This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/main by this push:
new 8ab0d8bc99f Fix bug with SAML clientAddress (#3298)
8ab0d8bc99f is described below
commit 8ab0d8bc99f83fb2cae973e0202ef9176589defa
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Jul 10 10:34:50 2026 +0100
Fix bug with SAML clientAddress (#3298)
---
rt/rs/security/oauth-parent/oauth2-saml/pom.xml | 5 +
.../security/oauth2/saml/SamlOAuthValidator.java | 2 +-
.../oauth2/saml/SamlOAuthValidatorTest.java | 127 +++++++++++++++++++++
3 files changed, 133 insertions(+), 1 deletion(-)
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/pom.xml
b/rt/rs/security/oauth-parent/oauth2-saml/pom.xml
index bb0595011a3..d417395050e 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/pom.xml
+++ b/rt/rs/security/oauth-parent/oauth2-saml/pom.xml
@@ -47,5 +47,10 @@
<artifactId>cxf-rt-rs-security-xml</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</project>
diff --git
a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index 27ccf9ebfb7..94a15e2a564 100644
---
a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++
b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -58,7 +58,7 @@ public class SamlOAuthValidator {
}
public void setClientAddress(String value) {
- issuer = value;
+ clientAddress = value;
}
public void validate(Message message, SamlAssertionWrapper wrapper) {
diff --git
a/rt/rs/security/oauth-parent/oauth2-saml/src/test/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidatorTest.java
b/rt/rs/security/oauth-parent/oauth2-saml/src/test/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidatorTest.java
new file mode 100644
index 00000000000..a127ae9bfb2
--- /dev/null
+++
b/rt/rs/security/oauth-parent/oauth2-saml/src/test/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidatorTest.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.saml;
+
+import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Collections;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import jakarta.ws.rs.NotAuthorizedException;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
+import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
+import org.apache.wss4j.common.saml.bean.Version;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.engine.WSSConfig;
+
+import org.junit.Test;
+
+public class SamlOAuthValidatorTest {
+
+ static {
+ WSSConfig.init();
+ }
+
+ @Test
+ public void testValidateWithMatchingClientAddress() throws Exception {
+ String tokenServiceAddress = "https://service.example.org/token";
+ String clientAddress = "192.0.2.10";
+
+ SamlOAuthValidator validator = new SamlOAuthValidator();
+ validator.setAccessTokenServiceAddress(tokenServiceAddress);
+ validator.setClientAddress(clientAddress);
+
+ SamlAssertionWrapper wrapper = createAssertion(tokenServiceAddress,
clientAddress);
+
+ // This should pass for a valid assertion but currently fails because
+ // setClientAddress incorrectly updates issuer instead of
clientAddress.
+ validator.validate(null, wrapper);
+ }
+
+ @Test(expected = NotAuthorizedException.class)
+ public void testValidateWithMismatchingClientAddress() throws Exception {
+ String tokenServiceAddress = "https://service.example.org/token";
+
+ SamlOAuthValidator validator = new SamlOAuthValidator();
+ validator.setAccessTokenServiceAddress(tokenServiceAddress);
+ validator.setClientAddress("192.0.2.10");
+
+ SamlAssertionWrapper wrapper = createAssertion(tokenServiceAddress,
"192.0.2.20");
+ validator.validate(null, wrapper);
+ }
+
+ private SamlAssertionWrapper createAssertion(String recipient, String
clientAddress) throws Exception {
+ SubjectConfirmationDataBean confirmationData = new
SubjectConfirmationDataBean();
+ confirmationData.setRecipient(recipient);
+ confirmationData.setAddress(clientAddress);
+
confirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
+
+ ConditionsBean conditions = new ConditionsBean();
+ conditions.setNotBefore(Instant.now().minusSeconds(30));
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
+ AudienceRestrictionBean audienceRestriction = new
AudienceRestrictionBean();
+
audienceRestriction.setAudienceURIs(Collections.singletonList(recipient));
+
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(new TestSaml2CallbackHandler(conditions,
confirmationData), samlCallback);
+ return new SamlAssertionWrapper(samlCallback);
+ }
+
+ private static class TestSaml2CallbackHandler implements CallbackHandler {
+ private final ConditionsBean conditions;
+ private final SubjectConfirmationDataBean confirmationData;
+
+ TestSaml2CallbackHandler(ConditionsBean conditions,
SubjectConfirmationDataBean confirmationData) {
+ this.conditions = conditions;
+ this.confirmationData = confirmationData;
+ }
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (!(callback instanceof SAMLCallback)) {
+ throw new UnsupportedCallbackException(callback,
"Unrecognized Callback");
+ }
+
+ SAMLCallback samlCallback = (SAMLCallback)callback;
+ samlCallback.setSamlVersion(Version.SAML_20);
+ samlCallback.setIssuer("https://issuer.example.org");
+ samlCallback.setConditions(conditions);
+
+ SubjectBean subject = new SubjectBean(
+ "alice",
+ "service.example.org",
+ SAML2Constants.CONF_BEARER
+ );
+ subject.setSubjectConfirmationData(confirmationData);
+ samlCallback.setSubject(subject);
+ }
+ }
+ }
+}