Repository: cxf-fediz Updated Branches: refs/heads/master 6e38053eb -> feacf96c5
Upgrading CXF and WSS4J dependencies Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/feacf96c Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/feacf96c Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/feacf96c Branch: refs/heads/master Commit: feacf96c5f68a49dcc5e6c7d14214b3bdab4622c Parents: 6e38053 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Wed May 6 17:10:28 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Wed May 6 17:10:28 2015 +0100 ---------------------------------------------------------------------- .../fediz/core/processor/SAMLProcessorImpl.java | 19 ++--- .../core/saml/FedizSignatureTrustValidator.java | 8 +- .../cxf/fediz/core/saml/SAMLTokenValidator.java | 38 +++++----- .../fediz/core/saml/SamlAssertionValidator.java | 6 +- .../samlsso/DefaultSAMLPRequestBuilder.java | 22 +++--- .../fediz/core/samlsso/SAMLPRequestBuilder.java | 4 +- .../samlsso/SAMLProtocolResponseValidator.java | 77 +++++--------------- .../core/samlsso/SAMLSSOResponseValidator.java | 23 +++--- .../samlsso/SamlpRequestComponentBuilder.java | 31 ++++---- .../cxf/fediz/core/SAML1CallbackHandler.java | 5 +- .../cxf/fediz/core/SAML2CallbackHandler.java | 6 +- .../samlsso/SAML2PResponseComponentBuilder.java | 21 +++--- .../cxf/fediz/core/samlsso/SAMLRequestTest.java | 5 +- .../samlsso/SAMLResponseConformanceTest.java | 7 +- .../fediz/core/samlsso/SAMLResponseTest.java | 5 +- pom.xml | 15 ++-- .../service/idp/STSAuthenticationProvider.java | 12 +-- .../idp/kerberos/PassThroughKerberosClient.java | 4 +- .../TrustedIdpSAMLProtocolHandler.java | 17 +++-- .../fediz/service/sts/X509TokenValidator.java | 5 +- .../apache/cxf/fediz/sts/AbstractSTSTest.java | 4 +- .../cxf/fediz/sts/realms/ITCrossRealmTest.java | 2 +- .../samlsso/example/SAML2CallbackHandler.java | 4 +- .../example/SAML2PResponseComponentBuilder.java | 21 +++--- 
.../cxf/fediz/samlsso/example/SamlSso.java | 7 +- 25 files changed, 169 insertions(+), 199 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java index ed6dd31..f93a9ad 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java @@ -34,6 +34,7 @@ import javax.servlet.http.HttpServletRequest; import org.w3c.dom.Document; import org.w3c.dom.Element; + import org.apache.cxf.fediz.core.RequestState; import org.apache.cxf.fediz.core.SAMLSSOConstants; import org.apache.cxf.fediz.core.TokenValidator; @@ -58,10 +59,10 @@ import org.apache.wss4j.common.util.DOM2Writer; import org.apache.wss4j.dom.WSConstants; import org.apache.xml.security.exceptions.Base64DecodingException; import org.apache.xml.security.utils.Base64; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.LogoutRequest; -import org.opensaml.xml.XMLObject; +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.LogoutRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -158,15 +159,15 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor { LOG.debug(ex.getMessage(), ex); throw new ProcessingException(TYPE.INVALID_REQUEST); } - if (!(responseObject instanceof org.opensaml.saml2.core.Response)) { + if (!(responseObject instanceof org.opensaml.saml.saml2.core.Response)) { throw new ProcessingException(TYPE.INVALID_REQUEST); } // Validate the Response - validateSamlResponseProtocol((org.opensaml.saml2.core.Response)responseObject, config); + validateSamlResponseProtocol((org.opensaml.saml.saml2.core.Response)responseObject, config); SSOValidatorResponse ssoValidatorResponse = - validateSamlSSOResponse((org.opensaml.saml2.core.Response)responseObject, + validateSamlSSOResponse((org.opensaml.saml.saml2.core.Response)responseObject, request.getRequest(), requestState, config); // Validate the internal assertion(s) @@ -225,7 +226,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor { * @throws ProcessingException */ protected void validateSamlResponseProtocol( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, FedizContext config ) throws ProcessingException { try { @@ -242,7 +243,7 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor { * @throws ProcessingException */ protected SSOValidatorResponse validateSamlSSOResponse( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, HttpServletRequest request, RequestState requestState, FedizContext config http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java index 8c8798f..fd9cd2f 100644 
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java @@ -44,12 +44,12 @@ public class FedizSignatureTrustValidator implements Validator { private static final Logger LOG = LoggerFactory.getLogger(FedizSignatureTrustValidator.class); - public enum TRUST_TYPE { CHAIN_TRUST, CHAIN_TRUST_CONSTRAINTS, PEER_TRUST } + public enum TrustType { CHAIN_TRUST, CHAIN_TRUST_CONSTRAINTS, PEER_TRUST } /** * Defines the kind of trust which is required */ - private TRUST_TYPE signatureTrustType = TRUST_TYPE.CHAIN_TRUST; + private TrustType signatureTrustType = TrustType.CHAIN_TRUST; /** * a collection of compiled regular expression patterns for the subject DN @@ -60,7 +60,7 @@ public class FedizSignatureTrustValidator implements Validator { /** * Set the kind of trust. The default is CHAIN_TRUST. */ - public void setSignatureTrustType(TRUST_TYPE trustType) { + public void setSignatureTrustType(TrustType trustType) { this.signatureTrustType = trustType; } @@ -117,7 +117,7 @@ public class FedizSignatureTrustValidator implements Validator { if (certs != null && certs.length > 0) { validateCertificates(certs); verifyTrustInCerts(certs, crypto, data, data.isRevocationEnabled()); - if (signatureTrustType.equals(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS)) { + if (signatureTrustType.equals(TrustType.CHAIN_TRUST_CONSTRAINTS)) { if (matches(certs[0])) { return credential; } else { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java index 0432183..0992105 100644 
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java @@ -43,7 +43,7 @@ import org.apache.cxf.fediz.core.config.TrustManager; import org.apache.cxf.fediz.core.config.TrustedIssuer; import org.apache.cxf.fediz.core.exception.ProcessingException; import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE; -import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE; +import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TrustType; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.principal.SAMLTokenPrincipal; import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl; @@ -56,10 +56,10 @@ import org.apache.wss4j.dom.handler.RequestData; import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor; import org.apache.wss4j.dom.validate.Credential; import org.joda.time.DateTime; -import org.opensaml.common.SAMLVersion; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -143,9 +143,9 @@ public class SAMLTokenValidator implements TokenValidator { if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) { trustValidator.setSubjectConstraints(subjectConstraints); - trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS); + trustValidator.setSignatureTrustType(TrustType.CHAIN_TRUST_CONSTRAINTS); } else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) { - trustValidator.setSignatureTrustType(TRUST_TYPE.PEER_TRUST); + trustValidator.setSignatureTrustType(TrustType.PEER_TRUST); } else { throw new IllegalStateException("Unsupported certificate validation method: " + ti.getCertificateValidationMethod()); @@ -254,8 +254,8 @@ public class SAMLTokenValidator implements TokenValidator { } protected List<Claim> parseClaimsInAssertion( - org.opensaml.saml1.core.Assertion assertion) { - List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = assertion + org.opensaml.saml.saml1.core.Assertion assertion) { + List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements = assertion .getAttributeStatements(); if (attributeStatements == null || attributeStatements.isEmpty()) { LOG.debug("No attribute statements found"); 
@@ -264,12 +264,12 @@ public class SAMLTokenValidator implements TokenValidator { List<Claim> collection = new ArrayList<>(); Map<String, Claim> claimsMap = new HashMap<>(); - for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements) { + for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) { LOG.debug("parsing statement: {}", statement.getElementQName()); - List<org.opensaml.saml1.core.Attribute> attributes = statement + List<org.opensaml.saml.saml1.core.Attribute> attributes = statement .getAttributes(); - for (org.opensaml.saml1.core.Attribute attribute : attributes) { + for (org.opensaml.saml.saml1.core.Attribute attribute : attributes) { LOG.debug("parsing attribute: {}", attribute.getAttributeName()); Claim c = new Claim(); c.setIssuer(assertion.getIssuer()); @@ -316,8 +316,8 @@ public class SAMLTokenValidator implements TokenValidator { protected List<Claim> parseClaimsInAssertion( - org.opensaml.saml2.core.Assertion assertion) { - List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = assertion + org.opensaml.saml.saml2.core.Assertion assertion) { + List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements = assertion .getAttributeStatements(); if (attributeStatements == null || attributeStatements.isEmpty()) { LOG.debug("No attribute statements found"); 
@@ -327,11 +327,11 @@ public class SAMLTokenValidator implements TokenValidator { List<Claim> collection = new ArrayList<>(); Map<String, Claim> claimsMap = new HashMap<>(); - for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements) { + for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) { LOG.debug("parsing statement: {}", statement.getElementQName()); - List<org.opensaml.saml2.core.Attribute> attributes = statement + List<org.opensaml.saml.saml2.core.Attribute> attributes = statement .getAttributes(); - for (org.opensaml.saml2.core.Attribute attribute : attributes) { + for (org.opensaml.saml.saml2.core.Attribute attribute : attributes) { if (LOG.isDebugEnabled()) { LOG.debug("parsing attribute: " + attribute.getName()); } @@ -408,7 +408,7 @@ public class SAMLTokenValidator implements TokenValidator { } protected String getAudienceRestriction( - org.opensaml.saml1.core.Assertion assertion) { + org.opensaml.saml.saml1.core.Assertion assertion) { String audience = null; try { audience = assertion.getConditions() @@ -421,7 +421,7 @@ public class SAMLTokenValidator implements TokenValidator { } protected String getAudienceRestriction( - org.opensaml.saml2.core.Assertion assertion) { + org.opensaml.saml.saml2.core.Assertion assertion) { String audience = null; try { audience = assertion.getConditions().getAudienceRestrictions() http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java index be35c7a..1dd6b01 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java 
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java @@ -23,7 +23,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.regex.Pattern; -import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE; +import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TrustType; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SamlAssertionWrapper; @@ -37,7 +37,7 @@ import org.apache.wss4j.dom.validate.Credential; */ public class SamlAssertionValidator extends org.apache.wss4j.dom.validate.SamlAssertionValidator { - private TRUST_TYPE signatureTrustType = TRUST_TYPE.CHAIN_TRUST; + private TrustType signatureTrustType = TrustType.CHAIN_TRUST; /** * a collection of compiled regular expression patterns for the subject DN @@ -58,7 +58,7 @@ public class SamlAssertionValidator extends org.apache.wss4j.dom.validate.SamlAs /** * Set the kind of trust. The default is CHAIN_TRUST. */ - public void setSignatureTrustType(TRUST_TYPE trustType) { + public void setSignatureTrustType(TrustType trustType) { this.signatureTrustType = trustType; } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java index 75f04bd..3e61592 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java 
@@ -24,16 +24,16 @@ import java.util.Collections; import java.util.List; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.LogoutRequest; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.AuthnStatement; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.LogoutRequest; +import org.opensaml.saml.saml2.core.NameID; +import org.opensaml.saml.saml2.core.NameIDPolicy; +import org.opensaml.saml.saml2.core.RequestedAuthnContext; /** * A default implementation of the SAMLPRequestBuilder interface to create a SAML 2.0 @@ -122,7 +122,7 @@ public class DefaultSAMLPRequestBuilder implements SAMLPRequestBuilder { if (authenticatedAssertion != null) { if (authenticatedAssertion.getSaml2() != null) { - org.opensaml.saml2.core.Subject subject = + org.opensaml.saml.saml2.core.Subject subject = authenticatedAssertion.getSaml2().getSubject(); if (subject != null && subject.getNameID() != null) { nameID = subject.getNameID(); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java ---------------------------------------------------------------------- 
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java index ba7efba..597cc0d 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java @@ -20,8 +20,8 @@ package org.apache.cxf.fediz.core.samlsso; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.LogoutRequest; /** * This interface defines a methods to create a SAML 2.0 Protocol AuthnRequest and LogoutRequest. http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java index 3bcf807..20d6550 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java 
@@ -28,7 +28,7 @@ import org.apache.cxf.fediz.core.config.FedizContext; import org.apache.cxf.fediz.core.config.TrustManager; import org.apache.cxf.fediz.core.config.TrustedIssuer; import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator; -import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE; +import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TrustType; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SAMLUtil; @@ -37,13 +37,13 @@ import org.apache.wss4j.dom.WSSConfig; import org.apache.wss4j.dom.handler.RequestData; import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor; import org.apache.wss4j.dom.validate.Credential; -import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureValidator; -import org.opensaml.xml.validation.ValidationException; -import org.opensaml.xml.validation.ValidatorSuite; +import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator; +import org.opensaml.security.credential.BasicCredential; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureException; +import org.opensaml.xmlsec.signature.support.SignatureValidator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -68,7 +68,7 @@ public class SAMLProtocolResponseValidator { * @throws WSSecurityException */ public void validateSamlResponse( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, FedizContext config ) throws WSSecurityException { // Check the Status Code 
@@ -85,7 +85,6 @@ public class SAMLProtocolResponseValidator {
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
- validateResponseAgainstSchemas(samlResponse);
 validateResponseSignature(samlResponse, config);
 }
@@ -95,7 +94,7 @@ public class SAMLProtocolResponseValidator {
 * @throws WSSecurityException
 */
 public void validateSamlResponse(
- org.opensaml.saml1.core.Response samlResponse,
+ org.opensaml.saml.saml1.core.Response samlResponse,
 FedizContext config
 ) throws WSSecurityException {
 // Check the Status Code
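Review bot: The removed `validateResponseAgainstSchemas(samlResponse)` call has no replacement, so after this hunk a SAML 2.0 Response is checked only for a Success status and for its signature before the assertions inside it are validated; the next hunk drops the same call on the SAML 1.1 path. OpenSAML 3 no longer ships the ValidatorSuite that implemented it, but the structural check it gave — rejecting a Response whose element layout does not conform to the core schema before any assertion is processed — is a worthwhile defence-in-depth step for a token that arrives in an untrusted browser POST. Unless the parser that builds the Response (outside this hunk) is configured to validate against the SAML schemas, consider restoring an equivalent check, or at minimum record the decision where the call used to be: `// Schema validation dropped with OpenSAML 3 (no ValidatorSuite); structural checks rely on the parser and the assertion validators`. validateSamlResponse starts before this hunk.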
@@ -114,49 +113,14 @@ public class SAMLProtocolResponseValidator {
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
- validateResponseAgainstSchemas(samlResponse);
 validateResponseSignature(samlResponse, config);
 }
 /**
- * Validate the Response against the schemas
- */
- private void validateResponseAgainstSchemas(
- org.opensaml.saml2.core.Response samlResponse
- ) throws WSSecurityException {
- // Validate SAML Response against schemas
- ValidatorSuite schemaValidators =
- org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
- try {
- schemaValidators.validate(samlResponse);
- } catch (ValidationException e) {
- LOG.debug("Saml Validation error: " + e.getMessage(), e);
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
- }
- }
-
- /**
- * Validate the Response against the schemas
- */
- private void validateResponseAgainstSchemas(
- org.opensaml.saml1.core.Response samlResponse
- ) throws WSSecurityException {
- // Validate SAML Response against schemas
- ValidatorSuite schemaValidators =
- org.opensaml.Configuration.getValidatorSuite("saml1-core-schema-validator");
- try {
- schemaValidators.validate(samlResponse);
- } catch (ValidationException e) {
- LOG.debug("Saml Validation error: " + e.getMessage(), e);
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
- }
- }
-
- /**
 * Validate the Response signature (if it exists)
 */
 private void validateResponseSignature(
- org.opensaml.saml2.core.Response samlResponse,
+ org.opensaml.saml.saml2.core.Response samlResponse,
 FedizContext config
 ) throws WSSecurityException {
 if (!samlResponse.isSigned()) {
@@ -172,7 +136,7 @@ public class SAMLProtocolResponseValidator { * Validate the Response signature (if it exists) */ private void validateResponseSignature( - org.opensaml.saml1.core.Response samlResponse, + org.opensaml.saml.saml1.core.Response samlResponse, FedizContext config ) throws WSSecurityException { if (!samlResponse.isSigned()) { @@ -238,9 +202,9 @@ public class SAMLProtocolResponseValidator { if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) { trustValidator.setSubjectConstraints(subjectConstraints); - trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS); + trustValidator.setSignatureTrustType(TrustType.CHAIN_TRUST_CONSTRAINTS); } else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) { - trustValidator.setSignatureTrustType(TRUST_TYPE.PEER_TRUST); + trustValidator.setSignatureTrustType(TrustType.PEER_TRUST); } else { throw new IllegalStateException("Unsupported certificate validation method: " + ti.getCertificateValidationMethod()); 
@@ -284,24 +248,23 @@ public class SAMLProtocolResponseValidator {
 SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
 try {
 validator.validate(signature);
- } catch (ValidationException ex) {
+ } catch (SignatureException ex) {
 LOG.debug("Error in validating the SAML Signature: " + ex.getMessage(), ex);
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
- BasicX509Credential credential = new BasicX509Credential();
+ BasicCredential credential = null;
 if (samlKeyInfo.getCerts() != null) {
- credential.setEntityCertificate(samlKeyInfo.getCerts()[0]);
+ credential = new BasicX509Credential(samlKeyInfo.getCerts()[0]);
 } else if (samlKeyInfo.getPublicKey() != null) {
- credential.setPublicKey(samlKeyInfo.getPublicKey());
+ credential = new BasicCredential(samlKeyInfo.getPublicKey());
 } else {
 LOG.debug("Can't get X509Certificate or PublicKey to verify signature");
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
- SignatureValidator sigValidator = new SignatureValidator(credential);
 try {
- sigValidator.validate(signature);
- } catch (ValidationException ex) {
+ SignatureValidator.validate(signature, credential);
+ } catch (SignatureException ex) {
 LOG.debug("Error in validating the SAML Signature: " + ex.getMessage(), ex);
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 86bb005..7313406 100644
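Review bot: `SignatureValidator.validate(signature, credential)` establishes only that the signature verifies under the key taken from `samlKeyInfo`; nothing in this hunk constrains which signature or digest algorithm is accepted, so a Response signed with a weak algorithm passes as long as the key itself is trusted. The OpenSAML 2 code being replaced had the same gap, but this migration is the natural point to close it, since OpenSAML 3 moved algorithm allow/deny policy into its security configuration rather than into the validator call — worth confirming that such a policy is applied somewhere on this path, or that the trust step preceding this hunk covers it. An explicit check of `signature.getSignatureAlgorithm()` against an allow list, placed right after the profile validation and throwing the same `WSSecurityException(... "invalidSAMLsecurity")`, would make the accepted set visible to a reader. The enclosing method starts and ends outside the hunk.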
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java @@ -27,9 +27,8 @@ import org.apache.wss4j.common.cache.ReplayCache; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.builder.SAML2Constants; import org.apache.wss4j.common.util.DOM2Writer; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.AuthnStatement; - +import org.opensaml.saml.saml2.core.AudienceRestriction; +import org.opensaml.saml.saml2.core.AuthnStatement; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -72,7 +71,7 @@ public class SAMLSSOResponseValidator { * @throws WSSecurityException */ public SSOValidatorResponse validateSamlResponse( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, boolean postBinding ) throws WSSecurityException { // Check the Issuer @@ -96,7 +95,7 @@ public class SAMLSSOResponseValidator { // Validate Assertions boolean foundValidSubject = false; Date sessionNotOnOrAfter = null; - for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { + for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { // Check the Issuer if (assertion.getIssuer() == null) { LOG.debug("Assertion Issuer must not be null"); @@ -113,7 +112,7 @@ public class SAMLSSOResponseValidator { // Check for AuthnStatements and validate the Subject accordingly if (assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty()) { - org.opensaml.saml2.core.Subject subject = assertion.getSubject(); + org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject(); if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) { validateAudienceRestrictionCondition(assertion.getConditions()); foundValidSubject = true; 
@@ -146,7 +145,7 @@ public class SAMLSSOResponseValidator { /** * Validate the Issuer (if it exists) */ - private void validateIssuer(org.opensaml.saml2.core.Issuer issuer) throws WSSecurityException { + private void validateIssuer(org.opensaml.saml.saml2.core.Issuer issuer) throws WSSecurityException { if (issuer == null) { return; } @@ -171,7 +170,7 @@ public class SAMLSSOResponseValidator { * Validate the Subject (of an Authentication Statement). */ private boolean validateAuthenticationSubject( - org.opensaml.saml2.core.Subject subject, String id, boolean postBinding + org.opensaml.saml.saml2.core.Subject subject, String id, boolean postBinding ) throws WSSecurityException { if (subject.getSubjectConfirmations() == null) { return false; @@ -179,7 +178,7 @@ public class SAMLSSOResponseValidator { boolean foundBearerSubjectConf = false; // We need to find a Bearer Subject Confirmation method - for (org.opensaml.saml2.core.SubjectConfirmation subjectConf + for (org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf : subject.getSubjectConfirmations()) { if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) { foundBearerSubjectConf = true; @@ -194,7 +193,7 @@ public class SAMLSSOResponseValidator { * Validate a (Bearer) Subject Confirmation */ private void validateSubjectConfirmation( - org.opensaml.saml2.core.SubjectConfirmationData subjectConfData, String id, boolean postBinding + org.opensaml.saml.saml2.core.SubjectConfirmationData subjectConfData, String id, boolean postBinding ) throws WSSecurityException { if (subjectConfData == null) { LOG.debug("Subject Confirmation Data of a Bearer Subject Confirmation is null"); @@ -253,7 +252,7 @@ public class SAMLSSOResponseValidator { } private void validateAudienceRestrictionCondition( - org.opensaml.saml2.core.Conditions conditions + org.opensaml.saml.saml2.core.Conditions conditions ) throws WSSecurityException { if (conditions == null) { LOG.debug("Conditions are null"); 
@@ -275,7 +274,7 @@ public class SAMLSSOResponseValidator { if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) { if (audienceRestriction.getAudiences() != null) { - for (org.opensaml.saml2.core.Audience audience : audienceRestriction.getAudiences()) { + for (org.opensaml.saml.saml2.core.Audience audience : audienceRestriction.getAudiences()) { if (appliesTo.equals(audience.getAudienceURI())) { return true; } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java index 883eca2..53d4d83 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SamlpRequestComponentBuilder.java 
@@ -24,20 +24,20 @@ import java.util.List; import java.util.UUID; import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.SAMLObjectBuilder; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnContextDeclRef; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.LogoutRequest; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.RequestedAuthnContext; -import org.opensaml.saml2.core.SessionIndex; -import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.saml.common.SAMLObjectBuilder; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.AuthnContextDeclRef; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.LogoutRequest; +import org.opensaml.saml.saml2.core.NameID; +import org.opensaml.saml.saml2.core.NameIDPolicy; +import org.opensaml.saml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml.saml2.core.SessionIndex; /** * A set of utility methods to construct SAMLP Request statements 
@@ -58,7 +58,8 @@ public final class SamlpRequestComponentBuilder { private static volatile SAMLObjectBuilder<AuthnContextClassRef> requestedAuthnCtxClassRefBuilder; - private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private static volatile XMLObjectBuilderFactory builderFactory = + XMLObjectProviderRegistrySupport.getBuilderFactory(); private SamlpRequestComponentBuilder() { } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML1CallbackHandler.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML1CallbackHandler.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML1CallbackHandler.java index 5e8b3bc..10fb4ce 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML1CallbackHandler.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML1CallbackHandler.java @@ -27,10 +27,9 @@ import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.wss4j.common.saml.SAMLCallback; import org.apache.wss4j.common.saml.bean.KeyInfoBean; import org.apache.wss4j.common.saml.bean.SubjectBean; +import org.apache.wss4j.common.saml.bean.Version; import org.apache.wss4j.common.saml.builder.SAML1Constants; import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.opensaml.common.SAMLVersion; - /** * A Callback Handler implementation for a SAML 1.1 assertion. By default it creates an 
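Review bot: The static field initializer `builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory()` binds the builder factory at class-load time, so correctness now depends on the OpenSAML provider registry already being initialized (presumably via WSS4J's `OpenSAMLUtil.initSamlEngine()`) before this class is first touched; if the class is loaded earlier, the field captures whatever the registry holds at that moment and is never refreshed, and the failure surfaces at the first SAML request instead of at startup. The old `Configuration.getBuilderFactory()` carried a similar ordering dependency, but this migration is the point to make it explicit, either by dropping the field and calling `XMLObjectProviderRegistrySupport.getBuilderFactory()` lazily where the builders are obtained, or by documenting it on the field: `// Requires the OpenSAML engine to be initialized (OpenSAMLUtil.initSamlEngine()) before this class is loaded`. The same eager static initializer appears in both SAML2PResponseComponentBuilder copies (plugins/core test and systests samlIdpWebapp). The class body continues outside the hunk.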
@@ -59,7 +58,7 @@ public class SAML1CallbackHandler extends AbstractSAMLCallbackHandler { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof SAMLCallback) { SAMLCallback callback = (SAMLCallback) callbacks[i]; - callback.setSamlVersion(SAMLVersion.VERSION_11); + callback.setSamlVersion(Version.SAML_11); callback.setIssuer(issuer); if (conditions != null) { callback.setConditions(conditions); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML2CallbackHandler.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML2CallbackHandler.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML2CallbackHandler.java index ef2ec02..754d430 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML2CallbackHandler.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/SAML2CallbackHandler.java @@ -27,10 +27,8 @@ import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.wss4j.common.saml.SAMLCallback; import org.apache.wss4j.common.saml.bean.KeyInfoBean; import org.apache.wss4j.common.saml.bean.SubjectBean; +import org.apache.wss4j.common.saml.bean.Version; import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.opensaml.common.SAMLVersion; - - /** * A Callback Handler implementation for a SAML 2 assertion. By default it creates an 
@@ -59,7 +57,7 @@ public class SAML2CallbackHandler extends AbstractSAMLCallbackHandler { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof SAMLCallback) { SAMLCallback callback = (SAMLCallback) callbacks[i]; - callback.setSamlVersion(SAMLVersion.VERSION_20); + callback.setSamlVersion(Version.SAML_20); callback.setIssuer(issuer); if (conditions != null) { callback.setConditions(conditions); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAML2PResponseComponentBuilder.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAML2PResponseComponentBuilder.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAML2PResponseComponentBuilder.java index 29f03d2..068bd29 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAML2PResponseComponentBuilder.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAML2PResponseComponentBuilder.java 
@@ -22,15 +22,15 @@ package org.apache.cxf.fediz.core.samlsso; import java.util.UUID; import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.SAMLObjectBuilder; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.StatusMessage; -import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.saml.common.SAMLObjectBuilder; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.core.StatusMessage; /** * A (basic) set of utility methods to construct SAML 2.0 Protocol Response statements @@ -47,7 +47,8 @@ public final class SAML2PResponseComponentBuilder { private static SAMLObjectBuilder<StatusMessage> statusMessageBuilder; - private static XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private static XMLObjectBuilderFactory builderFactory = + XMLObjectProviderRegistrySupport.getBuilderFactory(); private SAML2PResponseComponentBuilder() { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java index 05c4f7a..d09e7df 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java 
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLRequestTest.java @@ -30,6 +30,7 @@ import javax.servlet.http.HttpServletRequest; import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; + import org.apache.cxf.fediz.common.SecurityTestUtil; import org.apache.cxf.fediz.core.RequestState; import org.apache.cxf.fediz.core.config.FedizConfigurator; @@ -44,8 +45,8 @@ import org.easymock.EasyMock; import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.LogoutRequest; /** * Some tests for creating SAMLRequests using the SAMLProcessorImpl http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java index 1c698c6..3df4cc8 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseConformanceTest.java @@ -35,6 +35,7 @@ import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; + import org.apache.cxf.fediz.common.SecurityTestUtil; import org.apache.cxf.fediz.core.KeystoreCallbackHandler; import org.apache.cxf.fediz.core.RequestState; 
@@ -67,9 +68,9 @@ import org.joda.time.DateTime; import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; import static org.junit.Assert.fail; http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java index 8fc10a5..a3b8bcb 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java @@ -38,6 +38,7 @@ import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.w3c.dom.NodeList; + import org.apache.cxf.fediz.common.STSUtil; import org.apache.cxf.fediz.common.SecurityTestUtil; import org.apache.cxf.fediz.core.AbstractSAMLCallbackHandler; @@ -80,8 +81,8 @@ import org.joda.time.DateTimeZone; import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; import static org.junit.Assert.fail; http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 4189747..6bbd1d6 100644 --- a/pom.xml +++ b/pom.xml 
@@ -39,10 +39,10 @@ <apacheds.version>2.0.0-M19</apacheds.version> <commons.lang.version>3.3.2</commons.lang.version> <commons.logging.version>1.1.3</commons.logging.version> - <cxf.version>3.0.4</cxf.version> - <cxf.build-utils.version>3.0.0</cxf.build-utils.version> + <cxf.version>3.1.0</cxf.version> + <cxf.build-utils.version>3.1.0</cxf.build-utils.version> <easymock.version>3.3</easymock.version> - <ehcache.version>2.8.5</ehcache.version> + <ehcache.version>2.9.0</ehcache.version> <httpclient.version>4.3.5</httpclient.version> <hsqldb.version>1.8.0.10</hsqldb.version> <htmlunit.version>2.15</htmlunit.version> @@ -60,7 +60,7 @@ <spring.version>3.2.6.RELEASE</spring.version> <spring.security.version>3.1.4.RELEASE</spring.security.version> <tomcat.version>7.0.54</tomcat.version> - <wss4j.version>2.0.3</wss4j.version> + <wss4j.version>2.1.0</wss4j.version> <xalan.version>2.7.2</xalan.version> <bval.version>0.5</bval.version> @@ -454,13 +454,18 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-checkstyle-plugin</artifactId> - <version>2.12.1</version> + <version>2.15</version> <dependencies> <dependency> <groupId>org.apache.cxf.build-utils</groupId> <artifactId>cxf-buildtools</artifactId> <version>${cxf.build-utils.version}</version> </dependency> + <dependency> + <groupId>com.puppycrawl.tools</groupId> + <artifactId>checkstyle</artifactId> + <version>6.4.1</version> + </dependency> </dependencies> <configuration> <encoding>UTF-8</encoding> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java index 846b5e3..dd30a4a 100644 
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java @@ -35,7 +35,7 @@ import org.apache.cxf.fediz.core.ClaimTypes; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.xml.XMLObject; +import org.opensaml.core.xml.XMLObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.authentication.AuthenticationProvider; @@ -182,8 +182,8 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide this.lifetime = lifetime; } - protected List<Claim> parseClaimsInAssertion(org.opensaml.saml2.core.Assertion assertion) { - List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = assertion + protected List<Claim> parseClaimsInAssertion(org.opensaml.saml.saml2.core.Assertion assertion) { + List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements = assertion .getAttributeStatements(); if (attributeStatements == null || attributeStatements.isEmpty()) { LOG.debug("No attribute statements found"); 
@@ -193,11 +193,11 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide List<Claim> collection = new ArrayList<>(); Map<String, Claim> claimsMap = new HashMap<>(); - for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements) { + for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) { LOG.debug("parsing statement: {}", statement.getElementQName()); - List<org.opensaml.saml2.core.Attribute> attributes = statement + List<org.opensaml.saml.saml2.core.Attribute> attributes = statement .getAttributes(); - for (org.opensaml.saml2.core.Attribute attribute : attributes) { + for (org.opensaml.saml.saml2.core.Attribute attribute : attributes) { LOG.debug("parsing attribute: {}", attribute.getName()); Claim c = new Claim(); // Workaround for CXF-4484 http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java index 66d995b..6088bed 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java 
@@ -22,10 +22,10 @@ package org.apache.cxf.fediz.service.idp.kerberos; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.ws.security.kerberos.KerberosClient; import org.apache.cxf.ws.security.tokenstore.SecurityToken; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSConfig; import org.apache.wss4j.dom.message.token.KerberosSecurity; -import org.apache.wss4j.dom.util.WSSecurityUtil; import org.apache.xml.security.utils.Base64; /** @@ -53,7 +53,7 @@ public class PassThroughKerberosClient extends KerberosClient { securityToken.setToken(bst.getElement()); securityToken.setWsuId(bst.getID()); securityToken.setData(bst.getToken()); - String sha1 = Base64.encode(WSSecurityUtil.generateDigest(bst.getToken())); + String sha1 = Base64.encode(KeyUtils.generateDigest(bst.getToken())); securityToken.setSHA1(sha1); securityToken.setTokenType(bst.getValueType()); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java index bab707a..b2cfdea 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java @@ -42,6 +42,7 @@ import javax.ws.rs.core.UriBuilder; import org.w3c.dom.Document; import org.w3c.dom.Element; + import org.apache.cxf.common.util.Base64Exception; import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.common.util.StringUtils; 
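Review bot: The result of `KeyUtils.generateDigest(bst.getToken())` is stored through `securityToken.setSHA1(sha1)`, so it is consumed as the token's SHA-1 key identifier and the new helper must yield exactly the digest the removed `WSSecurityUtil.generateDigest` did, otherwise peers referencing this Kerberos token by key identifier will no longer resolve it. Neither method name states the algorithm, so the expectation rests on the local's name alone; pin it with a comment such as `// KeyUtils.generateDigest is expected to be SHA-1 over the raw token bytes (key-identifier reference) — verified against WSSecurityUtil.generateDigest during the WSS4J 2.1 upgrade`. The enclosing method starts and ends outside the hunk.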
@@ -71,8 +72,8 @@ import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.util.DOM2Writer; import org.apache.xml.security.stax.impl.util.IDGenerator; import org.apache.xml.security.utils.Base64; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.xml.XMLObject; +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.saml2.core.AuthnRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; @@ -195,7 +196,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler SSOConstants.SAML_RESPONSE); // Read the response + convert to an OpenSAML Response Object - org.opensaml.saml2.core.Response samlResponse = + org.opensaml.saml.saml2.core.Response samlResponse = readSAMLResponse(encodedSAMLResponse, trustedIdp); Crypto crypto = getCrypto(trustedIdp.getCertificate()); @@ -336,7 +337,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler return CertsUtils.createCrypto(certificate); } - private org.opensaml.saml2.core.Response readSAMLResponse(String samlResponse, TrustedIdp trustedIdp) { + private org.opensaml.saml.saml2.core.Response readSAMLResponse(String samlResponse, TrustedIdp trustedIdp) { if (StringUtils.isEmpty(samlResponse)) { throw ExceptionUtils.toBadRequestException(null, null); } @@ -378,10 +379,10 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler } catch (WSSecurityException ex) { throw ExceptionUtils.toBadRequestException(ex, null); } - if (!(responseObject instanceof org.opensaml.saml2.core.Response)) { + if (!(responseObject instanceof org.opensaml.saml.saml2.core.Response)) { throw ExceptionUtils.toBadRequestException(null, null); } - return (org.opensaml.saml2.core.Response)responseObject; + return (org.opensaml.saml.saml2.core.Response)responseObject; } 
@@ -389,7 +390,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler * Validate the received SAML Response as per the protocol */ private void validateSamlResponseProtocol( - org.opensaml.saml2.core.Response samlResponse, Crypto crypto, TrustedIdp trustedIdp + org.opensaml.saml.saml2.core.Response samlResponse, Crypto crypto, TrustedIdp trustedIdp ) { try { SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator(); @@ -407,7 +408,7 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler * Validate the received SAML Response as per the Web SSO profile */ private SSOValidatorResponse validateSamlSSOResponse( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, Idp idp, TrustedIdp trustedIdp, RequestContext requestContext http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java ---------------------------------------------------------------------- diff --git a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java index c2bf638..8ce3693 100644 --- a/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java +++ b/services/sts/src/main/java/org/apache/cxf/fediz/service/sts/X509TokenValidator.java @@ -29,6 +29,7 @@ import javax.security.auth.callback.CallbackHandler; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Text; + import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.sts.STSPropertiesMBean; 
@@ -41,11 +42,11 @@ import org.apache.cxf.sts.token.validator.TokenValidatorResponse; import org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.token.BinarySecurity; +import org.apache.wss4j.common.token.X509Security; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSConfig; import org.apache.wss4j.dom.handler.RequestData; -import org.apache.wss4j.dom.message.token.BinarySecurity; -import org.apache.wss4j.dom.message.token.X509Security; import org.apache.wss4j.dom.validate.Credential; import org.apache.wss4j.dom.validate.SignatureTrustValidator; import org.apache.wss4j.dom.validate.Validator; http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/services/sts/src/test/java/org/apache/cxf/fediz/sts/AbstractSTSTest.java ---------------------------------------------------------------------- diff --git a/services/sts/src/test/java/org/apache/cxf/fediz/sts/AbstractSTSTest.java b/services/sts/src/test/java/org/apache/cxf/fediz/sts/AbstractSTSTest.java index 832ec35..57ff904 100644 --- a/services/sts/src/test/java/org/apache/cxf/fediz/sts/AbstractSTSTest.java +++ b/services/sts/src/test/java/org/apache/cxf/fediz/sts/AbstractSTSTest.java @@ -38,9 +38,7 @@ import javax.xml.stream.XMLStreamException; import org.w3c.dom.Document; import org.w3c.dom.Element; - import org.xml.sax.SAXException; - import org.apache.cxf.Bus; import org.apache.cxf.configuration.jsse.TLSClientParameters; import org.apache.cxf.staxutils.StaxUtils; 
@@ -57,7 +55,7 @@ import org.apache.cxf.ws.security.trust.STSUtils; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.dom.WSConstants; import org.junit.Assert; -import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.Attribute; public abstract class AbstractSTSTest { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/services/sts/src/test/java/org/apache/cxf/fediz/sts/realms/ITCrossRealmTest.java ---------------------------------------------------------------------- diff --git a/services/sts/src/test/java/org/apache/cxf/fediz/sts/realms/ITCrossRealmTest.java b/services/sts/src/test/java/org/apache/cxf/fediz/sts/realms/ITCrossRealmTest.java index 48ff9a6..6187a2c 100644 --- a/services/sts/src/test/java/org/apache/cxf/fediz/sts/realms/ITCrossRealmTest.java +++ b/services/sts/src/test/java/org/apache/cxf/fediz/sts/realms/ITCrossRealmTest.java @@ -33,7 +33,7 @@ import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.junit.Assert; import org.junit.BeforeClass; -import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.Attribute; /** * Some unit tests for the CXF STSClient Issue Binding. http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2CallbackHandler.java ---------------------------------------------------------------------- diff --git a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2CallbackHandler.java b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2CallbackHandler.java index cb5bce9..b4c3db4 100644 --- a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2CallbackHandler.java 
+++ b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2CallbackHandler.java @@ -35,8 +35,8 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean; import org.apache.wss4j.common.saml.bean.ConditionsBean; import org.apache.wss4j.common.saml.bean.SubjectBean; import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean; +import org.apache.wss4j.common.saml.bean.Version; import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.opensaml.common.SAMLVersion; /** * A Callback Handler implementation for a SAML 2 assertion for use by the SAML SSO IdP. By @@ -85,7 +85,7 @@ public class SAML2CallbackHandler implements CallbackHandler { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof SAMLCallback) { SAMLCallback callback = (SAMLCallback) callbacks[i]; - callback.setSamlVersion(SAMLVersion.VERSION_20); + callback.setSamlVersion(Version.SAML_20); callback.setIssuer(issuer); if (conditions != null) { callback.setConditions(conditions); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2PResponseComponentBuilder.java ---------------------------------------------------------------------- diff --git a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2PResponseComponentBuilder.java b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2PResponseComponentBuilder.java index e53f443..9934dc1 100644 --- a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2PResponseComponentBuilder.java +++ b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SAML2PResponseComponentBuilder.java 
@@ -22,15 +22,15 @@ package org.apache.cxf.fediz.samlsso.example; import java.util.UUID; import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.SAMLObjectBuilder; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.StatusMessage; -import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.saml.common.SAMLObjectBuilder; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.core.StatusMessage; /** * A (basic) set of utility methods to construct SAML 2.0 Protocol Response statements @@ -47,7 +47,8 @@ public final class SAML2PResponseComponentBuilder { private static SAMLObjectBuilder<StatusMessage> statusMessageBuilder; - private static XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private static XMLObjectBuilderFactory builderFactory = + XMLObjectProviderRegistrySupport.getBuilderFactory(); private SAML2PResponseComponentBuilder() { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/feacf96c/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java ---------------------------------------------------------------------- diff --git a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java index 6df23c1..cf43784 100644 
--- a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java +++ b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java @@ -35,7 +35,6 @@ import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; - import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.jaxrs.ext.MessageContext; import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder; @@ -51,9 +50,9 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean; import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean; import org.apache.wss4j.common.util.DOM2Writer; import org.joda.time.DateTime; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; /** * A mock IdP for SAML SSO. The user is already authenticated via HTTP/BA.