[FEDIZ-163] - Default to disabling Deflate Encoding for the SAML SSO response
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/768a3855 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/768a3855 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/768a3855 Branch: refs/heads/master Commit: 768a38556dc08051e1bf0f83cce5497bf7fcb0e1 Parents: 8de90b1 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Apr 11 15:29:03 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Apr 11 15:44:42 2016 +0100 ---------------------------------------------------------------------- .../idp/beans/samlsso/AuthnRequestParser.java | 14 +++++++------ .../idp/beans/samlsso/SamlResponseCreator.java | 2 +- .../beans/samlsso/SamlResponseErrorCreator.java | 2 +- .../cxf/fediz/samlsso/example/SamlSso.java | 22 +++++++++++++------- .../src/test/resources/entities-realma.xml | 2 -- .../apache/cxf/fediz/systests/idp/IdpTest.java | 10 ++++++--- 6 files changed, 32 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java ----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index c36f3d9..8a09b03 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -46,11 +46,11 @@ import org.springframework.webflow.execution.RequestContext;
 public class AuthnRequestParser {
 private static final Logger LOG = LoggerFactory.getLogger(AuthnRequestParser.class);
- private boolean supportDeflateEncoding = true;
+ private boolean supportDeflateEncoding;
 public void parseSAMLRequest(RequestContext context, Idp idp, String samlRequest) throws ProcessingException {
 LOG.debug("Received SAML Request: {}", samlRequest);
-
+
 AuthnRequest parsedRequest = null;
 if (samlRequest == null) {
 WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
@@ -59,7 +59,7 @@ public class AuthnRequestParser {
 (AuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
 if (parsedRequest == null) {
 try {
- parsedRequest = extractRequest(samlRequest);
+ parsedRequest = extractRequest(context, samlRequest);
 WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, parsedRequest);
 LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
 } catch (Exception ex) {
@@ -135,10 +135,12 @@ public class AuthnRequestParser {
 return false;
 }
- private AuthnRequest extractRequest(String samlRequest) throws Exception {
+ protected AuthnRequest extractRequest(RequestContext context, String samlRequest) throws Exception {
 byte[] deflatedToken = Base64Utility.decode(samlRequest);
- InputStream tokenStream = supportDeflateEncoding
- ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
+ String httpMethod = WebUtils.getHttpServletRequest(context).getMethod();
+
+ InputStream tokenStream = supportDeflateEncoding || "GET".equals(httpMethod)
+ ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
 : new ByteArrayInputStream(deflatedToken);
 Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, "UTF-8"));
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java ----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index a9aadf5..3bc36ea 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
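Review bot: The new `supportDeflateEncoding || "GET".equals(httpMethod)` condition hands attacker-controlled bytes to `DeflateEncoderDecoder.inflateToken` for every HTTP-Redirect request, and nothing in the hunk bounds the inflated size before `StaxUtils.read` parses it; unless `inflateToken` caps its output (not visible here), a few kilobytes of compressed AuthnRequest can expand to a very large document on the IdP, so either confirm that cap exists or wrap `tokenStream` in a size-limited stream before parsing. Widening the method to `protected` also deserves a Javadoc stating the rule this commit introduces, for example `/** HTTP-Redirect (GET) requests are always DEFLATE-encoded, as the SAML bindings require; HTTP-POST requests are inflated only when supportDeflateEncoding is set, in which case a non-deflated POST request is presumably rejected by inflateToken rather than parsed. */`. Reading the method from the servlet request is fine for the web flow, but it means any direct unit test of `extractRequest` must now supply a RequestContext that resolves an HttpServletRequest. `extractRequest` continues past the end of the hunk.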
@@ -64,7 +64,7 @@ import org.springframework.webflow.execution.RequestContext;
 public class SamlResponseCreator {
 private static final Logger LOG = LoggerFactory.getLogger(SamlResponseCreator.class);
- private boolean supportDeflateEncoding = true;
+ private boolean supportDeflateEncoding;
 public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken, String consumerURL, String requestId, String requestIssuer)
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java ----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
index 24b21f4..ce257e0 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
@@ -46,7 +46,7 @@ import org.springframework.webflow.execution.RequestContext;
 public class SamlResponseErrorCreator {
 private static final Logger LOG = LoggerFactory.getLogger(SamlResponseErrorCreator.class);
- private boolean supportDeflateEncoding = true;
+ private boolean supportDeflateEncoding;
 public String createSAMLResponse(RequestContext context, boolean requestor, Idp idp, String requestID) throws ProcessingException {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java ----------------------------------------------------------------------
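Review bot: The default of `supportDeflateEncoding` flips from true to false with no documentation on the field, so a deployer reading this class cannot tell what the flag controls or that the encoding of the responses this bean emits has presumably changed for any SP that relied on the old default. I would add `/** DEFLATE-compress the SAML Response before base64-encoding it (non-standard for the HTTP-POST binding). Off by default since FEDIZ-163; enable only for SPs that still expect deflated POST responses. */` above the field, and call the change out in the release notes since it is a wire-format change rather than an internal one. The same applies to the identical field in SamlResponseErrorCreator in the following hunk.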
diff --git a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
index 4d62d87..34db1cd 100644
--- a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
+++ b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
@@ -20,6 +20,7 @@ package org.apache.cxf.fediz.samlsso.example;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -100,9 +101,10 @@ public class SamlSso {
 // Create the response
 Element response = createResponse(request.getID(), racs, requestIssuer);
- String responseStr = encodeResponse(response);
+ boolean redirect = "REDIRECT".equals(binding);
+ String responseStr = encodeResponse(response, redirect);
- if ("REDIRECT".equals(binding)) {
+ if (redirect) {
 return redirectResponse(relayState, racs, responseStr);
 } else {
 return postBindingResponse(relayState, racs, responseStr);
@@ -164,19 +166,25 @@ public class SamlSso {
 return policyElement;
 }
- protected String encodeResponse(Element response) throws IOException {
+ protected String encodeResponse(Element response, boolean redirect) throws IOException {
 String responseMessage = DOM2Writer.nodeToString(response);
 System.out.println("RESP: " + responseMessage);
- DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
- byte[] deflatedBytes = encoder.deflateToken(responseMessage.getBytes("UTF-8"));
+ byte[] deflatedBytes = null;
+ if (redirect) {
+ DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
+ deflatedBytes = encoder.deflateToken(responseMessage.getBytes("UTF-8"));
+ } else {
+ deflatedBytes = responseMessage.getBytes("UTF-8");
+ }
 return Base64Utility.encode(deflatedBytes);
 }
- protected AuthnRequest extractRequest(String samlRequest) throws Base64Exception, DataFormatException,
- XMLStreamException, UnsupportedEncodingException, WSSecurityException {
+ protected AuthnRequest extractRequest(String samlRequest) throws Base64Exception,
+ DataFormatException, XMLStreamException, UnsupportedEncodingException, WSSecurityException {
 byte[] deflatedToken = Base64Utility.decode(samlRequest);
+ InputStream tokenStream = new DeflateEncoderDecoder().inflateToken(deflatedToken);
 Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, "UTF-8"));
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/systests/federation/samlsso/src/test/resources/entities-realma.xml ----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/entities-realma.xml b/systests/federation/samlsso/src/test/resources/entities-realma.xml
index 83cc384..d6965d0 100644
--- a/systests/federation/samlsso/src/test/resources/entities-realma.xml
+++ b/systests/federation/samlsso/src/test/resources/entities-realma.xml
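Review bot: In the new `encodeResponse` body `deflatedBytes` holds un-deflated bytes on the `else` path, and the null initialisation followed by an assignment in each branch is more than the logic needs; `byte[] raw = responseMessage.getBytes("UTF-8");` then `byte[] payload = redirect ? new DeflateEncoderDecoder().deflateToken(raw) : raw;` and `return Base64Utility.encode(payload);` expresses the same thing without the misleading name. The new `redirect` parameter also wants a Javadoc line such as `@param redirect true for the HTTP-Redirect binding (payload DEFLATE-compressed), false for HTTP-POST (plain base64)`. Worth noting that the unchanged `System.out.println("RESP: " + responseMessage)` above now dumps the full SAML response for both bindings; acceptable in this systest webapp, but not something to carry into a real IdP.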
@@ -118,7 +118,6 @@
 <property name="parameters">
 <util:map>
 <entry key="sign.request" value="true" />
- <entry key="support.deflate.encoding" value="true" />
 </util:map>
 </property>
 </bean>
@@ -138,7 +137,6 @@
 <property name="parameters">
 <util:map>
 <entry key="sign.request" value="true" />
- <entry key="support.deflate.encoding" value="true" />
 </util:map>
 </property>
 </bean>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java ----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 3c34f55..6a4df36 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -19,6 +19,7 @@ package org.apache.cxf.fediz.systests.idp;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -254,7 +255,10 @@ public class IdpTest {
 signAuthnRequest(authnRequest);
 Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
- String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+ // Don't inflate the token...
+ String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
+ String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
 String relayState = UUID.randomUUID().toString();
 String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up";
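Review bot: The new comment `// Don't inflate the token...` names the opposite operation: the test is deliberately skipping DEFLATE compression of the AuthnRequest before base64-encoding it, so `// Base64-encode the AuthnRequest without DEFLATE, as the HTTP-POST binding expects` would describe the two lines beneath it. The same wording already exists in the older test shown in the next hunk, so both are worth fixing together. Because this test now encodes the request exactly as the IdP's new default expects, a companion test that enables supportDeflateEncoding and sends a deflated POST request would keep the opt-in path covered, unless one exists elsewhere in the class. The test method begins before this hunk.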
@@ -587,7 +591,7 @@ public class IdpTest {
 // Don't inflate the token...
 String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
- String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
+ String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
 String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
@@ -698,7 +702,7 @@ public class IdpTest {
 // Decode + verify response
 byte[] deflatedToken = Base64Utility.decode(samlResponse);
- InputStream inputStream = new DeflateEncoderDecoder().inflateToken(deflatedToken);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
 Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
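Review bot: After this change `deflatedToken` holds the plain base64-decoded response, so the name now contradicts the `ByteArrayInputStream` it is passed to; `byte[] decodedResponse = Base64Utility.decode(samlResponse);` and `InputStream inputStream = new ByteArrayInputStream(decodedResponse);` would match what the bytes actually are. If no other test in the class still inflates a response, the `DeflateEncoderDecoder` import becomes unused as well, which I cannot confirm from this hunk. The test method begins before this hunk.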
