From cohei...@apache.org
Subject [2/2] cxf git commit: Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
Date Wed, 04 Feb 2015 11:29:55 GMT
Add the ability to validate SAML Audience Restrictions. Defaults to false, unlike for SOAP.


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/514e7c10
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/514e7c10
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/514e7c10

Branch: refs/heads/master
Commit: 514e7c10913d73b5fd363f6475eb1396301af41d
Parents: 3aec3e2
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Feb 3 16:21:47 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Feb 4 11:28:55 2015 +0000

----------------------------------------------------------------------
 .../rs/security/saml/AbstractSamlInHandler.java | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/514e7c10/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index ea4bd63..9d5d257 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -25,6 +25,7 @@ import java.io.InputStreamReader;
 import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -126,6 +127,10 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter
{
     protected void validateToken(Message message, SamlAssertionWrapper assertion) {
         try {
             RequestData data = new RequestData();
+            
+            // Add Audience Restrictions for SAML
+            configureAudienceRestriction(message, data);
+            
             if (assertion.isSigned()) {
                 WSSConfig cfg = WSSConfig.getNewInstance(); 
                 data.setWssConfig(cfg);
@@ -177,6 +182,21 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter
{
         }
     }
     
+    protected void configureAudienceRestriction(Message msg, RequestData reqData) {
+        // Add Audience Restrictions for SAML
+        boolean enableAudienceRestriction = 
+            MessageUtils.getContextualBoolean(msg, 
+                                              SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,

+                                              false);
+        if (enableAudienceRestriction) {
+            List<String> audiences = new ArrayList<String>();
+            if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) !=
null) {
+                audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+            }
+            reqData.setAudienceRestrictions(audiences);
+        }
+    }
+    
     protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException
{
         try {
             X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto, 
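Review bot: In `configureAudienceRestriction`, when `SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION` is enabled but `Message.REQUEST_URL` is absent, the method still calls `reqData.setAudienceRestrictions(audiences)` with an empty list, and if the downstream validator treats an empty list as "nothing to enforce" (which is how I would expect the WSS4J SAML validator to behave, though that is not visible here) a deliberately enabled check becomes a silent no-op. I would add, before the `setAudienceRestrictions` call, a branch such as `if (audiences.isEmpty()) { /* warn via the class Logger, or fail: validation was requested but no audience is available */ }` so that misconfiguration is visible rather than quietly permissive. The only accepted audience is also taken from the inbound request URL rather than from configuration, so the check is only as strong as the transport's reconstruction of that URL (reverse proxies and host rewriting come to mind); accepting an explicitly configured audience, with `REQUEST_URL` as the fallback, would be worth considering. A short Javadoc on the new method stating that the property defaults to `false` here, and why that differs from the SOAP side as the commit message says, would help the next reader.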

