Author: coheigea
Date: Fri May 25 11:51:14 2012
New Revision: 1342584
URL: http://svn.apache.org/viewvc?rev=1342584&view=rev
Log:
Changing POST binding not to use Deflate encoding by default + changing deflate
encoder to also support gzip
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java?rev=1342584&r1=1342583&r2=1342584&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
Fri May 25 11:51:14 2012
@@ -40,13 +40,11 @@ import org.w3c.dom.Element;
import org.apache.cxf.common.i18n.BundleUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
-import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.impl.UriInfoImpl;
import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.cxf.rs.security.saml.SAMLUtils;
import org.apache.cxf.rs.security.saml.assertion.Subject;
import org.apache.cxf.rs.security.saml.sso.state.RequestState;
@@ -54,7 +52,6 @@ import org.apache.cxf.rs.security.saml.s
import org.apache.cxf.security.SecurityContext;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
-import org.apache.ws.security.util.DOM2Writer;
import org.opensaml.saml2.core.AuthnRequest;
public abstract class AbstractServiceProviderFilter extends
AbstractSSOSpHandler
@@ -229,16 +226,6 @@ public abstract class AbstractServicePro
return responseState;
}
- protected String deflateEncodeAuthnRequest(Element authnRequestElement)
- throws IOException {
- String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
-
- DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
- byte[] deflatedBytes =
encoder.deflateToken(requestMessage.getBytes("UTF-8"));
-
- return Base64Utility.encode(deflatedBytes);
- }
-
protected SamlRequestInfo createSamlRequestInfo(Message m) throws
Exception {
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
@@ -252,7 +239,7 @@ public abstract class AbstractServicePro
signAuthnRequest(authnRequest);
}
Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
- String authnRequestEncoded =
deflateEncodeAuthnRequest(authnRequestElement);
+ String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
SamlRequestInfo info = new SamlRequestInfo();
info.setSamlRequest(authnRequestEncoded);
@@ -277,6 +264,8 @@ public abstract class AbstractServicePro
return info;
}
+ protected abstract String encodeAuthnRequest(Element authnRequest) throws
IOException;
+
protected abstract void signAuthnRequest(AuthnRequest authnRequest) throws
Exception;
private String getAbsoluteAssertionServiceAddress(Message m) {
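Review bot: The new abstract `encodeAuthnRequest` carries no Javadoc, yet its contract is exactly what each binding must get right for the IdP to parse the `SAMLRequest` value. Suggest documenting it on the declaration: `/** Serialize the AuthnRequest element into the SAMLRequest parameter value: DEFLATE then base64 for the Redirect binding (SAML 2.0 Bindings 3.4.4.1), base64 only for POST (3.5.4). */`. The `createSamlRequestInfo` caller that uses the result starts before this hunk.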
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1342584&r1=1342583&r2=1342584&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Fri May 25 11:51:14 2012
@@ -23,7 +23,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URI;
-import java.net.URLDecoder;
import java.util.Date;
import java.util.ResourceBundle;
import java.util.UUID;
@@ -112,28 +111,29 @@ public class RequestAssertionConsumerSer
@Produces(MediaType.APPLICATION_FORM_URLENCODED)
public Response processSamlResponse(@FormParam(SSOConstants.SAML_RESPONSE)
String encodedSamlResponse,
@FormParam(SSOConstants.RELAY_STATE)
String relayState) {
- return doProcessSamlResponse(encodedSamlResponse, relayState);
+ return doProcessSamlResponse(encodedSamlResponse, relayState, true);
}
@GET
public Response getSamlResponse(@QueryParam(SSOConstants.SAML_RESPONSE)
String encodedSamlResponse,
@QueryParam(SSOConstants.RELAY_STATE)
String relayState) {
- return doProcessSamlResponse(encodedSamlResponse, relayState);
+ return doProcessSamlResponse(encodedSamlResponse, relayState, false);
}
protected Response doProcessSamlResponse(String encodedSamlResponse,
- String relayState) {
+ String relayState,
+ boolean postBinding) {
RequestState requestState = processRelayState(relayState);
URI targetURI = getTargetURI(requestState.getTargetAddress());
org.opensaml.saml2.core.Response samlResponse =
- readSAMLResponse(true, encodedSamlResponse);
+ readSAMLResponse(postBinding, encodedSamlResponse);
// Validate the Response
validateSamlResponseProtocol(samlResponse);
SSOValidatorResponse validatorResponse =
- validateSamlSSOResponse(true, samlResponse, requestState);
+ validateSamlSSOResponse(postBinding, samlResponse, requestState);
// Set the security context
String securityContextKey = UUID.randomUUID().toString();
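Review bot: The GET endpoint now runs the response through the redirect-binding path (`readSAMLResponse(false, …)` / `validateSamlSSOResponse(false, …)`), but neither method is visible here, so it is unclear whether a GET-delivered Response is still required to carry a verified signature. In the HTTP-Redirect binding the signature lives in the `Signature`/`SigAlg` query parameters rather than inside the XML, and the Web Browser SSO profile (SAML 2.0 Profiles 4.1.2) says the Redirect binding MUST NOT be used to deliver the Response at all. If the `false` path merely skips the XML-signature check, an unsigned Response could be accepted over GET; either reject GET outright or verify the query-string signature over `SAMLResponse`, `RelayState` and `SigAlg` before trusting the assertion. `doProcessSamlResponse` continues past this hunk.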
@@ -197,6 +197,7 @@ public class RequestAssertionConsumerSer
}
String samlResponseDecoded = samlResponse;
+ /*
// URL Decoding only applies for the re-direct binding
if (!postBinding) {
try {
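Review bot: The URL-decoding block is commented out with `/* … */` rather than deleted, and the same commit removes the `java.net.URLDecoder` import, so the block can no longer be re-enabled by uncommenting anyway; delete it outright. Presumably it was removed because JAX-RS has already decoded the `@QueryParam`/`@FormParam` value, so a second `URLDecoder.decode` would turn the `+` characters of a base64 string into spaces and break `Base64Utility.decode` — worth stating where the block was: `// No manual URL decoding: JAX-RS already decodes the parameter; decoding twice corrupts '+' in base64.` The enclosing method starts before this hunk.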
@@ -205,11 +206,12 @@ public class RequestAssertionConsumerSer
throw new WebApplicationException(400);
}
}
+ */
InputStream tokenStream = null;
if (isSupportBase64Encoding()) {
try {
byte[] deflatedToken =
Base64Utility.decode(samlResponseDecoded);
- tokenStream = isSupportDeflateEncoding()
+ tokenStream = !postBinding && isSupportDeflateEncoding()
? new DeflateEncoderDecoder().inflateToken(deflatedToken)
: new ByteArrayInputStream(deflatedToken);
} catch (Base64Exception ex) {
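Review bot: `samlResponseDecoded` is now a plain alias of `samlResponse` (the only code that assigned anything else is the commented-out block above), so the indirection reads as if decoding still happens; pass `samlResponse` to `Base64Utility.decode` directly and drop the local. Separately, with `!postBinding && isSupportDeflateEncoding()` the inflate branch is reached only for the redirect binding, i.e. for data taken straight from the query string, so `inflateToken` is being fed attacker-controlled input here and the bound on its output size is what protects this endpoint from a decompression bomb. The enclosing method starts and ends outside this hunk.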
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java?rev=1342584&r1=1342583&r2=1342584&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java
Fri May 25 11:51:14 2012
@@ -18,6 +18,7 @@
*/
package org.apache.cxf.rs.security.saml.sso;
+import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
@@ -26,14 +27,19 @@ import javax.ws.rs.WebApplicationExcepti
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.jaxrs.ext.MessageContextImpl;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.util.DOM2Writer;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.security.x509.BasicX509Credential;
@@ -44,6 +50,12 @@ import org.opensaml.xml.signature.Signat
public class SamlPostBindingFilter extends AbstractServiceProviderFilter {
+ private boolean useDeflateEncoding;
+
+ public void setUseDeflateEncoding(boolean useDeflateEncoding) {
+ this.useDeflateEncoding = useDeflateEncoding;
+ }
+
public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
if (checkSecurityContext(m)) {
return null;
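Review bot: `setUseDeflateEncoding` is a configuration knob whose default (`false`) changes the wire format this filter previously produced, and it has no Javadoc explaining when anyone should set it. Suggest `/** Apply DEFLATE before base64 in the POST binding. Off by default because SAML 2.0 Bindings 3.5.4 mandates plain base64; enable only for IdPs that (incorrectly) require it. */`. `handleRequest` at the end of this hunk continues past it.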
@@ -76,6 +88,21 @@ public class SamlPostBindingFilter exten
}
}
+ protected String encodeAuthnRequest(Element authnRequest) throws
IOException {
+ String requestMessage = DOM2Writer.nodeToString(authnRequest);
+
+ byte[] deflatedBytes = null;
+ // Not correct according to the spec but required by some IDPs.
+ if (useDeflateEncoding) {
+ DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
+ deflatedBytes =
encoder.deflateToken(requestMessage.getBytes("UTF-8"));
+ } else {
+ deflatedBytes = requestMessage.getBytes("UTF-8");
+ }
+
+ return Base64Utility.encode(deflatedBytes);
+ }
+
protected void signAuthnRequest(AuthnRequest authnRequest) throws
Exception {
Crypto crypto = getSignatureCrypto();
if (crypto == null) {
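Review bot: In the non-deflate branch `deflatedBytes` holds the raw UTF-8 bytes, so the name is wrong for the default configuration; rename it to `requestBytes` and drop the `= null` initialisation since both branches assign it. The `// Not correct according to the spec …` comment sits above the `if`, which reads as though the test itself is non-compliant; moving it inside the branch as `// DEFLATE in the POST binding violates SAML 2.0 Bindings 3.5.4 but some IdPs require it` makes the scope clear. `signAuthnRequest` at the end of this hunk continues past it.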
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java?rev=1342584&r1=1342583&r2=1342584&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java
Fri May 25 11:51:14 2012
@@ -18,6 +18,7 @@
*/
package org.apache.cxf.rs.security.saml.sso;
+import java.io.IOException;
import java.net.URLEncoder;
import java.security.PrivateKey;
import java.security.Signature;
@@ -28,13 +29,18 @@ import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.DOM2Writer;
import org.opensaml.saml2.core.AuthnRequest;
public class SamlRedirectBindingFilter extends AbstractServiceProviderFilter {
@@ -77,6 +83,15 @@ public class SamlRedirectBindingFilter e
// Do nothing as we sign the request in a different way for the
redirect binding
}
+ protected String encodeAuthnRequest(Element authnRequest) throws
IOException {
+ String requestMessage = DOM2Writer.nodeToString(authnRequest);
+
+ DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
+ byte[] deflatedBytes =
encoder.deflateToken(requestMessage.getBytes("UTF-8"));
+
+ return Base64Utility.encode(deflatedBytes);
+ }
+
/**
* Sign a request according to the redirect binding spec for Web SSO
*/
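Review bot: This `encodeAuthnRequest` is byte-for-byte the `deflateEncodeAuthnRequest` that the same commit deletes from `AbstractServiceProviderFilter`, moved down into the Redirect filter. Since DEFLATE+base64 is the mandated form for the Redirect binding and the only deviation is the POST filter's opt-in flag, a non-abstract default in the base class overridden by `SamlPostBindingFilter` would avoid the duplication. If it stays abstract, a one-line Javadoc here — `/** DEFLATE + base64 as required by SAML 2.0 Bindings 3.4.4.1 for HTTP-Redirect. */` — tells the reader why this filter has no opt-out.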
Modified:
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java?rev=1342584&r1=1342583&r2=1342584&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java
(original)
+++
cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java
Fri May 25 11:51:14 2012
@@ -28,11 +28,10 @@ import java.util.zip.Inflater;
public class DeflateEncoderDecoder {
public InputStream inflateToken(byte[] deflatedToken)
throws DataFormatException {
- Inflater inflater = new Inflater();
+ Inflater inflater = new Inflater(true);
inflater.setInput(deflatedToken);
byte[] input = new byte[deflatedToken.length * 2];
-
int inflatedLen = 0;
int inputLen = 0;
byte[] inflatedToken = input;
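Review bot: Switching to `new Inflater(true)` drops the zlib header and the Adler-32 trailer check, which is right for the raw DEFLATE the Redirect binding specifies, but it also means the inflater no longer verifies integrity of the stream itself and the XML signature check is the only thing behind it. What this hunk does not show is the growth loop that follows: the buffer starts at `deflatedToken.length * 2`, and if the loop grows it without a ceiling a few hundred bytes from the query string can inflate to hundreds of megabytes, so cap the total inflated size (fail with `DataFormatException` past a configurable maximum) and call `inflater.end()` in a `finally` to release the native buffer. Note also that the JDK Javadoc for `Inflater(boolean nowrap)` warns an extra dummy input byte may be required by the native library; a loop that spins until `finished()` without checking `needsInput()` can hang on such input. The rest of `inflateToken` lies outside this hunk.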
@@ -53,7 +52,7 @@ public class DeflateEncoderDecoder {
}
public byte[] deflateToken(byte[] tokenBytes) {
- Deflater compresser = new Deflater();
+ Deflater compresser = new Deflater(Deflater.DEFLATED, true);
compresser.setInput(tokenBytes);
compresser.finish();