Repository: cxf Updated Branches: refs/heads/master 7dec3c88a -> 953d23f38
[CXF-6543] - It's not possible to specify the signature + digest algorithms for self-signed SAML Assertions with JAX-RS Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/953d23f3 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/953d23f3 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/953d23f3 Branch: refs/heads/master Commit: 953d23f38ddfe044a4dff4783498ebe5d68d76c1 Parents: 7dec3c8 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Aug 14 14:06:51 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Aug 14 14:07:09 2015 +0100 ---------------------------------------------------------------------- .../apache/cxf/rs/security/saml/SAMLUtils.java | 5 ++- .../jaxrs/security/saml/JAXRSSamlTest.java | 37 ++++++++++++++++---- .../security/saml/SamlCallbackHandler.java | 34 +++++++++++++++++- 3 files changed, 67 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index 1471191..60c755d 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -112,7 +112,10 @@ public final class SAMLUtils {
 RSSecurityUtils.getPassword(message, user, WSPasswordCallback.SIGNATURE, SAMLUtils.class);
-assertion.signAssertion(user, password, crypto, false);
+assertion.signAssertion(user, password, crypto, false,
+samlCallback.getCanonicalizationAlgorithm(),
+samlCallback.getSignatureAlgorithm(),
+samlCallback.getSignatureDigestAlgorithm());
 }
 return assertion;
 } catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java ----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
index ccbabf4..7949c13 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/JAXRSSamlTest.java
@@ -23,6 +23,7 @@ import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
+import javax.security.auth.callback.CallbackHandler;
 import javax.ws.rs.ProcessingException;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Form;
@@ -41,9 +42,11 @@ import org.apache.cxf.rs.security.saml.SamlEnvelopedOutInterceptor;
 import org.apache.cxf.rs.security.saml.SamlFormOutInterceptor;
 import org.apache.cxf.rs.security.saml.SamlHeaderOutInterceptor;
 import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.systest.jaxrs.security.Book;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.WSConstants;
 import org.junit.BeforeClass;
 import org.junit.Test;
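Review bot: The three values read from `samlCallback` on the added lines are handed to `signAssertion` without any local check, so when a callback handler leaves them unset (the systest handler in this same commit defaults them to null) the effective canonicalization, signature and digest algorithm is decided entirely inside WSS4J. I believe `signAssertion` substitutes its own defaults for a null signature or digest algorithm, but that is not visible here and deserves confirming and recording, e.g. `// Algorithms come from the SamlCallback; a null value leaves the choice to signAssertion's defaults - confirmed against WSS4J <version placeholder>`. The enclosing method starts and ends outside the hunk.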
@@ -125,6 +128,16 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
 }
 @Test
+public void testBearerSignedDifferentAlgorithms() throws Exception {
+SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+callbackHandler.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
+callbackHandler.setDigestAlgorithm(WSConstants.SHA256);
+callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+callbackHandler.setSignAssertion(true);
+doTestEnvelopedSAMLToken(true, callbackHandler);
+}
+
+@Test
 public void testEnvelopedUnsignedSAMLToken() throws Exception {
 doTestEnvelopedSAMLToken(false);
 }
@@ -177,8 +190,12 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
 }
 public void doTestEnvelopedSAMLToken(boolean signed) throws Exception {
+doTestEnvelopedSAMLToken(signed, new SamlCallbackHandler());
+}
+
+public void doTestEnvelopedSAMLToken(boolean signed, CallbackHandler samlCallbackHandler) throws Exception {
 String address = "https://localhost:" + PORT + "/samlxml/bookstore/books";
-WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed), null);
+WebClient wc = createWebClient(address, new SamlEnvelopedOutInterceptor(!signed), null, samlCallbackHandler);
 XmlSigOutInterceptor xmlSig = new XmlSigOutInterceptor();
 if (signed) {
 xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
@@ -204,6 +221,13 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
 private WebClient createWebClient(String address,
 Interceptor<Message> outInterceptor,
 Object provider) {
+return createWebClient(address, outInterceptor, provider, new SamlCallbackHandler());
+}
+
+private WebClient createWebClient(String address,
+Interceptor<Message> outInterceptor,
+Object provider,
+CallbackHandler samlCallbackHandler) {
 JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
 bean.setAddress(address);
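Review bot: `testBearerSignedDifferentAlgorithms` configures RSA-SHA256 and SHA-256 on the handler, but as far as the visible part of `doTestEnvelopedSAMLToken` shows nothing asserts which SignatureMethod or DigestMethod actually ended up in the sent assertion, so the test still passes if the new parameters are silently ignored, which is the regression the commit title describes. Consider capturing the outbound assertion and asserting on the two algorithm URIs so the test fails for the original bug. The signature algorithm is also a bare URI literal next to the symbolic `WSConstants.SHA256`; naming it as a constant in the test, or using the xmlsec constant for RSA-SHA256 if it is on the test classpath, keeps the two readable together.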
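Review bot: The new 4-argument `createWebClient` overload in the third hunk takes `samlCallbackHandler` and, per the following hunk, stores it straight into the properties map, so a null argument silently registers a null handler instead of failing where the mistake was made; `Objects.requireNonNull(samlCallbackHandler, "samlCallbackHandler");` as the first statement of the overload would make that explicit. The public `doTestEnvelopedSAMLToken(boolean, CallbackHandler)` overload in the second hunk has the same gap and no Javadoc explaining how `signed` (which turns on the detached `XmlSigOutInterceptor` signature on the message) relates to the handler's own `signAssertion` flag, and the new test sets both. Both method bodies continue outside their hunks.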
@@ -213,12 +237,11 @@ public class JAXRSSamlTest extends AbstractBusClientServerTestBase {
 bean.setBus(springBus);
 Map<String, Object> properties = new HashMap<String, Object>();
-properties.put("security.callback-handler",
+properties.put(SecurityConstants.CALLBACK_HANDLER,
 "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
-properties.put("security.saml-callback-handler",
-"org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
-properties.put("security.signature.username", "alice");
-properties.put("security.signature.properties",
+properties.put(SecurityConstants.SAML_CALLBACK_HANDLER, samlCallbackHandler);
+properties.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
+properties.put(SecurityConstants.SIGNATURE_PROPERTIES,
 "org/apache/cxf/systest/jaxrs/security/alice.properties");
 bean.setProperties(properties);
http://git-wip-us.apache.org/repos/asf/cxf/blob/953d23f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java ----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 81e4448..5a6b26f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -59,6 +59,9 @@ import org.joda.time.DateTime;
 public class SamlCallbackHandler implements CallbackHandler {
 private boolean saml2 = true;
 private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+private String signatureAlgorithm;
+private String digestAlgorithm;
+private boolean signAssertion;
 public SamlCallbackHandler() {
 //
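Review bot: The three fields added to `SamlCallbackHandler` in the last hunk carry no comment on what an unset value means, although `signatureAlgorithm` and `digestAlgorithm` default to null and `signAssertion` to false, and the handler copies all three into the `SamlCallback` later in the file. The neighbouring fields at least show their default in the initializer; a comment such as `// XML-DSig algorithm URIs; null = leave the choice to WSS4J's defaults` on the two String fields and `// true = ask SAMLUtils to self-sign the assertion with the configured signature key` on the boolean would save readers a trip through SAMLUtils. The class body continues outside the hunk.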
@@ -106,7 +109,7 @@ public class SamlCallbackHandler implements CallbackHandler {
 SecurityConstants.SIGNATURE_PROPERTIES);
 X509Certificate cert = RSSecurityUtils.getCertificates(crypto,
-RSSecurityUtils.getUserName(m, crypto, "security.signature.username"))[0];
+RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
 KeyInfoBean keyInfo = new KeyInfoBean();
 keyInfo.setCertificate(cert);
@@ -172,8 +175,37 @@ public class SamlCallbackHandler implements CallbackHandler {
 attrBean.setSamlAttributes(claims);
 callback.setAttributeStatementData(Collections.singletonList(attrBean));
+
+callback.setSignatureAlgorithm(signatureAlgorithm);
+callback.setSignatureDigestAlgorithm(digestAlgorithm);
+
+callback.setSignAssertion(signAssertion);
 }
 }
 }
+
+public String getSignatureAlgorithm() {
+return signatureAlgorithm;
+}
+
+public void setSignatureAlgorithm(String signatureAlgorithm) {
+this.signatureAlgorithm = signatureAlgorithm;
+}
+
+public String getDigestAlgorithm() {
+return digestAlgorithm;
+}
+
+public void setDigestAlgorithm(String digestAlgorithm) {
+this.digestAlgorithm = digestAlgorithm;
+}
+
+public boolean isSignAssertion() {
+return signAssertion;
+}
+
+public void setSignAssertion(boolean signAssertion) {
+this.signAssertion = signAssertion;
+}
 }
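Review bot: In the second hunk, `callback.setSignatureAlgorithm(signatureAlgorithm)` and `callback.setSignatureDigestAlgorithm(digestAlgorithm)` run even when nothing configured the handler, overwriting whatever the `SamlCallback` held with null; every existing test that goes through this handler now takes that null path, and SAMLUtils forwards the values to `signAssertion` unchanged. Guarding the two calls, `if (signatureAlgorithm != null) { callback.setSignatureAlgorithm(signatureAlgorithm); }` and the same for the digest, keeps the callback's own default intact whenever a test does not pick an algorithm. The new accessors are plain getters and setters; a one-line Javadoc on `setSignatureAlgorithm` and `setDigestAlgorithm` saying they take XML-DSig algorithm URIs, as the new test passes, would document the contract. The `handle` method containing the first added lines starts outside the hunk.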