Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
1.6
-
None
-
CXF 2.4.0, WS4J 1.6.0, Windows XP, Apache Tomcat 7.0.5
Description
Running SOAPUI test, the SAML AuthzDecisionStatement evidence element is not present. The code worked with openSAML2.0 and CXF 2.3.x (via interceptors) before SAMLCallBackHandler in CXF 2.4.0. Resolved issue below example.
Example:
<saml2:AuthzDecisionStatement>
<saml2:Action.../>
<saml2:Evidence...> <!-this is missing – >
<saml2:Assertion...>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
//Build Evidence
EvidenceBuilder evidenceBuilder = new EvidenceBuilder(); Evidence
evidence = evidenceBuilder.buildObject();
//Build assertion for Evidence
AssertionBuilder assertionBuilder = new AssertionBuilder(); Assertion
assertion = assertionBuilder.buildObject();
assertion.setVersion(SAMLVersion.VERSION_20);
...
authDecisionStatementBean.setEvidence(evidence);
Resolution updated the createAuthorizationDecisionStatement method in org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder:
/**
- Create SAML2 AuthorizationDecisionStatement(s)
* - @param decisionData A list of AuthDecisionStatementBean instances
- @return SAML2 AuthorizationDecisionStatement(s)
*/
@SuppressWarnings("unchecked")
public static List<AuthzDecisionStatement> createAuthorizationDecisionStatement(
List<AuthDecisionStatementBean> decisionData
) {
List<AuthzDecisionStatement> authDecisionStatements = new ArrayList();
if (authorizationDecisionStatementBuilder == null)
if (decisionData != null && decisionData.size() > 0) {
for (AuthDecisionStatementBean decisionStatementBean : decisionData) {
AuthzDecisionStatement authDecision =
authorizationDecisionStatementBuilder.buildObject();
authDecision.setResource(decisionStatementBean.getResource());
authDecision.setDecision(
transformDecisionType(decisionStatementBean.getDecision())
);
for (ActionBean actionBean : decisionStatementBean.getActions())
{ Action actionElement = createSamlAction(actionBean); authDecision.getActions().add(actionElement); } //Check for Evidence
if (decisionStatementBean.getEvidence()!=null && decisionStatementBean.getEvidence() instanceof Evidence)
authDecisionStatements.add(authDecision);
}
}
return authDecisionStatements;
}