Posted to commits@ws.apache.org by co...@apache.org on 2015/01/14 16:08:03 UTC

svn commit: r1651695 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/validate/SamlAssertionValidator.java test/java/org/apache/ws/security/saml/SamlConditionsTest.java

Author: coheigea
Date: Wed Jan 14 15:08:02 2015
New Revision: 1651695

URL: http://svn.apache.org/r1651695
Log:
[WSS-521] - Validate that a SAML Assertion "IssueInstant" is not "in the future"


Conflicts:
	src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java

Modified:
    webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
    webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java

Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1651695&r1=1651694&r2=1651695&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java Wed Jan 14 15:08:02 2015
@@ -212,14 +212,18 @@ public class SamlAssertionValidator exte
     protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException {
         DateTime validFrom = null;
         DateTime validTill = null;
+        DateTime issueInstant = null;
+        
         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
             && assertion.getSaml2().getConditions() != null) {
             validFrom = assertion.getSaml2().getConditions().getNotBefore();
             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml2().getIssueInstant();
         } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
             && assertion.getSaml1().getConditions() != null) {
             validFrom = assertion.getSaml1().getConditions().getNotBefore();
             validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml1().getIssueInstant();
         }
         
         if (validFrom != null) {
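Review bot: The new IssueInstant check can be bypassed by simply omitting the Conditions element, because `issueInstant` is only assigned inside the two branches that first require `getConditions() != null` (the added lines after each `validTill = ...`); an assertion without Conditions reaches the later check with `issueInstant == null` and is never compared against the clock. Conditions is, as far as I recall, optional in the SAML 2.0 schema, so this is a reachable path for an attacker-supplied token. IssueInstant is an attribute of the Assertion itself, not of Conditions, so it should be read unconditionally per version with only the NotBefore/NotOnOrAfter reads kept behind the null check. checkConditions continues past the end of this hunk.

```java
        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            // IssueInstant lives on the Assertion, so read it even when Conditions is absent
            issueInstant = assertion.getSaml2().getIssueInstant();
            if (assertion.getSaml2().getConditions() != null) {
                validFrom = assertion.getSaml2().getConditions().getNotBefore();
                validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
            }
        } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)) {
            issueInstant = assertion.getSaml1().getIssueInstant();
            if (assertion.getSaml1().getConditions() != null) {
                validFrom = assertion.getSaml1().getConditions().getNotBefore();
                validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
            }
        }
        // … unchanged: NotBefore / NotOnOrAfter checks …
```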
@@ -235,6 +239,17 @@ public class SamlAssertionValidator exte
             LOG.debug("SAML Token condition (Not On Or After) not met");
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         }
+        
+        // IssueInstant is not strictly in Conditions, but it has similar semantics to 
+        // NotBefore, so including it here
+        if (issueInstant != null) {
+            DateTime currentTime = new DateTime();
+            currentTime = currentTime.plusSeconds(futureTTL);
+            if (issueInstant.isAfter(currentTime)) {
+                LOG.debug("SAML Token IssueInstant not met");
+                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+            }
+        }
     }
 
     /**
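Review bot: A null `issueInstant` silently passes the new check at `if (issueInstant != null)`; IssueInstant is a required attribute on the Assertion element in both SAML 1.1 and 2.0 (confirm against what the parser actually enforces), so a null here means the token is malformed or the value was never read, and rejecting it is safer than skipping the check. The debug message `"SAML Token IssueInstant not met"` also gives an operator nothing to act on when a legitimate peer's clock is skewed; `LOG.debug("SAML Token IssueInstant " + issueInstant + " is after " + currentTime + " (now + futureTTL)");` would make such cases diagnosable. `futureTTL` is referenced but declared outside the hunk; it is presumably the same skew allowance used for the NotBefore check. checkConditions begins before this hunk.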

Modified: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java?rev=1651695&r1=1651694&r2=1651695&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java Wed Jan 14 15:08:02 2015
@@ -224,6 +224,43 @@ public class SamlConditionsTest extends
         }
     }
     
+    @org.junit.Test
+    public void testSAML2FutureIssueInstant() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        DateTime issueInstant = new DateTime();
+        issueInstant = issueInstant.plusMinutes(60);
+        assertion.getSaml2().setIssueInstant(issueInstant);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+        
+        try {
+            verify(unsignedDoc);
+            fail("Failure expected in processing the SAML Conditions element");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getMessage().contains("SAML token security failure"));
+        }
+    }
+    
     /**
      * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
      * with an (invalid) custom Conditions statement.
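Review bot: The test only covers the SAML 2.0 path although the commit adds the same check for SAML 1.1 (`assertion.getSaml1().getIssueInstant()`), and nothing pins the tolerance boundary, so a regression that drops the `futureTTL` allowance or the 1.1 branch would go unnoticed. Add a sibling test that sets a SAML 1.1 IssueInstant 60 minutes ahead and expects the same failure, and a positive case with an IssueInstant a few seconds ahead (within the validator's futureTTL) that must verify successfully. The failure message at `fail(...)` names the Conditions element although the rejected value is IssueInstant; `fail("Failure expected on a SAML Assertion with an IssueInstant in the future");` is more accurate. The debug label "sender vouches" appears copied from neighbouring tests and nothing in this test visibly sets a confirmation method, so it may be worth correcting as well.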