This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/saml-refactor-new in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
commit 14980fc13c330ca67f14121bb498de334d2691fc Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Thu Jun 19 09:41:15 2025 +0100 Removing SAML CallbackHandler from ST Signed action --- .../wss4j/dom/action/SAMLTokenSignedAction.java | 8 +---- .../org/apache/wss4j/dom/handler/RequestData.java | 19 ++++++++++ .../org/apache/wss4j/dom/handler/WSHandler.java | 40 +++++++++++++++------- 3 files changed, 47 insertions(+), 20 deletions(-)
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
index 0e9ae6ef5..2845d9c91 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
@@ -31,7 +31,6 @@ import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.handler.WSHandler;
-import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.saml.WSSecSignatureSAML;
 
 public class SAMLTokenSignedAction implements Action {
@@ -39,12 +38,7 @@ public class SAMLTokenSignedAction implements Action {
 
     public void execute(WSHandler handler, SecurityActionToken actionToken, RequestData reqData)
             throws WSSecurityException {
-        CallbackHandler samlCallbackHandler =
-            handler.getCallbackHandler(
-                WSHandlerConstants.SAML_CALLBACK_CLASS,
-                WSHandlerConstants.SAML_CALLBACK_REF,
-                reqData
-            );
+        CallbackHandler samlCallbackHandler = reqData.getSamlCallbackHandler();
         if (samlCallbackHandler == null) {
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE,
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
index f1029fa99..f4d923114 100644
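Review bot: The replacement `CallbackHandler samlCallbackHandler = reqData.getSamlCallbackHandler();` makes the action depend on the caller having populated RequestData, and in this commit only WSHandler.configureSTSignedAction does that, so code that drives SAMLTokenSignedAction directly with a configured SAML_CALLBACK_CLASS / SAML_CALLBACK_REF will now fall into the `samlCallbackHandler == null` branch instead of having the handler resolved for it. The exception raised there (its message argument lies outside the hunk) presumably still points at the configuration properties; it should also mention `RequestData.setSamlCallbackHandler` so the new precondition is discoverable from the failure. The `handler` parameter may no longer be used in this method once the lookup is gone, which is worth confirming against the rest of the body. execute's body continues past the hunk.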
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
@@ -97,6 +97,7 @@ public class RequestData {
     private Serializer encryptionSerializer;
     private WSDocInfo wsDocInfo;
     private Provider signatureProvider;
+    private CallbackHandler samlCallbackHandler;
 
     /**
      * Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod
@@ -780,4 +781,22 @@ public class RequestData {
     public void setSignatureProvider(Provider signatureProvider) {
         this.signatureProvider = signatureProvider;
     }
+
+    /**
+     * Get the CallbackHandler used for SAML processing.
+     * This is used to process SAML Assertions, and to sign SAML Assertions.
+     * @return the CallbackHandler used for SAML processing.
+     */
+    public CallbackHandler getSamlCallbackHandler() {
+        return samlCallbackHandler;
+    }
+
+    /**
+     * Set the CallbackHandler used for SAML processing.
+     * @param samlCallbackHandler
+     */
+    public void setSamlCallbackHandler(CallbackHandler samlCallbackHandler) {
+        this.samlCallbackHandler = samlCallbackHandler;
+    }
+
 }
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
index c90f1d48d..9c441785b 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
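Review bot: The setter's Javadoc carries an empty `@param samlCallbackHandler` tag, which javadoc and checkstyle report as a missing description, and neither accessor says how the field relates to the existing configuration-based lookup. Suggest `@param samlCallbackHandler the CallbackHandler used to process and sign SAML Assertions; when left null, WSHandler resolves one from the SAML_CALLBACK_CLASS / SAML_CALLBACK_REF configuration for the ST_SIGNED action`, and the same precedence note on the getter. If RequestData has a per-request reset routine (not visible in this hunk), the new field should presumably be cleared there as well so a handler supplied for one request is not silently reused for the next.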
@@ -155,19 +155,8 @@ public abstract class WSHandler {
                         + " The danger here is that the actual encryption bytes will not be signed");
                     reqData.setStoreBytesInAttachment(false);
                 }
-            } else if (actionToDo.getAction() == WSConstants.ST_SIGNED
-                && actionToDo.getActionToken() == null) {
-                decodeSignatureParameter(reqData);
-                // it is possible and legal that we do not have a signature crypto here - thus ignore the exception.
-                // This is usually the case for the SAML option "sender vouches". In this case no user crypto is
-                // required.
-                try {
-                    SignatureActionToken actionToken = new SignatureActionToken();
-                    actionToken.setCrypto(loadSignatureCrypto(reqData));
-                    actionToDo.setActionToken(actionToken);
-                } catch (Exception ex) {
-                    LOG.debug(ex.getMessage(), ex);
-                }
+            } else if (actionToDo.getAction() == WSConstants.ST_SIGNED) {
+                configureSTSignedAction(reqData, actionToDo);
             } else if ((actionToDo.getAction() == WSConstants.ENCR
                 || actionToDo.getAction() == WSConstants.DKT_ENCR)
                 && actionToDo.getActionToken() == null) {
@@ -272,6 +261,31 @@ public abstract class WSHandler {
         }
     }
 
+    private void configureSTSignedAction(RequestData reqData, HandlerAction actionToDo) throws WSSecurityException {
+        if (actionToDo.getActionToken() == null) {
+            decodeSignatureParameter(reqData);
+            // it is possible and legal that we do not have a signature crypto here - thus ignore the exception.
+            // This is usually the case for the SAML option "sender vouches". In this case no user crypto is
+            // required.
+            try {
+                SignatureActionToken actionToken = new SignatureActionToken();
+                actionToken.setCrypto(loadSignatureCrypto(reqData));
+                actionToDo.setActionToken(actionToken);
+            } catch (Exception ex) {
+                LOG.debug(ex.getMessage(), ex);
+            }
+        }
+        if (reqData.getSamlCallbackHandler() == null) {
+            CallbackHandler samlCallbackHandler =
+                getCallbackHandler(
+                    WSHandlerConstants.SAML_CALLBACK_CLASS,
+                    WSHandlerConstants.SAML_CALLBACK_REF,
+                    reqData
+                );
+            reqData.setSamlCallbackHandler(samlCallbackHandler);
+        }
+    }
+
     private HandlerAction getSignatureActionThatSignsATimestamp(
         List<HandlerAction> actions, RequestData reqData
     ) {
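Review bot: The new `configureSTSignedAction` has no Javadoc even though it now combines two responsibilities with a precedence rule that callers of `RequestData.setSamlCallbackHandler` need to know about. Suggest a header saying that it prepares an ST_SIGNED action by building the SignatureActionToken when none is set (a missing signature Crypto is tolerated, as for sender-vouches), and that it resolves the SAML CallbackHandler from SAML_CALLBACK_CLASS / SAML_CALLBACK_REF only when RequestData does not already carry one, so a handler set on RequestData wins over the configuration. The `catch (Exception ex)` that only logs at debug level is moved unchanged from the inline block, so it is not a new concern, but documenting that a failed Crypto load is deliberately swallowed here would keep the next reader from mistaking it for a lost error. The second branch runs regardless of whether an action token already existed, which is a behavior change from the removed `&& actionToDo.getActionToken() == null` guard in the earlier hunk and is worth stating in the commit description.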