Posted to commits@ws.apache.org by co...@apache.org on 2015/01/21 12:59:06 UTC

svn commit: r1653488 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/validate/SamlAssertionValidator.java test/java/org/apache/ws/security/saml/SamlConditionsTest.java

Author: coheigea
Date: Wed Jan 21 11:59:05 2015
New Revision: 1653488

URL: http://svn.apache.org/r1653488
Log:
[WSS-524] - Set a default TTL of 30 minutes on a SAML Assertion with no NotOnOrAfter Condition

Conflicts:
	src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
	ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
	ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java

Modified:
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
    webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1653488&r1=1653487&r2=1653488&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java Wed Jan 21 11:59:05 2015
@@ -57,6 +57,12 @@ public class SamlAssertionValidator exte
     private int futureTTL = 60;
     
     /**
+     * The time in seconds within which a SAML Assertion is valid, if it does not contain
+     * a NotOnOrAfter Condition. The default is 30 minutes.
+     */
+    private int ttl = 60 * 30;
+    
+    /**
      * Whether to validate the signature of the Assertion (if it exists) against the 
      * relevant profile. Default is true.
      */
@@ -251,6 +257,8 @@ public class SamlAssertionValidator exte
         
         // IssueInstant is not strictly in Conditions, but it has similar semantics to 
         // NotBefore, so including it here
+        
+        // Check the IssueInstant is not in the future, subject to the future TTL
         if (issueInstant != null) {
             DateTime currentTime = new DateTime();
             currentTime = currentTime.plusSeconds(futureTTL);
@@ -258,6 +266,17 @@ public class SamlAssertionValidator exte
                 LOG.debug("SAML Token IssueInstant not met");
                 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
             }
+            
+            // If there is no NotOnOrAfter, then impose a TTL on the IssueInstant.
+            if (validTill == null) {
+                currentTime = new DateTime();
+                currentTime.minusSeconds(ttl);
+                
+                if (issueInstant.isBefore(currentTime)) {
+                    LOG.debug("SAML Token IssueInstant not met. The assertion was created too long ago.");
+                    throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+                }
+            }
         }
     }
     
@@ -509,4 +528,12 @@ public class SamlAssertionValidator exte
         this.requireBearerSignature = requireBearerSignature;
     }
     
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+
 }

Modified: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java?rev=1653488&r1=1653487&r2=1653488&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java Wed Jan 21 11:59:05 2015
@@ -263,6 +263,118 @@ public class SamlConditionsTest extends
         }
     }
     
+    @org.junit.Test
+    public void testSAML2StaleIssueInstant() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        assertion.getSaml2().setIssueInstant(issueInstant);
+        assertion.getSaml2().getConditions().setNotOnOrAfter(null);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing a stale SAML Assertion");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
+    @org.junit.Test
+    public void testSAML2StaleIssueInstantButWithNotOnOrAfter() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        ConditionsBean conditions = new ConditionsBean();
+        conditions.setNotBefore(new DateTime());
+        conditions.setNotAfter(new DateTime().plusMinutes(35));
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        assertion.getSaml2().setIssueInstant(issueInstant);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        verify(unsignedDoc);
+    }
+    
+    @org.junit.Test
+    public void testSAML1StaleIssueInstant() throws Exception {
+        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.minusMinutes(31);
+        assertion.getSaml1().setIssueInstant(issueInstant);
+        assertion.getSaml1().getConditions().setNotOnOrAfter(null);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 1 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing a stale SAML Assertion");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
     /**
      * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
      * with an (invalid) custom Conditions statement.
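Review bot: All three new tests assert the rejection path; nothing in this hunk checks that an assertion with a recent IssueInstant and no NotOnOrAfter Condition is still accepted, so a validator that rejects every such assertion passes this suite unchanged. A fourth test mirroring `testSAML2StaleIssueInstant` but using `issueInstant = issueInstant.minusMinutes(1);` and calling `verify(unsignedDoc);` without a `fail(...)` would close that gap. As a style point, the callback-handler, `SAMLParms`, `WSSecSAMLToken`, `SOAPUtil` and debug-logging setup is copied verbatim across the three methods; a private helper taking the callback handler and the IssueInstant offset and returning the built `Document` would cut the hunk to a third and keep the three cases aligned.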