Posted to commits@ws.apache.org by co...@apache.org on 2015/01/16 12:15:46 UTC
svn commit: r1652390 - in /webservices/wss4j/trunk/ws-security-stax/src:
main/java/org/apache/wss4j/stax/ext/
main/java/org/apache/wss4j/stax/validate/
test/java/org/apache/wss4j/stax/test/saml/
Author: coheigea
Date: Fri Jan 16 11:15:46 2015
New Revision: 1652390
URL: http://svn.apache.org/r1652390
Log:
[WSS-523] - Add the ability to supply AudienceRestrictions when validating SAML tokens - StAX part
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java?rev=1652390&r1=1652389&r2=1652390&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java Fri Jan 16 11:15:46 2015
@@ -116,6 +116,7 @@ public class WSSSecurityProperties exten
private boolean enableSamlOneTimeUseReplayCache = true;
private boolean validateSamlSubjectConfirmation = true;
private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
+ private List<String> audienceRestrictions = new ArrayList<String>();
private CallbackHandler attachmentCallbackHandler;
private Object msgContext;
@@ -178,6 +179,7 @@ public class WSSSecurityProperties exten
this.subjectDNPatterns = wssSecurityProperties.subjectDNPatterns;
this.attachmentCallbackHandler = wssSecurityProperties.attachmentCallbackHandler;
this.msgContext = wssSecurityProperties.msgContext;
+ this.audienceRestrictions = wssSecurityProperties.audienceRestrictions;
}
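Review bot: The copy constructor's added line aliases the source object's `audienceRestrictions` list instead of copying it, and because `setAudienceRestrictions` (added later in this file) appends into that same list, an audience added to the copy silently shows up in the original as well. The neighbouring assignments for `subjectDNPatterns` share references in the same way, so this may be deliberate, but for a value that decides which recipients accept a token an independent copy is the safer default: `this.audienceRestrictions = new ArrayList<String>(wssSecurityProperties.audienceRestrictions);`. The constructor body starts outside the hunk.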
/**
@@ -922,6 +924,22 @@ public class WSSSecurityProperties exten
public Collection<Pattern> getSubjectCertConstraints() {
return subjectDNPatterns;
}
+
+ /**
+ * Set the Audience Restrictions
+ */
+ public void setAudienceRestrictions(List<String> audienceRestrictions) {
+ if (audienceRestrictions != null) {
+ this.audienceRestrictions.addAll(audienceRestrictions);
+ }
+ }
+
+ /**
+ * Get the Audience Restrictions
+ */
+ public List<String> getAudienceRestrictions() {
+ return audienceRestrictions;
+ }
public int getDerivedSignatureKeyLength() {
return derivedSignatureKeyLength;
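Review bot: `setAudienceRestrictions` accumulates rather than replaces: a second call cannot remove an audience set earlier, and passing an empty list is a no-op, so once set the restriction can never be cleared through the API; a setter is expected to replace, e.g. `this.audienceRestrictions = audienceRestrictions == null ? new ArrayList<String>() : new ArrayList<String>(audienceRestrictions);`. `getAudienceRestrictions` hands out the internal mutable list, so any caller can change the validator's expected audiences behind the setter's back; `return Collections.unmodifiableList(audienceRestrictions);` closes that. The Javadoc on both methods should also say what the values are, e.g. `Set the audience URIs this recipient identifies as; a received SAML token's AudienceRestriction is checked against them`, and what an empty list means once confirmed against SamlAssertionWrapper.checkAudienceRestrictions, which is not in this diff.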
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1652390&r1=1652389&r2=1652390&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java Fri Jan 16 11:15:46 2015
@@ -106,7 +106,8 @@ public class SamlTokenValidatorImpl exte
final InboundSecurityToken subjectSecurityToken,
final TokenContext tokenContext) throws WSSecurityException {
// Check conditions
- checkConditions(samlAssertionWrapper);
+ checkConditions(samlAssertionWrapper,
+ tokenContext.getWssSecurityProperties().getAudienceRestrictions());
// Check the AuthnStatements of the assertion (if any)
checkAuthnStatements(samlAssertionWrapper);
@@ -206,6 +207,16 @@ public class SamlTokenValidatorImpl exte
}
/**
+ * Check the Conditions of the Assertion.
+ */
+ protected void checkConditions(
+ SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions
+ ) throws WSSecurityException {
+ checkConditions(samlAssertion);
+ samlAssertion.checkAudienceRestrictions(audienceRestrictions);
+ }
+
+ /**
* Check the Conditions of the Assertion.
*/
protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException {
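Review bot: The Javadoc on the new two-argument `checkConditions` is a verbatim copy of the single-argument one and never mentions the parameter that distinguishes it; add `@param audienceRestrictions audience URIs this recipient accepts, checked against the assertion's AudienceRestriction conditions after the existing condition checks` and `@throws WSSecurityException if a condition or the audience check fails`, with a pointer that the empty-list semantics are decided by SamlAssertionWrapper.checkAudienceRestrictions (outside this diff). Delegating to the one-argument overload first is a good choice because subclasses that override it keep being honoured; a one-line comment saying so would stop a later reader from "simplifying" it into a direct call. The single-argument method's body continues outside the hunk.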
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java?rev=1652390&r1=1652389&r2=1652390&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SamlConditionsTest.java Fri Jan 16 11:15:46 2015
@@ -509,6 +509,130 @@ public class SamlConditionsTest extends
}
}
+ // Now test AudienceRestrictions with supplied restrictions
+ @org.junit.Test
+ public void testSAML2AudienceRestrictionValidation() throws Exception {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ List<String> audiences = new ArrayList<String>();
+ {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ ConditionsBean conditions = new ConditionsBean();
+ conditions.setTokenPeriodMinutes(5);
+ audiences.add("http://apache.org/one");
+ audiences.add("http://apache.org/two");
+ AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
+ audienceRestrictionBean.setAudienceURIs(audiences);
+ conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
+
+ callbackHandler.setConditions(conditions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+
+ // This should fail as the expected audience isn't in the assertion
+ audiences.clear();
+ audiences.add("http://apache.org/three");
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setAudienceRestrictions(audiences);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ try {
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ Assert.fail("XMLStreamException expected");
+ } catch (XMLStreamException e) {
+ Assert.assertNotNull(e.getCause());
+ }
+ }
+
+ // Now add the correct audience back in...
+ audiences.add("http://apache.org/one");
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setAudienceRestrictions(audiences);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ Assert.assertNotNull(document);
+ }
+ }
+
+ // Now test AudienceRestrictions with supplied restrictions
+ @org.junit.Test
+ public void testSAML1AudienceRestrictionValidation() throws Exception {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ List<String> audiences = new ArrayList<String>();
+ {
+ SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+ callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ ConditionsBean conditions = new ConditionsBean();
+ conditions.setTokenPeriodMinutes(5);
+ audiences.add("http://apache.org/one");
+ audiences.add("http://apache.org/two");
+ AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
+ audienceRestrictionBean.setAudienceURIs(audiences);
+ conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
+
+ callbackHandler.setConditions(conditions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+
+ // This should fail as the expected audience isn't in the assertion
+ audiences.clear();
+ audiences.add("http://apache.org/three");
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setAudienceRestrictions(audiences);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ try {
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ Assert.fail("XMLStreamException expected");
+ } catch (XMLStreamException e) {
+ Assert.assertNotNull(e.getCause());
+ }
+ }
+
+ // Now add the correct audience back in...
+ audiences.add("http://apache.org/one");
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setAudienceRestrictions(audiences);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ Assert.assertNotNull(document);
+ }
+ }
+
/**
* Test that creates, sends and processes an unsigned SAML 2 authentication assertion
* with two AudienceRestriction Elements
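Review bot: The negative cases (the `catch (XMLStreamException e)` blocks after `Assert.fail("XMLStreamException expected")` in both new methods, and again in the next hunk) only assert that a cause exists, so a rejection for any other reason — a signature or parsing problem — also makes the test pass; assert the cause type, `Assert.assertTrue(e.getCause() instanceof WSSecurityException);`, so the test actually pins the audience check. The `audiences` list is handed to `audienceRestrictionBean.setAudienceURIs(audiences)` and then mutated with `audiences.clear()` for the inbound side; that works only because the assertion has already been serialized into `baos`, so a separate list for the expected audiences would make the intent clearer. The two methods differ only in the SAML1/SAML2 callback handler, so a shared helper taking the handler would halve the hunk.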
@@ -555,6 +679,74 @@ public class SamlConditionsTest extends
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+ Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ Assert.assertNotNull(document);
+ }
+ }
+
+ // Now test AudienceRestrictions with supplied restrictions
+ @org.junit.Test
+ public void testSAML1AudienceRestrictionSeparateRestrictionsValidation() throws Exception {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ ConditionsBean conditions = new ConditionsBean();
+ conditions.setTokenPeriodMinutes(5);
+
+ List<AudienceRestrictionBean> audiencesRestrictions =
+ new ArrayList<AudienceRestrictionBean>();
+ AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
+ audienceRestrictionBean.setAudienceURIs(Collections.singletonList("http://apache.org/one"));
+ audiencesRestrictions.add(audienceRestrictionBean);
+
+ audienceRestrictionBean = new AudienceRestrictionBean();
+ audienceRestrictionBean.setAudienceURIs(Collections.singletonList("http://apache.org/two"));
+ audiencesRestrictions.add(audienceRestrictionBean);
+
+ conditions.setAudienceRestrictions(audiencesRestrictions);
+
+ callbackHandler.setConditions(conditions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_SIGNED;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+
+ // This should fail as the expected audience isn't in the assertion
+ List<String> audiences = new ArrayList<String>();
+ audiences.add("http://apache.org/three");
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setAudienceRestrictions(audiences);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ try {
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ Assert.fail("XMLStreamException expected");
+ } catch (XMLStreamException e) {
+ Assert.assertNotNull(e.getCause());
+ }
+ }
+
+ // Now add the correct audience back in...
+ audiences.add("http://apache.org/one");
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setAudienceRestrictions(audiences);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
Assert.assertNotNull(document);
}
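Review bot: `testSAML1AudienceRestrictionSeparateRestrictionsValidation` builds its assertion with `SAML2CallbackHandler`, so either the name is wrong or the SAML 1.1 counterpart that the other pair of tests has is missing; rename it to `testSAML2AudienceRestrictionSeparateRestrictionsValidation` or add the SAML1 variant. The passing case at the end also deserves a second look: the assertion carries two separate AudienceRestriction elements (`http://apache.org/one` and `http://apache.org/two`) while the recipient declares only `http://apache.org/one` (plus an unrelated `three`), and SAML 2.0 Core section 2.5.1.4 requires each AudienceRestriction to be evaluated independently with all of them satisfied, so if `SamlAssertionWrapper.checkAudienceRestrictions` (not in this diff) does a single any-match across all elements, this test pins a check that is more permissive than the specification. Confirm which semantics are intended and state them in the comment above the success block, e.g. `// one matching audience across the separate restrictions is accepted — intentionally looser than SAML Core 2.5.1.4`. The context lines at the top of this hunk belong to a method that starts outside it.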