Posted to commits@ws.apache.org by co...@apache.org on 2011/01/11 14:02:26 UTC
svn commit: r1057610 - in /webservices/wss4j/trunk: ./
src/main/java/org/apache/ws/security/action/
src/main/java/org/apache/ws/security/components/crypto/
src/main/java/org/apache/ws/security/message/
src/main/java/org/apache/ws/security/processor/ sr...
Author: coheigea
Date: Tue Jan 11 13:02:25 2011
New Revision: 1057610
URL: http://svn.apache.org/viewvc?rev=1057610&view=rev
Log:
[WSS-146] - Support validating signatures in the SAMLTokenProcessor
- Added some negative tests.
- Also refactored SAMLUtil to support extracting credentials from SAML2 subjects.
Modified:
webservices/wss4j/trunk/pom.xml
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoFactory.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignaturePartsTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java
Modified: webservices/wss4j/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Tue Jan 11 13:02:25 2011
@@ -120,8 +120,7 @@
<verbose>true</verbose>
<targetJdk>1.5</targetJdk>
<excludes>
- <exclude>**/Merlin.java, **/CryptoBase.java, **/SAMLIssuerImpl.java, **/DOM2Writer.java
- </exclude>
+ <exclude>**/CryptoBase.java, **/DOM2Writer.java</exclude>
</excludes>
</configuration>
<executions>
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java Tue Jan 11 13:02:25 2011
@@ -56,7 +56,6 @@ public class SAMLTokenSignedAction imple
}
SAMLIssuer saml = loadSamlIssuer(handler, reqData);
- saml.setInstanceDoc(doc);
AssertionWrapper assertion = saml.newAssertion();
if (assertion == null) {
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoFactory.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoFactory.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoFactory.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoFactory.java Tue Jan 11 13:02:25 2011
@@ -170,7 +170,7 @@ public abstract class CryptoFactory {
* @return
*/
private static Crypto loadClass(String cryptoClassName, Map map, ClassLoader loader) {
- Class cryptogenClass = null;
+ Class<?> cryptogenClass = null;
Crypto crypto = null;
if (cryptoClassName != null) {
@@ -184,17 +184,17 @@ public abstract class CryptoFactory {
}
log.debug("Using Crypto Engine [" + cryptoClassName + "]");
try {
- Class[] classes = null;
+ Class<?>[] classes = null;
//
// for backwards compat
//
if (map instanceof Properties) {
- classes = new Class[]{Properties.class,ClassLoader.class};
+ classes = new Class[]{Properties.class, ClassLoader.class};
} else {
- classes = new Class[]{Map.class,ClassLoader.class};
+ classes = new Class[]{Map.class, ClassLoader.class};
}
- Constructor c = cryptogenClass.getConstructor(classes);
- crypto = (Crypto) c.newInstance(new Object[]{map,loader});
+ Constructor<?> c = cryptogenClass.getConstructor(classes);
+ crypto = (Crypto) c.newInstance(new Object[] {map, loader});
return crypto;
} catch (java.lang.Exception e) {
if (log.isDebugEnabled()) {
@@ -212,6 +212,7 @@ public abstract class CryptoFactory {
}
}
}
+
/**
* Gets the properties for crypto.
* The functions loads the property file via
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java Tue Jan 11 13:02:25 2011
@@ -22,12 +22,10 @@ package org.apache.ws.security.message;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.opensaml.xml.io.MarshallingException;
-import org.opensaml.xml.signature.SignatureException;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -77,9 +75,7 @@ public class WSSecSAMLToken extends WSSe
try {
Element element = (Element) saml.toDOM(document);
WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), element);
- } catch (SignatureException ex) {
- throw new RuntimeException(ex.toString(), ex);
- } catch (MarshallingException ex) {
+ } catch (WSSecurityException ex) {
throw new RuntimeException(ex.toString(), ex);
}
}
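Review bot: The replacement `catch (WSSecurityException ex)` still rethrows as `throw new RuntimeException(ex.toString(), ex);`, which discards the WSSecurityException error code that callers elsewhere in this commit match on and bakes the exception's own toString into the message a second time. If the enclosing method's signature (outside the hunk) can declare `throws WSSecurityException`, letting the typed exception propagate is the simpler contract; otherwise `throw new RuntimeException(ex.getMessage(), ex);` avoids the duplicated text while keeping the cause.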
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java Tue Jan 11 13:02:25 2011
@@ -30,9 +30,6 @@ import org.apache.ws.security.components
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.DOM2Writer;
-import org.opensaml.xml.io.UnmarshallingException;
-import org.opensaml.xml.validation.ValidationException;
-
import org.w3c.dom.Element;
import java.util.List;
@@ -52,7 +49,7 @@ public class SAMLTokenProcessor implemen
if (log.isDebugEnabled()) {
log.debug("Found SAML Assertion element");
}
- AssertionWrapper assertion = handleSAMLToken(elem);
+ AssertionWrapper assertion = handleSAMLToken(elem, crypto);
wsDocInfo.addTokenElement(elem);
WSSecurityEngineResult result =
new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion);
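Review bot: The result built at the end of this hunk is still tagged `WSConstants.ST_UNSIGNED` even though handleSAMLToken now receives the Crypto and (next hunk) calls `assertion.verify(crypto)`, so a consumer of the WSSecurityEngineResult list cannot tell a signature-validated assertion from an unverified one. If verify(crypto) validates an enclosed ds:Signature, which this diff does not show, the processor should tag the result ST_SIGNED when the wrapper reports a verified signature and ST_UNSIGNED otherwise, or at least document on the result that ST_UNSIGNED here does not mean "no signature". The enclosing handleToken method starts before this hunk.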
@@ -62,28 +59,15 @@ public class SAMLTokenProcessor implemen
return java.util.Collections.singletonList(result);
}
- public AssertionWrapper handleSAMLToken(Element token) throws WSSecurityException {
- boolean result = false;
- AssertionWrapper assertion = null;
- try {
- assertion = new AssertionWrapper(token);
- assertion.verify();
- result = true;
- if (log.isDebugEnabled()) {
- log.debug("SAML Assertion issuer " + assertion.getIssuerString());
- log.debug(DOM2Writer.nodeToString(token));
- }
- } catch (UnmarshallingException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
- );
- } catch (ValidationException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
- );
- }
- if (!result) {
- throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
+ public AssertionWrapper handleSAMLToken(
+ Element token,
+ Crypto crypto
+ ) throws WSSecurityException {
+ AssertionWrapper assertion = new AssertionWrapper(token);
+ assertion.verify(crypto);
+ if (log.isDebugEnabled()) {
+ log.debug("SAML Assertion issuer " + assertion.getIssuerString());
+ log.debug(DOM2Writer.nodeToString(token));
}
return assertion;
}
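Review bot: handleSAMLToken is public, gains a Crypto parameter, and has no Javadoc, while the removed catch blocks were the only place that said unmarshalling and validation failures surface as an invalidSAMLsecurity WSSecurityException; that contract now lives in the AssertionWrapper constructor and verify(crypto), which this hunk cannot show. Suggest a Javadoc stating that the element is parsed and `verify(crypto)` is invoked before the wrapper is returned, with `@param crypto the Crypto used to validate an enclosing signature` (including what happens when it is null, which nothing here guards) and `@throws WSSecurityException if the token cannot be parsed or fails verification`.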
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java Tue Jan 11 13:02:25 2011
@@ -22,7 +22,6 @@ package org.apache.ws.security.saml;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.w3c.dom.Document;
/**
* Builds a WS SAML Assertion and inserts it into the SOAP Envelope.
@@ -30,7 +29,6 @@ import org.w3c.dom.Document;
*
* @author Davanum Srinivas (dims@yahoo.com).
*/
-
public interface SAMLIssuer {
/**
@@ -58,8 +56,4 @@ public interface SAMLIssuer {
*/
public String getIssuerKeyPassword();
- /**
- * @param instanceDoc The instanceDoc to set.
- */
- public void setInstanceDoc(Document instanceDoc);
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java Tue Jan 11 13:02:25 2011
@@ -21,8 +21,6 @@ package org.apache.ws.security.saml;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
@@ -30,8 +28,6 @@ import org.apache.ws.security.components
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.saml.ext.SAMLParms;
-import org.apache.ws.security.saml.ext.builder.SAML1Constants;
-import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.apache.ws.security.util.Loader;
import org.opensaml.xml.security.x509.BasicX509Credential;
@@ -40,24 +36,12 @@ import org.opensaml.xml.signature.KeyInf
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import java.security.KeyException;
import java.security.PrivateKey;
-import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
-import java.util.Collection;
-import java.util.Date;
import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
-import javax.xml.crypto.MarshalException;
-import javax.xml.crypto.XMLStructure;
-import javax.xml.crypto.dom.DOMStructure;
-import javax.xml.crypto.dsig.keyinfo.KeyValue;
-import javax.xml.crypto.dsig.keyinfo.X509Data;
/**
* Builds a WS SAML Assertion and inserts it into the SOAP Envelope. Refer to
@@ -70,17 +54,13 @@ public class SAMLIssuerImpl implements S
private static final Log log = LogFactory.getLog(SAMLIssuerImpl.class.getName());
private AssertionWrapper sa = null;
-
- private Document instanceDoc = null;
-
+
private Properties properties = null;
private Crypto issuerCrypto = null;
private String issuerKeyPassword = null;
private String issuerKeyName = null;
- private WSSConfig wssConfig = WSSConfig.getNewInstance();
-
private String samlVersion = null;
/**
@@ -255,10 +235,4 @@ public class SAMLIssuerImpl implements S
return issuerKeyPassword;
}
- /**
- * @param instanceDoc The instanceDoc to set.
- */
- public void setInstanceDoc(Document instanceDoc) {
- this.instanceDoc = instanceDoc;
- }
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java Tue Jan 11 13:02:25 2011
@@ -49,6 +49,10 @@ public class SAMLKeyInfo {
*/
AssertionWrapper assertion;
+ public SAMLKeyInfo() {
+ //
+ }
+
public SAMLKeyInfo(AssertionWrapper assertion, X509Certificate[] certs) {
this.certs = certs;
this.assertion = assertion;
@@ -68,15 +72,31 @@ public class SAMLKeyInfo {
return certs;
}
+ public void setCerts(X509Certificate[] certs) {
+ this.certs = certs;
+ }
+
public byte[] getSecret() {
return secret;
}
+
+ public void setSecret(byte[] secret) {
+ this.secret = secret;
+ }
public PublicKey getPublicKey() {
return this.publicKey;
}
+
+ public void setPublicKey(PublicKey publicKey) {
+ this.publicKey = publicKey;
+ }
public AssertionWrapper getAssertion() {
return assertion;
}
+
+ public void setAssertion(AssertionWrapper assertion) {
+ this.assertion = assertion;
+ }
}
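Review bot: The new public setters, together with the no-arg constructor in the previous hunk, turn SAMLKeyInfo into a mutable holder with no Javadoc on any of the additions, and `setCerts` and `setSecret` store the caller's array reference, so the secret bytes can be changed after the object has been handed to a verifier. A class-level comment saying that the object is not immutable or thread-safe, and that setAssertion exists so a credential parsed from a bare KeyInfo can have its assertion attached afterwards (which is what SAMLUtil in this commit appears to use it for), would make the intended lifecycle clear; if the mutation is unwanted, `this.secret = secret == null ? null : secret.clone();` in the setter is the minimal defensive copy.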
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java Tue Jan 11 13:02:25 2011
@@ -19,9 +19,6 @@
package org.apache.ws.security.saml;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
@@ -35,14 +32,6 @@ import org.apache.ws.security.saml.ext.A
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.opensaml.common.SAMLObject;
-import org.opensaml.saml1.core.AttributeStatement;
-import org.opensaml.saml1.core.AuthenticationStatement;
-import org.opensaml.saml1.core.Statement;
-import org.opensaml.saml1.core.Subject;
-import org.opensaml.saml1.core.SubjectStatement;
-import org.opensaml.xml.io.UnmarshallingException;
-
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;
@@ -51,7 +40,6 @@ import javax.security.auth.callback.Call
import javax.security.auth.callback.CallbackHandler;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
-import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
@@ -60,14 +48,12 @@ import javax.xml.namespace.QName;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
-import java.util.Iterator;
import java.util.List;
/**
* Utility methods for SAML stuff
*/
public class SAMLUtil {
- private static Log log = LogFactory.getLog(SAMLUtil.class.getName());
/**
* Get a SAMLKeyInfo object from parsing a SecurityTokenReference that uses
@@ -109,33 +95,30 @@ public class SAMLUtil {
);
}
if (assertion == null) {
- return SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
+ return SAMLUtil.getCredentialFromSubject(token, crypto, cb);
} else {
- return SAMLUtil.getSAMLKeyInfo(assertion, crypto, cb);
+ return SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
}
}
/**
- * Parse a SAML Assertion as a DOM element to obtain a SAMLKeyInfo object.
+ * Parse a SAML Assertion as a DOM element to obtain a SAMLKeyInfo object from
+ * the Subject of the assertion
*
* @param elem The SAML Assertion as a DOM element
* @return a SAMLKeyInfo object
* @throws WSSecurityException
*/
- public static SAMLKeyInfo getSAMLKeyInfo(
+ public static SAMLKeyInfo getCredentialFromSubject(
Element elem, Crypto crypto, CallbackHandler cb
) throws WSSecurityException {
- try {
- AssertionWrapper assertion = new AssertionWrapper(elem);
- return getSAMLKeyInfo(assertion, crypto, cb);
- } catch (UnmarshallingException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidSAMLToken", new Object[]{"for Signature (cannot parse)"}, e);
- }
+ AssertionWrapper assertion = new AssertionWrapper(elem);
+ return getCredentialFromSubject(assertion, crypto, cb);
}
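Review bot: The Javadoc of the renamed getCredentialFromSubject(Element, Crypto, CallbackHandler) still documents only `@param elem`, leaving `@param crypto` and `@param cb` undescribed. As far as this diff shows, the method only parses the element and reads key material out of its Subject; nothing here checks the assertion's signature (SAMLTokenProcessor calls verify(crypto) separately), so a sentence such as "The assertion is parsed but not verified; callers must validate its signature before trusting the returned credential" belongs in the description.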
/**
- * Parse a SAML Assertion to obtain a SAMLKeyInfo object.
+ * Parse a SAML Assertion to obtain a SAMLKeyInfo object from
+ * the Subject of the assertion
*
* @param assertion The SAML Assertion
* @param crypto The Crypto instance to use to obtain certificates
@@ -143,7 +126,7 @@ public class SAMLUtil {
* @return a SAMLKeyInfo object
* @throws WSSecurityException
*/
- public static SAMLKeyInfo getSAMLKeyInfo(
+ public static SAMLKeyInfo getCredentialFromSubject(
AssertionWrapper assertion, Crypto crypto, CallbackHandler cb
) throws WSSecurityException {
// First ask the cb whether it can provide the secret
@@ -162,217 +145,188 @@ public class SAMLUtil {
}
}
- // WARNING! THIS IS HARD CODED TO SAML v1.1
- org.opensaml.saml1.core.Assertion saml11Assertion = assertion.getSaml1();
- Iterator<?> statements = saml11Assertion.getStatements().iterator();
- while (statements.hasNext()) {
- Statement stmt = (Statement) statements.next();
- if (stmt instanceof AttributeStatement) {
- AttributeStatement attrStmt = (AttributeStatement) stmt;
- Subject samlSubject = attrStmt.getSubject();
- Element sub = samlSubject.getSubjectConfirmation().getDOM();
- Element kiElem =
- WSSecurityUtil.getDirectChildElement(sub, "KeyInfo", WSConstants.SIG_NS);
-
- Node node = kiElem.getFirstChild();
- while (node != null) {
- if (Node.ELEMENT_NODE == node.getNodeType()) {
- QName el = new QName(node.getNamespaceURI(), node.getLocalName());
- if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
- EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
- WSDocInfo docInfo = new WSDocInfo(node.getOwnerDocument());
- List<WSSecurityEngineResult> result =
- proc.handleToken((Element)node, null, crypto, cb, docInfo, null);
- byte[] secret =
- (byte[])result.get(0).get(
- WSSecurityEngineResult.TAG_SECRET
- );
- return new SAMLKeyInfo(assertion, secret);
- } else if (el.equals(new QName(WSConstants.WST_NS, "BinarySecret"))) {
- Text txt = (Text)node.getFirstChild();
- return new SAMLKeyInfo(assertion, Base64.decode(txt.getData()));
- }
- }
- node = node.getNextSibling();
- }
- } else if (stmt instanceof AuthenticationStatement) {
- AuthenticationStatement authStmt = (AuthenticationStatement) stmt;
- Subject samlSubj = authStmt.getSubject();
- if (samlSubj == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "invalidSAMLToken",
- new Object[]{"for Signature (no Subject)"}
- );
- }
-
- Element sub = samlSubj.getSubjectConfirmation().getDOM();
- Element keyInfoElement =
- WSSecurityUtil.getDirectChildElement(sub, "KeyInfo", WSConstants.SIG_NS);
- X509Certificate[] certs = null;
- KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
- XMLStructure keyInfoStructure = new DOMStructure(keyInfoElement);
-
- try {
- KeyInfo keyInfo = keyInfoFactory.unmarshalKeyInfo(keyInfoStructure);
- List<?> list = keyInfo.getContent();
-
- for (int i = 0; i < list.size(); i++) {
- XMLStructure xmlStructure = (XMLStructure) list.get(i);
- if (xmlStructure instanceof KeyValue) {
- PublicKey publicKey = ((KeyValue)xmlStructure).getPublicKey();
- return new SAMLKeyInfo(assertion, publicKey);
- } else if (xmlStructure instanceof X509Data) {
- List<?> x509Data = ((X509Data)xmlStructure).getContent();
- for (int j = 0; j < x509Data.size(); j++) {
- Object x509obj = x509Data.get(j);
- if (x509obj instanceof X509Certificate) {
- certs = new X509Certificate[1];
- certs[0] = (X509Certificate)x509obj;
- return new SAMLKeyInfo(assertion, certs);
- } else if (x509obj instanceof X509IssuerSerial) {
- String alias =
- crypto.getAliasForX509Cert(
- ((X509IssuerSerial)x509obj).getIssuerName(),
- ((X509IssuerSerial)x509obj).getSerialNumber()
- );
- certs = crypto.getCertificates(alias);
- return new SAMLKeyInfo(assertion, certs);
- }
- }
- }
- }
- } catch (Exception ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "invalidSAMLsecurity",
- new Object[]{"cannot get certificate or key"}, ex
- );
- }
+ SAMLKeyInfo samlKeyInfo = null;
+ if (assertion.getSaml1() != null) {
+ samlKeyInfo = getCredentialFromSubject(assertion.getSaml1(), crypto, cb);
+ } else {
+ samlKeyInfo = getCredentialFromSubject(assertion.getSaml2(), crypto, cb);
+ }
+
+ if (samlKeyInfo != null) {
+ samlKeyInfo.setAssertion(assertion);
+ return samlKeyInfo;
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "invalidSAMLsecurity",
+ new Object[]{"cannot get certificate or key"}
+ );
+ }
+ }
+
+ /**
+ * Get the SAMLKeyInfo object corresponding to the credential stored in the Subject of a
+ * SAML 1.1 assertion
+ * @param assertion The SAML 1.1 assertion
+ * @param crypto The crypto instance used to get the credential
+ * @param cb The CallbackHandler used for secret keys
+ * @return The SAMLKeyInfo object obtained from the Subject
+ * @throws WSSecurityException
+ */
+ private static SAMLKeyInfo getCredentialFromSubject(
+ org.opensaml.saml1.core.Assertion assertion,
+ Crypto crypto,
+ CallbackHandler cb
+ ) throws WSSecurityException {
+ for (org.opensaml.saml1.core.Statement stmt : assertion.getStatements()) {
+ org.opensaml.saml1.core.Subject samlSubject = null;
+ if (stmt instanceof org.opensaml.saml1.core.AttributeStatement) {
+ org.opensaml.saml1.core.AttributeStatement attrStmt =
+ (org.opensaml.saml1.core.AttributeStatement) stmt;
+ samlSubject = attrStmt.getSubject();
+ } else if (stmt instanceof org.opensaml.saml1.core.AuthenticationStatement) {
+ org.opensaml.saml1.core.AuthenticationStatement authStmt =
+ (org.opensaml.saml1.core.AuthenticationStatement) stmt;
+ samlSubject = authStmt.getSubject();
} else {
throw new WSSecurityException(
WSSecurityException.FAILURE, "invalidSAMLsecurity",
- new Object[]{"cannot get certificate or key"}
+ new Object[] {"cannot get certificate or key"}
);
}
+
+ if (samlSubject == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "invalidSAMLToken",
+ new Object[] {"for Signature (no Subject)"}
+ );
+ }
+
+ Element sub = samlSubject.getSubjectConfirmation().getDOM();
+ Element keyInfoElement =
+ WSSecurityUtil.getDirectChildElement(sub, "KeyInfo", WSConstants.SIG_NS);
+ return getCredentialFromKeyInfo(keyInfoElement, crypto, cb);
}
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "invalidSAMLsecurity",
- new Object[]{"cannot get certificate or key"}
- );
+ return null;
}
/**
- * Extracts the certificate(s) from the SAML token reference.
- * <p/>
- *
- * @param elem The element containing the SAML token.
- * @return an array of X509 certificates
- * @throws org.apache.ws.security.WSSecurityException
+ * Get the SAMLKeyInfo object corresponding to the credential stored in the Subject of a
+ * SAML 2 assertion
+ * @param assertion The SAML 2 assertion
+ * @param crypto The crypto instance used to get the credential
+ * @param cb The CallbackHandler used for secret keys
+ * @return The SAMLKeyInfo object obtained from the Subject
+ * @throws WSSecurityException
*/
- public static X509Certificate[] getCertificatesFromSAML(
- Element elem
+ private static SAMLKeyInfo getCredentialFromSubject(
+ org.opensaml.saml2.core.Assertion assertion,
+ Crypto crypto,
+ CallbackHandler cb
) throws WSSecurityException {
- /*
- * Get some information about the SAML token content. This controls how
- * to deal with the whole stuff. First get the Authentication statement
- * (includes Subject), then get the _first_ confirmation method only.
- */
- AssertionWrapper assertion;
- try {
- assertion = new AssertionWrapper(elem);
- } catch (UnmarshallingException e) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidSAMLToken", new Object[]{"for Signature (cannot parse)"}, e);
- }
- SubjectStatement samlSubjS = null;
-
- // WARNING! THIS IS HARD CODED TO SAML v1.1
- org.opensaml.saml1.core.Assertion saml11Assertion = assertion.getSaml1();
-
- Iterator it = saml11Assertion.getStatements().iterator();
- while (it.hasNext()) {
- SAMLObject so = (SAMLObject) it.next();
- if (so instanceof SubjectStatement) {
- samlSubjS = (SubjectStatement) so;
- break;
+ org.opensaml.saml2.core.Subject samlSubject = assertion.getSubject();
+ if (samlSubject == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "invalidSAMLToken",
+ new Object[]{"for Signature (no Subject)"}
+ );
+ }
+ List<org.opensaml.saml2.core.SubjectConfirmation> subjectConfList =
+ samlSubject.getSubjectConfirmations();
+ for (org.opensaml.saml2.core.SubjectConfirmation subjectConfirmation : subjectConfList) {
+ Element sub = subjectConfirmation.getDOM();
+
+ Element keyInfoElement =
+ WSSecurityUtil.getDirectChildElement(sub, "KeyInfo", WSConstants.SIG_NS);
+ return getCredentialFromKeyInfo(keyInfoElement, crypto, cb);
+ }
+
+ return null;
+ }
+
+ /**
+ * This method returns a SAMLKeyInfo corresponding to the credential found in the
+ * KeyInfo (DOM Element) argument.
+ * @param keyInfoElement The KeyInfo as a DOM Element
+ * @param crypto The crypto instance
+ * @return The credential (as a SAMLKeyInfo object)
+ * @throws WSSecurityException
+ */
+ public static SAMLKeyInfo getCredentialFromKeyInfo(
+ Element keyInfoElement,
+ Crypto crypto,
+ CallbackHandler cb
+ ) throws WSSecurityException {
+ //
+ // First try to find an EncryptedKey or a BinarySecret via DOM
+ //
+ Node node = keyInfoElement.getFirstChild();
+ while (node != null) {
+ if (Node.ELEMENT_NODE == node.getNodeType()) {
+ QName el = new QName(node.getNamespaceURI(), node.getLocalName());
+ if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+ EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
+ WSDocInfo docInfo = new WSDocInfo(node.getOwnerDocument());
+ List<WSSecurityEngineResult> result =
+ proc.handleToken((Element)node, null, crypto, cb, docInfo, null);
+ byte[] secret =
+ (byte[])result.get(0).get(
+ WSSecurityEngineResult.TAG_SECRET
+ );
+ return new SAMLKeyInfo(null, secret);
+ } else if (el.equals(new QName(WSConstants.WST_NS, "BinarySecret"))) {
+ Text txt = (Text)node.getFirstChild();
+ return new SAMLKeyInfo(null, Base64.decode(txt.getData()));
+ }
}
+ node = node.getNextSibling();
}
- Subject samlSubj = null;
- if (samlSubjS != null) {
- samlSubj = samlSubjS.getSubject();
- }
- if (samlSubj == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidSAMLToken", new Object[]{"for Signature (no Subject)"});
- }
-
-// String confirmMethod = null;
-// it = samlSubj.getConfirmationMethods();
-// if (it.hasNext()) {
-// confirmMethod = (String) it.next();
-// }
-// boolean senderVouches = false;
-// if (SAMLSubject.CONF_SENDER_VOUCHES.equals(confirmMethod)) {
-// senderVouches = true;
-// }
- Element sub = samlSubj.getSubjectConfirmation().getDOM();
- Element kiElem =
- WSSecurityUtil.getDirectChildElement(sub, "KeyInfo", WSConstants.SIG_NS);
+ //
+ // Next marshal the KeyInfo DOM element into a javax KeyInfo object and get the
+ // (public key) credential
+ //
X509Certificate[] certs = null;
KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
- XMLStructure keyInfoStructure = new DOMStructure(kiElem);
-
+ XMLStructure keyInfoStructure = new DOMStructure(keyInfoElement);
+
try {
- KeyInfo keyInfo = keyInfoFactory.unmarshalKeyInfo(keyInfoStructure);
+ javax.xml.crypto.dsig.keyinfo.KeyInfo keyInfo =
+ keyInfoFactory.unmarshalKeyInfo(keyInfoStructure);
List<?> list = keyInfo.getContent();
for (int i = 0; i < list.size(); i++) {
XMLStructure xmlStructure = (XMLStructure) list.get(i);
- if (xmlStructure instanceof X509Data) {
+ if (xmlStructure instanceof KeyValue) {
+ PublicKey publicKey = ((KeyValue)xmlStructure).getPublicKey();
+ return new SAMLKeyInfo(null, publicKey);
+ } else if (xmlStructure instanceof X509Data) {
List<?> x509Data = ((X509Data)xmlStructure).getContent();
for (int j = 0; j < x509Data.size(); j++) {
Object x509obj = x509Data.get(j);
if (x509obj instanceof X509Certificate) {
certs = new X509Certificate[1];
certs[0] = (X509Certificate)x509obj;
- break;
+ return new SAMLKeyInfo(null, certs);
+ } else if (x509obj instanceof X509IssuerSerial) {
+ String alias =
+ crypto.getAliasForX509Cert(
+ ((X509IssuerSerial)x509obj).getIssuerName(),
+ ((X509IssuerSerial)x509obj).getSerialNumber()
+ );
+ certs = crypto.getCertificates(alias);
+ return new SAMLKeyInfo(null, certs);
}
}
}
}
- // TODO: get alias name for cert, check against username set by caller
} catch (Exception ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidSAMLsecurity",
- new Object[]{"cannot get certificate or key "}, ex);
- }
-
- return certs;
- }
-
- public static String getAssertionId(
- Element envelope,
- String elemName,
- String nmSpace
- ) throws WSSecurityException {
- String id;
- // Make the AssertionID the wsu:Id and the signature reference the same
- AssertionWrapper assertion;
-
- Element assertionElement =
- (Element)WSSecurityUtil.findElement(envelope, elemName, nmSpace);
-
- try {
- assertion = new AssertionWrapper(assertionElement);
- id = assertion.getId();
- } catch (Exception e1) {
- log.error(e1);
throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE,
- "noXMLSig", null, e1);
+ WSSecurityException.FAILURE, "invalidSAMLsecurity",
+ new Object[]{"cannot get certificate or key"}, ex
+ );
}
- return id;
+ return null;
}
-
+
}
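Review bot: getCredentialFromKeyInfo dereferences its argument at `Node node = keyInfoElement.getFirstChild();` without a null check, yet both new callers obtain that element from WSSecurityUtil.getDirectChildElement, which yields null when the SubjectConfirmation has no direct ds:KeyInfo child (a bearer subject, or a SAML 2 holder-of-key subject whose KeyInfo is nested under SubjectConfirmationData), so such a token fails with a NullPointerException instead of the invalidSAMLsecurity WSSecurityException that the AssertionWrapper overload throws for a null result. Add `if (keyInfoElement == null) { return null; }` at the top of getCredentialFromKeyInfo; with that guard the SAML 2 loop, which currently returns on the first SubjectConfirmation whether or not it carried a KeyInfo, can `continue` on a null element and actually try later confirmations. `samlSubject.getSubjectConfirmation()` in the SAML 1.1 helper is likewise used unchecked. The Javadoc of getCredentialFromKeyInfo is also missing `@param cb`, and since the method returns whatever KeyValue, X509Data, EncryptedKey or BinarySecret it finds, it should state that the credential is only as trustworthy as the assertion's signature, which this method does not verify.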
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java Tue Jan 11 13:02:25 2011
@@ -37,9 +37,6 @@ import org.apache.ws.security.saml.ext.O
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.opensaml.xml.io.MarshallingException;
-import org.opensaml.xml.signature.SignatureException;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -206,17 +203,7 @@ public class WSSecSignatureSAML extends
keyInfoFactory = KeyInfoFactory.getInstance("DOM");
signatureFactory = XMLSignatureFactory.getInstance("DOM");
- try {
- samlToken = (Element) assertion.toDOM(doc);
- } catch (MarshallingException ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noSAMLdoc", null, ex
- );
- } catch (SignatureException ex) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noSAMLdoc", null, ex
- );
- }
+ samlToken = (Element) assertion.toDOM(doc);
//
// Get some information about the SAML token content. This controls how
@@ -258,7 +245,8 @@ public class WSSecSignatureSAML extends
new Object[] { "for SAML Signature (Key Holder)" }
);
}
- SAMLKeyInfo samlKeyInfo = SAMLUtil.getSAMLKeyInfo(assertion, userCrypto, null);
+ SAMLKeyInfo samlKeyInfo =
+ SAMLUtil.getCredentialFromSubject(assertion, userCrypto, null);
publicKey = samlKeyInfo.getPublicKey();
certs = samlKeyInfo.getCerts();
wsDocInfo.setCrypto(userCrypto);
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java Tue Jan 11 13:02:25 2011
@@ -23,6 +23,9 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
@@ -44,10 +47,10 @@ import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.io.MarshallingException;
-import org.opensaml.xml.io.UnmarshallingException;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.SignatureException;
+import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
@@ -55,6 +58,7 @@ import org.w3c.dom.Element;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
+
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
@@ -110,7 +114,7 @@ public class AssertionWrapper {
* @param element of type Element
* @throws UnmarshallingException when
*/
- public AssertionWrapper(Element element) throws UnmarshallingException {
+ public AssertionWrapper(Element element) throws WSSecurityException {
this(OpenSAMLUtil.fromDom(element));
assertionElement = element;
}
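Review bot: The Javadoc above the `AssertionWrapper(Element)` constructor still reads `@throws UnmarshallingException when` although the signature now declares WSSecurityException, so the rendered API documentation names an exception that is no longer thrown; replace it with `@throws WSSecurityException if the element cannot be unmarshalled into a SAML assertion`. The same mismatch is left in the `toDOM` and `assertionToString` hunks, where the old `@throws` tags are dropped but no `@throws WSSecurityException` takes their place, in the `verify(Crypto)` hunk, whose comment still says `@throws ValidationException` and gets no `@param crypto` for the new parameter, and in `OpenSAMLUtil.fromDom`, whose comment still says `@throws UnmarshallingException`.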
@@ -355,10 +359,8 @@ public class AssertionWrapper {
*
* @param doc of type Document
* @return Element
- * @throws MarshallingException when
- * @throws SignatureException when
*/
- public Element toDOM(Document doc) throws MarshallingException, SignatureException {
+ public Element toDOM(Document doc) throws WSSecurityException {
return OpenSAMLUtil.toDom(xmlObject, doc);
}
@@ -366,11 +368,8 @@ public class AssertionWrapper {
* Method assertionToString ...
*
* @return String
- * @throws MarshallingException when
- * @throws SignatureException when
- * @throws IOException when
*/
- public String assertionToString() throws MarshallingException, SignatureException {
+ public String assertionToString() throws WSSecurityException {
Element element = toDOM(null);
return DOM2Writer.nodeToString(element);
}
@@ -497,8 +496,7 @@ public class AssertionWrapper {
*
* @throws ValidationException
*/
- public void verify() throws ValidationException {
- SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
+ public void verify(Crypto crypto) throws WSSecurityException {
Signature sig = null;
if (saml2 != null && saml2.getSignature() != null) {
sig = saml2.getSignature();
@@ -506,17 +504,44 @@ public class AssertionWrapper {
sig = saml1.getSignature();
}
if (sig != null) {
- validator.validate(sig);
+ KeyInfo keyInfo = sig.getKeyInfo();
+ SAMLKeyInfo samlKeyInfo =
+ SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), crypto, null);
+ if (samlKeyInfo == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "invalidSAMLsecurity",
+ new Object[]{"cannot get certificate or key"}
+ );
+ }
+ SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
+ try {
+ validator.validate(sig);
+ } catch (ValidationException ex) {
+ throw new WSSecurityException("SAML signature validation failed", ex);
+ }
- // TODO validate signature
- //BasicX509Credential credential = new BasicX509Credential();
- //credential.setEntityCertificate(certificate);
- //SignatureValidator sigValidator = new SignatureValidator(credential);
- //sigValidator.validate(signature);
+ BasicX509Credential credential = new BasicX509Credential();
+ if (samlKeyInfo.getCerts() != null) {
+ credential.setEntityCertificate(samlKeyInfo.getCerts()[0]);
+ } else if (samlKeyInfo.getPublicKey() != null) {
+ credential.setPublicKey(samlKeyInfo.getPublicKey());
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "invalidSAMLsecurity",
+ new Object[]{"cannot get certificate or key"}
+ );
+ }
+ SignatureValidator sigValidator = new SignatureValidator(credential);
+ try {
+ sigValidator.validate(sig);
+ } catch (ValidationException ex) {
+ throw new WSSecurityException("SAML signature validation failed", ex);
+ }
} else {
log.debug("AssertionWrapper: no signature to validate");
}
}
+
/**
* Method getSamlVersion returns the samlVersion of this AssertionWrapper object.
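Review bot: `sig.getKeyInfo()` is dereferenced at the `keyInfo.getDOM()` call without a null check, and ds:KeyInfo is optional in a ds:Signature, so an assertion signed without one fails with a NullPointerException instead of the WSSecurityException this method now promises. The larger gap is trust: the credential handed to `SignatureValidator` is built from the assertion's own KeyInfo, and in the embedded-certificate branch of `getCredentialFromKeyInfo` (first hunk of this chunk) that certificate is returned as-is without consulting `crypto`, so a successful `validate` only shows that the signature matches a key the sender chose to embed; unless the SAMLTokenProcessor (changed in this commit but not in this chunk) validates that certificate against the truststore, the check belongs here, and a KeyInfo carrying only a bare public key has no anchor at all and should be accepted only by explicit caller policy. `samlKeyInfo.getCerts()[0]` also assumes a non-empty array, which `crypto.getCertificates(alias)` is not shown to guarantee. The rewritten lines below add the KeyInfo guard and the trust check; `verify`'s signature and the start of its body are in the previous hunk.
```java
        if (sig != null) {
            KeyInfo keyInfo = sig.getKeyInfo();
            if (keyInfo == null || keyInfo.getDOM() == null) {
                throw new WSSecurityException(
                    WSSecurityException.FAILURE, "invalidSAMLsecurity",
                    new Object[]{"cannot get certificate or key"}
                );
            }
            SAMLKeyInfo samlKeyInfo =
                SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), crypto, null);
            // … unchanged: null check on samlKeyInfo, SAMLSignatureProfileValidator …
            BasicX509Credential credential = new BasicX509Credential();
            if (samlKeyInfo.getCerts() != null && samlKeyInfo.getCerts().length > 0) {
                // A certificate carried inside the assertion is untrusted input until it
                // chains to the configured truststore; only then may it verify the signature.
                if (!crypto.validateCertPath(samlKeyInfo.getCerts())) {
                    throw new WSSecurityException(
                        WSSecurityException.FAILURE, "invalidSAMLsecurity",
                        new Object[]{"signing certificate is not trusted"}
                    );
                }
                credential.setEntityCertificate(samlKeyInfo.getCerts()[0]);
            } else if (samlKeyInfo.getPublicKey() != null) {
                // A bare KeyValue has no trust anchor; callers must decide by policy
                // whether such assertions are acceptable at all.
                credential.setPublicKey(samlKeyInfo.getPublicKey());
            } else {
            // … unchanged: error for missing credential, SignatureValidator …
```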
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLUtil.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLUtil.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLUtil.java Tue Jan 11 13:02:25 2011
@@ -78,9 +78,14 @@ public class OpenSAMLUtil {
* @return XMLObject
* @throws UnmarshallingException
*/
- public static XMLObject fromDom(Element root) throws UnmarshallingException {
+ public static XMLObject fromDom(Element root) throws WSSecurityException {
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(root);
- XMLObject xmlObject = unmarshaller.unmarshall(root);
+ XMLObject xmlObject = null;
+ try {
+ xmlObject = unmarshaller.unmarshall(root);
+ } catch (UnmarshallingException ex) {
+ throw new WSSecurityException("Error unmarshalling a SAML assertion", ex);
+ }
if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
log.debug("OpenSAMLUtil: found SAML 1 Assertion");
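Review bot: `unmarshallerFactory.getUnmarshaller(root)` is used with no null check ahead of the new try block; as far as I recall OpenSAML returns null when no unmarshaller is registered for the element's QName, in which case `unmarshaller.unmarshall(root)` fails with a NullPointerException rather than the WSSecurityException the method now promises, and `root` comes from the inbound message. A guard such as `if (unmarshaller == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", new Object[]{"no unmarshaller for element"}); }` keeps the contract; `toDom` in the next hunk has the same pattern with `marshallerFactory.getMarshaller`. The `XMLObject xmlObject = null;` initialisation is also unnecessary, since the catch always throws `XMLObject xmlObject;` is definitely assigned after the try.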
@@ -105,9 +110,14 @@ public class OpenSAMLUtil {
public static Element toDom(
XMLObject xmlObject,
Document doc
- ) throws MarshallingException, SignatureException {
+ ) throws WSSecurityException {
Marshaller marshaller = marshallerFactory.getMarshaller(xmlObject);
- Element element = marshaller.marshall(xmlObject);
+ Element element = null;
+ try {
+ element = marshaller.marshall(xmlObject);
+ } catch (MarshallingException ex) {
+ throw new WSSecurityException("Error marshalling a SAML assertion", ex);
+ }
// Sign the assertion if the signature element is present.
if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
@@ -115,14 +125,22 @@ public class OpenSAMLUtil {
// if there is a signature, but it hasn't already been signed
if (saml2.getSignature() != null) {
log.debug("Signing SAML v2.0 assertion...");
- Signer.signObject(saml2.getSignature());
+ try {
+ Signer.signObject(saml2.getSignature());
+ } catch (SignatureException ex) {
+ throw new WSSecurityException("Error signing a SAML assertion", ex);
+ }
}
} else if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
org.opensaml.saml1.core.Assertion saml1 = (org.opensaml.saml1.core.Assertion) xmlObject;
// if there is a signature, but it hasn't already been signed
if (saml1.getSignature() != null) {
log.debug("Signing SAML v1.1 assertion...");
- Signer.signObject(saml1.getSignature());
+ try {
+ Signer.signObject(saml1.getSignature());
+ } catch (SignatureException ex) {
+ throw new WSSecurityException("Error signing a SAML assertion", ex);
+ }
}
}
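Review bot: The try/catch around `Signer.signObject` is now repeated verbatim in the SAML 2.0 and SAML 1.1 branches, including the identical error message; extracting a small private helper that takes the signature object, calls `Signer.signObject` and translates SignatureException into the WSSecurityException would keep the two branches from drifting apart. The enclosing `toDom` method starts in the previous hunk and its return lies outside this one.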
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java Tue Jan 11 13:02:25 2011
@@ -103,7 +103,7 @@ public class DerivedKeyTokenSTRParser im
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo keyInfo =
- SAMLUtil.getSAMLKeyInfo(assertion, crypto, cb);
+ SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
// TODO Handle malformed SAML tokens where they don't have the
// secret in them
secretKey = keyInfo.getSecret();
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java Tue Jan 11 13:02:25 2011
@@ -98,7 +98,7 @@ public class SecurityTokenRefSTRParser i
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo keyInfo =
- SAMLUtil.getSAMLKeyInfo(assertion, crypto, cb);
+ SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
// TODO Handle malformed SAML tokens where they don't have the
// secret in them
secretKey = keyInfo.getSecret();
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java Tue Jan 11 13:02:25 2011
@@ -120,7 +120,7 @@ public class SignatureSTRParser implemen
WSSecurityException.FAILURE, "noSigCryptoFile"
);
}
- SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
+ SAMLKeyInfo samlKi = SAMLUtil.getCredentialFromSubject(token, crypto, cb);
X509Certificate[] foundCerts = samlKi.getCerts();
if (foundCerts != null) {
certs = new X509Certificate[]{foundCerts[0]};
@@ -190,7 +190,7 @@ public class SignatureSTRParser implemen
AssertionWrapper assertion =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo keyInfo =
- SAMLUtil.getSAMLKeyInfo(assertion, crypto, cb);
+ SAMLUtil.getCredentialFromSubject(assertion, crypto, cb);
X509Certificate[] foundCerts = keyInfo.getCerts();
if (foundCerts != null) {
certs = new X509Certificate[]{foundCerts[0]};
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignaturePartsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignaturePartsTest.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignaturePartsTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignaturePartsTest.java Tue Jan 11 13:02:25 2011
@@ -146,9 +146,6 @@ public class SignaturePartsTest extends
Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok.properties");
- // Provide info to SAML issuer that it can construct a Holder-of-key
- // SAML token.
- saml.setInstanceDoc(doc);
AssertionWrapper assertion = saml.newAssertion();
WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java Tue Jan 11 13:02:25 2011
@@ -31,7 +31,6 @@ import org.apache.ws.security.components
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -63,7 +62,6 @@ public class SamlReferenceTest extends o
// Create a SAML assertion
SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok.properties");
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
- saml.setInstanceDoc(doc);
Crypto hokCrypto = CryptoFactory.getInstance("crypto.properties");
AssertionWrapper assertion = saml.newAssertion();
Node assertionNode = assertion.toDOM(doc);
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java?rev=1057610&r1=1057609&r2=1057610&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java Tue Jan 11 13:02:25 2011
@@ -28,6 +28,7 @@ import org.apache.ws.security.WSConstant
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.common.CustomHandler;
import org.apache.ws.security.common.KeystoreCallbackHandler;
import org.apache.ws.security.common.SOAPUtil;
@@ -43,6 +44,9 @@ import org.w3c.dom.Document;
import javax.security.auth.callback.CallbackHandler;
import java.util.List;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
/**
* Test-case for sending and processing an signed SAML Assertion.
*
@@ -249,9 +253,6 @@ public class SignedSamlTokenTest extends
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok.properties");
- // Provide info to SAML issuer that it can construct a Holder-of-key
- // SAML token.
- saml.setInstanceDoc(doc);
AssertionWrapper assertion = saml.newAssertion();
WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
@@ -297,9 +298,6 @@ public class SignedSamlTokenTest extends
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok_keyvalue.properties");
- // Provide info to SAML issuer that it can construct a Holder-of-key
- // SAML token.
- saml.setInstanceDoc(doc);
AssertionWrapper assertion = saml.newAssertion();
WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
@@ -348,9 +346,6 @@ public class SignedSamlTokenTest extends
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok.properties");
- // Provide info to SAML issuer that it can construct a Holder-of-key
- // SAML token.
- saml.setInstanceDoc(doc);
AssertionWrapper assertion = saml.newAssertion();
WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
@@ -384,6 +379,55 @@ public class SignedSamlTokenTest extends
}
/**
+ * Test that creates a signed SAML Assertion using HOK, but then modifies the signature
+ * object by replacing the enveloped transform with the exclusive c14n transform.
+ * The signature validation should then fail - the enveloped transform is mandatory for
+ * a signed assertion.
+ */
+ @org.junit.Test
+ public void testSAMLSignedKeyHolderSigModified() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok.properties");
+ AssertionWrapper assertion = saml.newAssertion();
+
+ WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
+ wsSign.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
+ wsSign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document signedDoc = wsSign.build(doc, crypto, assertion, null, null, null, secHeader);
+
+ //
+ // Modify the assertion
+ //
+ Element envelope = signedDoc.getDocumentElement();
+ NodeList list = envelope.getElementsByTagNameNS(WSConstants.SAML_NS, "Assertion");
+ Element assertionElement = (org.w3c.dom.Element)list.item(0);
+ list = assertionElement.getElementsByTagNameNS(WSConstants.SIG_NS, "Signature");
+ Element sigElement = (org.w3c.dom.Element)list.item(0);
+ list = sigElement.getElementsByTagNameNS(WSConstants.SIG_NS, "Transform");
+ Element transformElement = (org.w3c.dom.Element)list.item(0);
+ transformElement.setAttributeNS(null, "Algorithm", WSConstants.C14N_EXCL_OMIT_COMMENTS);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Signed (modified) SAML message (key holder):");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ try {
+ verify(signedDoc);
+ fail("Expected failure on a modified signature");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
+ /**
* Test that creates a signed SAML Assertion using HOK, but then modifies the assertion.
* The signature verification should then fail.
*/
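Review bot: The negative test `testSAMLSignedKeyHolderSigModified` accepts any WSSecurityException from `verify(signedDoc)`, so it also passes if processing aborts before the assertion signature is ever examined, for example on a crypto configuration problem, which would hide a regression in the new signature validation. Asserting on the exception's error code or message inside the catch block, rather than leaving it as `// expected`, would tie the test to the transform check it is meant to exercise; the modified-assertion test in the following hunks has the same catch-all shape.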
@@ -392,9 +436,6 @@ public class SignedSamlTokenTest extends
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml_hok.properties");
- // Provide info to SAML issuer that it can construct a Holder-of-key
- // SAML token.
- saml.setInstanceDoc(doc);
AssertionWrapper assertion = saml.newAssertion();
WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
@@ -409,10 +450,9 @@ public class SignedSamlTokenTest extends
//
// Modify the assertion
//
- org.w3c.dom.Element envelope = signedDoc.getDocumentElement();
- org.w3c.dom.NodeList list =
- envelope.getElementsByTagNameNS(WSConstants.SAML_NS, "Assertion");
- org.w3c.dom.Element assertionElement = (org.w3c.dom.Element)list.item(0);
+ Element envelope = signedDoc.getDocumentElement();
+ NodeList list = envelope.getElementsByTagNameNS(WSConstants.SAML_NS, "Assertion");
+ Element assertionElement = (org.w3c.dom.Element)list.item(0);
assertionElement.setAttributeNS(null, "MinorVersion", "5");
if (LOG.isDebugEnabled()) {
@@ -422,14 +462,12 @@ public class SignedSamlTokenTest extends
LOG.debug(outputString);
}
- List<WSSecurityEngineResult> results = verify(signedDoc);
- /*
- WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
- AssertionWrapper receivedAssertion =
- (AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- assertTrue(receivedAssertion != null);
- */
+ try {
+ verify(signedDoc);
+ fail("Expected failure on a modified signature");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
}