Repository: cxf Updated Branches: refs/heads/master dd8025a16 -> a614b7538
Enforce stronger constraints on role names for SAML Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a614b753 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a614b753 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a614b753 Branch: refs/heads/master Commit: a614b75389c2758d6d27e598b679ba013bcb72f0 Parents: dd8025a Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Jul 20 19:56:04 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Jul 20 19:56:04 2015 +0100 ---------------------------------------------------------------------- .../rt/security/saml/claims/SAMLSecurityContext.java | 13 +++++++++++-- .../xacml2/AbstractXACMLAuthorizingInterceptor.java | 6 +++++- 2 files changed, 16 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a614b753/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java ----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
index b9b012a..97fee53 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/claims/SAMLSecurityContext.java
@@ -19,6 +19,8 @@
 package org.apache.cxf.rt.security.saml.claims;
 import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import org.w3c.dom.Element;
@@ -67,7 +69,7 @@ public class SAMLSecurityContext implements ClaimsSecurityContext {
 return false;
 }
 for (Principal principalRole : roles) {
- if (principalRole.getName().equals(role)) {
+ if (principalRole != principal && principalRole.getName().equals(role)) {
 return true;
 }
 }
@@ -83,7 +85,14 @@ public class SAMLSecurityContext implements ClaimsSecurityContext {
 }
 public Set<Principal> getUserRoles() {
- return roles;
+ if (roles == null) {
+ return Collections.emptySet();
+ }
+ Set<Principal> retRoles = new HashSet<Principal>(roles);
+ if (principal != null && retRoles.contains(principal)) {
+ retRoles.remove(principal);
+ }
+ return retRoles;
 }
 public void setAssertionElement(Element assertionElement) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/a614b753/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java ----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
index f81f07a..39e611d 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
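Review bot: The added `principalRole != principal` test in `isUserInRole` compares object references, so a role entry that is a different `Principal` instance carrying the same name as the authenticated user still passes and can match `role`. The other two hunks of this commit use different notions of "the user principal": `getUserRoles()` relies on `equals()` through `contains`, and the XACML interceptor now compares names, so the three sites can disagree for the same token. If the intent is that the subject name is never reported as a role, a name-based guard would match the interceptor: `String principalName = principal == null ? null : principal.getName();` ahead of the loop, then `String name = principalRole == null ? null : principalRole.getName();` and `if (name != null && !name.equals(principalName) && name.equals(role)) {` inside it. That form also covers a null element or a null name in `roles`, which this loop would currently dereference. The method starts outside the hunk, so how `roles` is populated is not visible here.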
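Review bot: `getUserRoles()` now returns an unmodifiable `Collections.emptySet()` on one path and a fresh mutable `HashSet` on the other, and neither is the internal `roles` set that callers received before this change. A caller that modifies the result will either hit `UnsupportedOperationException` or change nothing in the context, so the method deserves a Javadoc line such as `Returns a copy of the role principals with the user principal removed; changes to the returned set do not affect this context.` Ending with `return Collections.unmodifiableSet(retRoles);` would make both paths behave the same. The `contains` test before `remove` is redundant, because `Set.remove` does nothing when the element is absent.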
@@ -67,13 +67,17 @@ public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseI
 if (sc instanceof LoginSecurityContext) {
 Principal principal = sc.getUserPrincipal();
+ String principalName = null;
+ if (principal != null) {
+ principalName = principal.getName();
+ }
 LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
 Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
 List<String> roles = new ArrayList<>();
 if (principalRoles != null) {
 for (Principal p : principalRoles) {
- if (p != principal) {
+ if (p != null && p.getName() != null && !p.getName().equals(principalName)) {
 roles.add(p.getName());
 }
 }
 }
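Review bot: The new condition calls `p.getName()` three times and `roles.add` calls it a fourth, so the value that is null-checked and compared with `principalName` is not guaranteed to be the value added to `roles` if a `Principal` implementation computes its name on each call. Reading it once keeps the check and the use on the same value: `String roleName = p == null ? null : p.getName();` followed by `if (roleName != null && !roleName.equals(principalName)) { roles.add(roleName); }`. Entries filtered out here (null, unnamed, or named like the user) are dropped silently, so a short comment stating that the subject name must never be forwarded as a role would help the next reader. The enclosing method starts and ends outside the hunk.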
