You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2021/04/08 09:40:53 UTC
[cxf] branch opensaml4 created (now 0edbe1f)
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a change to branch opensaml4
in repository https://gitbox.apache.org/repos/asf/cxf.git.
at 0edbe1f Updating to OpenSAML4. One test fails in systests/advanced
This branch includes the following new commits:
new 0edbe1f Updating to OpenSAML4. One test fails in systests/advanced
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[cxf] 01/01: Updating to OpenSAML4. One test fails in
systests/advanced
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch opensaml4
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 0edbe1f5eb63acab05d042c8842ce724d7a1bf1a
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Apr 8 10:40:15 2021 +0100
Updating to OpenSAML4. One test fails in systests/advanced
---
parent/pom.xml | 2 +-
.../security/oauth2/saml/SamlOAuthValidator.java | 5 ++-
.../saml/sso/SAMLProtocolResponseValidator.java | 6 +--
.../saml/sso/SAMLSSOResponseValidator.java | 13 +++---
.../saml/sso/SamlpRequestComponentBuilder.java | 8 ++--
.../saml/sso/AbstractSAMLCallbackHandler.java | 14 +++----
.../security/saml/sso/CombinedValidatorTest.java | 9 +++--
.../saml/sso/SAML2PResponseComponentBuilder.java | 4 +-
.../saml/sso/SAMLResponseValidatorTest.java | 23 ++++++-----
.../saml/sso/SAMLSSOResponseValidatorTest.java | 47 +++++++++++-----------
.../saml/xacml2/DefaultXACMLRequestBuilder.java | 5 ++-
.../saml/xacml2/SamlRequestComponentBuilder.java | 4 +-
.../saml/xacml2/RequestComponentBuilderTest.java | 9 +++--
.../cxf/sts/token/provider/SAMLTokenProvider.java | 10 ++---
.../cxf/sts/token/renewer/SAMLTokenRenewer.java | 22 +++++-----
.../sts/token/validator/SAMLTokenValidator.java | 15 +++----
.../oauth2/common/SamlCallbackHandler.java | 4 +-
.../jaxrs/security/saml/SamlCallbackHandler.java | 4 +-
18 files changed, 104 insertions(+), 100 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index 42f7306..11a09f3 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -221,7 +221,7 @@
<cxf.woodstox.core.version>6.2.5</cxf.woodstox.core.version>
<cxf.woodstox.stax2-api.version>4.2.1</cxf.woodstox.stax2-api.version>
<cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
- <cxf.wss4j.version>2.3.1</cxf.wss4j.version>
+ <cxf.wss4j.version>2.5.0-SNAPSHOT</cxf.wss4j.version>
<cxf.xalan.version>2.7.2</cxf.xalan.version>
<cxf.xerces.version>2.12.1</cxf.xerces.version>
<cxf.xmlschema.version>2.2.5</cxf.xmlschema.version>
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index 885fb42..ee16b40 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.oauth2.saml;
+import java.time.Instant;
import java.util.List;
import javax.ws.rs.core.UriBuilder;
@@ -145,7 +146,7 @@ public class SamlOAuthValidator {
SubjectConfirmationData subjectConfData) {
if (subjectConfData == null) {
if (!subjectConfirmationDataRequired
- && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBeforeNow()) {
+ && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBefore(Instant.now())) {
return;
}
throw ExceptionUtils.toNotAuthorizedException(null, null);
@@ -159,7 +160,7 @@ public class SamlOAuthValidator {
// We must have a NotOnOrAfter timestamp
if (subjectConfData.getNotOnOrAfter() == null
- || subjectConfData.getNotOnOrAfter().isBeforeNow()) {
+ || subjectConfData.getNotOnOrAfter().isBefore(Instant.now())) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
index 9642ff4..93c5ac6 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
@@ -23,6 +23,7 @@ import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -59,7 +60,6 @@ import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.apache.xml.security.utils.Constants;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.BasicCredential;
@@ -120,7 +120,7 @@ public class SAMLProtocolResponseValidator {
}
if (samlResponse.getIssueInstant() != null) {
- DateTime currentTime = new DateTime();
+ Instant currentTime = Instant.now();
currentTime = currentTime.plusSeconds(futureTTL);
if (samlResponse.getIssueInstant().isAfter(currentTime)) {
LOG.warning("SAML Response IssueInstant not met");
@@ -185,7 +185,7 @@ public class SAMLProtocolResponseValidator {
}
if (samlResponse.getIssueInstant() != null) {
- DateTime currentTime = new DateTime();
+ Instant currentTime = Instant.now();
currentTime = currentTime.plusSeconds(futureTTL);
if (samlResponse.getIssueInstant().isAfter(currentTime)) {
LOG.warning("SAML Response IssueInstant not met");
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 3f6de43..dbc9b32 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -128,15 +128,12 @@ public class SAMLSSOResponseValidator {
// Store Session NotOnOrAfter
for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
if (authnStatment.getSessionNotOnOrAfter() != null) {
- sessionNotOnOrAfter =
- Instant.ofEpochMilli(authnStatment.getSessionNotOnOrAfter().toDate().getTime());
+ sessionNotOnOrAfter = authnStatment.getSessionNotOnOrAfter();
