From cohei...@apache.org
Subject [cxf] branch master updated: CXF-7935 - SAML SubjectConfirmation validation in PolicyBasedWSS4JInInterceptor
Date Thu, 03 Jan 2019 17:47:46 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 017ecad  CXF-7935 - SAML SubjectConfirmation validation in PolicyBasedWSS4JInInterceptor
017ecad is described below

commit 017ecadb931732852de7c41bc6dc9c032e505c3a
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu Jan 3 17:10:16 2019 +0000

    CXF-7935 - SAML SubjectConfirmation validation in PolicyBasedWSS4JInInterceptor
---
 .../policyvalidators/SamlTokenPolicyValidator.java | 39 ++++++++++++++--------
 .../ws/saml/subjectconf/SamlSubjectConfTest.java   | 15 ++++++++-
 .../saml/subjectconf/DoubleItSamlSubjectConf.wsdl  |  3 ++
 .../cxf/systest/ws/saml/subjectconf/server.xml     |  7 ++++
 .../systest/ws/saml/subjectconf/stax-server.xml    |  8 +++++
 5 files changed, 58 insertions(+), 14 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
index 8535fed..22bfedc 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
@@ -24,9 +24,11 @@ import java.util.Collection;
 
 import javax.xml.namespace.QName;
 
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -77,6 +79,14 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator
{
                 continue;
             }
 
+            String valSAMLSubjectConf =
+                (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
+                                                               parameters.getMessage());
+            boolean validateSAMLSubjectConf = true;
+            if (valSAMLSubjectConf != null) {
+                validateSAMLSubjectConf = Boolean.parseBoolean(valSAMLSubjectConf);
+            }
+
             // All of the received SAML Assertions must conform to the policy
             for (WSSecurityEngineResult result : parameters.getSamlResults()) {
                 SamlAssertionWrapper assertionWrapper =
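Review bot: The flag derived on the added lines fails open for malformed configuration: `Boolean.parseBoolean` returns false for any value other than "true" (case-insensitive), so a typo such as "ture" or a value like "no" silently disables the holder-of-key and sender-vouches checks below. Since an explicit opt-out should be the only thing that turns off a security check, derive the flag as `validateSAMLSubjectConf = !"false".equalsIgnoreCase(valSAMLSubjectConf);` (or reject unrecognised values outright), so only a literal "false" disables it. The `(String)` cast will also throw if a caller puts a `Boolean` into the message context rather than a string; if rt-security's SecurityUtils offers a boolean-returning variant with a default, that would handle both forms. The lookup also appears to sit inside a loop (the `continue` at the top of the hunk suggests one), so hoisting it above the loop avoids repeating it per assertion; the enclosing method starts outside the hunk.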
@@ -86,19 +96,22 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator
{
                     ai.setNotAsserted("Wrong SAML Version");
                     continue;
                 }
-                TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
-                Certificate[] tlsCerts = null;
-                if (tlsInfo != null) {
-                    tlsCerts = tlsInfo.getPeerCertificates();
-                }
-                if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts))
{
-                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
-                    continue;
-                }
-                if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(),
-                                                    parameters.getSignedResults())) {
-                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
-                    continue;
+
+                if (validateSAMLSubjectConf) {
+                    TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
+                    Certificate[] tlsCerts = null;
+                    if (tlsInfo != null) {
+                        tlsCerts = tlsInfo.getPeerCertificates();
+                    }
+                    if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(),
tlsCerts)) {
+                        ai.setNotAsserted("Assertion fails holder-of-key requirements");
+                        continue;
+                    }
+                    if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(),
+                                                        parameters.getSignedResults())) {
+                        ai.setNotAsserted("Assertion fails sender-vouches requirements");
+                        continue;
+                    }
                 }
                 /*
                     if (!checkIssuerName(samlToken, assertionWrapper)) {
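Review bot: When `validateSAMLSubjectConf` is false the assertion is accepted without any holder-of-key or sender-vouches proof, and nothing in the new `if` branch records that this happened, so an operator has no trace that a token was accepted on trust alone. Add an `else` carrying a comment and, if the class has a logger, a debug-level message, e.g. `// Subject confirmation checks disabled via security.validate.saml.subject.conf; assertion accepted without HOK/SV proof`. It would also help to state on the new constant's Javadoc (in SecurityConstants, outside this diff) that the default is to validate and that setting it to false should be reserved for deployments where the transport or a prior layer already binds the assertion to the sender. The enclosing for-loop and method continue beyond the hunk.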
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/subjectconf/SamlSubjectConfTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/subjectconf/SamlSubjectConfTest.java
index ddbb08f..26613be 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/subjectconf/SamlSubjectConfTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/subjectconf/SamlSubjectConfTest.java
@@ -97,6 +97,7 @@ public class SamlSubjectConfTest extends AbstractBusClientServerTestBase
{
     // HOK requires client auth + a internally signed token. The server is set up not to
     // require client auth to test this.
     //
+
     @org.junit.Test
     public void testHOKClientAuthentication() throws Exception {
 
@@ -182,6 +183,7 @@ public class SamlSubjectConfTest extends AbstractBusClientServerTestBase
{
         }
 
         ((java.io.Closeable)port).close();
+
         bus.shutdown(true);
     }
 
@@ -221,6 +223,18 @@ public class SamlSubjectConfTest extends AbstractBusClientServerTestBase
{
         }
 
         ((java.io.Closeable)port).close();
+
+        // Here we try against a service that has explicitly disabled the SAML Subject Confirmation
Method requirements,
+        // and so the invocation should pass
+        portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+
+        ((BindingProvider)port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER,
callbackHandler);
+        int result = port.doubleIt(25);
+        assertTrue(result == 50);
+        ((java.io.Closeable)port).close();
+
         bus.shutdown(true);
     }
 
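Review bot: The new assertion `assertTrue(result == 50);` reports only "AssertionError" on failure; `assertEquals(50, result);` prints the expected and actual values and matches the comparison style reviewers expect in JUnit tests. The added comment spans a wrapped line and would read better as a single sentence: `// This service has explicitly disabled the SAML Subject Confirmation Method requirements, so the invocation should pass`. The enclosing test method starts outside the hunk.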
@@ -406,5 +420,4 @@ public class SamlSubjectConfTest extends AbstractBusClientServerTestBase
{
     }
 
 
-
 }
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/DoubleItSamlSubjectConf.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/DoubleItSamlSubjectConf.wsdl
index b520318..0368b4d 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/DoubleItSamlSubjectConf.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/DoubleItSamlSubjectConf.wsdl
@@ -41,6 +41,9 @@
         <wsdl:port name="DoubleItSaml2TransportPort" binding="tns:DoubleItSaml2TransportBinding">
             <soap:address location="https://localhost:9009/DoubleItSaml2Transport"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml2TransportPort2" binding="tns:DoubleItSaml2TransportBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml2Transport2"/>
+        </wsdl:port>
     </wsdl:service>
     <wsp:Policy wsu:Id="DoubleItSaml2TransportPolicy">
         <wsp:ExactlyOne>
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/server.xml
index 2361d58..99eda4f 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/server.xml
@@ -49,4 +49,11 @@
        </jaxws:properties>
     </jaxws:endpoint>
     
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverTransport2"
address="https://localhost:${testutil.ports.saml.subjectconf.Server}/DoubleItSaml2Transport2"
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/subjectconf//DoubleItSamlSubjectConf.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="security.signature.properties" value="morpit.properties"/>
+            <entry key="security.validate.saml.subject.conf" value="false"/>
+       </jaxws:properties>
+    </jaxws:endpoint>
+    
 </beans>
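Review bot: The new endpoint's `wsdlLocation` contains a doubled slash, `subjectconf//DoubleItSamlSubjectConf.wsdl`; classpath resolution usually tolerates it, but it reads as a typo and should be `wsdlLocation="org/apache/cxf/systest/ws/saml/subjectconf/DoubleItSamlSubjectConf.wsdl"` (align with the sibling endpoint above if it uses a single slash). The closing `</jaxws:properties>` is also indented one column less than its opening tag. Both points apply equally to the matching hunk in stax-server.xml.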
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/stax-server.xml
index fd0b6fa..28da188 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/subjectconf/stax-server.xml
@@ -50,4 +50,12 @@
        </jaxws:properties>
     </jaxws:endpoint>
     
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverTransport2"
address="https://localhost:${testutil.ports.saml.subjectconf.StaxServer}/DoubleItSaml2Transport2"
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/subjectconf//DoubleItSamlSubjectConf.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="security.signature.properties" value="morpit.properties"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="security.validate.saml.subject.conf" value="false"/>
+       </jaxws:properties>
+    </jaxws:endpoint>
+    
 </beans>

