-fixes ........ r1359575 | coheigea | 2012-07-10 11:25:52 +0100 (Tue, 10 Jul 2012) | 18 lines Merged revisions 1359568 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes ........ r1359568 | coheigea | 2012-07-10 11:10:57 +0100 (Tue, 10 Jul 2012) | 10 lines Merged revisions 1359554 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1359554 | coheigea | 2012-07-10 10:56:30 +0100 (Tue, 10 Jul 2012) | 2 lines [CXF-4414] - SecurityPolicy validation fails when a KeyValue is used as an EndorsingSupportingToken ........ ........ ........ Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1359583&r1=1359582&r2=1359583&view=diff ============================================================================== --- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original) +++ 
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Tue Jul 10 10:40:01 2012
@@ -567,14 +567,14 @@ public abstract class AbstractSupporting
 X509Certificate cert = (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
 byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ PublicKey publicKey =
+ (PublicKey)result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
 // Now see if the same credential exists in the tokenResult list
 for (WSSecurityEngineResult token : tokenResult) {
 Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
 BinarySecurity binarySecurity = (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- PublicKey publicKey =
- (PublicKey)token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
 if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
 X509Certificate foundCert =
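Review bot: Moving `publicKey` out of the loop changes what the name refers to: it is now the key of the `result` being matched (next to `cert` and `secret`) instead of the key of each supporting token, yet it keeps the same name and stays in scope for the whole loop body. The loop body between this hunk and the next (old lines 581–589) is not shown; if any of it still referenced the per-token `publicKey` removed here, it would now compile against the hoisted variable and silently compare the wrong key — worth confirming. A one-line comment on the new declaration, `// public key of the result being matched (if it was carried as a raw key rather than a certificate)`, would make the new meaning explicit; the second half of that comment is an inference from the three lookups and should be checked. The enclosing method starts before and ends after this hunk.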
@@ -590,10 +590,10 @@ public abstract class AbstractSupporting
 if (samlKeyInfo != null) {
 X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
 byte[] subjectSecretKey = samlKeyInfo.getSecret();
- if (cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) {
- return true;
- }
- if (subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret)) {
+ PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
+ if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0]))
+ || (subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret))
+ || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
 return true;
 }
 }
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1359583&r1=1359582&r2=1359583&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Tue Jul 10 10:40:01 2012
@@ -33,6 +33,7 @@ import org.apache.cxf.bus.spring.SpringB
 import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
 import org.apache.cxf.systest.ws.saml.server.Server;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.ws.security.saml.ext.builder.SAML2Constants;
 import org.example.contract.doubleit.DoubleItPortType;
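Review bot: The new clause `subjectPublicKey.equals(publicKey)` in the first hunk relies on the JCA provider's `PublicKey.equals`, which the `java.security.Key` contract does not require to be structural, so two keys with identical encodings produced by different providers may compare unequal and a legitimate KeyValue endorsing token would be rejected; comparing encodings is provider-independent: `|| (subjectPublicKey != null && publicKey != null && Arrays.equals(subjectPublicKey.getEncoded(), publicKey.getEncoded()))`. The first clause is re-emitted with `subjectCerts[0]` and no length check, so an empty array from `samlKeyInfo.getCerts()` would throw rather than fail the match; adding `subjectCerts.length > 0` to that clause closes it. The secret comparison on the same condition, `Arrays.equals(subjectSecretKey, secret)`, is not constant-time — `MessageDigest.isEqual` would be the usual choice for key material, though that predates this commit. The enclosing method starts before and ends after the hunk.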
@@ -375,6 +376,36 @@ public class SamlTokenTest extends Abstr
 }
 @org.junit.Test
+ public void testSaml2EndorsingPKOverTransport() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2EndorsingTransportPort");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml2Port, PORT2);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+ callbackHandler.setKeyInfoIdentifier(CERT_IDENTIFIER.KEY_VALUE);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ int result = saml2Port.doubleIt(25);
+ assertTrue(result == 50);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
 public void testSaml2EndorsingOverTransportSP11() throws Exception {
 SpringBusFactory bf = new SpringBusFactory();
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java?rev=1359583&r1=1359582&r2=1359583&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java Tue Jul 10 10:40:01 2012
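Review bot: `assertTrue(result == 50)` in the new `testSaml2EndorsingPKOverTransport` reports only a bare AssertionError when the round trip returns something else; `assertEquals(50, result)` (static import of `org.junit.Assert.assertEquals` if the class does not already have it) shows expected and actual. `bus.shutdown(true)` at the end of the method is skipped whenever `doubleIt` or the port setup throws, which matches the neighbouring tests but leaves the bus alive for the rest of the run on failure; wrapping the body from `Bus bus = ...` onward in `try { ... } finally { bus.shutdown(true); }` would release it on both paths. A one-line Javadoc stating what the test covers, e.g. `/** Holder-of-key SAML2 endorsing token whose KeyInfo carries a KeyValue rather than an X.509 certificate (CXF-4414). */`, would tie the test to the fix.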
@@ -46,6 +46,7 @@ import org.opensaml.common.SAMLVersion;
 public class SamlCallbackHandler implements CallbackHandler {
 private boolean saml2 = true;
 private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+ private CERT_IDENTIFIER keyInfoIdentifier = CERT_IDENTIFIER.X509_CERT;
 public SamlCallbackHandler() {
 //
@@ -59,6 +60,10 @@ public class SamlCallbackHandler impleme
 this.confirmationMethod = confirmationMethod;
 }
+ public void setKeyInfoIdentifier(CERT_IDENTIFIER keyInfoIdentifier) {
+ this.keyInfoIdentifier = keyInfoIdentifier;
+ }
+
 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 for (int i = 0; i < callbacks.length; i++) {
 if (callbacks[i] instanceof SAMLCallback) {
@@ -114,8 +119,12 @@ public class SamlCallbackHandler impleme
 X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
 KeyInfoBean keyInfo = new KeyInfoBean();
- keyInfo.setCertificate(certs[0]);
- keyInfo.setCertIdentifer(CERT_IDENTIFIER.X509_CERT);
+ keyInfo.setCertIdentifer(keyInfoIdentifier);
+ if (keyInfoIdentifier == CERT_IDENTIFIER.X509_CERT) {
+ keyInfo.setCertificate(certs[0]);
+ } else if (keyInfoIdentifier == CERT_IDENTIFIER.KEY_VALUE) {
+ keyInfo.setPublicKey(certs[0].getPublicKey());
+ }
 return keyInfo;
 }
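Review bot: In the last hunk (`@@ -114,8 +119,12 @@`), an identifier other than `X509_CERT` or `KEY_VALUE` — including a null passed through the new `setKeyInfoIdentifier` — returns a `KeyInfoBean` with the identifier set but neither certificate nor public key, so the test would fail later with an unrelated-looking error; a final `else { throw new IllegalArgumentException("Unsupported KeyInfo identifier: " + keyInfoIdentifier); }` makes the gap explicit. The setter in the second hunk could reject null at the source with `this.keyInfoIdentifier = Objects.requireNonNull(keyInfoIdentifier, "keyInfoIdentifier");`. Both `certs[0]` accesses assume `crypto.getX509Certificates(cryptoType)` returned at least one entry, which the hunk does not check; that predates the commit. The method containing the last hunk starts outside it.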