From jp...@apache.org
Subject git commit: CXF-6054 add a property to allow unsigned saml tokens
Date Thu, 16 Oct 2014 23:40:34 GMT
Repository: cxf
Updated Branches:
  refs/heads/master e97552774 -> 007b6e17b


CXF-6054 add a property to allow unsigned saml tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/007b6e17
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/007b6e17
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/007b6e17

Branch: refs/heads/master
Commit: 007b6e17b6a15159db77a709bb43be53e7b737ec
Parents: e975527
Author: Jason Pell <jpell@apache.org>
Authored: Fri Oct 17 10:30:54 2014 +1100
Committer: Jason Pell <jpell@apache.org>
Committed: Fri Oct 17 10:39:12 2014 +1100

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      |  8 ++++++-
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 11 ++++++++--
 .../ws/security/wss4j/saml/SamlTokenTest.java   | 23 ++++++++++++++++----
 3 files changed, 35 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/007b6e17/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 96165bd..b5b32b3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -162,6 +162,12 @@ public final class SecurityConstants {
     public static final String IS_BSP_COMPLIANT = "ws-security.is-bsp-compliant";
     
     /**
+     * Whether to allow unsigned saml assertions as SecurityContext Principals. The default
is false.
+     */
+    public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL = 
+            "ws-security.enable.unsigned-saml-assertion.principal";
+    
+    /**
      * Whether to cache UsernameToken nonces. The default value is "true" for message recipients,
and 
      * "false" for message initiators. Set it to true to cache for both cases. Set this to
"false" to
      * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
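Review bot: The Javadoc on ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL states the default but not what enabling it gives up: an unsigned assertion carries no proof of who issued it or that it arrived unaltered, so a principal derived from it is only as trustworthy as whatever else authenticates the sender. Suggest extending the comment to ` * Whether to allow unsigned SAML assertions as SecurityContext Principals. The default is false.` followed by ` * Enabling this does not authenticate the assertion; only set it to true when the sender and the` and ` * assertion's integrity are established by other means (for example a secured transport).` The second hunk of this file only registers the constant in ALL_PROPERTIES and needs nothing further.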
@@ -627,7 +633,7 @@ public final class SecurityConstants {
             CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
             DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-            KERBEROS_REQUEST_CREDENTIAL_DELEGATION
+            KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/007b6e17/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 014361f..98650fb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -525,6 +525,10 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
         results.add(0, rResult);
         
+        Boolean allowUnsignedSamlPrincipals = 
+                MessageUtils.getContextualBoolean(msg, 
+                        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, false);
+        
         for (int i = wsResult.size() - 1; i >= 0; i--) {
             WSSecurityEngineResult o = wsResult.get(i);
             
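Review bot: `allowUnsignedSamlPrincipals` is declared as the boxed `Boolean` although it is only consumed in a boolean expression further down the method, and `MessageUtils.getContextualBoolean` appears to return a primitive, so `final boolean allowUnsignedSamlPrincipals =` avoids a box/unbox round trip and matches the `final` locals in the loop body. The enclosing method continues outside the hunk.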
@@ -535,10 +539,13 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
                 .getContextualBoolean(msg, SecurityConstants.SC_FROM_JAAS_SUBJECT, true);
             final Object binarySecurity = o.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
             
-            // UsernameToken, Kerberos, Signed SAML token or XML Signature
+            final boolean isValidSamlToken = action == WSConstants.ST_SIGNED 
+                    || (allowUnsignedSamlPrincipals && action == WSConstants.ST_UNSIGNED);
+            
+            // UsernameToken, Kerberos, SAML token or XML Signature
             if (action == WSConstants.UT || action == WSConstants.UT_NOPASSWORD
                 || (action == WSConstants.BST && binarySecurity instanceof KerberosSecurity)
-                || action == WSConstants.ST_SIGNED || action == WSConstants.SIGN) {
+                || isValidSamlToken || action == WSConstants.SIGN) {
                 
                 if (action == WSConstants.SIGN) {
                     // Check we have a public key / certificate for the signing case
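Review bot: Once `isValidSamlToken` is true for an ST_UNSIGNED result, the branch below handles it exactly like a signed SAML token when establishing the SecurityContext, and nothing in this hunk ties the unsigned assertion to the sender; whether a subject-confirmation or validator check has already run at this point cannot be seen from the hunk. That is presumably the intended trade-off of an opt-in flag, but the spot where the unsigned case is accepted deserves a comment, e.g. `// ST_UNSIGNED is accepted only by explicit opt-in; the assertion alone proves nothing about the sender`. The rewritten comment `// UsernameToken, Kerberos, SAML token or XML Signature` also drops the distinction the old one made; `// UsernameToken, Kerberos, signed (or opted-in unsigned) SAML token or XML Signature` keeps it visible. The enclosing method and the `if` block continue outside the hunk.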

http://git-wip-us.apache.org/repos/asf/cxf/blob/007b6e17/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index a5ca0cc..1e021ea 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -53,7 +53,7 @@ import org.apache.cxf.ws.security.wss4j.AbstractSecurityTest;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.saml.AbstractSAMLCallbackHandler.Statement;
-
+import org.apache.wss4j.common.principal.SAMLTokenPrincipal;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
@@ -65,7 +65,6 @@ import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.junit.Test;
 
-
 /**
  * Some tests for creating and processing (signed) SAML Assertions.
  */
@@ -73,12 +72,22 @@ public class SamlTokenTest extends AbstractSecurityTest {
 
     public SamlTokenTest() {
     }
-
+    
     /**
      * This test creates a SAML1 Assertion and sends it in the security header to the provider.

      */
     @Test
-    public void testSaml1Token() throws Exception {
+    public void testUnsignedSaml1Token() throws Exception {
+        assertNull(testSaml1Token(false));
+    }
+
+    @Test
+    public void testUnsignedSaml1TokenWithPrincipal() throws Exception {
+        SecurityContext ctx = testSaml1Token(true);
+        assertTrue(ctx.getUserPrincipal() instanceof SAMLTokenPrincipal);
+    }
+        
+    private SecurityContext testSaml1Token(boolean allowUnsignedPrincipal) throws Exception
{
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
         outProperties.put(
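Review bot: The private helper keeps the name `testSaml1Token` that the old @Test carried, so it reads as a test case even though it is no longer annotated; a name such as `processSaml1Token(boolean allowUnsignedPrincipal)` would separate it from the two tests that call it, and the Javadoc at the top of the hunk now sits above `testUnsignedSaml1Token` while describing the helper's behaviour. `testUnsignedSaml1TokenWithPrincipal` also checks only the principal's type; asserting its name against the subject configured for the outbound assertion (set up outside this hunk) would pin the property's actual effect rather than just that some SAMLTokenPrincipal was produced. The helper's body continues outside the hunk.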
@@ -99,6 +108,10 @@ public class SamlTokenTest extends AbstractSecurityTest {
         xpaths.add("//wsse:Security/saml1:Assertion");
 
         Map<String, String> inMessageProperties = new HashMap<String, String>();
+        if (allowUnsignedPrincipal) {
+            inMessageProperties.put(SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
"true");
+        }
+
         inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
         Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
         
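Review bot: The opt-in added at the top of the hunk runs with `VALIDATE_SAML_SUBJECT_CONFIRMATION` set to `"false"` two lines later, so the new positive test only shows that an unsigned assertion yields a principal when subject-confirmation checking is switched off. A second case that leaves that property at its default would show whether the new option interacts with that check for an unsigned assertion, which is the configuration a deployment is more likely to run. This is a coverage point on the test, not a defect in the interceptor change. The helper continues outside the hunk.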
@@ -111,6 +124,8 @@ public class SamlTokenTest extends AbstractSecurityTest {
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
         assert !receivedAssertion.isSigned();
+        
+        return message.get(SecurityContext.class);
     }
     
     @Test

