ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1652390 - in /webservices/wss4j/trunk/ws-security-stax/src: main/java/org/apache/wss4j/stax/ext/ main/java/org/apache/wss4j/stax/validate/ test/java/org/apache/wss4j/stax/test/saml/
Date Fri, 16 Jan 2015 11:15:46 GMT
Author: coheigea
Date: Fri Jan 16 11:15:46 2015
New Revision: 1652390

URL: http://svn.apache.org/r1652390
Log:
[WSS-523 ] -Add the ability to supply AudienceRestrictions when validating SAML tokens - StAX
part

Modified:
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java?rev=1652390&r1=1652389&r2=1652390&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
Fri Jan 16 11:15:46 2015
@@ -116,6 +116,7 @@ public class WSSSecurityProperties exten
     private boolean enableSamlOneTimeUseReplayCache = true;
     private boolean validateSamlSubjectConfirmation = true;
     private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
+    private List<String> audienceRestrictions = new ArrayList<String>();
 
     private CallbackHandler attachmentCallbackHandler;
     private Object msgContext;
@@ -178,6 +179,7 @@ public class WSSSecurityProperties exten
         this.subjectDNPatterns = wssSecurityProperties.subjectDNPatterns;
         this.attachmentCallbackHandler = wssSecurityProperties.attachmentCallbackHandler;
         this.msgContext = wssSecurityProperties.msgContext;
+        this.audienceRestrictions = wssSecurityProperties.audienceRestrictions;
     }
 
     /**
@@ -922,6 +924,22 @@ public class WSSSecurityProperties exten
     public Collection<Pattern> getSubjectCertConstraints() {
         return subjectDNPatterns;
     }
+    
+    /**
+     * Set the Audience Restrictions
+     */
+    public void setAudienceRestrictions(List<String> audienceRestrictions) {
+        if (audienceRestrictions != null) {
+            this.audienceRestrictions.addAll(audienceRestrictions);
+        }
+    }
+    
+    /**
+     * Get the Audience Restrictions
+     */
+    public List<String> getAudienceRestrictions() {
+        return audienceRestrictions;
+    }
 
     public int getDerivedSignatureKeyLength() {
         return derivedSignatureKeyLength;

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1652390&r1=1652389&r2=1652390&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
Fri Jan 16 11:15:46 2015
@@ -106,7 +106,8 @@ public class SamlTokenValidatorImpl exte
                                                  final InboundSecurityToken subjectSecurityToken,
                                                  final TokenContext tokenContext) throws
WSSecurityException {
         // Check conditions
-        checkConditions(samlAssertionWrapper);
+        checkConditions(samlAssertionWrapper,
+                        tokenContext.getWssSecurityProperties().getAudienceRestrictions());
         
         // Check the AuthnStatements of the assertion (if any)
         checkAuthnStatements(samlAssertionWrapper);
@@ -206,6 +207,16 @@ public class SamlTokenValidatorImpl exte
     }
     
     /**
+     * Check the Conditions of the Assertion.
+     */
+    protected void checkConditions(
+        SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions
+    ) throws WSSecurityException {
+        checkConditions(samlAssertion);
+        samlAssertion.checkAudienceRestrictions(audienceRestrictions);
+    }
+    
+    /**
      * Check the Conditions of the Assertion.
      */
     protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java?rev=1652390&r1=1652389&r2=1652390&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java
Fri Jan 16 11:15:46 2015
@@ -509,6 +509,130 @@ public class SamlConditionsTest extends
         }
     }
     
