From: coheigea@apache.org
To: commits@cxf.apache.org
Message-Id: <182fb9ab3b51409aad55a07662df0a52@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: git commit: Add a test plus some fixes to allow for SignedElements evaluation of SAML Tokens
Date: Wed, 10 Sep 2014 16:07:54 +0000 (UTC)
Repository: cxf
Updated Branches: refs/heads/3.0.x-fixes 4f308df6b -> 03eca7af8
Add a test plus some fixes to allow for SignedElements evaluation of SAML Tokens
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/03eca7af
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/03eca7af
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/03eca7af
Branch: refs/heads/3.0.x-fixes
Commit: 03eca7af8b03c10e3f2a6d9915bf5a06e6627879
Parents: 4f308df
Author: Colm O hEigeartaigh
Authored: Wed Sep 10 17:06:21 2014 +0100
Committer: Colm O hEigeartaigh
Committed: Wed Sep 10 17:07:46 2014 +0100
----------------------------------------------------------------------
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 1 +
.../AbstractBindingPolicyValidator.java | 42 ++++++++++----------
.../policyvalidators/LayoutPolicyValidator.java | 3 +-
.../cxf/systest/ws/saml/DoubleItSaml.wsdl | 4 ++
4 files changed, 29 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/03eca7af/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 39d84ba..f118eeb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -761,6 +761,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 final List actions = new ArrayList(2);
 actions.add(WSConstants.SIGN);
 actions.add(WSConstants.UT_SIGN);
+ actions.add(WSConstants.ST_SIGNED);
 List signedResults = WSSecurityUtil.fetchAllActionResults(results, actions);
 for (WSSecurityEngineResult result : signedResults) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/03eca7af/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index cbc0e69..8387317 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
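Review bot: In PolicyBasedWSS4JInInterceptor the list that now holds three actions is still created with `new ArrayList(2)`, and nothing on the added line says why a SAML action sits next to the two signature actions. I would size the list for three and put a comment on the new line such as `// ST_SIGNED: signed SAML assertions must be visible to SignedElements policy checks`. The loop over `signedResults` opens on the last line of the hunk and its body is outside it, so it is not visible whether that body copes with an ST_SIGNED result that carries no TAG_DATA_REF_URIS list; the null guard this commit adds in AbstractBindingPolicyValidator suggests such results can occur, so that is worth confirming.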
@@ -124,27 +124,29 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
 for (WSSecurityEngineResult signedResult : signedResults) {
 List dataRefs = CastUtils.cast((List)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
- for (WSDataRef dataRef : dataRefs) {
- String xpath = dataRef.getXpath();
- if (xpath != null) {
- String[] nodes = StringUtils.split(xpath, "/");
- // envelope/Body || envelope/Header/header || envelope/Header/wsse:Security/header
- if (nodes.length < 3 || nodes.length > 5) {
- return false;
- }
-
- if (!(nodes[2].contains("Header") || nodes[2].contains("Body"))) {
- return false;
- }
-
- if (nodes.length == 5 && !nodes[3].contains("Security")) {
- return false;
- }
-
- if (nodes.length == 4 && nodes[2].contains("Body")) {
- return false;
+ if (dataRefs != null) {
+ for (WSDataRef dataRef : dataRefs) {
+ String xpath = dataRef.getXpath();
+ if (xpath != null) {
+ String[] nodes = StringUtils.split(xpath, "/");
+ // envelope/Body || envelope/Header/header || envelope/Header/wsse:Security/header
+ if (nodes.length < 3 || nodes.length > 5) {
+ return false;
+ }
+
+ if (!(nodes[2].contains("Header") || nodes[2].contains("Body"))) {
+ return false;
+ }
+
+ if (nodes.length == 5 && !nodes[3].contains("Security")) {
+ return false;
+ }
+
+ if (nodes.length == 4 && nodes[2].contains("Body")) {
+ return false;
+ }
+ }
- }
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/03eca7af/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 9506dae..370906b 100644
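Review bot: In AbstractBindingPolicyValidator the new `if (dataRefs != null)` guard lets any signed result without a reference list pass this check uninspected, not only the ST_SIGNED results this commit starts feeding in. LayoutPolicyValidator in the same commit skips by action (`WSConstants.ST_SIGNED == actInt`); doing the same here, or at least commenting the guard with `// no data refs (presumably ST_SIGNED results): nothing to validate`, would keep a SIGN or UT_SIGN result with missing references from being treated as compliant by accident. The path test on the re-indented lines also matches by substring (`nodes[2].contains("Body")`), so any element whose qualified name merely contains Header, Body or Security satisfies it; comparing the local name after the prefix would be stricter. The enclosing method starts and ends outside the hunk.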
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -131,7 +131,8 @@ public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
 for (WSSecurityEngineResult signedResult : signedResults) {
 List sl = CastUtils.cast((List)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
- if (sl == null) {
+ Integer actInt = (Integer)signedResult.get(WSSecurityEngineResult.TAG_ACTION);
+ if (sl == null || WSConstants.ST_SIGNED == actInt) {
 continue;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/03eca7af/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
index 755e2e1..09ce8b8 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
@@ -507,6 +507,10 @@ + + + /soap:Envelope/soap:Header/wsse:Security/saml1:Assertion +
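Review bot: In LayoutPolicyValidator `WSConstants.ST_SIGNED == actInt` unboxes `actInt`, so a result with a non-null reference list but no TAG_ACTION entry would throw a NullPointerException inside policy validation instead of being skipped or checked. A null-safe form is `if (sl == null || (actInt != null && actInt.intValue() == WSConstants.ST_SIGNED)) {`. This assumes ST_SIGNED is an `int` constant like the other WSConstants action codes; if it were an `Integer`, the `==` would compare references and be wrong for a different reason. The loop body continues past the end of the hunk.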