From cohei...@apache.org
Subject [1/2] git commit: Some changes to how the security context is populated
Date Thu, 25 Sep 2014 18:22:13 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 9fce11e2a -> a407288b0


Some changes to how the security context is populated


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a407288b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a407288b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a407288b

Branch: refs/heads/master
Commit: a407288b0e129ad03b4bf36535bc06816784c0fa
Parents: ef5192b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Sep 25 19:21:34 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Sep 25 19:22:04 2014 +0100

----------------------------------------------------------------------
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 153 ++++++++++---------
 .../wss4j/saml/CustomSamlValidator.java         |  12 +-
 .../ws/security/wss4j/saml/SamlTokenTest.java   |  64 ++++++--
 .../systest/ws/saml/CustomSaml2Validator.java   |  10 +-
 .../cxf/systest/ws/saml/SamlTokenTest.java      |   8 +-
 .../ws/saml/client/SamlRoleCallbackHandler.java |  19 ++-
 .../org/apache/cxf/systest/ws/saml/server.xml   |   2 +-
 7 files changed, 166 insertions(+), 102 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 95b80e7..7b3a66b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -21,7 +21,9 @@ package org.apache.cxf.ws.security.wss4j;
 import java.io.IOException;
 import java.security.Principal;
 import java.security.Provider;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -45,7 +47,6 @@ import javax.xml.transform.dom.DOMSource;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
-
 import org.apache.cxf.binding.soap.SoapFault;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.SoapVersion;
@@ -75,8 +76,6 @@ import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.principal.CustomTokenPrincipal;
-import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSConfig;
@@ -85,6 +84,7 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.processor.Processor;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.dom.validate.NoOpValidator;
@@ -276,7 +276,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
             List<WSSecurityEngineResult> wsResult = engine.processSecurityHeader(
                 elem, reqData
             );
-
+            
             if (wsResult != null && !wsResult.isEmpty()) { // security header found
                 if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
                     checkSignatureConfirmation(reqData, wsResult);
@@ -524,92 +524,99 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         }
         WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
         results.add(0, rResult);
-
+        
         for (int i = wsResult.size() - 1; i >= 0; i--) {
             WSSecurityEngineResult o = wsResult.get(i);
+            
             Integer action = (Integer)o.get(WSSecurityEngineResult.TAG_ACTION);
-            if (action == WSConstants.ENCR) {
-                // Don't try to parse a Principal for the Decryption case
-                continue;
-            }
             final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
             final Subject subject = (Subject)o.get(WSSecurityEngineResult.TAG_SUBJECT);
             final boolean useJAASSubject = MessageUtils
                 .getContextualBoolean(msg, SecurityConstants.SC_FROM_JAAS_SUBJECT, true);
-            if ((subject != null) && !(p instanceof KerberosPrincipal) &&
useJAASSubject) {
-                String roleClassifier = 
-                    (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
-                if (roleClassifier != null && !"".equals(roleClassifier)) {
-                    String roleClassifierType = 
-                        (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
-                    if (roleClassifierType == null || "".equals(roleClassifierType)) {
-                        roleClassifierType = "prefix";
+            final Object binarySecurity = o.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+            
+            // UsernameToken, Kerberos, Signed SAML token or XML Signature
+            if (action == WSConstants.UT || action == WSConstants.UT_NOPASSWORD
+                || (action == WSConstants.BST && binarySecurity instanceof KerberosSecurity)
+                || action == WSConstants.ST_SIGNED || action == WSConstants.SIGN) {
+                
+                if (action == WSConstants.SIGN) {
+                    // Check we have a public key / certificate for the signing case
+                    PublicKey publickey = 
+                        (PublicKey)o.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+                    X509Certificate cert = 
+                        (X509Certificate)o.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+                    
+                    if (publickey == null && cert == null) {
+                        continue;
                     }
-                    msg.put(
-                        SecurityContext.class, 
-                        new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType)
-                    );
-                } else {
-                    msg.put(SecurityContext.class, new DefaultSecurityContext(p, subject));
                 }
-                break;
-            } else if (p != null && isSecurityContextPrincipal(p, wsResult)) {
-                msg.put(PRINCIPAL_RESULT, p);
-                if (!utWithCallbacks) {
-                    WSS4JTokenConverter.convertToken(msg, p);
+                SecurityContext context = 
+                    createSecurityContext(msg, subject, p, useJAASSubject, o, utWithCallbacks);
+                if (context != null) {
+                    msg.put(SecurityContext.class, context);
+                    break;
                 }
-                Object receivedAssertion = o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                if (receivedAssertion == null) {
-                    receivedAssertion  = o.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+            }
+        }
+    }
+    
+    protected SecurityContext createSecurityContext(
+        SoapMessage msg, Subject subject, Principal p, boolean useJAASSubject,
+        WSSecurityEngineResult wsResult, boolean utWithCallbacks
+    ) {
+        if (subject != null && !(p instanceof KerberosPrincipal) && useJAASSubject)
{
+            String roleClassifier = 
+                (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
+            if (roleClassifier != null && !"".equals(roleClassifier)) {
+                String roleClassifierType = 
+                    (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
+                if (roleClassifierType == null || "".equals(roleClassifierType)) {
+                    roleClassifierType = "prefix";
                 }
-                if (o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) {
-                    msg.put(SecurityConstants.DELEGATED_CREDENTIAL, 
-                            o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL));
+                return new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType);
+            } else {
+                return new DefaultSecurityContext(p, subject);
+            }
+        } else if (p != null) {
+            msg.put(PRINCIPAL_RESULT, p);
+            if (!utWithCallbacks) {
+                WSS4JTokenConverter.convertToken(msg, p);
+            }
+            Object receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            if (receivedAssertion == null) {
+                receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+            }
+            if (wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) {
+                msg.put(SecurityConstants.DELEGATED_CREDENTIAL, 
+                        wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL));
+            }
+            
+            if (receivedAssertion instanceof SamlAssertionWrapper) {
+                String roleAttributeName = (String)msg.getContextualProperty(
+                        SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+                if (roleAttributeName == null || roleAttributeName.length() == 0) {
+                    roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
                 }
                 
-                if (receivedAssertion instanceof SamlAssertionWrapper) {
-                    String roleAttributeName = (String)msg.getContextualProperty(
-                            SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
-                    if (roleAttributeName == null || roleAttributeName.length() == 0) {
-                        roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
-                    }
-                    
-                    ClaimCollection claims = 
-                        SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion);
-                    Set<Principal> roles = 
-                        SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
-                    
-                    SAMLSecurityContext context = 
-                        new SAMLSecurityContext(p, roles, claims);
-                    context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
-                    context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
-                    msg.put(SecurityContext.class, context);
-                } else {
-                    msg.put(SecurityContext.class, createSecurityContext(p));
-                }
-                break;
+                ClaimCollection claims = 
+                    SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion);
+                Set<Principal> roles = 
+                    SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+                
+                SAMLSecurityContext context = 
+                    new SAMLSecurityContext(p, roles, claims);
+                context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
+                context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
+                return context;
+            } else {
+                return createSecurityContext(p);
             }
         }
+        
+        return null;
     }
 
-    /**
-     * Checks if a given WSS4J Principal can be represented as a user principal
-     * inside SecurityContext. Example, UsernameToken or PublicKey principals can
-     * be used to facilitate checking the user roles, etc.
-     */
-    protected boolean isSecurityContextPrincipal(Principal p, List<WSSecurityEngineResult>
wsResult) {
-        boolean derivedKeyPrincipal = p instanceof WSDerivedKeyTokenPrincipal;
-        if (derivedKeyPrincipal || p instanceof CustomTokenPrincipal) {
-            // If it is a derived key principal or a Custom Token Principal then let it 
-            // be a SecurityContext principal only if no other principals are available.
-            // The principal will still be visible to custom interceptors as part of the

-            // WSHandlerConstants.RECV_RESULTS value
-            return wsResult.size() > 1 ? false : true;
-        } else {
-            return true;
-        }
-    }
-    
     protected void advanceBody(
         SoapMessage msg, Node body
     ) throws SOAPException, XMLStreamException, WSSecurityException {
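Review bot: The new protected overload `createSecurityContext(SoapMessage, Subject, Principal, boolean, WSSecurityEngineResult, boolean)` has no Javadoc, and the Javadoc of the `isSecurityContextPrincipal` method it replaces was deleted with it, so an extension point is left with an unstated contract: a `null` return makes the calling loop (whose enclosing method starts outside the hunk) move on to the next engine result, and the `p != null` branch stores `PRINCIPAL_RESULT` and `DELEGATED_CREDENTIAL` on `msg` and runs the token conversion before any context is returned. A header such as `/** Builds a SecurityContext from a single engine result, or returns null when neither a Subject nor a Principal is available; stores PRINCIPAL_RESULT and DELEGATED_CREDENTIAL on msg as a side effect. */` would cover it. The fifth parameter is named `wsResult` although it is one `WSSecurityEngineResult`, while `wsResult` in the calling loop is the `List<WSSecurityEngineResult>`; naming it `engineResult` would avoid the confusion. It is also worth a comment at the action filter that `ST_UNSIGNED` results are deliberately excluded, since an unsigned SAML assertion no longer establishes a SecurityContext and the test changes in this commit depend on that.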

http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
index ada86e2..ff38815 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j.saml;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.validate.Credential;
 import org.apache.wss4j.dom.validate.SamlAssertionValidator;
@@ -35,6 +37,7 @@ public class CustomSamlValidator extends SamlAssertionValidator {
     
     private boolean requireSAML1Assertion = true;
     private boolean requireSenderVouches = true;
+    private boolean requireBearer;
     
     public void setRequireSAML1Assertion(boolean requireSAML1Assertion) {
         this.requireSAML1Assertion = requireSAML1Assertion;
@@ -44,6 +47,10 @@ public class CustomSamlValidator extends SamlAssertionValidator {
         this.requireSenderVouches = requireSenderVouches;
     }
     
+    public void setRequireBearer(boolean requireBearer) {
+        this.requireBearer = requireBearer;
+    }
+    
     @Override
     public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
         Credential returnedCredential = super.validate(credential, data);
@@ -68,7 +75,10 @@ public class CustomSamlValidator extends SamlAssertionValidator {
         }
         if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod))
{
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        } else if (!requireSenderVouches 
+        } else if (requireBearer && !(SAML2Constants.CONF_BEARER.equals(confirmationMethod)
+            || SAML1Constants.CONF_BEARER.equals(confirmationMethod))) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        } else if (!requireBearer && !requireSenderVouches 
             && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
         }
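Review bot: The three boolean flags can be set to contradictory combinations: with `requireSenderVouches` and `requireBearer` both true every assertion is rejected, because the sender-vouches check on the first `if` wins and the new `requireBearer` branch is only reached when `requireSenderVouches` is false. That precedence is not stated anywhere, so a test author setting `setRequireBearer(true)` without also calling `setRequireSenderVouches(false)` gets an `invalidSAMLsecurity` failure that looks like a bug in the code under test. A comment above the chain, `// Precedence: sender-vouches first; requireBearer is only honoured when requireSenderVouches is false`, or a single enum-valued required-method field would make the intent explicit. The `validate` method continues outside the hunk.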

http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index dfe4714..a5ca0cc 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -376,23 +376,34 @@ public class SamlTokenTest extends AbstractSecurityTest {
     public void testSaml2TokenWithRoles() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
-        
+        outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        outProperties.put(WSHandlerConstants.USER, "alice");
+        outProperties.put("password", "password");
+        outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        callbackHandler.setSignAssertion(true);
         callbackHandler.setStatement(Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
         outProperties.put(
             WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
         );
         
         Map<String, Object> inProperties = new HashMap<String, Object>();
-        inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        inProperties.put(
+            WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED 
+        );
+        inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
         validator.setRequireSAML1Assertion(false);
+        validator.setRequireSenderVouches(false);
+        validator.setRequireBearer(true);
         customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
         customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
         inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
         
-        
         List<String> xpaths = new ArrayList<String>();
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
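Review bot: `callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY)` on the line after the handler is constructed is overwritten three lines later by `callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER)`, so the holder-of-key call is dead and misleads a reader about which confirmation method the test exercises; drop the first call. The same overwritten pair appears in the `testSaml2TokenWithRolesSingleValue` and `testSaml1TokenWithRoles` hunks below. The enclosing test methods continue past the hunk.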
@@ -410,11 +421,11 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
-        assert !receivedAssertion.isSigned();
+        assertTrue(receivedAssertion.isSigned());
     }
     
     /**
@@ -425,23 +436,34 @@ public class SamlTokenTest extends AbstractSecurityTest {
     public void testSaml2TokenWithRolesSingleValue() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
-        
+        outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        outProperties.put(WSHandlerConstants.USER, "alice");
+        outProperties.put("password", "password");
+        outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(false);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        callbackHandler.setSignAssertion(true);
         callbackHandler.setStatement(Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
         outProperties.put(
             WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
         );
         
         Map<String, Object> inProperties = new HashMap<String, Object>();
-        inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        inProperties.put(
+            WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED 
+        );
+        inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
         validator.setRequireSAML1Assertion(false);
+        validator.setRequireSenderVouches(false);
+        validator.setRequireBearer(true);
         customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
         customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
         inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
         
-        
         List<String> xpaths = new ArrayList<String>();
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
@@ -459,11 +481,11 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
-        assert !receivedAssertion.isSigned();
+        assertTrue(receivedAssertion.isSigned());
     }
     
     /**
@@ -473,22 +495,34 @@ public class SamlTokenTest extends AbstractSecurityTest {
     public void testSaml1TokenWithRoles() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
-        
+        outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        outProperties.put(WSHandlerConstants.USER, "alice");
+        outProperties.put("password", "password");
+        outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
         SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
+        callbackHandler.setSignAssertion(true);
         callbackHandler.setStatement(Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
+        
         outProperties.put(
             WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
         );
         
         Map<String, Object> inProperties = new HashMap<String, Object>();
-        inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        inProperties.put(
+            WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED 
+        );
+        inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
+        validator.setRequireSAML1Assertion(true);
+        validator.setRequireSenderVouches(false);
+        validator.setRequireBearer(true);
         customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
         customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
         inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
         
-        
         List<String> xpaths = new ArrayList<String>();
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml1:Assertion");
@@ -506,11 +540,11 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
-        assert !receivedAssertion.isSigned();
+        assertTrue(receivedAssertion.isSigned());
     }
     
     private SoapMessage makeInvocation(

http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
index 459dece..e5c63fb 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
@@ -21,7 +21,6 @@ package org.apache.cxf.systest.ws.saml;
 import java.util.List;
 
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.validate.Credential;
@@ -31,8 +30,7 @@ import org.opensaml.saml2.core.AttributeStatement;
 
 /**
  * This class does some trivial validation of a received SAML Assertion. It checks that it
is
- * a SAML 2 Assertion, and checks the issuer name and confirmation method, and that it has
- * an Attribute Statement. 
+ * a SAML 2 Assertion, and checks the issuer name and that it has an Attribute Statement.

  */
 public class CustomSaml2Validator extends SamlAssertionValidator {
     
@@ -45,12 +43,6 @@ public class CustomSaml2Validator extends SamlAssertionValidator {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
         }
         
-        String confirmationMethod = assertion.getConfirmationMethods().get(0);
-        if (!(OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)
-            || OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod))) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-        
         Assertion saml2Assertion = assertion.getSaml2();
         if (saml2Assertion == null) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");

http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index a664025..f8d2227 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -342,8 +342,10 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
                        || ex.getMessage().contains("enforces SamlVersion20Profile11 but we
got 1.1"));
         }
         
+        SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
+        samlCallbackHandler.setSignAssertion(true);
         ((BindingProvider)saml2Port).getRequestContext().put(
-            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+            "ws-security.saml-callback-handler", samlCallbackHandler
         );
         int result = saml2Port.doubleIt(25);
         assertTrue(result == 50);
@@ -584,8 +586,9 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         
         // This test only works for DOM
         if (!test.isStreaming() && PORT.equals(test.getPort())) {
+            SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
             ((BindingProvider)saml2Port).getRequestContext().put(
-                "ws-security.saml-callback-handler", new SamlCallbackHandler()
+                "ws-security.saml-callback-handler", samlCallbackHandler
             );
             int result = saml2Port.doubleIt(25);
             assertTrue(result == 50);
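Review bot: The `samlCallbackHandler` extracted into a local here is not configured with `setSignAssertion(true)`, unlike the otherwise identical extraction in the hunk above, so the refactoring changes nothing and leaves the reader unsure whether an unsigned assertion is intended for this DOM-only path. If it is intended, a comment such as `// unsigned assertion on purpose: exercises the DOM-only path` would record that; if the signed case was meant, `samlCallbackHandler.setSignAssertion(true);` is missing. The enclosing test method starts and ends outside the hunk.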
@@ -913,6 +916,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         
         SamlRoleCallbackHandler roleCallbackHandler = 
             new SamlRoleCallbackHandler();
+        roleCallbackHandler.setSignAssertion(true);
         roleCallbackHandler.setRoleName("manager");
         ((BindingProvider)saml2Port).getRequestContext().put(
             "ws-security.saml-callback-handler", roleCallbackHandler

http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
index b12959c..3b59e88 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
@@ -47,9 +47,13 @@ public class SamlRoleCallbackHandler implements CallbackHandler {
     private static final String ROLE_URI = 
         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
     private boolean saml2 = true;
-    private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+    private String confirmationMethod = SAML2Constants.CONF_BEARER;
     private CERT_IDENTIFIER keyInfoIdentifier = CERT_IDENTIFIER.X509_CERT;
     private String roleName;
+    private boolean signAssertion;
+    private String cryptoAlias = "alice";
+    private String cryptoPassword = "password";
+    private String cryptoPropertiesFile = "alice.properties";
     
     public SamlRoleCallbackHandler() {
         //
@@ -122,6 +126,16 @@ public class SamlRoleCallbackHandler implements CallbackHandler {
                 attributeBean.addAttributeValue(roleName);
                 attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));
+                
+                try {
+                    Crypto crypto = CryptoFactory.getInstance(cryptoPropertiesFile);
+                    callback.setIssuerCrypto(crypto);
+                    callback.setIssuerKeyName(cryptoAlias);
+                    callback.setIssuerKeyPassword(cryptoPassword);
+                    callback.setSignAssertion(signAssertion);
+                } catch (Exception ex) {
+                    throw new IOException("Problem creating KeyInfo: " +  ex.getMessage());
+                }
             }
         }
     }
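Review bot: The new catch block discards the cause: `throw new IOException("Problem creating KeyInfo: " + ex.getMessage());` keeps only the message text, so a failure inside `CryptoFactory.getInstance` loses its stack trace, and the message says "KeyInfo" although the block loads the issuer crypto and signing key. Preferred form: `throw new IOException("Problem creating issuer crypto: " + ex.getMessage(), ex);`. Catching `Exception` is wider than needed, though that matches the surrounding handler style. The enclosing `handle` method starts and ends outside the hunk.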
@@ -152,4 +166,7 @@ public class SamlRoleCallbackHandler implements CallbackHandler {
         this.roleName = roleName;
     }
     
+    public void setSignAssertion(boolean signAssertion) {
+        this.signAssertion = signAssertion;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a407288b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index 97a6bfa..6027841 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -140,7 +140,7 @@
             <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
         </jaxws:properties>
     </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
             <entry key="ws-security.signature.properties" value="bob.properties"/>

