Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/18 15:46:24 UTC
[2/2] cxf git commit: Enforce all Assertions must be signed in some
way by default
Enforce that all Assertions must be signed in some way by default
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3863a2a7
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3863a2a7
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3863a2a7
Branch: refs/heads/3.0.x-fixes
Commit: 3863a2a71d6398491447c2f024f1595fbb921b34
Parents: 8858a63
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 18 14:43:41 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 14:45:09 2016 +0000
----------------------------------------------------------------------
.../saml/sso/SAMLSSOResponseValidator.java | 8 ++--
.../saml/sso/CombinedValidatorTest.java | 1 +
.../saml/sso/SAMLSSOResponseValidatorTest.java | 49 ++++++++++++++++++++
3 files changed, 54 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/3863a2a7/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 8da52c8..70c659f 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -50,7 +50,8 @@ public class SAMLSSOResponseValidator {
private TokenReplayCache<String> replayCache;
/**
- * Enforce that Assertions must be signed if the POST binding was used. The default is true.
+ * Enforce that Assertions contained in the Response must be signed (if the Response itself is not
+ * signed). The default is true.
*/
public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
this.enforceAssertionsSigned = enforceAssertionsSigned;
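Review bot: The new Javadoc says the requirement applies "if the Response itself is not signed", but the condition this commit introduces keys off the `enforceResponseSigned` setting, not off whether a Signature is actually present on the Response, so the wording promises more than the code checks. Suggested text: `Enforce that Assertions contained in the Response must be signed. The check is skipped when enforceResponseSigned is true, on the assumption that the Response signature is verified elsewhere. The default is true.` It would also help to state that only the presence of a Signature element is enforced here; cryptographic verification of that signature appears to happen outside this validator and a reader of the setter should not assume otherwise.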
@@ -108,9 +109,8 @@ public class SAMLSSOResponseValidator {
}
validateIssuer(assertion.getIssuer());
- if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) {
- LOG.fine("If the HTTP Post binding is used to deliver the Response, "
- + "the enclosed assertions must be signed");
+ if (!enforceResponseSigned && enforceAssertionsSigned && assertion.getSignature() == null) {
+ LOG.fine("The enclosed assertions in the SAML Response must be signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
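Review bot: The guard on the `if` line skips the assertion-signature requirement whenever `enforceResponseSigned` is configured true, regardless of whether the incoming Response actually carries a signature, so this path is only safe if some other component rejects an unsigned Response before this validator runs, which nothing in the hunk shows. If `response` is in scope (the enclosing method starts above the hunk, and the new test calls `validateSamlResponse(response, false)`), a fail-closed form would be `if (enforceAssertionsSigned && response.getSignature() == null && assertion.getSignature() == null)`, which still rejects an unsigned Assertion inside an unsigned Response even when response-signature enforcement is misconfigured. Note also that `assertion.getSignature() == null` only checks that a Signature element exists, not that it verifies or was produced by the expected IdP; a one-line comment such as `// presence check only; the signature itself is verified by the protocol validator` would stop the next reader treating this as the full check. The `postBinding` parameter no longer contributes to this condition, so whether it is still used elsewhere in the method is worth confirming.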
http://git-wip-us.apache.org/repos/asf/cxf/blob/3863a2a7/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index 3150a0e..261a630 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -168,6 +168,7 @@ public class CombinedValidatorTest extends org.junit.Assert {
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+ ssoValidator.setEnforceAssertionsSigned(false);
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
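Review bot: Adding `ssoValidator.setEnforceAssertionsSigned(false)` here means the combined test no longer exercises the new default at all; if the fixture in this test signs the Response (the Merlin/alice.jks setup copied into `testEnforceAssertionsSigned` suggests it does), it would be stronger to leave the default on and enable `enforceResponseSigned` instead, so the signed-Response path the Javadoc describes is what gets tested. The method body starts above the hunk, so I cannot confirm which element the fixture signs; at minimum a comment such as `// Response is signed, so unsigned Assertions are acceptable in this test` would record why the secure default is relaxed.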
http://git-wip-us.apache.org/repos/asf/cxf/blob/3863a2a7/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
index 7855c29a..08814bb 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
@@ -77,6 +77,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -97,6 +98,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -122,6 +124,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -147,6 +150,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -172,6 +176,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -198,6 +203,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -298,6 +304,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -324,6 +331,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -343,6 +351,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -372,6 +381,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -403,6 +413,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -437,6 +448,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -472,6 +484,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -515,6 +528,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -529,6 +543,41 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
}
}
+ @org.junit.Test
+ public void testEnforceAssertionsSigned() throws Exception {
+
+ SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+ subjectConfirmationData.setAddress("http://apache.org");
+ subjectConfirmationData.setInResponseTo("12345");
+ subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setRecipient("http://recipient.apache.org");
+
+ Response response = createResponse(subjectConfirmationData);
+
+ Crypto issuerCrypto = new Merlin();
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+ InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+ keyStore.load(input, "password".toCharArray());
+ ((Merlin)issuerCrypto).setKeyStore(keyStore);
+
+ // Test SSO validation
+ SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+ ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+ ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+ ssoValidator.setClientAddress("http://apache.org");
+ ssoValidator.setRequestId("12345");
+ ssoValidator.setSpIdentifier("http://service.apache.org");
+
+ // Parse the response
+ try {
+ ssoValidator.validateSamlResponse(response, false);
+ fail("Failure expected on an unsigned Assertion");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
private Response createResponse(
SubjectConfirmationDataBean subjectConfirmationData
) throws Exception {
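Review bot: `issuerCrypto`, `keyStore`, `loader` and `input` are set up in `testEnforceAssertionsSigned` but never used, and the `InputStream` returned by `Merlin.loadInputStream` is never closed; since the test only needs an unsigned Response, the whole keystore block can be dropped, or if it is being kept for a later signed-Assertion case, wrap it in `try (InputStream input = Merlin.loadInputStream(loader, "alice.jks")) { ... }`. The catch only asserts that some `WSSecurityException` is thrown, so a failure from an unrelated check (issuer, recipient, address, request id) would also pass; asserting on the exception's message or error code would pin the failure to the unsigned Assertion. A companion positive test, the same Response with a signed Assertion or with `enforceResponseSigned` enabled, would show the new default does not reject legitimate traffic.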