Fallback to the SubjectConfirmationData NotOnOrAfter if there is no Session NotOnOrAfter value
# Conflicts: # rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3940f80c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3940f80c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3940f80c Branch: refs/heads/3.0.x-fixes Commit: 3940f80c19c32e0b465b796e1366f023b9f82c60 Parents: e3ada01 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Jan 12 14:08:37 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Jan 12 14:10:38 2016 +0000 ---------------------------------------------------------------------- .../saml/sso/SAMLSSOResponseValidator.java | 24 ++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/3940f80c/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index d41f3bd..e7aabcf 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -117,8 +117,15 @@ public class SAMLSSOResponseValidator {
 // Check for AuthnStatements and validate the Subject accordingly
 if (assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty()) {
+<<<<<<< HEAD
 org.opensaml.saml2.core.Subject subject = assertion.getSubject();
 if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) {
+=======
+ org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
+ org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf =
+ validateAuthenticationSubject(subject, assertion.getID(), postBinding);
+ if (subjectConf != null) {
+>>>>>>> ebc5032... Fallback to the SubjectConfirmationData NotOnOrAfter if there is no Session NotOnOrAfter value
 validateAudienceRestrictionCondition(assertion.getConditions());
 validAssertion = assertion;
 // Store Session NotOnOrAfter
@@ -127,6 +134,10 @@ public class SAMLSSOResponseValidator {
 sessionNotOnOrAfter = authnStatment.getSessionNotOnOrAfter().toDate();
 }
 }
+ // Fall back to the SubjectConfirmationData NotOnOrAfter if we have no session NotOnOrAfter
+ if (sessionNotOnOrAfter == null) {
+ sessionNotOnOrAfter = subjectConf.getSubjectConfirmationData().getNotOnOrAfter().toDate();
+ }
 }
 }
 }
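Review bot: The lines added in the `@@ -117,8 +117,15 @@` hunk include unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> ebc5032...`) with both sides of the conflict left in place, so `SAMLSSOResponseValidator.java` cannot compile as committed; the same markers are added around the `validateAuthenticationSubject` signature in the `@@ -179,24 +190,29 @@` hunk. The HEAD side names its types `org.opensaml.saml2.core.*` while the incoming side uses `org.opensaml.saml.saml2.core.*`, which suggests the change was picked from a branch with a different OpenSAML package layout. The resolution should drop the markers and the old `if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) {` line and keep the new logic under this branch's package names: `org.opensaml.saml2.core.SubjectConfirmation subjectConf = validateAuthenticationSubject(subject, assertion.getID(), postBinding);` followed by `if (subjectConf != null) {`. Because this class decides whether an SSO response is accepted, the resolved file should be compiled and the validator tests run before the fix branch is released.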
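Review bot: In the `@@ -127,6 +134,10 @@` hunk the fallback `subjectConf.getSubjectConfirmationData().getNotOnOrAfter().toDate()` dereferences two values that an assertion may omit, and nothing visible in the hunk checks either of them. If `validateSubjectConfirmation` (its body is outside this diff) already rejects a bearer confirmation with null data or a null `NotOnOrAfter`, a comment here should say so; otherwise a malformed assertion surfaces as a `NullPointerException` instead of a validation failure. A guard such as `if (sessionNotOnOrAfter == null && subjectConf.getSubjectConfirmationData() != null && subjectConf.getSubjectConfirmationData().getNotOnOrAfter() != null) {` keeps the previous behaviour when the value is absent. The comment should also state that the session expiry is then bounded by the bearer confirmation window rather than by an IdP-supplied session lifetime. The enclosing method begins and ends outside the hunk.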
@@ -179,24 +190,29 @@ public class SAMLSSOResponseValidator {
 /**
 * Validate the Subject (of an Authentication Statement).
 */
+<<<<<<< HEAD
 private boolean validateAuthenticationSubject(
 org.opensaml.saml2.core.Subject subject, String id, boolean postBinding
+=======
+ private org.opensaml.saml.saml2.core.SubjectConfirmation validateAuthenticationSubject(
+ org.opensaml.saml.saml2.core.Subject subject, String id, boolean postBinding
+>>>>>>> ebc5032... Fallback to the SubjectConfirmationData NotOnOrAfter if there is no Session NotOnOrAfter value
 ) throws WSSecurityException {
 if (subject.getSubjectConfirmations() == null) {
- return false;
+ return null;
 }
- boolean foundBearerSubjectConf = false;
+ org.opensaml.saml.saml2.core.SubjectConfirmation validSubjectConf = null;
 // We need to find a Bearer Subject Confirmation method
 for (org.opensaml.saml2.core.SubjectConfirmation subjectConf : subject.getSubjectConfirmations()) {
 if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
- foundBearerSubjectConf = true;
 validateSubjectConfirmation(subjectConf.getSubjectConfirmationData(), id, postBinding);
+ validSubjectConf = subjectConf;
 }
 }
- return foundBearerSubjectConf;
+ return validSubjectConf;
 }
 /**
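Review bot: `validSubjectConf` is declared as `org.opensaml.saml.saml2.core.SubjectConfirmation` but is assigned the loop variable, which is an `org.opensaml.saml2.core.SubjectConfirmation`. Both lines sit outside the conflict markers, so the method does not compile even once the markers around the signature are resolved. The declaration and the return type should use the package the loop already uses: `org.opensaml.saml2.core.SubjectConfirmation validSubjectConf = null;`. Separately, the loop overwrites `validSubjectConf` on every bearer match, so with several bearer confirmations the last one supplies the `NotOnOrAfter` that the caller may use as the session expiry. That choice should be made explicit in the Javadoc, for example by adding `@return the last Bearer SubjectConfirmation that validated, or null if none was found`, or the code should keep the confirmation with the earliest `NotOnOrAfter` if the shortest window is intended.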
