
From cohei...@apache.org
Subject cxf-fediz git commit: Fixed SAML redirect signature
Date Wed, 23 Mar 2016 16:59:33 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master e68df8357 -> 020045463


Fixed SAML redirect signature


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/02004546
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/02004546
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/02004546

Branch: refs/heads/master
Commit: 020045463e720aca1de3466d3480f8b084f400dc
Parents: e68df83
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Mar 23 16:59:16 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Mar 23 16:59:16 2016 +0000

----------------------------------------------------------------------
 .../idp/samlsso/AuthnRequestValidator.java      |  3 ++-
 .../WEB-INF/flows/saml-signin-request.xml       |  6 +++---
 .../WEB-INF/flows/saml-validate-request.xml     | 20 ++++++++++----------
 .../apache/cxf/fediz/systests/idp/IdpTest.java  |  5 ++---
 4 files changed, 17 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
index b20b1f1..82f3c66 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
@@ -41,6 +41,7 @@ import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
 import org.apache.wss4j.dom.validate.Credential;
 import org.apache.wss4j.dom.validate.SignatureTrustValidator;
 import org.apache.wss4j.dom.validate.Validator;
+import org.apache.xml.security.utils.Base64;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
 import org.opensaml.security.credential.BasicCredential;
@@ -89,7 +90,7 @@ public class AuthnRequestValidator {
             
             sig.update(requestToSign.getBytes(StandardCharsets.UTF_8));
             
-            if (!sig.verify(signature.getBytes())) {
+            if (!sig.verify(Base64.decode(signature))) {
                 LOG.debug("Signature validation failed");
                 throw new ProcessingException(TYPE.BAD_REQUEST);
             }
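Review bot: `Base64.decode(signature)` on line 59 is applied to the request-supplied `Signature` parameter and can throw on malformed input (the xml-security decoder declares a checked `Base64DecodingException`), and `Signature.verify` may itself throw `SignatureException` when the decoded bytes are not a well-formed signature, so a garbled parameter can surface as an exception instead of the `BAD_REQUEST` that the failed-verify branch on lines 60–61 produces. Whether the enclosing try block maps those exceptions to `ProcessingException(TYPE.BAD_REQUEST)` cannot be seen from the hunk; if it does not, decoding into a local first, `byte[] sigBytes; try { sigBytes = Base64.decode(signature); } catch (Base64DecodingException e) { LOG.debug("Signature decoding failed"); throw new ProcessingException(TYPE.BAD_REQUEST); }`, keeps undecodable input on the same rejection path as an invalid signature. The enclosing method starts and ends outside the hunk.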

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index f706f0a..cc7b0f6 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -43,7 +43,7 @@
         <evaluate
             expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)"
/>
         <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="requestRpToken">
+        <transition on="no" to="parseAndValidateSAMLRequest">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]"
/>
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
@@ -59,7 +59,7 @@
     <action-state id="cacheSecurityToken">
         <secured attributes="IS_AUTHENTICATED_FULLY" />
         <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-        <transition to="requestRpToken">
+        <transition to="parseAndValidateSAMLRequest">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]"
/>
         </transition>
     </action-state>
@@ -67,7 +67,7 @@
     <!-- =============================================================================================================
-->
 
     <!-- normal exit point -->
-    <end-state id="requestRpToken">
+    <end-state id="parseAndValidateSAMLRequest">
         <output name="homerealm" value="flowScope.homerealm" />
         <output name="idpToken" value="flowScope.idpToken" />
     </end-state>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 52f7960..2578e98 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -33,17 +33,9 @@
         <if test="requestParameters.RelayState == null or requestParameters.RelayState.length()
== 0"
             then="viewBadRequest" />
         <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
-            then="parseAndValidateSAMLRequest" else="viewBadRequest" />
+            then="signinSAMLRequest" else="viewBadRequest" />
     </decision-state>
     
-    <action-state id="parseAndValidateSAMLRequest">
-        <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext,
flowScope.idpConfig,
-        														  flowScope.Signature, flowScope.RelayState,
-        														  flowScope.SAMLRequest)" />
-        <transition to="signinSAMLRequest"/>
-        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
to="viewBadRequest" />
-    </action-state>
-
     <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
         <input name="idpConfig" value="flowScope.idpConfig" />
         <input name="SAMLRequest" value="flowScope.SAMLRequest" />
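Review bot: The AuthnRequest and its Signature are no longer checked before the `signinSAMLRequest` subflow runs: the decision-state now transitions straight to the subflow (line 114) and the `parseAndValidateSAMLRequest` action-state is re-added only after the subflow returns (hunk at lines 140–157; the end-state rename in saml-signin-request.xml matches). The subflow receives `flowScope.SAMLRequest` as an input on line 129, so anything inside it that reads the SAMLRequest, RelayState or Signature values is now acting on data that has not been parsed or signature-validated, and a request with a bad signature appears to be rejected only once the subflow has completed. If this ordering is intentional, a comment on the subflow-state would spare the next reader the question: `<!-- SAMLRequest/Signature are validated in parseAndValidateSAMLRequest only after signin returns -->`.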
@@ -53,7 +45,7 @@
         <output name="idpToken" />
         <output name="trusted_idp_context" />
 
-        <transition on="requestRpToken" to="requestRpToken">
+        <transition on="parseAndValidateSAMLRequest" to="parseAndValidateSAMLRequest">
             <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm"
/>
             <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
         </transition>
@@ -62,6 +54,14 @@
         <transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
     </subflow-state>
     
+    <action-state id="parseAndValidateSAMLRequest">
+        <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext,
flowScope.idpConfig,
+                                                                  flowScope.Signature, flowScope.RelayState,
+                                                                  flowScope.SAMLRequest)"
/>
+        <transition to="requestRpToken"/>
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
to="viewBadRequest" />
+    </action-state>
+    
     <!-- produce RP security token (as String type) -->
     <action-state id="requestRpToken">
         <on-entry>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index e43e62f..97137b1 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -388,7 +388,6 @@ public class IdpTest {
     }
     
     @org.junit.Test
-    @org.junit.Ignore
     public void testSeparateSignature() throws Exception {
         OpenSAMLUtil.initSamlEngine();
         
@@ -422,7 +421,7 @@ public class IdpTest {
         java.security.Signature signature = java.security.Signature.getInstance("SHA1withRSA");
         signature.initSign(privateKey);
        
-        String requestToSign = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+        String requestToSign = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up?";
         requestToSign += SSOConstants.RELAY_STATE + "=" + relayState;
         requestToSign += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
         requestToSign += "&" + SSOConstants.SIG_ALG + "=" 
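Review bot: The query string that is signed (lines 179–182) and the one that is sent (lines 188–191 in the next hunk) are assembled separately by hand, which is why this commit has to change the `/fediz-idp/saml/up?` base in both places and leaves the two free to drift apart. If the second build only appends the Signature parameter (its continuation after line 192 is outside the hunk), deriving it from the signed string, `String url = requestToSign + "&" + SSOConstants.SIGNATURE + "=" + URLEncoder.encode(encodedSignature, StandardCharsets.UTF_8.name());`, guarantees that the bytes signed and the URL submitted agree. testSeparateSignature begins in the hunk at line 171 and ends outside these hunks.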
@@ -433,7 +432,7 @@ public class IdpTest {
         
         String encodedSignature = Base64.encode(signBytes);
         
-        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up?";
         url += SSOConstants.RELAY_STATE + "=" + relayState;
         url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
         url += "&" + SSOConstants.SIGNATURE + "=" + URLEncoder.encode(encodedSignature,
StandardCharsets.UTF_8.name());

