This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch coheigea/saml-refactor-new
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/coheigea/saml-refactor-new by
this push:
new 28552ff36 Removing SAML Assertion from BSP check
28552ff36 is described below
commit 28552ff36e618196f92c24057d4a04756b3a858d
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Mon Jun 23 16:52:45 2025 +0100
Removing SAML Assertion from BSP check
---
.../apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java | 2 +-
.../org/apache/wss4j/dom/str/EncryptedKeySTRParser.java | 4 ++--
.../java/org/apache/wss4j/dom/str/STRParserUtil.java | 16 +++++++---------
.../apache/wss4j/dom/str/SecurityTokenRefSTRParser.java | 2 +-
.../org/apache/wss4j/dom/str/SignatureSTRParser.java | 6 +++---
5 files changed, 14 insertions(+), 16 deletions(-)
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
index f30282a1d..c5573a6cf 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.java
@@ -107,7 +107,7 @@ public class DerivedKeyTokenSTRParser implements STRParser {
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
SamlAssertionWrapper samlAssertion =
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion,
data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo keyInfo =
SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
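Review bot: The SAML-version test `samlAssertion.getSaml2() != null` introduced on the added line is repeated verbatim at every call site in this commit (seven places across four parsers), so the rule for deciding which BSP profile applies now lives in the callers instead of in one place. Keeping a wrapper-taking overload in `STRParserUtil` that computes the flag once, `checkSamlTokenBSPCompliance(secRef, samlAssertion.getSaml2() != null, bspEnforcer)`, would let these call sites stay unchanged and keep the decision centralised. The new expression also dereferences `samlAssertion` before the BSP check; the old code dereferenced it inside the helper, so this is not a regression, but whether `result.get(TAG_SAML_ASSERTION)` can be null for an ST_SIGNED/ST_UNSIGNED result is not visible here and is worth confirming. The enclosing method starts before this hunk and continues after it.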
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
index 85eee80a3..da0540e92 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/EncryptedKeySTRParser.java
@@ -107,7 +107,7 @@ public class EncryptedKeySTRParser implements STRParser {
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
SamlAssertionWrapper samlAssertion =
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion,
data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo keyInfo =
SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(data),
@@ -144,7 +144,7 @@ public class EncryptedKeySTRParser implements STRParser {
STRParserUtil.getAssertionFromKeyIdentifier(
secRef, strElement, data
);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion, data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(samlAssertion,
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java
index d324657fc..1e1c5b083 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/STRParserUtil.java
@@ -185,24 +185,22 @@ public final class STRParserUtil {
* Check that the SAML token referenced by the SecurityTokenReference
argument
* is BSP compliant.
* @param secRef The SecurityTokenReference to the SAML token
- * @param samlAssertion The SAML Token SamlAssertionWrapper object
+ * @param saml2Token If the STR refers to a SAML 2 token or not
* @param bspEnforcer a BSPEnforcer instance to enforce BSP rules
* @throws WSSecurityException
*/
public static void checkSamlTokenBSPCompliance(
SecurityTokenReference secRef,
- SamlAssertionWrapper samlAssertion,
+ boolean saml2Token,
BSPEnforcer bspEnforcer
) throws WSSecurityException {
// Check the KeyIdentifier ValueType attributes
if (secRef.containsKeyIdentifier()) {
String valueType = secRef.getKeyIdentifierValueType();
- if (samlAssertion.getSaml1() != null
- && !WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)) {
+ if (!saml2Token &&
!WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)) {
bspEnforcer.handleBSPRule(BSPRule.R6603);
}
- if (samlAssertion.getSaml2() != null
- && !WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
+ if (saml2Token &&
!WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
bspEnforcer.handleBSPRule(BSPRule.R6616);
}
String encoding = secRef.getKeyIdentifierEncodingType();
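Review bot: The Javadoc for the new `saml2Token` parameter should state where the flag must come from: it has to be derived from the resolved assertion (as every caller in this commit does), not from the STR's own `TokenType`/`ValueType` attributes, because those attributes are exactly what the R6603/R6616 checks here and the R6611/R6617 checks further down validate, and a caller deriving the flag from them would make the checks tautological. Suggested wording: `@param saml2Token true if the resolved token is a SAML 2.0 assertion, false to apply the SAML 1.1 rules; derive this from the parsed assertion, never from the STR's own TokenType/ValueType attributes`. Since `STRParserUtil` is `public final` and this method is `public static`, replacing the `SamlAssertionWrapper` parameter with a `boolean` is a source-incompatible change for external callers; if this refactor branch is not meant to break them, keep the old signature as a `@Deprecated` overload that delegates with `samlAssertion.getSaml2() != null`. The method continues past the end of the hunk.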
@@ -213,15 +211,15 @@ public final class STRParserUtil {
// Check the TokenType attribute
String tokenType = secRef.getTokenType();
- if (samlAssertion.getSaml1() != null &&
!WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
+ if (!saml2Token && !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType))
{
bspEnforcer.handleBSPRule(BSPRule.R6611);
}
- if (samlAssertion.getSaml2() != null &&
!WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
+ if (saml2Token && !WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType))
{
bspEnforcer.handleBSPRule(BSPRule.R6617);
}
// Check the ValueType attribute of the Reference for SAML2
- if (samlAssertion.getSaml2() != null && secRef.containsReference()) {
+ if (saml2Token && secRef.containsReference()) {
String valueType = secRef.getReference().getValueType();
if (valueType != null && valueType.length() != 0) {
bspEnforcer.handleBSPRule(BSPRule.R6614);
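Review bot: Replacing `samlAssertion.getSaml1() != null` with `!saml2Token` on the R6611 line (and on the R6603 line in the previous hunk) broadens the SAML 1.1 checks: a wrapper with neither `getSaml1()` nor `getSaml2()` set previously triggered no rule at all, whereas now every token that is not SAML 2.0 is validated against the SAML 1.1 TokenType and KeyIdentifier ValueType. That is stricter, which is the right direction for BSP enforcement, but it is a behavioural change the commit title ("Removing SAML Assertion from BSP check") does not mention, so it should be recorded in the method's Javadoc, e.g. `Any token that is not SAML 2.0 is checked against the SAML 1.1 rules.`. Minor style on the unchanged R6614 guard: `valueType.length() != 0` reads more clearly as `!valueType.isEmpty()`. The enclosing method starts before this hunk.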
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
index 703d02165..cf119571d 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
@@ -94,7 +94,7 @@ public class SecurityTokenRefSTRParser implements STRParser {
SecurityTokenReference secRef,
RequestData data
) throws WSSecurityException {
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion,
data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(samlAssertion, new
WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
if (samlKi == null) {
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
index 3a6d3ee6d..caa4780b0 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
@@ -134,7 +134,7 @@ public class SignatureSTRParser implements STRParser {
STRParserUtil.getAssertionFromKeyIdentifier(
secRef, secRef.getElement(), data
);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion,
data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(samlAssertion,
@@ -299,7 +299,7 @@ public class SignatureSTRParser implements STRParser {
&& (WSConstants.ST_UNSIGNED == action.intValue() ||
WSConstants.ST_SIGNED == action.intValue())) {
SamlAssertionWrapper samlAssertion =
(SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion,
data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
if (keyInfo == null) {
@@ -383,7 +383,7 @@ public class SignatureSTRParser implements STRParser {
new WSSSAMLKeyInfoProcessor(data),
data.getSigVerCrypto()
);
}
- STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion, data.getBSPEnforcer());
+ STRParserUtil.checkSamlTokenBSPCompliance(secRef,
samlAssertion.getSaml2() != null, data.getBSPEnforcer());
SAMLKeyInfo keyInfo = samlAssertion.getSubjectKeyInfo();
X509Certificate[] foundCerts = keyInfo.getCerts();
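Review bot: `keyInfo.getCerts()` on the last line of this hunk dereferences the result of `samlAssertion.getSubjectKeyInfo()` without the `keyInfo == null` guard that the hunk at line 299 of the same file applies to the same call, so a subject without usable KeyInfo would surface here as a NullPointerException rather than a WSSecurityException. The branch immediately above (its opening is outside the hunk) appears to populate the subject key info via `getCredentialFromSubject` first, so the null case may be unreachable in practice; that is worth confirming, and if it is not guaranteed, mirror the null handling used after line 299 before calling `getCerts()`. The enclosing method starts before this hunk and continues after it.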