cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf] branch master updated: CXF-7536 - Add a STRTransform when signing a SAML Token via a SignedElements policy
Date Mon, 23 Oct 2017 13:59:45 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 76905b0  CXF-7536 - Add a STRTransform when signing a SAML Token via a SignedElements
policy
76905b0 is described below

commit 76905b09c7f47b4fd9b48b53f9747984cece9a30
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Mon Oct 23 14:59:06 2017 +0100

    CXF-7536 - Add a STRTransform when signing a SAML Token via a SignedElements policy
---
 .../policyhandlers/AbstractBindingBuilder.java     | 54 +++++++++++++++-------
 1 file changed, 38 insertions(+), 16 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index ce484d0..96702dd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -223,7 +223,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             }
         }
         expandXopInclude = mtomEnabled;
-        
+
         wsDocInfo = new WSDocInfo(secHeader.getSecurityHeaderElement().getOwnerDocument());
 
         Element soapBody = SAAJUtils.getBody(saaj);
@@ -549,9 +549,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
         return ret;
     }
-    
-    private SupportingToken signSupportingToken(SecurityToken secToken, String id, 
-                                                AbstractToken token, SupportingTokens suppTokens)

+
+    private SupportingToken signSupportingToken(SecurityToken secToken, String id,
+                                                AbstractToken token, SupportingTokens suppTokens)
         throws SOAPException {
         WSSecSignature sig = new WSSecSignature(secHeader);
         sig.setIdAllocator(wssConfig.getIdAllocator());
@@ -563,7 +563,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         sig.setExpandXopInclude(isExpandXopInclude());
         sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
         sig.setStoreBytesInAttachment(storeBytesInAttachment);
-        
+
         String tokenType = secToken.getTokenType();
         if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
             || WSS4JConstants.SAML_NS.equals(tokenType)) {
@@ -1321,7 +1321,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         List<WSEncryptionPart> result = new ArrayList<>();
         Element soapBody = SAAJUtils.getBody(this.saaj);
         soapBody = (Element)DOMUtils.getDomElement(soapBody);
-        
+
         if (includeBody && !found.contains(soapBody)) {
             found.add(soapBody);
             final String id = this.addWsuIdToElement(soapBody);
@@ -1405,6 +1405,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         List<WSEncryptionPart> result = new ArrayList<>();
 
         if (xpaths != null && !xpaths.isEmpty()) {
+            boolean useSTRTransform =
+                MessageUtils.getContextualBoolean(
+                    message, SecurityConstants.USE_STR_TRANSFORM, true
+                );
+
             XPathFactory factory = XPathFactory.newInstance();
             for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
                 XPath xpath = factory.newXPath();
@@ -1413,7 +1418,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 }
 
                 NodeList list = null;
-                
+
                 try {
                     Element envelope = saaj.getSOAPPart().getEnvelope();
                     envelope = (Element)DOMUtils.getDomElement(envelope);
@@ -1428,10 +1433,27 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
                         if (!found.contains(el)) {
                             found.add(el);
-                            String id = setIdOnElement(el, forceId);
-                            WSEncryptionPart part =
-                                new WSEncryptionPart(id, encryptionModifier);
-                            part.setElement(el);
+                            WSEncryptionPart part = null;
+                            boolean saml1 = WSS4JConstants.SAML_NS.equals(el.getNamespaceURI())
+                                && "Assertion".equals(el.getLocalName());
+                            boolean saml2 = WSS4JConstants.SAML2_NS.equals(el.getNamespaceURI())
+                                && "Assertion".equals(el.getLocalName());
+
+                            if (useSTRTransform && (saml1 || saml2)) {
+                                String id = saml2 ? el.getAttributeNS(null, "ID")
+                                    : el.getAttributeNS(null, "AssertionID");
+                                SecurityTokenReference secRef =
+                                    createSTRForSamlAssertion(el.getOwnerDocument(), id,
saml1, false);
+                                Element clone = cloneElement(secRef.getElement());
+                                addSupportingElement(clone);
+                                part = new WSEncryptionPart("STRTransform", null, "Element");
+                                part.setId(secRef.getID());
+                                part.setElement(clone);
+                            } else {
+                                String id = setIdOnElement(el, forceId);
+                                part = new WSEncryptionPart(id, encryptionModifier);
+                                part.setElement(el);
+                            }
                             part.setXpath(xPath.getXPath());
 
                             result.add(part);
@@ -1751,7 +1773,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         sig.setStoreBytesInAttachment(storeBytesInAttachment);
         sig.setExpandXopInclude(isExpandXopInclude());
         sig.setWsDocInfo(wsDocInfo);
-        
+
         checkForX509PkiPath(sig, token);
         if (token instanceof IssuedToken || token instanceof SamlToken) {
             assertToken(token);
@@ -1938,9 +1960,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
                 Instant created = Instant.now();
                 Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message)
/ 1000L);
-                SecurityToken secToken = new SecurityToken(id, 
-                                                           utBuilder.getUsernameTokenElement(),

-                                                           created, 
+                SecurityToken secToken = new SecurityToken(id,
+                                                           utBuilder.getUsernameTokenElement(),
+                                                           created,
                                                            expires);
 
                 if (isTokenProtection) {
@@ -2341,7 +2363,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             signatures.add(Arrays.hashCode(val));
         }
     }
-    
+
     public boolean isExpandXopInclude() {
         return expandXopInclude;
     }

-- 
To stop receiving notification emails like this one, please contact
['"commits@cxf.apache.org" <commits@cxf.apache.org>'].

Mime
View raw message