WSS4J / WSS-286

Evidence element not present in SAML AuthzDecisionStatement

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6
    • Fix Version/s: 1.6.1
    • Component/s: WSS4J Core, WSS4J Handlers
    • Labels: None
    • Environment: CXF 2.4.0, WSS4J 1.6.0, Windows XP, Apache Tomcat 7.0.5

    Description

      Running a SOAPUI test, the SAML AuthzDecisionStatement Evidence element is not present. The code worked with OpenSAML 2.0 and CXF 2.3.x (via interceptors) before the SAMLCallbackHandler in CXF 2.4.0. The resolution is given below the example.

      Example:

      <saml2:AuthzDecisionStatement>
        <saml2:Action.../>
        <saml2:Evidence...> <!-- this is missing -->
          <saml2:Assertion...>
        </saml2:Evidence>
      </saml2:AuthzDecisionStatement>

      // OpenSAML 2.x types used below
      import org.opensaml.common.SAMLVersion;
      import org.opensaml.saml2.core.Assertion;
      import org.opensaml.saml2.core.Evidence;
      import org.opensaml.saml2.core.impl.AssertionBuilder;
      import org.opensaml.saml2.core.impl.EvidenceBuilder;

      // Build Evidence
      EvidenceBuilder evidenceBuilder = new EvidenceBuilder();
      Evidence evidence = evidenceBuilder.buildObject();

      // Build assertion for Evidence
      AssertionBuilder assertionBuilder = new AssertionBuilder();
      Assertion assertion = assertionBuilder.buildObject();
      assertion.setVersion(SAMLVersion.VERSION_20);
      ...
      // Nest the assertion inside the Evidence element (as in the XML above)
      evidence.getAssertions().add(assertion);
      // Hand the Evidence to WSS4J via the bean; the builder copies it into the statement
      authDecisionStatementBean.setEvidence(evidence);

      The resolution updated the createAuthorizationDecisionStatement method in org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder:

      /**
       * Create SAML2 AuthorizationDecisionStatement(s)
       *
       * @param decisionData A list of AuthDecisionStatementBean instances
       * @return SAML2 AuthorizationDecisionStatement(s)
       */
      @SuppressWarnings("unchecked")
      public static List<AuthzDecisionStatement> createAuthorizationDecisionStatement(
          List<AuthDecisionStatementBean> decisionData
      ) {
          List<AuthzDecisionStatement> authDecisionStatements =
              new ArrayList<AuthzDecisionStatement>();
          if (authorizationDecisionStatementBuilder == null) {
              authorizationDecisionStatementBuilder =
                  (SAMLObjectBuilder<AuthzDecisionStatement>)
                      builderFactory.getBuilder(AuthzDecisionStatement.DEFAULT_ELEMENT_NAME);
          }

          if (decisionData != null && decisionData.size() > 0) {
              for (AuthDecisionStatementBean decisionStatementBean : decisionData) {
                  AuthzDecisionStatement authDecision =
                      authorizationDecisionStatementBuilder.buildObject();
                  authDecision.setResource(decisionStatementBean.getResource());
                  authDecision.setDecision(
                      transformDecisionType(decisionStatementBean.getDecision())
                  );

                  for (ActionBean actionBean : decisionStatementBean.getActions()) {
                      Action actionElement = createSamlAction(actionBean);
                      authDecision.getActions().add(actionElement);
                  }

                  // Check for Evidence. The bean holds it as an Object, so only an
                  // OpenSAML Evidence instance is copied; anything else is silently
                  // dropped and no <saml2:Evidence> element is emitted.
                  if (decisionStatementBean.getEvidence() != null
                      && decisionStatementBean.getEvidence() instanceof Evidence) {
                      authDecision.setEvidence((Evidence) decisionStatementBean.getEvidence());
                  }

                  authDecisionStatements.add(authDecision);
              }
          }

          return authDecisionStatements;
      }
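The following is an added example, not the reporter's code and not part of WSS4J or CXF: a CallbackHandler for the WSS4J 1.6.1 SAMLCallback that populates an AuthDecisionStatementBean with actions and an OpenSAML 2 Evidence object, so that the fixed SAML2ComponentBuilder above emits <saml2:Evidence> inside the <saml2:AuthzDecisionStatement>. It assumes the WSS4J 1.6 API names shown (SAMLCallback, AuthDecisionStatementBean, ActionBean, SubjectBean, SAML2Constants) and the OpenSAML 2.x builders; the issuer, subject, resource and action values are constructed for illustration.

```java
// Added example (not the reporter's or the WSS4J/CXF project's code): a
// CallbackHandler for WSS4J's SAMLCallback that attaches an OpenSAML 2
// Evidence object to an AuthDecisionStatementBean. Issuer, subject, resource
// and action values are constructed for illustration.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.saml.ext.SAMLCallback;
import org.apache.ws.security.saml.ext.bean.ActionBean;
import org.apache.ws.security.saml.ext.bean.AuthDecisionStatementBean;
import org.apache.ws.security.saml.ext.bean.SubjectBean;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Evidence;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.impl.AssertionBuilder;
import org.opensaml.saml2.core.impl.EvidenceBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;

public class EvidenceSamlCallbackHandler implements CallbackHandler {

    // Constructed sample values (assumptions, not from the issue)
    private static final String ISSUER = "www.example.com";
    private static final String SUBJECT = "uid=alice,ou=people,o=example.com";
    private static final String RESOURCE = "http://service.example.com/orders";

    public void handle(Callback[] callbacks)
        throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof SAMLCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            SAMLCallback samlCallback = (SAMLCallback) callback;
            samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
            samlCallback.setIssuer(ISSUER);
            samlCallback.setSubject(
                new SubjectBean(SUBJECT, ISSUER, SAML2Constants.CONF_BEARER));

            List<AuthDecisionStatementBean> decisions =
                new ArrayList<AuthDecisionStatementBean>();
            decisions.add(buildDecision());
            samlCallback.setAuthDecisionStatementData(decisions);
        }
    }

    /** PERMIT "Read" on RESOURCE, with a supporting assertion carried as Evidence. */
    static AuthDecisionStatementBean buildDecision() {
        // SAML-defined action namespace: Read/Write/Execute/Delete/Control
        ActionBean read = new ActionBean();
        read.setActionNamespace("urn:oasis:names:tc:SAML:1.0:action:rwedc");
        read.setContents("Read");
        List<ActionBean> actions = new ArrayList<ActionBean>();
        actions.add(read);

        AuthDecisionStatementBean decision = new AuthDecisionStatementBean();
        decision.setResource(RESOURCE);
        decision.setDecision(AuthDecisionStatementBean.Decision.PERMIT);
        decision.setActions(actions);
        // The builder copies only an OpenSAML Evidence instance. A String or a bare
        // Assertion passed here is silently dropped and the element is omitted.
        decision.setEvidence(buildEvidence());
        return decision;
    }

    /** Wrap a minimal, well-formed SAML 2.0 Assertion in an Evidence element. */
    static Evidence buildEvidence() {
        Assertion supporting = new AssertionBuilder().buildObject();
        supporting.setVersion(SAMLVersion.VERSION_20);
        // The ID attribute is an xs:ID (NCName), so it must not start with a digit
        supporting.setID("_" + UUID.randomUUID());
        supporting.setIssueInstant(new DateTime());
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(ISSUER);
        supporting.setIssuer(issuer);

        Evidence evidence = new EvidenceBuilder().buildObject();
        evidence.getAssertions().add(supporting);
        return evidence;
    }
}
```

Two points a practitioner should keep in mind. First, the fixed builder copies the Evidence object verbatim and does not sign or otherwise validate the nested assertion; whether the outer assertion is signed is decided by the CXF/WSS4J configuration, and a relying party must validate the evidence assertion on its own terms rather than trust it because it is enclosed. Second, because the bean stores evidence as a plain Object, a wrong type produces no error, only a missing element, so after wiring the handler confirm that <saml2:Evidence> actually appears in the generated assertion (for example by inspecting the outgoing message in SOAPUI, as the reporter did).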

      Attachments

        1. SAML2ComponentBuilder.java
          24 kB
          David Morris

          People

            Assignee: Colm O hEigeartaigh (coheigea)
            Reporter: David Morris (davemorris)