From cohei...@apache.org
Subject svn commit: r1414251 - in /cxf/branches/2.6.x-fixes/rt/ws/security/src: main/java/org/apache/cxf/ws/security/ main/java/org/apache/cxf/ws/security/wss4j/ main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ test/java/org/apache/cxf/ws/security/...
Date Tue, 27 Nov 2012 16:36:14 GMT
Author: coheigea
Date: Tue Nov 27 16:36:13 2012
New Revision: 1414251

URL: http://svn.apache.org/viewvc?rev=1414251&view=rev
Log:
[CXF-4655] - Enforce SAML SubjectConfirmation requirements for the non WS-SecurityPolicy case

Modified:
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1414251&r1=1414250&r2=1414251&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Tue Nov 27 16:36:13 2012
@@ -25,7 +25,8 @@ import java.util.HashSet;
 import java.util.Set;
 
 /**
- * Configuration tags used to configure the WS-SecurityPolicy layer.
+ * Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also

+ * used by the non WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors.
  */
 public final class SecurityConstants {
     
@@ -174,6 +175,14 @@ public final class SecurityConstants {
      */
     public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
     
+    /**
+     * Whether to validate the SubjectConfirmation requirements of a received SAML Token
+     * (sender-vouches or holder-of-key). The default is false (for backwards
+     * compatibility reasons).
+     */
+    public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = 
+        "ws-security.validate.saml.subject.conf";
+    
     //
     // Non-boolean WS-Security Configuration parameters
     //
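Review bot: The Javadoc for VALIDATE_SAML_SUBJECT_CONFIRMATION states the default but not its consequence, which is the part an operator of a fixes branch needs: with the flag left at false, the WSS4JInInterceptor path accepts a sender-vouches or holder-of-key assertion without checking that its subject credential signed the message, or that the assertion and the SOAP Body are covered by the same signature. Suggest adding a sentence such as `When false, no SubjectConfirmation check is performed on a received assertion in the non WS-SecurityPolicy case; the WS-SecurityPolicy validators are not affected by this property.` The first sentence could also name the property's effect on failure, since validateSAMLResults rejects the message with a WSSecurityException rather than merely logging.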

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1414251&r1=1414250&r2=1414251&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
Tue Nov 27 16:36:13 2012
@@ -19,20 +19,41 @@
 
 package org.apache.cxf.ws.security.wss4j;
 
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.logging.Logger;
 
 import org.w3c.dom.Element;
 
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.util.WSSecurityUtil;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.xml.XMLObject;
 
 /**
  * internal SAMLUtils to avoid direct reference to opensaml from WSS4J interceptors.
  */
-final class SAMLUtils {
+public final class SAMLUtils {
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class);
+    
     private SAMLUtils() {
     }
     
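Review bot: The class is widened to public so that the policyvalidators package can call it, but the Javadoc above it still reads "internal SAMLUtils to avoid direct reference to opensaml from WSS4J interceptors", which no longer describes its audience. Suggest `Utility methods for validating received SAML assertions (holder-of-key and sender-vouches checks), shared by the WSS4J interceptors and the WS-SecurityPolicy validators; OpenSAML access is kept here so the interceptors do not reference it directly.` The added Logger field is only used by validateSAMLResults and is fine as is.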
@@ -119,5 +140,214 @@ final class SAMLUtils {
         }
         return Collections.unmodifiableList(roles);
     }
+    
+    public static void validateSAMLResults(
+        List<WSSecurityEngineResult> results,
+        Message message,
+        Element body
+    ) throws WSSecurityException {
+        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
+        
+        if (samlResults.isEmpty()) {
+            return;
+        }
+        
+        List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_SIGN, signedResults);
+        
+        for (WSSecurityEngineResult samlResult : samlResults) {
+            AssertionWrapper assertionWrapper = 
+                (AssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            
+            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+            Certificate[] tlsCerts = null;
+            if (tlsInfo != null) {
+                tlsCerts = tlsInfo.getPeerCertificates();
+            }
+            if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+                LOG.warning("Assertion fails holder-of-key requirements");
+                throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+            }
+            if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults))
{
+                LOG.warning("Assertion fails sender-vouches requirements");
+                throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+            }
+        }
+        
+    }
+    
+    /**
+     * Check the holder-of-key requirements against the received assertion. The subject
+     * credential of the SAML Assertion must have been used to sign some portion of
+     * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
+     * the subject credential of the SAML Assertion must match a client certificate credential
+     * when 2-way TLS is used.
+     * @param assertionWrapper the SAML Assertion wrapper object
+     * @param signedResults a list of all of the signed results
+     */
+    public static boolean checkHolderOfKey(
+        AssertionWrapper assertionWrapper,
+        List<WSSecurityEngineResult> signedResults,
+        Certificate[] tlsCerts
+    ) {
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+                if (tlsCerts == null && (signedResults == null || signedResults.isEmpty()))
{
+                    return false;
+                }
+                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
+     * used to verify signatures.
+     * Return true on a match
+     * @param subjectKeyInfo the SAMLKeyInfo object
+     * @param signedResults a list of all of the signed results
+     * @return true if the credentials of the assertion were used to verify a signature
+     */
+    public static boolean compareCredentials(
+        SAMLKeyInfo subjectKeyInfo,
+        List<WSSecurityEngineResult> signedResults,
+        Certificate[] tlsCerts
+    ) {
+        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+        byte[] subjectSecretKey = subjectKeyInfo.getSecret();
+        
+        //
+        // Try to match the TLS certs first
+        //
+        if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts !=
null 
+            && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0]))
{
+            return true;
+        } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey
!= null
+            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+            return true;
+        }
+        
+        //
+        // Now try the message-level signatures
+        //
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            X509Certificate[] certs =
+                (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+            PublicKey publicKey =
+                (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+            byte[] secretKey =
+                (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
+            if (certs != null && certs.length > 0 && subjectCerts != null
+                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0]))
{
+                return true;
+            }
+            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
+                return true;
+            }
+            if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    private static boolean checkSecretKey(
+        byte[] secretKey,
+        byte[] subjectSecretKey,
+        WSSecurityEngineResult signedResult
+    ) {
+        if (secretKey != null && subjectSecretKey != null) {
+            if (Arrays.equals(secretKey, subjectSecretKey)) {
+                return true;
+            } else {
+                Principal principal =
+                    (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                if (principal instanceof WSDerivedKeyTokenPrincipal) {
+                    secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
+                    if (Arrays.equals(secretKey, subjectSecretKey)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+    
+    /**
+     * Check the sender-vouches requirements against the received assertion. The SAML
+     * Assertion and the SOAP Body must be signed by the same signature.
+     */
+    public static boolean checkSenderVouches(
+        AssertionWrapper assertionWrapper,
+        Certificate[] tlsCerts,
+        Element body,
+        List<WSSecurityEngineResult> signed
+    ) {
+        //
+        // If we have a 2-way TLS connection, then we don't have to check that the
+        // assertion + SOAP body are signed
+        //
+        if (tlsCerts != null && tlsCerts.length > 0) {
+            return true;
+        }
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+                if (signed == null || signed.isEmpty()) {
+                    return false;
+                }
+                if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Return true if there is a signature which references the Assertion and the SOAP Body.
+     * @param assertionWrapper the AssertionWrapper object
+     * @param body The SOAP body
+     * @param signed The List of signed results
+     * @return true if there is a signature which references the Assertion and the SOAP Body.
+     */
+    private static boolean checkAssertionAndBodyAreSigned(
+        AssertionWrapper assertionWrapper,
+        Element body,
+        List<WSSecurityEngineResult> signed
+    ) {
+        for (WSSecurityEngineResult signedResult : signed) {
+            List<WSDataRef> sl =
+                CastUtils.cast((List<?>)signedResult.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                ));
+            boolean assertionIsSigned = false;
+            boolean bodyIsSigned = false;
+            if (sl != null) {
+                for (WSDataRef dataRef : sl) {
+                    Element se = dataRef.getProtectedElement();
+                    if (se == assertionWrapper.getElement()) {
+                        assertionIsSigned = true;
+                    }
+                    if (se == body) {
+                        bodyIsSigned = true;
+                    }
+                    if (assertionIsSigned && bodyIsSigned) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
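Review bot: checkHolderOfKey guards a null signedResults only when tlsCerts is also null, yet compareCredentials iterates signedResults unconditionally once the TLS comparison fails, so a holder-of-key assertion received over 2-way TLS whose subject credential does not match the peer certificate, with a null signed list, ends in a NullPointerException instead of a false. validateSAMLResults always passes a non-null list, but the method is public and is also reached from AbstractSamlPolicyValidator, whose callers are not visible here; a guard before the message-level loop, `if (signedResults == null) { return false; }`, keeps the failure explicit and fail-closed. Separately, `message.get(TLSSessionInfo.class)` in validateSAMLResults does not depend on the loop variable and can be hoisted above the for, and checkSecretKey reassigns its secretKey parameter where a fresh local would read more clearly.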
 
 }

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1414251&r1=1414250&r2=1414251&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Tue Nov 27 16:36:13 2012
@@ -284,7 +284,7 @@ public class WSS4JInInterceptor extends 
 
                 storeSignature(msg, reqData, wsResult);
                 storeTimestamp(msg, reqData, wsResult);
-                checkActions(msg, reqData, wsResult, actions);
+                checkActions(msg, reqData, wsResult, actions, SAAJUtils.getBody(doc));
                 doResults(
                     msg, actor, 
                     SAAJUtils.getHeader(doc),
@@ -313,7 +313,7 @@ public class WSS4JInInterceptor extends 
                               SAAJUtils.getBody(doc),
                               wsResult);
                 } else {
-                    checkActions(msg, reqData, wsResult, actions);
+                    checkActions(msg, reqData, wsResult, actions, SAAJUtils.getBody(doc));
                     doResults(msg, actor,
                               SAAJUtils.getHeader(doc),
                               SAAJUtils.getBody(doc),
@@ -345,7 +345,8 @@ public class WSS4JInInterceptor extends 
         SoapMessage msg, 
         RequestData reqData, 
         List<WSSecurityEngineResult> wsResult, 
-        List<Integer> actions
+        List<Integer> actions,
+        Element body
     ) throws WSSecurityException {
         if (ignoreActions) {
             // Not applicable for the WS-SecurityPolicy case
@@ -367,6 +368,16 @@ public class WSS4JInInterceptor extends 
                 + "SignatureCoverageChecker";
             LOG.warning(warning);
         }
+        
+        // Now check SAML SenderVouches + Holder Of Key requirements
+        boolean validateSAMLSubjectConf = 
+            MessageUtils.getContextualBoolean(
+                msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, false
+            );
+        if (validateSAMLSubjectConf) {
+            SAMLUtils.validateSAMLResults(wsResult, msg, body);
+        }
+        
     }
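Review bot: The new subject-confirmation check sits at the tail of checkActions, whose early return on ignoreActions is visible in the preceding hunk, so it is never reached in the WS-SecurityPolicy case; that appears intended, since SamlTokenPolicyValidator calls the same SAMLUtils methods, but the comment only says what is checked, not why it is correct to skip here. Suggest `// Only reached in the non WS-SecurityPolicy case (ignoreActions returns above); the policy case is covered by SamlTokenPolicyValidator.` Moving the block into a small private method would also keep checkActions focused on the configured actions. The body of checkActions between the two hunks is outside this view.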
     
     private void storeSignature(

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1414251&r1=1414250&r2=1414251&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Tue Nov 27 16:36:13 2012
@@ -19,22 +19,17 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
-import java.security.Principal;
-import java.security.PublicKey;
 import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
 import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
 import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
+import org.apache.cxf.ws.security.wss4j.SAMLUtils;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
 
 /**
  * Some abstract functionality for validating SAML Assertions
@@ -82,19 +77,7 @@ public abstract class AbstractSamlPolicy
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
     ) {
-        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
-        for (String confirmationMethod : confirmationMethods) {
-            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
-                if (tlsCerts == null && (signedResults == null || signedResults.isEmpty()))
{
-                    return false;
-                }
-                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-                if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
-                    return false;
-                }
-            }
-        }
-        return true;
+        return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
     }
 
     /**
@@ -110,65 +93,7 @@ public abstract class AbstractSamlPolicy
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
     ) {
-        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
-        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
-        byte[] subjectSecretKey = subjectKeyInfo.getSecret();
-        
-        //
-        // Try to match the TLS certs first
-        //
-        if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts !=
null 
-            && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0]))
{
-            return true;
-        } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey
!= null
-            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
-            return true;
-        }
-        
-        //
-        // Now try the message-level signatures
-        //
-        for (WSSecurityEngineResult signedResult : signedResults) {
-            X509Certificate[] certs =
-                (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-            PublicKey publicKey =
-                (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
-            byte[] secretKey =
-                (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
-            if (certs != null && certs.length > 0 && subjectCerts != null
-                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0]))
{
-                return true;
-            }
-            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
-                return true;
-            }
-            if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
-                return true;
-            }
-        }
-        return false;
+        return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
     }
     
-    private boolean checkSecretKey(
-        byte[] secretKey,
-        byte[] subjectSecretKey,
-        WSSecurityEngineResult signedResult
-    ) {
-        if (secretKey != null && subjectSecretKey != null) {
-            if (Arrays.equals(secretKey, subjectSecretKey)) {
-                return true;
-            } else {
-                Principal principal =
-                    (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
-                if (principal instanceof WSDerivedKeyTokenPrincipal) {
-                    secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
-                    if (Arrays.equals(secretKey, subjectSecretKey)) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
-
 }

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1414251&r1=1414250&r2=1414251&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Tue Nov 27 16:36:13 2012
@@ -26,20 +26,17 @@ import java.util.List;
 
 import org.w3c.dom.Element;
 
-import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.cxf.ws.security.wss4j.SAMLUtils;
 import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
 import org.apache.ws.security.util.WSSecurityUtil;
-
 import org.opensaml.common.SAMLVersion;
 
 /**
@@ -102,7 +99,7 @@ public class SamlTokenPolicyValidator ex
                     ai.setNotAsserted("Assertion fails holder-of-key requirements");
                     return false;
                 }
-                if (!checkSenderVouches(assertionWrapper, tlsCerts)) {
+                if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed))
{
                     ai.setNotAsserted("Assertion fails sender-vouches requirements");
                     return false;
                 }
@@ -146,63 +143,4 @@ public class SamlTokenPolicyValidator ex
         return true;
     }
     
-    /**
-     * Check the sender-vouches requirements against the received assertion. The SAML
-     * Assertion and the SOAP Body must be signed by the same signature.
-     */
-    private boolean checkSenderVouches(
-        AssertionWrapper assertionWrapper,
-        Certificate[] tlsCerts
-    ) {
-        //
-        // If we have a 2-way TLS connection, then we don't have to check that the
-        // assertion + SOAP body are signed
-        //
-        if (tlsCerts != null && tlsCerts.length > 0) {
-            return true;
-        }
-        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
-        for (String confirmationMethod : confirmationMethods) {
-            if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
-                if (signed == null || signed.isEmpty()) {
-                    return false;
-                }
-                if (!checkAssertionAndBodyAreSigned(assertionWrapper)) {
-                    return false;
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Return true if there is a signature which references the Assertion and the SOAP Body.
-     * @param assertionWrapper the AssertionWrapper object
-     * @return true if there is a signature which references the Assertion and the SOAP Body.
-     */
-    private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) {
-        for (WSSecurityEngineResult signedResult : signed) {
-            List<WSDataRef> sl =
-                CastUtils.cast((List<?>)signedResult.get(
-                    WSSecurityEngineResult.TAG_DATA_REF_URIS
-                ));
-            boolean assertionIsSigned = false;
-            boolean bodyIsSigned = false;
-            if (sl != null) {
-                for (WSDataRef dataRef : sl) {
-                    Element se = dataRef.getProtectedElement();
-                    if (se == assertionWrapper.getElement()) {
-                        assertionIsSigned = true;
-                    }
-                    if (se == body) {
-                        bodyIsSigned = true;
-                    }
-                    if (assertionIsSigned && bodyIsSigned) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
 }

Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java?rev=1414251&r1=1414250&r2=1414251&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
Tue Nov 27 16:36:13 2012
@@ -100,7 +100,10 @@ public class SamlTokenTest extends Abstr
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml1:Assertion");
 
-        Message message = makeInvocation(outProperties, xpaths, inProperties);
+        Map<String, String> inMessageProperties = new HashMap<String, String>();
+        inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+        Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+        
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
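Review bot: Every test hunk in this file sets VALIDATE_SAML_SUBJECT_CONFIRMATION to "false" (here and in the four later hunks with the same pattern), so the enforcement this commit adds in validateSAMLResults is not exercised by any visible test: none sends a sender-vouches or holder-of-key assertion with the property enabled and asserts either the WSSecurityException on a failing message or success on one whose assertion and Body are signed together. At least one such case would pin the fail-closed behaviour against later refactoring. A short comment beside the put giving the reason these particular messages need the check disabled would also help the next maintainer, since the reason is not visible from the hunk.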
@@ -138,7 +141,10 @@ public class SamlTokenTest extends Abstr
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
 
-        Message message = makeInvocation(outProperties, xpaths, inProperties);
+        Map<String, String> inMessageProperties = new HashMap<String, String>();
+        inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+        Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+        
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
@@ -404,7 +410,10 @@ public class SamlTokenTest extends Abstr
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
 
-        Message message = makeInvocation(outProperties, xpaths, inProperties);
+        Map<String, String> inMessageProperties = new HashMap<String, String>();
+        inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+        Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+        
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
@@ -451,7 +460,10 @@ public class SamlTokenTest extends Abstr
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
 
-        Message message = makeInvocation(outProperties, xpaths, inProperties);
+        Map<String, String> inMessageProperties = new HashMap<String, String>();
+        inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+        Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+        
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
@@ -497,7 +509,10 @@ public class SamlTokenTest extends Abstr
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml1:Assertion");
 
-        Message message = makeInvocation(outProperties, xpaths, inProperties);
+        Map<String, String> inMessageProperties = new HashMap<String, String>();
+        inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
+        Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
+        
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
@@ -519,6 +534,15 @@ public class SamlTokenTest extends Abstr
         List<String> xpaths,
         Map<String, Object> inProperties
     ) throws Exception {
+        return makeInvocation(outProperties, xpaths, inProperties, new HashMap<String,
String>());
+    }
+    
+    private SoapMessage makeInvocation(
+        Map<String, Object> outProperties,
+        List<String> xpaths,
+        Map<String, Object> inProperties,
+        Map<String, String> inMessageProperties
+    ) throws Exception {
         Document doc = readDocument("wsse-request-clean.xml");
 
         WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
@@ -565,6 +589,9 @@ public class SamlTokenTest extends Abstr
 
         SoapMessage inmsg = new SoapMessage(new MessageImpl());
         inmsg.put(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, "role");
+        for (String inMessageProperty : inMessageProperties.keySet()) {
+            inmsg.put(inMessageProperty, inMessageProperties.get(inMessageProperty));
+        }
         ex.setInMessage(inmsg);
         inmsg.setContent(SOAPMessage.class, saajMsg);
 
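Review bot: The copy loop iterates `inMessageProperties.keySet()` and then looks each key up again with `get`; iterating the entries avoids the second lookup and reads more directly: `for (Map.Entry<String, String> entry : inMessageProperties.entrySet()) { inmsg.put(entry.getKey(), entry.getValue()); }`. The enclosing makeInvocation overload begins in the previous hunk and its remainder is outside this view.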


