Author: coheigea
Date: Tue Jul 10 09:56:30 2012
New Revision: 1359554
URL: http://svn.apache.org/viewvc?rev=1359554&view=rev
Log:
[CXF-4414] - SecurityPolicy validation fails when a KeyValue is used as an
EndorsingSupportingToken
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1359554&r1=1359553&r2=1359554&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
Tue Jul 10 09:56:30 2012
@@ -567,14 +567,14 @@ public abstract class AbstractSupporting
X509Certificate cert =
(X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ PublicKey publicKey =
+ (PublicKey)result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
// Now see if the same credential exists in the tokenResult list
for (WSSecurityEngineResult token : tokenResult) {
Integer actInt =
(Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
BinarySecurity binarySecurity =
(BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- PublicKey publicKey =
- (PublicKey)token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
if (binarySecurity instanceof X509Security
|| binarySecurity instanceof PKIPathSecurity) {
X509Certificate foundCert =
@@ -590,10 +590,10 @@ public abstract class AbstractSupporting
if (samlKeyInfo != null) {
X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
byte[] subjectSecretKey = samlKeyInfo.getSecret();
- if (cert != null && subjectCerts != null &&
cert.equals(subjectCerts[0])) {
- return true;
- }
- if (subjectSecretKey != null &&
Arrays.equals(subjectSecretKey, secret)) {
+ PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
+ if ((cert != null && subjectCerts != null &&
cert.equals(subjectCerts[0]))
+ || (subjectSecretKey != null &&
Arrays.equals(subjectSecretKey, secret))
+ || (subjectPublicKey != null &&
subjectPublicKey.equals(publicKey))) {
return true;
}
}
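Review bot: The merged condition still indexes `subjectCerts[0]` after only a null check, so a holder-of-key assertion whose KeyInfo resolves to an empty certificate array ends in an ArrayIndexOutOfBoundsException rather than the loop simply not matching; the first clause should read `(cert != null && subjectCerts != null && subjectCerts.length > 0 && cert.equals(subjectCerts[0]))`. Since `publicKey` now comes from the endorsing signature result hoisted out of the token loop in the previous hunk, a comment above the new `subjectPublicKey` line such as `// KeyValue holder-of-key: the assertion's public key must match the key that produced the endorsing signature` would make the third clause self-explanatory. The enclosing method starts and ends outside this hunk.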
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1359554&r1=1359553&r2=1359554&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Tue Jul 10 09:56:30 2012
@@ -34,6 +34,7 @@ import org.apache.cxf.systest.ws.common.
import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
import org.apache.cxf.systest.ws.saml.server.Server;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.example.contract.doubleit.DoubleItPortType;
@@ -398,6 +399,36 @@ public class SamlTokenTest extends Abstr
}
@org.junit.Test
+ public void testSaml2EndorsingPKOverTransport() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE,
"DoubleItSaml2EndorsingTransportPort");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml2Port, PORT2);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+ callbackHandler.setKeyInfoIdentifier(CERT_IDENTIFIER.KEY_VALUE);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ int result = saml2Port.doubleIt(25);
+ assertTrue(result == 50);
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testSaml2EndorsingOverTransportSP11() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java?rev=1359554&r1=1359553&r2=1359554&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
Tue Jul 10 09:56:30 2012
@@ -46,6 +46,7 @@ import org.opensaml.common.SAMLVersion;
public class SamlCallbackHandler implements CallbackHandler {
private boolean saml2 = true;
private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+ private CERT_IDENTIFIER keyInfoIdentifier = CERT_IDENTIFIER.X509_CERT;
public SamlCallbackHandler() {
//
@@ -59,6 +60,10 @@ public class SamlCallbackHandler impleme
this.confirmationMethod = confirmationMethod;
}
+ public void setKeyInfoIdentifier(CERT_IDENTIFIER keyInfoIdentifier) {
+ this.keyInfoIdentifier = keyInfoIdentifier;
+ }
+
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
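Review bot: The new `setKeyInfoIdentifier` setter (and the field it writes, added in the previous hunk) has no Javadoc, and nothing states that the handler falls back to an X.509 certificate reference unless told otherwise; a one-liner such as `/** Selects how the holder-of-key KeyInfo identifies the subject key; defaults to CERT_IDENTIFIER.X509_CERT. */` above the setter would cover it. Noting that the argument is not validated would also help, since a null value is stored as-is and only fails later when the KeyInfoBean is built.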
@@ -114,8 +119,12 @@ public class SamlCallbackHandler impleme
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
KeyInfoBean keyInfo = new KeyInfoBean();
- keyInfo.setCertificate(certs[0]);
- keyInfo.setCertIdentifer(CERT_IDENTIFIER.X509_CERT);
+ keyInfo.setCertIdentifer(keyInfoIdentifier);
+ if (keyInfoIdentifier == CERT_IDENTIFIER.X509_CERT) {
+ keyInfo.setCertificate(certs[0]);
+ } else if (keyInfoIdentifier == CERT_IDENTIFIER.KEY_VALUE) {
+ keyInfo.setPublicKey(certs[0].getPublicKey());
+ }
return keyInfo;
}
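Review bot: The new branch chain records the identifier on the bean but populates neither a certificate nor a public key when `keyInfoIdentifier` is any value other than X509_CERT or KEY_VALUE (including null, which the setter accepts), so the assertion is silently built with an incomplete KeyInfo and the problem only surfaces downstream during validation. A trailing `} else { throw new IllegalStateException("Unsupported KeyInfo identifier: " + keyInfoIdentifier); }` would make the unsupported case fail at construction time. `certs[0]` is also indexed without a length check on both branches; a guard after the `crypto.getX509Certificates` call would turn an empty lookup into a clear failure. The enclosing method starts outside this hunk.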