You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2012/05/24 15:28:38 UTC
svn commit: r1342249 - in /cxf/trunk/rt/rs/security/sso/saml: ./
src/main/java/org/apache/cxf/rs/security/saml/sso/ src/main/resources/
Author: coheigea
Date: Thu May 24 13:28:38 2012
New Revision: 1342249
URL: http://svn.apache.org/viewvc?rev=1342249&view=rev
Log:
Adding TokenReplayCache interface + implementation based on EhCache
Added:
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java
cxf/trunk/rt/rs/security/sso/saml/src/main/resources/
cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml
Modified:
cxf/trunk/rt/rs/security/sso/saml/pom.xml
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Modified: cxf/trunk/rt/rs/security/sso/saml/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/pom.xml?rev=1342249&r1=1342248&r2=1342249&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/pom.xml (original)
+++ cxf/trunk/rt/rs/security/sso/saml/pom.xml Thu May 24 13:28:38 2012
@@ -69,6 +69,12 @@
<groupId>${cxf.servlet-api.group}</groupId>
<artifactId>${cxf.servlet-api.artifact}</artifactId>
</dependency>
+ <dependency>
+ <groupId>net.sf.ehcache</groupId>
+ <artifactId>ehcache-core</artifactId>
+ <version>${cxf.ehcache.version}</version>
+ <scope>compile</scope>
+ </dependency>
</dependencies>
<build>
<plugins>
Added: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java?rev=1342249&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java (added)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java Thu May 24 13:28:38 2012
@@ -0,0 +1,138 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.saml.sso;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.net.URL;
+
+import net.sf.ehcache.Cache;
+import net.sf.ehcache.CacheManager;
+import net.sf.ehcache.Ehcache;
+import net.sf.ehcache.Element;
+
+import org.apache.ws.security.util.Loader;
+
+/**
+ * An in-memory EHCache implementation of the TokenReplayCache interface.
+ * The default TTL is 60 minutes and the max TTL is 12 hours.
+ */
+public class EHCacheTokenReplayCache implements TokenReplayCache<String>, Closeable {
+
+ public static final long DEFAULT_TTL = 3600L;
+ public static final long MAX_TTL = DEFAULT_TTL * 12L;
+ private static final String CACHE_KEY = "cxf-samlp-replay-cache";
+ private Ehcache cache;
+ private CacheManager cacheManager;
+ private long ttl = DEFAULT_TTL;
+
+ public EHCacheTokenReplayCache() {
+ String defaultConfigFile = "cxf-samlp-ehcache.xml";
+ URL configFileURL = Loader.getResource(defaultConfigFile);
+ createCache(configFileURL);
+ }
+
+ public EHCacheTokenReplayCache(URL configFileURL) {
+ createCache(configFileURL);
+ }
+
+ private void createCache(URL configFileURL) {
+ if (configFileURL == null) {
+ cacheManager = CacheManager.create();
+ } else {
+ cacheManager = CacheManager.create(configFileURL);
+ }
+
+ Ehcache newCache = new Cache(CACHE_KEY, 50000, true, false, DEFAULT_TTL, DEFAULT_TTL);
+ cache = cacheManager.addCacheIfAbsent(newCache);
+ }
+
+ /**
+ * Set a new (default) TTL value in seconds
+ * @param newTtl a new (default) TTL value in seconds
+ */
+ public void setTTL(long newTtl) {
+ ttl = newTtl;
+ }
+
+ /**
+ * Get the (default) TTL value in seconds
+ * @return the (default) TTL value in seconds
+ */
+ public long getTTL() {
+ return ttl;
+ }
+
+ /**
+ * Add the given identifier to the cache. It will be cached for a default amount of time.
+ * @param id The identifier to be added
+ */
+ public void putId(String id) {
+ putId(id, ttl);
+ }
+
+ /**
+ * Add the given identifier to the cache.
+ * @param identifier The identifier to be added
+ * @param timeToLive The length of time to cache the Identifier in seconds
+ */
+ public void putId(String id, long timeToLive) {
+ if (id == null || "".equals(id)) {
+ return;
+ }
+
+ int parsedTTL = (int)timeToLive;
+ if (timeToLive != (long)parsedTTL || parsedTTL < 0 || parsedTTL > MAX_TTL) {
+ // Default to configured value
+ parsedTTL = (int)ttl;
+ if (ttl != (long)parsedTTL) {
+ // Fall back to 60 minutes if the default TTL is set incorrectly
+ parsedTTL = 3600;
+ }
+ }
+
+ cache.put(new Element(id, id, false, parsedTTL, parsedTTL));
+ }
+
+ /**
+ * Return the given identifier if it is contained in the cache, otherwise null.
+ * @param id The identifier to check
+ */
+ public String getId(String id) {
+ Element element = cache.get(id);
+ if (element != null) {
+ if (cache.isExpired(element)) {
+ cache.remove(id);
+ return null;
+ }
+ return (String)element.getObjectValue();
+ }
+ return null;
+ }
+
+ public void close() throws IOException {
+ if (cacheManager != null) {
+ cacheManager.shutdown();
+ cacheManager = null;
+ cache = null;
+ }
+ }
+
+}
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1342249&r1=1342248&r2=1342249&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java Thu May 24 13:28:38 2012
@@ -67,6 +67,7 @@ public class RequestAssertionConsumerSer
private boolean supportDeflateEncoding = true;
private boolean supportBase64Encoding = true;
private boolean enforceAssertionsSigned = true;
+ private TokenReplayCache<String> replayCache;
private MessageContext messageContext;
@@ -82,6 +83,17 @@ public class RequestAssertionConsumerSer
return supportDeflateEncoding;
}
+ public void setReplayCache(TokenReplayCache<String> replayCache) {
+ this.replayCache = replayCache;
+ }
+
+ public TokenReplayCache<String> getReplayCache() {
+ if (replayCache == null) {
+ replayCache = new EHCacheTokenReplayCache();
+ }
+ return replayCache;
+ }
+
/**
* Enforce that Assertions must be signed if the POST binding was used. The default is true.
