From cohei...@apache.org
Subject svn commit: r1446705 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/ws/security/common/saml/ ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/ ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/...
Date Fri, 15 Feb 2013 17:31:58 GMT
Author: coheigea
Date: Fri Feb 15 17:31:57 2013
New Revision: 1446705

URL: http://svn.apache.org/r1446705
Log:
[WSS-373] - Consolidated SAML profile checking into SamlAssertionWrapper

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
Fri Feb 15 17:31:57 2013
@@ -36,6 +36,7 @@ import org.apache.xml.security.exception
 import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.signature.XMLSignatureException;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.common.SignableSAMLObject;
 import org.opensaml.saml1.core.AttributeStatement;
@@ -57,6 +58,7 @@ import org.opensaml.xml.signature.Signat
 import org.opensaml.xml.signature.SignatureConstants;
 import org.opensaml.xml.signature.SignatureValidator;
 import org.opensaml.xml.validation.ValidationException;
+import org.opensaml.xml.validation.ValidatorSuite;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -695,6 +697,77 @@ public class SamlAssertionWrapper {
     }
     
     /**
+     * Check the Conditions of the Assertion.
+     */
+    public void checkConditions(int futureTTL) throws WSSecurityException {
+        DateTime validFrom = null;
+        DateTime validTill = null;
+        if (getSamlVersion().equals(SAMLVersion.VERSION_20)
+            && getSaml2().getConditions() != null) {
+            validFrom = getSaml2().getConditions().getNotBefore();
+            validTill = getSaml2().getConditions().getNotOnOrAfter();
+        } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
+            && getSaml1().getConditions() != null) {
+            validFrom = getSaml1().getConditions().getNotBefore();
+            validTill = getSaml1().getConditions().getNotOnOrAfter();
+        }
+        
+        if (validFrom != null) {
+            DateTime currentTime = new DateTime();
+            currentTime = currentTime.plusSeconds(futureTTL);
+            if (validFrom.isAfter(currentTime)) {
+                LOG.debug("SAML Token condition (Not Before) not met");
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+            }
+        }
+
+        if (validTill != null && validTill.isBeforeNow()) {
+            LOG.debug("SAML Token condition (Not On Or After) not met");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+    }
+    
+    /**
+     * Validate the samlAssertion against schemas/profiles
+     */
+    public void validateAssertion(boolean validateSignatureAgainstProfile) throws WSSecurityException
{
+        if (validateSignatureAgainstProfile) {
+            validateSignatureAgainstProfile();
+        }
+        
+        if (getSaml1() != null) {
+            ValidatorSuite schemaValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
+            ValidatorSuite specValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
+            try {
+                schemaValidators.validate(getSaml1());
+                specValidators.validate(getSaml1());
+            } catch (ValidationException e) {
+                LOG.debug("Saml Validation error: " + e.getMessage(), e);
+                throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", e
+                );
+            }
+        } else if (getSaml2() != null) {
+            ValidatorSuite schemaValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
+            ValidatorSuite specValidators = 
+                org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
+            try {
+                schemaValidators.validate(getSaml2());
+                specValidators.validate(getSaml2());
+            } catch (ValidationException e) {
+                LOG.debug("Saml Validation error: " + e.getMessage(), e);
+                throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", e
+                );
+            }
+        }
+    }
+
+    
+    /**
      * Parse the DOM Element into Opensaml objects.
      */
     private void parseElement(Element element) throws WSSecurityException {
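Review bot: The new public checkConditions(int) and validateAssertion(boolean) carry one-line Javadoc and no @param/@throws, although they are now the single place both the DOM and StAX validators rely on for these checks. I would document that checkConditions evaluates only the NotBefore/NotOnOrAfter window — it reads nothing else from Conditions, so audience restrictions and similar elements are left to the caller — that futureTTL is the number of seconds of clock skew tolerated on NotBefore while NotOnOrAfter gets none, and add `@throws WSSecurityException if either time bound is not met`. validateAssertion should also state that it does nothing when neither getSaml1() nor getSaml2() returns non-null, since the if/else-if chain passes silently in that case; whether the wrapper can be in that state is not visible here. parseElement's body continues outside the hunk.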

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
Fri Feb 15 17:31:57 2013
@@ -22,14 +22,10 @@ package org.apache.ws.security.dom.valid
 import java.util.List;
 
 import org.apache.ws.security.common.ext.WSSecurityException;
-import org.apache.ws.security.common.saml.SamlAssertionWrapper;
 import org.apache.ws.security.common.saml.OpenSAMLUtil;
 import org.apache.ws.security.common.saml.SAMLKeyInfo;
+import org.apache.ws.security.common.saml.SamlAssertionWrapper;
 import org.apache.ws.security.dom.handler.RequestData;
-import org.joda.time.DateTime;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
 
 /**
  * This class validates a SAML Assertion, which is wrapped in an "SamlAssertionWrapper" instance.
@@ -131,70 +127,14 @@ public class SamlAssertionValidator exte
      * Check the Conditions of the Assertion.
      */
     protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
-        DateTime validFrom = null;
-        DateTime validTill = null;
-        if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
-            && samlAssertion.getSaml2().getConditions() != null) {
-            validFrom = samlAssertion.getSaml2().getConditions().getNotBefore();
-            validTill = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
-        } else if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
-            && samlAssertion.getSaml1().getConditions() != null) {
-            validFrom = samlAssertion.getSaml1().getConditions().getNotBefore();
-            validTill = samlAssertion.getSaml1().getConditions().getNotOnOrAfter();
-        }
-        
-        if (validFrom != null) {
-            DateTime currentTime = new DateTime();
-            currentTime = currentTime.plusSeconds(futureTTL);
-            if (validFrom.isAfter(currentTime)) {
-                LOG.debug("SAML Token condition (Not Before) not met");
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        }
-
-        if (validTill != null && validTill.isBeforeNow()) {
-            LOG.debug("SAML Token condition (Not On Or After) not met");
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
+        samlAssertion.checkConditions(futureTTL);
     }
     
     /**
      * Validate the samlAssertion against schemas/profiles
      */
     protected void validateAssertion(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
-        if (validateSignatureAgainstProfile) {
-            samlAssertion.validateSignatureAgainstProfile();
-        }
-        
-        if (samlAssertion.getSaml1() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
-            try {
-                schemaValidators.validate(samlAssertion.getSaml1());
-                specValidators.validate(samlAssertion.getSaml1());
-            } catch (ValidationException e) {
-                LOG.debug("Saml Validation error: " + e.getMessage(), e);
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", e
-                );
-            }
-        } else if (samlAssertion.getSaml2() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
-            try {
-                schemaValidators.validate(samlAssertion.getSaml2());
-                specValidators.validate(samlAssertion.getSaml2());
-            } catch (ValidationException e) {
-                LOG.debug("Saml Validation error: " + e.getMessage(), e);
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", e
-                );
-            }
-        }
+        samlAssertion.validateAssertion(validateSignatureAgainstProfile);
     }
 
     /**
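Review bot: checkConditions and validateAssertion in this hunk keep their original one-line Javadoc even though the logic now lives in SamlAssertionWrapper, so a reader of the DOM validator no longer sees what is checked or which setting controls it. Change the comments to `@see SamlAssertionWrapper#checkConditions(int)` and `@see SamlAssertionWrapper#validateAssertion(boolean)` and mention that futureTTL and validateSignatureAgainstProfile (declared outside this hunk) are what is passed through. The same applies to the matching delegation hunk in SamlTokenValidatorImpl.java.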

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
Fri Feb 15 17:31:57 2013
@@ -51,7 +51,6 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
 import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
-import org.opensaml.security.SAMLSignatureProfileValidator;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.SignatureValidator;
@@ -120,13 +119,6 @@ public class SAMLTokenInputHandler exten
                 throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
                         "empty", "no signature to validate");
             }
-            SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
-            try {
-                validator.validate(signature);
-            } catch (ValidationException ex) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
-                        "empty", ex, "SAML signature validation failed");
-            }
 
             int sigKeyInfoIdx = getSignatureKeyInfoIndex(eventQueue);
             if (sigKeyInfoIdx < 0) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
Fri Feb 15 17:31:57 2013
@@ -23,22 +23,24 @@ import org.apache.ws.security.common.sam
 import org.apache.ws.security.stax.impl.securityToken.SAMLSecurityToken;
 import org.apache.xml.security.stax.ext.SecurityToken;
 import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
-import org.joda.time.DateTime;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
 
 /**
  * @author $Author$
  * @version $Revision$ $Date$
  */
 public class SamlTokenValidatorImpl extends SignatureTokenValidatorImpl implements SamlTokenValidator
{
-
+    
     /**
      * The time in seconds in the future within which the NotBefore time of an incoming
      * Assertion is valid. The default is 60 seconds.
      */
     private int futureTTL = 60;
+    
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    private boolean validateSignatureAgainstProfile = true;
 
     /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming
@@ -47,6 +49,22 @@ public class SamlTokenValidatorImpl exte
     public void setFutureTTL(int newFutureTTL) {
         futureTTL = newFutureTTL;
     }
+    
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public boolean isValidateSignatureAgainstProfile() {
+        return validateSignatureAgainstProfile;
+    }
+
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
+        this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+    }
 
     @Override
     public AbstractInboundSecurityToken validate(final SamlAssertionWrapper samlAssertionWrapper,
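Review bot: The Javadoc on setValidateSignatureAgainstProfile does not say what is given up when the flag is false: this commit removes the SAMLSignatureProfileValidator call that SAMLTokenInputHandler ran unconditionally, so the profile check on the SAML signature now happens only inside SamlAssertionWrapper.validateAssertion and only while this flag is true. I would add a sentence such as `Setting this to false skips the SAML signature profile check entirely; it does not affect verification of the signature value itself.`, hedging the last clause if the handler's remaining verification code (outside these hunks) changes. The getter and setter pair is otherwise fine; the wrapped `{` after the setter signature looks like an archive artifact rather than source formatting.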
@@ -69,71 +87,19 @@ public class SamlTokenValidatorImpl exte
         return securityToken;
     }
 
+    
     /**
      * Check the Conditions of the Assertion.
      */
-    //todo shoudn't we move this into the SamlAssertionWrapper? Then it could be reused by
StAX and DOM impl.
     protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
-        DateTime validFrom = null;
-        DateTime validTill = null;
-        if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
-                && samlAssertion.getSaml2().getConditions() != null) {
-            validFrom = samlAssertion.getSaml2().getConditions().getNotBefore();
-            validTill = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
-        } else if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
-                && samlAssertion.getSaml1().getConditions() != null) {
-            validFrom = samlAssertion.getSaml1().getConditions().getNotBefore();
-            validTill = samlAssertion.getSaml1().getConditions().getNotOnOrAfter();
-        }
-
-        if (validFrom != null) {
-            DateTime currentTime = new DateTime();
-            currentTime = currentTime.plusSeconds(futureTTL);
-            if (validFrom.isAfter(currentTime)) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
-                        "empty", "SAML Token condition (Not Before) not met");
-            }
-        }
-
-        if (validTill != null && validTill.isBeforeNow()) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
-                    "empty", "SAML Token condition (Not On Or After) not met");
-        }
+        samlAssertion.checkConditions(futureTTL);
     }
-
+    
     /**
-     * Validate the assertion against schemas/profiles
+     * Validate the samlAssertion against schemas/profiles
      */
-    //todo shoudn't we move this into the SamlAssertionWrapper? Then it could be reused by
StAX and DOM impl.
     protected void validateAssertion(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
-        samlAssertion.validateSignatureAgainstProfile();
-        
-        if (samlAssertion.getSaml1() != null) {
-            ValidatorSuite schemaValidators =
-                    org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
-            ValidatorSuite specValidators =
-                    org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
-            try {
-                schemaValidators.validate(samlAssertion.getSaml1());
-                specValidators.validate(samlAssertion.getSaml1());
-            } catch (ValidationException e) {
-                throw new WSSecurityException(
-                        WSSecurityException.ErrorCode.FAILURE, "empty", e, "Saml Validation
error: "
-                );
-            }
-        } else if (samlAssertion.getSaml2() != null) {
-            ValidatorSuite schemaValidators =
-                    org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
-            ValidatorSuite specValidators =
-                    org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
-            try {
-                schemaValidators.validate(samlAssertion.getSaml2());
-                specValidators.validate(samlAssertion.getSaml2());
-            } catch (ValidationException e) {
-                throw new WSSecurityException(
-                        WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", e,
"Saml Validation error: "
-                );
-            }
-        }
+        samlAssertion.validateAssertion(validateSignatureAgainstProfile);
     }
+    
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
Fri Feb 15 17:31:57 2013
@@ -91,7 +91,6 @@ public class SAMLTokenNegativeTest exten
             } catch (XMLStreamException e) {
                 Assert.assertNotNull(e.getCause());
                 Assert.assertNotNull(e.getCause().getCause());
-                Assert.assertEquals(e.getCause().getCause().getMessage(), "Signature did
not validate against the credential's key");
             }
         }
     }
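Review bot: Dropping the assertEquals on the cause's message leaves these negative tests asserting only that a nested cause exists, so they would still pass if the token were rejected for an unrelated reason; the same applies to the second hunk in this file and to the two SamlConditionsTest hunks, where the NotBefore and NotOnOrAfter cases now expect the identical "SAML token security failure" text and can no longer tell the two conditions apart. If the message is no longer stable, assert on something that is — the cause's type or, where it is a WSSecurityException, its error code — rather than only non-null. The surrounding test methods start outside the hunk.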
@@ -143,7 +142,6 @@ public class SAMLTokenNegativeTest exten
             } catch (XMLStreamException e) {
                 Assert.assertNotNull(e.getCause());
                 Assert.assertNotNull(e.getCause().getCause());
-                Assert.assertEquals(e.getCause().getCause().getMessage(), "Transforms did
not contain the required enveloped transform");
             }
         }
     }

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
Fri Feb 15 17:31:57 2013
@@ -203,7 +203,7 @@ public class SamlConditionsTest extends 
                 Assert.fail("XMLStreamException expected");
             } catch (XMLStreamException e) {
                 Assert.assertNotNull(e.getCause());
-                Assert.assertEquals(e.getCause().getMessage(), "SAML Token condition (Not
On Or After) not met");
+                Assert.assertEquals(e.getCause().getMessage(), "SAML token security failure");
             }
         }
     }
@@ -249,7 +249,7 @@ public class SamlConditionsTest extends 
                 Assert.fail("XMLStreamException expected");
             } catch (XMLStreamException e) {
                 Assert.assertNotNull(e.getCause());
-                Assert.assertEquals(e.getCause().getMessage(), "SAML Token condition (Not
Before) not met");
+                Assert.assertEquals(e.getCause().getMessage(), "SAML token security failure");
             }
         }
     }


