Author: sergeyb
Date: Thu Sep 1 08:57:25 2011
New Revision: 1163951
URL: http://svn.apache.org/viewvc?rev=1163951&view=rev
Log:
[CXF-3587] Some more fixes to the way enveloped saml tokens are signed
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlEnvelopedOutInterceptor.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlEnvelopedOutInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlEnvelopedOutInterceptor.java?rev=1163951&r1=1163950&r2=1163951&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlEnvelopedOutInterceptor.java
(original)
+++
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SamlEnvelopedOutInterceptor.java
Thu Sep 1 08:57:25 2011
@@ -25,6 +25,7 @@ import org.w3c.dom.Element;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.XMLUtils;
+import org.apache.cxf.io.CachedOutputStream;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.xml.AbstractXmlSecOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlEncOutInterceptor;
@@ -38,6 +39,7 @@ public class SamlEnvelopedOutInterceptor
private static final QName DEFAULT_ENV_QNAME =
new QName("http://org.apache.cxf/rs/env", "Envelope",
DEFAULT_ENV_PREFIX);
private QName envelopeQName = DEFAULT_ENV_QNAME;
+ private boolean signLater;
public SamlEnvelopedOutInterceptor() {
// SAML assertions may contain enveloped XML signatures so
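Review bot: The new `signLater` field has no comment, and its effect is only discoverable from the addBefore/addAfter calls in the constructor further down, so a reader of the field alone cannot tell which way round the ordering goes. I would document it at the declaration: `// true: this interceptor runs before XmlSigOutInterceptor, so the signature is applied over the finished envelope; false: the envelope wraps an already-signed assertion`. If the no-arg constructor visible just below delegates with `this(false)`, the field could also be `private final boolean signLater;`, but its body is outside the hunk so I cannot confirm that.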
@@ -49,10 +51,11 @@ public class SamlEnvelopedOutInterceptor
public SamlEnvelopedOutInterceptor(boolean signLater) {
if (signLater) {
- super.addAfter(XmlSigOutInterceptor.class.getName());
+ super.addBefore(XmlSigOutInterceptor.class.getName());
} else {
super.addAfter(XmlSigOutInterceptor.class.getName());
}
+ this.signLater = signLater;
super.addBefore(XmlEncOutInterceptor.class.getName());
}
@@ -89,7 +92,20 @@ public class SamlEnvelopedOutInterceptor
payloadDoc.removeChild(docEl);
newDoc.adoptNode(docEl);
root.appendChild(docEl);
- return newDoc;
+
+ if (signLater) {
+ // it appears all the above manipulation with
+ // adopting and removing nodes
+ // leaves some stale refs/state and thus the digest ends uo being
wrong
+ // on the server side if XML sig is applied later in the enveloped
mode
+ // TODO: this is not critical now - but figure iut if we can avoid
copying
+ // DOMs
+ CachedOutputStream bos = new CachedOutputStream();
+ DOMUtils.writeXml(newDoc, bos);
+ return DOMUtils.readXml(bos.getInputStream());
+ } else {
+ return newDoc;
+ }
}
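Review bot: The `CachedOutputStream` created in the signLater branch is never closed, and neither is the `InputStream` obtained from `bos.getInputStream()`; `CachedOutputStream` can spill its content to a temporary file, which presumably stays on disk until those streams are closed, so every signed-later request may leak a temp file holding the serialized payload and assertion. Wrapping the write and the re-parse in try/finally (needs `java.io.InputStream` imported) fixes that; the enclosing method's signature is outside the hunk, so I cannot see whether the checked exceptions thrown by `DOMUtils.readXml` are already declared. The explanatory comment also has typos worth fixing while here: "ends uo" → "ends up", "figure iut" → "figure out".
```java
if (signLater) {
    // … unchanged: comment explaining the serialize/re-parse round-trip …
    CachedOutputStream bos = new CachedOutputStream();
    try {
        DOMUtils.writeXml(newDoc, bos);
        InputStream is = bos.getInputStream();
        try {
            return DOMUtils.readXml(is);
        } finally {
            is.close();
        }
    } finally {
        bos.close();
    }
} else {
    return newDoc;
}
```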
Modified:
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java?rev=1163951&r1=1163950&r2=1163951&view=diff
==============================================================================
---
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
(original)
+++
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
Thu Sep 1 08:57:25 2011
@@ -114,7 +114,9 @@ public class JAXRSSamlTest extends Abstr
WebClient wc = createWebClient(address, new
SamlEnvelopedOutInterceptor(!signed),
null, signed);
XmlSigOutInterceptor xmlSig = new XmlSigOutInterceptor();
- xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
+ if (signed) {
+ xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
+ }
WebClient.getConfig(wc).getOutInterceptors().add(xmlSig);
wc.type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
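Review bot: After this change the `signed` flag no longer means "sign or not": `xmlSig` is added to the out interceptors on both paths, and the flag now only selects the detached style and the interceptor ordering via `new SamlEnvelopedOutInterceptor(!signed)`. A reader of the test method will assume the `false` case sends an unsigned request, so the branch deserves a comment such as `// signed == false: the signature interceptor still runs, but with its default style and after the SAML envelope is built`. The method signature that declares `signed` is outside the hunk, so renaming it (e.g. to `detached`) would need a wider change than this diff shows.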
Modified:
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java?rev=1163951&r1=1163950&r2=1163951&view=diff
==============================================================================
---
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
(original)
+++
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
Thu Sep 1 08:57:25 2011
@@ -72,7 +72,9 @@ public class JAXRSXmlSecTest extends Abs
"org/apache/cxf/systest/jaxrs/security/alice.properties");
bean.setProperties(properties);
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
- sigInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
+ if (enveloping) {
+ sigInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
+ }
bean.getOutInterceptors().add(sigInterceptor);
bean.setServiceClass(BookStore.class);
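Review bot: The same interceptor setup — construct `XmlSigOutInterceptor`, conditionally set `ENVELOPING_SIG`, add it to the bean — is now duplicated verbatim in this hunk and in the second hunk of this file (the one at line 122 of the diff); the surrounding properties/bean lines are identical too, which suggests the whole setup belongs in one helper. Extracting the signature part keeps the two test methods in sync the next time the style logic changes, with each call site becoming `bean.getOutInterceptors().add(createSigInterceptor(enveloping));`. Both enclosing test methods start outside the hunks, so the helper's placement in the class is left to the author.
```java
private static XmlSigOutInterceptor createSigInterceptor(boolean enveloping) {
    XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
    if (enveloping) {
        sigInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
    }
    return sigInterceptor;
}
```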
@@ -120,7 +122,9 @@ public class JAXRSXmlSecTest extends Abs
"org/apache/cxf/systest/jaxrs/security/alice.properties");
bean.setProperties(properties);
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
- sigInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
+ if (enveloping) {
+ sigInterceptor.setStyle(XmlSigOutInterceptor.ENVELOPING_SIG);
+ }
bean.getOutInterceptors().add(sigInterceptor);