Repository: cxf Updated Branches: refs/heads/3.0.x-fixes f825cb0e1 -> 06b5f432b
Fixed multiple AudienceRestriction functionality Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4b9aa845 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4b9aa845 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4b9aa845 Branch: refs/heads/3.0.x-fixes Commit: 4b9aa845a22d4ee9e79ce0fb196ea844fd2fd851 Parents: f825cb0 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Jan 13 14:13:40 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Jan 13 15:35:34 2015 +0000 ---------------------------------------------------------------------- .../rs/security/saml/sso/SAMLSSOResponseValidator.java | 12 +++++++++--- .../security/saml/sso/SAMLSSOResponseValidatorTest.java | 7 ++++++- 2 files changed, 15 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/4b9aa845/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index b8a764c..e0117d4 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -275,20 +275,26 @@ public class SAMLSSOResponseValidator {
 private boolean matchSaml2AudienceRestriction( String appliesTo, List<AudienceRestriction> audienceRestrictions ) {
- boolean found = false;
+ boolean oneMatchFound = false;
 if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
 for (AudienceRestriction audienceRestriction : audienceRestrictions) {
 if (audienceRestriction.getAudiences() != null) {
+ boolean matchFound = false;
 for (org.opensaml.saml2.core.Audience audience : audienceRestriction.getAudiences()) {
 if (appliesTo.equals(audience.getAudienceURI())) {
- return true;
+ matchFound = true;
+ oneMatchFound = true;
+ break;
 }
 }
+ if (!matchFound) {
+ return false;
+ }
 }
 }
 }
- return found;
+ return oneMatchFound;
 }
 public String getIssuerIDP() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/4b9aa845/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
index 6235532..7855c29 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
@@ -478,7 +478,12 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
 validator.setRequestId("12345");
 validator.setSpIdentifier("http://service.apache.org");
- validator.validateSamlResponse(response, false);
+ try {
+ validator.validateSamlResponse(response, false);
+ fail("Expected failure on bad response");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
 }
 @org.junit.Test
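Review bot: In `matchSaml2AudienceRestriction` (SAMLSSOResponseValidator.java), an `AudienceRestriction` whose `getAudiences()` is null is skipped instead of being counted as unmatched, so it escapes the every-restriction-must-match rule this commit introduces: one matching restriction plus one with a null audience list still returns true. Whether the OpenSAML object can actually return null here is not visible from the hunk, but failing closed costs nothing: `if (audienceRestriction.getAudiences() == null) { return false; }` ahead of the inner loop. The method also has no Javadoc, and the contract is now subtle enough to state, e.g. `/** True only if at least one AudienceRestriction is present and every one of them lists appliesTo. */`. `appliesTo.equals(...)` throws if the SP identifier was never set; the caller is outside the hunk, so confirm it is checked there.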
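Review bot: The `catch (WSSecurityException ex)` block in SAMLSSOResponseValidatorTest accepts any validation failure, so this test would still pass if the response were rejected for a reason unrelated to the audience restrictions. The test method starts outside the hunk, so the assertion under test cannot be seen from here; at minimum replace `// expected` with a comment naming the check that must fail, e.g. `// expected: one AudienceRestriction does not contain the SP identifier`, and assert on the exception if it carries a distinguishing message. No test visible in this diff covers the accepting path (several restrictions that all contain the SP identifier), which is the other half of the new logic.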