+    // Now test AudienceRestrictions with supplied restrictions
+    @org.junit.Test
+    public void testSAML2AudienceRestrictionValidation() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        List<String> audiences = new ArrayList<String>();
+        {
+            SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+            callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+            callbackHandler.setIssuer("www.example.com");
+
+            ConditionsBean conditions = new ConditionsBean();
+            conditions.setTokenPeriodMinutes(5);
+            audiences.add("http://apache.org/one");
+            audiences.add("http://apache.org/two");
+            AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
+            audienceRestrictionBean.setAudienceURIs(audiences);
+            conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
+            
+            callbackHandler.setConditions(conditions);
+
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+            Properties properties = new Properties();
+            properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
properties);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // This should fail as the expected audience isn't in the assertion
+        audiences.clear();
+        audiences.add("http://apache.org/three");
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setAudienceRestrictions(audiences);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("XMLStreamException expected");
+            } catch (XMLStreamException e) {
+                Assert.assertNotNull(e.getCause());
+            }
+        }
+        
+        // Now add the correct audience back in...
+        audiences.add("http://apache.org/one");
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setAudienceRestrictions(audiences);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
+            Assert.assertNotNull(document);
+        }
+    }
+    
+    // Now test AudienceRestrictions with supplied restrictions
+    @org.junit.Test
+    public void testSAML1AudienceRestrictionValidation() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        List<String> audiences = new ArrayList<String>();
+        {
+            SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+            callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+            callbackHandler.setIssuer("www.example.com");
+
+            ConditionsBean conditions = new ConditionsBean();
+            conditions.setTokenPeriodMinutes(5);
+            audiences.add("http://apache.org/one");
+            audiences.add("http://apache.org/two");
+            AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
+            audienceRestrictionBean.setAudienceURIs(audiences);
+            conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
+            
+            callbackHandler.setConditions(conditions);
+
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+            Properties properties = new Properties();
+            properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
properties);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // This should fail as the expected audience isn't in the assertion
+        audiences.clear();
+        audiences.add("http://apache.org/three");
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setAudienceRestrictions(audiences);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("XMLStreamException expected");
+            } catch (XMLStreamException e) {
+                Assert.assertNotNull(e.getCause());
+            }
+        }
+        
+        // Now add the correct audience back in...
+        audiences.add("http://apache.org/one");
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setAudienceRestrictions(audiences);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
+            Assert.assertNotNull(document);
+        }
+    }
+    
     /**
      * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
      * with two AudienceRestriction Elements
@@ -555,6 +679,74 @@ public class SamlConditionsTest extends
             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
 
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
+            Assert.assertNotNull(document);
+        }
+    }
+    
+    // Now test AudienceRestrictions with supplied restrictions
+    @org.junit.Test
+    public void testSAML1AudienceRestrictionSeparateRestrictionsValidation() throws Exception
{
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+            callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+            callbackHandler.setIssuer("www.example.com");
+
+            ConditionsBean conditions = new ConditionsBean();
+            conditions.setTokenPeriodMinutes(5);
+            
+            List<AudienceRestrictionBean> audiencesRestrictions = 
+                new ArrayList<AudienceRestrictionBean>();
+            AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
+            audienceRestrictionBean.setAudienceURIs(Collections.singletonList("http://apache.org/one"));
+            audiencesRestrictions.add(audienceRestrictionBean);
+
+            audienceRestrictionBean = new AudienceRestrictionBean();
+            audienceRestrictionBean.setAudienceURIs(Collections.singletonList("http://apache.org/two"));
+            audiencesRestrictions.add(audienceRestrictionBean);
+
+            conditions.setAudienceRestrictions(audiencesRestrictions);
+            
+            callbackHandler.setConditions(conditions);
+
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+            Properties properties = new Properties();
+            properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
properties);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // This should fail as the expected audience isn't in the assertion
+        List<String> audiences = new ArrayList<String>();
+        audiences.add("http://apache.org/three");
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setAudienceRestrictions(audiences);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("XMLStreamException expected");
+            } catch (XMLStreamException e) {
+                Assert.assertNotNull(e.getCause());
+            }
+        }
+        
+        // Now add the correct audience back in...
+        audiences.add("http://apache.org/one");
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setAudienceRestrictions(audiences);
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
             Assert.assertNotNull(document);
         }



Mime
View raw message