Repository: cxf Updated Branches: refs/heads/master 319456ecd -> 5c82ab1ca
CXF-7099 - Technical user should be the SAML Subject for the ActAs use-case
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5c82ab1c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5c82ab1c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5c82ab1c
Branch: refs/heads/master
Commit: 5c82ab1ca211be71f3ff68474edeef2cb0ed2bff
Parents: 319456e
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Oct 19 16:08:56 2016 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Oct 19 16:08:56 2016 +0100
----------------------------------------------------------------------
 .../token/provider/DefaultSubjectProvider.java | 6 ----
 .../sts/delegation/SAMLDelegationTest.java | 29 +++-----------------
 .../sts/username_actas/ActAsValidator.java | 8 ++++++
 .../sts/delegation/cxf-sts-transport.xml | 2 +-
 4 files changed, 13 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 9f9a51e..114d10f 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -113,7 +113,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
 /**
 * Get the Principal (which is used as the Subject). By default, we check the following (in order):
 * - A valid OnBehalfOf principal
- * - A valid ActAs principal
 * - A valid principal associated with a token received as ValidateTarget
 * - The principal associated with the request. We don't need to check to see if it is "valid" here, as it
 * is not parsed by the STS (but rather the WS-Security layer).
@@ -129,11 +128,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
 if (receivedToken.getState().equals(STATE.VALID)) {
 principal = receivedToken.getPrincipal();
 }
- } else if (providerParameters.getTokenRequirements().getActAs() != null) {
- ReceivedToken receivedToken = providerParameters.getTokenRequirements().getActAs();
- if (receivedToken.getState().equals(STATE.VALID)) {
- principal = receivedToken.getPrincipal();
- }
 } else if (providerParameters.getTokenRequirements().getValidateTarget() != null) {
 ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
 if (receivedToken.getState().equals(STATE.VALID)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
index dcfe966..fa66846 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
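Review bot: The updated Javadoc still reads as the complete ordered list of sources for the Subject principal, but it no longer says why an ActAs token is deliberately skipped, so a later maintainer could reasonably re-add the branch that the second hunk at -129 removes. Add a sentence after the list such as ` * Note that an ActAs token is intentionally not consulted here: for the ActAs case the authenticated (technical) user remains the Subject.` — the reason is taken from the commit title, so adjust the wording if the mechanism differs. The else-if chain in the second hunk is the matching code change, and the method enclosing both hunks starts and ends outside them.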
@@ -40,7 +40,6 @@ import org.apache.cxf.sts.token.provider.TokenProviderParameters;
 import org.apache.cxf.sts.token.provider.TokenProviderResponse;
 import org.apache.cxf.systest.sts.common.CommonCallbackHandler;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
-import org.apache.cxf.systest.sts.issueunit.IssueUnitTest;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -90,7 +89,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
 @org.junit.Test
 public void testSAMLOnBehalfOf() throws Exception {
 SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
 Bus bus = bf.createBus(busFile.toString());
 SpringBusFactory.setDefaultBus(bus);
@@ -127,7 +126,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
 @org.junit.Test
 public void testSAMLActAs() throws Exception {
 SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
 Bus bus = bf.createBus(busFile.toString());
 SpringBusFactory.setDefaultBus(bus);
@@ -162,29 +161,9 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
 }
 
 @org.junit.Test
- public void testTransportNoDelegationToken() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- try {
- requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus,
- DEFAULT_ADDRESS, "Transport_Port");
- fail("Failure expected on no delegation token");
- } catch (Exception ex) {
- // expected
- }
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
 public void testTransportForgedDelegationToken() throws Exception {
 SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
 Bus bus = bf.createBus(busFile.toString());
 SpringBusFactory.setDefaultBus(bus);
@@ -220,7 +199,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase {
 @org.junit.Test
 public void testTransportUnsignedDelegationToken() throws Exception {
 SpringBusFactory bf = new SpringBusFactory();
- URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+ URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");
 
 Bus bus = bf.createBus(busFile.toString());
 SpringBusFactory.setDefaultBus(bus);
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
index 4d41397..78db7f6 100644
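Review bot: Dropping testTransportNoDelegationToken leaves this class with no test that pins what Transport_Port does when the request carries neither an OnBehalfOf nor an ActAs token, and that path is exactly the one affected by the subject-selection and client-authentication changes elsewhere in this commit. If issuing a token for the transport-authenticated caller alone is now the intended behaviour, a positive test asserting that (and the expected Subject) would document it; if such a request is still meant to be rejected, the negative test should be kept. The other hunks in this file only swap the class used for the resource lookup. The remaining test methods continue outside the hunk.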
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
@@ -30,6 +30,7 @@ import org.opensaml.core.xml.XMLObject;
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.Attribute;
 import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.Subject;
 
 /**
 * This class validates a SAML 2 Assertion and checks that it has a CustomActAs Attribute with
@@ -47,6 +48,13 @@ public class ActAsValidator extends SamlAssertionValidator {
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
 }
 
+ // The technical user should be in the Subject
+ Subject subject = saml2Assertion.getSubject();
+ if (subject == null || subject.getNameID() == null
+ || !subject.getNameID().getValue().contains("CN=www.client.com")) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+
 List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
 if (attributeStatements == null || attributeStatements.isEmpty()) {
 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c82ab1c/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
index 2510ebb..665a4ec 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
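Review bot: The new Subject check in the second hunk accepts any NameID whose string merely contains "CN=www.client.com" — a longer CN, or that text inside another RDN, also passes — and it dereferences `getNameID().getValue()` without a null check, so a NameID with no value fails with NullPointerException rather than the WSSecurityException the neighbouring checks raise. Prefer an exact comparison of the DN (or of the CN RDN after parsing with `javax.naming.ldap.LdapName`) against a constant holding the full expected subject of the test client certificate, and make the value null-safe first, e.g. `String nameId = subject.getNameID().getValue();` followed by `if (nameId == null || !EXPECTED_SUBJECT_DN.equals(nameId)) {` — the constant's value is not on this page and must be taken from the test keystore. The validate method enclosing this hunk starts and ends outside it.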
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml
@@ -128,7 +128,7 @@
 <sec:trustManagers>
 <sec:keyStore type="jks" password="stsspass" resource="keys/stsstore.jks"/>
 </sec:trustManagers>
- <sec:clientAuthentication want="false" required="false"/>
+ <sec:clientAuthentication want="true" required="false"/>
 </httpj:tlsServerParameters>
 </httpj:engine>
 </httpj:engine-factory>
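Review bot: `want="true" required="false"` asks for a client certificate but still completes the handshake for a client that presents none, so such a request reaches the STS with no transport-level identity and nothing in this file records which component is then expected to reject it or what Subject it would get. Add an XML comment next to the element stating the intent, e.g. `<!-- request (but do not require) a client cert so the technical user's DN is available for the ActAs Subject; requests without one are not authenticated at the transport level -->` — the first half is inferred from the commit title, so adjust it to the actual design. If the transport port is only meant to serve certificate-authenticated technical users, `required="true"` would express that directly.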
