cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: [CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed SAML Assertions with JAX-RS
Date Fri, 14 Aug 2015 13:07:15 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 7dec3c88a -> 953d23f38


[CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed
SAML Assertions with JAX-RS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/953d23f3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/953d23f3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/953d23f3

Branch: refs/heads/master
Commit: 953d23f38ddfe044a4dff4783498ebe5d68d76c1
Parents: 7dec3c8
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Aug 14 14:06:51 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Aug 14 14:07:09 2015 +0100

----------------------------------------------------------------------
 .../apache/cxf/rs/security/saml/SAMLUtils.java  |  5 ++-
 .../jaxrs/security/saml/JAXRSSamlTest.java      | 37 ++++++++++++++++----
 .../security/saml/SamlCallbackHandler.java      | 34 +++++++++++++++++-
 3 files changed, 67 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index 1471191..60c755d 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -112,7 +112,10 @@ public final class SAMLUtils {
                     RSSecurityUtils.getPassword(message, user, WSPasswordCallback.SIGNATURE,

                             SAMLUtils.class);
                 
-                assertion.signAssertion(user, password, crypto, false);
+                assertion.signAssertion(user, password, crypto, false,
+                                        samlCallback.getCanonicalizationAlgorithm(),
+                                        samlCallback.getSignatureAlgorithm(),
+                                        samlCallback.getSignatureDigestAlgorithm());
             }
             return assertion;
         } catch (Exception ex) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
index ccbabf4..7949c13 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
@@ -23,6 +23,7 @@ import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.security.auth.callback.CallbackHandler;
 import javax.ws.rs.ProcessingException;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Form;
@@ -41,9 +42,11 @@ import org.apache.cxf.rs.security.saml.SamlEnvelopedOutInterceptor;
 import org.apache.cxf.rs.security.saml.SamlFormOutInterceptor;
 import org.apache.cxf.rs.security.saml.SamlHeaderOutInterceptor;
 import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.systest.jaxrs.security.Book;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.WSConstants;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
@@ -125,6 +128,16 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
     }
     
     @Test
+    public void testBearerSignedDifferentAlgorithms() throws Exception {
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
+        callbackHandler.setDigestAlgorithm(WSConstants.SHA256);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setSignAssertion(true);
+        doTestEnvelopedSAMLToken(true, callbackHandler);
+    }
+    
+    @Test
     public void testEnvelopedUnsignedSAMLToken() throws Exception {
         doTestEnvelopedSAMLToken(false);
     }
@@ -177,8 +190,12 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
     }
     
     public void doTestEnvelopedSAMLToken(boolean signed) throws Exception {
+        doTestEnvelopedSAMLToken(signed, new SamlCallbackHandler());
+    }
+    
+    public void doTestEnvelopedSAMLToken(boolean signed, CallbackHandler samlCallbackHandler)
throws Exception {
         String address = "https://localhost:" + PORT + "/samlxml/bookstore/books";
-        WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed),
null);
+        WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed),
null, samlCallbackHandler);
         XmlSigOutInterceptor xmlSig = new XmlSigOutInterceptor();
         if (signed) {
             xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
@@ -204,6 +221,13 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
     private WebClient createWebClient(String address, 
                                       Interceptor<Message> outInterceptor,
                                       Object provider) {
+        return createWebClient(address, outInterceptor, provider, new SamlCallbackHandler());
+    }
+    
+    private WebClient createWebClient(String address, 
+                                      Interceptor<Message> outInterceptor,
+                                      Object provider,
+                                      CallbackHandler samlCallbackHandler) {
         JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
         bean.setAddress(address);
         
@@ -213,12 +237,11 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
         bean.setBus(springBus);
 
         Map<String, Object> properties = new HashMap<String, Object>();
-        properties.put("security.callback-handler", 
+        properties.put(SecurityConstants.CALLBACK_HANDLER, 
                        "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
-        properties.put("security.saml-callback-handler", 
-                       "org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
-        properties.put("security.signature.username", "alice");
-        properties.put("security.signature.properties", 
+        properties.put(SecurityConstants.SAML_CALLBACK_HANDLER, samlCallbackHandler);
+        properties.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
+        properties.put(SecurityConstants.SIGNATURE_PROPERTIES, 
                        "org/apache/cxf/systest/jaxrs/security/alice.properties");
         bean.setProperties(properties);
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 81e4448..5a6b26f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -59,6 +59,9 @@ import org.joda.time.DateTime;
 public class SamlCallbackHandler implements CallbackHandler {
     private boolean saml2 = true;
     private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+    private String signatureAlgorithm;
+    private String digestAlgorithm;
+    private boolean signAssertion;
     
     public SamlCallbackHandler() {
         //
@@ -106,7 +109,7 @@ public class SamlCallbackHandler implements CallbackHandler {
                                                          SecurityConstants.SIGNATURE_PROPERTIES);
                         X509Certificate cert = 
                             RSSecurityUtils.getCertificates(crypto, 
-                                RSSecurityUtils.getUserName(m, crypto, "security.signature.username"))[0];
+                                RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
                         
                         KeyInfoBean keyInfo = new KeyInfoBean();
                         keyInfo.setCertificate(cert);
@@ -172,8 +175,37 @@ public class SamlCallbackHandler implements CallbackHandler {
                 
                 attrBean.setSamlAttributes(claims);
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));
+                
+                callback.setSignatureAlgorithm(signatureAlgorithm);
+                callback.setSignatureDigestAlgorithm(digestAlgorithm);
+                
+                callback.setSignAssertion(signAssertion);
             }
         }
     }
+
+    public String getSignatureAlgorithm() {
+        return signatureAlgorithm;
+    }
+
+    public void setSignatureAlgorithm(String signatureAlgorithm) {
+        this.signatureAlgorithm = signatureAlgorithm;
+    }
+
+    public String getDigestAlgorithm() {
+        return digestAlgorithm;
+    }
+
+    public void setDigestAlgorithm(String digestAlgorithm) {
+        this.digestAlgorithm = digestAlgorithm;
+    }
+
+    public boolean isSignAssertion() {
+        return signAssertion;
+    }
+
+    public void setSignAssertion(boolean signAssertion) {
+        this.signAssertion = signAssertion;
+    }
     
 }


Mime
View raw message