Author: coheigea
Date: Tue Jun 5 16:01:05 2012
New Revision: 1346450
URL: http://svn.apache.org/viewvc?rev=1346450&view=rev
Log:
Making it possible to relax the Issuer checking in the
RequestAssertionConsumerService
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1346450&r1=1346449&r2=1346450&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Tue Jun 5 16:01:05 2012
@@ -68,6 +68,7 @@ public class RequestAssertionConsumerSer
private boolean supportDeflateEncoding = true;
private boolean supportBase64Encoding = true;
private boolean enforceAssertionsSigned = true;
+ private boolean enforceKnownIssuer = true;
private TokenReplayCache<String> replayCache;
private MessageContext messageContext;
@@ -102,6 +103,14 @@ public class RequestAssertionConsumerSer
this.enforceAssertionsSigned = enforceAssertionsSigned;
}
+ /**
+ * Enforce that the Issuer of the received Response/Assertion is known to
this RACS. The
+ * default is true.
+ */
+ public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
+ this.enforceKnownIssuer = enforceKnownIssuer;
+ }
+
public void setSupportBase64Encoding(boolean supportBase64Encoding) {
this.supportBase64Encoding = supportBase64Encoding;
}
@@ -293,6 +302,7 @@ public class RequestAssertionConsumerSer
ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
+ ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
ssoResponseValidator.setReplayCache(getReplayCache());
return ssoResponseValidator.validateSamlResponse(samlResponse,
postBinding);
Modified:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1346450&r1=1346449&r2=1346450&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
(original)
+++
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Tue Jun 5 16:01:05 2012
@@ -45,6 +45,7 @@ public class SAMLSSOResponseValidator {
private String requestId;
private String spIdentifier;
private boolean enforceAssertionsSigned = true;
+ private boolean enforceKnownIssuer = true;
private TokenReplayCache<String> replayCache;
/**
@@ -55,6 +56,13 @@ public class SAMLSSOResponseValidator {
}
/**
+ * Enforce that the Issuer of the received Response/Assertion is known.
The default is true.
+ */
+ public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
+ this.enforceKnownIssuer = enforceKnownIssuer;
+ }
+
+ /**
* Validate a SAML 2 Protocol Response
* @param samlResponse
* @param postBinding
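Review bot: "known" is left undefined in the validator's new Javadoc; what the flag actually gates (in the later hunk, not this one) is the comparison of the Response Issuer against the `issuerIDP` value, and the comment should name that contract, e.g. `When true (the default) the Issuer of the Response must correspond to the configured IdP issuer; when false that comparison is skipped and the caller must rely on signature validation to identify the IdP.` The setter's parameter is also undocumented; a `@param enforceKnownIssuer` line in the file's existing Javadoc style would complete it. The enclosing class continues outside the hunk.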
@@ -142,7 +150,7 @@ public class SAMLSSOResponseValidator {
}
// Issuer value must match (be contained in) Issuer IDP
- if (!issuerIDP.startsWith(issuer.getValue())) {
+ if (enforceKnownIssuer && !issuerIDP.startsWith(issuer.getValue())) {
LOG.fine("Issuer value: " + issuer.getValue() + " does not match
issuer IDP: "
+ issuerIDP);
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
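Review bot: When `enforceKnownIssuer` is false the mismatch path is skipped silently, so nothing in the logs shows that a Response from an unexpected Issuer was accepted; a one-line trace on the relaxed path, e.g. `if (!enforceKnownIssuer) { LOG.fine("Issuer check disabled; not comparing " + issuer.getValue() + " against " + issuerIDP); }`, keeps the relaxation visible to an operator. Separately, the retained comparison is a prefix test — `issuerIDP.startsWith(issuer.getValue())` accepts an empty Issuer value and any Issuer that is a prefix of the configured IdP — which is weaker than the comment's "must match" suggests; an exact `issuerIDP.equals(issuer.getValue())`, or at least a non-empty check before the prefix test, would be the safer form unless the prefix semantics are deliberate. Where `issuer` and `issuerIDP` are obtained is outside the hunk, so whether `issuer.getValue()` can be null at this point cannot be judged here.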