cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] cxf git commit: Enforce stronger constraints on role names for SAML
Date Mon, 20 Jul 2015 20:44:40 GMT
Enforce stronger constraints on role names for SAML


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1b310154
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1b310154
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1b310154

Branch: refs/heads/3.0.x-fixes
Commit: 1b3101542c14b6c761a83d39547d79fa732e9603
Parents: af03a16
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jul 20 19:56:04 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jul 20 20:49:45 2015 +0100

----------------------------------------------------------------------
 .../cxf/rt/security/saml/SAMLSecurityContext.java      | 13 +++++++++++--
 .../xacml/AbstractXACMLAuthorizingInterceptor.java     |  6 +++++-
 2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/1b310154/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
index 4287eb2..2784a18 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
@@ -19,6 +19,8 @@
 package org.apache.cxf.rt.security.saml;
 
 import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import org.w3c.dom.Element;
@@ -67,7 +69,7 @@ public class SAMLSecurityContext implements ClaimsSecurityContext {
             return false;
         }
         for (Principal principalRole : roles) {
-            if (principalRole.getName().equals(role)) {
+            if (principalRole != principal && principalRole.getName().equals(role))
{
                 return true;
             }
         }
@@ -83,7 +85,14 @@ public class SAMLSecurityContext implements ClaimsSecurityContext {
     }
     
     public Set<Principal> getUserRoles() {
-        return roles;
+        if (roles == null) {
+            return Collections.emptySet();
+        }
+        Set<Principal> retRoles = new HashSet<Principal>(roles);
+        if (principal != null && retRoles.contains(principal)) {
+            retRoles.remove(principal);
+        }
+        return retRoles;
     }
     
     public void setAssertionElement(Element assertionElement) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/1b310154/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
index 51e45cd..f7a8697 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
@@ -74,13 +74,17 @@ public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseI
         
         if (sc instanceof LoginSecurityContext) {
             Principal principal = sc.getUserPrincipal();
+            String principalName = null;
+            if (principal != null) {
+                principalName = principal.getName();
+            }
             
             LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
             Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
             List<String> roles = new ArrayList<String>();
             if (principalRoles != null) {
                 for (Principal p : principalRoles) {
-                    if (p != principal) {
+                    if (p != null && p.getName() != null && !p.getName().equals(principalName))
{
                         roles.add(p.getName());
                     }
                 }


Mime
View raw message