Author: coheigea
Date: Fri Jan 11 14:56:33 2013
New Revision: 1432076
URL: http://svn.apache.org/viewvc?rev=1432076&view=rev
Log:
Merged revisions 1432070 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1432070 | coheigea | 2013-01-11 14:45:58 +0000 (Fri, 11 Jan 2013) | 2 lines
[CXF-4746] - STS issues invalid SAML 1.1 Assertions under certain conditions
........
Modified:
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SamlCallbackHandler.java
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Modified:
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SamlCallbackHandler.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SamlCallbackHandler.java?rev=1432076&r1=1432075&r2=1432076&view=diff
==============================================================================
---
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SamlCallbackHandler.java
(original)
+++
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SamlCallbackHandler.java
Fri Jan 11 14:56:33 2013
@@ -19,6 +19,7 @@
package org.apache.cxf.sts.token.provider;
import java.io.IOException;
+import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.Callback;
@@ -112,11 +113,13 @@ public class SamlCallbackHandler impleme
// Set the token Type.
TokenRequirements tokenRequirements =
tokenParameters.getTokenRequirements();
String tokenType = tokenRequirements.getTokenType();
+ boolean saml1 = false;
if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML2_NS.equals(tokenType)) {
callback.setSamlVersion(SAMLVersion.VERSION_20);
} else {
callback.setSamlVersion(SAMLVersion.VERSION_11);
+ saml1 = true;
setSubjectOnBeans();
}
@@ -129,14 +132,26 @@ public class SamlCallbackHandler impleme
}
// Set the statements
+ boolean statementAdded = false;
if (attributeBeans != null && !attributeBeans.isEmpty()) {
callback.setAttributeStatementData(attributeBeans);
+ statementAdded = true;
}
if (authBeans != null && !authBeans.isEmpty()) {
callback.setAuthenticationStatementData(authBeans);
+ statementAdded = true;
}
if (authDecisionBeans != null && !authDecisionBeans.isEmpty())
{
callback.setAuthDecisionStatementData(authDecisionBeans);
+ statementAdded = true;
+ }
+
+ // If SAML 1.1 we *must* add a Statement
+ if (saml1 && !statementAdded) {
+ AttributeStatementBean defaultStatement =
+ new
DefaultAttributeStatementProvider().getStatement(tokenParameters);
+ defaultStatement.setSubject(subjectBean);
+
callback.setAttributeStatementData(Collections.singletonList(defaultStatement));
}
// Set the conditions
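Review bot: The new `if (saml1 && !statementAdded)` block calls `defaultStatement.setSubject(subjectBean)` without checking either the statement returned by `DefaultAttributeStatementProvider.getStatement(...)` or `subjectBean` for null; `subjectBean` appears to be populated by `setSubjectOnBeans()` in the SAML 1.1 branch of the earlier hunk, and if it can still be null at this point the synthesized statement would carry no Subject and the assertion would remain structurally unusable, so a guard such as `if (defaultStatement != null && subjectBean != null)` or an explicit exception would make the failure mode visible rather than silent. The one-line comment also undersells what the block does: it injects an attribute statement that none of the configured providers produced, which is a behaviour an operator of the STS should be able to find; I would widen it to `// SAML 1.1 requires at least one Statement. If the configured providers emitted none (e.g. a claims provider with no claims), synthesize a default AttributeStatement with the same Subject as the other beans.` The `saml1` flag introduced in the previous hunk mirrors the version already stored on `callback`, so if `callback.getSamlVersion()` is available it could replace the flag. The enclosing method starts before this hunk.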
Modified:
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1432076&r1=1432075&r2=1432076&view=diff
==============================================================================
---
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
(original)
+++
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Fri Jan 11 14:56:33 2013
@@ -21,6 +21,7 @@ package org.apache.cxf.sts.token.validat
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Properties;
@@ -38,6 +39,7 @@ import org.apache.cxf.message.MessageImp
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
+import org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider;
import org.apache.cxf.sts.common.PasswordCallbackHandler;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.Lifetime;
@@ -45,6 +47,7 @@ import org.apache.cxf.sts.request.Receiv
import org.apache.cxf.sts.request.ReceivedToken.STATE;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.AttributeStatementProvider;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.TokenProvider;
@@ -140,6 +143,41 @@ public class SAMLTokenValidatorTest exte
}
/**
+ * Test a SAML 1.1 Assertion that is configured with the
ClaimsAttributeStatementProvider,
+ * but does not contain any claims. In older versions of the STS, this
generated an invalid
+ * SAML Assertion.
+ */
+ @org.junit.Test
+ public void testSAML1AssertionWithClaims() throws Exception {
+ TokenValidator samlTokenValidator = new SAMLTokenValidator();
+ TokenValidatorParameters validatorParameters =
createValidatorParameters();
+ validatorParameters.setTokenStore(null);
+ TokenRequirements tokenRequirements =
validatorParameters.getTokenRequirements();
+
+ // Create a ValidateTarget consisting of a SAML Assertion
+ Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+ CallbackHandler callbackHandler = new PasswordCallbackHandler();
+ Element samlToken =
+ createSAMLAssertionWithClaimsProvider(
+ WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey",
callbackHandler
+ );
+ Document doc = samlToken.getOwnerDocument();
+ samlToken = (Element)doc.appendChild(samlToken);
+
+ ReceivedToken validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ TokenValidatorResponse validatorResponse =
+ samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+ }
+
+ /**
* Test a SAML 1.1 Assertion with an invalid signature
*/
@org.junit.Test
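Review bot: The new test's name `testSAML1AssertionWithClaims` contradicts its Javadoc, which describes an assertion built with the ClaimsAttributeStatementProvider but containing no claims; a name such as `testSAML1AssertionWithClaimsProviderButNoClaims` would say what is exercised. The three closing assertions use `assertTrue(x != null)` and `assertTrue(a == b)`, which give no diagnostic on failure; `assertNotNull(validatorResponse)`, `assertNotNull(validatorResponse.getToken())` and `assertEquals(STATE.VALID, validatorResponse.getToken().getState())` would (assuming the corresponding static imports are present or added), and the same `assertTrue(x != null)` pattern recurs in `createSAMLAssertionWithClaimsProvider` in the last hunk. The test also only proves that the validator accepts the token; since the fix is about a synthesized Statement, asserting that the returned assertion actually contains one AttributeStatement would pin the behaviour the commit message describes.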
@@ -357,6 +395,23 @@ public class SAMLTokenValidatorTest exte
return providerResponse.getToken();
}
+ private Element createSAMLAssertionWithClaimsProvider(
+ String tokenType, Crypto crypto, String signatureUsername,
CallbackHandler callbackHandler
+ ) throws WSSecurityException {
+ SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+ AttributeStatementProvider statementProvider = new
ClaimsAttributeStatementProvider();
+
samlTokenProvider.setAttributeStatementProviders(Collections.singletonList(statementProvider));
+ TokenProviderParameters providerParameters =
+ createProviderParameters(
+ tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto,
signatureUsername, callbackHandler
+ );
+ TokenProviderResponse providerResponse =
samlTokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null &&
providerResponse.getTokenId() != null);
+
+ return providerResponse.getToken();
+ }
+
private Element createSAMLAssertion(
String tokenType, Crypto crypto, String signatureUsername,
CallbackHandler callbackHandler, long ttlMs