ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1653488 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/validate/SamlAssertionValidator.java test/java/org/apache/ws/security/saml/SamlConditionsTest.java
Date Wed, 21 Jan 2015 11:59:06 GMT
Author: coheigea
Date: Wed Jan 21 11:59:05 2015
New Revision: 1653488

URL: http://svn.apache.org/r1653488
Log:
[WSS-524] - Set a default TTL of 30 minutes on a SAML Assertion with no NotOnOrAfter Condition

Conflicts:
	src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
	ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
	ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java

Modified:
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
    webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1653488&r1=1653487&r2=1653488&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Wed Jan 21 11:59:05 2015
@@ -57,6 +57,12 @@ public class SamlAssertionValidator exte
     private int futureTTL = 60;
     
     /**
+     * The time in seconds within which a SAML Assertion is valid, if it does not contain
+     * a NotOnOrAfter Condition. The default is 30 minutes.
+     */
+    private int ttl = 60 * 30;
+    
+    /**
      * Whether to validate the signature of the Assertion (if it exists) against the 
      * relevant profile. Default is true.
      */
@@ -251,6 +257,8 @@ public class SamlAssertionValidator exte
         
         // IssueInstant is not strictly in Conditions, but it has similar semantics to 
         // NotBefore, so including it here
+        
+        // Check the IssueInstant is not in the future, subject to the future TTL
         if (issueInstant != null) {
             DateTime currentTime = new DateTime();
             currentTime = currentTime.plusSeconds(futureTTL);
@@ -258,6 +266,17 @@ public class SamlAssertionValidator exte
                 LOG.debug("SAML Token IssueInstant not met");
                 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
             }
+            
+            // If there is no NotOnOrAfter, then impose a TTL on the IssueInstant.
+            if (validTill == null) {
+                currentTime = new DateTime();
+                currentTime.minusSeconds(ttl);
+                
+                if (issueInstant.isBefore(currentTime)) {
+                    LOG.debug("SAML Token IssueInstant not met. The assertion was created
too long ago.");
+                    throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+                }
+            }
         }
     }
     
@@ -509,4 +528,12 @@ public class SamlAssertionValidator exte
         this.requireBearerSignature = requireBearerSignature;
     }
     
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+
 }

Modified: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java?rev=1653488&r1=1653487&r2=1653488&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
(original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
Wed Jan 21 11:59:05 2015
@@ -263,6 +263,118 @@ public class SamlConditionsTest extends
         }
     }
     
+    @org.junit.Test
+    public void testSAML2StaleIssueInstant() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        assertion.getSaml2().setIssueInstant(issueInstant);
+        assertion.getSaml2().getConditions().setNotOnOrAfter(null);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing a stale SAML Assertion");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
+    @org.junit.Test
+    public void testSAML2StaleIssueInstantButWithNotOnOrAfter() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        ConditionsBean conditions = new ConditionsBean();
+        conditions.setNotBefore(new DateTime());
+        conditions.setNotAfter(new DateTime().plusMinutes(35));
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        assertion.getSaml2().setIssueInstant(issueInstant);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        verify(unsignedDoc);
+    }
+    
+    @org.junit.Test
+    public void testSAML1StaleIssueInstant() throws Exception {
+        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        assertion.getSaml1().setIssueInstant(issueInstant);
+        assertion.getSaml1().getConditions().setNotOnOrAfter(null);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 1 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing a stale SAML Assertion");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
     /**
      * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
      * with an (invalid) custom Conditions statement.



Mime
View raw message