Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/01 18:01:34 UTC
svn commit: r1478065 - in /cxf/fediz/trunk/plugins:
core/src/main/java/org/apache/cxf/fediz/core/
core/src/main/java/org/apache/cxf/fediz/core/saml/
core/src/test/java/org/apache/cxf/fediz/core/
tomcat/src/main/java/org/apache/cxf/fediz/tomcat/
Author: coheigea
Date: Wed May 1 16:01:33 2013
New Revision: 1478065
URL: http://svn.apache.org/r1478065
Log:
[FEDIZ-4] - Added support to the plugin core to verify SAML HolderOfKey ConfirmationMethods
Added:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java
cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java Wed May 1 16:01:33 2013
@@ -194,7 +194,9 @@ public class FederationProcessorImpl imp
}
if (canHandle) {
try {
- validatorResponse = validator.validateAndProcessToken(rst, config);
+ TokenValidatorRequest validatorRequest =
+ new TokenValidatorRequest(rst, request.getCerts());
+ validatorResponse = validator.validateAndProcessToken(validatorRequest, config);
} catch (ProcessingException ex) {
throw ex;
} catch (Exception ex) {
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java Wed May 1 16:01:33 2013
@@ -19,11 +19,14 @@
package org.apache.cxf.fediz.core;
+import java.security.cert.Certificate;
+
public class FederationRequest {
private String wa;
private String wresult;
private String wct;
+ private Certificate[] certs;
public String getWct() {
@@ -45,6 +48,12 @@ public class FederationRequest {
public void setWresult(String wresult) {
this.wresult = wresult;
}
+ public Certificate[] getCerts() {
+ return certs;
+ }
+ public void setCerts(Certificate[] certs) {
+ this.certs = certs;
+ }
}
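Review bot: `getCerts` returns the stored `Certificate[]` itself and `setCerts` keeps the caller's array, so whoever holds either reference can later swap the certificates the validator will compare against; the added TokenValidatorRequest stores and returns its array the same way. A defensive copy keeps the request stable once built: `this.certs = certs == null ? null : certs.clone();` in the setter and `return certs == null ? null : certs.clone();` in the getter. The accessors also have no Javadoc, and nothing in this class says what the array is; a line such as `/** Client certificates presented on the TLS connection, if any; null when the client did not authenticate with a certificate. */` on the field would tell an implementer what to expect (the Tomcat plugin in this commit fills it from the servlet request attribute, so that reading looks right, but it is inferred).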
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java Wed May 1 16:01:33 2013
@@ -43,5 +43,8 @@ public interface TokenValidator {
* Validate a Token using the given Element and Configuration.
* @throws ProcessingException
*/
- TokenValidatorResponse validateAndProcessToken(Element token, FederationContext config) throws ProcessingException;
+ TokenValidatorResponse validateAndProcessToken(
+ TokenValidatorRequest request,
+ FederationContext config
+ ) throws ProcessingException;
}
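Review bot: The Javadoc immediately above the changed signature still reads "Validate a Token using the given Element and Configuration", but the parameter is now a TokenValidatorRequest that carries the Element together with the client certificates, so the doc no longer describes the contract. I would replace that sentence with `* Validate the token carried by the given request (the token Element plus any client certificates from the transport) using the given Configuration.` and add `@param request` and `@param config` tags next to the existing `@throws`. Since this is a public interface, it is also worth stating in the doc that implementations must tolerate `request.getCerts()` being null, which is what the SAML implementation in this commit relies on.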
Added: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java?rev=1478065&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java (added)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java Wed May 1 16:01:33 2013
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.security.cert.Certificate;
+
+import org.w3c.dom.Element;
+
+public class TokenValidatorRequest {
+
+ private final Element token;
+ private final Certificate[] certs;
+
+ public TokenValidatorRequest(Element token, Certificate[] certs) {
+ this.token = token;
+ this.certs = certs;
+ }
+
+ public Element getToken() {
+ return token;
+ }
+
+ public Certificate[] getCerts() {
+ return certs;
+ }
+
+
+
+}
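Review bot: The new class has no Javadoc at all, and the constructor does not say which arguments may be null, even though the certs array is optional in practice and the token is not. A class comment along the lines of `/** Input to a TokenValidator: the token Element to validate and the client certificates (if any) presented on the transport, used for holder-of-key checks. */` plus `@param token`/`@param certs` on the constructor would cover it. If a null token is never valid here, a fail-fast `this.token = Objects.requireNonNull(token, "token");` would surface a bad caller at construction rather than deeper in the validator, but whether any caller passes null today is not visible from this diff. The three blank lines before the closing brace are also just noise.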
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java Wed May 1 16:01:33 2013
@@ -34,6 +34,7 @@ import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.ClaimCollection;
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.TokenValidator;
+import org.apache.cxf.fediz.core.TokenValidatorRequest;
import org.apache.cxf.fediz.core.TokenValidatorResponse;
import org.apache.cxf.fediz.core.config.CertificateValidationMethod;
import org.apache.cxf.fediz.core.config.FederationContext;
@@ -83,9 +84,10 @@ public class SAMLTokenValidator implemen
return false;
}
- public TokenValidatorResponse validateAndProcessToken(Element token,
+ public TokenValidatorResponse validateAndProcessToken(TokenValidatorRequest request,
FederationContext config) throws ProcessingException {
+ Element token = request.getToken();
try {
RequestData requestData = new RequestData();
WSSConfig wssConfig = WSSConfig.getNewInstance();
@@ -165,6 +167,12 @@ public class SAMLTokenValidator implemen
throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
}
}
+
+ // Now check for HolderOfKey requirements
+ if (!SAMLUtil.checkHolderOfKey(assertion, request.getCerts())) {
+ LOG.warn("Assertion fails holder-of-key requirements");
+ throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
+ }
String audience = null;
List<Claim> claims = null;
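Review bot: A holder-of-key failure is raised as `TYPE.ISSUER_NOT_TRUSTED`, the same type used two lines earlier for a trust-chain failure, so callers and operators cannot tell a subject-confirmation mismatch from an untrusted issuer; if the ProcessingException types offer a closer value it should be used, and otherwise the log line should at least carry the distinction: `LOG.warn("Assertion fails holder-of-key requirements: subject credential does not match the TLS client certificate");`. The check also depends on `request.getCerts()` being the client chain from the transport; when the connection had no client authentication the array is null and every holder-of-key assertion is rejected, which is the safe outcome but deserves a one-line comment so the next reader does not loosen it. The enclosing method and the `assertion` variable it uses start outside this hunk.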
Added: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java?rev=1478065&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java (added)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java Wed May 1 16:01:33 2013
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+/**
+ * Some SAML Utility methods
+ */
+public final class SAMLUtil {
+
+ private SAMLUtil() {
+ // complete
+ }
+
+ /**
+ * Check the holder-of-key requirements against the received assertion. The subject
+ * credential of the SAML Assertion must match a client certificate credential when
+ * 2-way TLS is used.
+ * @param assertionWrapper the SAML Assertion wrapper object
+ * @tlsCerts The client certificates
+ * @param signedResults a list of all of the signed results
+ */
+ public static boolean checkHolderOfKey(
+ AssertionWrapper assertionWrapper,
+ Certificate[] tlsCerts
+ ) {
+ List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+ for (String confirmationMethod : confirmationMethods) {
+ if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+ if (tlsCerts == null || tlsCerts.length == 0) {
+ return false;
+ }
+ SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+ if (!compareCredentials(subjectKeyInfo, tlsCerts)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Compare the credentials of the assertion to the credentials used in 2-way TLS.
+ * Return true on a match
+ * @param subjectKeyInfo the SAMLKeyInfo object
+ * @param signedResults a list of all of the signed results
+ * @return true if the credentials of the assertion were used to verify a signature
+ */
+ private static boolean compareCredentials(
+ SAMLKeyInfo subjectKeyInfo,
+ Certificate[] tlsCerts
+ ) {
+ X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+ PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+
+ //
+ // Try to match the TLS certs
+ //
+ if (subjectCerts != null && subjectCerts.length > 0
+ && tlsCerts[0].equals(subjectCerts[0])) {
+ return true;
+ } else if (subjectPublicKey != null
+ && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+ return true;
+ }
+
+ return false;
+ }
+
+}
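Review bot: `compareCredentials` dereferences `subjectKeyInfo` unconditionally, but `checkHolderOfKey` passes through whatever `assertionWrapper.getSubjectKeyInfo()` returns, and as far as I can tell that is null when the assertion carries a holder-of-key confirmation method but no usable subject KeyInfo, which would turn a rejection into a NullPointerException. A guard before the comparison closes it: `if (subjectKeyInfo == null) { return false; }`. The Javadoc of `checkHolderOfKey` also has `@tlsCerts` instead of `@param tlsCerts`, documents a `signedResults` parameter that does not exist (same stale tag on `compareCredentials`), and lacks an `@return`; the doc should further state that only the first certificate of `tlsCerts` (the client's leaf) is compared against the subject credential, since that is what the comparison actually does.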
Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java Wed May 1 16:01:33 2013
@@ -173,9 +173,6 @@ public class SamlAssertionValidator impl
credential.setPublicKey(samlKeyInfo.getPublicKey());
credential.setCertificates(samlKeyInfo.getCerts());
- if (credential == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
- }
X509Certificate[] certs = credential.getCertificates();
PublicKey publicKey = credential.getPublicKey();
Crypto crypto = getCrypto(data);
@@ -251,27 +248,6 @@ public class SamlAssertionValidator impl
*
* @param cert the certificate that should be validated against the keystore
* @param crypto A crypto instance to use for trust validation
- * @return true if the certificate is trusted, false if not
- * @throws WSSecurityException
- */
- @Deprecated
- protected boolean verifyTrustInCert(X509Certificate cert, Crypto crypto)
- throws WSSecurityException {
- return verifyTrustInCert(cert, crypto, false);
- }
-
- /**
- * Evaluate whether a given certificate should be trusted.
- *
- * Policy used in this implementation:
- * 1. Search the keystore for the transmitted certificate
- * 2. Search the keystore for a connection to the transmitted certificate
- * (that is, search for certificate(s) of the issuer of the transmitted certificate
- * 3. Verify the trust path for those certificates found because the search for the issuer
- * might be fooled by a phony DN (String!)
- *
- * @param cert the certificate that should be validated against the keystore
- * @param crypto A crypto instance to use for trust validation
* @param enableRevocation Whether revocation is enabled or not
* @return true if the certificate is trusted, false if not
* @throws WSSecurityException
@@ -411,22 +387,6 @@ public class SamlAssertionValidator impl
* Evaluate whether the given certificate chain should be trusted.
*
* @param certificates the certificate chain that should be validated against the keystore
- * @param crypto A Crypto instance to use for trust validation
- * @return true if the certificate chain is trusted, false if not
- * @throws WSSecurityException
- */
- @Deprecated
- protected boolean verifyTrustInCerts(
- X509Certificate[] certificates,
- Crypto crypto
- ) throws WSSecurityException {
- return verifyTrustInCerts(certificates, crypto, false);
- }
-
- /**
- * Evaluate whether the given certificate chain should be trusted.
- *
- * @param certificates the certificate chain that should be validated against the keystore
* @param crypto A Crypto instance
* @param enableRevocation Whether revocation is enabled or not
* @return true if the certificate chain is trusted, false if not
Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java (original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java Wed May 1 16:01:33 2013
@@ -36,7 +36,10 @@ public class CustomValidator implements
}
@Override
- public TokenValidatorResponse validateAndProcessToken(Element token, FederationContext config) {
+ public TokenValidatorResponse validateAndProcessToken(
+ TokenValidatorRequest request,
+ FederationContext config
+ ) {
return new TokenValidatorResponse(null,
FederationProcessorTest.TEST_USER,
FederationProcessorTest.TEST_RSTR_ISSUER,
Modified: cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java (original)
+++ cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java Wed May 1 16:01:33 2013
@@ -23,6 +23,7 @@ import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
@@ -327,6 +328,10 @@ public class FederationAuthenticator ext
FederationRequest wfReq = new FederationRequest();
wfReq.setWa(wa);
wfReq.setWresult(wresult);
+
+ X509Certificate certs[] =
+ (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
+ wfReq.setCerts(certs);
String contextName = request.getServletContext().getContextPath();
if (contextName == null || contextName.isEmpty()) {
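Review bot: The added declaration uses the C-style array form `X509Certificate certs[]`; Java convention puts the brackets on the type: `X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");`. A short comment would also help here, since `certs` is deliberately allowed to be null: `// Set by the container only when the client authenticated with a certificate during the TLS handshake; null otherwise, in which case holder-of-key assertions are rejected downstream.` (the downstream behaviour is inferred from SAMLUtil.checkHolderOfKey in this commit). The enclosing method starts outside this hunk.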