
From cohei...@apache.org
Subject svn commit: r1653487 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/saml/ ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ ws-security-stax/sr...
Date Wed, 21 Jan 2015 11:51:16 GMT
Author: coheigea
Date: Wed Jan 21 11:51:15 2015
New Revision: 1653487

URL: http://svn.apache.org/r1653487
Log:
[WSS-524] - Set a default TTL of 30 minutes on a SAML Assertion with no NotOnOrAfter Condition

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java?rev=1653487&r1=1653486&r2=1653487&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
Wed Jan 21 11:51:15 2015
@@ -783,18 +783,15 @@ public class SamlAssertionWrapper {
     public void checkConditions(int futureTTL) throws WSSecurityException {
         DateTime validFrom = null;
         DateTime validTill = null;
-        DateTime issueInstant = null;
         
         if (getSamlVersion().equals(SAMLVersion.VERSION_20)
             && getSaml2().getConditions() != null) {
             validFrom = getSaml2().getConditions().getNotBefore();
             validTill = getSaml2().getConditions().getNotOnOrAfter();
-            issueInstant = getSaml2().getIssueInstant();
         } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
             && getSaml1().getConditions() != null) {
             validFrom = getSaml1().getConditions().getNotBefore();
             validTill = getSaml1().getConditions().getNotOnOrAfter();
-            issueInstant = getSaml1().getIssueInstant();
         }
         
         if (validFrom != null) {
@@ -810,9 +807,26 @@ public class SamlAssertionWrapper {
             LOG.debug("SAML Token condition (Not On Or After) not met");
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
         }
+    }
+    
+    /**
+     * Check the IssueInstant value of the Assertion.
+     */
+    public void checkIssueInstant(int futureTTL, int ttl) throws WSSecurityException {
+        DateTime issueInstant = null;
+        DateTime validTill = null;
+        
+        if (getSamlVersion().equals(SAMLVersion.VERSION_20)
+            && getSaml2().getConditions() != null) {
+            validTill = getSaml2().getConditions().getNotOnOrAfter();
+            issueInstant = getSaml2().getIssueInstant();
+        } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
+            && getSaml1().getConditions() != null) {
+            validTill = getSaml1().getConditions().getNotOnOrAfter();
+            issueInstant = getSaml1().getIssueInstant();
+        }
         
-        // IssueInstant is not strictly in Conditions, but it has similar semantics to 
-        // NotBefore, so including it here
+        // Check the IssueInstant is not in the future, subject to the future TTL
         if (issueInstant != null) {
             DateTime currentTime = new DateTime();
             currentTime = currentTime.plusSeconds(futureTTL);
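Review bot: The Javadoc on the new public method `checkIssueInstant` says only "Check the IssueInstant value of the Assertion." and documents neither parameter nor the failure mode, although both ints are in seconds and carry different meanings. I would expand it to: `@param futureTTL the number of seconds the IssueInstant may lie in the future (clock-skew allowance)`, `@param ttl the number of seconds after the IssueInstant that the Assertion is accepted when it has no NotOnOrAfter Condition`, and `@throws WSSecurityException if the IssueInstant is too far in the future, or too old when no NotOnOrAfter Condition is present`. It is also worth stating that an Assertion whose Conditions element is null gets no IssueInstant check at all, which is what the two branches above imply. The method body continues in the next hunk.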
@@ -820,6 +834,17 @@ public class SamlAssertionWrapper {
                 LOG.debug("SAML Token IssueInstant not met");
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
             }
+            
+            // If there is no NotOnOrAfter, then impose a TTL on the IssueInstant.
+            if (validTill == null) {
+                currentTime = new DateTime();
+                currentTime.minusSeconds(ttl);
+                
+                if (issueInstant.isBefore(currentTime)) {
+                    LOG.debug("SAML Token IssueInstant not met. The assertion was created
too long ago.");
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+                }
+            }
         }
         
     }
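Review bot: The TTL is never applied at the added line `currentTime.minusSeconds(ttl);` because a Joda-Time `DateTime` is immutable and `minusSeconds` returns a new instance whose result is discarded, so `currentTime` is still "now" when the comparison runs. As written, the branch rejects every Assertion without a NotOnOrAfter Condition whose IssueInstant is earlier than the current instant, regardless of the configured `ttl`; this fails closed rather than open, but it makes the new default effectively zero instead of 30 minutes. The fix is `currentTime = currentTime.minusSeconds(ttl);`. Separately, if the parsed Assertion yields a null IssueInstant the whole lifetime check is skipped — presumably acceptable because the schema requires IssueInstant, but worth a comment confirming that was considered.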

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java?rev=1653487&r1=1653486&r2=1653487&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
Wed Jan 21 11:51:15 2015
@@ -52,6 +52,12 @@ public class SamlAssertionValidator exte
     private int futureTTL = 60;
     
     /**
+     * The time in seconds within which a SAML Assertion is valid, if it does not contain
+     * a NotOnOrAfter Condition. The default is 30 minutes.
+     */
+    private int ttl = 60 * 30;
+    
+    /**
      * Whether to validate the signature of the Assertion (if it exists) against the 
      * relevant profile. Default is true.
      */
@@ -222,6 +228,7 @@ public class SamlAssertionValidator exte
      */
     protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
         samlAssertion.checkConditions(futureTTL);
+        samlAssertion.checkIssueInstant(futureTTL, ttl);
     }
     
     /**
@@ -313,4 +320,12 @@ public class SamlAssertionValidator exte
         this.requireBearerSignature = requireBearerSignature;
     }
     
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+    
 }
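Review bot: The new `getTtl`/`setTtl` accessors have no Javadoc, while the sibling field comment above them is the only place the unit (seconds) and the default (30 minutes) are stated; since `setTtl` is the configuration surface users will actually call, the contract belongs there. I would add to `setTtl`: `Set the time in seconds within which a SAML Assertion is valid if it does not contain a NotOnOrAfter Condition. The default is 30 minutes (1800 seconds).` The setter also accepts zero or negative values silently; if those are not meaningful, a comment stating whether they disable the check or reject everything would help operators. The same accessors are added unchanged in SamlTokenValidatorImpl (the hunk ending at the closing brace of that file), so the same Javadoc applies there.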

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java?rev=1653487&r1=1653486&r2=1653487&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
Wed Jan 21 11:51:15 2015
@@ -173,6 +173,118 @@ public class SamlConditionsTest extends
         }
     }
     
+    @org.junit.Test
+    public void testSAML2StaleIssueInstant() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        samlAssertion.getSaml2().setIssueInstant(issueInstant);
+        samlAssertion.getSaml2().getConditions().setNotOnOrAfter(null);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing a stale SAML Assertion");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
+    @org.junit.Test
+    public void testSAML2StaleIssueInstantButWithNotOnOrAfter() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        
+        ConditionsBean conditions = new ConditionsBean();
+        conditions.setNotBefore(new DateTime());
+        conditions.setNotAfter(new DateTime().plusMinutes(35));
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        samlAssertion.getSaml2().setIssueInstant(issueInstant);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        verify(unsignedDoc);
+    }
+    
+    @org.junit.Test
+    public void testSAML1StaleIssueInstant() throws Exception {
+        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        samlAssertion.getSaml1().setIssueInstant(issueInstant);
+        samlAssertion.getSaml1().getConditions().setNotOnOrAfter(null);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 1 Authn Assertion (sender vouches):");
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing a stale SAML Assertion");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
     /**
      * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
      * with an (invalid) custom Conditions statement.
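Review bot: In `testSAML2StaleIssueInstantButWithNotOnOrAfter` the `ConditionsBean conditions` built at the `conditions.setNotAfter(new DateTime().plusMinutes(35));` line is never attached to anything — the `SamlAssertionWrapper` was already constructed from `samlCallback` two statements earlier — so the test relies on whatever Conditions the callback handler produces by default, and it is unclear from here whether those include a NotOnOrAfter at all. Either feed the bean into the callback handler before `SAMLUtil.doSAMLCallback(...)` or drop the dead local. The three new tests also only cover the reject paths; there is no case with a fresh IssueInstant (e.g. issued now) and `NotOnOrAfter` set to null that must still verify, which is exactly the case that would expose a regression where the TTL is not subtracted before comparison. A SAML 1.1 counterpart of the "stale but with NotOnOrAfter" case is missing as well.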

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1653487&r1=1653486&r2=1653487&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
Wed Jan 21 11:51:15 2015
@@ -47,6 +47,12 @@ public class SamlTokenValidatorImpl exte
     private int futureTTL = 60;
     
     /**
+     * The time in seconds within which a SAML Assertion is valid, if it does not contain
+     * a NotOnOrAfter Condition. The default is 30 minutes.
+     */
+    private int ttl = 60 * 30;
+    
+    /**
      * Whether to validate the signature of the Assertion (if it exists) against the 
      * relevant profile. Default is true.
      */
@@ -221,6 +227,7 @@ public class SamlTokenValidatorImpl exte
      */
     protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
         samlAssertion.checkConditions(futureTTL);
+        samlAssertion.checkIssueInstant(futureTTL, ttl);
     }
     
     /**
@@ -285,4 +292,12 @@ public class SamlTokenValidatorImpl exte
         this.requireBearerSignature = requireBearerSignature;
     }
     
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+    
 }


