Author: coheigea
Date: Mon Feb 14 17:04:01 2011
New Revision: 1070574
URL: http://svn.apache.org/viewvc?rev=1070574&view=rev
Log:
Fix for BSP issue.
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
Mon Feb 14 17:04:01 2011
@@ -194,7 +194,9 @@ public class EncryptedKeyProcessor imple
);
}
STRParser strParser = new EncryptedKeySTRParser();
- strParser.setBspCompliant(config.isWsiBSPCompliant());
+ if (config != null) {
+ strParser.setBspCompliant(config.isWsiBSPCompliant());
+ }
strParser.parseSecurityTokenReference(strElement, crypto, cb,
wsDocInfo, null);
X509Certificate[] certs = strParser.getCertificates();
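Review bot: When `config` is null the new guard leaves EncryptedKeySTRParser's BSP setting at whatever the parser itself defaults to, and that default is not visible in this hunk, so the effective policy for the null case is implicit. A one-line comment such as `// A null config keeps the parser's default BSP-compliance setting` would make the fallback deliberate, and if that default is lenient it is worth deciding whether a null config should instead be rejected. Presumably the null case comes from callers that still hand a null WSSConfig to handleToken. The enclosing method starts and ends outside the hunk.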
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
Mon Feb 14 17:04:01 2011
@@ -62,7 +62,7 @@ public class SAMLTokenProcessor implemen
if (log.isDebugEnabled()) {
log.debug("Found SAML Assertion element");
}
- AssertionWrapper assertion = handleSAMLToken(elem, crypto, cb);
+ AssertionWrapper assertion = handleSAMLToken(elem, crypto, cb, config);
wsDocInfo.addTokenElement(elem);
WSSecurityEngineResult result = null;
if (assertion.isSigned()) {
@@ -79,16 +79,18 @@ public class SAMLTokenProcessor implemen
public AssertionWrapper handleSAMLToken(
Element token,
Crypto crypto,
- CallbackHandler cb
+ CallbackHandler cb,
+ WSSConfig config
) throws WSSecurityException {
AssertionWrapper assertion = new AssertionWrapper(token);
if (assertion.isSigned()) {
- assertion.verifySignature(crypto);
+ assertion.verifySignature(crypto, config);
}
// Now delegate the rest of the verification to the Validator
validator.setCrypto(crypto);
validator.setCallbackHandler(cb);
+ validator.setWSSConfig(config);
Credential credential = new Credential();
credential.setAssertion(assertion);
validator.validate(credential);
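Review bot: `handleSAMLToken` is public and gains a `config` parameter, but the hunk begins at the signature so its Javadoc is out of view; if that Javadoc lists parameters it needs `@param config The WSSConfig whose BSP-compliance setting is applied when verifying the assertion signature and parsing the subject`. The same gap exists for `verifySignature` and `parseHOKSubject` in AssertionWrapper, whose Javadoc visibly ends with `@throws` and has no `@param` for the new argument. Adding a parameter to a public method is also a source-incompatible change for external callers; a delegating three-argument overload would keep them compiling. The method body continues past the end of this hunk.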
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
Mon Feb 14 17:04:01 2011
@@ -22,6 +22,7 @@ package org.apache.ws.security.saml;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
@@ -101,15 +102,19 @@ public class SAMLUtil {
* @param crypto The Crypto instance to use to obtain certificates
* @param cb The CallbackHandler instance used for secret keys
* @return a SAMLKeyInfo object
+ * @param bspCompliant Whether to process tokens in compliance with the
BSP spec or not
* @throws WSSecurityException
*/
public static SAMLKeyInfo getCredentialFromSubject(
- AssertionWrapper assertion, Crypto crypto, CallbackHandler cb
+ AssertionWrapper assertion,
+ Crypto crypto,
+ CallbackHandler cb,
+ boolean bspCompliant
) throws WSSecurityException {
if (assertion.getSaml1() != null) {
- return getCredentialFromSubject(assertion.getSaml1(), crypto, cb);
+ return getCredentialFromSubject(assertion.getSaml1(), crypto, cb,
bspCompliant);
} else {
- return getCredentialFromSubject(assertion.getSaml2(), crypto, cb);
+ return getCredentialFromSubject(assertion.getSaml2(), crypto, cb,
bspCompliant);
}
}
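Review bot: The added `@param bspCompliant` tag sits after `@return` at the top of this hunk, whereas the three later Javadoc blocks in SAMLUtil place it before `@return`; move it above `@return` so the tag order is consistent. The three-argument public overloads of `getCredentialFromSubject` are replaced rather than kept as delegating wrappers, so any external caller of SAMLUtil breaks at compile time; retaining an overload that forwards with a documented default would be kinder, and the same applies to `getCredentialFromKeyInfo` further down in this file.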
@@ -143,13 +148,15 @@ public class SAMLUtil {
* @param assertion The SAML 1.1 assertion
* @param crypto The crypto instance used to get the credential
* @param cb The CallbackHandler used for secret keys
+ * @param bspCompliant Whether to process tokens in compliance with the
BSP spec or not
* @return The SAMLKeyInfo object obtained from the Subject
* @throws WSSecurityException
*/
public static SAMLKeyInfo getCredentialFromSubject(
org.opensaml.saml1.core.Assertion assertion,
Crypto crypto,
- CallbackHandler cb
+ CallbackHandler cb,
+ boolean bspCompliant
) throws WSSecurityException {
// First try to get the credential from a CallbackHandler
byte[] key = getSecretKeyFromCallbackHandler(assertion.getID(), cb);
@@ -191,7 +198,7 @@ public class SAMLUtil {
Element keyInfoElement =
WSSecurityUtil.getDirectChildElement(sub, "KeyInfo",
WSConstants.SIG_NS);
if (keyInfoElement != null) {
- return getCredentialFromKeyInfo(keyInfoElement, crypto, cb);
+ return getCredentialFromKeyInfo(keyInfoElement, crypto, cb,
bspCompliant);
}
}
@@ -204,13 +211,15 @@ public class SAMLUtil {
* @param assertion The SAML 2 assertion
* @param crypto The crypto instance used to get the credential
* @param cb The CallbackHandler used for secret keys
+ * @param bspCompliant Whether to process tokens in compliance with the
BSP spec or not
* @return The SAMLKeyInfo object obtained from the Subject
* @throws WSSecurityException
*/
public static SAMLKeyInfo getCredentialFromSubject(
org.opensaml.saml2.core.Assertion assertion,
Crypto crypto,
- CallbackHandler cb
+ CallbackHandler cb,
+ boolean bspCompliant
) throws WSSecurityException {
// First try to get the credential from a CallbackHandler
byte[] key = getSecretKeyFromCallbackHandler(assertion.getID(), cb);
@@ -234,7 +243,7 @@ public class SAMLUtil {
Element keyInfoElement =
WSSecurityUtil.getDirectChildElement(sub, "KeyInfo",
WSConstants.SIG_NS);
if (keyInfoElement != null) {
- return getCredentialFromKeyInfo(keyInfoElement, crypto, cb);
+ return getCredentialFromKeyInfo(keyInfoElement, crypto, cb,
bspCompliant);
}
}
@@ -246,13 +255,15 @@ public class SAMLUtil {
* KeyInfo (DOM Element) argument.
* @param keyInfoElement The KeyInfo as a DOM Element
* @param crypto The crypto instance
+ * @param bspCompliant Whether to process tokens in compliance with the
BSP spec or not
* @return The credential (as a SAMLKeyInfo object)
* @throws WSSecurityException
*/
public static SAMLKeyInfo getCredentialFromKeyInfo(
Element keyInfoElement,
Crypto crypto,
- CallbackHandler cb
+ CallbackHandler cb,
+ boolean bspCompliant
) throws WSSecurityException {
//
// First try to find an EncryptedKey or a BinarySecret via DOM
@@ -264,8 +275,10 @@ public class SAMLUtil {
if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
WSDocInfo docInfo = new WSDocInfo(node.getOwnerDocument());
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setWsiBSPCompliant(bspCompliant);
List<WSSecurityEngineResult> result =
- proc.handleToken((Element)node, null, crypto, cb,
docInfo, null);
+ proc.handleToken((Element)node, null, crypto, cb,
docInfo, config);
byte[] secret =
(byte[])result.get(0).get(
WSSecurityEngineResult.TAG_SECRET
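Review bot: The WSSConfig handed to the nested EncryptedKeyProcessor is a fresh `WSSConfig.getNewInstance()` carrying only the BSP flag, so whatever else the caller's configuration held is not visible to that processor. If other WSSConfig options matter for processing the EncryptedKey (this hunk does not show which ones the processor reads), threading the caller's WSSConfig instead of a single boolean through `getCredentialFromKeyInfo` would avoid the divergence; otherwise a comment `// Only the BSP-compliance flag is propagated to the nested processor` makes the limitation explicit. The enclosing method continues beyond this hunk.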
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
Mon Feb 14 17:04:01 2011
@@ -248,7 +248,9 @@ public class WSSecSignatureSAML extends
}
if (secretKey == null) {
SAMLKeyInfo samlKeyInfo =
- SAMLUtil.getCredentialFromSubject(assertion, userCrypto,
null);
+ SAMLUtil.getCredentialFromSubject(
+ assertion, userCrypto, null,
wssConfig.isWsiBSPCompliant()
+ );
publicKey = samlKeyInfo.getPublicKey();
certs = samlKeyInfo.getCerts();
wsDocInfo.setCrypto(userCrypto);
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
Mon Feb 14 17:04:01 2011
@@ -22,6 +22,7 @@ package org.apache.ws.security.saml.ext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -499,7 +500,7 @@ public class AssertionWrapper {
*
* @throws ValidationException
*/
- public void verifySignature(Crypto crypto) throws WSSecurityException {
+ public void verifySignature(Crypto crypto, WSSConfig config) throws
WSSecurityException {
Signature sig = null;
if (saml2 != null && saml2.getSignature() != null) {
sig = saml2.getSignature();
@@ -509,7 +510,9 @@ public class AssertionWrapper {
if (sig != null) {
KeyInfo keyInfo = sig.getKeyInfo();
SAMLKeyInfo samlKeyInfo =
- SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), crypto,
null);
+ SAMLUtil.getCredentialFromKeyInfo(
+ keyInfo.getDOM(), crypto, null, config.isWsiBSPCompliant()
+ );
if (samlKeyInfo == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "invalidSAMLsecurity",
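Review bot: `config.isWsiBSPCompliant()` is dereferenced without a null check here, unlike the `config != null` guard this same commit adds in EncryptedKeyProcessor, so a null WSSConfig now surfaces as a NullPointerException inside signature verification rather than a clear error. The same unguarded dereference appears twice in the `parseHOKSubject` hunk below, and that method is invoked from SamlAssertionValidator with its new `wssConfig` field, which stays null until `setWSSConfig` is called. Either fail fast at the top of both methods, `if (config == null) { throw new IllegalArgumentException("config must not be null"); }`, or fall back to a documented default the way EncryptedKeyProcessor does. The body of verifySignature continues past this hunk.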
@@ -552,7 +555,9 @@ public class AssertionWrapper {
* has been obtained for future processing by the SignatureProcessor.
* @throws WSSecurityException
*/
- public void parseHOKSubject(Crypto crypto, CallbackHandler cb) throws
WSSecurityException {
+ public void parseHOKSubject(
+ Crypto crypto, CallbackHandler cb, WSSConfig config
+ ) throws WSSecurityException {
String confirmMethod = null;
List<String> methods = getConfirmationMethods();
if (methods != null && methods.size() > 0) {
@@ -560,9 +565,11 @@ public class AssertionWrapper {
}
if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
if (saml1 != null) {
- subjectKeyInfo = SAMLUtil.getCredentialFromSubject(saml1,
crypto, cb);
+ subjectKeyInfo =
+ SAMLUtil.getCredentialFromSubject(saml1, crypto, cb,
config.isWsiBSPCompliant());
} else if (saml2 != null) {
- subjectKeyInfo = SAMLUtil.getCredentialFromSubject(saml2,
crypto, cb);
+ subjectKeyInfo =
+ SAMLUtil.getCredentialFromSubject(saml2, crypto, cb,
config.isWsiBSPCompliant());
}
}
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
Mon Feb 14 17:04:01 2011
@@ -114,7 +114,7 @@ public class DerivedKeyTokenSTRParser im
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
+ SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
bspCompliant);
// TODO Handle malformed SAML tokens where they don't have the
// secret in them
secretKey = keyInfo.getSecret();
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
Mon Feb 14 17:04:01 2011
@@ -107,7 +107,8 @@ public class EncryptedKeySTRParser imple
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo
);
- SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
+ SAMLKeyInfo samlKi =
+ SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
bspCompliant);
certs = samlKi.getCerts();
} else {
certs = secRef.getKeyIdentifier(crypto);
@@ -128,7 +129,7 @@ public class EncryptedKeySTRParser imple
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(assertion,
crypto, cb);
+ SAMLUtil.getCredentialFromSubject(assertion,
crypto, cb, bspCompliant);
certs = keyInfo.getCerts();
} else {
throw new WSSecurityException(
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Mon Feb 14 17:04:01 2011
@@ -108,7 +108,7 @@ public class SecurityTokenRefSTRParser i
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(assertion, crypto,
cb);
+ SAMLUtil.getCredentialFromSubject(assertion, crypto,
cb, bspCompliant);
// TODO Handle malformed SAML tokens where they don't have
the
// secret in them
secretKey = keyInfo.getSecret();
@@ -131,7 +131,8 @@ public class SecurityTokenRefSTRParser i
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo
);
- SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
+ SAMLKeyInfo samlKi =
+ SAMLUtil.getCredentialFromSubject(assertion, crypto, cb,
bspCompliant);
// TODO Handle malformed SAML tokens where they don't have the
// secret in them
secretKey = samlKi.getSecret();
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Mon Feb 14 17:04:01 2011
@@ -127,7 +127,8 @@ public class SignatureSTRParser implemen
|| el.equals(WSSecurityEngine.SAML2_TOKEN)) {
AssertionWrapper assertion = new AssertionWrapper(token);
- SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
+ SAMLKeyInfo samlKi =
+ SAMLUtil.getCredentialFromSubject(assertion, crypto,
cb, bspCompliant);
X509Certificate[] foundCerts = samlKi.getCerts();
if (foundCerts != null) {
certs = new X509Certificate[]{foundCerts[0]};
@@ -220,7 +221,7 @@ public class SignatureSTRParser implemen
SAMLUtil.getAssertionFromKeyIdentifier(
secRef, strElement, crypto, cb, wsDocInfo
);
- SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
+ SAMLKeyInfo samlKi =
SAMLUtil.getCredentialFromSubject(assertion, crypto, cb, bspCompliant);
X509Certificate[] foundCerts = samlKi.getCerts();
if (foundCerts != null) {
certs = new X509Certificate[]{foundCerts[0]};
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1070574&r1=1070573&r2=1070574&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Mon Feb 14 17:04:01 2011
@@ -23,6 +23,7 @@ import java.util.List;
import javax.security.auth.callback.CallbackHandler;
+import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
@@ -38,6 +39,7 @@ import org.apache.ws.security.saml.ext.O
public class SamlAssertionValidator extends SignatureTrustValidator {
private CallbackHandler callbackHandler;
+ private WSSConfig wssConfig;
/**
* Validate the credential argument. It must contain a non-null
AssertionWrapper.
@@ -60,7 +62,7 @@ public class SamlAssertionValidator exte
}
if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
// The Subject KeyInfo must not be null (and must be successfully
parsed)
- assertion.parseHOKSubject(crypto, callbackHandler);
+ assertion.parseHOKSubject(crypto, callbackHandler, wssConfig);
if (assertion.getSubjectKeyInfo() == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"noKeyInSAMLToken");
}
@@ -89,4 +91,14 @@ public class SamlAssertionValidator exte
this.callbackHandler = callbackHandler;
}
+ /**
+ * Set a WSSConfig instance used to extract configured options used to
+ * validate credentials.
+ * @param wssConfig a WSSConfig instance
+ */
+ @Override
+ public void setWSSConfig(WSSConfig wssConfig) {
+ this.wssConfig = wssConfig;
+ }
+
}