Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes b8e446921 -> c7828e8fa
Add certificate path validation for X.509 tokens in the STS
Conflicts:
services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e2fed9f2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e2fed9f2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e2fed9f2
Branch: refs/heads/2.7.x-fixes
Commit: e2fed9f289e92b0674858d6652adb05c846cfb05
Parents: b8e4469
Author: Colm O hEigeartaigh <[email protected]>
Authored: Mon May 26 14:26:15 2014 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Mon May 26 14:28:57 2014 +0100
----------------------------------------------------------------------
.../cxf/sts/token/realm/CertConstraintsParser.java | 4 ++++
.../sts/token/validator/SAMLTokenValidator.java | 1 +
.../sts/token/validator/X509TokenValidator.java | 17 ++++++++++++++++-
3 files changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fed9f2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
----------------------------------------------------------------------
diff --git
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
index 1eeb075..2f93f3b 100644
---
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
+++
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/realm/CertConstraintsParser.java
@@ -59,6 +59,10 @@ public class CertConstraintsParser {
}
}
+ public Collection<Pattern> getCompiledSubjectContraints() {
+ return subjectDNPatterns;
+ }
+
/**
* @return true if the certificate's SubjectDN matches the
constraints defined in the
* subject DNConstraints; false, otherwise. The certificate
subject DN only
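Review bot: `getCompiledSubjectContraints()` returns the parser's own `subjectDNPatterns` collection rather than a view of it, so if that collection is mutable any caller can alter the constraint set that later subject DN checks rely on; `return Collections.unmodifiableCollection(subjectDNPatterns);` keeps the constraints fixed once configured (this needs `java.util.Collections` imported, which is outside the hunk). The new public method also misspells "Constraints" in its name, which becomes awkward to correct once SAMLTokenValidator and X509TokenValidator depend on it. It has no Javadoc; a one-liner such as `/** @return the compiled subject DN constraint patterns, used to populate WSS4J's RequestData subject certificate constraints */` would match the neighbouring method's style. Whether the collection can be null before any constraints are set is not visible here and should be confirmed before callers hand it to WSS4J.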
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fed9f2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index 64d7398..196eba7 100644
---
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -159,6 +159,7 @@ public class SAMLTokenValidator implements TokenValidator {
requestData.setWssConfig(wssConfig);
requestData.setCallbackHandler(callbackHandler);
requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+
requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
// Verify the signature
assertion.verifySignature(
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fed9f2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
----------------------------------------------------------------------
diff --git
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
index 1548dc5..ff63a1d 100644
---
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
+++
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
@@ -19,6 +19,7 @@
package org.apache.cxf.sts.token.validator;
import java.security.cert.X509Certificate;
+import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -26,13 +27,16 @@ import javax.security.auth.callback.CallbackHandler;
import org.w3c.dom.Document;
import org.w3c.dom.Text;
-
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
+<<<<<<< HEAD
+=======
+import org.apache.cxf.sts.token.realm.CertConstraintsParser;
+>>>>>>> cf05755... Add certificate path validation for X.509 tokens in the STS
import
org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType;
import org.apache.ws.security.WSConstants;
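Review bot: The import block in this hunk still contains the unresolved merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> cf05755...` around the new `CertConstraintsParser` import, so X509TokenValidator does not compile as committed; the commit message's own "Conflicts:" line names this file. The three marker lines should be dropped, leaving `import org.apache.cxf.sts.token.realm.CertConstraintsParser;` in place, which the later hunk's `certConstraints` field and `setSubjectConstraints` method require. The diffstat's 17 insertions and 1 deletion for this file are consistent with the markers having been counted as added code.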
@@ -59,8 +63,18 @@ public class X509TokenValidator implements TokenValidator {
private static final Logger LOG =
LogUtils.getL7dLogger(X509TokenValidator.class);
private Validator validator = new SignatureTrustValidator();
+
+ private CertConstraintsParser certConstraints = new
CertConstraintsParser();
/**
+ * Set a list of Strings corresponding to regular expression constraints
on the subject DN
+ * of a certificate
+ */
+ public void setSubjectConstraints(List<String> subjectConstraints) {
+ certConstraints.setSubjectConstraints(subjectConstraints);
+ }
+
+ /**
* Set the WSS4J Validator instance to use to validate the token.
* @param validator the WSS4J Validator instance to use to validate the
token
*/
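Review bot: The Javadoc on `setSubjectConstraints` does not say that the constraints are only handed to WSS4J through `RequestData` and therefore only take effect if the configured `Validator` honours them; since the validator is pluggable via `setValidator` (its Javadoc follows this hunk) a replacement validator could leave the subject DN constraints unenforced without any error. A sentence such as `* The constraints are passed to the WSS4J Validator via RequestData; a custom Validator must honour them for the check to apply.` makes that dependency explicit. As far as the hunks show, the new `certConstraints` field is never reassigned and could be `private final CertConstraintsParser certConstraints = new CertConstraintsParser();`. How a null or empty list is treated depends on `CertConstraintsParser.setSubjectConstraints`, which is not shown, and is worth stating in the Javadoc once confirmed.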
@@ -103,6 +117,7 @@ public class X509TokenValidator implements TokenValidator {
requestData.setWssConfig(WSSConfig.getNewInstance());
requestData.setCallbackHandler(callbackHandler);
requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+
requestData.setSubjectCertConstraints(certConstraints.getCompiledSubjectContraints());
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();