Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/18 15:44:30 UTC
cxf git commit: Enforce all Assertions must be signed in some way by
default
Repository: cxf
Updated Branches:
refs/heads/master 6e7b79f6a -> 6c7cbe317
Enforce all Assertions must be signed in some way by default
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6c7cbe31
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6c7cbe31
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6c7cbe31
Branch: refs/heads/master
Commit: 6c7cbe317d468efd81e538319152de9fba57e1e3
Parents: 6e7b79f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 18 14:43:41 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 14:43:41 2016 +0000
----------------------------------------------------------------------
.../saml/sso/SAMLSSOResponseValidator.java | 8 ++--
.../saml/sso/CombinedValidatorTest.java | 1 +
.../saml/sso/SAMLSSOResponseValidatorTest.java | 49 ++++++++++++++++++++
3 files changed, 54 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6c7cbe31/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 3ee7005..e072817 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -50,7 +50,8 @@ public class SAMLSSOResponseValidator {
private TokenReplayCache<String> replayCache;
/**
- * Enforce that Assertions must be signed if the POST binding was used. The default is true.
+ * Enforce that Assertions contained in the Response must be signed (if the Response itself is not
+ * signed). The default is true.
*/
public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
this.enforceAssertionsSigned = enforceAssertionsSigned;
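Review bot: The new Javadoc says Assertions must be signed "if the Response itself is not signed", but the check that implements it (second hunk of this file) is gated on the enforceResponseSigned setting, not on whether the Response actually carries a signature, so the comment describes a runtime condition the code does not test. I would state it in terms of the configuration, e.g. `* Enforce that Assertions contained in the Response must be signed. This check only applies when` / `* enforceResponseSigned is false, i.e. when the Response itself is not required to be signed.` / `* The default is true.` The setter body continues past the end of the hunk.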
@@ -108,9 +109,8 @@ public class SAMLSSOResponseValidator {
}
validateIssuer(assertion.getIssuer());
- if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) {
- LOG.fine("If the HTTP Post binding is used to deliver the Response, "
- + "the enclosed assertions must be signed");
+ if (!enforceResponseSigned && enforceAssertionsSigned && assertion.getSignature() == null) {
+ LOG.fine("The enclosed assertions in the SAML Response must be signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
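Review bot: The rewritten condition drops the Assertion-signature requirement whenever enforceResponseSigned is true, regardless of whether this particular Response is signed; unless the presence and validity of the Response signature are enforced elsewhere under that flag (not visible in this hunk), an unsigned Response carrying unsigned Assertions would pass this check. Please confirm that validateSamlResponse rejects a missing or invalid Response signature when enforceResponseSigned is set, and record the dependency above the condition, e.g. `// Assertion signatures are only required when the Response signature is not itself enforced;` / `// relies on the Response signature check performed earlier under enforceResponseSigned`. The removed postBinding test may also leave that parameter unused in this method; worth checking. The enclosing method starts and ends outside the hunk.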
http://git-wip-us.apache.org/repos/asf/cxf/blob/6c7cbe31/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index bba459e..cb684ed 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -168,6 +168,7 @@ public class CombinedValidatorTest extends org.junit.Assert {
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+ ssoValidator.setEnforceAssertionsSigned(false);
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
http://git-wip-us.apache.org/repos/asf/cxf/blob/6c7cbe31/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
index 9d886c3..ed4e5e2 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
@@ -77,6 +77,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
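Review bot: The same `validator.setEnforceAssertionsSigned(false);` line is added to fourteen near-identical fixtures in this file (this hunk and the thirteen that follow, through the @@ -515 hunk), each of which also repeats the issuer, consumer URL and client address setup. A small private factory such as `createValidator()` that returns a configured SAMLSSOResponseValidator would keep the opt-out in one place and make it obvious which tests deliberately relax the new default. Each of these hunks sits inside a test method that starts and ends outside the hunk.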
@@ -97,6 +98,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -122,6 +124,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -147,6 +150,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -172,6 +176,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -198,6 +203,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -298,6 +304,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -324,6 +331,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -343,6 +351,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -372,6 +381,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -403,6 +413,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -437,6 +448,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -472,6 +484,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -515,6 +528,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+ validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
@@ -529,6 +543,41 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
}
}
+ @org.junit.Test
+ public void testEnforceAssertionsSigned() throws Exception {
+
+ SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+ subjectConfirmationData.setAddress("http://apache.org");
+ subjectConfirmationData.setInResponseTo("12345");
+ subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setRecipient("http://recipient.apache.org");
+
+ Response response = createResponse(subjectConfirmationData);
+
+ Crypto issuerCrypto = new Merlin();
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+ InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+ keyStore.load(input, "password".toCharArray());
+ ((Merlin)issuerCrypto).setKeyStore(keyStore);
+
+ // Test SSO validation
+ SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+ ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+ ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+ ssoValidator.setClientAddress("http://apache.org");
+ ssoValidator.setRequestId("12345");
+ ssoValidator.setSpIdentifier("http://service.apache.org");
+
+ // Parse the response
+ try {
+ ssoValidator.validateSamlResponse(response, false);
+ fail("Failure expected on an unsigned Assertion");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
private Response createResponse(
SubjectConfirmationDataBean subjectConfirmationData
) throws Exception {