Posted to commits@ws.apache.org by co...@apache.org on 2017/03/22 15:52:10 UTC

svn commit: r1788127 - in /webservices/wss4j/branches/2_0_x-fixes: ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java

Author: coheigea
Date: Wed Mar 22 15:52:10 2017
New Revision: 1788127

URL: http://svn.apache.org/viewvc?rev=1788127&view=rev
Log:
WSS-603 - Improper date check in SamlAssertionWrapper.checkIssueInstant

Modified:
    webservices/wss4j/branches/2_0_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
    webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java

Modified: webservices/wss4j/branches/2_0_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_0_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java?rev=1788127&r1=1788126&r2=1788127&view=diff
==============================================================================
--- webservices/wss4j/branches/2_0_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java (original)
+++ webservices/wss4j/branches/2_0_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java Wed Mar 22 15:52:10 2017
@@ -837,8 +837,7 @@ public class SamlAssertionWrapper {
         
         // Check the IssueInstant is not in the future, subject to the future TTL
         if (issueInstant != null) {
-            DateTime currentTime = new DateTime();
-            currentTime = currentTime.plusSeconds(futureTTL);
+            DateTime currentTime = new DateTime().plusSeconds(futureTTL);
             if (issueInstant.isAfter(currentTime)) {
                 LOG.debug("SAML Token IssueInstant not met");
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
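Review bot: The bound computed on line 29 is stored in a variable named `currentTime` although it is now plus `futureTTL`, and the same variable is reassigned to a different bound (now minus `ttl`) in the next hunk, which is the kind of reuse that made the original discarded-result bug easy to miss. Reading the clock once and naming the bounds by their meaning would make both checks self-describing: `DateTime now = new DateTime();` then `if (issueInstant.isAfter(now.plusSeconds(futureTTL))) {` here and `if (issueInstant.isBefore(now.minusSeconds(ttl))) {` in the second hunk. This also removes the second `new DateTime()` call, so both limits are derived from the same instant. The enclosing method begins before this hunk and continues past the second one, so where `futureTTL` and `ttl` are validated is not visible here.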
@@ -846,9 +845,8 @@ public class SamlAssertionWrapper {
             
             // If there is no NotOnOrAfter, then impose a TTL on the IssueInstant.
             if (validTill == null) {
-                currentTime = new DateTime();
-                currentTime.minusSeconds(ttl);
-                
+                currentTime = new DateTime().minusSeconds(ttl);
+
                 if (issueInstant.isBefore(currentTime)) {
                     LOG.debug("SAML Token IssueInstant not met. The assertion was created too long ago.");
                     throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
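Review bot: The corrected line 40 would benefit from a comment explaining why the chained form is required, since the original bug (calling `minusSeconds` and dropping its result) is a silent one and nothing in the code now warns the next maintainer against reintroducing it. Something like `// Joda DateTime is immutable: minusSeconds() returns a new instance, so its result must be assigned (WSS-603)` above line 40 records the reason. As a consequence of the old code, the stale check effectively compared against "now" and rejected valid assertions that lacked NotOnOrAfter; the comment helps readers understand that the TTL is only honoured through this assignment. The enclosing method continues outside the hunk.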

Modified: webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java?rev=1788127&r1=1788126&r2=1788127&view=diff
==============================================================================
--- webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java (original)
+++ webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java Wed Mar 22 15:52:10 2017
@@ -214,7 +214,39 @@ public class SamlConditionsTest extends
         }
     }
     
-    @org.junit.Test
+    @Test
+    public void testSAML2NoNotOnOrAfter() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+        DateTime issueInstant = new DateTime().minusSeconds(5);
+        samlAssertion.getSaml2().setIssueInstant(issueInstant);
+        samlAssertion.getSaml2().getConditions().setNotOnOrAfter(null);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader(doc);
+        secHeader.insertSecurityHeader();
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken(secHeader);
+
+        Document unsignedDoc = wsSign.build(samlAssertion);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+            String outputString =
+                XMLUtils.prettyDocumentToString(unsignedDoc);
+            LOG.debug(outputString);
+        }
+
+        verify(unsignedDoc);
+    }
+
+    @Test
     public void testSAML2StaleIssueInstantButWithNotOnOrAfter() throws Exception {
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
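Review bot: The new `testSAML2NoNotOnOrAfter` on lines 57-86 only covers the acceptance path (an IssueInstant five seconds old with no NotOnOrAfter must verify), so a future regression that skips the TTL check entirely when NotOnOrAfter is absent would still pass this suite. A companion negative test that sets `DateTime issueInstant = new DateTime().minusSeconds(<placeholder: value larger than the configured ttl>);`, clears NotOnOrAfter the same way as line 68, and asserts that `verify(unsignedDoc)` throws `WSSecurityException` would pin both sides of the fixed check. The test also implicitly assumes the verifier's default ttl exceeds five seconds; that default is not visible in this hunk, so a comment on line 66 stating the assumption would help. The debug label on line 79 says "(sender vouches)", which does not seem to describe this test; it may be a copy from the neighbouring tests. The method `testSAML2StaleIssueInstantButWithNotOnOrAfter` starting on line 89 continues past the end of the hunk.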