From cohei...@apache.org
Subject svn commit: r1469421 - in /webservices/wss4j/trunk: ws-security-dom/src/main/java/org/apache/wss4j/dom/ ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/ ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/ ws-security-dom/src/test/java/o...
Date Thu, 18 Apr 2013 16:43:22 GMT
Author: coheigea
Date: Thu Apr 18 16:43:22 2013
New Revision: 1469421

URL: http://svn.apache.org/r1469421
Log:
Moved SAML Subject Confirmation Validation into WSS4J from CXF

Added:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/DOMSAMLUtil.java
Modified:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSecurityEngine.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/misc/PrincipalTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlNegativeTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlReferenceTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenCustomSignatureTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenDerivedTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenHOKTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSConfig.java
Thu Apr 18 16:43:22 2013
@@ -306,6 +306,12 @@ public class WSSConfig {
     private boolean passwordsAreEncoded;
     
     /**
+     * Whether to validate the SubjectConfirmation requirements of a received SAML Token
+     * (sender-vouches or holder-of-key). The default is true.
+     */
+    private boolean validateSamlSubjectConfirmation = true;
+    
+    /**
      * The default wsu:Id allocator is a simple "start at 1 and increment up"
      * thing that is very fast.
      */
@@ -749,5 +755,13 @@ public class WSSConfig {
     public void setUtFutureTTL(int utFutureTTL) {
         this.utFutureTTL = utFutureTTL;
     }
+
+    public boolean isValidateSamlSubjectConfirmation() {
+        return validateSamlSubjectConfirmation;
+    }
+
+    public void setValidateSamlSubjectConfirmation(boolean validateSamlSubjectConfirmation)
{
+        this.validateSamlSubjectConfirmation = validateSamlSubjectConfirmation;
+    }
     
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSecurityEngine.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSecurityEngine.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSecurityEngine.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/WSSecurityEngine.java
Thu Apr 18 16:43:22 2013
@@ -19,24 +19,25 @@
 
 package org.apache.wss4j.dom;
 
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.bsp.BSPRule;
 import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.derivedKey.ConversationConstants;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.CallbackLookup;
 import org.apache.wss4j.dom.processor.Processor;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
-import javax.security.auth.callback.CallbackHandler;
-import javax.xml.namespace.QName;
-
-import java.util.ArrayList;
-import java.util.List;
-
 /**
  * WS-Security Engine.
  */
@@ -441,6 +442,14 @@ public class WSSecurityEngine {
             }
         }
         
+        // Validate SAML Subject Confirmation requirements
+        if (wssConfig.isValidateSamlSubjectConfirmation()) {
+            Element bodyElement = 
+                WSSecurityUtil.findBodyElement(securityHeader.getOwnerDocument());
+            
+            DOMSAMLUtil.validateSAMLResults(returnResults, requestData.getTlsCerts(), bodyElement);
+        }
+        
         return returnResults;
     }
 }
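Review bot: Nothing in this commit populates `RequestData.tlsCerts` — the WSHandler decode block (L181-L190) does not set it — so for WSHandler-driven processing the 2-way-TLS fallback in DOMSAMLUtil never applies, and a sender-vouches assertion received over mutual TLS without a message-level signature now fails with INVALID_SECURITY unless the calling framework sets it; fail-closed, but a behaviour change worth stating. Suggest a comment above the new block: `// tlsCerts must be set by the caller from the verified TLS client chain; null means "no TLS client authentication"`. Also, if `findBodyElement` returns null for a message with no Body (presumably it does), the `se == body` comparison in checkAssertionAndBodyAreSigned can never match, so sender-vouches fails silently rather than with a clear reason — consider checking `bodyElement` explicitly. processSecurityHeader starts outside the hunk.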

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
Thu Apr 18 16:43:22 2013
@@ -19,6 +19,7 @@
 
 package org.apache.wss4j.dom.handler;
 
+import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -98,6 +99,7 @@ public class RequestData {
     private boolean allowRSA15KeyTransportAlgorithm;
     private boolean addUsernameTokenNonce;
     private boolean addUsernameTokenCreated;
+    private Certificate[] tlsCerts;
 
     public void clear() {
         soapConstants = null;
@@ -129,6 +131,7 @@ public class RequestData {
         allowRSA15KeyTransportAlgorithm = false;
         setAddUsernameTokenNonce(false);
         setAddUsernameTokenCreated(false);
+        setTlsCerts(null);
     }
 
     public Object getMsgContext() {
@@ -611,5 +614,13 @@ public class RequestData {
     public void setAddUsernameTokenCreated(boolean addUsernameTokenCreated) {
         this.addUsernameTokenCreated = addUsernameTokenCreated;
     }
+
+    public Certificate[] getTlsCerts() {
+        return tlsCerts;
+    }
+
+    public void setTlsCerts(Certificate[] tlsCerts) {
+        this.tlsCerts = tlsCerts;
+    }
         
 }
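Review bot: `setTlsCerts` has no javadoc, yet DOMSAMLUtil only ever inspects `tlsCerts[0]` (L377, L382), so the contract — end-entity certificate first, and only certificates that the TLS layer has already validated — is implicit and security-critical. Suggest documenting it on the setter: `/** The client certificate chain from a mutually-authenticated TLS session, end-entity cert first. Must only be set from a chain the transport has already verified; null when the client did not authenticate via TLS. */`. Minor: the getter and setter hand out the array itself; a defensive `clone()` would prevent a processor from mutating shared request state, though callers here are all in-process.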

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
Thu Apr 18 16:43:22 2013
@@ -294,6 +294,9 @@ public abstract class WSHandler {
         wssConfig.setAllowUsernameTokenNoPassword(
             decodeAllowUsernameTokenNoPassword(reqData)
         );
+        wssConfig.setValidateSamlSubjectConfirmation(
+            decodeSamlSubjectConfirmationValidation(reqData)
+        );
         
         boolean bspCompliant = decodeBSPCompliance(reqData);
         if (!bspCompliant) {
@@ -695,6 +698,13 @@ public abstract class WSHandler {
         );
     }
     
+    protected boolean decodeSamlSubjectConfirmationValidation(RequestData reqData)
+        throws WSSecurityException {
+        return decodeBooleanConfigValue(
+            reqData, WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
+        );
+    }
+    
     protected boolean decodeBSPCompliance(RequestData reqData)
         throws WSSecurityException {
         return decodeBooleanConfigValue(

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
Thu Apr 18 16:43:22 2013
@@ -484,6 +484,13 @@ public final class WSHandlerConstants {
      */
     public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM = "allowRSA15KeyTransportAlgorithm";
 
+    /**
+     * Whether to validate the SubjectConfirmation requirements of a received SAML Token
+     * (sender-vouches or holder-of-key). The default is true.
+     */
+    public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = 
+        "validateSamlSubjectConfirmation";
+    
     //
     // (Non-boolean) Configuration parameters for the actions/processors
     //
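Review bot: The javadoc on `VALIDATE_SAML_SUBJECT_CONFIRMATION` describes what is checked but not the consequence of turning it off, which is the thing an operator needs before setting it to "false". Suggest extending it: `Disabling this means a holder-of-key assertion is accepted without proof of possession of the subject key, and a sender-vouches assertion without the assertion and Body being covered by one signature — i.e. the token is trusted as if it were a bearer token. Only disable when subject confirmation is enforced elsewhere.` The same wording belongs on the WSSConfig field (L47-L49).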

Added: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/DOMSAMLUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/DOMSAMLUtil.java?rev=1469421&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/DOMSAMLUtil.java
(added)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/saml/DOMSAMLUtil.java
Thu Apr 18 16:43:22 2013
@@ -0,0 +1,263 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.dom.saml;
+
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.w3c.dom.Element;
+
+/**
+ * Some SAML Utility methods only for use in the DOM code.
+ */
+public final class DOMSAMLUtil  {
+    
+    private static org.slf4j.Logger log = 
+        org.slf4j.LoggerFactory.getLogger(DOMSAMLUtil.class);
+    
+    private DOMSAMLUtil() {
+        // complete
+    }
+    
+    public static void validateSAMLResults(
+        List<WSSecurityEngineResult> results,
+        Certificate[] tlsCerts,
+        Element body
+    ) throws WSSecurityException {
+        final List<Integer> samlActions = new ArrayList<Integer>(2);
+        samlActions.add(WSConstants.ST_SIGNED);
+        samlActions.add(WSConstants.ST_UNSIGNED);
+        List<WSSecurityEngineResult> samlResults = 
+            WSSecurityUtil.fetchAllActionResults(results, samlActions);
+
+        if (samlResults.isEmpty()) {
+            return;
+        }
+
+        final List<Integer> signedActions = new ArrayList<Integer>(2);
+        signedActions.add(WSConstants.SIGN);
+        signedActions.add(WSConstants.UT_SIGN);
+        List<WSSecurityEngineResult> signedResults = 
+            WSSecurityUtil.fetchAllActionResults(results, signedActions);
+
+        for (WSSecurityEngineResult samlResult : samlResults) {
+            SamlAssertionWrapper assertionWrapper = 
+                (SamlAssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+
+            if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+                log.warn("Assertion fails holder-of-key requirements");
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+            }
+            if (!checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults)) {
+                log.warn("Assertion fails sender-vouches requirements");
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+            }
+        }
+
+    }
+
+    /**
+     * Check the holder-of-key requirements against the received assertion. The subject
+     * credential of the SAML Assertion must have been used to sign some portion of
+     * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
+     * the subject credential of the SAML Assertion must match a client certificate credential
+     * when 2-way TLS is used.
+     * @param assertionWrapper the SAML Assertion wrapper object
+     * @param signedResults a list of all of the signed results
+     */
+    public static boolean checkHolderOfKey(
+        SamlAssertionWrapper assertionWrapper,
+        List<WSSecurityEngineResult> signedResults,
+        Certificate[] tlsCerts
+    ) {
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+                if (tlsCerts == null && (signedResults == null || signedResults.isEmpty()))
{
+                    return false;
+                }
+                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
+     * used to verify signatures.
+     * Return true on a match
+     * @param subjectKeyInfo the SAMLKeyInfo object
+     * @param signedResults a list of all of the signed results
+     * @return true if the credentials of the assertion were used to verify a signature
+     */
+    public static boolean compareCredentials(
+        SAMLKeyInfo subjectKeyInfo,
+        List<WSSecurityEngineResult> signedResults,
+        Certificate[] tlsCerts
+    ) {
+        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+        byte[] subjectSecretKey = subjectKeyInfo.getSecret();
+
+        //
+        // Try to match the TLS certs first
+        //
+        if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts !=
null 
+            && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0]))
{
+            return true;
+        } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey
!= null
+            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+            return true;
+        }
+
+        //
+        // Now try the message-level signatures
+        //
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            X509Certificate[] certs =
+                (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+            PublicKey publicKey =
+                (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+            byte[] secretKey =
+                (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
+            if (certs != null && certs.length > 0 && subjectCerts != null
+                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0]))
{
+                return true;
+            }
+            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
+                return true;
+            }
+            if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static boolean checkSecretKey(
+        byte[] secretKey,
+        byte[] subjectSecretKey,
+        WSSecurityEngineResult signedResult
+    ) {
+        if (secretKey != null && subjectSecretKey != null) {
+            if (Arrays.equals(secretKey, subjectSecretKey)) {
+                return true;
+            } else {
+                Principal principal =
+                    (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                if (principal instanceof WSDerivedKeyTokenPrincipal) {
+                    secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
+                    if (Arrays.equals(secretKey, subjectSecretKey)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Check the sender-vouches requirements against the received assertion. The SAML
+     * Assertion and the SOAP Body must be signed by the same signature.
+     */
+    public static boolean checkSenderVouches(
+        SamlAssertionWrapper assertionWrapper,
+        Certificate[] tlsCerts,
+        Element body,
+        List<WSSecurityEngineResult> signed
+    ) {
+        //
+        // If we have a 2-way TLS connection, then we don't have to check that the
+        // assertion + SOAP body are signed
+        //
+        if (tlsCerts != null && tlsCerts.length > 0) {
+            return true;
+        }
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+                if (signed == null || signed.isEmpty()) {
+                    return false;
+                }
+                if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Return true if there is a signature which references the Assertion and the SOAP Body.
+     * @param assertionWrapper the SamlAssertionWrapper object
+     * @param body The SOAP body
+     * @param signed The List of signed results
+     * @return true if there is a signature which references the Assertion and the SOAP Body.
+     */
+    private static boolean checkAssertionAndBodyAreSigned(
+        SamlAssertionWrapper assertionWrapper,
+        Element body,
+        List<WSSecurityEngineResult> signed
+    ) {
+        for (WSSecurityEngineResult signedResult : signed) {
+            @SuppressWarnings("unchecked")
+            List<WSDataRef> sl =
+                (List<WSDataRef>)signedResult.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                );
+            boolean assertionIsSigned = false;
+            boolean bodyIsSigned = false;
+            if (sl != null) {
+                for (WSDataRef dataRef : sl) {
+                    Element se = dataRef.getProtectedElement();
+                    if (se == assertionWrapper.getElement()) {
+                        assertionIsSigned = true;
+                    }
+                    if (se == body) {
+                        bodyIsSigned = true;
+                    }
+                    if (assertionIsSigned && bodyIsSigned) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
+
+}
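Review bot: checkHolderOfKey (L339-L350) and checkSenderVouches (L450-L459) only act on holder-of-key and sender-vouches methods, so an assertion carrying a bearer method, or no SubjectConfirmation at all, passes validateSAMLResults with no binding to the message — including ST_UNSIGNED results, which this utility deliberately collects at L295. Unless the SamlAssertionValidator rejects unsigned bearer assertions (not visible here), an unsigned bearer assertion for an arbitrary subject is accepted; at minimum document it on validateSAMLResults (`Bearer and missing SubjectConfirmation are not checked here; the assertion validator must require an issuer signature for them`), or reject ST_UNSIGNED results whose methods are neither HoK nor SV. Separately, `assertionWrapper.getSubjectKeyInfo()` at L346 is passed to compareCredentials without a null check, so a HoK assertion with no usable KeyInfo throws NullPointerException at L368 instead of WSSecurityException — add `if (subjectKeyInfo == null) { return false; }` before the call. Also, `Arrays.equals` at L417 and L424 compares secret keys with early exit; `MessageDigest.isEqual` avoids a timing side-channel on the subject's symmetric key.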

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/misc/PrincipalTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/misc/PrincipalTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/misc/PrincipalTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/misc/PrincipalTest.java
Thu Apr 18 16:43:22 2013
@@ -308,8 +308,11 @@ public class PrincipalTest extends org.j
         Crypto crypto
     ) throws Exception {
         WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        
         WSSecurityEngine secEngine = new WSSecurityEngine();
         secEngine.setWssConfig(config);
+        
         if (validator != null && validatorName != null) {
             config.setValidator(validatorName, validator);
         }

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
Thu Apr 18 16:43:22 2013
@@ -201,6 +201,10 @@ public class SamlAlgorithmSuiteTest exte
         boolean saml2
     ) throws Exception {
         WSSecurityEngine secEngine = new WSSecurityEngine();
+        WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        secEngine.setWssConfig(config);
+        
         RequestData data = new RequestData();
         data.setSigVerCrypto(sigVerCrypto);
         data.setSamlAlgorithmSuite(algorithmSuite);

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
Thu Apr 18 16:43:22 2013
@@ -53,6 +53,7 @@ public class SamlConditionsTest extends 
         WSSConfig config = WSSConfig.getNewInstance();
         config.setValidator(WSSecurityEngine.SAML_TOKEN, new CustomSamlAssertionValidator());
         config.setValidator(WSSecurityEngine.SAML2_TOKEN, new CustomSamlAssertionValidator());
+        config.setValidateSamlSubjectConfirmation(false);
         secEngine.setWssConfig(config);
     }
     

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlNegativeTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlNegativeTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlNegativeTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlNegativeTest.java
Thu Apr 18 16:43:22 2013
@@ -72,7 +72,10 @@ public class SamlNegativeTest extends or
     private Crypto userCrypto = CryptoFactory.getInstance("wss40.properties");
     
     public SamlNegativeTest() throws Exception {
-        WSSConfig.init();
+        WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        secEngine.setWssConfig(config);
+        
         // Load the issuer keystore
         issuerCrypto = new Merlin();
         KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
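Review bot: Every SAML test class in this commit disables the new check (`setValidateSamlSubjectConfirmation(false)`), and no test is added that exercises it, so the holder-of-key and sender-vouches logic in DOMSAMLUtil ships unverified; this negative-test class is the natural place for them. Suggest at least one positive case (HoK assertion whose subject key signs the Body, expected to pass) and two negative cases (HoK assertion with no signature, and sender-vouches assertion where only the Body is signed, both expected to throw with `ErrorCode.INVALID_SECURITY`), leaving the flag at its default of true in those tests. The constructor's remaining setup continues outside the hunk.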

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlReferenceTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlReferenceTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlReferenceTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlReferenceTest.java
Thu Apr 18 16:43:22 2013
@@ -68,7 +68,10 @@ public class SamlReferenceTest extends o
     private Crypto userCrypto = CryptoFactory.getInstance("wss40.properties");
     
     public SamlReferenceTest() throws Exception {
-        WSSConfig.init();
+        WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        secEngine.setWssConfig(config);
+        
         // Load the issuer keystore
         issuerCrypto = new Merlin();
         KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenCustomSignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenCustomSignatureTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenCustomSignatureTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenCustomSignatureTest.java
Thu Apr 18 16:43:22 2013
@@ -176,6 +176,10 @@ public class SamlTokenCustomSignatureTes
      */
     private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
         WSSecurityEngine secEngine = new WSSecurityEngine();
+        WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        secEngine.setWssConfig(config);
+        
         List<WSSecurityEngineResult> results = 
             secEngine.processSecurityHeader(
                 doc, null, null, crypto

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenDerivedTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenDerivedTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenDerivedTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenDerivedTest.java
Thu Apr 18 16:43:22 2013
@@ -62,7 +62,9 @@ public class SamlTokenDerivedTest extend
     private Crypto crypto = null;
     
     public SamlTokenDerivedTest() throws Exception {
-        WSSConfig.init();
+        WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        secEngine.setWssConfig(config);
         crypto = CryptoFactory.getInstance("crypto.properties");
     }
     

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenHOKTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenHOKTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenHOKTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenHOKTest.java
Thu Apr 18 16:43:22 2013
@@ -55,7 +55,10 @@ public class SamlTokenHOKTest extends or
     private Crypto crypto = null;
     
     public SamlTokenHOKTest() throws Exception {
-        WSSConfig.init();
+        WSSConfig config = WSSConfig.getNewInstance();
+        config.setValidateSamlSubjectConfirmation(false);
+        secEngine.setWssConfig(config);
+        
         crypto = CryptoFactory.getInstance("crypto.properties");
     }
 

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
Thu Apr 18 16:43:22 2013
@@ -67,6 +67,7 @@ public class SamlTokenTest extends org.j
         WSSConfig config = WSSConfig.getNewInstance();
         config.setValidator(WSSecurityEngine.SAML_TOKEN, new CustomSamlAssertionValidator());
         config.setValidator(WSSecurityEngine.SAML2_TOKEN, new CustomSamlAssertionValidator());
+        config.setValidateSamlSubjectConfirmation(false);
         secEngine.setWssConfig(config);
     }
     

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java?rev=1469421&r1=1469420&r2=1469421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
Thu Apr 18 16:43:22 2013
@@ -220,6 +220,7 @@ public abstract class AbstractTestBase {
             messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, new WSS4JCallbackHandlerImpl());
         }
 
+        messageContext.put(WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");
         Enumeration<?> enumeration = properties.propertyNames();
         while (enumeration.hasMoreElements()) {
             String s = (String) enumeration.nextElement();
@@ -244,7 +245,7 @@ public abstract class AbstractTestBase {
         } else if (WSHandlerConstants.USERNAME_TOKEN_SIGNATURE.equals(action)) {
             messageContext.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true");
         }
-
+        
         // Disable PrefixList checking as the stax code doesn't support this yet
         List<BSPRule> ignoredRules = new ArrayList<BSPRule>();
         ignoredRules.add(BSPRule.R5404);
@@ -428,8 +429,8 @@ public abstract class AbstractTestBase {
             org.apache.wss4j.dom.SOAPConstants soapConstants =
                     WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());
             if (WSSecurityUtil.findElement(
-                    doc.getDocumentElement(), "Fault", soapConstants.getEnvelopeURI()) !=
null
-                    ) {
+                doc.getDocumentElement(), "Fault", soapConstants.getEnvelopeURI()) != null
+            ) {
                 return false;
             }
 


