cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/2] cxf git commit: [CXF-6735] - Add a configuration option to disable the STR Transform
Date Mon, 11 Jan 2016 17:02:04 GMT
[CXF-6735] - Add a configuration option to disable the STR Transform


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/46362669
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/46362669
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/46362669

Branch: refs/heads/3.0.x-fixes
Commit: 463626698e399b36555a9ca35240f278bfb40153
Parents: 25f1d6d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 11 16:49:38 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 11 16:58:45 2016 +0000

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      |  7 +++
 .../policyhandlers/AbstractBindingBuilder.java  | 45 +++++++++++++-------
 .../X509SymmetricBindingTest.java               | 38 +++++++++++++++++
 3 files changed, 75 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 286eccb..383369c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -264,6 +264,13 @@ public final class SecurityConstants {
      */
     public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM = 
         "ws-security.swa.encryption.attachment.transform.content";
+    
+    /**
+     * Whether to use the STR (Security Token Reference) Transform when (externally) signing
a SAML Token.
+     * The default is true. Some frameworks cannot handle processing the SecurityTokenReference
is created,
+     * hence set this configuration option to "false" in this case.
+     */
+    public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform";
 
     //
     // Non-boolean WS-Security Configuration parameters

http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 2712d60..4d33fc7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -605,6 +605,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     protected void addSignatureParts(List<SupportingToken> tokenList,
                                        List<WSEncryptionPart> sigParts) {
         
+        boolean useSTRTransform = 
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.USE_STR_TRANSFORM, true
+            );
+        
         for (SupportingToken supportingToken : tokenList) {
             
             Object tempTok = supportingToken.getTokenImplementation();
@@ -642,14 +647,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
                 Document doc = assertionWrapper.getElement().getOwnerDocument();
                 boolean saml1 = assertionWrapper.getSaml1() != null;
-                // TODO We only support using a KeyIdentifier for the moment
-                SecurityTokenReference secRef = 
-                    createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
-                Element clone = cloneElement(secRef.getElement());
-                addSupportingElement(clone);
-                part = new WSEncryptionPart("STRTransform", null, "Element");
-                part.setId(secRef.getID());
-                part.setElement(clone);
+                if (useSTRTransform) {
+                    // TODO We only support using a KeyIdentifier for the moment
+                    SecurityTokenReference secRef = 
+                        createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
+                    Element clone = cloneElement(secRef.getElement());
+                    addSupportingElement(clone);
+                    part = new WSEncryptionPart("STRTransform", null, "Element");
+                    part.setId(secRef.getID());
+                    part.setElement(clone);
+                } else {
+                    part = new WSEncryptionPart(assertionWrapper.getId());
+                    part.setElement(assertionWrapper.getElement());
+                }
             } else if (tempTok instanceof WSSecurityTokenHolder) {
                 SecurityToken token = ((WSSecurityTokenHolder)tempTok).getToken();
                 String tokenType = token.getTokenType();
@@ -668,13 +678,18 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                             id = token.getToken().getAttributeNS(null, "ID");
                         }
                     }
-                    SecurityTokenReference secRef = 
-                        createSTRForSamlAssertion(doc, id, saml1, false);
-                    Element clone = cloneElement(secRef.getElement());
-                    addSupportingElement(clone);
-                    part = new WSEncryptionPart("STRTransform", null, "Element");
-                    part.setId(secRef.getID());
-                    part.setElement(clone);
+                    if (useSTRTransform) {
+                        SecurityTokenReference secRef = 
+                            createSTRForSamlAssertion(doc, id, saml1, false);
+                        Element clone = cloneElement(secRef.getElement());
+                        addSupportingElement(clone);
+                        part = new WSEncryptionPart("STRTransform", null, "Element");
+                        part.setId(secRef.getID());
+                        part.setElement(clone);
+                    } else {
+                        part = new WSEncryptionPart(id);
+                        part.setElement(token.getToken());
+                    }
                 } else {
                     String id = token.getId();
                     if (id != null && id.charAt(0) == '#') {

http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
index f019cfe..8527f65 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
@@ -233,6 +233,44 @@ public class X509SymmetricBindingTest extends AbstractBusClientServerTestBase
{
         bus.shutdown(true);
     }
 
+    // Here we refer to the Assertion directly, instead of creating a SecurityTokenReference
and using the
+    // STR Transform
+    @org.junit.Test
+    public void testX509SAML2SupportingDirectReferenceToAssertion() throws Exception {
+        
+        // TODO Not yet supported for the client streaming code
+        if (test.isStreaming()) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2SupportingPort");
+        DoubleItPortType symmetricSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(symmetricSaml2Port, test.getPort());
+        
+        TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, test.getStsPort());
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(symmetricSaml2Port);
+        }
+        
+        ((BindingProvider)symmetricSaml2Port).getRequestContext().put("ws-security.use.str.transform",
"false");
+        
+        doubleIt(symmetricSaml2Port, 30);
+        
+        ((java.io.Closeable)symmetricSaml2Port).close();
+        bus.shutdown(true);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);


Mime
View raw message