From cohei...@apache.org
Subject [4/6] git commit: Introduced SAMLClaim, and ported cxf-rt-ws-security to use it
Date Mon, 10 Mar 2014 16:52:10 GMT
Introduced SAMLClaim, and ported cxf-rt-ws-security to use it


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cae108db
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cae108db
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cae108db

Branch: refs/heads/master
Commit: cae108db6420d77202660d6770fb4777c5951764
Parents: ac69305
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 6 12:42:48 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 6 12:42:48 2014 +0000

----------------------------------------------------------------------
 .../cxf/rt/security/claims/SAMLClaim.java       |  59 ++++++++
 .../apache/cxf/rt/security/saml/SAMLUtils.java  | 149 +++++++++++++++++++
 .../apache/cxf/ws/security/wss4j/SAMLUtils.java | 132 ----------------
 .../wss4j/StaxSecurityContextInInterceptor.java |  32 ++--
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  29 ++--
 .../ws/security/wss4j/saml/SamlTokenTest.java   |   1 -
 .../token/validator/DefaultSAMLRoleParser.java  |  32 ++--
 7 files changed, 239 insertions(+), 195 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
new file mode 100644
index 0000000..abe629d
--- /dev/null
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.claims;
+
+
+/**
+ * This represents a Claim that is coupled to a SAML Assertion
+ */
+public class SAMLClaim extends Claim {
+    
+    private static final long serialVersionUID = 5530712294179589442L;
+
+    private String nameFormat;
+    private String name;
+    private String friendlyName;
+    
+    public String getNameFormat() {
+        return nameFormat;
+    }
+    
+    public void setNameFormat(String nameFormat) {
+        this.nameFormat = nameFormat;
+    }
+    
+    public String getName() {
+        return name;
+    }
+    
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getFriendlyName() {
+        return friendlyName;
+    }
+
+    public void setFriendlyName(String friendlyName) {
+        this.friendlyName = friendlyName;
+    }
+    
+    
+}
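Review bot: The three new fields have no documentation, and nameFormat in particular carries two different things depending on the assertion version: the sibling SAMLUtils.getClaims in this commit fills it from the SAML 2.0 Attribute NameFormat, but from the AttributeNamespace for SAML 1.x, and friendlyName is only set on the SAML 2.0 path. Field comments such as `/** SAML 2.0 Attribute NameFormat, or the SAML 1.x AttributeNamespace. */` on nameFormat, `/** The Attribute Name as carried in the assertion; claimType holds the derived URI. */` on name, and `/** SAML 2.0 FriendlyName; not populated for SAML 1.x attributes. */` on friendlyName would make that contract visible to code that consumes the claim without reading SAMLUtils. The class Javadoc could likewise state that the extra fields describe the SAML Attribute the claim was extracted from.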

http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
new file mode 100644
index 0000000..b5801a8
--- /dev/null
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.rt.security.claims.Claim;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.xml.XMLObject;
+
+public final class SAMLUtils {
+    
+    /**
+     * This configuration tag specifies the default attribute name where the roles are present
+     * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
+     */
+    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
+        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+    
+    private SAMLUtils() {
+        
+    }
+    
+    /**
+     * Extract Claims from a SAML Assertion
+     */
+    public static ClaimCollection getClaims(SamlAssertionWrapper assertion) {
+        ClaimCollection claims = new ClaimCollection();
+        
+        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+            List<AttributeStatement> statements = assertion.getSaml2().getAttributeStatements();
+            for (AttributeStatement as : statements) {
+                for (Attribute atr : as.getAttributes()) {
+                    SAMLClaim claim = new SAMLClaim();
+                    claim.setClaimType(URI.create(atr.getName()));
+                    
+                    claim.setName(atr.getName());
+                    claim.setNameFormat(atr.getNameFormat());
+                    claim.setFriendlyName(atr.getFriendlyName());
+                    
+                    for (XMLObject o : atr.getAttributeValues()) {
+                        String attrValue = o.getDOM().getTextContent();
+                        claim.getValues().add(attrValue);
+                    }
+                    
+                    claims.add(claim);
+                }
+            }
+        } else {
+            List<org.opensaml.saml1.core.AttributeStatement> attributeStatements =

+                assertion.getSaml1().getAttributeStatements();
+            
+            for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements)
{
+                for (org.opensaml.saml1.core.Attribute atr : statement.getAttributes()) {
+                    SAMLClaim claim = new SAMLClaim();
+                    
+                    String claimType = atr.getAttributeName();
+                    if (atr.getAttributeNamespace() != null) {
+                        claimType = atr.getAttributeNamespace() + "/" + claimType;
+                    }
+                    claim.setClaimType(URI.create(claimType));
+
+                    claim.setName(atr.getAttributeName());
+                    claim.setNameFormat(atr.getAttributeNamespace());
+
+                    for (XMLObject o : atr.getAttributeValues()) {
+                        String attrValue = o.getDOM().getTextContent();
+                        claim.getValues().add(attrValue);
+                    }
+
+                    claims.add(claim);
+                }
+            } 
+        }
+        
+        return claims;
+    }
+    
+    /**
+     * Extract roles from the given Claims
+     */
+    public static Set<Principal> parseRolesFromClaims(
+        ClaimCollection claims,
+        String name,
+        String nameFormat
+    ) {
+        String roleAttributeName = name;
+        if (roleAttributeName == null) {
+            roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+        }
+        
+        Set<Principal> roles = new HashSet<Principal>();
+        
+        for (Claim claim : claims) {
+            if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name)
+                && (nameFormat == null 
+                    || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat())))
{
+                for (Object claimValue : claim.getValues()) {
+                    if (claimValue instanceof String) {
+                        roles.add(new SimplePrincipal((String)claimValue));
+                    }
+                }
+                if (claim.getValues().size() > 1) {
+                    // Don't search for other attributes with the same name if > 1 claim
value
+                    break;
+                }
+            }
+        }
+        
+        return roles;
+    }
+    
+    public static String getIssuer(Object assertion) {
+        return ((SamlAssertionWrapper)assertion).getIssuerString();
+    }
+
+    public static Element getAssertionElement(Object assertion) {
+        return ((SamlAssertionWrapper)assertion).getElement();
+    }
+    
+}
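Review bot: parseRolesFromClaims computes `roleAttributeName`, falling back to SAML_ROLE_ATTRIBUTENAME_DEFAULT when `name` is null, but the match at `((SAMLClaim)claim).getName().equals(name)` compares against the raw `name`, so a null argument never matches any claim and the default is dead code; the second `claim instanceof SAMLClaim` inside the nameFormat test is also redundant. Replacing the condition with `if (claim instanceof SAMLClaim && roleAttributeName.equals(((SAMLClaim)claim).getName()) && (nameFormat == null || nameFormat.equals(((SAMLClaim)claim).getNameFormat())))` fixes both and stays null-safe when an attribute carries no name. This matters for the DefaultSAMLRoleParser and StaxSecurityContextInInterceptor callers in this commit, whose defaulting of roleAttributeName is outside the visible hunks, while WSS4JInInterceptor defaults it before the call. Separately, getClaims passes attribute names taken from the received assertion straight to `URI.create(...)`; a name that is not a syntactically valid URI throws IllegalArgumentException out of the interceptor instead of surfacing as a token validation failure, so catching it and skipping or rejecting the attribute would make the failure mode predictable.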

http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
deleted file mode 100755
index 72750d3..0000000
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.ws.security.wss4j;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import org.w3c.dom.Element;
-
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.xml.XMLObject;
-
-/**
- * internal SAMLUtils to avoid direct reference to opensaml from WSS4J interceptors.
- */
-public final class SAMLUtils {
-    
-    private SAMLUtils() {
-    }
-    
-    public static List<String> parseRolesInAssertion(Object assertion, String roleAttributeName)
{
-        if (((SamlAssertionWrapper) assertion).getSamlVersion().equals(SAMLVersion.VERSION_20))
{
-            return parseRolesInAssertion(((SamlAssertionWrapper)assertion).getSaml2(), roleAttributeName);
-        } else {
-            return parseRolesInAssertion(((SamlAssertionWrapper)assertion).getSaml1(), roleAttributeName);
-        }
-    }
-    
-    public static String getIssuer(Object assertion) {
-        return ((SamlAssertionWrapper)assertion).getIssuerString();
-    }
-    
-    public static Element getAssertionElement(Object assertion) {
-        return ((SamlAssertionWrapper)assertion).getElement();
-    }
-    
-    //
-    // these methods are moved from previous WSS4JInInterceptor
-    //
-    private static List<String> parseRolesInAssertion(org.opensaml.saml1.core.Assertion
assertion,
-            String roleAttributeName) {
-        List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = 
-            assertion.getAttributeStatements();
-        if (attributeStatements == null || attributeStatements.isEmpty()) {
-            return null;
-        }
-        List<String> roles = new ArrayList<String>();
-        
-        for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements)
{
-            
-            List<org.opensaml.saml1.core.Attribute> attributes = statement.getAttributes();
-            for (org.opensaml.saml1.core.Attribute attribute : attributes) {
-                
-                if (attribute.getAttributeName().equals(roleAttributeName)) {
-                    for (XMLObject attributeValue : attribute.getAttributeValues()) {
-                        Element attributeValueElement = attributeValue.getDOM();
-                        String value = attributeValueElement.getTextContent();
-                        roles.add(value);                    
-                    }
-                    if (attribute.getAttributeValues().size() > 1) {
-//                        Don't search for other attributes with the same name if       
                 
-//                        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
-//                             AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="roles">
-//                        <saml:AttributeValue>Value1</saml:AttributeValue>
-//                        <saml:AttributeValue>Value2</saml:AttributeValue>
-//                        </saml:Attribute>
-                        break;
-                    }
-                }
-                
-            }
-        }
-        return Collections.unmodifiableList(roles);
-    }
-    
-
-    private static List<String> parseRolesInAssertion(org.opensaml.saml2.core.Assertion
assertion,
-            String roleAttributeName) {
-        List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = 
-            assertion.getAttributeStatements();
-        if (attributeStatements == null || attributeStatements.isEmpty()) {
-            return null;
-        }
-        List<String> roles = new ArrayList<String>();
-        
-        for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements)
{
-            
-            List<org.opensaml.saml2.core.Attribute> attributes = statement.getAttributes();
-            for (org.opensaml.saml2.core.Attribute attribute : attributes) {
-                
-                if (attribute.getName().equals(roleAttributeName)) {
-                    for (XMLObject attributeValue : attribute.getAttributeValues()) {
-                        Element attributeValueElement = attributeValue.getDOM();
-                        String value = attributeValueElement.getTextContent();
-                        roles.add(value);                    
-                    }
-                    if (attribute.getAttributeValues().size() > 1) {
-//                        Don't search for other attributes with the same name if       
                 
-//                        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
-//                             AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="roles">
-//                        <saml:AttributeValue>Value1</saml:AttributeValue>
-//                        <saml:AttributeValue>Value2</saml:AttributeValue>
-//                        </saml:Attribute>
-                        break;
-                    }
-                }
-                
-            }
-        }
-        return Collections.unmodifiableList(roles);
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index 7d20d22..7d03253 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
@@ -19,7 +19,6 @@
 package org.apache.cxf.ws.security.wss4j;
 
 import java.security.Principal;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
@@ -28,18 +27,20 @@ import javax.security.auth.Subject;
 import org.apache.cxf.binding.soap.SoapFault;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.SoapVersion;
-import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.principal.CustomTokenPrincipal;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
@@ -110,7 +111,6 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
 
                     Object receivedAssertion = null;
                     
-                    List<String> roles = null;
                     if (event.getSecurityEventType() == WSSecurityEventConstants.SamlToken)
{
                         String roleAttributeName = (String)msg.getContextualProperty(
                                 SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
@@ -121,10 +121,14 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
                         SamlTokenSecurityEvent samlEvent = (SamlTokenSecurityEvent)event;
                         receivedAssertion = samlEvent.getSamlAssertionWrapper();
                         if (receivedAssertion != null) {
-                            roles = SAMLUtils.parseRolesInAssertion(receivedAssertion, roleAttributeName);
-                            SAMLSecurityContext context = createSecurityContext(p, roles);
-                            context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
-                            context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
+                            ClaimCollection claims = 
+                                SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion);
+                            Set<Principal> roles = 
+                                SAMLUtils.parseRolesFromClaims(claims, roleAttributeName,
null);
+                            
+                            SAMLSecurityContext context = 
+                                new SAMLSecurityContext(p, roles, claims);
+                            
                             msg.put(SecurityContext.class, context);
                         }
                     } else {
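Review bot: The new context construction drops the `setIssuer(...)` and `setAssertionElement(...)` calls that the previous code made on the SAMLSecurityContext, while the parallel change in WSS4JInInterceptor in this same commit keeps both calls after constructing the context. Unless the Stax path intentionally no longer exposes the issuer and assertion element, add `context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));` and `context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));` after `new SAMLSecurityContext(p, roles, claims);`, since the new SAMLUtils still provides both helpers. The enclosing method continues outside the hunk.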
@@ -182,20 +186,6 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
         };
     }
     
-    private SAMLSecurityContext createSecurityContext(final Principal p, final List<String>
roles) {
-        final Set<Principal> userRoles;
-        if (roles != null) {
-            userRoles = new HashSet<Principal>();
-            for (String role : roles) {
-                userRoles.add(new SimplePrincipal(role));
-            }
-        } else {
-            userRoles = null;
-        }
-        
-        return new SAMLSecurityContext(p, userRoles);
-    }
-    
     /**
      * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
      * 1.1 specification, chapter 12 "Error Handling".

http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 0422845..2d00d8b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -23,7 +23,6 @@ import java.security.Principal;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -53,7 +52,6 @@ import org.apache.cxf.binding.soap.saaj.SAAJUtils;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.i18n.Message;
 import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
@@ -61,7 +59,9 @@ import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
@@ -544,15 +544,20 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
                     receivedAssertion  = o.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
                 }
                 
-                List<String> roles = null;
                 if (receivedAssertion instanceof SamlAssertionWrapper) {
                     String roleAttributeName = (String)msg.getContextualProperty(
                             SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
                     if (roleAttributeName == null || roleAttributeName.length() == 0) {
                         roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
                     }
-                    roles = SAMLUtils.parseRolesInAssertion(receivedAssertion, roleAttributeName);
-                    SAMLSecurityContext context = createSecurityContext(p, roles);
+                    
+                    ClaimCollection claims = 
+                        SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion);
+                    Set<Principal> roles = 
+                        SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+                    
+                    SAMLSecurityContext context = 
+                        new SAMLSecurityContext(p, roles, claims);
                     context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
                     context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
                     msg.put(SecurityContext.class, context);
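Review bot: Because SAMLUtils.parseRolesFromClaims always returns a Set, `roles` here is now an empty set when the assertion carries no attribute statements, whereas the deleted createSecurityContext mapped that case to a null role set; if SAMLSecurityContext distinguishes null from empty in isUserInRole or getUserRoles (not visible on this page), this hunk silently changes that behaviour and should be confirmed. The removal of the `protected createSecurityContext(...)` hook further down this file also breaks any subclass that overrode it; if that is intended, the commit message should say so. The enclosing method continues outside the hunk.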
@@ -610,20 +615,6 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         };
     }
     
-    protected SAMLSecurityContext createSecurityContext(final Principal p, final List<String>
roles) {
-        final Set<Principal> userRoles;
-        if (roles != null) {
-            userRoles = new HashSet<Principal>();
-            for (String role : roles) {
-                userRoles.add(new SimplePrincipal(role));
-            }
-        } else {
-            userRoles = null;
-        }
-        
-        return new SAMLSecurityContext(p, userRoles);
-    }
-    
     private String getAction(SoapMessage msg, SoapVersion version) {
         String action = (String)getOption(WSHandlerConstants.ACTION);
         if (action == null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index e221efe..dfe4714 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -470,7 +470,6 @@ public class SamlTokenTest extends AbstractSecurityTest {
      * This test creates a SAML1 Assertion and sends it in the security header to the provider.
      */
     @Test
-    //@Ignore
     public void testSaml1TokenWithRoles() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);

http://git-wip-us.apache.org/repos/asf/cxf/blob/cae108db/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
index 175135d..5a336d5 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/DefaultSAMLRoleParser.java
@@ -19,17 +19,15 @@
 package org.apache.cxf.sts.token.validator;
 
 import java.security.Principal;
-import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
 import javax.security.auth.Subject;
 
-import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 
 /**
@@ -67,28 +65,18 @@ public class DefaultSAMLRoleParser implements SAMLRoleParser {
             } else {
                 return new DefaultSecurityContext(principal, subject).getUserRoles();
             }
-        } 
+        }
+        
+        ClaimCollection claims = SAMLUtils.getClaims(assertion);
+        Set<Principal> roles = 
+            SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+        
+        SAMLSecurityContext context = 
+            new SAMLSecurityContext(principal, roles, claims);
         
-        List<String> roles = 
-            SAMLUtils.parseRolesInAssertion(assertion, roleAttributeName);
-        SAMLSecurityContext context = createSecurityContext(principal, roles);
         return context.getUserRoles();
     }
     
-    private SAMLSecurityContext createSecurityContext(final Principal p, final List<String>
roles) {
-        final Set<Principal> userRoles;
-        if (roles != null) {
-            userRoles = new HashSet<Principal>();
-            for (String role : roles) {
-                userRoles.add(new SimplePrincipal(role));
-            }
-        } else {
-            userRoles = null;
-        }
-        
-        return new SAMLSecurityContext(p, userRoles);
-    }
-
     public boolean isUseJaasSubject() {
         return useJaasSubject;
     }
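Review bot: The new code builds a full SAMLSecurityContext only to call getUserRoles() on it, while `roles` already holds the parsed principals; if SAMLSecurityContext.getUserRoles() returns the set unchanged (not visible here), `return roles;` would express the intent directly and avoid constructing the context. If the context is kept deliberately so that role handling matches the interceptors, a one-line comment such as `// go through SAMLSecurityContext so role handling matches the WS-Security interceptors` would explain the detour. The enclosing method begins before this hunk, so whether roleAttributeName is defaulted before reaching SAMLUtils.parseRolesFromClaims cannot be seen here.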

