Posted to commits@cxf.apache.org by co...@apache.org on 2012/04/06 12:58:46 UTC
svn commit: r1310278 - in /cxf/trunk/services/sts/sts-core/src:
main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Author: coheigea
Date: Fri Apr 6 10:58:46 2012
New Revision: 1310278
URL: http://svn.apache.org/viewvc?rev=1310278&view=rev
Log:
Added functionality to prevent the renewal of a token that has been expired for longer than a configurable maximum (default 30 minutes)
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1310278&r1=1310277&r2=1310278&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java Fri Apr 6 10:58:46 2012
@@ -58,14 +58,18 @@ import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;
/**
- * A TokenRenewer implementation that renews a (valid) SAML Token.
+ * A TokenRenewer implementation that renews a (valid or expired) SAML Token.
*/
public class SAMLTokenRenewer implements TokenRenewer {
+ // The default maximum expired time a token is allowed to be is 30 minutes
+ public static final long DEFAULT_MAX_EXPIRY = 60L * 30L;
+
private static final Logger LOG = LogUtils.getL7dLogger(SAMLTokenRenewer.class);
private boolean signToken = true;
private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
private Map<String, SAMLRealm> realmMap = new HashMap<String, SAMLRealm>();
+ private long maxExpiry = DEFAULT_MAX_EXPIRY;
/**
* Return true if this TokenRenewer implementation is able to renew a token.
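Review bot: The unit of `DEFAULT_MAX_EXPIRY` is only discoverable from the setter Javadoc further down; the constant's own comment should name it, since the value is later multiplied by 1000 to compare against milliseconds. I would change it to `// Default maximum time (in seconds) a token may have been expired for and still be renewed: 30 minutes`. The updated class Javadoc "(valid or expired)" is also broader than what the code does; a sentence such as "An expired token is renewed only if it expired no more than maxExpiry seconds ago (default 30 minutes)" would make the window visible at the class level. The class body continues outside this hunk.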
@@ -98,6 +102,21 @@ public class SAMLTokenRenewer implements
//
}
+ /**
+ * Set a new value (in seconds) for how long a token is allowed to be expired for before renewal.
+ * The default is 30 minutes.
+ */
+ public void setMaxExpiry(long newExpiry) {
+ maxExpiry = newExpiry;
+ }
+
+ /**
+ * Get how long a token is allowed to be expired for before renewal (in seconds). The default is
+ * 30 minutes.
+ */
+ public long getMaxExpiry() {
+ return maxExpiry;
+ }
/**
* Renew a token given a TokenRenewerParameters
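Review bot: `setMaxExpiry` accepts any `long`, including negative values, and nothing documents what the edge values mean. A negative value makes the later comparison `(now - expiry) > maxExpiry * 1000L` true for every expired token, which is indistinguishable from a misconfiguration, so I would reject it up front: `if (newExpiry < 0) { throw new IllegalArgumentException("maxExpiry must not be negative"); }`. The Javadoc should then state that `0` means expired tokens are never renewed, and that the value is later scaled to milliseconds, so extremely large values would overflow `long`.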
@@ -116,6 +135,18 @@ public class SAMLTokenRenewer implements
try {
AssertionWrapper assertion = new AssertionWrapper((Element)tokenToRenew.getToken());
+ // Check to see whether the token has expired greater than the configured max expiry time
+ if (tokenToRenew.getState() == STATE.EXPIRED) {
+ DateTime expiryDate = getExpiryDate(assertion);
+ DateTime currentDate = new DateTime();
+ if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
+ LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
+ throw new STSException(
+ "The token expired too long ago to be renewed", STSException.REQUEST_FAILED
+ );
+ }
+ }
+
// Create new Conditions & sign the Assertion
createNewConditions(assertion, tokenParameters);
signAssertion(assertion, tokenParameters);
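Review bot: The new check on the added lines is keyed entirely on `tokenToRenew.getState() == STATE.EXPIRED`, a flag supplied by the caller, rather than on the signed `NotOnOrAfter` the code already has in hand via `getExpiryDate(assertion)`; if a token reaches this method with a state other than EXPIRED (for example a state never set, or whatever else `canHandleToken` admits, which is outside this hunk), the limit is silently skipped. Computing the window from the assertion itself whenever an expiry date is present removes that dependency. Separately, `getExpiryDate` dereferences `getConditions()` without a null check, and `Conditions`/`NotOnOrAfter` are optional in SAML, so an assertion without them would raise a NullPointerException inside the enclosing `try` rather than a clear STSException; the surrounding `try` and the rest of `renewToken` start and end outside this hunk, so I cannot tell how that is reported. Suggested shape:

```java
// Reject tokens that expired more than maxExpiry seconds ago, based on the
// assertion's own NotOnOrAfter rather than a caller-supplied state flag
DateTime expiryDate = getExpiryDate(assertion);
if (expiryDate != null) {
    long expiredForMs = new DateTime().getMillis() - expiryDate.getMillis();
    if (expiredForMs > maxExpiry * 1000L) {
        // … unchanged: log warning and throw STSException(REQUEST_FAILED) …
    }
}
```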
@@ -350,5 +381,13 @@ public class SAMLTokenRenewer implements
}
}
+
+ private DateTime getExpiryDate(AssertionWrapper assertion) {
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ return assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else {
+ return assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+ }
}
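Review bot: `getExpiryDate` will throw a NullPointerException when the assertion carries no `Conditions` element, because both branches call `getConditions().getNotOnOrAfter()` unguarded, and both `Conditions` and `NotOnOrAfter` are optional in the SAML schemas. The method should either return `null` in that case and say so in a Javadoc ("Returns the NotOnOrAfter instant from the assertion's Conditions, or null if the assertion has no Conditions or no NotOnOrAfter"), or the caller must treat the missing value explicitly; as written, the contract is undocumented. A guard of the form `return conditions == null ? null : conditions.getNotOnOrAfter();` in each branch, with the `getConditions()` result held in a local, is enough. Minor: `assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)` compares enum-like constants and would read more directly as `==`, though that is a style preference.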
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1310278&r1=1310277&r2=1310278&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java Fri Apr 6 10:58:46 2012
@@ -47,6 +47,7 @@ import org.apache.cxf.sts.token.validato
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.CustomTokenPrincipal;
import org.apache.ws.security.WSConstants;
@@ -373,6 +374,61 @@ public class SAMLTokenRenewerTest extend
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
}
+
+ /**
+ * Renew an expired SAML2 Assertion that has expired greater than the maximum allowable time
+ * for renewal.
+ */
+ @org.junit.Test
+ public void renewTooFarExpiredSAML2Assertion() throws Exception {
+ // Create the Assertion
+ Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+ CallbackHandler callbackHandler = new PasswordCallbackHandler();
+ Element samlToken =
+ createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50);
+ Document doc = samlToken.getOwnerDocument();
+ samlToken = (Element)doc.appendChild(samlToken);
+ // Sleep to expire the token
+ Thread.sleep(2000);
+
+ // Validate the Assertion
+ TokenValidator samlTokenValidator = new SAMLTokenValidator();
+ TokenValidatorParameters validatorParameters = createValidatorParameters();
+ TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+ ReceivedToken validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ TokenValidatorResponse validatorResponse =
+ samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+
+ // Renew the Assertion
+ TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
+ renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
+ renewerParameters.setStsProperties(validatorParameters.getStsProperties());
+ renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
+ renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext());
+ renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
+ renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
+ renewerParameters.setTokenStore(validatorParameters.getTokenStore());
+ renewerParameters.setToken(validatorResponse.getToken());
+
+ TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ ((SAMLTokenRenewer)samlTokenRenewer).setMaxExpiry(1L);
+ assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+
+ try {
+ samlTokenRenewer.renewToken(renewerParameters);
+ fail("Failure expected as the token expired too long ago");
+ } catch (STSException ex) {
+ // Expected
+ }
+ }
private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
TokenValidatorParameters parameters = new TokenValidatorParameters();