ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1624308 - in /webservices/wss4j/trunk: ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ ws-security-stax/src/m...
Date Thu, 11 Sep 2014 14:49:03 GMT
Author: coheigea
Date: Thu Sep 11 14:49:03 2014
New Revision: 1624308

URL: http://svn.apache.org/r1624308
Log:
[WSS-512] - Provide a configurable way of enforcing that SAML Bearer Tokens must have an internal
signature

Modified:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
Thu Sep 11 14:49:03 2014
@@ -69,6 +69,12 @@ public class SamlAssertionValidator exte
     private boolean requireStandardSubjectConfirmationMethod = true;
     
     /**
+     * If this is set, an Assertion with a Bearer SubjectConfirmation Method must be
+     * signed 
+     */
+    private boolean requireBearerSignature = true;
+    
+    /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming

      * Assertion is valid. The default is 60 seconds.
      */
@@ -152,8 +158,14 @@ public class SamlAssertionValidator exte
                     requiredMethodFound = true;
                 }
                 if (SAML2Constants.CONF_BEARER.equals(method)
-                    || SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
-                    || SAML1Constants.CONF_BEARER.equals(method)
+                    || SAML1Constants.CONF_BEARER.equals(method)) {
+                    standardMethodFound = true;
+                    if (requireBearerSignature && !signed) {
+                        LOG.debug("A Bearer Assertion was not signed");
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,

+                                                      "invalidSAMLsecurity");
+                    }
+                } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
                     || SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
                     standardMethodFound = true;
                 }
@@ -272,5 +284,13 @@ public class SamlAssertionValidator exte
     public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)
{
         this.requireStandardSubjectConfirmationMethod = requireStandardSubjectConfirmationMethod;
     }
+
+    public boolean isRequireBearerSignature() {
+        return requireBearerSignature;
+    }
+
+    public void setRequireBearerSignature(boolean requireBearerSignature) {
+        this.requireBearerSignature = requireBearerSignature;
+    }
     
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
Thu Sep 11 14:49:03 2014
@@ -46,6 +46,7 @@ import org.apache.wss4j.common.saml.buil
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -476,6 +477,11 @@ public class ReplayTest extends org.juni
         }
         
         WSSConfig wssConfig = WSSConfig.getNewInstance();
+        SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+        assertionValidator.setRequireBearerSignature(false);
+        wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+        wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+        
         RequestData data = new RequestData();
         data.setWssConfig(wssConfig);
         data.setCallbackHandler(callbackHandler);
@@ -524,6 +530,11 @@ public class ReplayTest extends org.juni
         }
         
         WSSConfig wssConfig = WSSConfig.getNewInstance();
+        SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+        assertionValidator.setRequireBearerSignature(false);
+        wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+        wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+        
         RequestData data = new RequestData();
         data.setWssConfig(wssConfig);
         data.setCallbackHandler(callbackHandler);

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
Thu Sep 11 14:49:03 2014
@@ -1049,6 +1049,45 @@ public class SamlTokenTest extends org.j
         newEngine.processSecurityHeader(unsignedDoc, null, null, null);
     }
     
+    @org.junit.Test
+    public void testUnsignedBearer() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+        
+        WSSecurityEngine newEngine = new WSSecurityEngine();
+        try {
+            newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+            fail("Failure expected on an unsigned bearer token");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+
+        // Now disable this check
+        WSSConfig config = WSSConfig.getNewInstance();
+        SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+        assertionValidator.setRequireBearerSignature(false);
+        config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+        config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+        config.setValidateSamlSubjectConfirmation(false);
+        
+        newEngine.setWssConfig(config);
+        newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+    }
+    
     private void encryptElement(
         Document document,
         Element elementToEncrypt,

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
Thu Sep 11 14:49:03 2014
@@ -62,6 +62,12 @@ public class SamlTokenValidatorImpl exte
      * be present in the assertion (Bearer / SenderVouches / HolderOfKey).
      */
     private boolean requireStandardSubjectConfirmationMethod = true;
+    
+    /**
+     * If this is set, an Assertion with a Bearer SubjectConfirmation Method must be
+     * signed 
+     */
+    private boolean requireBearerSignature = true;
 
     /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming
@@ -169,8 +175,14 @@ public class SamlTokenValidatorImpl exte
                     requiredMethodFound = true;
                 }
                 if (SAML2Constants.CONF_BEARER.equals(method)
-                    || SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
-                    || SAML1Constants.CONF_BEARER.equals(method)
+                    || SAML1Constants.CONF_BEARER.equals(method)) {
+                    standardMethodFound = true;
+                    if (requireBearerSignature && !signed) {
+                        LOG.debug("A Bearer Assertion was not signed");
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,

+                                                      "invalidSAMLsecurity");
+                    }
+                } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
                     || SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
                     standardMethodFound = true;
                 }
@@ -243,5 +255,13 @@ public class SamlTokenValidatorImpl exte
     public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)
{
         this.requireStandardSubjectConfirmationMethod = requireStandardSubjectConfirmationMethod;
     }
+
+    public boolean isRequireBearerSignature() {
+        return requireBearerSignature;
+    }
+
+    public void setRequireBearerSignature(boolean requireBearerSignature) {
+        this.requireBearerSignature = requireBearerSignature;
+    }
     
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
Thu Sep 11 14:49:03 2014
@@ -39,6 +39,7 @@ import org.apache.wss4j.stax.ext.WSSCons
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.test.saml.SAML2CallbackHandler;
 import org.apache.wss4j.stax.test.utils.StAX2DOM;
+import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.junit.Assert;
 import org.junit.Test;
@@ -187,6 +188,12 @@ public class ReplayTest extends Abstract
         ReplayCache replayCache = null;
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequireBearerSignature(false);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
             replayCache = securityProperties.getSamlOneTimeUseReplayCache();
             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
@@ -198,6 +205,12 @@ public class ReplayTest extends Abstract
         // now process SAML Token again
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequireBearerSignature(false);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
             securityProperties.setSamlOneTimeUseReplayCache(replayCache);
             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
@@ -240,6 +253,12 @@ public class ReplayTest extends Abstract
         ReplayCache replayCache = null;
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequireBearerSignature(false);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
             replayCache = securityProperties.getSamlOneTimeUseReplayCache();
             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
@@ -251,6 +270,12 @@ public class ReplayTest extends Abstract
         // now process SAML Token again
         {
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequireBearerSignature(false);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
             securityProperties.setSamlOneTimeUseReplayCache(replayCache);
             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
Thu Sep 11 14:49:03 2014
@@ -1084,6 +1084,67 @@ public class SAMLTokenTest extends Abstr
         }
     }
     
+    @Test
+    public void testUnsignedBearer() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+            callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+            callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+            callbackHandler.setSignAssertion(false);
+
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
+            Properties properties = new Properties();
+            properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+            properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
WSSConstants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // Validate
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+            
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                fail("Failure expected on an unsigned bearer token");
+            }  catch (XMLStreamException e) {
+                // expected
+            }
+        }
+        
+        // Validate again - disable the signed Bearer check
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequireBearerSignature(false);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+        }
+    }
+    
     private void encryptElement(
         Document document,
         Element elementToEncrypt,



Mime
View raw message