You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2014/09/11 16:49:03 UTC
svn commit: r1624308 - in /webservices/wss4j/trunk:
ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/
ws-security-dom/src/test/java/org/apache/wss4j/dom/message/
ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/
ws-security-stax/src/m...
Author: coheigea
Date: Thu Sep 11 14:49:03 2014
New Revision: 1624308
URL: http://svn.apache.org/r1624308
Log:
[WSS-512] - Provide a configurable way of enforcing that SAML Bearer Tokens must have an internal signature
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java Thu Sep 11 14:49:03 2014
@@ -69,6 +69,12 @@ public class SamlAssertionValidator exte
private boolean requireStandardSubjectConfirmationMethod = true;
/**
+ * If this is set, an Assertion with a Bearer SubjectConfirmation Method must be
+ * signed
+ */
+ private boolean requireBearerSignature = true;
+
+ /**
* Set the time in seconds in the future within which the NotBefore time of an incoming
* Assertion is valid. The default is 60 seconds.
*/
@@ -152,8 +158,14 @@ public class SamlAssertionValidator exte
requiredMethodFound = true;
}
if (SAML2Constants.CONF_BEARER.equals(method)
- || SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
- || SAML1Constants.CONF_BEARER.equals(method)
+ || SAML1Constants.CONF_BEARER.equals(method)) {
+ standardMethodFound = true;
+ if (requireBearerSignature && !signed) {
+ LOG.debug("A Bearer Assertion was not signed");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "invalidSAMLsecurity");
+ }
+ } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
|| SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
standardMethodFound = true;
}
@@ -272,5 +284,13 @@ public class SamlAssertionValidator exte
public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod) {
this.requireStandardSubjectConfirmationMethod = requireStandardSubjectConfirmationMethod;
}
+
+ public boolean isRequireBearerSignature() {
+ return requireBearerSignature;
+ }
+
+ public void setRequireBearerSignature(boolean requireBearerSignature) {
+ this.requireBearerSignature = requireBearerSignature;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/ReplayTest.java Thu Sep 11 14:49:03 2014
@@ -46,6 +46,7 @@ import org.apache.wss4j.common.saml.buil
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -476,6 +477,11 @@ public class ReplayTest extends org.juni
}
WSSConfig wssConfig = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+ assertionValidator.setRequireBearerSignature(false);
+ wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+ wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+
RequestData data = new RequestData();
data.setWssConfig(wssConfig);
data.setCallbackHandler(callbackHandler);
@@ -524,6 +530,11 @@ public class ReplayTest extends org.juni
}
WSSConfig wssConfig = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+ assertionValidator.setRequireBearerSignature(false);
+ wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+ wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+
RequestData data = new RequestData();
data.setWssConfig(wssConfig);
data.setCallbackHandler(callbackHandler);
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java Thu Sep 11 14:49:03 2014
@@ -1049,6 +1049,45 @@ public class SamlTokenTest extends org.j
newEngine.processSecurityHeader(unsignedDoc, null, null, null);
}
+ @org.junit.Test
+ public void testUnsignedBearer() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+ WSSecurityEngine newEngine = new WSSecurityEngine();
+ try {
+ newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+ fail("Failure expected on an unsigned bearer token");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+
+ // Now disable this check
+ WSSConfig config = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+ assertionValidator.setRequireBearerSignature(false);
+ config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+ config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+ config.setValidateSamlSubjectConfirmation(false);
+
+ newEngine.setWssConfig(config);
+ newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+ }
+
private void encryptElement(
Document document,
Element elementToEncrypt,
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java Thu Sep 11 14:49:03 2014
@@ -62,6 +62,12 @@ public class SamlTokenValidatorImpl exte
* be present in the assertion (Bearer / SenderVouches / HolderOfKey).
*/
private boolean requireStandardSubjectConfirmationMethod = true;
+
+ /**
+ * If this is set, an Assertion with a Bearer SubjectConfirmation Method must be
+ * signed
+ */
+ private boolean requireBearerSignature = true;
/**
* Set the time in seconds in the future within which the NotBefore time of an incoming
@@ -169,8 +175,14 @@ public class SamlTokenValidatorImpl exte
requiredMethodFound = true;
}
if (SAML2Constants.CONF_BEARER.equals(method)
- || SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
- || SAML1Constants.CONF_BEARER.equals(method)
+ || SAML1Constants.CONF_BEARER.equals(method)) {
+ standardMethodFound = true;
+ if (requireBearerSignature && !signed) {
+ LOG.debug("A Bearer Assertion was not signed");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "invalidSAMLsecurity");
+ }
+ } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
|| SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
standardMethodFound = true;
}
@@ -243,5 +255,13 @@ public class SamlTokenValidatorImpl exte
public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod) {
this.requireStandardSubjectConfirmationMethod = requireStandardSubjectConfirmationMethod;
}
+
+ public boolean isRequireBearerSignature() {
+ return requireBearerSignature;
+ }
+
+ public void setRequireBearerSignature(boolean requireBearerSignature) {
+ this.requireBearerSignature = requireBearerSignature;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java Thu Sep 11 14:49:03 2014
@@ -39,6 +39,7 @@ import org.apache.wss4j.stax.ext.WSSCons
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.test.saml.SAML2CallbackHandler;
import org.apache.wss4j.stax.test.utils.StAX2DOM;
+import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.junit.Assert;
import org.junit.Test;
@@ -187,6 +188,12 @@ public class ReplayTest extends Abstract
ReplayCache replayCache = null;
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequireBearerSignature(false);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
replayCache = securityProperties.getSamlOneTimeUseReplayCache();
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
@@ -198,6 +205,12 @@ public class ReplayTest extends Abstract
// now process SAML Token again
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequireBearerSignature(false);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
securityProperties.setSamlOneTimeUseReplayCache(replayCache);
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
@@ -240,6 +253,12 @@ public class ReplayTest extends Abstract
ReplayCache replayCache = null;
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequireBearerSignature(false);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
replayCache = securityProperties.getSamlOneTimeUseReplayCache();
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
@@ -251,6 +270,12 @@ public class ReplayTest extends Abstract
// now process SAML Token again
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequireBearerSignature(false);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
securityProperties.setSamlOneTimeUseReplayCache(replayCache);
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java?rev=1624308&r1=1624307&r2=1624308&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java Thu Sep 11 14:49:03 2014
@@ -1084,6 +1084,67 @@ public class SAMLTokenTest extends Abstr
}
}
+ @Test
+ public void testUnsignedBearer() throws Exception {
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setSignAssertion(false);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+
+ // Validate
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ try {
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ fail("Failure expected on an unsigned bearer token");
+ } catch (XMLStreamException e) {
+ // expected
+ }
+ }
+
+ // Validate again - disable the signed Bearer check
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+
+ SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+ validator.setRequireBearerSignature(false);
+ securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+ securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+ }
+ }
+
private void encryptElement(
Document document,
Element elementToEncrypt,