cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: CXF-7099 - Technical user should be the SAML Subject for the ActAs use-case
Date Wed, 19 Oct 2016 15:30:23 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 319456ecd -> 5c82ab1ca


CXF-7099 - Technical user should be the SAML Subject for the ActAs use-case


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5c82ab1c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5c82ab1c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5c82ab1c

Branch: refs/heads/master
Commit: 5c82ab1ca211be71f3ff68474edeef2cb0ed2bff
Parents: 319456e
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Oct 19 16:08:56 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Oct 19 16:08:56 2016 +0100

----------------------------------------------------------------------
 .../token/provider/DefaultSubjectProvider.java  |  6 ----
 .../sts/delegation/SAMLDelegationTest.java      | 29 +++-----------------
 .../sts/username_actas/ActAsValidator.java      |  8 ++++++
 .../sts/delegation/cxf-sts-transport.xml        |  2 +-
 4 files changed, 13 insertions(+), 32 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 9f9a51e..114d10f 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -113,7 +113,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
     /**
      * Get the Principal (which is used as the Subject). By default, we check the following
(in order):
      *  - A valid OnBehalfOf principal
-     *  - A valid ActAs principal
      *  - A valid principal associated with a token received as ValidateTarget
      *  - The principal associated with the request. We don't need to check to see if it
is "valid" here, as it
      *    is not parsed by the STS (but rather the WS-Security layer).
@@ -129,11 +128,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
             if (receivedToken.getState().equals(STATE.VALID)) {
                 principal = receivedToken.getPrincipal();
             }
-        } else if (providerParameters.getTokenRequirements().getActAs() != null) {
-            ReceivedToken receivedToken = providerParameters.getTokenRequirements().getActAs();
-            if (receivedToken.getState().equals(STATE.VALID)) {
-                principal = receivedToken.getPrincipal();
-            }
         } else if (providerParameters.getTokenRequirements().getValidateTarget() != null)
{
             ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
             if (receivedToken.getState().equals(STATE.VALID)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
index dcfe966..fa66846 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
@@ -40,7 +40,6 @@ import org.apache.cxf.sts.token.provider.TokenProviderParameters;
 import org.apache.cxf.sts.token.provider.TokenProviderResponse;
 import org.apache.cxf.systest.sts.common.CommonCallbackHandler;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
-import org.apache.cxf.systest.sts.issueunit.IssueUnitTest;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -90,7 +89,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase
{
     @org.junit.Test
     public void testSAMLOnBehalfOf() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+        URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
         Bus bus = bf.createBus(busFile.toString());
         SpringBusFactory.setDefaultBus(bus);
@@ -127,7 +126,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase
{
     @org.junit.Test
     public void testSAMLActAs() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+        URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
         Bus bus = bf.createBus(busFile.toString());
         SpringBusFactory.setDefaultBus(bus);
@@ -162,29 +161,9 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase
{
     }
     
     @org.junit.Test
-    public void testTransportNoDelegationToken() throws Exception {
-        SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
-
-        Bus bus = bf.createBus(busFile.toString());
-        SpringBusFactory.setDefaultBus(bus);
-        SpringBusFactory.setThreadDefaultBus(bus);
-
-        try {
-            requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus, 
-                                 DEFAULT_ADDRESS, "Transport_Port");
-            fail("Failure expected on no delegation token");
-        } catch (Exception ex) {
-            // expected
-        }
-        
-        bus.shutdown(true);
-    }
-    
-    @org.junit.Test
     public void testTransportForgedDelegationToken() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+        URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
         Bus bus = bf.createBus(busFile.toString());
         SpringBusFactory.setDefaultBus(bus);
@@ -220,7 +199,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase
{
     @org.junit.Test
     public void testTransportUnsignedDelegationToken() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+        URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
         Bus bus = bf.createBus(busFile.toString());
         SpringBusFactory.setDefaultBus(bus);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
index 4d41397..78db7f6 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
@@ -30,6 +30,7 @@ import org.opensaml.core.xml.XMLObject;
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.Attribute;
 import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.Subject;
 
 /**
  * This class validates a SAML 2 Assertion and checks that it has a CustomActAs Attribute
with
@@ -47,6 +48,13 @@ public class ActAsValidator extends SamlAssertionValidator {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
         }
         
+        // The technical user should be in the Subject
+        Subject subject = saml2Assertion.getSubject();
+        if (subject == null || subject.getNameID() == null
+            || !subject.getNameID().getValue().contains("CN=www.client.com")) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
         List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
         if (attributeStatements == null || attributeStatements.isEmpty()) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
index 2510ebb..665a4ec 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
@@ -128,7 +128,7 @@
                 <sec:trustManagers>
                     <sec:keyStore type="jks" password="stsspass" resource="keys/stsstore.jks"/>
                 </sec:trustManagers>
-                <sec:clientAuthentication want="false" required="false"/>
+                <sec:clientAuthentication want="true" required="false"/>
             </httpj:tlsServerParameters>
         </httpj:engine>
     </httpj:engine-factory>


Mime
View raw message