}
}
// Fall back to the SubjectConfirmationData NotOnOrAfter if we have no session NotOnOrAfter
if (sessionNotOnOrAfter == null) {
- sessionNotOnOrAfter =
- Instant.ofEpochMilli(subjectConf.getSubjectConfirmationData()
- .getNotOnOrAfter().toDate().getTime());
+ sessionNotOnOrAfter = subjectConf.getSubjectConfirmationData().getNotOnOrAfter();
}
}
}
@@ -152,7 +149,7 @@ public class SAMLSSOResponseValidator {
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
if (samlResponse.getIssueInstant() != null) {
- validatorResponse.setCreated(Instant.ofEpochMilli(samlResponse.getIssueInstant().toDate().getTime()));
+ validatorResponse.setCreated(samlResponse.getIssueInstant());
}
Element assertionElement = validAssertion.getDOM();
@@ -232,7 +229,7 @@ public class SAMLSSOResponseValidator {
// We must have a NotOnOrAfter timestamp
if (subjectConfData.getNotOnOrAfter() == null
- || subjectConfData.getNotOnOrAfter().isBeforeNow()) {
+ || subjectConfData.getNotOnOrAfter().isBefore(Instant.now())) {
LOG.warning("Subject Conf Data does not contain NotOnOrAfter or it has expired");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
@@ -240,7 +237,7 @@ public class SAMLSSOResponseValidator {
// Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
if (postBinding && replayCache != null) {
if (!replayCache.contains(id)) {
- Instant expires = Instant.ofEpochMilli(subjectConfData.getNotOnOrAfter().toDate().getTime());
+ Instant expires = subjectConfData.getNotOnOrAfter();
replayCache.putId(id, expires);
} else {
LOG.warning("Replay attack with token id: " + id);
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java
index 554441d..415aedb 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java
@@ -19,11 +19,11 @@
package org.apache.cxf.rs.security.saml.sso;
+import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.UUID;
-import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
@@ -84,7 +84,7 @@ public final class SamlpRequestComponentBuilder {
authnRequest.setForceAuthn(forceAuthn);
authnRequest.setID("_" + UUID.randomUUID());
authnRequest.setIsPassive(isPassive);
- authnRequest.setIssueInstant(new DateTime());
+ authnRequest.setIssueInstant(Instant.now());
authnRequest.setProtocolBinding(protocolBinding);
authnRequest.setVersion(version);
@@ -112,12 +112,12 @@ public final class SamlpRequestComponentBuilder {
LogoutRequest logoutRequest = logoutRequestBuilder.buildObject();
logoutRequest.setID("_" + UUID.randomUUID());
logoutRequest.setVersion(version);
- logoutRequest.setIssueInstant(new DateTime());
+ logoutRequest.setIssueInstant(Instant.now());
logoutRequest.setDestination(destination);
logoutRequest.setConsent(consent);
logoutRequest.setIssuer(issuer);
if (notOnOrAfter != null) {
- logoutRequest.setNotOnOrAfter(new DateTime(notOnOrAfter.getTime()));
+ logoutRequest.setNotOnOrAfter(notOnOrAfter.toInstant());
}
logoutRequest.setReason(reason);
logoutRequest.setNameID(nameID);
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index e473bdf..d758ff5 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -20,6 +20,7 @@
package org.apache.cxf.rs.security.saml.sso;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Collections;
import java.util.List;
@@ -48,7 +49,6 @@ import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
-import org.joda.time.DateTime;
/**
* A base implementation of a Callback Handler for a SAML assertion. By default it creates an
@@ -75,22 +75,22 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
protected List<Object> customAttributeValues;
protected ConditionsBean conditions;
protected SubjectConfirmationDataBean subjectConfirmationData;
- protected DateTime authnInstant;
- protected DateTime sessionNotOnOrAfter;
+ protected Instant authnInstant;
+ protected Instant sessionNotOnOrAfter;
- public DateTime getSessionNotOnOrAfter() {
+ public Instant getSessionNotOnOrAfter() {
return sessionNotOnOrAfter;
}
- public void setSessionNotOnOrAfter(DateTime sessionNotOnOrAfter) {
+ public void setSessionNotOnOrAfter(Instant sessionNotOnOrAfter) {
this.sessionNotOnOrAfter = sessionNotOnOrAfter;
}
- public DateTime getAuthnInstant() {
+ public Instant getAuthnInstant() {
return authnInstant;
}
- public void setAuthnInstant(DateTime authnInstant) {
+ public void setAuthnInstant(Instant authnInstant) {
this.authnInstant = authnInstant;
}
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index 64a21ab..6006924 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
import java.util.Collections;
import org.w3c.dom.Document;
@@ -44,7 +46,6 @@ import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.dom.engine.WSSConfig;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Response;
@@ -290,13 +291,13 @@ public class CombinedValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java
index 7525035..a937bb3 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java
@@ -19,9 +19,9 @@
package org.apache.cxf.rs.security.saml.sso;
+import java.time.Instant;
import java.util.UUID;
