cxf git commit: [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)

2015-01-16 Thread coheigea
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes c015b609b -> ff2987db4


[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ff2987db
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ff2987db
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ff2987db

Branch: refs/heads/3.0.x-fixes
Commit: ff2987db4950611b0e770b1fd6bd4e501c997a41
Parents: c015b60
Author: Colm O hEigeartaigh 
Authored: Fri Jan 16 14:58:30 2015 +
Committer: Colm O hEigeartaigh 
Committed: Fri Jan 16 15:44:13 2015 +

--
 .../cxf/ws/security/SecurityConstants.java  | 10 +-
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 20 
 .../security/wss4j/WSS4JStaxInInterceptor.java  | 22 +
 .../saml/Saml2AudienceRestrictionValidator.java | 92 ---
 .../cxf/systest/ws/saml/SamlTokenTest.java  | 96 +++-
 .../StaxSaml2AudienceRestrictionValidator.java  | 82 -
 .../cxf/systest/ws/saml/DoubleItSaml.wsdl   |  3 +
 .../org/apache/cxf/systest/ws/saml/server.xml   | 19 ++--
 .../apache/cxf/systest/ws/saml/stax-server.xml  | 20 ++--
 9 files changed, 168 insertions(+), 196 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/ff2987db/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
--
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index b5b32b3..daedbb0 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -229,6 +229,13 @@ public final class SecurityConstants {
  */
 public static final String SC_FROM_JAAS_SUBJECT = 
"ws-security.sc.jaas-subject";
 
+/**
+ * Enable SAML AudienceRestriction validation. If this is set to "true", 
then IF the
+ * SAML Token contains Audience Restriction URIs, one of them must match 
either the
+ * request URL or the Service QName. The default is "true".
+ */
+public static final String AUDIENCE_RESTRICTION_VALIDATION = 
"ws-security.validate.audience-restriction";
+
 //
 // Non-boolean WS-Security Configuration parameters
 //
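Review bot: The Javadoc on `AUDIENCE_RESTRICTION_VALIDATION` leaves two things a deployer needs implicit: it says the check applies only IF the token carries Audience Restriction URIs, so an assertion with no AudienceRestriction element passes regardless of this property, and it does not say how a URI is compared with the request URL or the Service QName. The comparison code is not in this hunk; if it is a plain string equality, differences in scheme, host or a trailing slash will be rejections rather than lenient matches, and the Javadoc should say so. A sentence along the lines of `Assertions that carry no AudienceRestriction are unaffected by this property; a listed URI must equal the request URL or the Service QName string exactly.` would close that gap, with the second clause adjusted once the comparison is confirmed. The master and 2.7.x-fixes commits further down carry the identical hunk, so the same wording applies there.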
@@ -633,7 +640,8 @@ public final class SecurityConstants {
 CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, 
PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
 DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
 KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, 
STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-KERBEROS_REQUEST_CREDENTIAL_DELEGATION, 
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
+KERBEROS_REQUEST_CREDENTIAL_DELEGATION, 
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+AUDIENCE_RESTRICTION_VALIDATION
 }));
 ALL_PROPERTIES = Collections.unmodifiableSet(s);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ff2987db/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
--
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 4fec350..2ab48ea 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -216,6 +216,8 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
 }
 reqData.setWssConfig(config);
 
+// Add Audience Restrictions for SAML
+configureAudienceRestriction(msg, reqData);
 
 SOAPMessage doc = getSOAPMessage(msg);
 
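Review bot: The call-site comment `// Add Audience Restrictions for SAML` on the new line repeats the method name `configureAudienceRestriction`, and the helper's body (in the later hunk, which is truncated on this page) opens with the identical comment. One of the two should go, or the call-site comment should state why the call sits between `reqData.setWssConfig(config)` and `getSOAPMessage(msg)`, if that ordering matters. In the visible part of the helper, `List audiences = new ArrayList();` uses raw types; `List<String> audiences = new ArrayList<String>();` lets the compiler check what reaches `reqData` instead of relying on the `(String)` cast at the `add` call. The method enclosing the new call starts and ends outside this hunk, and the master and 2.7.x-fixes commits further down repeat both hunks.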
@@ -339,6 +341,24 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
 reqData = null;
 }
 }
+
+private void configureAudienceRestriction(SoapMessage msg, RequestData 
reqData) {
+// Add Audience Restrictions for SAML
+boolean enableAudienceRestriction = 
+MessageUtils.getContextualBoolean(msg, 
+  
SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, 
+  true);
+if (enableAudienceRestriction) {
+List audiences = new ArrayList();
+if 
(msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) 
{
+
audiences.add((String)msg.getContextualProperty(org.apache.cxf.

[2/2] cxf git commit: [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)

2015-01-16 Thread coheigea
[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/abafca6d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/abafca6d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/abafca6d

Branch: refs/heads/master
Commit: abafca6d4a4f48e4affdc67f368a1ab33cdd79e0
Parents: 6359c93
Author: Colm O hEigeartaigh 
Authored: Fri Jan 16 14:58:30 2015 +
Committer: Colm O hEigeartaigh 
Committed: Fri Jan 16 15:43:48 2015 +

--
 .../cxf/ws/security/SecurityConstants.java  | 10 +-
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 20 
 .../security/wss4j/WSS4JStaxInInterceptor.java  | 22 +
 .../saml/Saml2AudienceRestrictionValidator.java | 92 ---
 .../cxf/systest/ws/saml/SamlTokenTest.java  | 96 +++-
 .../StaxSaml2AudienceRestrictionValidator.java  | 82 -
 .../cxf/systest/ws/saml/DoubleItSaml.wsdl   |  3 +
 .../org/apache/cxf/systest/ws/saml/server.xml   | 19 ++--
 .../apache/cxf/systest/ws/saml/stax-server.xml  | 20 ++--
 9 files changed, 168 insertions(+), 196 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
--
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index b5b32b3..daedbb0 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -229,6 +229,13 @@ public final class SecurityConstants {
  */
 public static final String SC_FROM_JAAS_SUBJECT = 
"ws-security.sc.jaas-subject";
 
+/**
+ * Enable SAML AudienceRestriction validation. If this is set to "true", 
then IF the
+ * SAML Token contains Audience Restriction URIs, one of them must match 
either the
+ * request URL or the Service QName. The default is "true".
+ */
+public static final String AUDIENCE_RESTRICTION_VALIDATION = 
"ws-security.validate.audience-restriction";
+
 //
 // Non-boolean WS-Security Configuration parameters
 //
@@ -633,7 +640,8 @@ public final class SecurityConstants {
 CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, 
PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
 DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
 KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, 
STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-KERBEROS_REQUEST_CREDENTIAL_DELEGATION, 
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
+KERBEROS_REQUEST_CREDENTIAL_DELEGATION, 
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+AUDIENCE_RESTRICTION_VALIDATION
 }));
 ALL_PROPERTIES = Collections.unmodifiableSet(s);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
--
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 4fec350..2ab48ea 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -216,6 +216,8 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
 }
 reqData.setWssConfig(config);
 
+// Add Audience Restrictions for SAML
+configureAudienceRestriction(msg, reqData);
 
 SOAPMessage doc = getSOAPMessage(msg);
 
@@ -339,6 +341,24 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
 reqData = null;
 }
 }
+
+private void configureAudienceRestriction(SoapMessage msg, RequestData 
reqData) {
+// Add Audience Restrictions for SAML
+boolean enableAudienceRestriction = 
+MessageUtils.getContextualBoolean(msg, 
+  
SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, 
+  true);
+if (enableAudienceRestriction) {
+List audiences = new ArrayList();
+if 
(msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) 
{
+
audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+}
+if (msg.getContextualProperty(

[2/3] cxf git commit: [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)

2015-01-16 Thread coheigea
[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)

Conflicts:

rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java

systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java

systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java

systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml

systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/737a1b13
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/737a1b13
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/737a1b13

Branch: refs/heads/2.7.x-fixes
Commit: 737a1b13a3182855ce07a6e1257f81608c24cbb7
Parents: d9ecc37
Author: Colm O hEigeartaigh 
Authored: Fri Jan 16 14:58:30 2015 +
Committer: Colm O hEigeartaigh 
Committed: Fri Jan 16 16:23:18 2015 +

--
 .../cxf/ws/security/SecurityConstants.java  |  10 +-
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  20 +
 .../security/wss4j/WSS4JStaxInInterceptor.java  | 480 +++
 .../cxf/systest/ws/saml/SamlTokenTest.java  | 103 
 .../cxf/systest/ws/saml/DoubleItSaml.wsdl   |   3 +
 .../org/apache/cxf/systest/ws/saml/server.xml   | 270 +++
 .../apache/cxf/systest/ws/saml/stax-server.xml  | 298 
 7 files changed, 1183 insertions(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
--
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index f2f2201..61691a1 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -230,6 +230,13 @@ public final class SecurityConstants {
 public static final String KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM = 
 "ws-security.kerberos.is.username.in.servicename.form";
 
+/**
+ * Enable SAML AudienceRestriction validation. If this is set to "true", 
then IF the
+ * SAML Token contains Audience Restriction URIs, one of them must match 
either the
+ * request URL or the Service QName. The default is "true".
+ */
+public static final String AUDIENCE_RESTRICTION_VALIDATION = 
"ws-security.validate.audience-restriction";
+
 //
 // Non-boolean WS-Security Configuration parameters
 //
@@ -608,7 +615,8 @@ public final class SecurityConstants {
 CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, 
PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
 DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
 KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, 
STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-KERBEROS_REQUEST_CREDENTIAL_DELEGATION, 
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
+KERBEROS_REQUEST_CREDENTIAL_DELEGATION, 
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+AUDIENCE_RESTRICTION_VALIDATION
 }));
 ALL_PROPERTIES = Collections.unmodifiableSet(s);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
--
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index c8318f1..860a09f 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -215,6 +215,8 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
 }
 reqData.setWssConfig(config);
 
+// Add Audience Restrictions for SAML
+configureAudienceRestriction(msg, reqData);
 
 SOAPMessage doc = getSOAPMessage(msg);
 
@@ -337,6 +339,24 @@ public class WSS4JInInterceptor extends 
AbstractWSS4JInterceptor {
 reqData = null;
 }
 }
+
+private void configureAudienceRestriction(SoapMessage msg, RequestData 
reqData) {
+// Add Audience Restrictions for SAML
+boolean enableAudienceRestriction = 
+MessageUtils.getContextualBoolean(msg, 
+  
SecurityConstants.AUDIENCE_RESTRICTION_V