Author: coheigea
Date: Tue May 15 08:47:51 2012
New Revision: 1338600
URL: http://svn.apache.org/viewvc?rev=1338600&view=rev
Log:
Some RelayState updates to the SAML SSO code
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties?rev=1338600&r1=1338599&r2=1338600&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
(original)
+++
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/Messages.properties
Tue May 15 08:47:51 2012
@@ -21,6 +21,7 @@
MISSING_TARGET_URI=Target URI is missing
INVALID_TARGET_URI=Target URI is invalid
MISSING_RELAY_STATE=RelayState parameter is missing
+INVALID_RELAY_STATE=RelayState parameter is invalid
MISSING_REQUEST_STATE=Request State is not available
EXPIRED_REQUEST_STATE=Request State has expired
MISSING_SAML_RESPONSE=SamlResponse parameter is missing
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1338600&r1=1338599&r2=1338600&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Tue May 15 08:47:51 2012
@@ -91,6 +91,10 @@ public class RequestAssertionConsumerSer
reportError("MISSING_RELAY_STATE");
throw new WebApplicationException(400);
}
+ if (relayState.getBytes().length < 0 || relayState.getBytes().length >
80) {
+ reportError("INVALID_RELAY_STATE");
+ throw new WebApplicationException(400);
+ }
RequestState requestState =
getStateProvider().removeRequestState(relayState);
if (requestState == null) {
reportError("MISSING_REQUEST_STATE");
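Review bot: The new guard's first operand, `relayState.getBytes().length < 0`, can never be true because an array length is non-negative, so an empty RelayState passes the check and goes on to the state-provider lookup; the lower bound that the error message implies would be `== 0`. The same expression also calls `getBytes()` twice with the platform default charset, so the 80-byte limit is measured in whatever encoding the JVM happens to use rather than a fixed one; computing it once as `byte[] relayBytes = relayState.getBytes("UTF-8");` and testing `if (relayBytes.length == 0 || relayBytes.length > 80) {` fixes both (the charset overload throws a checked UnsupportedEncodingException, which the caller would need to handle or convert). A short comment such as `// RelayState must be 1..80 bytes (SAML 2.0 bindings)` would record where the limit comes from. The enclosing method begins and ends outside this hunk.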
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1338600&r1=1338599&r2=1338600&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
(original)
+++
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Tue May 15 08:47:51 2012
@@ -67,6 +67,15 @@ public class SAMLSSOResponseValidator {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
}
+ // The Response must contain a Destination that matches the
assertionConsumerURL if it is
+ // signed and received over the POST Binding.
+ String destination = samlResponse.getDestination();
+ if (postBinding && samlResponse.isSigned()
+ && (destination == null ||
!destination.equals(assertionConsumerURL))) {
+ LOG.fine("The Response must contain a destination that matches the
assertion consumer URL");
+ throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
+ }
+
// Validate Assertions
boolean foundValidSubject = false;
for (org.opensaml.saml2.core.Assertion assertion :
samlResponse.getAssertions()) {
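Review bot: The Destination check is gated on `postBinding && samlResponse.isSigned()`, so a Response that carries a Destination attribute but arrives unsigned, or over the Redirect binding, is never compared against the assertion consumer URL even though the value is present; as far as I recall the SAML Core text, a recipient must check a Destination whenever it is present, and the signed-POST case only adds that it must be present. Splitting the two conditions keeps the new requirement and closes that gap: `if (destination != null && !destination.equals(assertionConsumerURL)) {` for any response, followed by `if (postBinding && samlResponse.isSigned() && destination == null) {` with the same failure path. The comparison is exact string equality, so any normalization of assertionConsumerURL (trailing slash, scheme case) done elsewhere should be applied consistently here too; I cannot see how it is built from this hunk. The enclosing method continues outside the hunk.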
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java?rev=1338600&r1=1338599&r2=1338600&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java
(original)
+++
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/sso/filter/AbstractServiceProviderFilter.java
Tue May 15 08:47:51 2012
@@ -196,7 +196,7 @@ public abstract class AbstractServicePro
webAppContext,
System.currentTimeMillis());
- String relayState = UUID.randomUUID().toString();
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(),
"UTF-8");
getStateProvider().setRequestState(relayState, requestState);
info.setRelayState(relayState);
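Review bot: Wrapping the UUID in `URLEncoder.encode(..., "UTF-8")` is a no-op for the value being encoded, since `UUID.toString()` yields only hexadecimal digits and hyphens, all of which URLEncoder passes through unchanged; the only effect is the checked UnsupportedEncodingException the overload declares, which this hunk does not show being handled. If the intent is to guarantee the stored key and the RelayState echoed back by the browser are identical, a comment such as `// UUID text is already URL-safe; stored and echoed RelayState must match byte-for-byte` on the original line documents that without adding an encoding step. If a non-UUID RelayState is planned later, the encoding belongs at the point the value is written into the redirect/form, not in the key stored with the request state. The enclosing method starts and ends outside this hunk.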
info.setWebAppContext(webAppContext);