[CXF-6735] - Add a configuration option to disable the STR Transform
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/46362669 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/46362669 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/46362669 Branch: refs/heads/3.0.x-fixes Commit: 463626698e399b36555a9ca35240f278bfb40153 Parents: 25f1d6d Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Mon Jan 11 16:49:38 2016 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Mon Jan 11 16:58:45 2016 +0000 ---------------------------------------------------------------------- .../cxf/ws/security/SecurityConstants.java | 7 +++ .../policyhandlers/AbstractBindingBuilder.java | 45 +++++++++++++------- .../X509SymmetricBindingTest.java | 38 +++++++++++++++++ 3 files changed, 75 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index 286eccb..383369c 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
@@ -264,6 +264,13 @@ public final class SecurityConstants { */ public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM = "ws-security.swa.encryption.attachment.transform.content"; + + /** + * Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token. + * The default is true. Some frameworks cannot handle processing the SecurityTokenReference is created, + * hence set this configuration option to "false" in this case. + */ + public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform"; // // Non-boolean WS-Security Configuration parameters http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 2712d60..4d33fc7 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -605,6 +605,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle protected void addSignatureParts(List<SupportingToken> tokenList, List<WSEncryptionPart> sigParts) { + boolean useSTRTransform = + MessageUtils.getContextualBoolean( + message, SecurityConstants.USE_STR_TRANSFORM, true + ); + for (SupportingToken supportingToken : tokenList) { Object tempTok = supportingToken.getTokenImplementation(); 
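Review bot: The Javadoc on `USE_STR_TRANSFORM` has a garbled sentence — "cannot handle processing the SecurityTokenReference is created" — which should read `* The default is true. Some frameworks cannot handle processing the SecurityTokenReference that is created,`. It would also help callers to say what the alternative is, e.g. `* When false, the signature references the SAML Assertion directly by its ID instead of via a SecurityTokenReference.`. If this class keeps a collection of all known property names (I believe it does, `ALL_PROPERTIES`), the new constant should be registered there as well, which this hunk does not show.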
@@ -642,14 +647,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle Document doc = assertionWrapper.getElement().getOwnerDocument(); boolean saml1 = assertionWrapper.getSaml1() != null; - // TODO We only support using a KeyIdentifier for the moment - SecurityTokenReference secRef = - createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); - Element clone = cloneElement(secRef.getElement()); - addSupportingElement(clone); - part = new WSEncryptionPart("STRTransform", null, "Element"); - part.setId(secRef.getID()); - part.setElement(clone); + if (useSTRTransform) { + // TODO We only support using a KeyIdentifier for the moment + SecurityTokenReference secRef = + createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); + Element clone = cloneElement(secRef.getElement()); + addSupportingElement(clone); + part = new WSEncryptionPart("STRTransform", null, "Element"); + part.setId(secRef.getID()); + part.setElement(clone); + } else { + part = new WSEncryptionPart(assertionWrapper.getId()); + part.setElement(assertionWrapper.getElement()); + } } else if (tempTok instanceof WSSecurityTokenHolder) { SecurityToken token = ((WSSecurityTokenHolder)tempTok).getToken(); String tokenType = token.getTokenType(); 
@@ -668,13 +678,18 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle id = token.getToken().getAttributeNS(null, "ID"); } } - SecurityTokenReference secRef = - createSTRForSamlAssertion(doc, id, saml1, false); - Element clone = cloneElement(secRef.getElement()); - addSupportingElement(clone); - part = new WSEncryptionPart("STRTransform", null, "Element"); - part.setId(secRef.getID()); - part.setElement(clone); + if (useSTRTransform) { + SecurityTokenReference secRef = + createSTRForSamlAssertion(doc, id, saml1, false); + Element clone = cloneElement(secRef.getElement()); + addSupportingElement(clone); + part = new WSEncryptionPart("STRTransform", null, "Element"); + part.setId(secRef.getID()); + part.setElement(clone); + } else { + part = new WSEncryptionPart(id); + part.setElement(token.getToken()); + } } else { String id = token.getId(); if (id != null && id.charAt(0) == '#') { http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java index f019cfe..8527f65 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java 
@@ -233,6 +233,44 @@ public class X509SymmetricBindingTest extends AbstractBusClientServerTestBase { bus.shutdown(true); } + // Here we refer to the Assertion directly, instead of creating a SecurityTokenReference and using the + // STR Transform + @org.junit.Test + public void testX509SAML2SupportingDirectReferenceToAssertion() throws Exception { + + // TODO Not yet supported for the client streaming code + if (test.isStreaming()) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509SymmetricBindingTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509SymmetricBindingTest.class.getResource("DoubleIt.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2SupportingPort"); + DoubleItPortType symmetricSaml2Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(symmetricSaml2Port, test.getPort()); + + TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, test.getStsPort()); + + if (test.isStreaming()) { + SecurityTestUtil.enableStreaming(symmetricSaml2Port); + } + + ((BindingProvider)symmetricSaml2Port).getRequestContext().put("ws-security.use.str.transform", "false"); + + doubleIt(symmetricSaml2Port, 30); + + ((java.io.Closeable)symmetricSaml2Port).close(); + bus.shutdown(true); + } + private static void doubleIt(DoubleItPortType port, int numToDouble) { int resp = port.doubleIt(numToDouble); assertEquals(numToDouble * 2 , resp);
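Review bot: The `if (test.isStreaming()) { SecurityTestUtil.enableStreaming(symmetricSaml2Port); }` block in testX509SAML2SupportingDirectReferenceToAssertion is unreachable, because the method already returns when `test.isStreaming()` is true a few lines above; drop the second check or the early return, depending on whether streaming is meant to be covered. The test also only shows that the round trip succeeds with `ws-security.use.str.transform` set to "false"; it would pass unchanged if the option were ignored and the STR Transform still used, so an assertion on the outgoing message (for example an out interceptor checking that the signature Reference points at the Assertion ID and no STRTransform part is present) would make it a real negative test. Using `SecurityConstants.USE_STR_TRANSFORM` instead of the string literal would tie the test to the constant introduced in this commit, assuming the systest module can depend on it. The test method is complete within the hunk; doubleIt at the end of the hunk continues outside it.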