*/
@@ -267,6 +279,7 @@ public class RequestAssertionConsumerSer
ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
+ ssoResponseValidator.setReplayCache(getReplayCache());
return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);
} catch (WSSecurityException ex) {
Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1342249&r1=1342248&r2=1342249&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java (original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java Thu May 24 13:28:38 2012
@@ -32,10 +32,6 @@ import org.opensaml.saml2.core.AuthnStat
/**
* Validate a SAML 2.0 Protocol Response according to the Web SSO profile. The Response
* should be validated by the SAMLProtocolResponseValidator first.
- *
-TODO The service provider MUST ensure that bearer assertions are not replayed, by maintaining the set of used
-ID values for the length of time for which the assertion would be considered valid based on the
-NotOnOrAfter attribute in the <SubjectConfirmationData>.
*/
public class SAMLSSOResponseValidator {
@@ -47,6 +43,7 @@ public class SAMLSSOResponseValidator {
private String requestId;
private String spIdentifier;
private boolean enforceAssertionsSigned = true;
+ private TokenReplayCache<String> replayCache;
/**
* Enforce that Assertions must be signed if the POST binding was used. The default is true.
@@ -105,7 +102,7 @@ public class SAMLSSOResponseValidator {
if (assertion.getAuthnStatements() != null
&& !assertion.getAuthnStatements().isEmpty()) {
org.opensaml.saml2.core.Subject subject = assertion.getSubject();
- if (validateAuthenticationSubject(subject)) {
+ if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) {
validateAudienceRestrictionCondition(assertion.getConditions());
foundValidSubject = true;
// Store Session NotOnOrAfter
@@ -162,7 +159,7 @@ public class SAMLSSOResponseValidator {
* Validate the Subject (of an Authentication Statement).
*/
private boolean validateAuthenticationSubject(
- org.opensaml.saml2.core.Subject subject
+ org.opensaml.saml2.core.Subject subject, String id, boolean postBinding
) throws WSSecurityException {
if (subject.getSubjectConfirmations() == null) {
return false;
@@ -171,7 +168,7 @@ public class SAMLSSOResponseValidator {
for (org.opensaml.saml2.core.SubjectConfirmation subjectConf
: subject.getSubjectConfirmations()) {
if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
- validateSubjectConfirmation(subjectConf.getSubjectConfirmationData());
+ validateSubjectConfirmation(subjectConf.getSubjectConfirmationData(), id, postBinding);
}
}
@@ -182,7 +179,7 @@ public class SAMLSSOResponseValidator {
* Validate a (Bearer) Subject Confirmation
*/
private void validateSubjectConfirmation(
- org.opensaml.saml2.core.SubjectConfirmationData subjectConfData
+ org.opensaml.saml2.core.SubjectConfirmationData subjectConfData, String id, boolean postBinding
) throws WSSecurityException {
if (subjectConfData == null) {
LOG.fine("Subject Confirmation Data of a Bearer Subject Confirmation is null");
@@ -204,6 +201,19 @@ public class SAMLSSOResponseValidator {
throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
}
+ // Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
+ if (postBinding && replayCache != null) {
+ if (replayCache.getId(id) == null) {
+ Date expires = subjectConfData.getNotOnOrAfter().toDate();
+ Date currentTime = new Date();
+ long ttl = expires.getTime() - currentTime.getTime();
+ replayCache.putId(id, ttl / 1000L);
+ } else {
+ LOG.fine("Replay attack with token id: " + id);
+ throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+ }
+ }
+
// Check address
if (subjectConfData.getAddress() != null
&& !subjectConfData.getAddress().equals(clientAddress)) {
@@ -301,5 +311,8 @@ public class SAMLSSOResponseValidator {
this.spIdentifier = spIdentifier;
}
-
+ public void setReplayCache(TokenReplayCache<String> replayCache) {
+ this.replayCache = replayCache;
+ }
+
}
Added: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java?rev=1342249&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java (added)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java Thu May 24 13:28:38 2012
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.saml.sso;
+
+public interface TokenReplayCache<T> {
+
+ T getId(T id);
+
+ void putId(T id);
+
+ void putId(T id, long timeToLive);
+}
\ No newline at end of file
Added: cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml?rev=1342249&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml (added)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml Thu May 24 13:28:38 2012
@@ -0,0 +1,16 @@
+<ehcache xsi:noNamespaceSchemaLocation="ehcache.xsd" updateCheck="false" monitoring="autodetect" dynamicConfig="true">
+
+ <diskStore path="java.io.tmpdir"/>
+
+ <defaultCache
+ maxElementsInMemory="50000"
+ eternal="false"
+ timeToIdleSeconds="3600"
+ timeToLiveSeconds="3600"
+ overflowToDisk="true"
+ maxElementsOnDisk="10000000"
+ diskPersistent="false"
+ diskExpiryThreadIntervalSeconds="120"
+ memoryStoreEvictionPolicy="LRU"
+ />
+</ehcache>