[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/750b01a6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/750b01a6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/750b01a6 Branch: refs/heads/3.0.x-fixes Commit: 750b01a6ef16614c0c388537bff2503353831e7e Parents: aa00a2d Author: Colm O hEigeartaigh Authored: Wed Apr 5 13:20:22 2017 +0100 Committer: Colm O hEigeartaigh Committed: Wed Apr 5 13:20:22 2017 +0100 -- .../IssuedTokenInterceptorProvider.java | 73 ++- .../security/trust/DefaultSTSTokenCacher.java | 210 --- 2 files changed, 67 insertions(+), 216 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/750b01a6/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java index a27493a..e2c09b2 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java @@ -19,6 +19,8 @@ package org.apache.cxf.ws.security.policy.interceptors; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -31,7 +33,11 @@ import java.util.logging.Logger; import javax.xml.namespace.QName; +import org.w3c.dom.CDATASection; import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.w3c.dom.Text; + import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; 
@@ -59,6 +65,7 @@ import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValida import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.dom.handler.WSHandlerConstants; @@ -71,6 +78,7 @@ import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.IssuedToken; import org.apache.wss4j.policy.model.Trust10; import org.apache.wss4j.policy.model.Trust13; +import org.apache.xml.security.utils.Base64; /** * 
@@ -312,19 +320,72 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro return null; } -private String getIdFromToken(Element token) { +// Get an id from the token that is unique to that token +private static String getIdFromToken(Element token) { if (token != null) { -// Try to find the "Id" on the token. -if (token.hasAttributeNS(WSConstants.WSU_NS, "Id")) { -return token.getAttributeNS(WSConstants.WSU_NS, "Id"); -} else if (token.hasAttributeNS(null, "ID")) { +// For SAML tokens get the ID/AssertionID +if ("Assertion".equals(token.getLocalName()) +&& WSConstants.SAML2_NS.equals(token.getNamespaceURI())) { return token.getAttributeNS(null, "ID"); -} else if (token.hasAttributeNS(null, "AssertionID")) { +} else if ("Assertion".equals(token.getLocalName()) +&& WSConstants.SAML_NS.equals(token.getNamespaceURI())) { return token.getAttributeNS(null, "AssertionID"); } + +// For UsernameTokens get the username +if (WSConstants.USERNAME_TOKEN_LN.equals(token.getLocalName()) +&& WSConstants.WSSE_NS.equals(token.getNamespaceURI())) { +Element usernameElement = +XMLUtils.getDirectChildElement(token, WSConstants.USERNAME_LN, WSConstants.WSSE_NS); +if (usernameElement != null) { +return getElementText(usernameElement); +} +} + +// For BinarySecurityTokens take the hash of the value +if (WSConstants.BINARY_TOKEN_LN.equals(token.getLocalName()) +&& WSConstants.WSSE_NS.equals(token.getNamespaceURI())) { +String text = getElementText(token); +i
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b16f63b2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b16f63b2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b16f63b2 Branch: refs/heads/3.1.x-fixes Commit: b16f63b29a864f3687932f9e664088b79f3c40e9 Parents: 4bca17b Author: Colm O hEigeartaigh Authored: Wed Apr 5 12:49:57 2017 +0100 Committer: Colm O hEigeartaigh Committed: Wed Apr 5 12:49:57 2017 +0100 -- .../org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/b16f63b2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java index c2699fc..972a9fd 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java @@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.trust; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.Base64; import java.util.HashMap; import java.util.Map; @@ -38,6 +37,7 @@ import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; +import org.apache.xml.security.utils.Base64; public class DefaultSTSTokenCacher implements STSTokenCacher { 
@@ -197,7 +197,7 @@ public class DefaultSTSTokenCacher implements STSTokenCacher {
 try {
 MessageDigest digest = MessageDigest.getInstance("SHA-256");
 byte[] bytes = digest.digest(text.getBytes());
-return Base64.getMimeEncoder().encodeToString(bytes);
+return Base64.encode(bytes);
 } catch (NoSuchAlgorithmException e) {
 // SHA-256 must be supported so not going to happen...
 }
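Review bot: `text.getBytes()` in the context line just above the changed `return` encodes with the platform default charset, so the SHA-256 value built here can differ between JVMs with different default encodings for the same token text. `byte[] bytes = digest.digest(text.getBytes(StandardCharsets.UTF_8));` (with `java.nio.charset.StandardCharsets` imported) pins it. The `catch (NoSuchAlgorithmException e)` block holds only a comment, and what the method returns after it lies outside the hunk, so it is worth confirming that a caller cannot end up with a null or shared identifier for the token. The method body starts and ends outside the hunk.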
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/595c43e2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/595c43e2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/595c43e2 Branch: refs/heads/3.0.x-fixes Commit: 595c43e2131e3b0d483faa821417450ab4701c1f Parents: 4766131 Author: Colm O hEigeartaigh Authored: Tue Sep 6 11:15:14 2016 +0100 Committer: Colm O hEigeartaigh Committed: Tue Sep 6 11:15:14 2016 +0100 -- ...AbstractRequestAssertionConsumerHandler.java | 36 1 file changed, 36 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/595c43e2/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java -- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java index f5c8aae..cbfeab5 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java @@ -70,12 +70,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS private TokenReplayCache replayCache; private MessageContext messageContext; -<<< HEAD -=== -private String applicationURL; -private boolean parseApplicationURLFromRelayState; private String assertionConsumerServiceAddress; ->>> dac029e... CXF-7039 - JAX-RS Security SAML web SSO consumer service can not validate SAML response behind reverse proxy @Context public void setMessageContext(MessageContext mc) { 
@@ -362,40 +357,9 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
 public void setEnforceResponseSigned(boolean enforceResponseSigned) {
 this.enforceResponseSigned = enforceResponseSigned;
 }
-<<< HEAD
-===
-
-public String getApplicationURL() {
-return applicationURL;
-}
-
-/**
- * Set the Application URL to forward to, for the unsolicited IdP case.
- * @param applicationURL
- */
-public void setApplicationURL(String applicationURL) {
-this.applicationURL = applicationURL;
-}
-
-public boolean isParseApplicationURLFromRelayState() {
-return parseApplicationURLFromRelayState;
-}
-
-/**
- * Whether to parse the application URL to forward to from the RelayState, for the unsolicted IdP case.
- * @param parseApplicationURLFromRelayState
- */
-public void setParseApplicationURLFromRelayState(boolean parseApplicationURLFromRelayState) {
-this.parseApplicationURLFromRelayState = parseApplicationURLFromRelayState;
-}
-
-public String getAssertionConsumerServiceAddress() {
-return assertionConsumerServiceAddress;
-}
 public void setAssertionConsumerServiceAddress(String assertionConsumerServiceAddress) {
 this.assertionConsumerServiceAddress = assertionConsumerServiceAddress;
 }
->>> dac029e... CXF-7039 - JAX-RS Security SAML web SSO consumer service can not validate SAML response behind reverse proxy
 }
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/bf3e0eb2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/bf3e0eb2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/bf3e0eb2 Branch: refs/heads/3.0.x-fixes Commit: bf3e0eb2d682e4625fbf3f0a57d59d6f5805363d Parents: f9e78fc Author: Colm O hEigeartaigh Authored: Tue Jan 26 17:11:07 2016 + Committer: Colm O hEigeartaigh Committed: Tue Jan 26 17:11:07 2016 + -- .../security/oauth2/grants/AuthorizationGrantNegativeTest.java | 1 + .../jaxrs/security/oauth2/grants/AuthorizationGrantTest.java | 4 2 files changed, 1 insertion(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/bf3e0eb2/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java -- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java index 3bf0457..271e2e3 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java @@ -457,6 +457,7 @@ public class AuthorizationGrantNegativeTest extends AbstractBusClientServerTestB } @org.junit.Test +@org.junit.Ignore public void testAuthorizationCodeGrantWithUnknownAudience() throws Exception { URL busFile = AuthorizationGrantTest.class.getResource("client.xml"); http://git-wip-us.apache.org/repos/asf/cxf/blob/bf3e0eb2/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java -- 
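Review bot: The added `@org.junit.Ignore` on `testAuthorizationCodeGrantWithUnknownAudience` carries no reason, so a negative test for audience handling is switched off on this branch with no record of why or when it should be re-enabled. Giving the annotation a message, e.g. `@org.junit.Ignore("<reason and tracking issue>")`, keeps the gap visible in test reports. If the audience check is simply absent on this branch (the hunk does not show this), saying so in the message would let a reader tell a missing feature from a regression. The test method's body continues outside the hunk.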
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
index abdd55e..3de3041 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
@@ -349,10 +349,6 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
 assertNotNull(accessToken.getTokenKey());
 assertNotNull(accessToken.getRefreshToken());
 }
-<<< HEAD
 */
-===
-
->>> dacc6f8... Adding some audience system tests
 }
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b1fc5e49 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b1fc5e49 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b1fc5e49 Branch: refs/heads/3.0.x-fixes Commit: b1fc5e49b0f1aa90e529ec473591e6ed735c44da Parents: 808558f Author: Colm O hEigeartaigh Authored: Thu Dec 10 17:07:07 2015 + Committer: Colm O hEigeartaigh Committed: Thu Dec 10 17:07:07 2015 + -- .../rs/security/oidc/idp/IdTokenResponseFilter.java| 13 ++--- .../apache/cxf/rs/security/oidc/utils/OidcUtils.java | 1 + 2 files changed, 3 insertions(+), 11 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/b1fc5e49/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java -- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java index 8f2ef01..2f4e371 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java 
@@ -33,21 +33,12 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im private String issuer; @Override public void process(ClientAccessToken ct, ServerAccessToken st) { -<<< HEAD -// This may also be done directly inside a data provider code creating the server token -=== // Only add an IdToken if the client has the "openid" scope if (ct.getApprovedScope() == null || !ct.getApprovedScope().contains(OidcUtils.OPENID_SCOPE)) { return; } -String idToken = getProcessedIdToken(st); -if (idToken != null) { -ct.getParameters().put(OidcUtils.ID_TOKEN, idToken); -} - -} -private String getProcessedIdToken(ServerAccessToken st) { ->>> dc1a867... Only issue an IdToken if the client has the correct scope (for OpenId) + +// This may also be done directly inside a data provider code creating the server token if (userInfoProvider != null) { IdToken token = userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes()); http://git-wip-us.apache.org/repos/asf/cxf/blob/b1fc5e49/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java -- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java index 7ced717..7aa06a1 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java @@ -33,6 +33,7 @@ import org.apache.cxf.rt.security.crypto.MessageDigestUtils; public final class OidcUtils { public static final String ID_TOKEN = "id_token"; +public static final String OPENID_SCOPE = "openid"; public static final String OIDC_SCOPE = "oidc"; public static final String PROFILE_SCOPE = "profile"; public static final String EMAIL_SCOPE = "email";
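Review bot: The new guard in `process` tests `ct.getApprovedScope().contains(OidcUtils.OPENID_SCOPE)`; if `getApprovedScope()` returns the space-delimited scope string rather than a collection, this is a substring match, and a scope such as `openid_x` (a constructed example) would also pass. Comparing whole tokens avoids that, e.g. `Arrays.asList(ct.getApprovedScope().split(" ")).contains(OidcUtils.OPENID_SCOPE)`. The guard reads the scope from the client token while the `getIdToken` call below it passes `st.getScopes()`; a short comment stating which of the two is authoritative for issuing an IdToken would help. The body of `process` continues outside the hunk.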
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/191fbf01 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/191fbf01 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/191fbf01 Branch: refs/heads/3.0.x-fixes Commit: 191fbf01488c1bff9603a1196f65aaa859ee3178 Parents: e474a7b Author: Colm O hEigeartaigh Authored: Mon Oct 12 17:26:49 2015 +0100 Committer: Colm O hEigeartaigh Committed: Mon Oct 12 17:26:49 2015 +0100 -- .../cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/191fbf01/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java index 3c68633..1cc56c46 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java @@ -45,11 +45,8 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements private static final String DEFAULT_AUTH_SCHEME = "JWT"; private String expectedAuthScheme = DEFAULT_AUTH_SCHEME; private int clockOffset; -<<< HEAD private int ttl; -=== private String roleClaim; ->>> d2d8f6d... Allow role processing from JWT tokens @Override public void filter(ContainerRequestContext requestContext) throws IOException { @@ -97,7 +94,6 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements public void setClockOffset(int clockOffset) { this.clockOffset = clockOffset; } -<<< HEAD public int getTtl() { return ttl; 
@@ -105,7 +101,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
 public void setTtl(int ttl) {
 this.ttl = ttl;
-===
+}
 public String getRoleClaim() {
 return roleClaim;
@@ -113,6 +109,5 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
 public void setRoleClaim(String roleClaim) {
 this.roleClaim = roleClaim;
->>> d2d8f6d... Allow role processing from JWT tokens
 }
 }
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f129e0b7 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f129e0b7 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f129e0b7 Branch: refs/heads/3.0.x-fixes Commit: f129e0b783cd426ff5836944ed23303bdcac5ce6 Parents: a5474c5 Author: Colm O hEigeartaigh Authored: Fri Sep 25 11:47:48 2015 +0100 Committer: Colm O hEigeartaigh Committed: Fri Sep 25 11:47:48 2015 +0100 -- .../cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/f129e0b7/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java index 27ac84b..ec0086a 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java @@ -658,7 +658,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor { (String)message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM); if (asymSignatureAlgorithm != null || symSignatureAlgorithm != null) { Collection algorithmSuites = -PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE); +getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE); if (algorithmSuites != null && !algorithmSuites.isEmpty()) { for (AssertionInfo algorithmSuite : algorithmSuites) { AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion();
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fea7b4dc Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fea7b4dc Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fea7b4dc Branch: refs/heads/3.0.x-fixes Commit: fea7b4dc8fbace5264a7cc6b448cbbbc969ab2b7 Parents: 8cc16fc Author: Colm O hEigeartaigh Authored: Mon Sep 7 16:41:11 2015 +0100 Committer: Colm O hEigeartaigh Committed: Mon Sep 7 16:41:11 2015 +0100 -- .../org/apache/cxf/ws/security/SecurityConstants.java | 10 ++ .../security/wss4j/PolicyBasedWSS4JOutInterceptor.java | 13 + .../org/apache/cxf/systest/ws/x509/client.xml | 4 ++-- .../org/apache/cxf/systest/ws/x509/server.xml | 4 ++-- .../org/apache/cxf/systest/ws/x509/stax-server.xml | 4 ++-- 5 files changed, 13 insertions(+), 22 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/fea7b4dc/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index ae8b26b..9b797bd 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
@@ -671,18 +671,12 @@ public final class SecurityConstants { TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND, ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY, RETURN_SECURITY_ERROR, -<<< HEAD CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE, KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, -AUDIENCE_RESTRICTION_VALIDATION, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM -=== -CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, -KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION, -POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM, -SYMMETRIC_SIGNATURE_ALGORITHM ->>> 5fbe7b4... [CXF-6582] - Support newer symmetric signature algorithms with WS-SecurityPolicy +AUDIENCE_RESTRICTION_VALIDATION, STORE_BYTES_IN_ATTACHMENT, +USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM, SYMMETRIC_SIGNATURE_ALGORITHM })); ALL_PROPERTIES = Collections.unmodifiableSet(s); } http://git-wip-us.apache.org/repos/asf/cxf/blob/fea7b4dc/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java index a603c4e..99eea8e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java 
@@ -168,7 +168,6 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor>> 5fbe7b4... [CXF-6582] - Support newer symmetric signature algorithms with WS-SecurityPolicy +String symSignatureAlgorithm = + (String)message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM); +if (symSignatureAlgorithm != null && transport.getAlgorithmSuite() != null) { + transport.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm); +} if (transport instanceof TransportBinding) { new TransportBindingHandler(config, (TransportBinding)transport, saaj, http://git-wip-us.apache.org/repos/asf/cxf/blob/fea7b4dc/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml -- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/s
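Review bot: The added block writes the `SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM` contextual property into `transport.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm)` with no check on the value visible in the hunk. Because the setter is called on the binding's own `AlgorithmSuite`, a per-message property may persist for later messages if that policy object is shared, which the hunk does not show. Consider checking the value against the signature algorithms the deployment accepts before applying it, and documenting the override with a comment such as `// Per-message override of the policy's symmetric signature algorithm`. The enclosing method starts outside the hunk, and the beginning of this hunk is garbled on the page.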
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/986cae31 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/986cae31 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/986cae31 Branch: refs/heads/2.7.x-fixes Commit: 986cae31ac3532fcdbd375a7bdd1fc7fb5477dd7 Parents: 7e6f1e0 Author: Colm O hEigeartaigh Authored: Fri Aug 21 17:01:27 2015 +0100 Committer: Colm O hEigeartaigh Committed: Fri Aug 21 17:01:27 2015 +0100 -- .../cxf/sts/cache/AbstractIdentityCache.java| 147 --- .../cxf/sts/cache/EHCacheIdentityCache.java | 10 ++ .../cxf/sts/cache/MemoryIdentityCache.java | 10 ++ 3 files changed, 20 insertions(+), 147 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/986cae31/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/AbstractIdentityCache.java -- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/AbstractIdentityCache.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/AbstractIdentityCache.java deleted file mode 100644 index d98d161..000 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/AbstractIdentityCache.java +++ /dev/null 
@@ -1,147 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.sts.cache; - -import java.security.Principal; -import java.util.HashMap; -import java.util.Map; -import java.util.logging.Level; -import java.util.logging.Logger; - -import org.apache.cxf.Bus; -import org.apache.cxf.common.logging.LogUtils; -import org.apache.cxf.management.ManagedComponent; -import org.apache.cxf.sts.IdentityMapper; -import org.apache.wss4j.common.principal.CustomTokenPrincipal; - -public abstract class AbstractIdentityCache implements IdentityCache, IdentityMapper, ManagedComponent { - -private static final Logger LOG = LogUtils.getL7dLogger(AbstractIdentityCache.class); - -private final IdentityMapper identityMapper; -private final Bus bus; -private MemoryIdentityCacheStatistics statistics; - -public AbstractIdentityCache(IdentityMapper identityMapper) { -this(null, identityMapper); -} - -public AbstractIdentityCache(Bus bus, IdentityMapper identityMapper) { -this.identityMapper = identityMapper; -this.bus = bus; -} - -public Principal mapPrincipal(String sourceRealm, -Principal sourcePrincipal, String targetRealm) { - -Principal targetPrincipal = null; -Map identities = 
this.get(sourcePrincipal.getName(), sourceRealm); -if (identities != null) { -if (LOG.isLoggable(Level.FINE)) { -LOG.fine("Identities found for '" + sourcePrincipal.getName() + "@" + sourceRealm + "'"); -} -// Identities object found for key sourceUser@sourceRealm -String targetUser = identities.get(targetRealm); -if (targetUser == null) { -getStatistics().increaseCacheMiss(); -if (LOG.isLoggable(Level.FINE)) { -LOG.fine("No mapping found for realm " + targetRealm + " of user '" - + sourcePrincipal.getName() + "@" + sourceRealm + "'"); -} -// User identity of target realm not cached yet -targetPrincipal = this.identityMapper.mapPrincipal( -sourceRealm, sourcePrincipal, targetRealm); - -if (targetPrincipal == null || targetPrincipal.getName() == null) { -if (LOG.isLoggable(Level.FINE)) { -LOG.fine("Failed to map user '" + sourcePrincipal.getName() -+ "' [" + sourceRealm + "] to realm '" -+ targetRealm + "'"); -} -return null; -} - -// Add the identity fo
[4/4] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5988f473 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5988f473 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5988f473 Branch: refs/heads/2.7.x-fixes Commit: 5988f47316feb71692d98f372e7c4992fa0ca4af Parents: fdaf2f3 Author: Colm O hEigeartaigh Authored: Thu Jul 30 21:59:25 2015 +0100 Committer: Colm O hEigeartaigh Committed: Thu Jul 30 21:59:25 2015 +0100 -- .../saml/sso/SAMLSSOResponseValidator.java | 11 + .../saml/sso/CombinedValidatorTest.java | 48 ++-- 2 files changed, 27 insertions(+), 32 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/5988f473/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java -- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java index 65fe7b5..2d864a5 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java 
@@ -134,17 +134,10 @@ public class SAMLSSOResponseValidator { SSOValidatorResponse validatorResponse = new SSOValidatorResponse(); validatorResponse.setResponseId(samlResponse.getID()); validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter); -// the assumption for now is that SAMLResponse will contain only a single assertion -<<< HEAD -Element assertionElement = samlResponse.getAssertions().get(0).getDOM(); - validatorResponse.setAssertion(DOM2Writer.nodeToString(assertionElement.cloneNode(true))); -=== + Element assertionElement = validAssertion.getDOM(); -Element clonedAssertionElement = (Element)assertionElement.cloneNode(true); -validatorResponse.setAssertionElement(clonedAssertionElement); - validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement)); + validatorResponse.setAssertion(DOM2Writer.nodeToString(assertionElement.cloneNode(true))); ->>> 1c2a530... Adding SAML SSO tests. return validatorResponse; } http://git-wip-us.apache.org/repos/asf/cxf/blob/5988f473/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java -- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java index 5893af8..7b9a9c1 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java @@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.saml.sso; import java.io.InputStream; +import java.io.StringReader; import java.security.KeyStore; import java.util.Collections; 
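Review bot: `validAssertion.getDOM()` is dereferenced with no null check in the hunk, and `validAssertion` is assigned outside it, so if no assertion passed the earlier checks this line would fail with a NullPointerException rather than a controlled validation error. A guard before it, or confirmation that the earlier code already throws in that case, would close this. The deleted comment about a single assertion is not replaced; a line such as `// Return the assertion that passed validation above, not the first one in the Response` would record why `validAssertion` is used. The enclosing method starts outside the hunk.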
@@ -28,20 +29,19 @@ import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; - -import org.apache.wss4j.common.crypto.Crypto; -import org.apache.wss4j.common.crypto.Merlin; -import org.apache.wss4j.common.saml.OpenSAMLUtil; -import org.apache.wss4j.common.saml.SAMLCallback; -import org.apache.wss4j.common.saml.SAMLUtil; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean; -import org.apache.wss4j.common.saml.bean.ConditionsBean; -import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean; -import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.apache.wss4j.common.util.Loader; -import org.apache.wss4j.dom.WSConstants; -import org.apache.wss4j.dom.WSSConfig; +import org.apache.cxf.staxutils.StaxUtils; +import org.apache.ws.security.WSConstants; +import org.apache.ws.security.WSSConfig; +import org.apache.ws.security.components.crypto.Crypto; +import org.apache.ws.security.components.crypto.Merlin; +import org.apache.ws.security.saml.ext.AssertionWrapper; +import org.apache.ws.security.saml.ext.OpenSAMLUtil; +import org.apache.ws.security.saml.ext.SAMLParms; +import org.apache.ws.security.saml.ext.bean.AudienceRestrictionBean; +import org.apache.ws.security.saml.ext.bean.ConditionsBean; +import org.apache.ws.security.saml.ext.bean.SubjectConfirmationDataBean; +import org.apache.ws.security.saml.ext.bui