-import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
@@ -70,7 +70,7 @@ public final class SAML2PResponseComponentBuilder {
Response response = responseBuilder.buildObject();
response.setID(UUID.randomUUID().toString());
- response.setIssueInstant(new DateTime());
+ response.setIssueInstant(Instant.now());
response.setInResponseTo(inResponseTo);
response.setIssuer(createIssuer(issuer));
response.setStatus(status);
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
index 2305a24..52e90f3 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
import java.util.Collections;
import java.util.List;
@@ -44,7 +46,6 @@ import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.dom.engine.WSSConfig;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
@@ -472,7 +473,7 @@ public class SAMLResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
@@ -484,8 +485,8 @@ public class SAMLResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
@@ -511,7 +512,7 @@ public class SAMLResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
@@ -523,8 +524,8 @@ public class SAMLResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
@@ -557,7 +558,7 @@ public class SAMLResponseValidatorTest {
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
- response.setIssueInstant(new DateTime().plusMinutes(5));
+ response.setIssueInstant(Instant.now().plus(Duration.ofMinutes(5)));
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
@@ -610,7 +611,7 @@ public class SAMLResponseValidatorTest {
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
- assertion.getSaml2().setIssueInstant(new DateTime().plusMinutes(5));
+ assertion.getSaml2().setIssueInstant(Instant.now().plus(Duration.ofMinutes(5)));
response.getAssertions().add(assertion.getSaml2());
@@ -648,7 +649,7 @@ public class SAMLResponseValidatorTest {
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
- callbackHandler.setAuthnInstant(new DateTime().plusDays(1));
+ callbackHandler.setAuthnInstant(Instant.now().plus(Duration.ofDays(1)));
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
@@ -690,7 +691,7 @@ public class SAMLResponseValidatorTest {
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
- callbackHandler.setSessionNotOnOrAfter(new DateTime().minusDays(1));
+ callbackHandler.setSessionNotOnOrAfter(Instant.now().minus(Duration.ofDays(1)));
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
index b5dc509..1bf6b65 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -44,7 +46,6 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.Loader;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
@@ -73,7 +74,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -99,7 +100,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://bad.apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -125,7 +126,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345-bad");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -151,7 +152,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://bad.recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -177,7 +178,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().minusSeconds(1));
+ subjectConfirmationData.setNotAfter(Instant.now().minusSeconds(1));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -203,8 +204,8 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
- subjectConfirmationData.setNotBefore(new DateTime());
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
+ subjectConfirmationData.setNotBefore(Instant.now());
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -245,8 +246,8 @@ public class SAMLSSOResponseValidatorTest {
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
@@ -255,7 +256,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
@@ -301,7 +302,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -328,7 +329,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -375,7 +376,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
@@ -405,7 +406,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
@@ -437,7 +438,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<String> values = new ArrayList<>();
@@ -468,7 +469,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<AudienceRestrictionBean> audienceRestrictions =
@@ -509,7 +510,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
@@ -521,8 +522,8 @@ public class SAMLSSOResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
@@ -554,7 +555,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -614,8 +615,8 @@ public class SAMLSSOResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
if (audienceRestrictions == null) {
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
index 407c877..bf03f55 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
@@ -20,16 +20,17 @@
package org.apache.cxf.rt.security.saml.xacml2;
import java.security.Principal;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;
+import net.shibboleth.utilities.java.support.xml.DOMTypeSupport;
import org.apache.cxf.message.Message;
