[2/2] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/72c4194a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/72c4194a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/72c4194a Branch: refs/heads/2.6.x-fixes Commit: 72c4194a634a40265171b4288927f35dc329c552 Parents: f318ee6 Author: Colm O hEigeartaighAuthored: Fri Jun 16 10:21:38 2017 +0100 Committer: Colm O hEigeartaigh Committed: Fri Jun 16 10:21:38 2017 +0100 -- .../saml/sso/SAMLSSOResponseValidator.java | 95 +++--- .../saml/sso/CombinedValidatorTest.java | 329 ++- 2 files changed, 305 insertions(+), 119 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/72c4194a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java --
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 096468c..0bb1c79 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -36,32 +36,33 @@ import org.opensaml.saml2.core.AuthnStatement;
 * should be validated by the SAMLProtocolResponseValidator first.
 */
 public class SAMLSSOResponseValidator {
-
+
 private static final Logger LOG = LogUtils.getL7dLogger(SAMLSSOResponseValidator.class);
-
+
 private String issuerIDP;
 private String assertionConsumerURL;
 private String clientAddress;
 private String requestId;
 private String spIdentifier;
+private boolean enforceResponseSigned;
 private boolean enforceAssertionsSigned = true;
 private boolean enforceKnownIssuer = true;
 private TokenReplayCache replayCache;
-
+
 /**
 * Enforce that Assertions must be signed if the POST binding was used. The default is true.
 */
 public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
 this.enforceAssertionsSigned = enforceAssertionsSigned;
 }
-
+
 /**
 * Enforce that the Issuer of the received Response/Assertion is known. The default is true.
 */
 public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
 this.enforceKnownIssuer = enforceKnownIssuer;
 }
-
+
 /**
 * Validate a SAML 2 Protocol Response
 * @param samlResponse
@@ -81,7 +82,7 @@ public class SAMLSSOResponseValidator {
 LOG.fine("The Response must contain at least one Assertion");
 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
 }
-
+
 // The Response must contain a Destination that matches the assertionConsumerURL if it is
 // signed
 String destination = samlResponse.getDestination();
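Review bot: The new field `private boolean enforceResponseSigned;` has no initializer, so it is false by default and the signed-Response check this commit adds in the @@ -90 hunk is off unless a caller turns it on; unlike `enforceAssertionsSigned` and `enforceKnownIssuer`, whose setters state their defaults, nothing here documents that. No setter for the flag is visible in these hunks, though the diffstat lists 95 changed lines in this file, so one may exist outside the excerpt. Wherever the setter lives, give it the same style of Javadoc as its neighbours, `/** Enforce that the Response must be signed. The default is false. */`, so the opt-in nature of the check is explicit to deployers.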
@@ -90,9 +91,14 @@ public class SAMLSSOResponseValidator {
 LOG.fine("The Response must contain a destination that matches the assertion consumer URL");
 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
 }
-
+
+if (enforceResponseSigned && !samlResponse.isSigned()) {
+LOG.fine("The Response must be signed!");
+throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+}
+
 // Validate Assertions
-org.opensaml.saml.saml2.core.Assertion validAssertion = null;
+org.opensaml.saml2.core.Assertion validAssertion = null;
 Date sessionNotOnOrAfter = null;
 for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
 // Check the Issuer
@@ -101,13 +107,13 @@ public class SAMLSSOResponseValidator {
 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
 }
 validateIssuer(assertion.getIssuer());
-
+
 if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) {
 LOG.fine("If the HTTP Post binding is used to deliver the Response, "
 + "the enclosed assertions must be signed");
 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
 }
-
+
 // Check for AuthnStatements and validate the Subject accordingly
 if (assertion.getAuthnStatements() != null
 && !assertion.getAuthnStatements().isEmpty()) {
@@
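Review bot: The added `if (enforceResponseSigned && !samlResponse.isSigned())` establishes only that the Response carries a Signature element; whether that signature is valid and from a trusted key is not decided here, and the class Javadoc in the previous hunk says the SAMLProtocolResponseValidator "should be validated ... first", which I take to be where the cryptographic check is meant to happen. That division of responsibility is easy to lose when the two validators are wired up separately, so state it at the check: `// Presence check only: signature validity is established by SAMLProtocolResponseValidator, which must run first`. The sibling assertion check further down uses `assertion.getSignature() == null` for the same purpose, and the new log message is the only one with a trailing `!`; `"The Response must be signed"` would match the surrounding messages. The enclosing validation method begins and ends outside this hunk.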
[2/2] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f91bdce0 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f91bdce0 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f91bdce0 Branch: refs/heads/3.0.x-fixes Commit: f91bdce0a219e273c4f6b0e990074cb16ae0ab07 Parents: a493b7f Author: Colm O hEigeartaighAuthored: Mon Oct 17 11:39:58 2016 +0100 Committer: Colm O hEigeartaigh Committed: Mon Oct 17 11:39:58 2016 +0100 -- .../cxf/systest/ws/tokens/tls-stax-server.xml | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/f91bdce0/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-stax-server.xml -- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-stax-server.xml index 240e83c..4a42010 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-stax-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-stax-server.xml @@ -29,10 +29,10 @@ - + - + @@ -40,10 +40,10 @@ http://www.example.org/contract/DoubleIt; id="EncryptedSupportingTokens4" address="https://localhost:${testutil.ports.tokens.TLSStaxServer}/DoubleItEncryptedSupporting4; serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedSupportingPort4" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl" depends-on="tls-settings"> - - - - + + + + 
@@ -54,10 +54,10 @@ http://www.example.org/contract/DoubleIt; id="EncryptedSupportingTokens5" address="https://localhost:${testutil.ports.tokens.TLSStaxServer}/DoubleItEncryptedSupporting5; serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedSupportingPort5" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl" depends-on="tls-settings"> - - - - + + + +
[2/2] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6cdfe4ba Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6cdfe4ba Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6cdfe4ba Branch: refs/heads/3.0.x-fixes Commit: 6cdfe4babfd9f8bd066f8d39ed0049001ac2fd0d Parents: 99276ba Author: Colm O hEigeartaighAuthored: Fri Jan 8 16:53:42 2016 + Committer: Colm O hEigeartaigh Committed: Fri Jan 8 16:53:42 2016 + -- .../https/httpclient/PublicSuffixListParser.java | 10 +- .../https/httpclient/DefaultHostnameVerifierTest.java | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/6cdfe4ba/rt/transports/http/src/main/java/org/apache/cxf/transport/https/httpclient/PublicSuffixListParser.java --
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/httpclient/PublicSuffixListParser.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/httpclient/PublicSuffixListParser.java
index 5c4df13..2e1c124 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/httpclient/PublicSuffixListParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/httpclient/PublicSuffixListParser.java
@@ -52,8 +52,8 @@ public final class PublicSuffixListParser {
 * @throws java.io.IOException on error while reading from list
 */
 public PublicSuffixList parse(final Reader reader) throws IOException {
-final List rules = new ArrayList<>();
-final List exceptions = new ArrayList<>();
+final List rules = new ArrayList();
+final List exceptions = new ArrayList();
 final BufferedReader r = new BufferedReader(reader);
 String line;
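Review bot: If `new ArrayList()` on the new side really is the raw constructor rather than an explicit `new ArrayList<String>()` whose type argument was lost in rendering, each of these assignments becomes an unchecked conversion and the element type of `rules` and `exceptions` is no longer checked by the compiler; the same applies to the `result`, `exceptions` and `rules` assignments in the @@ -94 and @@ -142 hunks of this file. Dropping the diamond is the right move for a branch that must build on a pre-Java-7 source level, but the explicit form, e.g. `final List<String> rules = new ArrayList<String>();`, keeps that compatibility without the raw type. The angle brackets on the `List` declarations appear to have been stripped by the page as well, so please confirm against the actual file before changing anything.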
@@ -94,7 +94,7 @@ public final class PublicSuffixListParser {
 * @since 4.5
 */
 public List parseByType(final Reader reader) throws IOException {
-final List result = new ArrayList<>(2);
+final List result = new ArrayList(2);
 final BufferedReader r = new BufferedReader(reader);
@@ -142,12 +142,12 @@ public final class PublicSuffixListParser {
 if (isException) {
 if (exceptions == null) {
-exceptions = new ArrayList<>();
+exceptions = new ArrayList();
 }
 exceptions.add(line);
 } else {
 if (rules == null) {
-rules = new ArrayList<>();
+rules = new ArrayList();
 }
 rules.add(line);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/6cdfe4ba/rt/transports/http/src/test/java/org/apache/cxf/transport/https/httpclient/DefaultHostnameVerifierTest.java --
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/https/httpclient/DefaultHostnameVerifierTest.java b/rt/transports/http/src/test/java/org/apache/cxf/transport/https/httpclient/DefaultHostnameVerifierTest.java
index 3ec14d1..b16dbfa 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/https/httpclient/DefaultHostnameVerifierTest.java
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/https/httpclient/DefaultHostnameVerifierTest.java
@@ -50,7 +50,7 @@ public class DefaultHostnameVerifierTest {
 private DefaultHostnameVerifier implWithPublicSuffixCheck;
 @Before
-public void setup() {
+public void setUp() {
 impl = new DefaultHostnameVerifier();
 publicSuffixMatcher = new PublicSuffixMatcher(DomainType.ICANN, Arrays.asList("com", "co.jp", "gov.uk"), null);
 implWithPublicSuffixCheck = new DefaultHostnameVerifier(publicSuffixMatcher);