From cohei...@apache.org
Subject cxf git commit: [CXF-6735] - Add a configuration option to disable the STR Transform
Date Mon, 11 Jan 2016 16:58:33 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes a564aea12 -> 621e9cc86


[CXF-6735] - Add a configuration option to disable the STR Transform


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/621e9cc8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/621e9cc8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/621e9cc8

Branch: refs/heads/3.1.x-fixes
Commit: 621e9cc86027ff94330c13b8bcf28c95466cf6c9
Parents: a564aea
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 11 16:49:38 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 11 16:54:39 2016 +0000

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      |  7 +++
 .../policyhandlers/AbstractBindingBuilder.java  | 45 +++++++++++++-------
 .../X509SymmetricBindingTest.java               | 38 +++++++++++++++++
 3 files changed, 75 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/621e9cc8/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index c88a4ec..f9ebaba 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -132,6 +132,13 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      */
     public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM = 
         "ws-security.swa.encryption.attachment.transform.content";
+    
+    /**
+     * Whether to use the STR (Security Token Reference) Transform when (externally) signing
a SAML Token.
+     * The default is true. Some frameworks cannot handle processing the SecurityTokenReference
is created,
+     * hence set this configuration option to "false" in this case.
+     */
+    public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform";
 
     //
     // Non-boolean WS-Security Configuration parameters
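Review bot: The Javadoc added for USE_STR_TRANSFORM is ungrammatical ("cannot handle processing the SecurityTokenReference is created") and does not say what the non-default value changes on the wire, which is exactly what an integrator deciding to flip a signing option needs to know. Suggest replacing the second sentence with `Some frameworks cannot process the SecurityTokenReference that is created, in which case set this option to "false" and the Signature will reference the Assertion element directly by its Id instead.` Because this is a security-relevant switch it is also worth stating that "true" remains the default and the interoperable setting, and that the option is consulted when building the outbound Signature (that is how the AbstractBindingBuilder hunk reads it; whether anything on the verification side honours it should be confirmed before documenting it either way).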

http://git-wip-us.apache.org/repos/asf/cxf/blob/621e9cc8/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 815cb8f..4d2f2c5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -610,6 +610,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
     protected void addSignatureParts(List<SupportingToken> tokenList, List<WSEncryptionPart>
sigParts) {
         
+        boolean useSTRTransform = 
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.USE_STR_TRANSFORM, true
+            );
+        
         for (SupportingToken supportingToken : tokenList) {
             
             Object tempTok = supportingToken.getTokenImplementation();
@@ -647,14 +652,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
                 Document doc = assertionWrapper.getElement().getOwnerDocument();
                 boolean saml1 = assertionWrapper.getSaml1() != null;
-                // TODO We only support using a KeyIdentifier for the moment
-                SecurityTokenReference secRef = 
-                    createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
-                Element clone = cloneElement(secRef.getElement());
-                addSupportingElement(clone);
-                part = new WSEncryptionPart("STRTransform", null, "Element");
-                part.setId(secRef.getID());
-                part.setElement(clone);
+                if (useSTRTransform) {
+                    // TODO We only support using a KeyIdentifier for the moment
+                    SecurityTokenReference secRef = 
+                        createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
+                    Element clone = cloneElement(secRef.getElement());
+                    addSupportingElement(clone);
+                    part = new WSEncryptionPart("STRTransform", null, "Element");
+                    part.setId(secRef.getID());
+                    part.setElement(clone);
+                } else {
+                    part = new WSEncryptionPart(assertionWrapper.getId());
+                    part.setElement(assertionWrapper.getElement());
+                }
             } else if (tempTok instanceof WSSecurityTokenHolder) {
                 SecurityToken token = ((WSSecurityTokenHolder)tempTok).getToken();
                 String tokenType = token.getTokenType();
@@ -673,13 +683,18 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                             id = token.getToken().getAttributeNS(null, "ID");
                         }
                     }
-                    SecurityTokenReference secRef = 
-                        createSTRForSamlAssertion(doc, id, saml1, false);
-                    Element clone = cloneElement(secRef.getElement());
-                    addSupportingElement(clone);
-                    part = new WSEncryptionPart("STRTransform", null, "Element");
-                    part.setId(secRef.getID());
-                    part.setElement(clone);
+                    if (useSTRTransform) {
+                        SecurityTokenReference secRef = 
+                            createSTRForSamlAssertion(doc, id, saml1, false);
+                        Element clone = cloneElement(secRef.getElement());
+                        addSupportingElement(clone);
+                        part = new WSEncryptionPart("STRTransform", null, "Element");
+                        part.setId(secRef.getID());
+                        part.setElement(clone);
+                    } else {
+                        part = new WSEncryptionPart(id);
+                        part.setElement(token.getToken());
+                    }
                 } else {
                     String id = XMLUtils.getIDFromReference(token.getId());
 
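Review bot: The new `if (useSTRTransform) { … } else { … }` block is pasted twice (the SamlAssertionWrapper branch and the WSSecurityTokenHolder branch), differing only in where the id and the token Element come from, and the "TODO We only support using a KeyIdentifier" comment survives in one copy but not the other; a small private helper keeps the two reference styles in one place and makes the security-relevant choice easy to audit. In the direct-reference path nothing checks that `id` is non-empty — `getAttributeNS` returns "" for a missing attribute (visible on the lines above) — so an assertion without an ID would produce a dangling `#` Reference rather than a clear failure; this predates the patch for the STR path, but a guard such as `if (id == null || id.isEmpty()) { throw new IllegalStateException("SAML Assertion has no Id to sign"); }` ahead of the helper call is cheap. Note that addSignatureParts begins in the previous hunk and continues past the end of this one.

```java
// … unchanged: SamlAssertionWrapper branch up to computing doc / saml1 …
part = createSamlSignaturePart(doc, assertionWrapper.getId(), saml1,
                               assertionWrapper.getElement(), useSTRTransform);
// … unchanged: WSSecurityTokenHolder branch up to computing id …
part = createSamlSignaturePart(doc, id, saml1, token.getToken(), useSTRTransform);

// Build the signature part for a SAML Assertion: by default via a SecurityTokenReference
// plus the STR Transform; when useSTRTransform is false, reference the Assertion element
// directly by its Id (for consumers that cannot process the SecurityTokenReference).
private WSEncryptionPart createSamlSignaturePart(
    Document doc, String id, boolean saml1, Element tokenElement, boolean useSTRTransform
) {
    if (!useSTRTransform) {
        WSEncryptionPart part = new WSEncryptionPart(id);
        part.setElement(tokenElement);
        return part;
    }
    // TODO We only support using a KeyIdentifier for the moment
    SecurityTokenReference secRef = createSTRForSamlAssertion(doc, id, saml1, false);
    Element clone = cloneElement(secRef.getElement());
    addSupportingElement(clone);
    WSEncryptionPart part = new WSEncryptionPart("STRTransform", null, "Element");
    part.setId(secRef.getID());
    part.setElement(clone);
    return part;
}
```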

http://git-wip-us.apache.org/repos/asf/cxf/blob/621e9cc8/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
index 8962ecf..b89e1be 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
@@ -233,6 +233,44 @@ public class X509SymmetricBindingTest extends AbstractBusClientServerTestBase
{
         bus.shutdown(true);
     }
 
+    // Here we refer to the Assertion directly, instead of creating a SecurityTokenReference
and using the
+    // STR Transform
+    @org.junit.Test
+    public void testX509SAML2SupportingDirectReferenceToAssertion() throws Exception {
+        
+        // TODO Not yet supported for the client streaming code
+        if (test.isStreaming()) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2SupportingPort");
+        DoubleItPortType symmetricSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(symmetricSaml2Port, test.getPort());
+        
+        TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, test.getStsPort());
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(symmetricSaml2Port);
+        }
+        
+        ((BindingProvider)symmetricSaml2Port).getRequestContext().put("ws-security.use.str.transform",
"false");
+        
+        doubleIt(symmetricSaml2Port, 30);
+        
+        ((java.io.Closeable)symmetricSaml2Port).close();
+        bus.shutdown(true);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2, resp);
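Review bot: The early `return` when `test.isStreaming()` makes this test report a silent pass in the streaming configuration and leaves the later `if (test.isStreaming()) { SecurityTestUtil.enableStreaming(...) }` unreachable; prefer `org.junit.Assume.assumeFalse("Not yet supported for the client streaming code", test.isStreaming());` so the run is recorded as skipped, and drop the dead enableStreaming block. The request-context key is hard-coded as `"ws-security.use.str.transform"` where `SecurityConstants.USE_STR_TRANSFORM` is the constant the same commit introduces; using it keeps the test in step with any future rename. As written the test only proves a successful round trip, which it would also do if the option were ignored and the STR Transform still emitted; if the test harness can capture the outbound SOAP message (a logging interceptor, say), asserting that no STRTransform / SecurityTokenReference appears in the Signature would pin the behaviour this commit adds.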