import org.apache.cxf.rt.security.saml.xacml.CXFMessageParser;
import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
-import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.AttributeValueType;
@@ -137,7 +138,7 @@ public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
List<AttributeType> attributes = new ArrayList<>();
AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
+ DOMTypeSupport.instantToString(Instant.now()));
attributes.add(environmentAttribute);
return RequestComponentBuilder.createEnvironmentType(attributes);
}
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
index a98a6e4..8b105bb 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
@@ -19,9 +19,9 @@
package org.apache.cxf.rt.security.saml.xacml2;
+import java.time.Instant;
import java.util.UUID;
-import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
@@ -79,7 +79,7 @@ public final class SamlRequestComponentBuilder {
);
authzQuery.setID("_" + UUID.randomUUID().toString());
authzQuery.setVersion(SAMLVersion.VERSION_20);
- authzQuery.setIssueInstant(new DateTime());
+ authzQuery.setIssueInstant(Instant.now());
authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
authzQuery.setReturnContext(Boolean.valueOf(returnContext));
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
index a05119c..de3f660 100644
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rt.security.saml.xacml2;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -30,9 +31,9 @@ import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import net.shibboleth.utilities.java.support.xml.DOMTypeSupport;
import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.AttributeValueType;
@@ -193,9 +194,9 @@ public class RequestComponentBuilderTest {
ActionType action = RequestComponentBuilder.createActionType(attributes);
// Environment
- DateTime dateTime = new DateTime();
+ Instant dateTime = Instant.now();
AttributeValueType environmentAttributeValue =
- RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+ RequestComponentBuilder.createAttributeValueType(DOMTypeSupport.instantToString(dateTime));
AttributeType environmentAttribute =
RequestComponentBuilder.createAttributeType(
XACMLConstants.CURRENT_DATETIME,
@@ -222,4 +223,4 @@ public class RequestComponentBuilderTest {
assertNotNull(policyElement);
}
-}
\ No newline at end of file
+}
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
index 9cc2bfc..12f5f41 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
@@ -19,6 +19,7 @@
package org.apache.cxf.sts.token.provider;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -52,7 +53,6 @@ import org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean;
import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
/**
@@ -153,8 +153,8 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements Toke
}
response.setToken(token);
- DateTime validFrom = null;
- DateTime validTill = null;
+ Instant validFrom = null;
+ Instant validTill = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = assertion.getSaml2().getConditions().getNotBefore();
validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
@@ -162,8 +162,8 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements Toke
validFrom = assertion.getSaml1().getConditions().getNotBefore();
validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
}
- response.setCreated(validFrom.toDate().toInstant());
- response.setExpires(validTill.toDate().toInstant());
+ response.setCreated(validFrom);
+ response.setExpires(validTill);
response.setEntropy(entropyBytes);
if (keySize > 0) {
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
index ddd4aca..9942144 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
@@ -21,6 +21,7 @@ package org.apache.cxf.sts.token.renewer;
import java.security.Principal;
import java.security.cert.Certificate;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -70,7 +71,6 @@ import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.saml.DOMSAMLUtil;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
@@ -218,8 +218,8 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
response.setToken(token);
response.setTokenId(renewedAssertion.getId());
- DateTime validFrom = null;
- DateTime validTill = null;
+ Instant validFrom = null;
+ Instant validTill = null;
if (renewedAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = renewedAssertion.getSaml2().getConditions().getNotBefore();
validTill = renewedAssertion.getSaml2().getConditions().getNotOnOrAfter();
@@ -227,8 +227,8 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
validFrom = renewedAssertion.getSaml1().getConditions().getNotBefore();
validTill = renewedAssertion.getSaml1().getConditions().getNotOnOrAfter();
}
- response.setCreated(validFrom.toDate().toInstant());
- response.setExpires(validTill.toDate().toInstant());
+ response.setCreated(validFrom);
+ response.setExpires(validTill);
LOG.fine("SAML Token successfully renewed");
return response;
@@ -315,9 +315,9 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
