From cohei...@apache.org
Subject [2/2] cxf-fediz git commit: Some changes
Date Mon, 01 Feb 2016 14:51:08 GMT
Some changes


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8d86d6b6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8d86d6b6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8d86d6b6

Branch: refs/heads/1.2.x-fixes
Commit: 8d86d6b6dba18feacfb3de1d808fff0e59c09df8
Parents: b680cf5
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Feb 1 14:48:31 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Feb 1 14:51:02 2016 +0000

----------------------------------------------------------------------
 .../core/samlsso/SAMLSSOResponseValidator.java  | 24 ++++++++++++++++----
 .../fediz/core/samlsso/SAMLResponseTest.java    |  4 +---
 2 files changed, 21 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8d86d6b6/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 609103e..820c940 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -46,12 +46,14 @@ public class SAMLSSOResponseValidator {
     private String clientAddress;
     private String requestId;
     private String spIdentifier;
+    private boolean enforceResponseSigned;
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
     private ReplayCache replayCache;
     
     /**
-     * Enforce that Assertions must be signed if the POST binding was used. The default is
true.
+     * Enforce that Assertions contained in the Response must be signed (if the Response
itself is not
+     * signed). The default is true.
      */
     public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
         this.enforceAssertionsSigned = enforceAssertionsSigned;
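Review bot: The new `enforceResponseSigned` field on the first added line is left without an initializer, so it silently defaults to false while the two sibling flags directly below it spell out their `= true` defaults; a reader skimming the declarations will not see that this check is opt-in. For consistency with those siblings I would write `private boolean enforceResponseSigned = false; // opt-in: an unsigned Response is tolerated when the Assertions are signed`. The updated Javadoc on setEnforceAssertionsSigned correctly describes the new interplay, but the interplay is easier to follow when both defaults are visible at the field declarations.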
@@ -93,6 +95,11 @@ public class SAMLSSOResponseValidator {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
         }
         
+        if (enforceResponseSigned && !samlResponse.isSigned()) {
+            LOG.debug("The Response must be signed!");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
         // Validate Assertions
         org.opensaml.saml2.core.Assertion validAssertion = null;
         Date sessionNotOnOrAfter = null;
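Review bot: The added guard keys on `samlResponse.isSigned()`, which (as far as this hunk shows) only reports that a signature element is present; nothing here verifies that signature, so the check is only meaningful if verification has already happened before this validator runs — I would confirm that ordering. A comment on the new `if` would save the next reader the same question: `// isSigned() reports presence of a ds:Signature; its validity is assumed to have been established before this validator runs`. The enclosing method starts before this hunk, so the earlier checks it performs are not visible here.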
@@ -104,9 +111,8 @@ public class SAMLSSOResponseValidator {
             }
             validateIssuer(assertion.getIssuer());
             
-            if (enforceAssertionsSigned && postBinding && assertion.getSignature()
== null) {
-                LOG.debug("If the HTTP Post binding is used to deliver the Response, "
-                         + "the enclosed assertions must be signed");
+            if (!samlResponse.isSigned() && enforceAssertionsSigned && assertion.getSignature()
== null) {
+                LOG.debug("The enclosed assertions in the SAML Response must be signed");
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
             }
             
@@ -334,4 +340,14 @@ public class SAMLSSOResponseValidator {
         this.replayCache = replayCache;
     }
     
+    public boolean isEnforceResponseSigned() {
+        return enforceResponseSigned;
+    }
+
+    /**
+     * Enforce whether a SAML Response must be signed.
+     */
+    public void setEnforceResponseSigned(boolean enforceResponseSigned) {
+        this.enforceResponseSigned = enforceResponseSigned;
+    }
 }
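Review bot: The Javadoc on setEnforceResponseSigned does not state the default, unlike the sibling setter above which says "The default is true"; since the field has no initializer, the default here is false, and that matters because it means the stricter check is opt-in. I would replace the comment with `/** Enforce that the SAML Response itself must be signed. The default is false; an unsigned Response is then still accepted, subject to setEnforceAssertionsSigned requiring the enclosed Assertions to be signed. */`. The getter `isEnforceResponseSigned` follows the JavaBeans convention used by the rest of the class, which is fine.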

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8d86d6b6/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
index 8fc10a5..39d76a9 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
@@ -664,9 +664,7 @@ public class SAMLResponseTest {
             wfProc.processRequest(wfReq, config);
             Assert.fail("Processing must fail because of missing signature");
         } catch (ProcessingException ex) {
-            if (!TYPE.TOKEN_NO_SIGNATURE.equals(ex.getType())) {
-                fail("Expected ProcessingException with TOKEN_NO_SIGNATURE type");
-            }
+            // expected
         }
     }
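Review bot: Dropping the `TYPE.TOKEN_NO_SIGNATURE` check leaves the catch block accepting any `ProcessingException`, so the test would now also pass on an unrelated failure (a configuration or parsing error, say) rather than specifically on the missing signature it is meant to exercise. If the type reported on this path changed with the new Response-signature check, the assertion should be updated to the new type rather than removed; if it did not, the original two lines should be restored. At minimum the comment should say what is expected, e.g. `// expected: neither the Response nor its Assertions carry a signature`. The enclosing test method starts before this hunk.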
     

