Applying Opensaml 3.0.x patch
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2426a087 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2426a087 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2426a087 Branch: refs/heads/master Commit: 2426a0879b06cf6dea32004af16f96f793d568eb Parents: a79bb05 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Feb 24 11:38:13 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Feb 24 11:38:13 2015 +0000 ---------------------------------------------------------------------- parent/pom.xml | 8 +- pom.xml | 8 ++ .../grants/saml/Saml2BearerGrantHandler.java | 5 +- .../oauth2/saml/SamlOAuthValidator.java | 14 +-- ...AbstractRequestAssertionConsumerHandler.java | 15 ++- .../saml/sso/AbstractServiceProviderFilter.java | 2 +- .../security/saml/sso/AuthnRequestBuilder.java | 2 +- .../saml/sso/DefaultAuthnRequestBuilder.java | 14 +-- .../saml/sso/SAMLProtocolResponseValidator.java | 98 ++++++++------------ .../saml/sso/SAMLSSOResponseValidator.java | 22 ++--- .../saml/sso/SamlPostBindingFilter.java | 21 ++--- .../saml/sso/SamlRedirectBindingFilter.java | 2 +- .../saml/sso/SamlpRequestComponentBuilder.java | 25 ++--- .../saml/sso/AuthnRequestBuilderTest.java | 14 +-- .../security/saml/sso/SAML2CallbackHandler.java | 4 +- .../sso/SAML2PResponseComponentBuilder.java | 23 ++--- .../saml/sso/SAMLResponseValidatorTest.java | 28 +++--- .../saml/sso/SAMLSSOResponseValidatorTest.java | 24 +++-- .../rs/security/saml/AbstractSamlInHandler.java | 5 +- .../apache/cxf/rs/security/saml/SAMLUtils.java | 4 +- .../rs/security/xml/XmlSecOutInterceptor.java | 2 +- .../rs/security/xml/XmlSigOutInterceptor.java | 4 +- rt/security/pom.xml | 22 +++++ .../apache/cxf/rt/security/saml/SAMLUtils.java | 14 +-- .../AbstractXACMLAuthorizingInterceptor.java | 34 ++++--- .../security/xacml/RequestComponentBuilder.java | 7 +- .../xacml/SamlRequestComponentBuilder.java | 13 +-- 
.../rt/security/saml/SamlCallbackHandler.java | 6 +- .../apache/cxf/rt/security/xacml/DummyPDP.java | 11 +-- .../security/xacml/XACMLRequestBuilderTest.java | 16 ++-- .../ws/security/wss4j/SamlTokenInterceptor.java | 7 +- .../policyhandlers/AbstractBindingBuilder.java | 10 +- .../AbstractStaxBindingHandler.java | 6 +- .../AsymmetricBindingHandler.java | 6 +- .../policyhandlers/SymmetricBindingHandler.java | 4 +- .../policyhandlers/TransportBindingHandler.java | 6 +- .../DefaultClaimsPolicyValidator.java | 20 ++-- .../IssuedTokenPolicyValidator.java | 2 +- .../SamlTokenPolicyValidator.java | 2 +- .../wss4j/saml/SAML1CallbackHandler.java | 4 +- .../wss4j/saml/SAML2CallbackHandler.java | 4 +- .../apache/cxf/sts/claims/ClaimsManager.java | 24 ++--- .../token/delegation/SAMLDelegationHandler.java | 8 +- .../sts/token/provider/SAMLTokenProvider.java | 2 +- .../sts/token/provider/SamlCallbackHandler.java | 6 +- .../cxf/sts/token/renewer/SAMLTokenRenewer.java | 22 ++--- .../sts/token/validator/SAMLTokenValidator.java | 10 +- .../cxf/sts/common/CustomClaimsHandler.java | 13 +-- .../cxf/sts/token/provider/SAMLClaimsTest.java | 4 +- .../systest/sts/batch/SAMLBatchUnitTest.java | 2 +- .../cxf/systest/sts/claims/ClaimsValidator.java | 23 +++-- .../systest/sts/claims/StaxClaimsValidator.java | 22 ++--- .../sts/realms/DifferentRealmValidator.java | 2 +- .../sts/secure_conv/SCTSAMLTokenProvider.java | 2 +- .../sts/bearer/Saml2CallbackHandler.java | 4 +- .../OnBehalfOfValidator.java | 8 +- .../sts/sendervouches/Saml2CallbackHandler.java | 4 +- .../sts/username_actas/ActAsValidator.java | 9 +- services/xkms/pom.xml | 2 +- .../security/oauth2/SamlCallbackHandler.java | 4 +- .../security/oauth2/SamlCallbackHandler2.java | 4 +- .../security/saml/SamlCallbackHandler.java | 6 +- .../examples/saml/SamlCallbackHandler.java | 4 +- .../systest/ws/saml/CustomSaml2Validator.java | 4 +- .../ws/saml/PolicyDecisionPointMockImpl.java | 12 +-- .../ws/saml/client/SamlCallbackHandler.java | 6 +- 
.../ws/saml/client/SamlRoleCallbackHandler.java | 6 +- 67 files changed, 379 insertions(+), 372 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/parent/pom.xml ---------------------------------------------------------------------- diff --git a/parent/pom.xml b/parent/pom.xml index 352244a..ce5d330 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -125,10 +125,8 @@ <cxf.netty.version.range>[4,5)</cxf.netty.version.range> <cxf.oauth.bundle.version>20100527_1</cxf.oauth.bundle.version> <cxf.oauth.version>20100527</cxf.oauth.version> - <cxf.opensaml.version>2.6.1</cxf.opensaml.version> - <cxf.opensaml.osgi.version>2.6.1_1</cxf.opensaml.osgi.version> - <cxf.opensaml.xmltooling.version>1.4.0_1</cxf.opensaml.xmltooling.version> - <cxf.opensamlws.version>1.5.0_1</cxf.opensamlws.version> + <cxf.opensaml.version>3.0.0</cxf.opensaml.version> + <cxf.opensaml.osgi.version>3.0.0_1</cxf.opensaml.osgi.version> <cxf.rhino.version>1.7R2</cxf.rhino.version> <cxf.servlet-api.group>org.apache.geronimo.specs</cxf.servlet-api.group> <cxf.servlet-api.artifact>geronimo-servlet_3.0_spec</cxf.servlet-api.artifact> @@ -147,7 +145,7 @@ <cxf.woodstox.core.version>4.4.1</cxf.woodstox.core.version> <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version> <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version> - <cxf.wss4j.version>2.0.3</cxf.wss4j.version> + <cxf.wss4j.version>2.1.0-SNAPSHOT</cxf.wss4j.version> <cxf.xerces.version>2.11.0</cxf.xerces.version> <cxf.xmlbeans.version>2.6.0</cxf.xmlbeans.version> <cxf.xmlschema.version>2.2.1</cxf.xmlschema.version> http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index e2d362b..8e3ac45 100644 --- a/pom.xml +++ b/pom.xml 
@@ -77,6 +77,14 @@ <enabled>false</enabled> </releases> </repository> + <!-- needed for opensaml --> + <repository> + <id>shib-release</id> + <url>https://build.shibboleth.net/nexus/content/groups/public</url> + <snapshots> + <enabled>false</enabled> + </snapshots> + </repository> </repositories> <pluginRepositories> <pluginRepository> http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java index 3be0905..9dbc021 100644 --- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java +++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java @@ -33,7 +33,6 @@ import javax.ws.rs.core.MultivaluedMap; import org.w3c.dom.Document; import org.w3c.dom.Element; - import org.apache.cxf.common.util.Base64Exception; import org.apache.cxf.common.util.Base64UrlUtility; import org.apache.cxf.jaxrs.utils.HttpUtils; 
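Review bot: The new `shib-release` repository is declared with only a `<snapshots>` policy, so its `<releases>` policy falls back to Maven's default, which merely warns on a checksum mismatch; every artifact the build resolves from this host is then trusted on the strength of the TLS connection alone. Adding `<releases><enabled>true</enabled><checksumPolicy>fail</checksumPolicy></releases>` next to the existing `<snapshots>` block makes a corrupted or tampered download fail the build instead of logging a warning. The comment `<!-- needed for opensaml -->` could also name which artifacts are not available from Central, so a later maintainer knows when the extra repository can be dropped.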
@@ -69,8 +68,8 @@ import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor; import org.apache.wss4j.dom.validate.Credential; import org.apache.wss4j.dom.validate.SamlAssertionValidator; import org.apache.wss4j.dom.validate.Validator; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; /** * The "SAML2 Bearer" grant handler http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java index dc9eb62..ffb8719 100644 --- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java +++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java 
@@ -29,12 +29,12 @@ import org.apache.cxf.message.Message; import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.opensaml.saml2.core.Audience; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.SubjectConfirmation; -import org.opensaml.saml2.core.SubjectConfirmationData; +import org.opensaml.saml.saml2.core.Audience; +import org.opensaml.saml.saml2.core.AudienceRestriction; +import org.opensaml.saml.saml2.core.Conditions; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.SubjectConfirmation; +import org.opensaml.saml.saml2.core.SubjectConfirmationData; public class SamlOAuthValidator { private String accessTokenServiceAddress; @@ -116,7 +116,7 @@ public class SamlOAuthValidator { private boolean validateAuthenticationSubject(Message m, Conditions cs, - org.opensaml.saml2.core.Subject subject) { + org.opensaml.saml.saml2.core.Subject subject) { if (subject.getSubjectConfirmations() == null) { return false; } http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java index e20c84f..b66c184 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java 
@@ -37,7 +37,6 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; import org.w3c.dom.Document; - import org.apache.cxf.Bus; import org.apache.cxf.common.i18n.BundleUtils; import org.apache.cxf.common.logging.LogUtils; @@ -53,7 +52,7 @@ import org.apache.cxf.staxutils.StaxUtils; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.util.DOM2Writer; -import org.opensaml.xml.XMLObject; +import org.opensaml.core.xml.XMLObject; public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandler { private static final Logger LOG = @@ -162,7 +161,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS String relayState, boolean postBinding) { - org.opensaml.saml2.core.Response samlResponse = + org.opensaml.saml.saml2.core.Response samlResponse = readSAMLResponse(postBinding, encodedSamlResponse); // Validate the Response @@ -221,7 +220,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS return requestState; } - private org.opensaml.saml2.core.Response readSAMLResponse( + private org.opensaml.saml.saml2.core.Response readSAMLResponse( boolean postBinding, String samlResponse ) { 
@@ -276,17 +275,17 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS } catch (WSSecurityException ex) { throw ExceptionUtils.toBadRequestException(ex, null); } - if (!(responseObject instanceof org.opensaml.saml2.core.Response)) { + if (!(responseObject instanceof org.opensaml.saml.saml2.core.Response)) { throw ExceptionUtils.toBadRequestException(null, null); } - return (org.opensaml.saml2.core.Response)responseObject; + return (org.opensaml.saml.saml2.core.Response)responseObject; } /** * Validate the received SAML Response as per the protocol */ protected void validateSamlResponseProtocol( - org.opensaml.saml2.core.Response samlResponse + org.opensaml.saml.saml2.core.Response samlResponse ) { try { SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator(); @@ -304,7 +303,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS */ protected SSOValidatorResponse validateSamlSSOResponse( boolean postBinding, - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, RequestState requestState ) { try { http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java index e96566a..d3ccfac 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java 
@@ -61,7 +61,7 @@ import org.apache.cxf.staxutils.StaxUtils; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.AuthnRequest; @PreMatching @Priority(Priorities.AUTHENTICATION + 1) http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java index a7e1687..c7dc832 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java @@ -20,7 +20,7 @@ package org.apache.cxf.rs.security.saml.sso; import org.apache.cxf.message.Message; -import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.AuthnRequest; /** * This interface defines a method to create a SAML 2.0 Protocol AuthnRequest. http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java index 9fdde89..1aff3b2 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java 
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java @@ -22,13 +22,13 @@ package org.apache.cxf.rs.security.saml.sso; import java.util.Collections; import org.apache.cxf.message.Message; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.NameIDPolicy; +import org.opensaml.saml.saml2.core.RequestedAuthnContext; /** * A default implementation of the AuthnRequestBuilder interface to create a SAML 2.0 http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java index 0444bfa..2ec8aa0 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java 
@@ -57,14 +57,15 @@ import org.apache.xml.security.encryption.XMLCipher; import org.apache.xml.security.encryption.XMLEncryptionException; import org.apache.xml.security.utils.Constants; import org.joda.time.DateTime; -import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.xml.encryption.EncryptedData; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureValidator; -import org.opensaml.xml.validation.ValidationException; -import org.opensaml.xml.validation.ValidatorSuite; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator; +import org.opensaml.security.credential.BasicCredential; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.encryption.EncryptedData; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureException; +import org.opensaml.xmlsec.signature.support.SignatureValidator; /** * Validate a SAML (1.1 or 2.0) Protocol Response. It validates the Response against the specs, @@ -97,7 +98,7 @@ public class SAMLProtocolResponseValidator { * @throws WSSecurityException */ public void validateSamlResponse( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, Crypto sigCrypto, CallbackHandler callbackHandler ) throws WSSecurityException { 
@@ -124,13 +125,20 @@ public class SAMLProtocolResponseValidator { } } - validateResponseAgainstSchemas(samlResponse); + if (SAMLVersion.VERSION_20 != samlResponse.getVersion()) { + LOG.fine( + "SAML Version of " + samlResponse.getVersion() + + "does not equal " + SAMLVersion.VERSION_20 + ); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); + } + validateResponseSignature(samlResponse, sigCrypto, callbackHandler); Document doc = samlResponse.getDOM().getOwnerDocument(); // Decrypt any encrypted Assertions and add them to the Response (note that this will break any // signature on the Response) - for (org.opensaml.saml2.core.EncryptedAssertion assertion : samlResponse.getEncryptedAssertions()) { + for (org.opensaml.saml.saml2.core.EncryptedAssertion assertion : samlResponse.getEncryptedAssertions()) { Element decAssertion = decryptAssertion(assertion, sigCrypto, callbackHandler); @@ -139,7 +147,7 @@ public class SAMLProtocolResponseValidator { } // Validate Assertions - for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { + for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertion); validateAssertion(wrapper, sigCrypto, callbackHandler, doc); } @@ -153,7 +161,7 @@ public class SAMLProtocolResponseValidator { * @throws WSSecurityException */ public void validateSamlResponse( - org.opensaml.saml1.core.Response samlResponse, + org.opensaml.saml.saml1.core.Response samlResponse, Crypto sigCrypto, CallbackHandler callbackHandler ) throws WSSecurityException { 
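Review bot: The new log message in the version check joins `samlResponse.getVersion()` directly to `"does not equal "`, so it prints as e.g. `SAML Version of 1.1does not equal 2.0`; it should read `" does not equal "`, and the SAML 1.1 variant in the next hunk of this file has the same gap. The check stands in for the removed `validateResponseAgainstSchemas` call, so the Response is no longer validated against the schema before the signature and assertion checks run; a comment such as `// schema validation (ValidatorSuite) removed with the OpenSAML 3 migration; only the version is checked here` would make that deliberate, and the class Javadoc's "validates the Response against the specs" should be adjusted to match. `SAMLVersion.VERSION_20 != samlResponse.getVersion()` is a reference comparison, which is only safe if the parser always returns the shared constant for a known version; if the OpenSAML 3 API does not guarantee that, compare with `equals` or on the major/minor numbers instead. The enclosing `validateSamlResponse` starts before this hunk.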
@@ -182,11 +190,18 @@ public class SAMLProtocolResponseValidator { } } - validateResponseAgainstSchemas(samlResponse); + if (SAMLVersion.VERSION_11 != samlResponse.getVersion()) { + LOG.fine( + "SAML Version of " + samlResponse.getVersion() + + "does not equal " + SAMLVersion.VERSION_11 + ); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); + } + validateResponseSignature(samlResponse, sigCrypto, callbackHandler); // Validate Assertions - for (org.opensaml.saml1.core.Assertion assertion : samlResponse.getAssertions()) { + for (org.opensaml.saml.saml1.core.Assertion assertion : samlResponse.getAssertions()) { SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertion); validateAssertion( wrapper, sigCrypto, callbackHandler, samlResponse.getDOM().getOwnerDocument() 
@@ -195,44 +210,10 @@ public class SAMLProtocolResponseValidator { } /** - * Validate the Response against the schemas - */ - private void validateResponseAgainstSchemas( - org.opensaml.saml2.core.Response samlResponse - ) throws WSSecurityException { - // Validate SAML Response against schemas - ValidatorSuite schemaValidators = - org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator"); - try { - schemaValidators.validate(samlResponse); - } catch (ValidationException e) { - LOG.log(Level.FINE, "Saml Validation error: " + e.getMessage(), e); - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); - } - } - - /** - * Validate the Response against the schemas - */ - private void validateResponseAgainstSchemas( - org.opensaml.saml1.core.Response samlResponse - ) throws WSSecurityException { - // Validate SAML Response against schemas - ValidatorSuite schemaValidators = - org.opensaml.Configuration.getValidatorSuite("saml1-core-schema-validator"); - try { - schemaValidators.validate(samlResponse); - } catch (ValidationException e) { - LOG.log(Level.FINE, "Saml Validation error: " + e.getMessage(), e); - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); - } - } - - /** * Validate the Response signature (if it exists) */ private void validateResponseSignature( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, Crypto sigCrypto, CallbackHandler callbackHandler ) throws WSSecurityException { @@ -250,7 +231,7 @@ public class SAMLProtocolResponseValidator { * Validate the Response signature (if it exists) */ private void validateResponseSignature( - org.opensaml.saml1.core.Response samlResponse, + org.opensaml.saml.saml1.core.Response samlResponse, Crypto sigCrypto, CallbackHandler callbackHandler ) throws WSSecurityException { 
@@ -340,24 +321,23 @@ public class SAMLProtocolResponseValidator { SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator(); try { validator.validate(signature); - } catch (ValidationException ex) { + } catch (SignatureException ex) { LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } - BasicX509Credential credential = new BasicX509Credential(); + BasicCredential credential = null; if (samlKeyInfo.getCerts() != null) { - credential.setEntityCertificate(samlKeyInfo.getCerts()[0]); + credential = new BasicX509Credential(samlKeyInfo.getCerts()[0]); } else if (samlKeyInfo.getPublicKey() != null) { - credential.setPublicKey(samlKeyInfo.getPublicKey()); + credential = new BasicCredential(samlKeyInfo.getPublicKey()); } else { LOG.fine("Can't get X509Certificate or PublicKey to verify signature"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } - SignatureValidator sigValidator = new SignatureValidator(credential); try { - sigValidator.validate(signature); - } catch (ValidationException ex) { + SignatureValidator.validate(signature, credential); + } catch (SignatureException ex) { LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } 
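Review bot: `BasicCredential credential = null;` followed by the if/else-if/else chain can be written as `final BasicCredential credential;` without the `null` initializer, since every branch either assigns it or throws and the compiler then enforces definite assignment rather than leaving a nullable local. The two catch blocks now catch the same `SignatureException` and emit the identical log line `"Error in validating the SAML Signature: "`, which hides whether the profile check or the key-based verification failed; a distinct message for the first, e.g. `"Error in validating the SAML Signature profile: "`, makes a rejected Response attributable in the logs. The enclosing method starts and ends outside this hunk.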
@@ -432,7 +412,7 @@ public class SAMLProtocolResponseValidator { } private Element decryptAssertion( - org.opensaml.saml2.core.EncryptedAssertion assertion, Crypto sigCrypto, CallbackHandler callbackHandler + org.opensaml.saml.saml2.core.EncryptedAssertion assertion, Crypto sigCrypto, CallbackHandler callbackHandler ) throws WSSecurityException { EncryptedData encryptedData = assertion.getEncryptedData(); Element encryptedDataDOM = encryptedData.getDOM(); http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java index e0117d4..e89216e 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java @@ -28,8 +28,8 @@ import org.apache.cxf.common.logging.LogUtils; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.builder.SAML2Constants; import org.apache.wss4j.common.util.DOM2Writer; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml.saml2.core.AudienceRestriction; +import org.opensaml.saml.saml2.core.AuthnStatement; /** * Validate a SAML 2.0 Protocol Response according to the Web SSO profile. The Response 
@@ -70,7 +70,7 @@ public class SAMLSSOResponseValidator { * @throws WSSecurityException */ public SSOValidatorResponse validateSamlResponse( - org.opensaml.saml2.core.Response samlResponse, + org.opensaml.saml.saml2.core.Response samlResponse, boolean postBinding ) throws WSSecurityException { // Check the Issuer @@ -94,7 +94,7 @@ public class SAMLSSOResponseValidator { // Validate Assertions boolean foundValidSubject = false; Date sessionNotOnOrAfter = null; - for (org.opensaml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { + for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { // Check the Issuer if (assertion.getIssuer() == null) { LOG.fine("Assertion Issuer must not be null"); @@ -111,7 +111,7 @@ public class SAMLSSOResponseValidator { // Check for AuthnStatements and validate the Subject accordingly if (assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty()) { - org.opensaml.saml2.core.Subject subject = assertion.getSubject(); + org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject(); if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) { validateAudienceRestrictionCondition(assertion.getConditions()); foundValidSubject = true; @@ -151,7 +151,7 @@ public class SAMLSSOResponseValidator { /** * Validate the Issuer (if it exists) */ - private void validateIssuer(org.opensaml.saml2.core.Issuer issuer) throws WSSecurityException { + private void validateIssuer(org.opensaml.saml.saml2.core.Issuer issuer) throws WSSecurityException { if (issuer == null) { return; } 
@@ -176,7 +176,7 @@ public class SAMLSSOResponseValidator { * Validate the Subject (of an Authentication Statement). */ private boolean validateAuthenticationSubject( - org.opensaml.saml2.core.Subject subject, String id, boolean postBinding + org.opensaml.saml.saml2.core.Subject subject, String id, boolean postBinding ) throws WSSecurityException { if (subject.getSubjectConfirmations() == null) { return false; @@ -184,7 +184,7 @@ public class SAMLSSOResponseValidator { boolean foundBearerSubjectConf = false; // We need to find a Bearer Subject Confirmation method - for (org.opensaml.saml2.core.SubjectConfirmation subjectConf + for (org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf : subject.getSubjectConfirmations()) { if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) { foundBearerSubjectConf = true; @@ -199,7 +199,7 @@ public class SAMLSSOResponseValidator { * Validate a (Bearer) Subject Confirmation */ private void validateSubjectConfirmation( - org.opensaml.saml2.core.SubjectConfirmationData subjectConfData, String id, boolean postBinding + org.opensaml.saml.saml2.core.SubjectConfirmationData subjectConfData, String id, boolean postBinding ) throws WSSecurityException { if (subjectConfData == null) { LOG.fine("Subject Confirmation Data of a Bearer Subject Confirmation is null"); @@ -257,7 +257,7 @@ public class SAMLSSOResponseValidator { } private void validateAudienceRestrictionCondition( - org.opensaml.saml2.core.Conditions conditions + org.opensaml.saml.saml2.core.Conditions conditions ) throws WSSecurityException { if (conditions == null) { LOG.fine("Conditions are null"); 
@@ -280,7 +280,7 @@ public class SAMLSSOResponseValidator { for (AudienceRestriction audienceRestriction : audienceRestrictions) { if (audienceRestriction.getAudiences() != null) { boolean matchFound = false; - for (org.opensaml.saml2.core.Audience audience : audienceRestriction.getAudiences()) { + for (org.opensaml.saml.saml2.core.Audience audience : audienceRestriction.getAudiences()) { if (appliesTo.equals(audience.getAudienceURI())) { matchFound = true; oneMatchFound = true; http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java index 96b6f94..3f2f09f 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlPostBindingFilter.java @@ -28,7 +28,6 @@ import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; import org.w3c.dom.Element; - import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.jaxrs.ext.MessageContextImpl; import org.apache.cxf.jaxrs.utils.ExceptionUtils; 
@@ -40,13 +39,13 @@ import org.apache.wss4j.common.crypto.CryptoType; import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.util.DOM2Writer; -import org.opensaml.common.SignableSAMLObject; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.saml.common.SignableSAMLObject; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureConstants; public class SamlPostBindingFilter extends AbstractServiceProviderFilter { @@ -151,9 +150,7 @@ public class SamlPostBindingFilter extends AbstractServiceProviderFilter { signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); signature.setSignatureAlgorithm(sigAlgo); - BasicX509Credential signingCredential = new BasicX509Credential(); - signingCredential.setEntityCertificate(issuerCerts[0]); - signingCredential.setPrivateKey(privateKey); + BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey); signature.setSigningCredential(signingCredential); 
@@ -163,7 +160,7 @@ public class SamlPostBindingFilter extends AbstractServiceProviderFilter { try { KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential); signature.setKeyInfo(keyInfo); - } catch (org.opensaml.xml.security.SecurityException ex) { + } catch (org.opensaml.security.SecurityException ex) { throw new Exception( "Error generating KeyInfo from signing credential", ex); } http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java index dff282b..1b0ed7a 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRedirectBindingFilter.java @@ -42,7 +42,7 @@ import org.apache.wss4j.common.crypto.CryptoType; import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.util.DOM2Writer; import org.apache.xml.security.utils.Base64; -import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.AuthnRequest; public class SamlRedirectBindingFilter extends AbstractServiceProviderFilter { http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java index 5ce3529..74f9b27 100644 
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java @@ -24,17 +24,17 @@ import java.util.List; import java.util.UUID; import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.SAMLObjectBuilder; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnContextDeclRef; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.RequestedAuthnContext; -import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.saml.common.SAMLObjectBuilder; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.AuthnContextDeclRef; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.NameIDPolicy; +import org.opensaml.saml.saml2.core.RequestedAuthnContext; /** * A set of utility methods to construct SAMLP Request statements 
@@ -51,7 +51,8 @@ public final class SamlpRequestComponentBuilder {
 private static volatile SAMLObjectBuilder<AuthnContextClassRef> requestedAuthnCtxClassRefBuilder;
- private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+ private static volatile XMLObjectBuilderFactory builderFactory =
+ XMLObjectProviderRegistrySupport.getBuilderFactory();
 private SamlpRequestComponentBuilder() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilderTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilderTest.java
index 25d5f90..93b0230 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilderTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilderTest.java
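Review bot: `builderFactory` is now taken from `XMLObjectProviderRegistrySupport.getBuilderFactory()` in a static initializer, i.e. whenever `SamlpRequestComponentBuilder` happens to be loaded. As far as I recall, in OpenSAML 3 that registry only exists after `InitializationService.initialize()` (which WSS4J's `OpenSAMLUtil.initSamlEngine()` wraps), whereas the OpenSAML 2 `Configuration` singleton it replaces was always present; if this class can be initialized before the engine is bootstrapped, class initialization fails or the field captures a registry that bootstrapping later replaces. Unless every caller initializes the engine first, resolving the factory at the point of use, `XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();`, as the `DummyPDP.createResponse` hunk already does, is the safer shape. The same static initialization is introduced in the SAML2PResponseComponentBuilder, RequestComponentBuilder and SamlRequestComponentBuilder hunks.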
@@ -30,13 +30,13 @@ import org.w3c.dom.Element; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageImpl; import org.apache.wss4j.common.saml.OpenSAMLUtil; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.NameIDPolicy; +import org.opensaml.saml.saml2.core.RequestedAuthnContext; /** * Some unit tests for the SamlpRequestComponentBuilder and AuthnRequestBuilder http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2CallbackHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2CallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2CallbackHandler.java index e1ac491..d298f7d 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2CallbackHandler.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2CallbackHandler.java 
@@ -30,8 +30,8 @@ import org.apache.wss4j.common.crypto.CryptoType; import org.apache.wss4j.common.saml.SAMLCallback; import org.apache.wss4j.common.saml.bean.KeyInfoBean; import org.apache.wss4j.common.saml.bean.SubjectBean; +import org.apache.wss4j.common.saml.bean.Version; import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.opensaml.common.SAMLVersion; /** * A Callback Handler implementation for a SAML 2 assertion. By default it creates an @@ -57,7 +57,7 @@ public class SAML2CallbackHandler extends AbstractSAMLCallbackHandler { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof SAMLCallback) { SAMLCallback callback = (SAMLCallback) callbacks[i]; - callback.setSamlVersion(SAMLVersion.VERSION_20); + callback.setSamlVersion(Version.SAML_20); callback.setIssuer(issuer); if (conditions != null) { callback.setConditions(conditions); http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java index a902cbc..1ab4daa 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java 
@@ -22,16 +22,16 @@ package org.apache.cxf.rs.security.saml.sso; import java.util.UUID; import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.SAMLObjectBuilder; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.StatusMessage; -import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.saml.common.SAMLObjectBuilder; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.core.StatusMessage; /** * A (basic) set of utility methods to construct SAML 2.0 Protocol Response statements @@ -50,7 +50,8 @@ public final class SAML2PResponseComponentBuilder { private static SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder; - private static XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private static XMLObjectBuilderFactory builderFactory = + XMLObjectProviderRegistrySupport.getBuilderFactory(); private SAML2PResponseComponentBuilder() { http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java index 6717813..fc9600e 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java @@ -47,16 +47,16 @@ import org.apache.wss4j.common.saml.builder.SAML2Constants; import org.apache.wss4j.common.util.Loader; import org.apache.wss4j.dom.WSSConfig; import org.joda.time.DateTime; -import org.opensaml.common.SAMLVersion; -import org.opensaml.common.SignableSAMLObject; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.common.SignableSAMLObject; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureConstants; /** * Some unit tests for the SAMLProtocolResponseValidator. 
@@ -830,10 +830,8 @@ public class SAMLResponseValidatorTest extends org.junit.Assert { signature.setSignatureAlgorithm(sigAlgo); - BasicX509Credential signingCredential = new BasicX509Credential(); - signingCredential.setEntityCertificate(issuerCerts[0]); - signingCredential.setPrivateKey(privateKey); - + BasicX509Credential signingCredential = + new BasicX509Credential(issuerCerts[0], privateKey); signature.setSigningCredential(signingCredential); if (useKeyInfo) { @@ -843,7 +841,7 @@ public class SAMLResponseValidatorTest extends org.junit.Assert { try { KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential); signature.setKeyInfo(keyInfo); - } catch (org.opensaml.xml.security.SecurityException ex) { + } catch (org.opensaml.security.SecurityException ex) { throw new Exception( "Error generating KeyInfo from signing credential", ex); } http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java index 7855c29..9d886c3 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java 
@@ -46,15 +46,15 @@ import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean; import org.apache.wss4j.common.saml.builder.SAML2Constants; import org.apache.wss4j.common.util.Loader; import org.joda.time.DateTime; -import org.opensaml.common.SignableSAMLObject; -import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.saml.common.SignableSAMLObject; +import org.opensaml.saml.saml2.core.AuthnStatement; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureConstants; /** * Some unit tests for the SAMLSSOResponseValidator. @@ -665,9 +665,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { signature.setSignatureAlgorithm(sigAlgo); - BasicX509Credential signingCredential = new BasicX509Credential(); - signingCredential.setEntityCertificate(issuerCerts[0]); - signingCredential.setPrivateKey(privateKey); + BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey); signature.setSigningCredential(signingCredential); 
@@ -678,7 +676,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { try { KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential); signature.setKeyInfo(keyInfo); - } catch (org.opensaml.xml.security.SecurityException ex) { + } catch (org.opensaml.security.SecurityException ex) { throw new Exception( "Error generating KeyInfo from signing credential", ex); } http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java index 9d5d257..a8a1be3 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java @@ -37,7 +37,6 @@ import javax.ws.rs.core.Response; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; - import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.jaxrs.utils.ExceptionUtils; import org.apache.cxf.jaxrs.utils.JAXRSUtils; 
@@ -66,8 +65,8 @@ import org.apache.wss4j.dom.validate.Credential; import org.apache.wss4j.dom.validate.SamlAssertionValidator; import org.apache.wss4j.dom.validate.Validator; import org.apache.xml.security.signature.XMLSignature; -import org.opensaml.xml.signature.KeyInfo; -import org.opensaml.xml.signature.Signature; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; @PreMatching public abstract class AbstractSamlInHandler implements ContainerRequestFilter { http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java index f9ef27e..c19d199 100644 --- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java @@ -37,7 +37,7 @@ import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.saml.SAMLCallback; import org.apache.wss4j.common.saml.SAMLUtil; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.saml2.core.NameID; +import org.opensaml.saml.saml2.core.NameID; public final class SAMLUtils { private static final Logger LOG = 
@@ -48,7 +48,7 @@ public final class SAMLUtils {
 }
 public static Subject getSubject(Message message, SamlAssertionWrapper assertionW) {
- org.opensaml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
+ org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
 Subject subject = new Subject();
 NameID nameId = s.getNameID();
 subject.setNameQualifier(nameId.getNameQualifier());
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
index 16ac06f..602f5bc 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
@@ -67,7 +67,7 @@ import org.apache.xml.security.stax.securityToken.SecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
 import org.apache.xml.security.utils.Constants;
 import org.apache.xml.security.utils.EncryptionConstants;
-import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
 /**
 * A new StAX-based interceptor for creating messages with XML Signature + Encryption content.
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
index d7379ae..9c415ee 100644
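Review bot: `s` and `s.getNameID()` are dereferenced on the following lines without a null check (`NameID nameId = s.getNameID(); subject.setNameQualifier(nameId.getNameQualifier());`); a SAML 2 Subject may carry an EncryptedID or BaseID instead of a NameID, and `getSubject()` itself can return null, so such an assertion fails here with a NullPointerException instead of being rejected as invalid. A guard such as `if (s == null || s.getNameID() == null) { throw new IllegalArgumentException("SAML 2 assertion has no Subject NameID"); }` before the `NameID` line would fail closed with a clear message; use whatever exception type the callers of `getSubject` already treat as an invalid assertion. The enclosing method continues past the end of the hunk.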
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java +++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java @@ -30,7 +30,6 @@ import javax.xml.namespace.QName; import org.w3c.dom.Document; import org.w3c.dom.Element; - import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.helpers.DOMUtils; @@ -44,7 +43,8 @@ import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.xml.security.signature.XMLSignature; import org.apache.xml.security.transforms.Transforms; import org.apache.xml.security.utils.Constants; -import org.opensaml.xml.signature.SignatureConstants; + +import org.opensaml.xmlsec.signature.support.SignatureConstants; //TODO: Make sure that enveloped signatures can be applied to individual // child nodes of an envelope root element, a new property such as http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/pom.xml ---------------------------------------------------------------------- diff --git a/rt/security/pom.xml b/rt/security/pom.xml index 1a1ca60..1d487f2 100644 --- a/rt/security/pom.xml +++ b/rt/security/pom.xml 
@@ -47,6 +47,28 @@ <version>${cxf.wss4j.version}</version> </dependency> <dependency> + <groupId>org.opensaml</groupId> + <artifactId>opensaml-xacml-impl</artifactId> + <version>${cxf.opensaml.version}</version> + <exclusions> + <exclusion> + <groupId>com.google.code.findbugs</groupId> + <artifactId>jsr305</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.opensaml</groupId> + <artifactId>opensaml-xacml-saml-impl</artifactId> + <version>${cxf.opensaml.version}</version> + <exclusions> + <exclusion> + <groupId>com.google.code.findbugs</groupId> + <artifactId>jsr305</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-jdk14</artifactId> <scope>test</scope> http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java index 69c3a6d..bec5702 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java @@ -30,10 +30,10 @@ import org.apache.cxf.rt.security.claims.Claim; import org.apache.cxf.rt.security.claims.ClaimCollection; import org.apache.cxf.rt.security.claims.SAMLClaim; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeStatement; -import org.opensaml.xml.XMLObject; +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.AttributeStatement; public final class SAMLUtils { 
@@ -67,11 +67,11 @@ public final class SAMLUtils { } } } else { - List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = + List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements = assertion.getSaml1().getAttributeStatements(); - for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements) { - for (org.opensaml.saml1.core.Attribute atr : statement.getAttributes()) { + for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) { + for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) { SAMLClaim claim = new SAMLClaim(); String claimType = atr.getAttributeName(); http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java index 51e45cd..c0e6da0 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java 
@@ -128,25 +128,29 @@ public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseI
 ResponseType response = performRequest(request, message);
- ResultType result = response.getResult();
+ List<ResultType> results = response.getResults();
- // Handle any Obligations returned by the PDP
- handleObligations(request, principal, message, result);
-
- if (result == null) {
+ if (results == null) {
 return false;
 }
-
- DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
- String code = "";
- String statusMessage = "";
- if (result.getStatus() != null) {
- StatusType status = result.getStatus();
- code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
- statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
+
+ for (ResultType result : results) {
+ // Handle any Obligations returned by the PDP
+ handleObligations(request, principal, message, result);
+
+ DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
+ String code = "";
+ String statusMessage = "";
+ if (result.getStatus() != null) {
+ StatusType status = result.getStatus();
+ code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
+ statusMessage = status.getStatusMessage() != null ?
status.getStatusMessage().getValue() : "";
+ }
+ LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
+ return decision == DECISION.Permit;
 }
- LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
- return decision == DECISION.Permit;
+
+ return false;
 }
 public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
index c73bfd3..1086364 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
@@ -21,7 +21,8 @@ package org.apache.cxf.rt.security.xacml;
 import java.util.List;
-import org.opensaml.Configuration;
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.opensaml.xacml.XACMLObjectBuilder;
 import org.opensaml.xacml.ctx.ActionType;
 import org.opensaml.xacml.ctx.AttributeType;
@@ -31,7 +32,6 @@ import org.opensaml.xacml.ctx.RequestType;
 import org.opensaml.xacml.ctx.ResourceContentType;
 import org.opensaml.xacml.ctx.ResourceType;
 import org.opensaml.xacml.ctx.SubjectType;
-import org.opensaml.xml.XMLObjectBuilderFactory;
 /**
 * A set of utility methods to construct XACML 2.0 Request statements
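Review bot: The `return decision == DECISION.Permit;` inside the new `for (ResultType result : results)` loop exits on the first element, so when the PDP returns more than one Result only the first decision is enforced and only its obligations are handled; a Deny or Indeterminate in a later Result is never examined. If multi-result responses are reachable here (XACML 2.0 allows one Result per requested resource), the loop should fold the decisions so that access is granted only when every Result is Permit and denied otherwise, which keeps the fail-closed behaviour of the old single-result path. The rewrite below keeps the per-result obligation handling and logging and changes only how the loop exits. The enclosing method starts outside the hunk.
```java
            boolean permitted = false;
            for (ResultType result : results) {
                // Handle any Obligations returned by the PDP
                handleObligations(request, principal, message, result);

                DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
                // … unchanged: status code / message extraction and LOG.fine …
                if (decision != DECISION.Permit) {
                    // fail closed: one non-Permit result denies the whole request
                    return false;
                }
                permitted = true;
            }
            return permitted;
```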
@@ -51,7 +51,8 @@ public final class RequestComponentBuilder { private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder; - private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private static volatile XMLObjectBuilderFactory builderFactory = + XMLObjectProviderRegistrySupport.getBuilderFactory(); private RequestComponentBuilder() { // complete http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java index 1928f63..353815c 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java @@ -22,15 +22,15 @@ package org.apache.cxf.rt.security.xacml; import java.util.UUID; import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.SAMLObjectBuilder; -import org.opensaml.common.SAMLVersion; -import org.opensaml.saml2.core.Issuer; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.saml.common.SAMLObjectBuilder; +import org.opensaml.saml.common.SAMLVersion; +import org.opensaml.saml.saml2.core.Issuer; import org.opensaml.xacml.XACMLObjectBuilder; import org.opensaml.xacml.ctx.RequestType; import org.opensaml.xacml.profile.saml.SAMLProfileConstants; import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType; -import org.opensaml.xml.XMLObjectBuilderFactory; /** * A set of utility methods to construct XACML SAML Request statements, based on the 
@@ -41,7 +41,8 @@ public final class SamlRequestComponentBuilder { private static volatile SAMLObjectBuilder<Issuer> issuerBuilder; - private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private static volatile XMLObjectBuilderFactory builderFactory = + XMLObjectProviderRegistrySupport.getBuilderFactory(); private SamlRequestComponentBuilder() { // complete http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java ---------------------------------------------------------------------- diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java b/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java index ba8220a..6703ac5 100644 --- a/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java +++ b/rt/security/src/test/java/org/apache/cxf/rt/security/saml/SamlCallbackHandler.java @@ -31,9 +31,9 @@ import org.apache.wss4j.common.saml.SAMLCallback; import org.apache.wss4j.common.saml.bean.AttributeBean; import org.apache.wss4j.common.saml.bean.AttributeStatementBean; import org.apache.wss4j.common.saml.bean.SubjectBean; +import org.apache.wss4j.common.saml.bean.Version; import org.apache.wss4j.common.saml.builder.SAML1Constants; import org.apache.wss4j.common.saml.builder.SAML2Constants; -import org.opensaml.common.SAMLVersion; /** * A CallbackHandler instance to mock up a SAML Attribute Assertion. 
@@ -60,9 +60,9 @@ public class SamlCallbackHandler implements CallbackHandler { if (callbacks[i] instanceof SAMLCallback) { SAMLCallback callback = (SAMLCallback) callbacks[i]; if (saml2) { - callback.setSamlVersion(SAMLVersion.VERSION_20); + callback.setSamlVersion(Version.SAML_20); } else { - callback.setSamlVersion(SAMLVersion.VERSION_11); + callback.setSamlVersion(Version.SAML_11); } callback.setIssuer("sts"); http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java ---------------------------------------------------------------------- diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java index 39b3c99..45222b3 100644 --- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java +++ b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyPDP.java @@ -30,12 +30,12 @@ import javax.xml.transform.dom.DOMSource; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; - import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.OpenSAMLUtil; -import org.opensaml.Configuration; +import org.opensaml.core.xml.XMLObjectBuilderFactory; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.xacml.XACMLObjectBuilder; import org.opensaml.xacml.ctx.AttributeType; import org.opensaml.xacml.ctx.DecisionType; @@ -46,7 +46,6 @@ import org.opensaml.xacml.ctx.ResultType; import org.opensaml.xacml.ctx.StatusCodeType; import org.opensaml.xacml.ctx.StatusType; import org.opensaml.xacml.ctx.SubjectType; -import org.opensaml.xml.XMLObjectBuilderFactory; /** * A test implementation of AbstractXACMLAuthorizingInterceptor. It just mocks up a Response 
@@ -90,7 +89,7 @@ public class DummyPDP implements PolicyDecisionPoint {
 }
 private ResponseType createResponse(DECISION decision) {
- XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+ XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
 @SuppressWarnings("unchecked") XACMLObjectBuilder<ResponseType> responseTypeBuilder =
@@ -130,7 +129,7 @@ public class DummyPDP implements PolicyDecisionPoint {
 result.setStatus(status);
 ResponseType response = responseTypeBuilder.buildObject();
- response.setResult(result);
+ response.getResults().add(result);
 return response;
 }
@@ -141,7 +140,7 @@ public class DummyPDP implements PolicyDecisionPoint {
 List<AttributeType> attributes = subject.getAttributes();
 if (attributes != null) {
 for (AttributeType attribute : attributes) {
- if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeID())) {
+ if (XACMLConstants.SUBJECT_ROLE.equals(attribute.getAttributeId())) {
 return attribute.getAttributeValues().get(0).getValue();
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
index c746336..29ab5d5 100644
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
+++ b/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
@@ -164,17 +164,17 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
 boolean resourceURISatisfied = false;
 for (AttributeType attribute : resource.getAttributes()) {
 String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeID())
+ if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
 && "{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt".equals(
 attributeValue)) {
 resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeID())
+ } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
 && service.equals(attributeValue)) {
 soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeID())
+ } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
 && operation.equals(attributeValue)) {
 soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeID())
+ } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
 && resourceURL.equals(attributeValue)) {
 resourceURISatisfied = true;
 }
@@ -221,16 +221,16 @@ public class XACMLRequestBuilderTest extends org.junit.Assert {
 service + "#" + operation;
 for (AttributeType attribute : resource.getAttributes()) {
 String attributeValue = attribute.getAttributeValues().get(0).getValue();
- if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeID())
+ if (XACMLConstants.RESOURCE_ID.equals(attribute.getAttributeId())
 && expectedResourceId.equals(attributeValue)) {
 resourceIdSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeID())
+ } else if (XACMLConstants.RESOURCE_WSDL_SERVICE_ID.equals(attribute.getAttributeId())
 && service.equals(attributeValue)) {
 soapServiceSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeID())
+ } else if (XACMLConstants.RESOURCE_WSDL_OPERATION_ID.equals(attribute.getAttributeId())
 && operation.equals(attributeValue)) {
 soapOperationSatisfied = true;
- } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeID())
+ } else if (XACMLConstants.RESOURCE_WSDL_ENDPOINT.equals(attribute.getAttributeId())
 && resourceURL.equals(attributeValue)) {
 resourceURISatisfied = true;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
index 0c39dbf..ea9d4b4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
@@ -51,6 +51,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.Version;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.WSSConfig;
@@ -66,7 +67,7 @@ import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.SamlToken;
 import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
-import org.opensaml.common.SAMLVersion;
+import org.opensaml.saml.common.SAMLVersion;
 /**
 * An interceptor to create and add a SAML token to the security header of an outbound
@@ -267,12 +268,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
 SAMLCallback samlCallback = new SAMLCallback();
 SamlTokenType tokenType = token.getSamlTokenType();
 if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
- samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
+ samlCallback.setSamlVersion(Version.SAML_11);
 assertPolicy(aim, "WssSamlV11Token10");
 assertPolicy(aim, "WssSamlV11Token11");
 } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
- samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
+ samlCallback.setSamlVersion(Version.SAML_20);
 assertPolicy(aim, "WssSamlV20Token11");
 }
 SAMLUtil.doSAMLCallback(handler, samlCallback);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
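Review bot: The if/else-if chain in the hunk at line 267 sets no SAML version when `tokenType` is neither a WssSamlV11* constant nor WssSamlV20Token11, so if SamlTokenType carries further values (the WS-SecurityPolicy model also defines WssSamlV10Token10/11), `samlCallback` reaches `SAMLUtil.doSAMLCallback` with whatever default `SAMLCallback` applies, and no policy assertion is asserted for it. The behaviour predates this commit, but since both branches are being rewritten anyway this is the place to make the fall-through explicit: either an `else` that rejects the unsupported token type, or at minimum `// other SamlTokenType values fall through: no version set, SAMLCallback's default applies` above the call. The same chain, without the assertPolicy calls, is in the AbstractBindingBuilder hunk at line 841. The enclosing method starts outside the hunk.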
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index bb8f9bf..a6cd14a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -87,6 +87,7 @@ import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.Version;
 import org.apache.wss4j.common.util.Loader;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSConfig;
@@ -139,7 +140,6 @@ import org.apache.wss4j.policy.model.Wss10;
 import org.apache.wss4j.policy.model.Wss11;
 import org.apache.wss4j.policy.model.X509Token;
 import org.apache.wss4j.policy.model.X509Token.TokenType;
-import org.opensaml.common.SAMLVersion;
 /**
 *
@@ -841,9 +841,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 SAMLCallback samlCallback = new SAMLCallback();
 SamlTokenType tokenType = token.getSamlTokenType();
 if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
- samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
+ samlCallback.setSamlVersion(Version.SAML_11);
 } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
- samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
+ samlCallback.setSamlVersion(Version.SAML_20);
 }
 SAMLUtil.doSAMLCallback(handler, samlCallback);
 SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
@@ -1945,7 +1945,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 sigParts.add(new WSEncryptionPart(sigTokId));
 }
- dkSign.setParts(sigParts);
+ dkSign.getParts().addAll(sigParts);
 List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
@@ -2014,7 +2014,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
 sig.prepare(doc, getSignatureCrypto(null), secHeader);
- sig.setParts(sigParts);
+ sig.getParts().addAll(sigParts);
 List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
 //Do signature
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index 5f80221..f65085a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -51,6 +51,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.saml.bean.Version;
 import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.policy.SPConstants;
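Review bot: `dkSign.getParts().addAll(sigParts)` appends to the signer's existing parts list, whereas the removed `setParts(sigParts)` replaced it, so the two are equivalent only when `getParts()` is empty on the freshly prepared signer and returns the live, mutable list rather than a copy or an unmodifiable view (in which case `addAll` would silently do nothing or throw at runtime, and no test in this commit exercises the path). The same substitution is made at line 2014 here and in the AsymmetricBindingHandler (461, 648), SymmetricBindingHandler (718, 838) and TransportBindingHandler (377, 484, 583) hunks. Given that `addReferencesToSign(sigParts, secHeader)` on the next line also receives the list explicitly, it would be worth a one-line comment at this first site recording which of the two the signer actually uses, e.g. `// parts are registered on the signer and also passed to addReferencesToSign; keep both in sync`. The enclosing methods start outside the hunks.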
@@ -100,7 +101,6 @@ import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
-import org.opensaml.common.SAMLVersion;
 /**
 *
@@ -357,9 +357,9 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
 samlCallback.setSubject(subjectBean);
 if (WSConstants.SAML_NS.equals(el.getNamespaceURI())) {
- samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
+ samlCallback.setSamlVersion(Version.SAML_11);
 } else {
- samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
+ samlCallback.setSamlVersion(Version.SAML_20);
 }
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 8329647..ddacef4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -70,7 +70,7 @@ import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.AsymmetricBinding;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.SamlToken;
-import org.opensaml.common.SAMLVersion;
+import org.opensaml.saml.common.SAMLVersion;
 /**
 *
@@ -461,7 +461,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 }
 dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
- dkEncr.setParts(encrParts);
+ dkEncr.getParts().addAll(encrParts);
 dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE);
 AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
@@ -648,7 +648,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 }
 }
- dkSign.setParts(sigParts);
+ dkSign.getParts().addAll(sigParts);
 List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index ff072c0..8fa9972 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -718,7 +718,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
 }
- dkSign.setParts(sigs);
+ dkSign.getParts().addAll(sigs);
 List<Reference> referenceList = dkSign.addReferencesToSign(sigs, secHeader);
 //Add elements to header
@@ -838,7 +838,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 }
 this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
 sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
- sig.setParts(sigs);
+ sig.getParts().addAll(sigs);
 List<Reference> referenceList = sig.addReferencesToSign(sigs, secHeader);
 //Do signature
http://git-wip-us.apache.org/repos/asf/cxf/blob/2426a087/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 113e507..5ec749e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -377,7 +377,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 dkSig.prepare(doc, secHeader);
- dkSig.setParts(sigParts);
+ dkSig.getParts().addAll(sigParts);
 List<Reference> referenceList = dkSig.addReferencesToSign(sigParts, secHeader);
 //Do signature
@@ -484,7 +484,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 addDerivedKeyElement(dkSign.getdktElement());
- dkSign.setParts(sigParts);
+ dkSign.getParts().addAll(sigParts);
 List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
 //Do signature
@@ -583,7 +583,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 Document doc = saaj.getSOAPPart();
 sig.prepare(doc, crypto, secHeader);
- sig.setParts(sigParts);
+ sig.getParts().addAll(sigParts);
 List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
 //Do signature