"Renewal after expiry is not allowed", STSException.REQUEST_FAILED
);
}
- DateTime expiryDate = getExpiryDate(assertion);
- DateTime currentDate = new DateTime();
- if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
+ Instant expiryDate = getExpiryDate(assertion);
+ Instant currentDate = Instant.now();
+ if ((currentDate.toEpochMilli() - expiryDate.toEpochMilli()) > (maxExpiry * 1000L)) {
LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
throw new STSException(
"The token expired too long ago to be renewed", STSException.REQUEST_FAILED
@@ -452,7 +452,7 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
if (assertion.getSaml1() != null) {
org.opensaml.saml.saml1.core.Assertion saml1Assertion = assertion.getSaml1();
- saml1Assertion.setIssueInstant(new DateTime());
+ saml1Assertion.setIssueInstant(Instant.now());
org.opensaml.saml.saml1.core.Conditions saml1Conditions =
SAML1ComponentBuilder.createSamlv1Conditions(conditions);
@@ -460,7 +460,7 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
saml1Assertion.setConditions(saml1Conditions);
} else {
org.opensaml.saml.saml2.core.Assertion saml2Assertion = assertion.getSaml2();
- saml2Assertion.setIssueInstant(new DateTime());
+ saml2Assertion.setIssueInstant(Instant.now());
org.opensaml.saml.saml2.core.Conditions saml2Conditions =
SAML2ComponentBuilder.createConditions(conditions);
@@ -530,7 +530,7 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
}
- private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
+ private Instant getExpiryDate(SamlAssertionWrapper assertion) {
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
return assertion.getSaml2().getConditions().getNotOnOrAfter();
}
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index 30dd1f6..ab6d466 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -20,6 +20,7 @@ package org.apache.cxf.sts.token.validator;
import java.security.Principal;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
@@ -56,7 +57,6 @@ import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;
import org.apache.wss4j.dom.validate.Validator;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
@@ -289,9 +289,9 @@ public class SAMLTokenValidator implements TokenValidator {
protected boolean validateConditions(
SamlAssertionWrapper assertion, ReceivedToken validateTarget
) {
- DateTime validFrom = null;
- DateTime validTill = null;
- DateTime issueInstant = null;
+ Instant validFrom = null;
+ Instant validTill = null;
+ Instant issueInstant = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = assertion.getSaml2().getConditions().getNotBefore();
validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
@@ -302,16 +302,17 @@ public class SAMLTokenValidator implements TokenValidator {
issueInstant = assertion.getSaml1().getIssueInstant();
}
- if (validFrom != null && validFrom.isAfterNow()) {
+ Instant now = Instant.now();
+ if (validFrom != null && validFrom.isAfter(now)) {
LOG.log(Level.WARNING, "SAML Token condition not met");
return false;
- } else if (validTill != null && validTill.isBeforeNow()) {
+ } else if (validTill != null && validTill.isBefore(now)) {
LOG.log(Level.WARNING, "SAML Token condition not met");
validateTarget.setState(STATE.EXPIRED);
return false;
}
- if (issueInstant != null && issueInstant.isAfterNow()) {
+ if (issueInstant != null && issueInstant.isAfter(now)) {
LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
return false;
}
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java
index ed8662a..15038d3 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java
@@ -20,6 +20,7 @@
package org.apache.cxf.systest.jaxrs.security.oauth2.common;
import java.io.IOException;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -47,7 +48,6 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.joda.time.DateTime;
/**
* A CallbackHandler instance that is used by the STS to mock up a SAML Attribute Assertion.
@@ -111,7 +111,7 @@ public class SamlCallbackHandler implements CallbackHandler {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
- authBean.setAuthenticationInstant(new DateTime());
+ authBean.setAuthenticationInstant(Instant.now());
authBean.setSessionIndex("123456");
authBean.setSubject(subjectBean);
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 72aea1a..aa30022 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.systest.jaxrs.security.saml;
import java.io.IOException;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -51,7 +52,6 @@ import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.joda.time.DateTime;
/**
* A CallbackHandler instance that is used by the STS to mock up a SAML Attribute Assertion.
@@ -141,7 +141,7 @@ public class SamlCallbackHandler implements CallbackHandler {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
- authBean.setAuthenticationInstant(new DateTime());
+ authBean.setAuthenticationInstant(Instant.now());
authBean.setSessionIndex("123456");
// AuthnContextClassRef is not set
authBean.setAuthenticationMethod(