From cohei...@apache.org
Subject [1/3] cxf git commit: Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP
Date Wed, 04 Feb 2015 17:11:49 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes a9251eca7 -> cfd1ae315


Add the ability to validate SAML Audience Restrictions. Defaults to false unlike for SOAP

Conflicts:
	rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ac1573cf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ac1573cf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ac1573cf

Branch: refs/heads/2.7.x-fixes
Commit: ac1573cf09da4dffe63462a6db077a6fde129864
Parents: a9251ec
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Feb 3 16:21:47 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Feb 4 17:08:18 2015 +0000

----------------------------------------------------------------------
 .../rs/security/saml/AbstractSamlInHandler.java | 37 ++++++++++++++++++++
 1 file changed, 37 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/ac1573cf/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index 78c80c5..cc4e1f1 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -25,6 +25,7 @@ import java.io.InputStreamReader;
 import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
 
@@ -116,6 +117,10 @@ public abstract class AbstractSamlInHandler implements RequestHandler
{
     protected void validateToken(Message message, AssertionWrapper assertion) {
         try {
             RequestData data = new RequestData();
+            
+            // Add Audience Restrictions for SAML
+            configureAudienceRestriction(message, data);
+            
             if (assertion.isSigned()) {
                 WSSConfig cfg = WSSConfig.getNewInstance(); 
                 data.setWssConfig(cfg);
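Review bot: The audience check wired in on the added `configureAudienceRestriction(message, data);` line is opt-in, so unless a deployer sets SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION this validateToken path still accepts an assertion whose AudienceRestriction names a different service, which is the opposite of what the commit title says the SOAP stack does. That asymmetry is worth stating at the call site rather than only in the commit message, because a reader of this file will assume WSS4J's usual audience checking is in force. I would replace the added comment with `// Audience restriction check is opt-in for JAX-RS (SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, default false), unlike the SOAP stack`. validateToken's body continues past the end of this hunk.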
@@ -149,7 +154,39 @@ public abstract class AbstractSamlInHandler implements RequestHandler
{
         }
     }
     
+<<<<<<< HEAD
     protected void checkSubjectConfirmationData(Message message, AssertionWrapper assertion)
{
+=======
+    protected void configureAudienceRestriction(Message msg, RequestData reqData) {
+        // Add Audience Restrictions for SAML
+        boolean enableAudienceRestriction = 
+            MessageUtils.getContextualBoolean(msg, 
+                                              SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,

+                                              false);
+        if (enableAudienceRestriction) {
+            List<String> audiences = new ArrayList<String>();
+            if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) !=
null) {
+                audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+            }
+            reqData.setAudienceRestrictions(audiences);
+        }
+    }
+    
+    protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException
{
+        try {
+            X509Certificate[] certs = SecurityUtils.getCertificates(sigCrypto, 
+                                                                    sigCrypto.getDefaultX509Identifier());
+            SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(new X509Certificate[]{certs[0]});
+            samlKeyInfo.setPublicKey(certs[0].getPublicKey());
+            return samlKeyInfo;
+        } catch (Exception ex) {
+            LOG.log(Level.FINE, "Error in loading the certificates: " + ex.getMessage(),
ex);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE,
ex);
+        }
+    }
+    
+    protected void checkSubjectConfirmationData(Message message, SamlAssertionWrapper assertion)
{
+>>>>>>> 0377022... Add the ability to validate SAML Audience Restrictions.
Defaults to false unlike for SOAP
         Certificate[] tlsCerts = getTLSCertificates(message);
         if (!checkHolderOfKey(message, assertion, tlsCerts)) {
             throwFault("Holder Of Key claim fails", null);
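Review bot: This hunk adds the unresolved merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 0377022...` to AbstractSamlInHandler.java verbatim, together with two declarations of checkSubjectConfirmationData (one taking AssertionWrapper, one SamlAssertionWrapper), so the file cannot compile as pushed. Given that validateToken in this same file takes AssertionWrapper, the resolution for 2.7.x-fixes is presumably to drop the three marker lines and keep `protected void checkSubjectConfirmationData(Message message, AssertionWrapper assertion) {`; the later commits in this push may do exactly that, but this commit should not be left in a broken state. createKeyInfoFromDefaultAlias also uses `Level`, which does not appear in the visible import block, and `WSSecurityException.ErrorCode.FAILED_SIGNATURE`, which looks like the WSS4J 2.x form — confirm both resolve on this branch. In configureAudienceRestriction an empty list is passed to setAudienceRestrictions when Message.REQUEST_URL is unset, and whether WSS4J treats an empty list as "no audience check" or as "reject every audience" is not visible here; confirm and record it, e.g. `// NOTE: empty list when REQUEST_URL is unknown — verify WSS4J semantics (no check vs. reject all)`. checkSubjectConfirmationData continues past the end of this hunk.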

