From cohei...@apache.org
Subject svn commit: r1624263 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/validate/SamlAssertionValidator.java test/java/org/apache/ws/security/saml/SamlTokenTest.java
Date Thu, 11 Sep 2014 11:31:40 GMT
Author: coheigea
Date: Thu Sep 11 11:31:40 2014
New Revision: 1624263

URL: http://svn.apache.org/r1624263
Log:
[WSS-510] - Provide a way of requiring a particular SAML subject confirmation method


Conflicts:
	src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
	src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
	ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
	ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
	ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java

Modified:
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
    webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1624263&r1=1624262&r2=1624263&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Thu Sep 11 11:31:40 2014
@@ -58,6 +58,11 @@ public class SamlAssertionValidator exte
     private boolean validateSignatureAgainstProfile = true;
     
     /**
+     * If this is set, then the value must appear as one of the Subject Confirmation Methods
+     */
+    private String requiredSubjectConfirmationMethod;
+    
+    /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming

      * Assertion is valid. The default is 60 seconds.
      */
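Review bot: The new field Javadoc does not say what happens when the value is left unset, nor how the match is made; the validation added further down only applies the check when the field is non-null and compares with `String.equals`, so `null` (the default) means no particular method is required. Suggest `* If this is set, then the value must appear (by exact string match) as one of the Subject Confirmation Methods of the assertion; when null (the default) no particular method is required.` The public getter and setter added in the last hunk of this file carry no Javadoc at all; the setter should at least state the same contract, e.g. `@param requiredSubjectConfirmationMethod the confirmation method URI that must be present, or null to disable the check`. Since the SAML 1.1 and 2.0 method URIs differ (the test file imports both SAML1Constants and SAML2Constants), a validator handling both versions cannot express one required method with a single string, which is worth stating in the doc if that limitation is intended.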
@@ -79,23 +84,8 @@ public class SamlAssertionValidator exte
         }
         AssertionWrapper assertion = credential.getAssertion();
         
-        // Check HOK requirements
-        String confirmMethod = null;
-        List<String> methods = assertion.getConfirmationMethods();
-        if (methods != null && methods.size() > 0) {
-            confirmMethod = methods.get(0);
-        }
-        if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
-            if (assertion.getSubjectKeyInfo() == null) {
-                LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject
conf method");
-                throw new WSSecurityException(WSSecurityException.FAILURE, "noKeyInSAMLToken");
-            }
-            // The assertion must have been signed for HOK
-            if (!assertion.isSigned()) {
-                LOG.debug("A holder-of-key assertion must be signed");
-                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
-            }
-        }
+        // Check the Subject Confirmation requirements
+        verifySubjectConfirmationMethod(assertion);
         
         // Check conditions
         checkConditions(assertion);
@@ -114,6 +104,49 @@ public class SamlAssertionValidator exte
     }
     
     /**
+     * Check the Subject Confirmation method requirements
+     */
+    protected void verifySubjectConfirmationMethod(
+        AssertionWrapper samlAssertion
+    ) throws WSSecurityException {
+        
+        List<String> methods = samlAssertion.getConfirmationMethods();
+        if ((methods == null || methods.isEmpty()) 
+            && requiredSubjectConfirmationMethod != null) {
+            LOG.debug("A required subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
+                                          "invalidSAMLsecurity");
+        }
+        
+        boolean signed = samlAssertion.isSigned();
+        boolean requiredMethodFound = false;
+        for (String method : methods) {
+            if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
+                if (samlAssertion.getSubjectKeyInfo() == null) {
+                    LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject
conf method");
+                    throw new WSSecurityException(WSSecurityException.FAILURE, "noKeyInSAMLToken");
+                }
+                
+                // The assertion must have been signed for HOK
+                if (!signed) {
+                    LOG.debug("A holder-of-key assertion must be signed");
+                    throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+                }
+            }
+            
+            if (method != null && method.equals(requiredSubjectConfirmationMethod))
{
+                requiredMethodFound = true;
+            }
+        }
+        
+        if (!requiredMethodFound && requiredSubjectConfirmationMethod != null) {
+            LOG.debug("A required subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
+                                          "invalidSAMLsecurity");
+        }
+    }
+    
+    /**
      * Verify trust in the signature of a signed Assertion. This method is separate so that
      * the user can override if if they want.
      * @param assertion The signed Assertion
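Review bot: `for (String method : methods)` dereferences `methods` without a null guard; the check just above it throws only when `requiredSubjectConfirmationMethod` is non-null, so a null confirmation-method list with no required method configured reaches the loop and fails with a NullPointerException instead of being accepted or rejected deliberately (the code this replaces guarded `methods != null`). Returning early once the null/empty case has been dealt with keeps the rest of verifySubjectConfirmationMethod unchanged: after the first `if` block add `if (methods == null || methods.isEmpty()) { return; }`. Whether getConfirmationMethods() can actually return null is not visible here, but the removed code assumed it could, and a validator should not surface an unchecked exception for that input.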
@@ -252,5 +285,13 @@ public class SamlAssertionValidator exte
     public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
         this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
     }
+
+    public String getRequiredSubjectConfirmationMethod() {
+        return requiredSubjectConfirmationMethod;
+    }
+
+    public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
{
+        this.requiredSubjectConfirmationMethod = requiredSubjectConfirmationMethod;
+    }
     
 }

Modified: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java?rev=1624263&r1=1624262&r2=1624263&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
Thu Sep 11 11:31:40 2014
@@ -52,8 +52,10 @@ import org.apache.ws.security.saml.ext.A
 import org.apache.ws.security.saml.ext.SAMLParms;
 import org.apache.ws.security.saml.ext.bean.SubjectConfirmationDataBean;
 import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
 import org.apache.ws.security.util.WSSecurityUtil;
 import org.apache.ws.security.util.XMLUtils;
+import org.apache.ws.security.validate.SamlAssertionValidator;
 import org.apache.xml.security.encryption.EncryptedData;
 import org.apache.xml.security.encryption.EncryptedKey;
 import org.apache.xml.security.encryption.XMLCipher;
@@ -959,6 +961,56 @@ public class SamlTokenTest extends org.j
         assertTrue(actionResult != null);
     }
     
+    @org.junit.Test
+    public void testRequiredSubjectConfirmationMethod() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper samlAssertion = new AssertionWrapper(samlParms);
+        
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+        WSSConfig config = WSSConfig.getNewInstance();
+        SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+        assertionValidator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+        config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+        config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+        
+        WSSecurityEngine newEngine = new WSSecurityEngine();
+        newEngine.setWssConfig(config);
+        newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+        
+        // Now create a Bearer assertion
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
+        samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        samlAssertion = new AssertionWrapper(samlParms);
+
+        wsSign = new WSSecSAMLToken();
+
+        doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+        try {
+            newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+            fail("Failure expected on an incorrect subject confirmation method");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+    }
+    
     private void encryptElement(
         Document document,
         Element elementToEncrypt,
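Review bot: The first half of testRequiredSubjectConfirmationMethod (the case that must pass) never sets a confirmation method on the callback handler, so it relies on SAML2CallbackHandler defaulting to sender-vouches; if that default ever changes the test fails at the wrong point with no hint why. Setting it explicitly makes the intent readable: `callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);` before the first AssertionWrapper is built. The negative branch catches any WSSecurityException; inspecting the error code or message in the catch would tie the failure to the subject-confirmation check rather than some other validation failure, though that depends on what WSSecurityException exposes in this branch.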


