From cohei...@apache.org
Subject svn commit: r1624289 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/validate/SamlAssertionValidator.java test/java/org/apache/ws/security/saml/SamlTokenTest.java
Date Thu, 11 Sep 2014 13:52:13 GMT
Author: coheigea
Date: Thu Sep 11 13:52:13 2014
New Revision: 1624289

URL: http://svn.apache.org/r1624289
Log:
[WSS-511] - Provide a (default) way of requiring at least one standard Subject Confirmation
Method


Conflicts:
	src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
	ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
	ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java

Modified:
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
    webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1624289&r1=1624288&r2=1624289&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Thu Sep 11 13:52:13 2014
@@ -28,6 +28,8 @@ import org.apache.ws.security.handler.Re
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.xml.validation.ValidationException;
@@ -63,6 +65,12 @@ public class SamlAssertionValidator exte
     private String requiredSubjectConfirmationMethod;
     
     /**
+     * If this is set, at least one of the standard Subject Confirmation Methods *must*
+     * be present in the assertion (Bearer / SenderVouches / HolderOfKey).
+     */
+    private boolean requireStandardSubjectConfirmationMethod = true;
+    
+    /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming

      * Assertion is valid. The default is 60 seconds.
      */
@@ -111,15 +119,21 @@ public class SamlAssertionValidator exte
     ) throws WSSecurityException {
         
         List<String> methods = samlAssertion.getConfirmationMethods();
-        if ((methods == null || methods.isEmpty()) 
-            && requiredSubjectConfirmationMethod != null) {
-            LOG.debug("A required subject confirmation method was not present");
-            throw new WSSecurityException(WSSecurityException.FAILURE, 
+        if (methods == null || methods.isEmpty()) {
+            if (requiredSubjectConfirmationMethod != null) {
+                LOG.debug("A required subject confirmation method was not present");
+                throw new WSSecurityException(WSSecurityException.FAILURE, 
+                                          "invalidSAMLsecurity");
+            } else if (requireStandardSubjectConfirmationMethod) {
+                LOG.debug("A standard subject confirmation method was not present");
+                throw new WSSecurityException(WSSecurityException.FAILURE, 
                                           "invalidSAMLsecurity");
+            }
         }
         
         boolean signed = samlAssertion.isSigned();
         boolean requiredMethodFound = false;
+        boolean standardMethodFound = false;
         for (String method : methods) {
             if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                 if (samlAssertion.getSubjectKeyInfo() == null) {
@@ -132,10 +146,19 @@ public class SamlAssertionValidator exte
                     LOG.debug("A holder-of-key assertion must be signed");
                     throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
                 }
+                standardMethodFound = true;
             }
             
-            if (method != null && method.equals(requiredSubjectConfirmationMethod))
{
-                requiredMethodFound = true;
+            if (method != null) {
+                if (method.equals(requiredSubjectConfirmationMethod)) {
+                    requiredMethodFound = true;
+                }
+                if (SAML2Constants.CONF_BEARER.equals(method)
+                    || SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
+                    || SAML1Constants.CONF_BEARER.equals(method)
+                    || SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
+                    standardMethodFound = true;
+                }
             }
         }
         
@@ -144,6 +167,12 @@ public class SamlAssertionValidator exte
             throw new WSSecurityException(WSSecurityException.FAILURE, 
                                           "invalidSAMLsecurity");
         }
+        
+        if (!standardMethodFound && requireStandardSubjectConfirmationMethod) {
+            LOG.debug("A standard subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
+                                      "invalidSAMLsecurity");
+        }
     }
     
     /**
@@ -293,5 +322,13 @@ public class SamlAssertionValidator exte
     public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
{
         this.requiredSubjectConfirmationMethod = requiredSubjectConfirmationMethod;
     }
+
+    public boolean isRequireStandardSubjectConfirmationMethod() {
+        return requireStandardSubjectConfirmationMethod;
+    }
+
+    public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)
{
+        this.requireStandardSubjectConfirmationMethod = requireStandardSubjectConfirmationMethod;
+    }
     
 }
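Review bot: The new public getter and setter for `requireStandardSubjectConfirmationMethod` carry no Javadoc, unlike the documented field they expose, and the setter is the knob that switches off a security check, so its effect should be stated where a configuring caller will read it. Suggest on the setter `/** Set whether at least one standard Subject Confirmation Method (Bearer / SenderVouches / HolderOfKey) must be present in the assertion. Defaults to true; disabling it accepts assertions whose only confirmation methods are non-standard URIs. */` and a one-line `/** Whether a standard Subject Confirmation Method is required. */` on the getter. The setter's opening brace is shown on its own line in this rendering, which looks like an archive wrap rather than the committed formatting.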

Modified: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java?rev=1624289&r1=1624288&r2=1624289&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
Thu Sep 11 13:52:13 2014
@@ -1011,6 +1011,44 @@ public class SamlTokenTest extends org.j
         }
     }
     
+    @org.junit.Test
+    public void testStandardSubjectConfirmationMethod() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        callbackHandler.setConfirmationMethod("urn:oasis:names:tc:SAML:2.0:cm:custom");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper samlAssertion = new AssertionWrapper(samlParms);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+        
+        WSSecurityEngine newEngine = new WSSecurityEngine();
+        try {
+            newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+            fail("Failure expected on an unknown subject confirmation method");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+
+        // Now disable this check
+        WSSConfig config = WSSConfig.getNewInstance();
+        SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+        assertionValidator.setRequireStandardSubjectConfirmationMethod(false);
+        config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+        config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+        
+        newEngine.setWssConfig(config);
+        newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+    }
+    
     private void encryptElement(
         Document document,
         Element elementToEncrypt,
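Review bot: The new test only exercises the SAML 2.0 path with a single custom URI, so the SAML 1.1 bearer/sender-vouches branch that the main change adds, and the empty-methods branch that now throws under the default configuration, are both left uncovered. A second case built with a SAML 1.1 callback handler and a non-standard method, plus one where no confirmation method is set, would pin the new behaviour on all three branches. The positive half of the test also re-processes the same `unsignedDoc` instance after the first engine run; if `processSecurityHeader` mutates the document this could mask a failure, so rebuilding the document before the second call would make the test more robust.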


