From cohei...@apache.org
Subject [1/4] cxf git commit: Enforce stronger constraints on role names for SAML
Date Mon, 20 Jul 2015 21:21:21 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes 70bf6e3f8 -> a70005059


Enforce stronger constraints on role names for SAML

Conflicts:
	rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b9bf76cd
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b9bf76cd
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b9bf76cd

Branch: refs/heads/2.7.x-fixes
Commit: b9bf76cd6c1aae1446774c22f135b60f27c6029e
Parents: 70bf6e3
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jul 20 19:56:04 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jul 20 21:45:08 2015 +0100

----------------------------------------------------------------------
 .../rt/security/saml/SAMLSecurityContext.java   | 113 +++++++++++++++++++
 .../AbstractXACMLAuthorizingInterceptor.java    |   6 +-
 2 files changed, 118 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bf76cd/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
new file mode 100644
index 0000000..2784a18
--- /dev/null
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.saml;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.w3c.dom.Element;
+import org.apache.cxf.rt.security.claims.ClaimCollection;
+import org.apache.cxf.rt.security.claims.ClaimsSecurityContext;
+
+public class SAMLSecurityContext implements ClaimsSecurityContext {
+    
+    private final Principal principal;
+    private Set<Principal> roles;
+    private Element assertionElement;
+    private String issuer;
+    private ClaimCollection claims;
+    
+    public SAMLSecurityContext(Principal principal) {
+        this(principal, null);
+    }
+    
+    public SAMLSecurityContext(
+        Principal principal, 
+        Set<Principal> roles
+    ) {
+        this(principal, roles, null);
+    }
+    
+    public SAMLSecurityContext(
+        Principal principal, 
+        Set<Principal> roles,
+        ClaimCollection claims
+    ) {
+        this.principal = principal;
+        this.roles = roles;
+        this.claims = claims;
+    }
+    
+    public ClaimCollection getClaims() {
+        return claims;
+    }
+    
+    public Principal getUserPrincipal() {
+        return principal;
+    }
+
+    public boolean isUserInRole(String role) {
+        if (roles == null) {
+            return false;
+        }
+        for (Principal principalRole : roles) {
+            if (principalRole != principal && principalRole.getName().equals(role))
{
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    public javax.security.auth.Subject getSubject() {
+        return null;
+    }
+
+    public void setUserRoles(Set<Principal> userRoles) {
+        this.roles = userRoles;
+    }
+    
+    public Set<Principal> getUserRoles() {
+        if (roles == null) {
+            return Collections.emptySet();
+        }
+        Set<Principal> retRoles = new HashSet<Principal>(roles);
+        if (principal != null && retRoles.contains(principal)) {
+            retRoles.remove(principal);
+        }
+        return retRoles;
+    }
+    
+    public void setAssertionElement(Element assertionElement) {
+        this.assertionElement = assertionElement;
+    }
+    
+    public Element getAssertionElement() {
+        return assertionElement;
+    }
+    
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
+    
+    public String getIssuer() {
+        return issuer;
+    }
+}
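Review bot: isUserInRole still excludes the user's own principal by reference identity (`principalRole != principal`) while the companion change to AbstractXACMLAuthorizingInterceptor in this same commit switches to comparing names, so a role entry that is a different Principal instance carrying the user's name is still reported as a role here, and `principalRole.getName()` is dereferenced without a null check. Suggest mirroring the interceptor's test: `String principalName = principal == null ? null : principal.getName();` before the loop, and `if (principalRole != null && principalRole.getName() != null && !principalRole.getName().equals(principalName) && principalRole.getName().equals(role)) {` inside it. getUserRoles drops the user principal via `retRoles.contains(principal)`, which depends on the Principal implementation's equals; applying the same name-based filter there would keep the two accessors consistent. The class also has no Javadoc; a short header stating that roles are exposed as Principals and that the user's own principal is filtered out of the reported role set would help callers.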

http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bf76cd/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
index 87fc83b..dd54dc5 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
@@ -70,13 +70,17 @@ public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseI
         
         if (sc instanceof LoginSecurityContext) {
             Principal principal = sc.getUserPrincipal();
+            String principalName = null;
+            if (principal != null) {
+                principalName = principal.getName();
+            }
             
             LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
             Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
             List<String> roles = new ArrayList<String>();
             if (principalRoles != null) {
                 for (Principal p : principalRoles) {
-                    if (p != principal) {
+                    if (p != null && p.getName() != null && !p.getName().equals(principalName))
{
                         roles.add(p.getName());
                     }
                 }
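Review bot: The new condition `if (p != null && p.getName() != null && !p.getName().equals(principalName))` calls `p.getName()` three times, with a fourth call on the following `roles.add`; hoisting it into a local reads more clearly and avoids repeated calls on a Principal whose getName may not be trivial: `String name = p.getName();` then `if (name != null && !name.equals(principalName)) {` and `roles.add(name);`. The filter now also drops any role Principal whose name is null, which the old identity check would have added to `roles` as a null string; that looks intended but is worth a one-line comment such as `// skip the user's own principal and unnamed roles`. The enclosing method starts and ends outside the hunk.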

