Repository: cxf-fediz Updated Branches: refs/heads/master b5011300a -> cae5c37f3
Precompile Subject Constraints
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cae5c37f
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cae5c37f
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cae5c37f
Branch: refs/heads/master
Commit: cae5c37f3cb6a9250fb2c5c52c16cd0cc759dd6b
Parents: b501130
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Mon Jul 21 17:33:40 2014 +0100
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Mon Jul 21 17:33:40 2014 +0100
----------------------------------------------------------------------
 .../cxf/fediz/core/config/TrustedIssuer.java | 16 ++++++++++++++++
 .../core/saml/FedizSignatureTrustValidator.java | 20 --------------------
 .../cxf/fediz/core/saml/SAMLTokenValidator.java | 8 +++++++-
 .../fediz/core/saml/SamlAssertionValidator.java | 14 +++----------
 .../samlsso/SAMLProtocolResponseValidator.java | 10 ++++++++--
 5 files changed, 34 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cae5c37f/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/TrustedIssuer.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/TrustedIssuer.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/TrustedIssuer.java
index 713b2b4..697fa87 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/TrustedIssuer.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/TrustedIssuer.java
@@ -19,11 +19,14 @@
 package org.apache.cxf.fediz.core.config;
+import java.util.regex.Pattern;
+
 import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
 import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
 public class TrustedIssuer {
 private final TrustedIssuerType trustedIssuerType;
+ private Pattern subject;
 public TrustedIssuer(TrustedIssuerType trustedIssuerType) {
@@ -39,12 +42,25 @@ public class TrustedIssuer {
 trustedIssuerType.setName(name);
 }
+ public Pattern getCompiledSubject() {
+ if (subject != null) {
+ return subject;
+ }
+
+ if (trustedIssuerType.getSubject() != null) {
+ subject = Pattern.compile(trustedIssuerType.getSubject());
+ }
+
+ return subject;
+ }
+
 public String getSubject() {
 return trustedIssuerType.getSubject();
 }
 public void setSubject(String subject) {
 trustedIssuerType.setSubject(subject);
+ this.subject = null;
 }
 public CertificateValidationMethod getCertificateValidationMethod() {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cae5c37f/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
index 0a2ff81..5ee33eb 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
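Review bot: `getCompiledSubject()` compiles `trustedIssuerType.getSubject()` as-is, whereas the `setSubjectConstraints` code this commit deletes from FedizSignatureTrustValidator and SamlAssertionValidator compiled `constraint.trim()`; a subject value with surrounding whitespace in the configuration now becomes part of the regex and will stop matching any subject DN, so keep the trim: `subject = Pattern.compile(trustedIssuerType.getSubject().trim());`. The lazily cached value is written to a plain field with no synchronization; if a TrustedIssuer is shared across request threads, as configuration objects usually are, concurrent first calls compile twice (harmless) but the compiled Pattern is not safely published, so the field should at least be `private volatile Pattern subject;`. A malformed regex now surfaces as a `PatternSyntaxException` on the first token validation rather than at configuration time; compiling eagerly in `setSubject` (or when the config is loaded) would fail fast on a bad constraint instead of failing the first login. The cache is also only reset through `setSubject`, so a caller that changes the subject on the underlying `TrustedIssuerType` directly keeps the stale compiled pattern; a comment such as `// invalidated by setSubject only; do not mutate trustedIssuerType.subject directly` would make that contract explicit.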
@@ -26,10 +26,8 @@ import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -78,24 +76,6 @@ public class FedizSignatureTrustValidator implements Validator {
 }
 /**
- * Set a list of Strings corresponding to regular expression constraints on
- * the subject DN of a certificate
- */
- public void setSubjectConstraints(List<String> constraints) {
- if (constraints != null) {
- subjectDNPatterns = new ArrayList<Pattern>();
- for (String constraint : constraints) {
- try {
- subjectDNPatterns.add(Pattern.compile(constraint.trim()));
- } catch (PatternSyntaxException ex) {
- // LOG.severe(ex.getMessage());
- throw ex;
- }
- }
- }
- }
-
- /**
 * Validate the credential argument. It must contain either some Certificates or a PublicKey.
 *
 * A Crypto and a CallbackHandler implementation is required to be set.
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cae5c37f/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index 0b9b68a..81f73f8 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -27,6 +27,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.StringTokenizer;
+import java.util.regex.Pattern;
 import org.w3c.dom.Element;
 import org.apache.cxf.fediz.core.Claim;
@@ -134,7 +135,12 @@ public class SAMLTokenValidator implements TokenValidator {
 List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
 for (TrustedIssuer ti : trustedIssuers) {
- List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
+ Pattern subjectConstraint = ti.getCompiledSubject();
+ List<Pattern> subjectConstraints = new ArrayList<Pattern>(1);
+ if (subjectConstraint != null) {
+ subjectConstraints.add(subjectConstraint);
+ }
+
 if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
 trustValidator.setSubjectConstraints(subjectConstraints);
 trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cae5c37f/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
index e72f021..f48945c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
@@ -24,7 +24,6 @@ import java.util.Collection;
 import java.util.Date;
 import java.util.List;
 import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
 import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE;
 import org.apache.wss4j.common.cache.ReplayCache;
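Review bot: A trusted issuer configured for CHAIN_TRUST but with no subject now reaches `trustValidator.setSubjectConstraints(subjectConstraints)` with an empty list, whereas the old `Collections.singletonList(ti.getSubject())` carried a null that the removed `Pattern.compile(constraint.trim())` rejected with a NullPointerException. If the trust validator treats an empty pattern collection as "no constraint" (WSS4J's SignatureTrustValidator does, logging only a warning), such an issuer now accepts any certificate that chains to the truststore, which turns a previously failing configuration into a fail-open one. Reject the missing constraint before the CHAIN_TRUST branch, e.g. `if (subjectConstraint == null && CertificateValidationMethod.CHAIN_TRUST.equals(ti.getCertificateValidationMethod())) { throw new IllegalStateException("CHAIN_TRUST trusted issuer requires a subject constraint"); }`, or at minimum log it at warn level with the issuer identified. The same code appears in the SAMLProtocolResponseValidator hunk (`@@ -229,7 +230,12 @@`) and needs the same check; in both files the enclosing method starts and ends outside the hunk. Unlike that file, this file's import hunk keeps `java.util.Collections`, which may now be unused here.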
@@ -91,17 +90,10 @@ public class SamlAssertionValidator implements Validator {
 * Set a list of Strings corresponding to regular expression constraints on
 * the subject DN of a certificate
 */
- public void setSubjectConstraints(List<String> constraints) {
+ public void setSubjectConstraints(Collection<Pattern> constraints) {
 if (constraints != null) {
- subjectDNPatterns = new ArrayList<Pattern>();
- for (String constraint : constraints) {
- try {
- subjectDNPatterns.add(Pattern.compile(constraint.trim()));
- } catch (PatternSyntaxException ex) {
- // LOG.severe(ex.getMessage());
- throw ex;
- }
- }
+ subjectDNPatterns.clear();
+ subjectDNPatterns.addAll(constraints);
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cae5c37f/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
index d086aee..c674f9e 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
@@ -18,8 +18,9 @@
 */
 package org.apache.cxf.fediz.core.samlsso;
-import java.util.Collections;
+import java.util.ArrayList;
 import java.util.List;
+import java.util.regex.Pattern;
 import org.w3c.dom.Document;
 import org.apache.cxf.fediz.core.config.CertificateValidationMethod;
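Review bot: The Javadoc kept as context above the new signature still says "Set a list of Strings corresponding to regular expression constraints", but the parameter is now `Collection<Pattern>`; update it to ` * Set a collection of compiled regular expression Patterns constraining` / ` * the subject DN of a certificate`. The new body mutates `subjectDNPatterns` in place with `clear()` and `addAll()` instead of assigning a fresh list, so it now relies on the field being initialized to a mutable collection at its declaration, which is outside the hunk; if it is initialized to an empty or unmodifiable view this throws `UnsupportedOperationException` on first use. In-place mutation also means a validator instance shared between threads can observe a momentarily empty or partially filled constraint list while another thread reconfigures it, and an empty list is likely to be treated as an absent constraint; assigning `subjectDNPatterns = new ArrayList<Pattern>(constraints);` keeps the previous atomic-replace semantics. Changing the parameter from `List<String>` to `Collection<Pattern>` is a source-incompatible change for any external caller of this public method and is worth a line in the commit message.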
@@ -229,7 +230,12 @@ public class SAMLProtocolResponseValidator {
 List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
 for (TrustedIssuer ti : trustedIssuers) {
- List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
+ Pattern subjectConstraint = ti.getCompiledSubject();
+ List<Pattern> subjectConstraints = new ArrayList<Pattern>(1);
+ if (subjectConstraint != null) {
+ subjectConstraints.add(subjectConstraint);
+ }
+
 if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
 trustValidator.setSubjectConstraints(subjectConstraints);
 trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);