You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2011/12/08 16:49:58 UTC
svn commit: r1211938 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/validate/
test/java/org/apache/ws/security/common/
test/java/org/apache/ws/security/saml/
Author: coheigea
Date: Thu Dec 8 15:49:57 2011
New Revision: 1211938
URL: http://svn.apache.org/viewvc?rev=1211938&view=rev
Log:
[WSS-320] - Support validating Conditions in the SAMLAssertionValidator.
Added:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/AbstractSAMLCallbackHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML1CallbackHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML2CallbackHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1211938&r1=1211937&r2=1211938&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java Thu Dec 8 15:49:57 2011
@@ -26,6 +26,8 @@ import org.apache.ws.security.handler.Re
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.joda.time.DateTime;
+import org.opensaml.common.SAMLVersion;
/**
* This class validates a SAML Assertion, which is wrapped in an "AssertionWrapper" instance.
@@ -36,6 +38,9 @@ import org.apache.ws.security.saml.ext.O
*/
public class SamlAssertionValidator extends SignatureTrustValidator {
+ private static org.apache.commons.logging.Log LOG =
+ org.apache.commons.logging.LogFactory.getLog(SamlAssertionValidator.class);
+
/**
* Validate the credential argument. It must contain a non-null AssertionWrapper.
* A Crypto and a CallbackHandler implementation is also required to be set.
@@ -58,13 +63,33 @@ public class SamlAssertionValidator exte
}
if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
if (assertion.getSubjectKeyInfo() == null) {
+ LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method");
throw new WSSecurityException(WSSecurityException.FAILURE, "noKeyInSAMLToken");
}
// The assertion must have been signed for HOK
if (!assertion.isSigned()) {
+ LOG.debug("A holder-of-key assertion must be signed");
throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
}
}
+
+ // Check conditions
+ DateTime validFrom = null;
+ DateTime validTill = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
+ && assertion.getSaml2().getConditions() != null) {
+ validFrom = assertion.getSaml2().getConditions().getNotBefore();
+ validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
+ && assertion.getSaml1().getConditions() != null) {
+ validFrom = assertion.getSaml1().getConditions().getNotBefore();
+ validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+ if (validFrom != null && validTill != null
+ && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
+ LOG.debug("SAML Token condition not met");
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ }
// Verify trust on the signature
if (assertion.isSigned()) {
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/AbstractSAMLCallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/AbstractSAMLCallbackHandler.java?rev=1211938&r1=1211937&r2=1211938&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/AbstractSAMLCallbackHandler.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/AbstractSAMLCallbackHandler.java Thu Dec 8 15:49:57 2011
@@ -27,6 +27,7 @@ import org.apache.ws.security.saml.ext.b
import org.apache.ws.security.saml.ext.bean.AttributeStatementBean;
import org.apache.ws.security.saml.ext.bean.AuthenticationStatementBean;
import org.apache.ws.security.saml.ext.bean.AuthDecisionStatementBean;
+import org.apache.ws.security.saml.ext.bean.ConditionsBean;
import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
import org.apache.ws.security.saml.ext.bean.SubjectBean;
import org.apache.ws.security.saml.ext.bean.SubjectLocalityBean;
@@ -65,6 +66,11 @@ public abstract class AbstractSAMLCallba
protected String subjectLocalityDnsAddress = null;
protected String resource = null;
protected List<?> customAttributeValues = null;
+ protected ConditionsBean conditions = null;
+
+ public void setConditions(ConditionsBean conditionsBean) {
+ this.conditions = conditionsBean;
+ }
public void setConfirmationMethod(String confMethod) {
confirmationMethod = confMethod;
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML1CallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML1CallbackHandler.java?rev=1211938&r1=1211937&r2=1211938&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML1CallbackHandler.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML1CallbackHandler.java Thu Dec 8 15:49:57 2011
@@ -59,6 +59,10 @@ public class SAML1CallbackHandler extend
SAMLCallback callback = (SAMLCallback) callbacks[i];
callback.setSamlVersion(SAMLVersion.VERSION_11);
callback.setIssuer(issuer);
+ if (conditions != null) {
+ callback.setConditions(conditions);
+ }
+
SubjectBean subjectBean =
new SubjectBean(
subjectName, subjectQualifier, confirmationMethod
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML2CallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML2CallbackHandler.java?rev=1211938&r1=1211937&r2=1211938&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML2CallbackHandler.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAML2CallbackHandler.java Thu Dec 8 15:49:57 2011
@@ -58,6 +58,10 @@ public class SAML2CallbackHandler extend
SAMLCallback callback = (SAMLCallback) callbacks[i];
callback.setSamlVersion(SAMLVersion.VERSION_20);
callback.setIssuer(issuer);
+ if (conditions != null) {
+ callback.setConditions(conditions);
+ }
+
SubjectBean subjectBean =
new SubjectBean(
subjectName, subjectQualifier, confirmationMethod
Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java?rev=1211938&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java (added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java Thu Dec 8 15:49:57 2011
@@ -0,0 +1,218 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.saml;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.common.CustomHandler;
+import org.apache.ws.security.common.CustomSamlAssertionValidator;
+import org.apache.ws.security.common.SAML1CallbackHandler;
+import org.apache.ws.security.common.SAML2CallbackHandler;
+import org.apache.ws.security.common.SAMLElementCallbackHandler;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.WSSecSAMLToken;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.SAMLParms;
+import org.apache.ws.security.saml.ext.bean.ConditionsBean;
+import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+import org.joda.time.DateTime;
+import org.opensaml.Configuration;
+import org.opensaml.common.SAMLObjectBuilder;
+import org.opensaml.saml2.core.AttributeValue;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.xml.XMLObjectBuilder;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+import org.opensaml.xml.schema.XSAny;
+import org.w3c.dom.Document;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Test-case for sending and processing an a SAML Token with a custom Conditions element.
