svn commit: r1014143 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Author: buildbot
Date: Fri Jun 16 16:47:38 2017
New Revision: 1014143

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Jun 16 16:47:38 2017
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE /**/ +/*]]>*/ IntroductionMaven DependenciesJava and JCE PolicyJOSE Overview and Implementation JWA AlgorithmsJWK KeysJWS Signature Signature and Verification ProvidersJWS CompactJWS JSONJWS with Detached ContentJWS with Unencoded Payload 
@@ -679,7 +679,7 @@ Payload: "ciphertext":"alKm_g", "tag":"DkW2pZCd7lhR0KqIGQ69-A" } -Note the Base64Url encoded protected headers go first, followed by the 'recipients' array, with each element containing the encrypted content encryption key which can be decrypted by the recipient private key, with the array of recipients followed by the IV, ciphertext and authentication tag Base64Url sequences.Linking JWT authentications to JWS or JWE contentCXF introduced a "JWT" HTTP authentication scheme, with a Base64Url encoded JWT token representing a user authentication against an IDP capable of issuing JWT assertions (or simply JWT tokens). JWT assertion is like SAML assertion except that it is in a JSON format. If you'd like to cryptographically bind this JWT token to a data secured by JWS and/or JWE processors then simply add https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/secu rity/jose/jaxrs/JwtAuthenticationClientFilter.java" rel="nofollow">JwtAuthenticationClientFilteron the client side and https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java; rel="nofollow">JwtAuthenticationFilter on the server side. These filters link the authentication token with a randomly generated secure value which is added to both the token and the body JWS/JWE protected headers.This approach is more effective compared to the ones where the body hash is calculated before it is submitted to a signature creation function, with the signature added as HTTP header.Optional protection of HTTP headersStarting from CXF 3.1.12 it is possible to use JWS, JWS JSON, JWE and JWE JSON filters to protect the selected set of HTTP headers. The JOSE payloads produced b y these filters guarantee that the JOSE headers are integrity protected. 
Given this, if one enables a 'protectHttpHeaders' boolean property on the request filters, then, by default, HTTP Content-Type and Accept header values will be registered as JOSE header properties prefixed with "http.", example, "http.Accept":"text/plain". The list of the headers to be protected can be customized using a 'protectedHttpHeaders' set property.These properties will be compared against the current HTTP headers on the receiving end.This approach does not prevent the streaming of the outgoing data (which will also be protected by the filters) and offers a way to secure the HTTP headers which are really important for the correct processing of the incoming payloadsJOSE in JAX-RS application codeIn some cases you may need to create or process the JOSE data directly in the service or client application code. For example, one of the properties in the request or response payload needs to be JWS signed/verified and/or JWE encrypted/decrypted. The following 2 options can be tried.Option 1: Process JOSE directlyThis option is about using the CXF JOSE library to sign, encrypt, or/and decrypt and verify the data as documented above. This option should be preferred if one needs to keep a closer control, for example, set the custom JWS or JWE headers, etc.Option 2: Use JOSE library helpers and Endpoint ConfigurationThis option makes it straighforward to do JOSE in the application code. One has to extend or delegate to a specific JOSE helper instance and configure the endpoint with the locatiion of the key store.Produce JOSE dataIf you need to protect some non JWT property - extend or delegate to JoseProducer: +Note the
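Review bot: in the `@@ -679,7 +679,7 @@` hunk the rewritten `+Note the` line is cut off, so only the removed text can be reviewed, and two points should be carried into the new version. The `protectHttpHeaders` paragraph says the `http.*` JOSE header properties "will be compared against the current HTTP headers on the receiving end" but never says that the server-side filter rejects the request on a mismatch, which is the whole point of the feature; state the failure behaviour, and state that headers outside `protectedHttpHeaders` remain unprotected. The JWT-binding paragraph says `JwtAuthenticationClientFilter` and `JwtAuthenticationFilter` add a random value to both the token and the JWS/JWE protected header, but it should also say that the server filter fails the request unless the two values match; without that comparison the token is not bound to the body at all.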
[1/2] cxf git commit: Fixing ports
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 23408fdbb -> 5fd91a935

Fixing ports

# Conflicts:
#   services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/02246545
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/02246545
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/02246545

Branch: refs/heads/3.0.x-fixes
Commit: 02246545d12758cf56181f2092eea227df07b621
Parents: 23408fd
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 11:37:25 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 11:41:20 2017 +0100

--
 .../IntermediaryTransformationCachingTest.java | 12 ++--
 .../cxf-intermediary-caching.xml               |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/02246545/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
--
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
index 9a5f870..b04caab 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
@@ -40,7 +40,7 @@ import org.junit.BeforeClass; * service provider. The intermediary service provider validates the token, and then the * Intermediary client uses delegation to dispatch the received token (via OnBehalfOf) to another * STS instance. The retrieved token is sent to the service provider via (2-way) TLS. The STSClient is disabled - * after two invocations, meaning that the Intermediary client must rely on its cache to get tokens. + * after two invocations, meaning that the Intermediary client must rely on its cache to get tokens. */ public class IntermediaryTransformationCachingTest extends AbstractBusClientServerTestBase { @@ -51,9 +51,9 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt;; private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); - -private static final String PORT = allocatePort(Intermediary.class); - + +private static final String PORT = allocatePort(IntermediaryCaching.class); + @BeforeClass public static void startServers() throws Exception { assertTrue( @@ -105,7 +105,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ // Make initial successful invocation (for "alice") doubleIt(alicePort, 25); - + // Make another successful invocation for "bob" DoubleItPortType bobPort = service.getPort(portQName, DoubleItPortType.class); updateAddressPort(bobPort, PORT); 
@@ -117,7 +117,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ // Make another invocation for "bob" - this should work as the intermediary caches the token // even though its STSClient is disabled after the second invocation doubleIt(bobPort, 35); - + // Make another invocation for "alice" - this should work as the intermediary caches the token // even though its STSClient is disabled after the first invocation doubleIt(alicePort, 40); http://git-wip-us.apache.org/repos/asf/cxf/blob/02246545/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml -- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml index 4f367ab..8072526 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml +++
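Review bot: the `@@ -51,9 +51,9 @@` hunk switches the test's port key to `allocatePort(IntermediaryCaching.class)`; `allocatePort` is keyed by the class name, so the intermediary server launched in `startServers()` and the endpoint address in `cxf-intermediary-caching.xml` (the second file in this commit, whose hunk is cut off above) must use `IntermediaryCaching` as well, otherwise `updateAddressPort(bobPort, PORT)` sends the requests to a port nothing listens on and the cache-hit invocations after the STSClient is disabled are never exercised.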
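Review bot: the `@@ -40,7 +40,7 @@`, `@@ -105,7 +105,7 @@` and `@@ -117,7 +117,7 @@` hunks only strip trailing whitespace from a comment line and two blank lines; on a maintenance branch that is merge noise that makes the next cherry-pick from master conflict in this same file, which the `# Conflicts:` entry in this message already shows happening. Keep a port fix to the functional line.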
[2/2] cxf git commit: Recording .gitmergeinfo Changes
Recording .gitmergeinfo Changes

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5fd91a93
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5fd91a93
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5fd91a93

Branch: refs/heads/3.0.x-fixes
Commit: 5fd91a935960dd66ba0f28f3662b617ca23d9439
Parents: 0224654
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 11:41:21 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 11:41:21 2017 +0100

--
 .gitmergeinfo | 2 ++
 1 file changed, 2 insertions(+)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/5fd91a93/.gitmergeinfo
--
diff --git a/.gitmergeinfo b/.gitmergeinfo
index bea97f4..a32b43e 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -785,6 +785,7 @@ B 6eaa2bd9f48718d241ef6e779285c65a800862a8 B 6ec0e90dc12c2384612f201f54d1e6e7e7f45724 B 6ef5be5869eb0c076f8bc8ed30775028a0b314c7 B 6efe475ad57f042ffc9547f1bb258ab4e16a3f3e +B 6f07ef7b6c5ab9a8c88dd8e4b4d60dac0d2adb6e B 6f2a98efabe16b6e129ca86b292b74d006093541 B 6f31130c52c4f328795c71f7f3891e3b7c899daf B 6f3e4aa162c2ec1c78256b57d98f735cfb15a2fb @@ -1777,6 +1778,7 @@ M 00b626af504d3d59419ec2d1eb5e39943ec5b8aa M 011725e4de2026bbebb6a732764a86d9a2ae4109 M 01860c78f6fd7554cf89a9bc912ca78d2b304efe M 02221113b4c85bc643f18c82a7d59e0179d400ac +M 022c89df45b88284b26286559673fb8de95a0315 M 049fe48c0489cf0e4df632a73bb91a76343d2639 M 0529afb26222feaf5e3954518a8e3bfacd857829 M 05383ffcfc3fe16c6acadf1a343375c00fa1116c
[2/2] cxf git commit: Fixing ports
Fixing ports

# Conflicts:
#   services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/022c89df
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/022c89df
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/022c89df

Branch: refs/heads/3.1.x-fixes
Commit: 022c89df45b88284b26286559673fb8de95a0315
Parents: 0e83d4a
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 11:37:25 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 11:38:29 2017 +0100

--
 .../IntermediaryTransformationCachingTest.java | 12 ++--
 .../cxf-intermediary-caching.xml               |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/022c89df/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
--
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
index d83de84..53bda69 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
@@ -40,7 +40,7 @@ import org.junit.BeforeClass; * service provider. The intermediary service provider validates the token, and then the * Intermediary client uses delegation to dispatch the received token (via OnBehalfOf) to another * STS instance. The retrieved token is sent to the service provider via (2-way) TLS. The STSClient is disabled - * after two invocations, meaning that the Intermediary client must rely on its cache to get tokens. + * after two invocations, meaning that the Intermediary client must rely on its cache to get tokens. */ public class IntermediaryTransformationCachingTest extends AbstractBusClientServerTestBase { @@ -51,9 +51,9 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt;; private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); - -private static final String PORT = allocatePort(Intermediary.class); - + +private static final String PORT = allocatePort(IntermediaryCaching.class); + @BeforeClass public static void startServers() throws Exception { assertTrue( @@ -102,7 +102,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ // Make initial successful invocation (for "alice") doubleIt(alicePort, 25); - + // Make another successful invocation for "bob" DoubleItPortType bobPort = service.getPort(portQName, DoubleItPortType.class); updateAddressPort(bobPort, PORT); 
@@ -114,7 +114,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ // Make another invocation for "bob" - this should work as the intermediary caches the token // even though its STSClient is disabled after the second invocation doubleIt(bobPort, 35); - + // Make another invocation for "alice" - this should work as the intermediary caches the token // even though its STSClient is disabled after the first invocation doubleIt(alicePort, 40); http://git-wip-us.apache.org/repos/asf/cxf/blob/022c89df/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml -- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml index 2e51b3d..7a0baba 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml @@ -24,7 +24,7 @@ -
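Review bot: `allocatePort(IntermediaryCaching.class)` in the `@@ -51,9 +51,9 @@` hunk only fixes the test if the intermediary server started in `startServers()` and the endpoint address in `cxf-intermediary-caching.xml` (whose hunk is cut off at `@@ -24,7 +24,7 @@`) use the same `IntermediaryCaching` key; please confirm both on 3.1.x, since the `# Conflicts:` entry shows this file was resolved by hand, and the whitespace-only hunks around it (`@@ -40`, `@@ -102`, `@@ -114`) are exactly the lines that tend to be dropped or duplicated during resolution.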
[1/2] cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 0e83d4aa1 -> 6f07ef7b6

Recording .gitmergeinfo Changes

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6f07ef7b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6f07ef7b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6f07ef7b

Branch: refs/heads/3.1.x-fixes
Commit: 6f07ef7b6c5ab9a8c88dd8e4b4d60dac0d2adb6e
Parents: 022c89d
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 11:38:29 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 11:38:29 2017 +0100

--
 .gitmergeinfo | 1 +
 1 file changed, 1 insertion(+)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/6f07ef7b/.gitmergeinfo
--
diff --git a/.gitmergeinfo b/.gitmergeinfo
index f8d5c77..e1d1f726 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -474,6 +474,7 @@ M 3b7587395586f59d0fe9427038dd2d891fbe223d M 3b967cf6d9c67bebb6e0705a3fdede4d2a6b1015 M 3bbfc22e182ffea8c98ba8f84b4f55abfce353e7 M 3be9aac26a003ef43995054da875ffd5fa5a2eb4 +M 3d02791f001faf35ea585ce67d3f4564f5c25c1b M 3d1c69dbe3c1f4ce1e9fe0a962fd022b17dac773 M 3d783a5a17c03348da031865fb5278fe777f0fc9 M 3d85f3179ffae6eadd5174ace6df015494d995bc
cxf git commit: Fixing ports
Repository: cxf
Updated Branches:
  refs/heads/master 77e0ffed1 -> 3d02791f0

Fixing ports

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3d02791f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3d02791f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3d02791f

Branch: refs/heads/master
Commit: 3d02791f001faf35ea585ce67d3f4564f5c25c1b
Parents: 77e0ffe
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 11:37:25 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 11:37:25 2017 +0100

--
 .../IntermediaryTransformationCachingTest.java               | 8
 .../intermediary_transformation/cxf-intermediary-caching.xml | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/3d02791f/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
--
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
index ef90341..b42f3f7 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryTransformationCachingTest.java
@@ -41,7 +41,7 @@ import org.junit.BeforeClass; * service provider. The intermediary service provider validates the token, and then the * Intermediary client uses delegation to dispatch the received token (via OnBehalfOf) to another * STS instance. The retrieved token is sent to the service provider via (2-way) TLS. The STSClient is disabled - * after two invocations, meaning that the Intermediary client must rely on its cache to get tokens. + * after two invocations, meaning that the Intermediary client must rely on its cache to get tokens. */ public class IntermediaryTransformationCachingTest extends AbstractBusClientServerTestBase { @@ -53,7 +53,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt;; private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); -private static final String PORT = allocatePort(Intermediary.class); +private static final String PORT = allocatePort(IntermediaryCaching.class); @BeforeClass public static void startServers() throws Exception { @@ -103,7 +103,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ // Make initial successful invocation (for "alice") doubleIt(alicePort, 25); - + // Make another successful invocation for "bob" DoubleItPortType bobPort = service.getPort(portQName, DoubleItPortType.class); updateAddressPort(bobPort, PORT); 
@@ -115,7 +115,7 @@ public class IntermediaryTransformationCachingTest extends AbstractBusClientServ // Make another invocation for "bob" - this should work as the intermediary caches the token // even though its STSClient is disabled after the second invocation doubleIt(bobPort, 35); - + // Make another invocation for "alice" - this should work as the intermediary caches the token // even though its STSClient is disabled after the first invocation doubleIt(alicePort, 40); http://git-wip-us.apache.org/repos/asf/cxf/blob/3d02791f/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml -- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml index 3748f56..ddd9dd2 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/intermediary_transformation/cxf-intermediary-caching.xml @@ -24,7 +24,7 @@ -http://www.example.org/contract/DoubleIt; id="doubleittransportsaml1endorsing"
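Review bot: the `@@ -24,7 +24,7 @@` hunk in cxf-intermediary-caching.xml removes the endpoint definition with id `doubleittransportsaml1endorsing` (service in the `http://www.example.org/contract/DoubleIt` namespace) and its replacement line is cut off; that replacement must carry the port that corresponds to `allocatePort(IntermediaryCaching.class)` in the test's `@@ -53,7 +53,7 @@` hunk, otherwise the SAML1 endorsing endpoint and the `DoubleItPortType` client disagree on the port and the cached-token invocations for "alice" and "bob" fail before the cache is ever consulted. The `@@ -103,7 +103,7 @@` and `@@ -115,7 +115,7 @@` hunks are whitespace only and could be left out.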
cxf git commit: Backporting fix for CVE-2017-5656
Repository: cxf
Updated Branches:
  refs/heads/2.6.x-fixes 72c4194a6 -> f25f4a51b

Backporting fix for CVE-2017-5656

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f25f4a51
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f25f4a51
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f25f4a51

Branch: refs/heads/2.6.x-fixes
Commit: f25f4a51bf0de5255414c233f41ccc35cf00a073
Parents: 72c4194
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 10:58:11 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 10:58:11 2017 +0100

--
 .../IssuedTokenInterceptorProvider.java | 171 ---
 1 file changed, 113 insertions(+), 58 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/f25f4a51/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
--
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 35fb3aa..25577bb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -19,6 +19,8 @@ package org.apache.cxf.ws.security.policy.interceptors; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -27,7 +29,10 @@ import java.util.List; import java.util.Map; import java.util.Properties; +import org.w3c.dom.CDATASection; import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.w3c.dom.Text; import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; 
@@ -64,36 +69,37 @@ import org.apache.ws.security.message.token.BinarySecurity; import org.apache.ws.security.saml.SAMLKeyInfo; import org.apache.ws.security.saml.ext.AssertionWrapper; import org.apache.ws.security.util.WSSecurityUtil; +import org.apache.xml.security.utils.Base64; /** - * + * */ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorProvider { - + private static final long serialVersionUID = -6936475570762840527L; -private static final String ASSOCIATED_TOKEN = +private static final String ASSOCIATED_TOKEN = IssuedTokenInterceptorProvider.class.getName() + "-" + "Associated_Token"; public IssuedTokenInterceptorProvider() { super(Arrays.asList(SP11Constants.ISSUED_TOKEN, SP12Constants.ISSUED_TOKEN)); - + //issued tokens can be attached as a supporting token without //any type of binding. Make sure we can support that. this.getOutInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE); this.getOutFaultInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE); this.getInInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE); this.getInFaultInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE); - + this.getOutInterceptors().add(new IssuedTokenOutInterceptor()); this.getOutFaultInterceptors().add(new IssuedTokenOutInterceptor()); this.getInInterceptors().add(new IssuedTokenInInterceptor()); this.getInFaultInterceptors().add(new IssuedTokenInInterceptor()); } - + static final TokenStore createTokenStore(Message message) { EndpointInfo info = message.getExchange().get(Endpoint.class).getEndpointInfo(); synchronized (info) { -TokenStore tokenStore = +TokenStore tokenStore = (TokenStore)message.getContextualProperty(SecurityConstants.TOKEN_STORE_CACHE_INSTANCE); if (tokenStore == null) { tokenStore = (TokenStore)info.getProperty(SecurityConstants.TOKEN_STORE_CACHE_INSTANCE); 
@@ -121,7 +127,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro static class IssuedTokenOutInterceptor extends AbstractPhaseInterceptor { public IssuedTokenOutInterceptor() { super(Phase.PREPARE_SEND); -} +} private static void mapSecurityProps(Message message, Map ctx) { for (String s : SecurityConstants.ALL_PROPERTIES) { Object v = message.getContextualProperty(s + ".it"); @@ -143,7 +149,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
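Review bot: the hunks quoted here only add imports (`MessageDigest`, `NoSuchAlgorithmException`, `CDATASection`, `Node`, `Text`, `org.apache.xml.security.utils.Base64`) and strip trailing whitespace; the code that uses them lies past the `@@ -143,7 +149,7 @@` header, so the actual fix cannot be reviewed from this message. CVE-2017-5656 is the STSClient keying its token cache by a delegation token in a way that let a crafted token resolve to another user's cached token, and the new imports are consistent with hashing the delegation token's text and CDATA content into the cache key; when the rest of the backport is reviewed, check that a `NoSuchAlgorithmException` is surfaced as a failure rather than falling back to the old key, and that the whitespace churn in the `@@ -64,36 +69,37 @@` hunk (for example `-private static final String ASSOCIATED_TOKEN =` / `+private static final String ASSOCIATED_TOKEN =`) is dropped so the 2.6.x backport can be diffed cleanly against the master commit for the CVE.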
[2/2] cxf git commit: Fixing merge
Fixing merge

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/72c4194a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/72c4194a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/72c4194a

Branch: refs/heads/2.6.x-fixes
Commit: 72c4194a634a40265171b4288927f35dc329c552
Parents: f318ee6
Author: Colm O hEigeartaigh
Authored: Fri Jun 16 10:21:38 2017 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 10:21:38 2017 +0100

--
 .../saml/sso/SAMLSSOResponseValidator.java |  95 +++---
 .../saml/sso/CombinedValidatorTest.java    | 329 ++-
 2 files changed, 305 insertions(+), 119 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/72c4194a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
--
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 096468c..0bb1c79 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -36,32 +36,33 @@ import org.opensaml.saml2.core.AuthnStatement; * should be validated by the SAMLProtocolResponseValidator first. */ public class SAMLSSOResponseValidator { - + private static final Logger LOG = LogUtils.getL7dLogger(SAMLSSOResponseValidator.class); - + private String issuerIDP; private String assertionConsumerURL; private String clientAddress; private String requestId; private String spIdentifier; +private boolean enforceResponseSigned; private boolean enforceAssertionsSigned = true; private boolean enforceKnownIssuer = true; private TokenReplayCache replayCache; - + /** * Enforce that Assertions must be signed if the POST binding was used. The default is true. */ public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) { this.enforceAssertionsSigned = enforceAssertionsSigned; } - + /** * Enforce that the Issuer of the received Response/Assertion is known. The default is true. */ public void setEnforceKnownIssuer(boolean enforceKnownIssuer) { this.enforceKnownIssuer = enforceKnownIssuer; } - + /** * Validate a SAML 2 Protocol Response * @param samlResponse @@ -81,7 +82,7 @@ public class SAMLSSOResponseValidator { LOG.fine("The Response must contain at least one Assertion"); throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); } - + // The Response must contain a Destination that matches the assertionConsumerURL if it is // signed String destination = samlResponse.getDestination(); 
@@ -90,9 +91,14 @@ public class SAMLSSOResponseValidator { LOG.fine("The Response must contain a destination that matches the assertion consumer URL"); throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); } - + +if (enforceResponseSigned && !samlResponse.isSigned()) { +LOG.fine("The Response must be signed!"); +throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); +} + // Validate Assertions -org.opensaml.saml.saml2.core.Assertion validAssertion = null; +org.opensaml.saml2.core.Assertion validAssertion = null; Date sessionNotOnOrAfter = null; for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { // Check the Issuer @@ -101,13 +107,13 @@ public class SAMLSSOResponseValidator { throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); } validateIssuer(assertion.getIssuer()); - + if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) { LOG.fine("If the HTTP Post binding is used to deliver the Response, " + "the enclosed assertions must be signed"); throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); } - + // Check for AuthnStatements and validate the Subject accordingly if (assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty()) { @@
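Review bot: the `@@ -36,32 +36,33 @@` hunk adds `private boolean enforceResponseSigned;` but no setter for it appears next to `setEnforceAssertionsSigned` and `setEnforceKnownIssuer`; unless one exists in a part of the file not quoted here, the field stays at its default of `false` and the new check can never be switched on from the SSO filter configuration. Add `setEnforceResponseSigned(boolean)` with a Javadoc line in the same style as the other two, stating that the default is false.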
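Review bot: `if (enforceResponseSigned && !samlResponse.isSigned())` in the `@@ -90,9 +91,14 @@` hunk only tests that a Signature element is present on the Response; the class comment says the Response "should be validated by the SAMLProtocolResponseValidator first", so that is where the signature is actually verified, and the new check should be documented as a presence requirement that complements it rather than as signature validation. The `org.opensaml.saml.saml2.core.Assertion` to `org.opensaml.saml2.core.Assertion` change in the same hunk is the right resolution, since the loop variable below it is already on the OpenSAML 2 package used on 2.6.x.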
[1/2] cxf git commit: Adding SAML SSO tests.
Repository: cxf
Updated Branches:
  refs/heads/2.6.x-fixes 7aa3f2da2 -> 72c4194a6

Adding SAML SSO tests.

Conflicts:
    rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f318ee61
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f318ee61
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f318ee61

Branch: refs/heads/2.6.x-fixes
Commit: f318ee614c8cdc6f2c485d42ff2d670d67e6455a
Parents: 7aa3f2d
Author: Colm O hEigeartaigh
Authored: Thu Jul 30 17:55:32 2015 +0100
Committer: Colm O hEigeartaigh
Committed: Fri Jun 16 10:08:56 2017 +0100

--
 .../saml/sso/SAMLSSOResponseValidator.java    |  15 +-
 .../saml/sso/AbstractSAMLCallbackHandler.java |   4 +
 .../saml/sso/CombinedValidatorTest.java       | 218 +++
 3 files changed, 233 insertions(+), 4 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/cxf/blob/f318ee61/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
--
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 370a3ce..096468c 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -92,7 +92,7 @@ public class SAMLSSOResponseValidator { } // Validate Assertions -boolean foundValidSubject = false; +org.opensaml.saml.saml2.core.Assertion validAssertion = null; Date sessionNotOnOrAfter = null; for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { // Check the Issuer 
@@ -114,7 +114,7 @@ public class SAMLSSOResponseValidator { org.opensaml.saml2.core.Subject subject = assertion.getSubject(); if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) { validateAudienceRestrictionCondition(assertion.getConditions()); -foundValidSubject = true; +validAssertion = assertion; // Store Session NotOnOrAfter for (AuthnStatement authnStatment : assertion.getAuthnStatements()) { if (authnStatment.getSessionNotOnOrAfter() != null) { @@ -123,10 +123,9 @@ public class SAMLSSOResponseValidator { } } } - } -if (!foundValidSubject) { +if (validAssertion == null) { LOG.fine("The Response did not contain any Authentication Statement that matched " + "the Subject Confirmation criteria"); throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity"); @@ -136,8 +135,16 @@ public class SAMLSSOResponseValidator { validatorResponse.setResponseId(samlResponse.getID()); validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter); // the assumption for now is that SAMLResponse will contain only a single assertion +<<< HEAD Element assertionElement = samlResponse.getAssertions().get(0).getDOM(); validatorResponse.setAssertion(DOM2Writer.nodeToString(assertionElement.cloneNode(true))); +=== +Element assertionElement = validAssertion.getDOM(); +Element clonedAssertionElement = (Element)assertionElement.cloneNode(true); +validatorResponse.setAssertionElement(clonedAssertionElement); + validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement)); + +>>> 1c2a530... Adding SAML SSO tests. return validatorResponse; } http://git-wip-us.apache.org/repos/asf/cxf/blob/f318ee61/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java -- 
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java index c09d2e3..90e9f9b 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java +++
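Review bot: in the `@@ -92` hunk the new variable is declared as `org.opensaml.saml.saml2.core.Assertion validAssertion = null;`, but the loop it is assigned from in the `@@ -114` hunk iterates `org.opensaml.saml2.core.Assertion assertion` (the OpenSAML 2 package this 2.6.x-fixes branch uses everywhere else in the file), so `validAssertion = assertion;` will not compile; declare it as `org.opensaml.saml2.core.Assertion validAssertion = null;` to match. The intent of the change is right and worth keeping: returning the assertion that actually passed `validateAuthenticationSubject` instead of unconditionally taking `getAssertions().get(0)` means a response carrying several assertions can no longer yield an assertion to the caller that was never checked against the subject-confirmation criteria.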
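Review bot: the `@@ -136` hunk commits unresolved merge-conflict markers (`<<< HEAD`, `===`, `>>> 1c2a530... Adding SAML SSO tests.`) into `SAMLSSOResponseValidator.java`, so the file cannot compile and both the old `getAssertions().get(0)` path and the new `validAssertion` path are present at once. Resolve it by keeping only the second branch (`Element assertionElement = validAssertion.getDOM();`, the `cloneNode(true)` cast, and the `setAssertionElement`/`setAssertion` calls) and dropping the HEAD lines; the comment above it, "the assumption for now is that SAMLResponse will contain only a single assertion", no longer describes the code and should go with them. Also confirm that `setAssertionElement` exists on the `validatorResponse` type in this branch, since the file list shows no other main-source change in this backport that would add it.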
cxf git commit: [CXF-7411]ensure tests passed with java9-ea+174
Repository: cxf Updated Branches: refs/heads/master 63e100e48 -> 77e0ffed1 [CXF-7411]ensure tests passed with java9-ea+174 Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/77e0ffed Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/77e0ffed Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/77e0ffed Branch: refs/heads/master Commit: 77e0ffed1a647a159d7b249071de87c049803885 Parents: 63e100e Author: Freeman FangAuthored: Fri Jun 16 14:57:33 2017 +0800 Committer: Freeman Fang Committed: Fri Jun 16 14:57:33 2017 +0800 -- .../cdi/cdi-weld/cdi-producers-weld/pom.xml | 45 +++- 1 file changed, 44 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/77e0ffed/systests/cdi/cdi-weld/cdi-producers-weld/pom.xml -- diff --git a/systests/cdi/cdi-weld/cdi-producers-weld/pom.xml b/systests/cdi/cdi-weld/cdi-producers-weld/pom.xml index a626bba..ec5041d 100644 --- a/systests/cdi/cdi-weld/cdi-producers-weld/pom.xml +++ b/systests/cdi/cdi-weld/cdi-producers-weld/pom.xml 
@@ -48,4 +48,47 @@ abdera-parser - \ No newline at end of file + + + +java9 + +-ea --patch-module java.xml.ws.annotation=${project.basedir}/target/java9/javax.annotation-api-${cxf.javax.annotation-api.version}.jar --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens java.xml.ws/javax.xml.ws=ALL-UNNAMED --add-opens jdk.xml.bind/com.sun.codemodel.internal=ALL-UNNAMED --add-opens jdk.xml.bind/com.sun.tools.internal.xjc.api.impl.s2j=ALL-UNNAMED --add-opens java.xml.ws/javax.xml.ws.wsaddressing=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.util.concurrent=ALL-UNNAMED --add-exports=java.base/sun.security.util=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.impl.xs=ALL-UNNAMED --add-exports=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.impl.xs.util=ALL- UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.jaxp=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.dom=ALL-UNNAMED --add-exports=java.xml.bind/com.sun.xml.internal.bind.marshaller=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xml.internal.resolver=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xml.internal.resolver.tools=ALL-UNNAMED --add-exports=java.xml.ws/com.sun.xml.internal.messaging.saaj.soap=ALL-UNNAMED --add-exports=jdk.xml.bind/com.sun.tools.internal.xjc.api.impl.s2j=ALL-UNNAMED --add-exports=jdk.xml.bind/com.sun.tools.internal.xjc=ALL-UNNAMED --add-exports=jdk.xml.bind/com.sun.tools.internal.xjc.api=ALL-UNNAMED --add-exports=jdk.xml.bind/com.sun.codemodel.internal=ALL-UNNAMED --add-exports=jdk.xml.bind/com.sun.codemodel.internal.writer=ALL-UNNAMED --add-exports=java.xml.ws.annotation/javax.annotation.security=ALL-UNNAMED --add-modules 
java.activation,java.xml.bind,java.xml.ws,jdk.xml.bind +-ea --patch-module java.xml.ws.annotation=${project.basedir}/target/java9/javax.annotation-api-${cxf.javax.annotation-api.version}.jar --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens java.xml.ws/javax.xml.ws=ALL-UNNAMED --add-opens jdk.xml.bind/com.sun.codemodel.internal=ALL-UNNAMED --add-opens jdk.xml.bind/com.sun.tools.internal.xjc.api.impl.s2j=ALL-UNNAMED --add-opens java.xml.ws/javax.xml.ws.wsaddressing=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.util.concurrent=ALL-UNNAMED --add-exports=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED --add-exports=java.base/sun.security.util=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.impl.xs=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.impl.xs.util=AL L-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.jaxp=ALL-UNNAMED --add-exports=java.xml.bind/com.sun.xml.internal.bind.marshaller=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xerces.internal.dom=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xml.internal.resolver=ALL-UNNAMED --add-exports=java.xml/com.sun.org.apache.xml.internal.resolver.tools=ALL-UNNAMED --add-exports=java.xml.ws/com.sun.xml.internal.messaging.saaj.soap=ALL-UNNAMED
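Review bot: the `--add-opens`/`--add-exports` argument list in the new `java9` profile appears twice, and the two copies are not identical: the `sun.security.util` and `sun.reflect.generics.reflectiveObjects` exports are in a different order, and the second copy as shown in this mail ends before the `--add-exports=java.xml.ws.annotation/javax.annotation.security` entry and the `--add-modules` list that the first copy carries (the message may simply be cut off there). Two hand-maintained copies will drift; define the list once in a profile property (a hypothetical `cxf.java9.argLine`, for example) and reference it from both places. Check the committed file for the stray whitespace visible in `ALL- UNNAMED` and `AL L-UNNAMED`: if it is in the pom rather than an artifact of mail line-wrapping, the JVM will reject the option string. Since the list opens `java.base/java.security` and exports `sun.security.util` to the unnamed module, keep it confined to this test-execution profile (it already carries `-ea`) rather than letting it become a general build setting.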