Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0772FED95 for ; Mon, 18 Mar 2013 16:07:37 +0000 (UTC) Received: (qmail 37416 invoked by uid 500); 18 Mar 2013 16:07:36 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 37360 invoked by uid 500); 18 Mar 2013 16:07:36 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 37352 invoked by uid 99); 18 Mar 2013 16:07:36 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Mar 2013 16:07:36 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Mar 2013 16:07:35 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id B7F61238889B; Mon, 18 Mar 2013 16:07:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1457839 - /cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java Date: Mon, 18 Mar 2013 16:07:15 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130318160715.B7F61238889B@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Mon Mar 18 16:07:15 2013 New Revision: 1457839 URL: http://svn.apache.org/r1457839 Log: Merged revisions 1457832 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes ........ r1457832 | coheigea | 2013-03-18 15:59:44 +0000 (Mon, 18 Mar 2013) | 18 lines Merged revisions 1457825 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes ........ r1457825 | coheigea | 2013-03-18 15:46:26 +0000 (Mon, 18 Mar 2013) | 10 lines Merged revisions 1457781 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1457781 | coheigea | 2013-03-18 14:39:26 +0000 (Mon, 18 Mar 2013) | 2 lines SamlTokenInterceptor is not checking version of received token against the policy ........ ........ ........ Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1457839&r1=1457838&r2=1457839&view=diff ==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java Mon Mar 18 16:07:15 2013
@@ -113,6 +113,20 @@ public class SamlTokenInterceptor extend
 }
 assertTokens(message, SP12Constants.SAML_TOKEN, signed);
+ // Check version against policy
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ for (AssertionInfo ai : aim.getAssertionInfo(SP12Constants.SAML_TOKEN)) {
+ SamlToken samlToken = (SamlToken)ai.getAssertion();
+ for (WSSecurityEngineResult result : samlResults) {
+ AssertionWrapper assertionWrapper =
+ (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+
+ if (!checkVersion(samlToken, assertionWrapper)) {
+ ai.setNotAsserted("Wrong SAML Version");
+ }
+ }
+ }
+
 Principal principal = (Principal)samlResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
 message.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);
@@ -339,4 +353,19 @@ public class SamlTokenInterceptor extend
 return crypto;
 }
+ /**
+ * Check the policy version against the received assertion
+ */
+ private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
+ if ((samlToken.isUseSamlVersion11Profile10()
+ || samlToken.isUseSamlVersion11Profile11())
+ && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
+ return false;
+ } else if (samlToken.isUseSamlVersion20Profile11()
+ && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
+ return false;
+ }
+ return true;
+ }
+
 }
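Review bot: A version mismatch in the new loop only calls `ai.setNotAsserted("Wrong SAML Version")`; the method then continues to the existing lines that take the principal from `samlResults.get(0)` and store it under `WSS4JInInterceptor.PRINCIPAL_RESULT`, so the principal of an assertion with the wrong version is still placed on the message and rejection presumably depends on a later policy-verification step rather than on this interceptor. That is worth a comment so a reader does not expect a fault to be raised here, e.g. `// A mismatch is only recorded on the AssertionInfo; enforcement is left to downstream policy verification`. If `getAssertionInfo` can return null for an absent QName in this branch the for-each also needs a guard, though `assertTokens` two lines above has already walked the same map, so that is likely covered. The enclosing method starts and ends outside the hunk.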
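Review bot: `checkVersion` falls through to `return true` when none of `isUseSamlVersion11Profile10`, `isUseSamlVersion11Profile11` or `isUseSamlVersion20Profile11` is set, so a SamlToken policy that selects no version profile accepts an assertion of any version; if that permissive default is intended the Javadoc should say so, and it should carry `@param`/`@return` tags in any case. Suggested: `@return true if the assertion's SAML version matches the profile selected in the policy, or if the policy selects no version profile`. The two mismatch branches could also be folded into a single comparison against one expected version value, but that is cosmetic.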