Author: coheigea
Date: Mon Apr 11 16:29:41 2011
New Revision: 1091114
URL: http://svn.apache.org/viewvc?rev=1091114&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part VI)
- Added support for validation of SAML holder-of-key and sender-vouches
requirements
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Mon Apr 11 16:29:41 2011
@@ -20,6 +20,7 @@
package org.apache.cxf.ws.security.policy.interceptors;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
@@ -55,6 +56,7 @@ import org.apache.ws.security.handler.WS
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.util.WSSecurityUtil;
/**
*
@@ -207,18 +209,7 @@ public class IssuedTokenInterceptorProvi
List<WSHandlerResult> results =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
if (results != null) {
- for (WSHandlerResult rResult : results) {
- WSSecurityEngineResult wser =
- findSecurityResult(rResult.getResults());
- if (wser != null) {
- IssuedTokenPolicyValidator issuedValidator =
- new IssuedTokenPolicyValidator();
- issuedValidator.validatePolicy(aim, wser);
-
- SecurityToken token =
createSecurityToken(wser);
-
message.getExchange().put(SecurityConstants.TOKEN, token);
- }
- }
+ parseHandlerResults(results, message, aim);
}
} else {
//client side should be checked on the way out
@@ -229,6 +220,38 @@ public class IssuedTokenInterceptorProvi
}
}
+ private void parseHandlerResults(
+ List<WSHandlerResult> results,
+ Message message,
+ AssertionInfoMap aim
+ ) {
+ if (results != null) {
+ for (WSHandlerResult rResult : results) {
+ WSSecurityEngineResult wser =
+ findSecurityResult(rResult.getResults());
+ if (wser != null) {
+ List<WSSecurityEngineResult> signedResults =
+ new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(
+ rResult.getResults(), WSConstants.SIGN,
signedResults
+ );
+
+ //
+ // Validate the Issued Token policy
+ //
+ IssuedTokenPolicyValidator issuedValidator =
+ new IssuedTokenPolicyValidator(signedResults,
message);
+ if (!issuedValidator.validatePolicy(aim, wser)) {
+ break;
+ }
+
+ SecurityToken token = createSecurityToken(wser);
+ message.getExchange().put(SecurityConstants.TOKEN,
token);
+ }
+ }
+ }
+ }
+
private WSSecurityEngineResult findSecurityResult(
List<WSSecurityEngineResult> wsSecEngineResults
) {
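Review bot: The `if (results != null)` guard at the top of parseHandlerResults is redundant, since the only call site already tests `results != null` before calling it, and the `break` on a failed validatePolicy leaves any `SecurityConstants.TOKEN` stored in the exchange by an earlier WSHandlerResult in place. Replacing `break;` with `return;` makes the early exit explicit, and a short comment on that line would help the next reader, e.g. `// Validation failure is recorded on the AssertionInfo by the validator; do not publish a token for it`. A Javadoc on the new method documenting `results`, `message`, `aim` and the fact that it stores the created SecurityToken in the exchange is also missing. The enclosing class continues outside the hunk.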
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Apr 11 16:29:41 2011
@@ -22,6 +22,7 @@ package org.apache.cxf.ws.security.wss4j
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
@@ -82,6 +83,7 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.util.WSSecurityUtil;
/**
*
@@ -518,6 +520,12 @@ public class PolicyBasedWSS4JInIntercept
boolean hasEndorsement = false;
Protections prots = Protections.NONE;
+ //
+ // Prefetch all signature results
+ //
+ List<WSSecurityEngineResult> signedResults = new
ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN,
signedResults);
+
for (WSSecurityEngineResult wser : results) {
Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
switch (actInt.intValue()) {
@@ -574,7 +582,8 @@ public class PolicyBasedWSS4JInIntercept
break;
case WSConstants.ST_SIGNED:
case WSConstants.ST_UNSIGNED:
- SamlTokenPolicyValidator validator = new
SamlTokenPolicyValidator();
+ SamlTokenPolicyValidator validator =
+ new SamlTokenPolicyValidator(soapBody, signedResults, msg);
validator.validatePolicy(aim, wser);
break;
case WSConstants.TS:
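Review bot: The boolean returned by `validator.validatePolicy(aim, wser)` on the line after the new constructor call is discarded, and with this commit that call can now fail for holder-of-key and sender-vouches reasons rather than only SAML-version mismatches. If the intent is that failure is carried solely through `ai.setNotAsserted(...)` and enforced later by the policy verification stage, that is worth stating next to the call, e.g. `// Result intentionally ignored: failures are recorded on the AssertionInfo and enforced by policy verification`. The switch and the enclosing doResults method start and end outside the hunk.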
@@ -624,7 +633,6 @@ public class PolicyBasedWSS4JInIntercept
assertPolicy(aim,
SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim,
SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
}
-
super.doResults(msg, actor, soapHeader, soapBody, results,
utWithCallbacks);
}
private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg,
Node header)
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Apr 11 16:29:41 2011
@@ -624,8 +624,6 @@ public abstract class AbstractBindingBui
);
if (!selfSignAssertion) {
AssertionWrapper assertionWrapper =
(AssertionWrapper)tempTok;
- part = new WSEncryptionPart(assertionWrapper.getId());
- part.setElement(assertionWrapper.getElement());
// TODO We only support using a KeyIdentifier for the
moment
SecurityTokenReference secRef =
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1091114&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Mon Apr 11 16:29:41 2011
@@ -0,0 +1,120 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+/**
+ * Some abstract functionality for validating SAML Assertions
+ */
+public abstract class AbstractSamlPolicyValidator {
+
+ /**
+ * Check the holder-of-key requirements against the received assertion.
The subject
+ * credential of the SAML Assertion must have been used to sign some
portion of
+ * the message, thus showing proof-of-possession of the private/secret
key. Alternatively,
+ * the subject credential of the SAML Assertion must match a client
certificate credential
+ * when 2-way TLS is used.
+ * @param assertionWrapper the SAML Assertion wrapper object
+ * @param signedResults a list of all of the signed results
+ */
+ public boolean checkHolderOfKey(
+ AssertionWrapper assertionWrapper,
+ List<WSSecurityEngineResult> signedResults,
+ Certificate[] tlsCerts
+ ) {
+ List<String> confirmationMethods =
assertionWrapper.getConfirmationMethods();
+ for (String confirmationMethod : confirmationMethods) {
+ if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+ if (tlsCerts == null && (signedResults == null ||
signedResults.isEmpty())) {
+ return false;
+ }
+ SAMLKeyInfo subjectKeyInfo =
assertionWrapper.getSubjectKeyInfo();
+ if (!compareCredentials(subjectKeyInfo, signedResults,
tlsCerts)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Compare the credentials of the assertion to the credentials used in
2-way TLS or those
+ * used to verify signatures.
+ * Return true on a match
+ * @param subjectKeyInfo the SAMLKeyInfo object
+ * @param signedResults a list of all of the signed results
+ * @return true if the credentials of the assertion were used to verify a
signature
+ */
+ private boolean compareCredentials(
+ SAMLKeyInfo subjectKeyInfo,
+ List<WSSecurityEngineResult> signedResults,
+ Certificate[] tlsCerts
+ ) {
+ X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+ PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+ byte[] subjectSecretKey = subjectKeyInfo.getSecret();
+
+ //
+ // Try to match the TLS certs first
+ //
+ if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null
+ && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0]))
{
+ return true;
+ } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey
!= null
+ && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+ return true;
+ }
+
+ //
+ // Now try the message-level signatures
+ //
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ X509Certificate[] certs =
+
(X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ PublicKey publicKey =
+
(PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ byte[] secretKey =
+ (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
+ if (certs != null && certs.length > 0 && subjectCerts != null
+ && subjectCerts.length > 0 &&
certs[0].equals(subjectCerts[0])) {
+ return true;
+ }
+ if (publicKey != null && publicKey.equals(subjectPublicKey)) {
+ return true;
+ }
+ if (secretKey != null && subjectSecretKey != null
+ && Arrays.equals(secretKey, subjectSecretKey)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+}
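Review bot: compareCredentials iterates `signedResults` unconditionally in `for (WSSecurityEngineResult signedResult : signedResults)`, but checkHolderOfKey only rejects a null list when `tlsCerts` is also null, so a holder-of-key assertion received over 2-way TLS whose client certificate does not match the subject credential throws a NullPointerException instead of returning false; a guard such as `if (signedResults == null) { return false; }` before the loop closes that. `assertionWrapper.getSubjectKeyInfo()` is likewise dereferenced without a null check, so if it can return null for an assertion that carries no KeyInfo, `subjectKeyInfo.getCerts()` fails with an NPE rather than a policy failure — worth a `if (subjectKeyInfo == null) { return false; }` in checkHolderOfKey. The Javadoc of checkHolderOfKey should also carry `@param tlsCerts the client certificates from the TLS session, or null when there is no 2-way TLS` and `@return false if a holder-of-key confirmation method is present and the subject credential matches neither the TLS client certificate nor any signature result`.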
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Mon Apr 11 16:29:41 2011
@@ -19,11 +19,15 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
+import java.security.cert.Certificate;
import java.util.Collection;
+import java.util.List;
import org.w3c.dom.Element;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
@@ -39,7 +43,18 @@ import org.opensaml.common.SAMLVersion;
* Validate a WSSecurityEngineResult corresponding to the processing of a SAML
Assertion
* against an IssuedToken policy.
*/
-public class IssuedTokenPolicyValidator {
+public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
+
+ private List<WSSecurityEngineResult> signedResults;
+ private Message message;
+
+ public IssuedTokenPolicyValidator(
+ List<WSSecurityEngineResult> signedResults,
+ Message message
+ ) {
+ this.signedResults = signedResults;
+ this.message = message;
+ }
public boolean validatePolicy(
AssertionInfoMap aim,
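Review bot: The new fields `signedResults` and `message` are assigned only in the constructor and never reassigned, so they should be declared `private final List<WSSecurityEngineResult> signedResults;` and `private final Message message;` to make the validator immutable after construction. The same applies to the `soapBody`, `signedResults` and `message` fields added to SamlTokenPolicyValidator in this commit. A constructor Javadoc stating that `signedResults` is the list of WSConstants.SIGN results for the message and that `message` is used to look up the TLS session would also help callers supply the right list.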
@@ -51,13 +66,23 @@ public class IssuedTokenPolicyValidator
AssertionWrapper assertionWrapper =
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+ ai.setAsserted(true);
+
Element template = issuedToken.getRstTemplate();
if (template != null && !checkIssuedTokenTemplate(template,
assertionWrapper)) {
ai.setNotAsserted("Error in validating the IssuedToken
policy");
return false;
}
-
- ai.setAsserted(true);
+
+ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+ if (!checkHolderOfKey(assertionWrapper, signedResults,
tlsCerts)) {
+ ai.setNotAsserted("Assertion fails holder-of-key
requirements");
+ return false;
+ }
}
}
return true;
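Review bot: The block that looks up `TLSSessionInfo` on the message and extracts `tlsCerts` is duplicated verbatim in SamlTokenPolicyValidator's validatePolicy in this commit; since both classes now extend AbstractSamlPolicyValidator, a protected helper there (for example `protected Certificate[] getTLSCertificates(Message message)`) would keep the two in step if the lookup ever changes. Note that `ai.setAsserted(true)` is now called before the template and holder-of-key checks and relies on the later `ai.setNotAsserted(...)` overriding it; a one-line comment on that call saying so would prevent a future reorder from silently asserting a failed policy. The enclosing validatePolicy method starts and ends outside the hunk.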
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Mon Apr 11 16:29:41 2011
@@ -19,14 +19,23 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
+import java.security.cert.Certificate;
import java.util.Collection;
+import java.util.List;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.opensaml.common.SAMLVersion;
@@ -34,7 +43,21 @@ import org.opensaml.common.SAMLVersion;
* Validate a WSSecurityEngineResult corresponding to the processing of a SAML
Assertion
* against the appropriate policy.
*/
-public class SamlTokenPolicyValidator {
+public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator {
+
+ private List<WSSecurityEngineResult> signedResults;
+ private Element soapBody;
+ private Message message;
+
+ public SamlTokenPolicyValidator(
+ Element soapBody,
+ List<WSSecurityEngineResult> signedResults,
+ Message message
+ ) {
+ this.soapBody = soapBody;
+ this.signedResults = signedResults;
+ this.message = message;
+ }
public boolean validatePolicy(
AssertionInfoMap aim,
@@ -52,6 +75,19 @@ public class SamlTokenPolicyValidator {
ai.setNotAsserted("Wrong SAML Version");
return false;
}
+ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+ if (!checkHolderOfKey(assertionWrapper, signedResults,
tlsCerts)) {
+ ai.setNotAsserted("Assertion fails holder-of-key
requirements");
+ return false;
+ }
+ if (!checkSenderVouches(assertionWrapper, tlsCerts)) {
+ ai.setNotAsserted("Assertion fails sender-vouches
requirements");
+ return false;
+ }
/*
if (!checkIssuerName(samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong IssuerName");
@@ -90,5 +126,64 @@ public class SamlTokenPolicyValidator {
}
return true;
}
-
+
+ /**
+ * Check the sender-vouches requirements against the received assertion.
The SAML
+ * Assertion and the SOAP Body must be signed by the same signature.
+ */
+ private boolean checkSenderVouches(
+ AssertionWrapper assertionWrapper,
+ Certificate[] tlsCerts
+ ) {
+ //
+ // If we have a 2-way TLS connection, then we don't have to check that
the
+ // assertion + SOAP body are signed
+ //
+ if (tlsCerts != null && tlsCerts.length > 0) {
+ return true;
+ }
+ List<String> confirmationMethods =
assertionWrapper.getConfirmationMethods();
+ for (String confirmationMethod : confirmationMethods) {
+ if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+ if (signedResults == null || signedResults.isEmpty()) {
+ return false;
+ }
+ if (!checkAssertionAndBodyAreSigned(assertionWrapper)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Return true if there is a signature which references the Assertion and
the SOAP Body.
+ * @param assertionWrapper the AssertionWrapper object
+ * @return true if there is a signature which references the Assertion and
the SOAP Body.
+ */
+ private boolean checkAssertionAndBodyAreSigned(AssertionWrapper
assertionWrapper) {
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ List<WSDataRef> sl =
+ CastUtils.cast((List<?>)signedResult.get(
+ WSSecurityEngineResult.TAG_DATA_REF_URIS
+ ));
+ boolean assertionIsSigned = false;
+ boolean bodyIsSigned = false;
+ if (sl != null) {
+ for (WSDataRef dataRef : sl) {
+ Element se = dataRef.getProtectedElement();
+ if (se == assertionWrapper.getElement()) {
+ assertionIsSigned = true;
+ }
+ if (se == soapBody) {
+ bodyIsSigned = true;
+ }
+ if (assertionIsSigned && bodyIsSigned) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
}
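Review bot: checkAssertionAndBodyAreSigned compares DOM nodes by reference identity in `se == assertionWrapper.getElement()` and `se == soapBody`, so the check only succeeds if the WSDataRef's protected element is the very same object as the assertion element and the SOAP Body passed to the constructor; if either can be a different wrapper around the same node, the comparison should use `se.isSameNode(assertionWrapper.getElement())` and `se.isSameNode(soapBody)` instead. This behaviour, and the fact that both references must come from a single signature result, deserves a comment on the loop. The Javadoc of checkSenderVouches should also document `@param tlsCerts the client certificates from the TLS session, or null` and `@return false if a sender-vouches confirmation method is present and no single signature covers both the assertion and the SOAP Body`.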
Modified:
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
(original)
+++
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
Mon Apr 11 16:29:41 2011
@@ -2,7 +2,7 @@
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
- <saml2:Assertion ID="4D2CF5C052E2084C8F13014023747597"
IssueInstant="2011-03-29T12:39:34.759Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml2:AssertionType"><saml2:Issuer>www.example.com</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"><saml2:SubjectConfirmationData/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2011-03-29T12:39:34.763Z"
NotOnOrAfter="2011-03-29T12:44:34.763Z"/><saml2:AuthzDecisionStatement
Decision="Permit"
Resource="endpoint"><saml2:Action>Read</saml2:Action></saml2:AuthzDecisionStatement></saml2:Assertion>
+ <saml2:Assertion ID="4D2CF5C052E2084C8F13014023747597"
IssueInstant="2011-03-29T12:39:34.759Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml2:AssertionType"><saml2:Issuer>www.example.com</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2011-03-29T12:39:34.763Z"
NotOnOrAfter="2011-03-29T12:44:34.763Z"/><saml2:AuthzDecisionStatement
Decision="Permit"
Resource="endpoint"><saml2:Action>Read</saml2:Action></saml2:AuthzDecisionStatement></saml2:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
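Review bot: The SubjectConfirmation method of this fixture is switched from sender-vouches to bearer, and the same switch is made in saml_request.xml below, which appears to be because the unsigned test message would now fail the new sender-vouches check rather than because bearer is what the test is meant to exercise. If so, the sender-vouches path added in this commit is left without a positive test, and a signed variant of this request that keeps the original confirmation method would cover it.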
Modified:
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml?rev=1091114&r1=1091113&r2=1091114&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
(original)
+++
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
Mon Apr 11 16:29:41 2011
@@ -2,7 +2,7 @@
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
- <saml1:Assertion AssertionID="4D2CF5C052E2084C8F13014023748318"
IssueInstant="2011-03-29T12:39:34.831Z" Issuer="www.example.com"
MajorVersion="1" MinorVersion="1"
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml1:AssertionType"><saml1:ConditionsType
NotBefore="2011-03-29T12:39:34.832Z"
NotOnOrAfter="2011-03-29T12:44:34.832Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2011-03-29T12:39:34.831Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
xsi:type="saml1:AuthenticationStatementType"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement
></saml1:Assertion>
+ <saml1:Assertion AssertionID="4D2CF5C052E2084C8F13014023748318"
IssueInstant="2011-03-29T12:39:34.831Z" Issuer="www.example.com"
MajorVersion="1" MinorVersion="1"
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="saml1:AssertionType"><saml1:ConditionsType
NotBefore="2011-03-29T12:39:34.832Z"
NotOnOrAfter="2011-03-29T12:44:34.832Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2011-03-29T12:39:34.831Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
xsi:type="saml1:AuthenticationStatementType"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1
:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>