From cohei...@apache.org
Subject svn commit: r1531927 - in /webservices/wss4j/trunk: ws-security-dom/src/main/java/org/apache/wss4j/dom/action/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/ ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ ws-sec...
Date Mon, 14 Oct 2013 14:56:33 GMT
Author: coheigea
Date: Mon Oct 14 14:56:32 2013
New Revision: 1531927

URL: http://svn.apache.org/r1531927
Log:
Add the ability to sign a SAML Assertion using the main signature

Modified:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PrincipalTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenSVTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java?rev=1531927&r1=1531926&r2=1531927&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
Mon Oct 14 14:56:32 2013
@@ -22,6 +22,7 @@ package org.apache.wss4j.dom.action;
 import javax.security.auth.callback.CallbackHandler;
 
 import org.apache.wss4j.common.SecurityActionToken;
+import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.SAMLCallback;
@@ -55,6 +56,21 @@ public class SAMLTokenUnsignedAction imp
         SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
 
         SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        if (samlCallback.isSignAssertion()) {
+            Crypto signingCrypto = samlCallback.getIssuerCrypto();
+            if (signingCrypto == null) {
+                signingCrypto = handler.loadSignatureCrypto(reqData);
+            }
+            
+            samlAssertion.signAssertion(
+                samlCallback.getIssuerKeyName(),
+                samlCallback.getIssuerKeyPassword(), 
+                samlCallback.getIssuerCrypto(),
+                samlCallback.isSendKeyValue(),
+                samlCallback.getCanonicalizationAlgorithm(),
+                samlCallback.getSignatureAlgorithm()
+            );
+        }
 
         // add the SAMLAssertion Token to the SOAP Envelope
         builder.build(doc, samlAssertion, reqData.getSecHeader());
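Review bot: The fallback resolved into `signingCrypto` a few lines above is never used — the `signAssertion(...)` call still passes `samlCallback.getIssuerCrypto()` as its third argument, so when the callback supplies no issuer Crypto the handler's signature Crypto is loaded and discarded and the assertion is signed with a null Crypto, which presumably fails rather than producing a signed assertion. The third argument should be `signingCrypto,`. A one-line comment above the null check, `// Prefer the Crypto supplied by the callback; fall back to the handler's signature Crypto`, would make the intended precedence explicit. The enclosing method continues outside the hunk.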

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1531927&r1=1531926&r2=1531927&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
Mon Oct 14 14:56:32 2013
@@ -23,6 +23,7 @@ import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
 
 import javax.crypto.spec.SecretKeySpec;
@@ -68,6 +69,7 @@ public class SAMLTokenOutputProcessor ex
 
     public SAMLTokenOutputProcessor() throws XMLSecurityException {
         super();
+        addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
     }
 
     @Override
@@ -108,9 +110,11 @@ public class SAMLTokenOutputProcessor ex
             final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor;
             
             XMLSecurityConstants.Action action = getAction();
+            boolean includeSTR = false;
 
             if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && senderVouches) {
                 GenericOutboundSecurityToken securityToken = null;
+                includeSTR = true;
                 
                 // See if a token is already available
                 String sigTokenId = 
@@ -174,7 +178,7 @@ public class SAMLTokenOutputProcessor ex
                 }
 
                 finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(securityToken,
samlAssertionWrapper,
-                        securityTokenReferenceId, senderVouches);
+                        securityTokenReferenceId, senderVouches, includeSTR);
 
                 securityToken.setProcessor(finalSAMLTokenOutputProcessor);
 
@@ -215,7 +219,7 @@ public class SAMLTokenOutputProcessor ex
                 }
 
                 finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
-                        securityTokenReferenceId, senderVouches);
+                        securityTokenReferenceId, senderVouches, includeSTR);
 
                 SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider
=
                         new SecurityTokenProvider<OutboundSecurityToken>() {
@@ -277,16 +281,44 @@ public class SAMLTokenOutputProcessor ex
 
                 outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(tokenId,
securityTokenProvider);
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE,
tokenId);
+            } else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(getAction())) {
+                // Check to see whether this token is to be signed by the message signature.
If so,
+                // output a STR to be signed instead, and remove this Assertion from the
signature parts
+                // list
+                QName assertionName = new QName(WSSConstants.NS_SAML2, "Assertion");
+                if (samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11) {
+                    assertionName = new QName(WSSConstants.NS_SAML, "Assertion");
+                }
+                
+                Iterator<SecurePart> signaturePartsIterator = 
+                    securityProperties.getSignatureSecureParts().iterator();
+                while (signaturePartsIterator.hasNext()) {
+                    SecurePart securePart = signaturePartsIterator.next();
+                    if (samlAssertionWrapper.getId().equals(securePart.getIdToSign())
+                        || assertionName.equals(securePart.getName())) {
+                        includeSTR = true;
+                        signaturePartsIterator.remove();
+                        break;
+                    }
+                }
+                
+                finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
+                                                                                  securityTokenReferenceId,
senderVouches,
+                                                                                  includeSTR);
+                if (includeSTR) {
+                    finalSAMLTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+                }
             } else {
                 finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
-                                                                                  securityTokenReferenceId,
senderVouches);
+                                                                                  securityTokenReferenceId,
senderVouches,
+                                                                                  includeSTR);
             }
 
             finalSAMLTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
             finalSAMLTokenOutputProcessor.setAction(action);
             finalSAMLTokenOutputProcessor.init(outputProcessorChain);
 
-            if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && senderVouches) {
+            if (includeSTR) {
                 SecurePart securePart =
                         new SecurePart(
                                 new QName(WSSConstants.SOAPMESSAGE_NS10_STRTransform),
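Review bot: The new `SAML_TOKEN_UNSIGNED` branch mutates `securityProperties.getSignatureSecureParts()` through `signaturePartsIterator.remove()`; if that getter returns the live configured list rather than a per-message copy (not visible here), the removal outlives this message, so only the first message built from the same properties gets `includeSTR = true` and later assertions would be output with neither an STR nor the Assertion element in the signature parts — a silent loss of integrity protection that a test sending two messages through one configuration would expose. The loop also `break`s on the first match, so a configuration that lists the Assertion both by id and by `Assertion` QName leaves the second entry in place and the signature still references the Assertion directly alongside the STR. The `else if` reads `getAction()` while the surrounding code uses the local `action`; `} else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(action)) {` would be consistent. The enclosing method continues outside the hunk.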
@@ -306,9 +338,11 @@ public class SAMLTokenOutputProcessor ex
         private final SamlAssertionWrapper samlAssertionWrapper;
         private final String securityTokenReferenceId;
         private boolean senderVouches = false;
+        private boolean includeSTR = false;
 
         FinalSAMLTokenOutputProcessor(OutboundSecurityToken securityToken, SamlAssertionWrapper
samlAssertionWrapper,
-                                      String securityTokenReferenceId, boolean senderVouches)
throws XMLSecurityException {
+                                      String securityTokenReferenceId, boolean senderVouches,
+                                      boolean includeSTR) throws XMLSecurityException {
             super();
             this.addAfterProcessor(UsernameTokenOutputProcessor.class.getName());
             this.addAfterProcessor(SAMLTokenOutputProcessor.class.getName());
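Review bot: `includeSTR` is assigned exactly once, in the constructor, so `private final boolean includeSTR;` would document that it is immutable and let the compiler enforce it; the existing `senderVouches` field appears to be in the same situation and could be tightened the same way. The constructor body continues outside the hunk.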
@@ -316,6 +350,7 @@ public class SAMLTokenOutputProcessor ex
             this.securityTokenReferenceId = securityTokenReferenceId;
             this.senderVouches = senderVouches;
             this.securityToken = securityToken;
+            this.includeSTR = includeSTR;
         }
 
         @Override
@@ -346,7 +381,7 @@ public class SAMLTokenOutputProcessor ex
                 WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName,
getAction(), false);
 
                 outputSamlAssertion(samlAssertionWrapper.toDOM(null), subOutputProcessorChain);
-                if (senderVouches && WSSConstants.SAML_TOKEN_SIGNED.equals(getAction()))
{                    
+                if (includeSTR) {
                     WSSUtils.updateSecurityHeaderOrder(
                             outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference,
getAction(), false);                    
                     outputSecurityTokenReference(subOutputProcessorChain, samlAssertionWrapper,

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PrincipalTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PrincipalTest.java?rev=1531927&r1=1531926&r2=1531927&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PrincipalTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PrincipalTest.java
Mon Oct 14 14:56:32 2013
@@ -117,6 +117,7 @@ public class PrincipalTest extends Abstr
             SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
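Review bot: Every visible test change only switches issuer signing off with `callbackHandler.setSignAssertion(false)` in the existing SAML_TOKEN_UNSIGNED scenarios; no hunk in this commit adds a test that keeps the Assertion in the signature parts (by id or by `Assertion` QName) and verifies that the emitted STR is what the message signature covers, so the new `includeSTR` path in SAMLTokenOutputProcessor looks untested here unless it is exercised by a test outside this diff. The same observation applies to the hunks in SAMLTokenNegativeTest, SAMLTokenSVTest and SAMLTokenTest. Disabling signing in each existing test also suggests the callback handler's default is or became true; a comment on the first such line, e.g. `// issuer signature off: this test covers the Assertion via the message signature only`, would explain the toggle to the next reader.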

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java?rev=1531927&r1=1531926&r2=1531927&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java
Mon Oct 14 14:56:32 2013
@@ -197,6 +197,7 @@ public class SAMLTokenNegativeTest exten
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
             callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED;

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenSVTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenSVTest.java?rev=1531927&r1=1531926&r2=1531927&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenSVTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenSVTest.java
Mon Oct 14 14:56:32 2013
@@ -328,6 +328,7 @@ public class SAMLTokenSVTest extends Abs
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHZ);
             callbackHandler.setIssuer("www.example.com");
             callbackHandler.setResource("http://resource.org");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED;

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java?rev=1531927&r1=1531926&r2=1531927&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
Mon Oct 14 14:56:32 2013
@@ -101,6 +101,7 @@ public class SAMLTokenTest extends Abstr
             SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
@@ -173,6 +174,7 @@ public class SAMLTokenTest extends Abstr
             SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
@@ -247,6 +249,7 @@ public class SAMLTokenTest extends Abstr
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHZ);
             callbackHandler.setIssuer("www.example.com");
             callbackHandler.setResource("http://resource.org");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
@@ -320,6 +323,7 @@ public class SAMLTokenTest extends Abstr
             SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
             callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
@@ -393,6 +397,7 @@ public class SAMLTokenTest extends Abstr
             SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
             callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
@@ -468,6 +473,7 @@ public class SAMLTokenTest extends Abstr
             callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHZ);
             callbackHandler.setIssuer("www.example.com");
             callbackHandler.setResource("http://resource.org");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
@@ -786,6 +792,7 @@ public class SAMLTokenTest extends Abstr
             SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
             callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
             callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
 
             InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
             String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;


