Posted to commits@ws.apache.org by co...@apache.org on 2017/03/22 15:46:36 UTC
svn commit: r1788123 - in /webservices/wss4j/branches/2_1_x-fixes:
ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
Author: coheigea
Date: Wed Mar 22 15:46:36 2017
New Revision: 1788123
URL: http://svn.apache.org/viewvc?rev=1788123&view=rev
Log:
WSS-603 - Improper date check in SamlAssertionWrapper.checkIssueInstant
Modified:
webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java?rev=1788123&r1=1788122&r2=1788123&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java Wed Mar 22 15:46:36 2017
@@ -829,8 +829,7 @@ public class SamlAssertionWrapper {
// Check the IssueInstant is not in the future, subject to the future TTL
if (issueInstant != null) {
- DateTime currentTime = new DateTime();
- currentTime = currentTime.plusSeconds(futureTTL);
+ DateTime currentTime = new DateTime().plusSeconds(futureTTL);
if (issueInstant.isAfter(currentTime)) {
LOG.debug("SAML Token IssueInstant not met");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
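Review bot: On the rewritten line `currentTime` no longer holds the current time but the upper bound now + futureTTL, and the next hunk reassigns it to now - ttl, so the name misleads in both checks; the clock is also sampled separately for each bound. Sample it once and name the bounds: `DateTime now = new DateTime();`, `DateTime latestIssueInstant = now.plusSeconds(futureTTL);`, `if (issueInstant.isAfter(latestIssueInstant)) {`, with the TTL branch then using `now.minusSeconds(ttl)`. The debug message on rejection carries no values; including the offending IssueInstant and the bound it violated would make clock-skew rejections diagnosable in production without exposing anything sensitive. The enclosing method (checkIssueInstant, per the commit log) starts before this hunk and continues past it.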
@@ -838,8 +837,7 @@ public class SamlAssertionWrapper {
// If there is no NotOnOrAfter, then impose a TTL on the IssueInstant.
if (validTill == null) {
- currentTime = new DateTime();
- currentTime.minusSeconds(ttl);
+ currentTime = new DateTime().minusSeconds(ttl);
if (issueInstant.isBefore(currentTime)) {
LOG.debug("SAML Token IssueInstant not met. The assertion was created too long ago.");
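Review bot: The corrected bound `new DateTime().minusSeconds(ttl)` still reduces to the pre-fix behaviour whenever `ttl` is zero (every IssueInstant strictly before now is rejected) and widens without limit for a negative `ttl`; where `ttl` is set is outside this hunk, so it is worth confirming it is validated as positive at configuration time rather than left to the caller. Since this branch runs only when the assertion carries no NotOnOrAfter, `ttl` is the sole freshness bound and therefore the replay window for such assertions, which deserves saying on the `if (validTill == null)` line, e.g. `// No NotOnOrAfter: the configured ttl is the only freshness bound, so it defines the replay window for this assertion`. The hunk is cut after the debug line; the throw that presumably follows and the rest of the method are outside this view.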
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java?rev=1788123&r1=1788122&r2=1788123&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlConditionsTest.java Wed Mar 22 15:46:36 2017
@@ -214,6 +214,38 @@ public class SamlConditionsTest extends
assertTrue(ex.getMessage().contains("SAML token security failure"));
}
}
+
+ @Test
+ public void testSAML2NoNotOnOrAfter() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ DateTime issueInstant = new DateTime().minusSeconds(5);
+ samlAssertion.getSaml2().setIssueInstant(issueInstant);
+ samlAssertion.getSaml2().getConditions().setNotOnOrAfter(null);
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader(doc);
+ secHeader.insertSecurityHeader();
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken(secHeader);
+
+ Document unsignedDoc = wsSign.build(samlAssertion);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("SAML 2 Authn Assertion (sender vouches):");
+ String outputString =
+ XMLUtils.prettyDocumentToString(unsignedDoc);
+ LOG.debug(outputString);
+ }
+
+ verify(unsignedDoc);
+ }
@Test
public void testSAML2StaleIssueInstantButWithNotOnOrAfter() throws Exception {
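Review bot: The new testSAML2NoNotOnOrAfter exercises only the accepting path (IssueInstant five seconds old, NotOnOrAfter removed), so a regression that made the TTL check accept everything — for instance losing the `isBefore` throw — would still pass the suite; a companion case with an IssueInstant older than the TTL and NotOnOrAfter removed, expected to fail verification, pins the check from the other side. The positive test also relies on the configured TTL exceeding five seconds, which is not visible here, and the negative case needs an age that is certainly beyond it. A sketch reusing the failure assertion already present at the top of this hunk follows; the actual TTL value and any setter for it are outside this view. The `(sender vouches)` label in the debug message looks copied from a neighbouring test, as this test sets no confirmation method.
```java
@Test
public void testSAML2StaleIssueInstantNoNotOnOrAfter() throws Exception {
    // … unchanged: callback handler, SAMLCallback and SamlAssertionWrapper setup …
    // Older than any plausible TTL; use (configured ttl + margin) if a setter is available
    DateTime issueInstant = new DateTime().minusDays(1);
    samlAssertion.getSaml2().setIssueInstant(issueInstant);
    samlAssertion.getSaml2().getConditions().setNotOnOrAfter(null);
    // … unchanged: SOAP part, security header, WSSecSAMLToken build …
    try {
        verify(unsignedDoc);
        fail("Expected failure: stale IssueInstant with no NotOnOrAfter");
    } catch (WSSecurityException ex) {
        assertTrue(ex.getMessage().contains("SAML token security failure"));
    }
}
```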