ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1443438 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/saml/ext/ main/java/org/apache/ws/security/validate/ test/java/org/apache/ws/security/saml/
Date Thu, 07 Feb 2013 12:33:14 GMT
Author: coheigea
Date: Thu Feb  7 12:33:14 2013
New Revision: 1443438

URL: http://svn.apache.org/viewvc?rev=1443438&view=rev
Log:
[WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator

Added:
    webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenCustomSignatureTest.java
Modified:
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java?rev=1443438&r1=1443437&r2=1443438&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
Thu Feb  7 12:33:14 2013
@@ -530,12 +530,7 @@ public class AssertionWrapper {
     public void verifySignature(
         RequestData data, WSDocInfo docInfo
     ) throws WSSecurityException {
-        Signature sig = null;
-        if (saml2 != null && saml2.getSignature() != null) {
-            sig = saml2.getSignature();
-        } else if (saml1 != null && saml1.getSignature() != null) {
-            sig = saml1.getSignature();
-        }
+        Signature sig = getSignature();
         if (sig != null) {
             KeyInfo keyInfo = sig.getKeyInfo();
             SAMLKeyInfo samlKeyInfo = 
@@ -561,12 +556,6 @@ public class AssertionWrapper {
                     new Object[]{"cannot get certificate or key"}
                 );
             }
-            SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
-            try {
-                validator.validate(sig);
-            } catch (ValidationException ex) {
-                throw new WSSecurityException("SAML signature validation failed", ex);
-            }
             
             BasicX509Credential credential = new BasicX509Credential();
             if (samlKeyInfo.getCerts() != null) {
@@ -591,6 +580,23 @@ public class AssertionWrapper {
         }
     }
     
+    /**
+     * Validate the signature of the Assertion against the Profile. This does not actually
+     * verify the signature itself (see the verifySignature method for this)
+     * @throws WSSecurityException
+     */
+    public void validateSignatureAgainstProfile() throws WSSecurityException {
+        Signature sig = getSignature();
+        if (sig != null) {
+            SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
+            try {
+                validator.validate(sig);
+            } catch (ValidationException ex) {
+                throw new WSSecurityException("SAML signature validation failed", ex);
+            }
+        }
+    }
+    
     public Signature getSignature() {
         Signature sig = null;
         if (saml2 != null && saml2.getSignature() != null) {

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1443438&r1=1443437&r2=1443438&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Thu Feb  7 12:33:14 2013
@@ -50,6 +50,12 @@ public class SamlAssertionValidator exte
     private int futureTTL = 60;
     
     /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    private boolean validateSignatureAgainstProfile = true;
+    
+    /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming

      * Assertion is valid. The default is 60 seconds.
      */
@@ -156,6 +162,10 @@ public class SamlAssertionValidator exte
      * Validate the assertion against schemas/profiles
      */
     protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException
{
+        if (validateSignatureAgainstProfile) {
+            assertion.validateSignatureAgainstProfile();
+        }
+        
         if (assertion.getSaml1() != null) {
             ValidatorSuite schemaValidators = 
                 org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
@@ -186,5 +196,21 @@ public class SamlAssertionValidator exte
             }
         }
     }
+
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public boolean isValidateSignatureAgainstProfile() {
+        return validateSignatureAgainstProfile;
+    }
+
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
+        this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+    }
     
