From cohei...@apache.org
Subject [5/6] git commit: Ported Claims changes to rs-security layer
Date Mon, 10 Mar 2014 16:52:11 GMT
Ported Claims changes to rs-security layer


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cde7fd30
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cde7fd30
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cde7fd30

Branch: refs/heads/master
Commit: cde7fd3075e66a693fdcc0f75efd0e81ec0c23ea
Parents: cae108d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 6 16:08:01 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 6 16:08:01 2014 +0000

----------------------------------------------------------------------
 .../grants/saml/Saml2BearerGrantHandler.java    |  6 +-
 .../oauth2/grants/saml/SamlUserSubject.java     |  8 +-
 .../apache/cxf/rs/security/saml/SAMLUtils.java  | 29 -------
 .../cxf/rs/security/saml/assertion/Claim.java   | 90 --------------------
 .../cxf/rs/security/saml/assertion/Claims.java  | 71 ---------------
 .../security/saml/authorization/ClaimBean.java  |  9 +-
 .../ClaimsAuthorizingInterceptor.java           | 36 +++++---
 .../authorization/JAXRSSAMLSecurityContext.java | 77 -----------------
 .../SecurityContextProviderImpl.java            | 39 ++++++---
 .../ClaimsAuthorizingInterceptorTest.java       | 50 ++++++-----
 .../cxf/rt/security/claims/SAMLClaim.java       |  7 ++
 .../apache/cxf/rt/security/saml/SAMLUtils.java  |  9 +-
 .../security/oauth2/SamlCallbackHandler.java    |  6 +-
 .../security/oauth2/SamlCallbackHandler2.java   |  6 +-
 .../saml/CustomSecurityContextProvider.java     |  4 +-
 .../security/saml/SamlCallbackHandler.java      |  6 +-
 16 files changed, 109 insertions(+), 344 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
index e410432..b018147 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
@@ -50,9 +50,9 @@ import org.apache.cxf.rs.security.oauth2.saml.SamlOAuthValidator;
 import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
-import org.apache.cxf.rs.security.saml.authorization.JAXRSSAMLSecurityContext;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
+import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
@@ -133,8 +133,8 @@ public class Saml2BearerGrantHandler extends AbstractGrantHandler {
 
     protected UserSubject getGrantSubject(Message message, SamlAssertionWrapper wrapper)
{
         SecurityContext sc = scProvider.getSecurityContext(message, wrapper);
-        if (sc instanceof JAXRSSAMLSecurityContext) {
-            JAXRSSAMLSecurityContext jaxrsSc = (JAXRSSAMLSecurityContext)sc;
+        if (sc instanceof SAMLSecurityContext) {
+            SAMLSecurityContext jaxrsSc = (SAMLSecurityContext)sc;
             Set<Principal> rolesP = jaxrsSc.getUserRoles();
             List<String> roles = new ArrayList<String>();
             if (roles != null) {
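Review bot: The null guard on the last line of the hunk tests `roles`, which was created one line earlier with `new ArrayList<String>()` and can never be null, while `rolesP` from `jaxrsSc.getUserRoles()` — the value the removed JAXRSSAMLSecurityContext set to null when the assertion carried no role attribute — is never checked; presumably the intended line is `if (rolesP != null) {`. Whether the rt SAMLSecurityContext can still return a null role set is not visible here, but the check as written protects nothing, and a null `rolesP` would surface as a NullPointerException in the grant handler rather than an empty role list. getGrantSubject's body continues outside the hunk.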

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/SamlUserSubject.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/SamlUserSubject.java
b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/SamlUserSubject.java
index b35a3f4..0fe0e1f 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/SamlUserSubject.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/SamlUserSubject.java
@@ -21,18 +21,18 @@ package org.apache.cxf.rs.security.oauth2.grants.saml;
 import java.util.List;
 
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.saml.assertion.Claims;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
 
 public class SamlUserSubject extends UserSubject {
     private static final long serialVersionUID = -1135272749329239037L;
-    private Claims claims;
+    private ClaimCollection claims;
     public SamlUserSubject(String user, 
                            List<String> roles,
-                           Claims claims) {
+                           ClaimCollection claims) {
         super(user, roles);
         this.claims = claims;
     }
-    public Claims getClaims() {
+    public ClaimCollection getClaims() {
         return claims;
     }
 }
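Review bot: SamlUserSubject keeps its serialVersionUID (so it is Serializable through UserSubject) and now stores a `ClaimCollection`; unless ClaimCollection and the Claim objects it holds are Serializable as well, serializing this subject — for instance into a persistent token store — fails at runtime with NotSerializableException. Please confirm this on the rt ClaimCollection, or mark the field `transient` and document that claims do not survive serialization. Separately, `getClaims()` hands out the live collection, so any caller can add or remove claims on an authenticated subject; if that is not intended, a Javadoc line such as `Returns the claims parsed from the SAML assertion; the returned collection must not be modified.` would at least state the contract.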

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index fd685ca..f9ef27e 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -20,8 +20,6 @@ package org.apache.cxf.rs.security.saml;
 
 import java.io.PrintWriter;
 import java.io.StringWriter;
-import java.util.ArrayList;
-import java.util.List;
 import java.util.logging.Logger;
 
 import javax.security.auth.callback.CallbackHandler;
@@ -32,8 +30,6 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
-import org.apache.cxf.rs.security.saml.assertion.Claim;
-import org.apache.cxf.rs.security.saml.assertion.Claims;
 import org.apache.cxf.rs.security.saml.assertion.Subject;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
@@ -41,10 +37,7 @@ import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeStatement;
 import org.opensaml.saml2.core.NameID;
-import org.opensaml.xml.XMLObject;
 
 public final class SAMLUtils {
     private static final Logger LOG = 
@@ -69,28 +62,6 @@ public final class SAMLUtils {
         return subject;
     }
     
-    
-    public static Claims getClaims(SamlAssertionWrapper assertionW) {
-        // Should we just do a simple DOM parsing without even relying on
-        // OpenSaml
-        List<Claim> claims = new ArrayList<Claim>();
-        List<AttributeStatement> statements = assertionW.getSaml2().getAttributeStatements();
-        for (AttributeStatement as : statements) {
-            for (Attribute atr : as.getAttributes()) {
-                Claim claim = new Claim();
-                claim.setName(atr.getName());
-                claim.setNameFormat(atr.getNameFormat());
-                claim.setFriendlyName(atr.getFriendlyName());
-                for (XMLObject o : atr.getAttributeValues()) {
-                    String attrValue = o.getDOM().getTextContent();
-                    claim.getValues().add(attrValue);
-                }
-                claims.add(claim);
-            }
-        }
-        return new Claims(claims);
-    }
-    
     public static SamlAssertionWrapper createAssertion(Message message) throws Fault {
         CallbackHandler handler = SecurityUtils.getCallbackHandler(
             message, SAMLUtils.class, SecurityConstants.SAML_CALLBACK_HANDLER);

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claim.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claim.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claim.java
deleted file mode 100644
index 3cf8793..0000000
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claim.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.saml.assertion;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-public class Claim {
-    public static final String DEFAULT_ROLE_NAME = 
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; 
-    public static final String DEFAULT_NAME_FORMAT = 
-        "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified";
-    
-    private String nameFormat;
-    private String name;
-    private String friendlyName;
-    
-    private List<String> values = new ArrayList<String>();
-
-    public Claim() {
-        
-    }
-    
-    public Claim(String nameFormat, String name) {
-        this.nameFormat = nameFormat;
-        this.name = name;        
-    }
-    
-    public Claim(String nameFormat, String name, String value) {
-        this(nameFormat, name, Collections.singletonList(value));        
-    }
-    
-    public Claim(String nameFormat, String name, List<String> values) {
-        this.nameFormat = nameFormat;
-        this.name = name;
-        this.values = values;
-    }
-    
-    public void setNameFormat(String nameFormat) {
-        this.nameFormat = nameFormat;
-    }
-
-    public String getNameFormat() {
-        return nameFormat;
-    }
-
-    public void setName(String name) {
-        this.name = name;
-    }
-
-    public String getName() {
-        return name;
-    }
-
-    public void setFriendlyName(String friendlyName) {
-        this.friendlyName = friendlyName;
-    }
-
-    public String getFriendlyName() {
-        return friendlyName;
-    }
-
-    public void setValues(List<String> values) {
-        this.values = values;
-    }
-
-    public List<String> getValues() {
-        return values;
-    }
-    
-    
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
deleted file mode 100644
index 548efb7..0000000
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/assertion/Claims.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.saml.assertion;
-
-import java.util.List;
-
-public class Claims {
-
-    private List<Claim> claims;
-    private String realm;
-    
-    public Claims(List<Claim> claims) {
-        this.claims = claims;
-    }
-    
-    public Claims(List<Claim> claims, String realm) {
-        this.claims = claims;
-        this.realm = realm;
-    }
-
-    public String getRealm() {
-        return realm;
-    }
-    public List<Claim> getClaims() {
-        return claims;
-    }
-    
-    public Claim findClaimByFriendlyName(String friendlyName) {
-        for (Claim c : claims) {
-            if (c.getFriendlyName().equals(friendlyName)) {
-                return c;
-            }
-        }
-        return null;
-    }
-   
-    public Claim findClaimByName(String name) {
-        for (Claim c : claims) {
-            if (c.getName().equals(name)) {
-                return c;
-            }
-        }
-        return null;
-    }
-    
-    public Claim findClaimByFormatAndName(String format, String name) {
-        for (Claim c : claims) {
-            if (c.getName().equals(name)
-                && c.getNameFormat().equals(format)) {
-                return c;
-            }
-        }
-        return null;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
index b89b1b8..812bd6e 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimBean.java
@@ -18,19 +18,20 @@
  */
 package org.apache.cxf.rs.security.saml.authorization;
 
+import org.apache.cxf.rt.security.claims.SAMLClaim;
 import org.apache.cxf.security.claims.authorization.ClaimMode;
 
 
 public class ClaimBean {
-    private org.apache.cxf.rs.security.saml.assertion.Claim claim;
+    private SAMLClaim claim;
     private ClaimMode claimMode;
     private boolean matchAll;
     
-    public ClaimBean(org.apache.cxf.rs.security.saml.assertion.Claim claim) {
+    public ClaimBean(SAMLClaim claim) {
         this.claim = claim;
     }
     
-    public ClaimBean(org.apache.cxf.rs.security.saml.assertion.Claim claim,
+    public ClaimBean(SAMLClaim claim,
                      ClaimMode claimMode, 
                      boolean matchAll) {
         this.claim = claim;
@@ -38,7 +39,7 @@ public class ClaimBean {
         this.matchAll = matchAll;
     }
     
-    public org.apache.cxf.rs.security.saml.assertion.Claim getClaim() {
+    public SAMLClaim getClaim() {
         return claim;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
index 0cba1a9..ea83572 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptor.java
@@ -36,6 +36,8 @@ import org.apache.cxf.interceptor.security.AccessDeniedException;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.ClaimMode;
@@ -67,13 +69,13 @@ public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Messa
     
     public void handleMessage(Message message) throws Fault {
         SecurityContext sc = message.get(SecurityContext.class);
-        if (!(sc instanceof JAXRSSAMLSecurityContext)) {
+        if (!(sc instanceof SAMLSecurityContext)) {
             throw new AccessDeniedException("Security Context is unavailable or unrecognized");
         }
         
         Method method = getTargetMethod(message);
         
-        if (authorize((JAXRSSAMLSecurityContext)sc, method)) {
+        if (authorize((SAMLSecurityContext)sc, method)) {
             return;
         }
         
@@ -98,14 +100,21 @@ public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Messa
         throw new AccessDeniedException("Method is not available : Unauthorized");
     }
 
-    protected boolean authorize(JAXRSSAMLSecurityContext sc, Method method) {
+    protected boolean authorize(SAMLSecurityContext sc, Method method) {
         List<ClaimBean> list = claims.get(method.getName());
-        org.apache.cxf.rs.security.saml.assertion.Claims actualClaims = sc.getClaims();
+        org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
         
         for (ClaimBean claimBean : list) {
-            org.apache.cxf.rs.security.saml.assertion.Claim claim =  claimBean.getClaim();
-            org.apache.cxf.rs.security.saml.assertion.Claim matchingClaim = 
-                actualClaims.findClaimByFormatAndName(claim.getNameFormat(), claim.getName());
+            org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
+            org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
+            for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
+                if (cl instanceof SAMLClaim
+                    && ((SAMLClaim)cl).getName().equals(((SAMLClaim)claim).getName())
+                    && ((SAMLClaim)cl).getNameFormat().equals(((SAMLClaim)claim).getNameFormat()))
{
+                    matchingClaim = cl;
+                    break;
+                }
+            }
             if (matchingClaim == null) {
                 if (claimBean.getClaimMode() == ClaimMode.STRICT) {
                     return false;
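Review bot: The new matching loop calls `((SAMLClaim)cl).getNameFormat().equals(...)` on every claim parsed from the assertion, and NameFormat is optional on a SAML 2.0 Attribute, so an assertion whose attribute omits it makes authorize() throw NullPointerException — surfacing as a server Fault instead of the AccessDeniedException this interceptor otherwise produces. The expected name and format are also re-read and re-cast from `claim` on every iteration; hoisting them and comparing null-safely keeps the loop both correct and readable, as below. A related caveat: since the instanceof check earlier in the file now admits any SAMLSecurityContext, an `sc.getClaims()` that returns null (not visible here whether the rt class guarantees non-null) would NPE in the same for-each. Whether an absent NameFormat should instead be treated as `unspecified` is a policy choice that deserves a comment at this spot.
```java
            org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
            SAMLClaim expected = (SAMLClaim)claim;
            String expectedName = expected.getName();
            String expectedFormat = expected.getNameFormat();
            org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
            for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
                if (!(cl instanceof SAMLClaim)) {
                    continue;
                }
                SAMLClaim actual = (SAMLClaim)cl;
                // NameFormat is optional on a SAML Attribute: compare null-safely
                boolean sameFormat = expectedFormat == null
                    ? actual.getNameFormat() == null
                    : expectedFormat.equals(actual.getNameFormat());
                if (sameFormat && expectedName.equals(actual.getName())) {
                    matchingClaim = cl;
                    break;
                }
            }
            // … unchanged: STRICT / LAX handling when matchingClaim == null …
```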
@@ -113,14 +122,14 @@ public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Messa
                     continue;
                 }
             }
-            List<String> claimValues = claim.getValues();
-            List<String> matchingClaimValues = matchingClaim.getValues();
+            List<Object> claimValues = claim.getValues();
+            List<Object> matchingClaimValues = matchingClaim.getValues();
             if (claimBean.isMatchAll() 
                 && !matchingClaimValues.containsAll(claimValues)) {    
                 return false;
             } else {
                 boolean matched = false;
-                for (String value : matchingClaimValues) {
+                for (Object value : matchingClaimValues) {
                     if (claimValues.contains(value)) {
                         matched = true;    
                         break;
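Review bot: With the value lists now typed `List<Object>`, both `matchingClaimValues.containsAll(claimValues)` and `claimValues.contains(value)` depend on the values parsed from the assertion being `equals()`-comparable with the `String`s taken from the `@Claim` annotation; if the rt `SAMLUtils.getClaims` stores attribute values as anything other than plain strings, every comparison is false and every method carrying a value constraint is denied — fail-closed, but silently and for everyone. That assumption is worth a comment at the comparison, `// assertion values must be Strings for equality with annotation values to hold`, and a test that obtains its claims through SAMLUtils.getClaims rather than hand-built SAMLClaims with addValue("..."), which is all the updated test exercises.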
@@ -201,8 +210,7 @@ public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Messa
             annClaims.add(claimAnn);
         }
         for (Claim ann : annClaims) {
-            org.apache.cxf.rs.security.saml.assertion.Claim claim = 
-                new org.apache.cxf.rs.security.saml.assertion.Claim();
+            SAMLClaim claim = new SAMLClaim();
             
             String claimName = ann.name();
             if (nameAliases.containsKey(claimName)) {
@@ -215,7 +223,9 @@ public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Messa
             
             claim.setName(claimName);
             claim.setNameFormat(claimFormat);
-            claim.setValues(Arrays.asList(ann.value()));
+            for (String value : ann.value()) {
+                claim.addValue(value);
+            }
             
             claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/JAXRSSAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/JAXRSSAMLSecurityContext.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/JAXRSSAMLSecurityContext.java
deleted file mode 100644
index 9e8739c..0000000
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/JAXRSSAMLSecurityContext.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.saml.authorization;
-
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.cxf.common.security.SimplePrincipal;
-import org.apache.cxf.rs.security.saml.assertion.Claim;
-import org.apache.cxf.rs.security.saml.assertion.Claims;
-import org.apache.cxf.rs.security.saml.assertion.Subject;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-
-public class JAXRSSAMLSecurityContext extends SAMLSecurityContext {
-    
-    private Claims claims;
-    
-    public JAXRSSAMLSecurityContext(Subject subject, List<Claim> claims) {
-        this(new SubjectPrincipal(subject.getName(), subject), new Claims(claims));
-    }
-    
-    public JAXRSSAMLSecurityContext(SubjectPrincipal p, Claims claims) {
-        this(p, claims, Claim.DEFAULT_ROLE_NAME, Claim.DEFAULT_NAME_FORMAT);
-    }
-    
-    public JAXRSSAMLSecurityContext(SubjectPrincipal p, 
-                               Claims cs,
-                               String roleClaimNameQualifier,
-                               String roleClaimNameFormat) {
-        super(p);
-        
-        Claim rolesClaim = null;
-        for (Claim c : cs.getClaims()) {
-            if (c.getName().equals(roleClaimNameQualifier)
-                && c.getNameFormat().equals(roleClaimNameFormat)) {
-                rolesClaim = c;
-                break;
-            }
-        }
-        this.claims = cs;
-
-        Set<Principal> userRoles;
-        if (rolesClaim != null) {
-            userRoles = new HashSet<Principal>();
-            for (String role : rolesClaim.getValues()) {
-                userRoles.add(new SimplePrincipal(role));
-            }
-        } else {
-            userRoles = null;
-        }
-        
-        setUserRoles(userRoles);
-    }
-    
-    public Claims getClaims() {
-        return claims;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
index ec9aafb..604efb5 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java
@@ -18,15 +18,19 @@
  */
 package org.apache.cxf.rs.security.saml.authorization;
 
+import java.security.Principal;
+import java.util.Set;
+
 import org.w3c.dom.Element;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.saml.SAMLUtils;
-import org.apache.cxf.rs.security.saml.assertion.Claim;
-import org.apache.cxf.rs.security.saml.assertion.Claims;
 import org.apache.cxf.rs.security.saml.assertion.Subject;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
 import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
 
 public class SecurityContextProviderImpl implements SecurityContextProvider {
 
@@ -35,7 +39,7 @@ public class SecurityContextProviderImpl implements SecurityContextProvider
{
     
     public SecurityContext getSecurityContext(Message message,
             SamlAssertionWrapper wrapper) {
-        Claims claims = getClaims(wrapper);
+        ClaimCollection claims = getClaims(wrapper);
         Subject subject = getSubject(message, wrapper, claims);
         SecurityContext securityContext = doGetSecurityContext(message, subject, claims);
         if (securityContext instanceof SAMLSecurityContext) {
@@ -45,15 +49,17 @@ public class SecurityContextProviderImpl implements SecurityContextProvider
{
         return securityContext;
     }
 
-    protected Claims getClaims(SamlAssertionWrapper wrapper) {
+    protected ClaimCollection getClaims(SamlAssertionWrapper wrapper) {
         return SAMLUtils.getClaims(wrapper);
     }
     
-    protected Subject getSubject(Message message, SamlAssertionWrapper wrapper, Claims claims)
{
-        return SAMLUtils.getSubject(message, wrapper);
+    protected Subject getSubject(Message message, SamlAssertionWrapper wrapper, ClaimCollection
claims) {
+        return org.apache.cxf.rs.security.saml.SAMLUtils.getSubject(message, wrapper);
     }
     
-    protected SecurityContext doGetSecurityContext(Message message, Subject subject, Claims
claims) {
+    protected SecurityContext doGetSecurityContext(
+        Message message, Subject subject, ClaimCollection claims
+    ) {
         String defaultRoleName = (String)message.getContextualProperty(ROLE_QUALIFIER_PROPERTY);
         String defaultNameFormat = (String)message.getContextualProperty(ROLE_NAMEFORMAT_PROPERTY);
         
@@ -61,15 +67,20 @@ public class SecurityContextProviderImpl implements SecurityContextProvider
{
         SubjectPrincipal subjectPrincipal = 
             new SubjectPrincipal(subjectPrincipalName, subject);
         
-        SecurityContext sc = new JAXRSSAMLSecurityContext(subjectPrincipal,
-                claims,
-                defaultRoleName == null ? Claim.DEFAULT_ROLE_NAME : defaultRoleName,
-                defaultNameFormat == null ? Claim.DEFAULT_NAME_FORMAT : defaultNameFormat);
-        return sc;
+        String roleName = 
+            defaultRoleName == null ? SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT : defaultRoleName;
+        String nameFormat = 
+            defaultNameFormat == null ? SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED : defaultNameFormat;
+        Set<Principal> roles = 
+            SAMLUtils.parseRolesFromClaims(claims, roleName, nameFormat);
+        
+        SAMLSecurityContext context = 
+            new SAMLSecurityContext(subjectPrincipal, roles, claims);
+        return context;
     }
     
     //TODO: This can be overridden, but consider also introducing dedicated handlers
-    protected String getSubjectPrincipalName(Subject subject, Claims claims) {
+    protected String getSubjectPrincipalName(Subject subject, ClaimCollection claims) {
         // parse/decipher subject name, or check claims such as 
         // givenName, email, firstName
         // and use it to authenticate with the external system if needed
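Review bot: Nothing in doGetSecurityContext, or elsewhere in this provider as visible here, checks that the assertion was signature-verified or that its issuer is trusted before its attribute statement becomes the subject's role set; that is presumably done by whoever hands over the SamlAssertionWrapper, but the class carries no Javadoc saying so, and a provider that builds a SecurityContext straight from claims is exactly where a later caller can skip that step. A class-level Javadoc such as `Builds a SAMLSecurityContext from an already-validated assertion; callers must verify the assertion's signature and issuer before calling getSecurityContext.` would pin the contract. The fallbacks `SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT` and `SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED`, applied when the `ROLE_QUALIFIER_PROPERTY` / `ROLE_NAMEFORMAT_PROPERTY` contextual properties are unset, also deserve a line on this method since they decide which attribute is treated as roles. getSubjectPrincipalName's body continues outside the hunk.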

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/rs/security/xml/src/test/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/test/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptorTest.java
b/rt/rs/security/xml/src/test/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptorTest.java
index d8f6eb4..9ebc050 100644
--- a/rt/rs/security/xml/src/test/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptorTest.java
+++ b/rt/rs/security/xml/src/test/java/org/apache/cxf/rs/security/saml/authorization/ClaimsAuthorizingInterceptorTest.java
@@ -22,22 +22,26 @@ import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-import java.util.ArrayList;
+import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.List;
+import java.util.Set;
 
+import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.interceptor.security.AccessDeniedException;
 import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
 import org.apache.cxf.message.ExchangeImpl;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rs.security.saml.assertion.Subject;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
+import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
+import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.ClaimMode;
 import org.apache.cxf.security.claims.authorization.Claims;
-
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -176,8 +180,11 @@ public class ClaimsAuthorizingInterceptorTest extends Assert {
         in.handleMessage(m);
         
         ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
-        org.apache.cxf.rs.security.saml.assertion.Claim claim =
-            new org.apache.cxf.rs.security.saml.assertion.Claim("a", "b", "c");
+        org.apache.cxf.rt.security.claims.SAMLClaim claim =
+            new org.apache.cxf.rt.security.claims.SAMLClaim();
+        claim.setNameFormat("a");
+        claim.setName("b");
+        claim.addValue("c");
         in2.setClaims(Collections.singletonMap("test", 
                 Collections.singletonList(
                    new ClaimBean(claim))));
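Review bot: `SAMLClaim` is imported by this commit's import hunk, so the fully qualified `org.apache.cxf.rt.security.claims.SAMLClaim` on both the declaration and the constructor call is redundant; `SAMLClaim claim = new SAMLClaim();` reads cleaner. The fully qualified form is only needed for `Claim`, which would otherwise collide with the imported `org.apache.cxf.security.claims.authorization.Claim` annotation. The enclosing test method starts and ends outside the hunk.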
@@ -194,7 +201,7 @@ public class ClaimsAuthorizingInterceptorTest extends Assert {
     
     
     private void doTestClaims(String methodName,
-            org.apache.cxf.rs.security.saml.assertion.Claim... claim) 
+            org.apache.cxf.rt.security.claims.Claim... claim) 
         throws Exception {
         Message m = prepareMessage(TestService.class, methodName, claim);
         interceptor.handleMessage(m);
@@ -202,12 +209,16 @@ public class ClaimsAuthorizingInterceptorTest extends Assert {
     
     private Message prepareMessage(Class<?> cls,
             String methodName,
-            org.apache.cxf.rs.security.saml.assertion.Claim... claim) 
+            org.apache.cxf.rt.security.claims.Claim... claim) 
         throws Exception {
-        List<org.apache.cxf.rs.security.saml.assertion.Claim> claims =
-            new ArrayList<org.apache.cxf.rs.security.saml.assertion.Claim>(Arrays.asList(claim));
-        SecurityContext sc = new JAXRSSAMLSecurityContext(
-                new Subject("user"), claims);
+        ClaimCollection claims = new ClaimCollection();
+        claims.addAll(Arrays.asList(claim));
+        
+        Set<Principal> roles = 
+            SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,

+                                           SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
+        
+        SecurityContext sc = new SAMLSecurityContext(new SimplePrincipal("user"), roles,
claims);
         Message m = new MessageImpl();
         m.setExchange(new ExchangeImpl());
         m.put(SecurityContext.class, sc);
@@ -216,17 +227,16 @@ public class ClaimsAuthorizingInterceptorTest extends Assert {
         return m;
     }
     
-    private org.apache.cxf.rs.security.saml.assertion.Claim createDefaultClaim(
-            String... values) {
-        return createClaim(org.apache.cxf.rs.security.saml.assertion.Claim.DEFAULT_ROLE_NAME,

-                           org.apache.cxf.rs.security.saml.assertion.Claim.DEFAULT_NAME_FORMAT,

+    private org.apache.cxf.rt.security.claims.Claim createDefaultClaim(
+            Object... values) {
+        return createClaim(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
+                           SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED,
                            values);
     }
     
-    private org.apache.cxf.rs.security.saml.assertion.Claim createClaim(
-            String name, String format, String... values) {
-        org.apache.cxf.rs.security.saml.assertion.Claim claim = 
-            new org.apache.cxf.rs.security.saml.assertion.Claim();
+    private org.apache.cxf.rt.security.claims.Claim createClaim(
+            String name, String format, Object... values) {
+        SAMLClaim claim = new SAMLClaim();
         claim.setName(name);
         claim.setNameFormat(format);
         claim.setValues(Arrays.asList(values));
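Review bot: `claim.setValues(Arrays.asList(values))` hands the claim a fixed-size list view over the varargs array; if `Claim.setValues` keeps that reference rather than copying, a later `addValue(...)` on the same claim (the style used earlier in this test) would fail with `UnsupportedOperationException`. A mutable copy avoids the latent trap: `claim.setValues(new ArrayList<Object>(Arrays.asList(values)));` (this commit removed the `java.util.ArrayList` import, which would need to come back). Whether `setValues` copies is not visible here, so this is worth confirming against `Claim`. `createClaim` continues past the end of the hunk.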

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
index abe629d..a76747c 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
@@ -25,6 +25,13 @@ package org.apache.cxf.rt.security.claims;
  */
 public class SAMLClaim extends Claim {
     
+    /**
+     * This configuration tag specifies the default attribute name where the roles are present
+     * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
+     */
+    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
+        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
+    
     private static final long serialVersionUID = 5530712294179589442L;
 
     private String nameFormat;
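Review bot: The Javadoc carried over with the constant still says "This configuration tag specifies the default attribute name", but on `SAMLClaim` this is a plain public constant, not a configuration tag, and the second sentence just repeats the literal. Something like `/** Default SAML attribute name carrying the subject's roles, used when no role attribute name is configured. */` describes the contract without restating the value. Placing it after `serialVersionUID` would also keep the serialization field where readers expect it.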

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
index b5801a8..ac0fcde 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
@@ -38,13 +38,6 @@ import org.opensaml.xml.XMLObject;
 
 public final class SAMLUtils {
     
-    /**
-     * This configuration tag specifies the default attribute name where the roles are present
-     * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
-     */
-    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
-    
     private SAMLUtils() {
         
     }
@@ -114,7 +107,7 @@ public final class SAMLUtils {
     ) {
         String roleAttributeName = name;
         if (roleAttributeName == null) {
-            roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+            roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
         }
         
         Set<Principal> roles = new HashSet<Principal>();
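Review bot: The preceding hunk deletes the public `SAML_ROLE_ATTRIBUTENAME_DEFAULT` from `SAMLUtils` while this hunk only repoints the internal use; any external code that referenced `SAMLUtils.SAML_ROLE_ATTRIBUTENAME_DEFAULT` stops compiling, even though the literal was already a compile-time constant. A deprecated alias preserves source compatibility: `@Deprecated public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;`. The diff does not show an import of `SAMLClaim` being added to this file, so it presumably was already imported; worth confirming. The enclosing method starts and ends outside the hunk.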

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
index df9ad44..8d70a94 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler.java
@@ -31,7 +31,7 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.cxf.rs.security.saml.assertion.Claim;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.bean.ActionBean;
 import org.apache.wss4j.common.saml.bean.AttributeBean;
@@ -112,8 +112,8 @@ public class SamlCallbackHandler implements CallbackHandler {
                 List<AttributeBean> claims = new ArrayList<AttributeBean>();
                 AttributeBean roleClaim = new AttributeBean();
                 roleClaim.setSimpleName("subject-role");
-                roleClaim.setQualifiedName(Claim.DEFAULT_ROLE_NAME);
-                roleClaim.setNameFormat(Claim.DEFAULT_NAME_FORMAT);
+                roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
+                roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
                 roleClaim.setAttributeValues(new ArrayList<Object>(roles));
                 claims.add(roleClaim);
                 
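Review bot: The new line references `SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED`, but this file's import hunk only swaps `Claim` for `SAMLClaim`, so the change compiles only if `SAML2Constants` was already imported here, which the diff does not show. The same applies to the identical hunks in `oauth2/SamlCallbackHandler2.java` and `saml/SamlCallbackHandler.java`. Separately, if the removed `Claim.DEFAULT_NAME_FORMAT` held a value other than the unspecified format, the role attribute these handlers emit now carries a different NameFormat; the consumer side (`SAMLUtils.parseRolesFromClaims` as called in the interceptor test) uses the same `SAML2Constants` value, so the two sides should agree, but confirming the old default is worthwhile. The enclosing method starts and ends outside the hunk.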

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
index 2c177c0..ec4f0fd 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/SamlCallbackHandler2.java
@@ -31,7 +31,7 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.cxf.rs.security.saml.assertion.Claim;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.bean.ActionBean;
 import org.apache.wss4j.common.saml.bean.AttributeBean;
@@ -112,8 +112,8 @@ public class SamlCallbackHandler2 implements CallbackHandler {
                 List<AttributeBean> claims = new ArrayList<AttributeBean>();
                 AttributeBean roleClaim = new AttributeBean();
                 roleClaim.setSimpleName("subject-role");
-                roleClaim.setQualifiedName(Claim.DEFAULT_ROLE_NAME);
-                roleClaim.setNameFormat(Claim.DEFAULT_NAME_FORMAT);
+                roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
+                roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
                 roleClaim.setAttributeValues(new ArrayList<Object>(roles));
                 claims.add(roleClaim);
                 

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
index e51c352..d9e59be 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java
@@ -18,13 +18,13 @@
  */
 package org.apache.cxf.systest.jaxrs.security.saml;
 
-import org.apache.cxf.rs.security.saml.assertion.Claims;
 import org.apache.cxf.rs.security.saml.assertion.Subject;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
 
 public class CustomSecurityContextProvider extends SecurityContextProviderImpl {
     @Override
-    protected String getSubjectPrincipalName(Subject subject, Claims claims) {
+    protected String getSubjectPrincipalName(Subject subject, ClaimCollection claims) {
         int index = subject.getName().indexOf("@");
         return index == -1 
             ? super.getSubjectPrincipalName(subject, claims)

http://git-wip-us.apache.org/repos/asf/cxf/blob/cde7fd30/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 2f39491..f6bf2b4 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -34,7 +34,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
-import org.apache.cxf.rs.security.saml.assertion.Claim;
+import org.apache.cxf.rt.security.claims.SAMLClaim;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.saml.SAMLCallback;
@@ -148,8 +148,8 @@ public class SamlCallbackHandler implements CallbackHandler {
                 List<AttributeBean> claims = new ArrayList<AttributeBean>();
                 AttributeBean roleClaim = new AttributeBean();
                 roleClaim.setSimpleName("subject-role");
-                roleClaim.setQualifiedName(Claim.DEFAULT_ROLE_NAME);
-                roleClaim.setNameFormat(Claim.DEFAULT_NAME_FORMAT);
+                roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
+                roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
                 roleClaim.setAttributeValues(new ArrayList<Object>(roles));
                 claims.add(roleClaim);
                 

