Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 945e96af7 -> 4cde67174
CXF-7099 - Technical user should be the SAML Subject for the ActAs use-case
# Conflicts:
# services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c340fdc1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c340fdc1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c340fdc1
Branch: refs/heads/3.0.x-fixes
Commit: c340fdc1130871bae879a16e2826df857de44222
Parents: 945e96a
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Oct 19 16:08:56 2016 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Oct 19 17:05:23 2016 +0100
----------------------------------------------------------------------
.../token/provider/DefaultSubjectProvider.java | 6 ----
.../sts/delegation/SAMLDelegationTest.java | 29 +++-----------------
.../sts/username_actas/ActAsValidator.java | 8 ++++++
.../sts/delegation/cxf-sts-transport.xml | 2 +-
4 files changed, 13 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/c340fdc1/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 1de4576..f6500b6 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -110,7 +110,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
 /**
 * Get the Principal (which is used as the Subject). By default, we check the following (in order):
 * - A valid OnBehalfOf principal
- * - A valid ActAs principal
 * - A valid principal associated with a token received as ValidateTarget
 * - The principal associated with the request. We don't need to check to see if it is "valid" here, as it
 * is not parsed by the STS (but rather the WS-Security layer).
@@ -124,11 +123,6 @@ public class DefaultSubjectProvider implements SubjectProvider {
 if (receivedToken.getState().equals(STATE.VALID)) {
 principal = receivedToken.getPrincipal();
 }
- } else if (providerParameters.getTokenRequirements().getActAs() != null) {
- ReceivedToken receivedToken = providerParameters.getTokenRequirements().getActAs();
- if (receivedToken.getState().equals(STATE.VALID)) {
- principal = receivedToken.getPrincipal();
- }
 } else if (providerParameters.getTokenRequirements().getValidateTarget() != null) {
 ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
 if (receivedToken.getState().equals(STATE.VALID)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/c340fdc1/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
index 4126a44..6194e81 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java
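Review bot: The bullet list in the getPrincipal javadoc now simply omits ActAs, so a reader cannot tell whether the ActAs case was forgotten or deliberately excluded from Subject selection. Add a sentence after the OnBehalfOf bullet making the intent explicit, e.g. `* Note that an ActAs token is deliberately not consulted here: in the ActAs use-case the authenticated requestor (the "technical user") becomes the Subject (CXF-7099).` Since this lands on the 3.0.x-fixes branch it changes the Subject that existing ActAs deployments receive, which is worth stating in the release notes as well, or making switchable through a property on this provider.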
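Review bot: Deleting this branch also deletes the only place in getPrincipal that looked at the ActAs token's STATE, so with an ActAs element present the method now falls through to the ValidateTarget branch and, presumably, the request principal, regardless of whether the ActAs token validated. That is only safe if an invalid ActAs token is rejected earlier in the issue flow, before any token provider runs; that should be confirmed rather than relying on the subject provider ignoring it. On the surviving context lines, `receivedToken.getState().equals(STATE.VALID)` throws a NullPointerException if the state is ever unset; if `STATE` is an enum, `receivedToken.getState() == STATE.VALID` (or `STATE.VALID.equals(receivedToken.getState())`) is the null-safe form. getPrincipal continues outside the hunk.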
@@ -41,7 +41,6 @@ import org.apache.cxf.sts.token.provider.TokenProviderParameters; import org.apache.cxf.sts.token.provider.TokenProviderResponse; import org.apache.cxf.systest.sts.common.CommonCallbackHandler; import org.apache.cxf.systest.sts.common.SecurityTestUtil; -import org.apache.cxf.systest.sts.issueunit.IssueUnitTest; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; @@ -91,7 +90,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase { @org.junit.Test public void testSAMLOnBehalfOf() throws Exception { SpringBusFactory bf = new SpringBusFactory(); - URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); SpringBusFactory.setDefaultBus(bus); @@ -128,7 +127,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase { @org.junit.Test public void testSAMLActAs() throws Exception { SpringBusFactory bf = new SpringBusFactory(); - URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); SpringBusFactory.setDefaultBus(bus); 
@@ -163,29 +162,9 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase { } @org.junit.Test - public void testTransportNoDelegationToken() throws Exception { - SpringBusFactory bf = new SpringBusFactory(); - URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); - - Bus bus = bf.createBus(busFile.toString()); - SpringBusFactory.setDefaultBus(bus); - SpringBusFactory.setThreadDefaultBus(bus); - - try { - requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus, - DEFAULT_ADDRESS, "Transport_Port"); - fail("Failure expected on no delegation token"); - } catch (Exception ex) { - // expected - } - - bus.shutdown(true); - } - - @org.junit.Test public void testTransportForgedDelegationToken() throws Exception { SpringBusFactory bf = new SpringBusFactory(); - URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); SpringBusFactory.setDefaultBus(bus); @@ -221,7 +200,7 @@ public class SAMLDelegationTest extends AbstractBusClientServerTestBase { @org.junit.Test public void testTransportUnsignedDelegationToken() throws Exception { SpringBusFactory bf = new SpringBusFactory(); - URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); SpringBusFactory.setDefaultBus(bus); http://git-wip-us.apache.org/repos/asf/cxf/blob/c340fdc1/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java index 137fb21..1e5a2a1 100644 
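Review bot: testTransportNoDelegationToken is deleted outright rather than replaced, so the transport STS endpoint no longer has a test pinning what happens when the RST carries no OnBehalfOf/ActAs token. If the intended new behaviour is that the TLS client identity becomes the Subject (which the `want="true"` change to cxf-sts-transport.xml in this commit suggests), invert the test into a positive one that asserts the issued token's Subject NameID is the client certificate DN, and keep a variant that omits the client certificate and still expects failure, since `required="false"` lets a certificate-less client through. Otherwise the negative coverage this test provided is simply gone from the file.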
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java @@ -30,6 +30,7 @@ import org.apache.wss4j.dom.validate.SamlAssertionValidator; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; +import org.opensaml.saml2.core.Subject; import org.opensaml.xml.XMLObject; /** @@ -48,6 +49,13 @@ public class ActAsValidator extends SamlAssertionValidator { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } + // The technical user should be in the Subject + Subject subject = saml2Assertion.getSubject(); + if (subject == null || subject.getNameID() == null + || !subject.getNameID().getValue().contains("CN=www.client.com")) { + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); + } + List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements(); if (attributeStatements == null || attributeStatements.isEmpty()) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); http://git-wip-us.apache.org/repos/asf/cxf/blob/c340fdc1/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml index eb2f175..651e6c1 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml 
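Review bot: `subject.getNameID().getValue()` is dereferenced without a null check, so a NameID with no value fails with a NullPointerException instead of the `invalidSAMLsecurity` WSSecurityException the surrounding checks raise, and `contains("CN=www.client.com")` is a substring match that any DN embedding that string (a longer CN, or an OU carrying the same value) also satisfies. Pull the value into a local and compare it as a whole: `String name = subject.getNameID().getValue();` followed by `if (name == null || !name.contains("CN=www.client.com")) {`, or better, since the DN comes from a fixed test keystore, compare the full DN with `equals`. This is test code, so the impact is limited to what the systest proves, but this validator is the assertion for CXF-7099 and should not be satisfiable by a near-miss. The enclosing validate method starts and ends outside the hunk.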
@@ -135,7 +135,7 @@
 <sec:trustManagers>
 <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/>
 </sec:trustManagers>
- <sec:clientAuthentication want="false" required="false"/>
+ <sec:clientAuthentication want="true" required="false"/>
 </httpj:tlsServerParameters>
 </httpj:engine>
 </httpj:engine-factory>
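Review bot: `want="true"` combined with the unchanged `required="false"` makes the client certificate optional, so a client that presents none still reaches the STS and the transport-derived principal that the ActAs Subject is meant to come from is simply absent. If this endpoint exists to exercise the technical-user-as-Subject behaviour, `required="true"` (or a companion test that asserts failure without a certificate) would make the fixture enforce it rather than merely invite it. If optional is intentional, a short comment on the element would save the next reader the question, e.g. `<!-- client cert wanted so the TLS identity becomes the SAML Subject; not required because ... -->`. This is a test fixture, so the consequence is weaker test coverage rather than a production exposure.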
