Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 42578EB7E for ; Tue, 27 Nov 2012 16:36:39 +0000 (UTC) Received: (qmail 48971 invoked by uid 500); 27 Nov 2012 16:36:39 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 48833 invoked by uid 500); 27 Nov 2012 16:36:38 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 48819 invoked by uid 99); 27 Nov 2012 16:36:38 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 27 Nov 2012 16:36:38 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 27 Nov 2012 16:36:36 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id F0CD02388906; Tue, 27 Nov 2012 16:36:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1414251 - in /cxf/branches/2.6.x-fixes/rt/ws/security/src: main/java/org/apache/cxf/ws/security/ main/java/org/apache/cxf/ws/security/wss4j/ main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ test/java/org/apache/cxf/ws/security/... Date: Tue, 27 Nov 2012 16:36:14 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121127163615.F0CD02388906@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Tue Nov 27 16:36:13 2012 New Revision: 1414251 URL: http://svn.apache.org/viewvc?rev=1414251&view=rev Log: [CXF-4655] - Enforce SAML SubjectConfirmation requirements for the non WS-SecurityPolicy case Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1414251&r1=1414250&r2=1414251&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Tue Nov 27 16:36:13 2012 
@@ -25,7 +25,8 @@ import java.util.HashSet; import java.util.Set; /** - * Configuration tags used to configure the WS-SecurityPolicy layer. + * Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also + * used by the non WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors. */ public final class SecurityConstants { @@ -174,6 +175,14 @@ public final class SecurityConstants { */ public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache"; + /** + * Whether to validate the SubjectConfirmation requirements of a received SAML Token + * (sender-vouches or holder-of-key). The default is false (for backwards + * compatibility reasons). + */ + public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = + "ws-security.validate.saml.subject.conf"; + // // Non-boolean WS-Security Configuration parameters // Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1414251&r1=1414250&r2=1414251&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java Tue Nov 27 16:36:13 2012 
@@ -19,20 +19,41 @@ package org.apache.cxf.ws.security.wss4j; +import java.security.Principal; +import java.security.PublicKey; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.List; +import java.util.logging.Logger; import org.w3c.dom.Element; +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.helpers.CastUtils; +import org.apache.cxf.message.Message; +import org.apache.cxf.security.transport.TLSSessionInfo; +import org.apache.ws.security.WSConstants; +import org.apache.ws.security.WSDataRef; +import org.apache.ws.security.WSDerivedKeyTokenPrincipal; +import org.apache.ws.security.WSSecurityEngineResult; +import org.apache.ws.security.WSSecurityException; +import org.apache.ws.security.saml.SAMLKeyInfo; import org.apache.ws.security.saml.ext.AssertionWrapper; +import org.apache.ws.security.saml.ext.OpenSAMLUtil; +import org.apache.ws.security.util.WSSecurityUtil; import org.opensaml.common.SAMLVersion; import org.opensaml.xml.XMLObject; /** * internal SAMLUtils to avoid direct reference to opensaml from WSS4J interceptors. */ -final class SAMLUtils { +public final class SAMLUtils { + + private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class); + private SAMLUtils() { } 
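Review bot: The class Javadoc `internal SAMLUtils to avoid direct reference to opensaml from WSS4J interceptors` no longer describes the class once this hunk makes it `public` so that the policy validators can call it, and nothing says whether it is now supported API or still an implementation detail. If the intent is only to share code between the interceptor and the validators, say so: `Shared SAML subject-confirmation helpers used by WSS4JInInterceptor and the SAML policy validators; kept here to avoid direct references to OpenSAML from the interceptors. Not intended as a public API.`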
@@ -119,5 +140,214 @@ final class SAMLUtils { } return Collections.unmodifiableList(roles); } + + public static void validateSAMLResults( + List results, + Message message, + Element body + ) throws WSSecurityException { + List samlResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults); + + if (samlResults.isEmpty()) { + return; + } + + List signedResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_SIGN, signedResults); + + for (WSSecurityEngineResult samlResult : samlResults) { + AssertionWrapper assertionWrapper = + (AssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + + TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class); + Certificate[] tlsCerts = null; + if (tlsInfo != null) { + tlsCerts = tlsInfo.getPeerCertificates(); + } + if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) { + LOG.warning("Assertion fails holder-of-key requirements"); + throw new WSSecurityException(WSSecurityException.INVALID_SECURITY); + } + if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults)) { + LOG.warning("Assertion fails sender-vouches requirements"); + throw new WSSecurityException(WSSecurityException.INVALID_SECURITY); + } + } + + } + + /** + * Check the holder-of-key requirements against the received assertion. The subject + * credential of the SAML Assertion must have been used to sign some portion of + * the message, thus showing proof-of-possession of the private/secret key. Alternatively, + * the subject credential of the SAML Assertion must match a client certificate credential + * when 2-way TLS is used. 
+ * @param assertionWrapper the SAML Assertion wrapper object + * @param signedResults a list of all of the signed results + */ + public static boolean checkHolderOfKey( + AssertionWrapper assertionWrapper, + List signedResults, + Certificate[] tlsCerts + ) { + List confirmationMethods = assertionWrapper.getConfirmationMethods(); + for (String confirmationMethod : confirmationMethods) { + if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) { + if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) { + return false; + } + SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); + if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) { + return false; + } + } + } + return true; + } + + /** + * Compare the credentials of the assertion to the credentials used in 2-way TLS or those + * used to verify signatures. + * Return true on a match + * @param subjectKeyInfo the SAMLKeyInfo object + * @param signedResults a list of all of the signed results + * @return true if the credentials of the assertion were used to verify a signature + */ + public static boolean compareCredentials( + SAMLKeyInfo subjectKeyInfo, + List signedResults, + Certificate[] tlsCerts + ) { + X509Certificate[] subjectCerts = subjectKeyInfo.getCerts(); + PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey(); + byte[] subjectSecretKey = subjectKeyInfo.getSecret(); + + // + // Try to match the TLS certs first + // + if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null + && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) { + return true; + } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null + && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) { + return true; + } + + // + // Now try the message-level signatures + // + for (WSSecurityEngineResult signedResult : signedResults) { + X509Certificate[] certs = + (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); + 
PublicKey publicKey = + (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); + byte[] secretKey = + (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET); + if (certs != null && certs.length > 0 && subjectCerts != null + && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) { + return true; + } + if (publicKey != null && publicKey.equals(subjectPublicKey)) { + return true; + } + if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) { + return true; + } + } + return false; + } + + private static boolean checkSecretKey( + byte[] secretKey, + byte[] subjectSecretKey, + WSSecurityEngineResult signedResult + ) { + if (secretKey != null && subjectSecretKey != null) { + if (Arrays.equals(secretKey, subjectSecretKey)) { + return true; + } else { + Principal principal = + (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL); + if (principal instanceof WSDerivedKeyTokenPrincipal) { + secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret(); + if (Arrays.equals(secretKey, subjectSecretKey)) { + return true; + } + } + } + } + return false; + } + + /** + * Check the sender-vouches requirements against the received assertion. The SAML + * Assertion and the SOAP Body must be signed by the same signature. 
+ */ + public static boolean checkSenderVouches( + AssertionWrapper assertionWrapper, + Certificate[] tlsCerts, + Element body, + List signed + ) { + // + // If we have a 2-way TLS connection, then we don't have to check that the + // assertion + SOAP body are signed + // + if (tlsCerts != null && tlsCerts.length > 0) { + return true; + } + List confirmationMethods = assertionWrapper.getConfirmationMethods(); + for (String confirmationMethod : confirmationMethods) { + if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) { + if (signed == null || signed.isEmpty()) { + return false; + } + if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) { + return false; + } + } + } + return true; + } + + /** + * Return true if there is a signature which references the Assertion and the SOAP Body. + * @param assertionWrapper the AssertionWrapper object + * @param body The SOAP body + * @param signed The List of signed results + * @return true if there is a signature which references the Assertion and the SOAP Body. 
+ */ + private static boolean checkAssertionAndBodyAreSigned( + AssertionWrapper assertionWrapper, + Element body, + List signed + ) { + for (WSSecurityEngineResult signedResult : signed) { + List sl = + CastUtils.cast((List)signedResult.get( + WSSecurityEngineResult.TAG_DATA_REF_URIS + )); + boolean assertionIsSigned = false; + boolean bodyIsSigned = false; + if (sl != null) { + for (WSDataRef dataRef : sl) { + Element se = dataRef.getProtectedElement(); + if (se == assertionWrapper.getElement()) { + assertionIsSigned = true; + } + if (se == body) { + bodyIsSigned = true; + } + if (assertionIsSigned && bodyIsSigned) { + return true; + } + } + } + } + return false; + } } Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1414251&r1=1414250&r2=1414251&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Tue Nov 27 16:36:13 2012 @@ -284,7 +284,7 @@ public class WSS4JInInterceptor extends storeSignature(msg, reqData, wsResult); storeTimestamp(msg, reqData, wsResult); - checkActions(msg, reqData, wsResult, actions); + checkActions(msg, reqData, wsResult, actions, SAAJUtils.getBody(doc)); doResults( msg, actor, SAAJUtils.getHeader(doc), @@ -313,7 +313,7 @@ public class WSS4JInInterceptor extends SAAJUtils.getBody(doc), wsResult); } else { - checkActions(msg, reqData, wsResult, actions); + checkActions(msg, reqData, wsResult, actions, SAAJUtils.getBody(doc)); doResults(msg, actor, SAAJUtils.getHeader(doc), SAAJUtils.getBody(doc), 
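Review bot: `compareCredentials` iterates `for (WSSecurityEngineResult signedResult : signedResults)` without a null check, but `checkHolderOfKey` only rejects a null list when `tlsCerts` is also null, so a holder-of-key assertion received over 2-way TLS with a non-matching client certificate and a null `signedResults` (the policy-validator path passes its list through unchanged) ends in a NullPointerException instead of a clean `false`; add `if (signedResults == null) { return false; }` before the loop. `assertionWrapper.getSubjectKeyInfo()` is likewise handed straight to `compareCredentials`, which calls `subjectKeyInfo.getCerts()` — if WSS4J can return null there for an assertion whose SubjectConfirmation carries no KeyInfo, `checkHolderOfKey` should return `false` on a null key info rather than throw. In `validateSAMLResults` the `message.get(TLSSessionInfo.class)` lookup is loop-invariant and can be hoisted above the `for` over `samlResults`. The Javadoc of `checkHolderOfKey` is missing `@param tlsCerts the peer certificates of the TLS connection, or null` and `@return true if every holder-of-key confirmation method is backed by a matching TLS or signature credential`, and `checkSenderVouches` should state that its TLS short-cut accepts any client certificate without relating it to the assertion's subject, since callers in the non-policy path now rely on that behaviour.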
@@ -345,7 +345,8 @@ public class WSS4JInInterceptor extends SoapMessage msg, RequestData reqData, List wsResult, - List actions + List actions, + Element body ) throws WSSecurityException { if (ignoreActions) { // Not applicable for the WS-SecurityPolicy case @@ -367,6 +368,16 @@ public class WSS4JInInterceptor extends + "SignatureCoverageChecker"; LOG.warning(warning); } + + // Now check SAML SenderVouches + Holder Of Key requirements + boolean validateSAMLSubjectConf = + MessageUtils.getContextualBoolean( + msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, false + ); + if (validateSAMLSubjectConf) { + SAMLUtils.validateSAMLResults(wsResult, msg, body); + } + } private void storeSignature( Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1414251&r1=1414250&r2=1414251&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java Tue Nov 27 16:36:13 2012 
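Review bot: The new subject-confirmation check is opt-in — `MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, false)` — so a non-policy endpoint that accepts signed or unsigned SAML tokens keeps accepting holder-of-key and sender-vouches assertions without proof-of-possession until the property is set, and nothing in the logs shows that the check was skipped. The constant's Javadoc already gives the backward-compatibility reason, so the interceptor should at least make the disabled state visible, e.g. an `else` branch with `LOG.fine("SAML SubjectConfirmation validation is disabled; set " + SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION + " to enable it");` when `wsResult` contains SAML results. A short comment on the `ignoreActions` early return above would also help: the check is skipped there because the WS-SecurityPolicy validators perform it. The signature of `checkActions` begins above the -345 hunk.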
@@ -19,22 +19,17 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; -import java.security.Principal; -import java.security.PublicKey; import java.security.cert.Certificate; -import java.security.cert.X509Certificate; -import java.util.Arrays; import java.util.List; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType; import org.apache.cxf.ws.security.policy.model.Token; -import org.apache.ws.security.WSDerivedKeyTokenPrincipal; +import org.apache.cxf.ws.security.wss4j.SAMLUtils; import org.apache.ws.security.WSSecurityEngineResult; import org.apache.ws.security.saml.SAMLKeyInfo; import org.apache.ws.security.saml.ext.AssertionWrapper; -import org.apache.ws.security.saml.ext.OpenSAMLUtil; /** * Some abstract functionality for validating SAML Assertions @@ -82,19 +77,7 @@ public abstract class AbstractSamlPolicy List signedResults, Certificate[] tlsCerts ) { - List confirmationMethods = assertionWrapper.getConfirmationMethods(); - for (String confirmationMethod : confirmationMethods) { - if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) { - if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) { - return false; - } - SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); - if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) { - return false; - } - } - } - return true; + return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts); } /** 
@@ -110,65 +93,7 @@ public abstract class AbstractSamlPolicy List signedResults, Certificate[] tlsCerts ) { - X509Certificate[] subjectCerts = subjectKeyInfo.getCerts(); - PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey(); - byte[] subjectSecretKey = subjectKeyInfo.getSecret(); - - // - // Try to match the TLS certs first - // - if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null - && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) { - return true; - } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null - && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) { - return true; - } - - // - // Now try the message-level signatures - // - for (WSSecurityEngineResult signedResult : signedResults) { - X509Certificate[] certs = - (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); - PublicKey publicKey = - (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); - byte[] secretKey = - (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET); - if (certs != null && certs.length > 0 && subjectCerts != null - && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) { - return true; - } - if (publicKey != null && publicKey.equals(subjectPublicKey)) { - return true; - } - if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) { - return true; - } - } - return false; + return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts); } - private boolean checkSecretKey( - byte[] secretKey, - byte[] subjectSecretKey, - WSSecurityEngineResult signedResult - ) { - if (secretKey != null && subjectSecretKey != null) { - if (Arrays.equals(secretKey, subjectSecretKey)) { - return true; - } else { - Principal principal = - (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL); - if (principal instanceof WSDerivedKeyTokenPrincipal) { - secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret(); - if (Arrays.equals(secretKey, 
subjectSecretKey)) { - return true; - } - } - } - } - return false; - } - } Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1414251&r1=1414250&r2=1414251&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Tue Nov 27 16:36:13 2012 @@ -26,20 +26,17 @@ import java.util.List; import org.w3c.dom.Element; -import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.message.Message; import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.policy.SP12Constants; import org.apache.cxf.ws.security.policy.model.SamlToken; +import org.apache.cxf.ws.security.wss4j.SAMLUtils; import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSDataRef; import org.apache.ws.security.WSSecurityEngineResult; import org.apache.ws.security.saml.ext.AssertionWrapper; -import org.apache.ws.security.saml.ext.OpenSAMLUtil; import org.apache.ws.security.util.WSSecurityUtil; - import org.opensaml.common.SAMLVersion; /** 
@@ -102,7 +99,7 @@ public class SamlTokenPolicyValidator ex
 ai.setNotAsserted("Assertion fails holder-of-key requirements");
 return false;
 }
- if (!checkSenderVouches(assertionWrapper, tlsCerts)) {
+ if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
 ai.setNotAsserted("Assertion fails sender-vouches requirements");
 return false;
 }
@@ -146,63 +143,4 @@ public class SamlTokenPolicyValidator ex return true; } - /** - * Check the sender-vouches requirements against the received assertion. The SAML - * Assertion and the SOAP Body must be signed by the same signature. - */ - private boolean checkSenderVouches( - AssertionWrapper assertionWrapper, - Certificate[] tlsCerts - ) { - // - // If we have a 2-way TLS connection, then we don't have to check that the - // assertion + SOAP body are signed - // - if (tlsCerts != null && tlsCerts.length > 0) { - return true; - } - List confirmationMethods = assertionWrapper.getConfirmationMethods(); - for (String confirmationMethod : confirmationMethods) { - if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) { - if (signed == null || signed.isEmpty()) { - return false; - } - if (!checkAssertionAndBodyAreSigned(assertionWrapper)) { - return false; - } - } - } - return true; - } - - /** - * Return true if there is a signature which references the Assertion and the SOAP Body. - * @param assertionWrapper the AssertionWrapper object - * @return true if there is a signature which references the Assertion and the SOAP Body. 
- */ - private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) { - for (WSSecurityEngineResult signedResult : signed) { - List sl = - CastUtils.cast((List)signedResult.get( - WSSecurityEngineResult.TAG_DATA_REF_URIS - )); - boolean assertionIsSigned = false; - boolean bodyIsSigned = false; - if (sl != null) { - for (WSDataRef dataRef : sl) { - Element se = dataRef.getProtectedElement(); - if (se == assertionWrapper.getElement()) { - assertionIsSigned = true; - } - if (se == body) { - bodyIsSigned = true; - } - if (assertionIsSigned && bodyIsSigned) { - return true; - } - } - } - } - return false; - } } Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java?rev=1414251&r1=1414250&r2=1414251&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java Tue Nov 27 16:36:13 2012 @@ -100,7 +100,10 @@ public class SamlTokenTest extends Abstr xpaths.add("//wsse:Security"); xpaths.add("//wsse:Security/saml1:Assertion"); - Message message = makeInvocation(outProperties, xpaths, inProperties); + Map inMessageProperties = new HashMap(); + inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false"); + Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties); + final List handlerResults = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS)); 
@@ -138,7 +141,10 @@ public class SamlTokenTest extends Abstr xpaths.add("//wsse:Security"); xpaths.add("//wsse:Security/saml2:Assertion"); - Message message = makeInvocation(outProperties, xpaths, inProperties); + Map inMessageProperties = new HashMap(); + inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false"); + Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties); + final List handlerResults = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS)); @@ -404,7 +410,10 @@ public class SamlTokenTest extends Abstr xpaths.add("//wsse:Security"); xpaths.add("//wsse:Security/saml2:Assertion"); - Message message = makeInvocation(outProperties, xpaths, inProperties); + Map inMessageProperties = new HashMap(); + inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false"); + Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties); + final List handlerResults = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS)); @@ -451,7 +460,10 @@ public class SamlTokenTest extends Abstr xpaths.add("//wsse:Security"); xpaths.add("//wsse:Security/saml2:Assertion"); - Message message = makeInvocation(outProperties, xpaths, inProperties); + Map inMessageProperties = new HashMap(); + inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false"); + Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties); + final List handlerResults = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS)); 
@@ -497,7 +509,10 @@ public class SamlTokenTest extends Abstr xpaths.add("//wsse:Security"); xpaths.add("//wsse:Security/saml1:Assertion"); - Message message = makeInvocation(outProperties, xpaths, inProperties); + Map inMessageProperties = new HashMap(); + inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false"); + Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties); + final List handlerResults = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS)); @@ -519,6 +534,15 @@ public class SamlTokenTest extends Abstr List xpaths, Map inProperties ) throws Exception { + return makeInvocation(outProperties, xpaths, inProperties, new HashMap()); + } + + private SoapMessage makeInvocation( + Map outProperties, + List xpaths, + Map inProperties, + Map inMessageProperties + ) throws Exception { Document doc = readDocument("wsse-request-clean.xml"); WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(); @@ -565,6 +589,9 @@ public class SamlTokenTest extends Abstr SoapMessage inmsg = new SoapMessage(new MessageImpl()); inmsg.put(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, "role"); + for (String inMessageProperty : inMessageProperties.keySet()) { + inmsg.put(inMessageProperty, inMessageProperties.get(inMessageProperty)); + } ex.setInMessage(inmsg); inmsg.setContent(SOAPMessage.class, saajMsg);
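Review bot: Every existing test is updated to set `SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION` to `"false"` (the hunks at -100, -138, -404, -451 and -497), and the new `makeInvocation` overload added in the -519 hunk is only ever called with that value, so the enforcement path this commit introduces — `SAMLUtils.validateSAMLResults` rejecting a holder-of-key or sender-vouches assertion whose credential did not sign the message — has no test here. A test that sets the property to `"true"` and expects `WSSecurityException` for a sender-vouches token whose assertion and body are not covered by one signature, plus one that passes when they are, would pin the new behaviour and catch regressions in the shared helper.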