Posted to commits@ws.apache.org by co...@apache.org on 2015/01/14 16:02:47 UTC
svn commit: r1651692 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
Author: coheigea
Date: Wed Jan 14 15:02:46 2015
New Revision: 1651692
URL: http://svn.apache.org/r1651692
Log:
[WSS-521] - Validate that a SAML Assertion "IssueInstant" is not "in the future"
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java?rev=1651692&r1=1651691&r2=1651692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java Wed Jan 14 15:02:46 2015
@@ -782,14 +782,18 @@ public class SamlAssertionWrapper {
public void checkConditions(int futureTTL) throws WSSecurityException {
DateTime validFrom = null;
DateTime validTill = null;
+ DateTime issueInstant = null;
+
if (getSamlVersion().equals(SAMLVersion.VERSION_20)
&& getSaml2().getConditions() != null) {
validFrom = getSaml2().getConditions().getNotBefore();
validTill = getSaml2().getConditions().getNotOnOrAfter();
+ issueInstant = getSaml2().getIssueInstant();
} else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
&& getSaml1().getConditions() != null) {
validFrom = getSaml1().getConditions().getNotBefore();
validTill = getSaml1().getConditions().getNotOnOrAfter();
+ issueInstant = getSaml1().getIssueInstant();
}
if (validFrom != null) {
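Review bot: The two added `issueInstant = ...getIssueInstant()` assignments sit inside the `getConditions() != null` branches, so an assertion that carries no Conditions element never has its IssueInstant checked at all, although IssueInstant is an attribute of the assertion rather than of Conditions. Reading it before the Conditions branch closes that gap, e.g. `if (getSamlVersion().equals(SAMLVersion.VERSION_20)) { issueInstant = getSaml2().getIssueInstant(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)) { issueInstant = getSaml1().getIssueInstant(); }` followed by the existing Conditions block with the two assignments removed. A test with no Conditions and a future IssueInstant would pin this; the present testSAML2FutureIssueInstant goes through the callback handler, which presumably sets Conditions, so it does not cover that path. checkConditions continues past the end of this hunk.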
@@ -805,6 +809,17 @@ public class SamlAssertionWrapper {
LOG.debug("SAML Token condition (Not On Or After) not met");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
+
+ // IssueInstant is not strictly in Conditions, but it has similar semantics to
+ // NotBefore, so including it here
+ if (issueInstant != null) {
+ DateTime currentTime = new DateTime();
+ currentTime = currentTime.plusSeconds(futureTTL);
+ if (issueInstant.isAfter(currentTime)) {
+ LOG.debug("SAML Token IssueInstant not met");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+ }
+ }
}
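Review bot: The new block rejects only an IssueInstant later than now plus futureTTL; nothing bounds how old the IssueInstant may be, so as far as this check is concerned an assertion remains acceptable indefinitely and any replay protection still rests entirely on NotOnOrAfter being present and tight. If a staleness bound is wanted it should be a separate configurable window rather than a reuse of futureTTL, since that value expresses tolerated clock skew, not an assertion lifetime. A null IssueInstant also passes silently here, though the SAML schema makes the attribute required; a debug line such as `LOG.debug("SAML Token has no IssueInstant");` in an else branch would at least make that visible. The debug message `"SAML Token IssueInstant not met"` is hard to read for an operator; `"SAML Token IssueInstant is in the future"` states what actually failed.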
/**
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java?rev=1651692&r1=1651691&r2=1651692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java Wed Jan 14 15:02:46 2015
@@ -233,6 +233,43 @@ public class SamlConditionsTest extends
}
}
+ @org.junit.Test
+ public void testSAML2FutureIssueInstant() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ DateTime issueInstant = new DateTime();
+ issueInstant = issueInstant.plusMinutes(60);
+ samlAssertion.getSaml2().setIssueInstant(issueInstant);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+ String outputString =
+ XMLUtils.PrettyDocumentToString(unsignedDoc);
+ LOG.debug(outputString);
+ }
+
+ try {
+ verify(unsignedDoc);
+ fail("Failure expected in processing the SAML Conditions element");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getMessage().contains("SAML token security failure"));
+ }
+ }
+
/**
* Test that creates, sends and processes an unsigned SAML 2 authentication assertion
* with an (invalid) custom Conditions statement.