cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jp...@apache.org
Subject git commit: CXF-6054 add a property to allow unsigned saml tokens
Date Thu, 16 Oct 2014 22:19:09 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes 7c8b9c566 -> 3b0d0d60c


CXF-6054 add a property to allow unsigned saml tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3b0d0d60
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3b0d0d60
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3b0d0d60

Branch: refs/heads/2.7.x-fixes
Commit: 3b0d0d60c4db065a1baf60713b79fe2bbf870dd7
Parents: 7c8b9c5
Author: Jason Pell <jpell@apache.org>
Authored: Fri Oct 17 09:07:16 2014 +1100
Committer: Jason Pell <jpell@apache.org>
Committed: Fri Oct 17 09:07:16 2014 +1100

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      |  8 ++++++-
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 11 +++++++--
 .../ws/security/wss4j/saml/SamlTokenTest.java   | 24 +++++++++++++++++---
 3 files changed, 37 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/3b0d0d60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index ac7b4dd..f2f2201 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -168,6 +168,12 @@ public final class SecurityConstants {
     public static final String SELF_SIGN_SAML_ASSERTION = "ws-security.self-sign-saml-assertion";
     
     /**
+     * Whether to allow unsigned saml assertions as SecurityContext Principals. The default
is false.
+     */
+    public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL = 
+            "ws-security.enable.unsigned-saml-assertion.principal";
+    
+    /**
      * Whether to cache UsernameToken nonces. The default value is "true" for message recipients,
and 
      * "false" for message initiators. Set it to true to cache for both cases. Set this to
"false" to
      * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
@@ -602,7 +608,7 @@ public final class SecurityConstants {
             CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
             DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-            KERBEROS_REQUEST_CREDENTIAL_DELEGATION
+            KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b0d0d60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index ada29bc..e1c5b52 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -523,6 +523,10 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
         results.add(0, rResult);
         
+        Boolean allowUnsignedSamlPrincipals = 
+                MessageUtils.getContextualBoolean(msg, 
+                        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, false);
+        
         for (int i = wsResult.size() - 1; i >= 0; i--) {
             WSSecurityEngineResult o = wsResult.get(i);
             
@@ -533,10 +537,13 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
                 .getContextualBoolean(msg, SecurityConstants.SC_FROM_JAAS_SUBJECT, true);
             final Object binarySecurity = o.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
             
-            // UsernameToken, Kerberos, Signed SAML token or XML Signature
+            final boolean isValidSamlToken = action == WSConstants.ST_SIGNED 
+                    || (allowUnsignedSamlPrincipals && action == WSConstants.ST_UNSIGNED);
+            
+            // UsernameToken, Kerberos, SAML token or XML Signature
             if (action == WSConstants.UT || action == WSConstants.UT_NOPASSWORD
                 || (action == WSConstants.BST && binarySecurity instanceof KerberosSecurity)
-                || action == WSConstants.ST_SIGNED || action == WSConstants.SIGN) {
+                || isValidSamlToken || action == WSConstants.SIGN) {
                 
                 if (action == WSConstants.SIGN) {
                     // Check we have a public key / certificate for the signing case

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b0d0d60/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index aca3e98..d40636d 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -36,7 +36,6 @@ import javax.xml.stream.XMLStreamWriter;
 import javax.xml.transform.dom.DOMSource;
 
 import org.w3c.dom.Document;
-
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils.NullResolver;
@@ -54,7 +53,7 @@ import org.apache.cxf.ws.security.wss4j.AbstractSecurityTest;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.saml.AbstractSAMLCallbackHandler.Statement;
-
+import org.apache.ws.security.SAMLTokenPrincipal;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.WSSecurityEngineResult;
@@ -79,7 +78,17 @@ public class SamlTokenTest extends AbstractSecurityTest {
      * This test creates a SAML1 Assertion and sends it in the security header to the provider.

      */
     @Test
-    public void testSaml1Token() throws Exception {
+    public void testUnsignedSaml1Token() throws Exception {
+        assertNull(testSaml1Token(false));
+    }
+    
+    @Test
+    public void testUnsignedSaml1TokenWithPrincipal() throws Exception {
+        SecurityContext ctx = testSaml1Token(true);
+        assertTrue(ctx.getUserPrincipal() instanceof SAMLTokenPrincipal);
+    }
+    
+    private SecurityContext testSaml1Token(boolean allowUnsignedPrincipal) throws Exception
{
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
         outProperties.put(WSHandlerConstants.SAML_PROP_FILE, "saml_sv.properties");
@@ -88,7 +97,9 @@ public class SamlTokenTest extends AbstractSecurityTest {
             "org.apache.cxf.ws.security.wss4j.saml.SAML1CallbackHandler"
         );
         
+        
         Map<String, Object> inProperties = new HashMap<String, Object>();
+
         inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
@@ -101,6 +112,11 @@ public class SamlTokenTest extends AbstractSecurityTest {
         xpaths.add("//wsse:Security/saml1:Assertion");
 
         Map<String, String> inMessageProperties = new HashMap<String, String>();
+
+        if (allowUnsignedPrincipal) {
+            inMessageProperties.put(SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
"true");
+        }
+        
         inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
         Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
         
@@ -113,6 +129,8 @@ public class SamlTokenTest extends AbstractSecurityTest {
             (AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
         assert !receivedAssertion.isSigned();
+        
+        return message.get(SecurityContext.class);
     }
     
     /**


Mime
View raw message