Author: coheigea
Date: Thu May 17 12:44:46 2012
New Revision: 1339577
URL: http://svn.apache.org/viewvc?rev=1339577&view=rev
Log:
Make the enforcement of signed Assertions configurable for Web SSO
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1339577&r1=1339576&r2=1339577&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Thu May 17 12:44:46 2012
@@ -77,6 +77,7 @@ public class RequestAssertionConsumerSer
private boolean supportBase64Encoding = true;
private Crypto signatureCrypto;
private String signaturePropertiesFile;
+ private boolean enforceAssertionsSigned = true;
@Context
private MessageContext jaxrsContext;
@@ -88,6 +89,13 @@ public class RequestAssertionConsumerSer
return supportDeflateEncoding;
}
+ /**
+ * Enforce that Assertions must be signed if the POST binding was used.
The default is true.
+ */
+ public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
+ this.enforceAssertionsSigned = enforceAssertionsSigned;
+ }
+
public void setSupportBase64Encoding(boolean supportBase64Encoding) {
this.supportBase64Encoding = supportBase64Encoding;
}
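Review bot: The Javadoc on setEnforceAssertionsSigned states the default but not what turning the check off means: with `false`, an Assertion delivered over the POST binding is accepted without carrying a signature of its own, so any remaining integrity protection has to come from other checks on the Response, which this hunk does not show. Suggest extending the comment with a sentence along the lines of `Disable only when the enclosing Response is signed and that signature is verified; otherwise an unsigned Assertion received via POST is accepted as-is.` The identical setter added to SAMLSSOResponseValidator in this commit would benefit from the same wording, since that is where the flag is actually consulted.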
@@ -294,9 +302,9 @@ public class RequestAssertionConsumerSer
ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
+
ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
- // TODO post binding
- return ssoResponseValidator.validateSamlResponse(samlResponse,
false);
+ return ssoResponseValidator.validateSamlResponse(samlResponse,
postBinding);
} catch (WSSecurityException ex) {
reportError("INVALID_SAML_RESPONSE");
throw new WebApplicationException(400);
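Review bot: Passing `postBinding` in place of the hard-coded `false` switches the signed-Assertion check on for POST-binding responses, which the previous code never applied; with the new default of true, deployments whose IdP signs only the Response will start receiving a 400 from this path, and the commit message only says the check was made configurable. That behaviour change deserves a line in the setter Javadoc or release notes, e.g. `The check is now applied to POST-binding responses; earlier revisions skipped it.` The client receives only `INVALID_SAML_RESPONSE` and the validator records the reason with LOG.fine, so a misconfigured or hostile IdP sending unsigned Assertions is hard to spot from the logs; logging that rejection at WARNING would help operators. The enclosing try block starts before this hunk, and where `postBinding` is assigned is not visible here.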
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1339577&r1=1339576&r2=1339577&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Thu May 17 12:44:46 2012
@@ -45,6 +45,14 @@ public class SAMLSSOResponseValidator {
private String clientAddress;
private String requestId;
private String spIdentifier;
+ private boolean enforceAssertionsSigned = true;
+
+ /**
+ * Enforce that Assertions must be signed if the POST binding was used.
The default is true.
+ */
+ public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
+ this.enforceAssertionsSigned = enforceAssertionsSigned;
+ }
/**
* Validate a SAML 2 Protocol Response
@@ -86,7 +94,7 @@ public class SAMLSSOResponseValidator {
}
validateIssuer(assertion.getIssuer());
- if (postBinding && assertion.getSignature() == null) {
+ if (enforceAssertionsSigned && postBinding &&
assertion.getSignature() == null) {
LOG.fine("If the HTTP Post binding is used to deliver the
Response, "
+ "the enclosed assertions must be signed");
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");