Repository: cxf Updated Branches: refs/heads/master ded06c40b -> d2dca6796
Use the LDAP API to get the CN of a Certificate DN in the DefaultSubjectProvider in the STS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d2dca679
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d2dca679
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d2dca679
Branch: refs/heads/master
Commit: d2dca67967f5cf49efec503102bb82e999a54cc0
Parents: ded06c4
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Oct 20 10:52:52 2016 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Oct 20 10:52:52 2016 +0100
----------------------------------------------------------------------
.../sts/token/provider/DefaultSubjectProvider.java | 14 ++++++++++----
.../systest/sts/username_actas/ActAsValidator.java | 2 +-
2 files changed, 11 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d2dca679/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 114d10f..9433039 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -27,6 +27,8 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.x500.X500Principal;
@@ -160,10 +162,14 @@ public class DefaultSubjectProvider implements SubjectProvider {
 && principal instanceof X500Principal) {
 // Just use the "cn" instead of the entire DN
 try {
- String principalName = principal.getName();
- int index = principalName.indexOf('=');
- principalName = principalName.substring(index + 1, principalName.indexOf(',', index));
- subjectName = principalName;
+ LdapName ln = new LdapName(principal.getName());
+
+ for (Rdn rdn : ln.getRdns()) {
+ if ("CN".equalsIgnoreCase(rdn.getType()) && (rdn.getValue() instanceof String)) {
+ subjectName = (String)rdn.getValue();
+ break;
+ }
+ }
 } catch (Throwable ex) {
 subjectName = principal.getName();
 //Ignore, not X500 compliant thus use the whole string as the value
http://git-wip-us.apache.org/repos/asf/cxf/blob/d2dca679/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
index 78db7f6..610fb45 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
@@ -51,7 +51,7 @@ public class ActAsValidator extends SamlAssertionValidator {
 // The technical user should be in the Subject
 Subject subject = saml2Assertion.getSubject();
 if (subject == null || subject.getNameID() == null
- || !subject.getNameID().getValue().contains("CN=www.client.com")) {
+ || !subject.getNameID().getValue().contains("www.client.com")) {
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
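Review bot: The `for (Rdn rdn : ln.getRdns())` loop walks the DN from the root end, because `LdapName` indexes RDNs right-to-left (index 0 is the rightmost, most significant one), so a certificate subject such as `CN=alice,CN=Users,DC=example,DC=com` yields the container name `Users` as the token's subject rather than the end-entity `alice` — the replaced code took the leftmost RDN and therefore got the leaf. Iterating from `ln.size() - 1` down to 0 restores leaf-first selection, and since this value becomes the asserted identity it is worth pinning with a multi-CN test. The new loop also leaves `subjectName` untouched when the DN has no string-valued CN (hex-encoded `CN=#...` values come back from `Rdn.getValue()` as `byte[]`), whereas the old substring code always assigned something; falling back to `principal.getName()` as the `catch` branch does keeps that behaviour explicit. With parsing now delegated to `LdapName`, the only expected failure here is `InvalidNameException`, so the `catch (Throwable ex)` could be narrowed to that. The enclosing method starts before this hunk and continues after it.
```java
LdapName ln = new LdapName(principal.getName());
String cn = null;
// getRdns() is indexed root-first (index 0 is the rightmost RDN), so walk
// from the end to take the leaf CN, as the old leftmost-RDN code did
for (int i = ln.size() - 1; i >= 0 && cn == null; i--) {
    Rdn rdn = ln.getRdn(i);
    if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
        cn = (String) rdn.getValue();
    }
}
// no string-valued CN at all: fall back to the whole DN, as the catch branch below does
subjectName = cn != null ? cn : principal.getName();
// … unchanged: catch block …
```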
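Review bot: The relaxed `contains("www.client.com")` check no longer distinguishes the CN-only subject this commit introduces from the provider's full-DN fallback (`subjectName = principal.getName()`), since a NameID of `CN=www.client.com,...` still satisfies it, and it would also accept any CN that merely embeds the host name. Now that the expected subject is exactly the CN value, `!"www.client.com".equals(subject.getNameID().getValue())` pins the intended behaviour and would catch a regression in which the wrong RDN is selected. The enclosing validate method starts before this hunk.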