+ */
+public class SamlConditionsTest extends org.junit.Assert {
+ private static final org.apache.commons.logging.Log LOG =
+ org.apache.commons.logging.LogFactory.getLog(SamlConditionsTest.class);
+ private WSSecurityEngine secEngine = new WSSecurityEngine();
+
+ public SamlConditionsTest() {
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setValidator(WSSecurityEngine.SAML_TOKEN, new CustomSamlAssertionValidator());
+ config.setValidator(WSSecurityEngine.SAML2_TOKEN, new CustomSamlAssertionValidator());
+ secEngine.setWssConfig(config);
+ }
+
+ /**
+ * Test that creates, sends and processes an unsigned SAML 1.1 authentication assertion
+ * with a custom Conditions statement.
+ */
+ @org.junit.Test
+ public void testSAML1Conditions() throws Exception {
+ SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+ callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ ConditionsBean conditions = new ConditionsBean();
+ DateTime notBefore = new DateTime();
+ conditions.setNotBefore(notBefore);
+ conditions.setNotAfter(notBefore.plusMinutes(20));
+ callbackHandler.setConditions(conditions);
+
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("SAML 1.1 Authn Assertion (sender vouches):");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+ LOG.debug(outputString);
+ }
+
+ List<WSSecurityEngineResult> results = verify(unsignedDoc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
+ AssertionWrapper receivedAssertion =
+ (AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(receivedAssertion != null);
+ assertTrue(!receivedAssertion.isSigned());
+ assertTrue(receivedAssertion.getSignatureValue() == null);
+ }
+
+ /**
+ * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
+ * with an (invalid) custom Conditions statement.
+ */
+ @org.junit.Test
+ public void testSAML2InvalidAfterConditions() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ ConditionsBean conditions = new ConditionsBean();
+ DateTime notBefore = new DateTime();
+ conditions.setNotBefore(notBefore.minusMinutes(5));
+ conditions.setNotAfter(notBefore.minusMinutes(3));
+ callbackHandler.setConditions(conditions);
+
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+ LOG.debug(outputString);
+ }
+
+ try {
+ verify(unsignedDoc);
+ fail("Failure expected in processing the SAML Conditions element");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getMessage().contains("SAML token security failure"));
+ }
+ }
+
+ /**
+ * Test that creates, sends and processes an unsigned SAML 2 authentication assertion
+ * with an (invalid) custom Conditions statement.
+ */
+ @org.junit.Test
+ public void testSAML2InvalidBeforeConditions() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ ConditionsBean conditions = new ConditionsBean();
+ DateTime notBefore = new DateTime();
+ conditions.setNotBefore(notBefore.plusMinutes(2));
+ conditions.setNotAfter(notBefore.plusMinutes(5));
+ callbackHandler.setConditions(conditions);
+
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, assertion, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(unsignedDoc);
+ LOG.debug(outputString);
+ }
+
+ try {
+ verify(unsignedDoc);
+ fail("Failure expected in processing the SAML Conditions element");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getMessage().contains("SAML token security failure"));
+ }
+ }
+
+ /**
+ * Verifies the soap envelope
+ * <p/>
+ *
+ * @param envelope
+ * @throws Exception Thrown when there is a problem in verification
+ */
+ private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, null, null);
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ assertTrue(outputString.indexOf("counter_port_type") > 0 ? true : false);
+ return results;
+ }
+
+}
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java?rev=1211938&r1=1211937&r2=1211938&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java Thu Dec 8 15:49:57 2011
@@ -54,8 +54,6 @@ import javax.security.auth.callback.Call
/**
* Some tests for how SAML tokens are referenced.
- * TODO - Add tests for references from an EncryptedData structure to a SAML Assertion when
- * WSS-265 is fixed: https://issues.apache.org/jira/browse/WSS-265
*/
public class SamlReferenceTest extends org.junit.Assert {
private static final org.apache.commons.logging.Log LOG =