Repository: cxf Updated Branches: refs/heads/2.7.x-fixes 0fbebbbce -> 464bacb3b
Fixed multiple AudienceRestriction functionality
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/df41f504
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/df41f504
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/df41f504
Branch: refs/heads/2.7.x-fixes
Commit: df41f5042ce9ab5e609996dbfc99ba217cd376a0
Parents: 0fbebbb
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Jan 13 14:13:40 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Jan 13 15:42:54 2015 +0000
----------------------------------------------------------------------
.../rs/security/saml/sso/SAMLSSOResponseValidator.java | 12 +++++++++---
.../security/saml/sso/SAMLSSOResponseValidatorTest.java | 7 ++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/df41f504/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 9de1b85..56d6b5f 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -268,20 +268,26 @@ public class SAMLSSOResponseValidator { private boolean matchSaml2AudienceRestriction( String appliesTo, List<AudienceRestriction> audienceRestrictions ) { - boolean found = false; + boolean oneMatchFound = false; if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) { if (audienceRestriction.getAudiences() != null) { + boolean matchFound = false; for (org.opensaml.saml2.core.Audience audience : audienceRestriction.getAudiences()) { if (appliesTo.equals(audience.getAudienceURI())) { - return true; + matchFound = true; + oneMatchFound = true; + break; } } + if (!matchFound) { + return false; + } } } } - return found; + return oneMatchFound; } public String getIssuerIDP() { http://git-wip-us.apache.org/repos/asf/cxf/blob/df41f504/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java index 11d8471..b8618b7 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java @@ -477,7 +477,12 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { validator.setRequestId("12345"); validator.setSpIdentifier("http://service.apache.org"); - validator.validateSamlResponse(response, false); + try { + validator.validateSamlResponse(response, false); + fail("Expected failure on bad response"); + } catch (WSSecurityException ex) { + // expected + } } @SuppressWarnings("deprecation")
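Review bot: In matchSaml2AudienceRestriction the new per-restriction check still sits inside `if (audienceRestriction.getAudiences() != null)`, so a restriction whose audience list is null is skipped rather than counted as a failed condition, and the method returns true as long as some other restriction matches. Whether getAudiences() can return null is not visible in this hunk, but failing closed is cheap: declare `boolean matchFound = false;` before the null check and run `if (!matchFound) { return false; }` after it, so every restriction has to produce a match. `appliesTo.equals(...)` also assumes the SP identifier is non-null, which the hunk does not establish. A short comment above the loop would record the rule the two flags implement, for example `// appliesTo must appear in every AudienceRestriction; audiences within one restriction are alternatives`.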
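Review bot: The added `catch (WSSecurityException ex)` accepts any validation failure, so this test keeps passing if the response is rejected for a reason unrelated to the audience restrictions. The test method begins outside the hunk, so how the response is built is not visible here; if the exception exposes a distinguishing message or code, assert on it inside the catch block. It would also help to pair this case with a response in which every AudienceRestriction contains `http://service.apache.org` and which is expected to validate, so the all-restrictions-must-match rule is pinned from both sides. Presumably the `// expected` comment could say why, e.g. `// expected: SP identifier is missing from one AudienceRestriction`.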
