Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e2fd9159
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e2fd9159
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e2fd9159
Branch: refs/heads/3.1.x-fixes
Commit: e2fd915910e19bcc71d722e688e14a94ccae7d90
Parents: 50e08ec
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Apr 4 09:30:43 2017 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Apr 4 09:30:43 2017 +0100
----------------------------------------------------------------------
 .../org/apache/cxf/rt/security/SecurityConstants.java | 6 +-----
 .../apache/cxf/rt/security/utils/SecurityUtils.java | 8 --------
 .../wss4j/DefaultWSS4JSecurityContextCreator.java | 14 +-------------
 .../wss4j/StaxSecurityContextInInterceptor.java | 12 +-----------
 4 files changed, 3 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 80cf1bd..aa0106d 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -159,7 +159,7 @@ public class SecurityConstants {
 /**
 * Whether to allow UsernameTokens with no password to be used as SecurityContext Principals.
- * The default is false.
+ * The default is true.
 */
 public static final String ENABLE_UT_NOPASSWORD_PRINCIPAL = "security.enable.ut-no-password.principal";
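Review bot: `* The default is true.` is all the Javadoc says about a toggle that decides whether a UsernameToken carrying no password becomes the SecurityContext principal; spell out the consequence so anyone hardening a deployment knows which property to set, e.g. `* The default is true, i.e. a UsernameToken with no password is accepted as the SecurityContext` / `* Principal unless this property is explicitly set to "false".` The default itself does not live here but is hard-coded as `true` at two call sites, the DefaultWSS4JSecurityContextCreator and StaxSecurityContextInInterceptor hunks of this commit, and the Stax hunk's context line `// The "no password" case is not allowed by default` now contradicts that value. Since the merged commit named in the conflict markers, b77e43f, is titled "Disable taking a UsernameToken with no password as the security context principal", a one-line note on why the 3.1.x branch keeps the permissive default (presumably to preserve behaviour for existing 3.1.x users) would stop the next reader from treating the mismatch as a merge mistake.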
@@ -352,12 +352,8 @@ public class SecurityConstants {
 CALLBACK_HANDLER, SAML_CALLBACK_HANDLER, SIGNATURE_PROPERTIES, SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, ENCRYPT_CERT, ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
-<<<<<<< HEAD
- AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME,
-=======
 ENABLE_UT_NOPASSWORD_PRINCIPAL, AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME,
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
 ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT, STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT, DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
index a0419de..f14b14c 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
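Review bot: `ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL` appears twice in the resolved property list, in the context line before the removed `<<<<<<< HEAD` marker and again in the `ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT, ...` line after the removed `>>>>>>>` marker, so the merge leaves a duplicate entry. It is harmless if the array only feeds a Set, but it is exactly the kind of leftover a conflict resolution tends to produce; dropping the second occurrence keeps the list clean. The enclosing declaration starts and ends outside the hunk.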
@@ -183,16 +183,8 @@ public final class SecurityUtils {
 * values. If none is configured, then the defaultValue parameter is returned.
 */
 public static boolean getSecurityPropertyBoolean(String property, Message message, boolean defaultValue) {
-<<<<<<< HEAD
- Object value = message.getContextualProperty(property);
- if (value == null) {
- value = message.getContextualProperty("ws-" + property);
- }
-
-=======
 Object value = getSecurityPropertyValue(property, message);
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
 if (value != null) {
 return PropertyUtils.isTrue(value);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
index cd15d46..7855d0e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
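Review bot: The resolved line `Object value = getSecurityPropertyValue(property, message);` drops the inline fallback to `message.getContextualProperty("ws-" + property)` that the HEAD side carried, and nothing in the hunk shows that getSecurityPropertyValue performs that legacy lookup itself. If it does not, a deployment that still configures the `ws-` prefixed name silently gets defaultValue instead — for this commit's callers that is the ENABLE_UT_NOPASSWORD_PRINCIPAL default of `true` — so it is worth confirming against the helper and pinning with a test that sets only the `ws-` name. getSecurityPropertyBoolean's body continues past the hunk.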
@@ -66,29 +66,17 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC
 * Create a SecurityContext and store it on the SoapMessage parameter
 */
 public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) {
-<<<<<<< HEAD
-
- String allowUnsigned =
- (String)SecurityUtils.getSecurityPropertyValue(
- SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg
- );
- boolean allowUnsignedSamlPrincipals = Boolean.parseBoolean(allowUnsigned);
- boolean useJAASSubject = true;
- String useJAASSubjectStr =
-=======
-
 boolean allowUnsignedSamlPrincipals = SecurityUtils.getSecurityPropertyBoolean(
 SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
 );
 boolean allowUTNoPassword = SecurityUtils.getSecurityPropertyBoolean(
- SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
+ SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, true
 );
 boolean useJAASSubject = true;
 String useJAASSubjectStr =
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
 (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SC_FROM_JAAS_SUBJECT, msg);
 if (useJAASSubjectStr != null) {
 useJAASSubject = Boolean.parseBoolean(useJAASSubjectStr);
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index 82cc6a1..b5a7e77 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
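Review bot: The resolved code still reads SC_FROM_JAAS_SUBJECT through a `(String)` cast on `SecurityUtils.getSecurityPropertyValue(...)` followed by Boolean.parseBoolean, while the two properties immediately above it go through `SecurityUtils.getSecurityPropertyBoolean`; a Boolean object configured for that property throws ClassCastException on the cast line, whereas the helper hands the raw value to PropertyUtils.isTrue (visible in the SecurityUtils hunk of this commit). `boolean useJAASSubject = SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.SC_FROM_JAAS_SUBJECT, msg, true);` would replace the useJAASSubject/useJAASSubjectStr pair and the null check that follows, provided PropertyUtils.isTrue agrees with Boolean.parseBoolean on the string values in use, which is worth checking before switching. createSecurityContext continues past the hunk.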
@@ -212,15 +212,6 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
 return token.getPublicKey() != null || (token.getX509Certificates() != null && token.getX509Certificates().length > 0);
 }
-<<<<<<< HEAD
-
- private boolean isSamlEventSigned(SamlTokenSecurityEvent event) {
- if (event == null) {
- return false;
- }
-
- return event.getSecurityToken() != null
-=======
 private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
 if (event == null) {
@@ -234,7 +225,6 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
 // The SAML Assertion must be signed by default
 return event.getSecurityToken() != null
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
 && event.getSecurityToken().getSamlAssertionWrapper() != null
 && (allowUnsignedSamlPrincipals || event.getSecurityToken().getSamlAssertionWrapper().isSigned());
 }
@@ -246,7 +236,7 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
 boolean allowUTNoPassword = SecurityUtils.getSecurityPropertyBoolean(
- SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
+ SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, true
 );
 // The "no password" case is not allowed by default