 }

Added: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenCustomSignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenCustomSignatureTest.java?rev=1443438&view=auto
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenCustomSignatureTest.java
(added)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenCustomSignatureTest.java
Thu Feb  7 12:33:14 2013
@@ -0,0 +1,209 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.saml;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.common.SAML1CallbackHandler;
+import org.apache.ws.security.common.SAML2CallbackHandler;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.SAMLParms;
+import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
+import org.apache.ws.security.validate.SamlAssertionValidator;
+import org.apache.xml.security.signature.XMLSignature;
+import org.apache.xml.security.transforms.Transforms;
+import org.apache.xml.security.transforms.params.XPath2FilterContainer;
+import org.apache.xml.security.utils.Constants;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+/**
+ */
+public class SamlTokenCustomSignatureTest extends org.junit.Assert {
+    private static final org.apache.commons.logging.Log LOG = 
+        org.apache.commons.logging.LogFactory.getLog(SamlTokenCustomSignatureTest.class);
+    
+    private Crypto crypto = null;
+    
+    public SamlTokenCustomSignatureTest() throws Exception {
+        WSSConfig.init();
+        crypto = CryptoFactory.getInstance("crypto.properties");
+    }
+
+    /**
+     * Test that creates, sends and processes a signed SAML 1.1 authentication assertion.
+     */
+    @org.junit.Test
+    public void testSAML1AuthnAssertion() throws Exception {
+        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        Element assertionElement = assertion.toDOM(doc);
+        
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        secHeader.getSecurityHeader().appendChild(assertionElement);
+        
+        // Sign
+        signAssertion(doc, assertionElement);
+        
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 1.1 Authn Assertion (Bearer):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(doc);
+            fail("Failure expected on a signature that doesn't conform with the signature
profile");
+        } catch (WSSecurityException ex) {
+            // expected failure
+        }
+        
+        // This should pass as we are disabling signature profile validation in the Validator
+        verifyWithoutProfile(doc);
+    }
+    
+    /**
+     * Test that creates, sends and processes a signed SAML 2.0 authentication assertion.
+     */
+    @org.junit.Test
+    public void testSAML2AuthnAssertion() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        Element assertionElement = assertion.toDOM(doc);
+        
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        secHeader.getSecurityHeader().appendChild(assertionElement);
+        
+        // Sign
+        signAssertion(doc, assertionElement);
+        
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2.0 Authn Assertion (Bearer):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(doc);
+            fail("Failure expected on a signature that doesn't conform with the signature
profile");
+        } catch (WSSecurityException ex) {
+            // expected failure
+        }
+        
+        // This should pass as we are disabling signature profile validation in the Validator
+        verifyWithoutProfile(doc);
+    }
+    
+    private void signAssertion(Document doc, Element assertionElement) throws Exception {
+        XMLSignature sig = 
+            new XMLSignature(doc, null, XMLSignature.ALGO_ID_SIGNATURE_RSA);
+        assertionElement.appendChild(sig.getElement());
+
+        Transforms transforms = new Transforms(doc);
+        String filter = "here()/ancestor::ds.Signature/parent::node()/descendant-or-self::*";
+        XPath2FilterContainer xpathC = XPath2FilterContainer.newInstanceIntersect(doc, filter);
+        xpathC.setXPathNamespaceContext("dsig-xpath", Transforms.TRANSFORM_XPATH2FILTER);
+        
+        Element node = xpathC.getElement();
+        transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER, node);
+        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
+
+        PrivateKey privateKey = crypto.getPrivateKey("16c73ab6-b892-458f-abf5-2f875f74882e",
"security");
+
+        sig.sign(privateKey);
+        
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("16c73ab6-b892-458f-abf5-2f875f74882e");
+        X509Certificate cert = crypto.getX509Certificates(cryptoType)[0];
+        sig.addKeyInfo(cert);
+        sig.checkSignatureValue(cert);
+    }
+    
+    /**
+     * Verifies the soap envelope
+     * 
+     * @param doc
+     * @throws Exception Thrown when there is a problem in verification
+     */
+    private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(
+                doc, null, null, crypto
+            );
+        String outputString = 
+            org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+        assertTrue(outputString.indexOf("counter_port_type") > 0 ? true : false);
+        return results;
+    }
+
+    private List<WSSecurityEngineResult> verifyWithoutProfile(Document doc) throws
Exception {
+        SamlAssertionValidator validator = new SamlAssertionValidator();
+        validator.setValidateSignatureAgainstProfile(false);
+        
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        WSSConfig config = secEngine.getWssConfig();
+        config.setValidator(WSSecurityEngine.SAML_TOKEN, validator);
+        config.setValidator(WSSecurityEngine.SAML2_TOKEN, validator);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(
+                doc, null, null, crypto
+            );
+        String outputString = 
+            org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+        assertTrue(outputString.indexOf("counter_port_type") > 0 ? true : false);
+        return results;
+    }
+
+
+}



Mime
View raw message