Posted to commits@cxf.apache.org by co...@apache.org on 2022/03/07 13:53:43 UTC
[cxf] 01/01: Updating to OpenSAML4. One test fails in systests/advanced
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch opensaml4
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 09901b3ff58076e2c5ff98c3b7204eb6ef128609
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Mar 7 13:50:09 2022 +0000
Updating to OpenSAML4. One test fails in systests/advanced
---
parent/pom.xml | 2 +-
.../security/oauth2/saml/SamlOAuthValidator.java | 5 ++-
.../saml/sso/SAMLProtocolResponseValidator.java | 6 +--
.../saml/sso/SAMLSSOResponseValidator.java | 13 +++---
.../saml/sso/SamlpRequestComponentBuilder.java | 8 ++--
.../saml/sso/AbstractSAMLCallbackHandler.java | 14 +++----
.../security/saml/sso/CombinedValidatorTest.java | 9 +++--
.../saml/sso/SAML2PResponseComponentBuilder.java | 4 +-
.../saml/sso/SAMLResponseValidatorTest.java | 23 ++++++-----
.../saml/sso/SAMLSSOResponseValidatorTest.java | 47 +++++++++++-----------
.../saml/xacml2/DefaultXACMLRequestBuilder.java | 5 ++-
.../saml/xacml2/SamlRequestComponentBuilder.java | 4 +-
.../saml/xacml2/RequestComponentBuilderTest.java | 9 +++--
.../cxf/sts/token/provider/SAMLTokenProvider.java | 10 ++---
.../cxf/sts/token/renewer/SAMLTokenRenewer.java | 22 +++++-----
.../sts/token/validator/SAMLTokenValidator.java | 15 +++----
.../oauth2/common/SamlCallbackHandler.java | 4 +-
.../jaxrs/security/saml/SamlCallbackHandler.java | 4 +-
18 files changed, 104 insertions(+), 100 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index 754e3f1..c07295f 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -227,7 +227,7 @@
<cxf.woodstox.core.version>6.2.7</cxf.woodstox.core.version>
<cxf.woodstox.stax2-api.version>4.2.1</cxf.woodstox.stax2-api.version>
<cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
- <cxf.wss4j.version>2.4.1</cxf.wss4j.version>
+ <cxf.wss4j.version>2.5.0-SNAPSHOT</cxf.wss4j.version>
<cxf.xalan.version>2.7.2</cxf.xalan.version>
<cxf.xerces.version>2.12.2</cxf.xerces.version>
<cxf.xmlschema.version>2.3.0</cxf.xmlschema.version>
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
index 885fb42..ee16b40 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/SamlOAuthValidator.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.oauth2.saml;
+import java.time.Instant;
import java.util.List;
import javax.ws.rs.core.UriBuilder;
@@ -145,7 +146,7 @@ public class SamlOAuthValidator {
SubjectConfirmationData subjectConfData) {
if (subjectConfData == null) {
if (!subjectConfirmationDataRequired
- && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBeforeNow()) {
+ && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBefore(Instant.now())) {
return;
}
throw ExceptionUtils.toNotAuthorizedException(null, null);
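Review bot: The rewritten condition `!cs.getNotOnOrAfter().isBefore(Instant.now())` still accepts an assertion whose NotOnOrAfter equals the current instant, carrying Joda's `isBeforeNow()` boundary over unchanged, although SAML defines NotOnOrAfter as an exclusive bound (the subject is no longer valid at that instant). `cs.getNotOnOrAfter().isAfter(Instant.now())` states the intended bound directly. The same boundary appears in the next hunk of this file, where `|| !subjectConfData.getNotOnOrAfter().isAfter(Instant.now())` would reject on equality, and in the SubjectConfirmationData check of SAMLSSOResponseValidator. The enclosing method's signature and the rest of its body are outside the hunk.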
@@ -159,7 +160,7 @@ public class SamlOAuthValidator {
// We must have a NotOnOrAfter timestamp
if (subjectConfData.getNotOnOrAfter() == null
- || subjectConfData.getNotOnOrAfter().isBeforeNow()) {
+ || subjectConfData.getNotOnOrAfter().isBefore(Instant.now())) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
index 9642ff4..93c5ac6 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
@@ -23,6 +23,7 @@ import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -59,7 +60,6 @@ import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.apache.xml.security.utils.Constants;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.BasicCredential;
@@ -120,7 +120,7 @@ public class SAMLProtocolResponseValidator {
}
if (samlResponse.getIssueInstant() != null) {
- DateTime currentTime = new DateTime();
+ Instant currentTime = Instant.now();
currentTime = currentTime.plusSeconds(futureTTL);
if (samlResponse.getIssueInstant().isAfter(currentTime)) {
LOG.warning("SAML Response IssueInstant not met");
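Review bot: `currentTime` is declared from `Instant.now()` and immediately reassigned on the following line; since `Instant` is immutable the two statements collapse to `final Instant currentTime = Instant.now().plusSeconds(futureTTL);`, which also makes the local effectively final. The second hunk of this file has the same shape and can be simplified identically. The enclosing method continues outside the hunk.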
@@ -185,7 +185,7 @@ public class SAMLProtocolResponseValidator {
}
if (samlResponse.getIssueInstant() != null) {
- DateTime currentTime = new DateTime();
+ Instant currentTime = Instant.now();
currentTime = currentTime.plusSeconds(futureTTL);
if (samlResponse.getIssueInstant().isAfter(currentTime)) {
LOG.warning("SAML Response IssueInstant not met");
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 3f6de43..dbc9b32 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -128,15 +128,12 @@ public class SAMLSSOResponseValidator {
// Store Session NotOnOrAfter
for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
if (authnStatment.getSessionNotOnOrAfter() != null) {
- sessionNotOnOrAfter =
- Instant.ofEpochMilli(authnStatment.getSessionNotOnOrAfter().toDate().getTime());
+ sessionNotOnOrAfter = authnStatment.getSessionNotOnOrAfter();
}
}
// Fall back to the SubjectConfirmationData NotOnOrAfter if we have no session NotOnOrAfter
if (sessionNotOnOrAfter == null) {
- sessionNotOnOrAfter =
- Instant.ofEpochMilli(subjectConf.getSubjectConfirmationData()
- .getNotOnOrAfter().toDate().getTime());
+ sessionNotOnOrAfter = subjectConf.getSubjectConfirmationData().getNotOnOrAfter();
}
}
}
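Review bot: The loop over `assertion.getAuthnStatements()` now assigns `sessionNotOnOrAfter` directly on each iteration, so when more than one AuthnStatement carries a SessionNotOnOrAfter the last one wins, which for a validator is the least conservative choice; whether multi-statement assertions occur for this code path is not visible here. With `Instant` in hand the earliest bound is cheap to keep: `Instant candidate = authnStatment.getSessionNotOnOrAfter(); if (sessionNotOnOrAfter == null || candidate.isBefore(sessionNotOnOrAfter)) { sessionNotOnOrAfter = candidate; }`. The enclosing method starts and ends outside the hunk.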
@@ -152,7 +149,7 @@ public class SAMLSSOResponseValidator {
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
if (samlResponse.getIssueInstant() != null) {
- validatorResponse.setCreated(Instant.ofEpochMilli(samlResponse.getIssueInstant().toDate().getTime()));
+ validatorResponse.setCreated(samlResponse.getIssueInstant());
}
Element assertionElement = validAssertion.getDOM();
@@ -232,7 +229,7 @@ public class SAMLSSOResponseValidator {
// We must have a NotOnOrAfter timestamp
if (subjectConfData.getNotOnOrAfter() == null
- || subjectConfData.getNotOnOrAfter().isBeforeNow()) {
+ || subjectConfData.getNotOnOrAfter().isBefore(Instant.now())) {
LOG.warning("Subject Conf Data does not contain NotOnOrAfter or it has expired");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
@@ -240,7 +237,7 @@ public class SAMLSSOResponseValidator {
// Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
if (postBinding && replayCache != null) {
if (!replayCache.contains(id)) {
- Instant expires = Instant.ofEpochMilli(subjectConfData.getNotOnOrAfter().toDate().getTime());
+ Instant expires = subjectConfData.getNotOnOrAfter();
replayCache.putId(id, expires);
} else {
LOG.warning("Replay attack with token id: " + id);
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java
index 554441d..415aedb 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlpRequestComponentBuilder.java
@@ -19,11 +19,11 @@
package org.apache.cxf.rs.security.saml.sso;
+import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.UUID;
-import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
@@ -84,7 +84,7 @@ public final class SamlpRequestComponentBuilder {
authnRequest.setForceAuthn(forceAuthn);
authnRequest.setID("_" + UUID.randomUUID());
authnRequest.setIsPassive(isPassive);
- authnRequest.setIssueInstant(new DateTime());
+ authnRequest.setIssueInstant(Instant.now());
authnRequest.setProtocolBinding(protocolBinding);
authnRequest.setVersion(version);
@@ -112,12 +112,12 @@ public final class SamlpRequestComponentBuilder {
LogoutRequest logoutRequest = logoutRequestBuilder.buildObject();
logoutRequest.setID("_" + UUID.randomUUID());
logoutRequest.setVersion(version);
- logoutRequest.setIssueInstant(new DateTime());
+ logoutRequest.setIssueInstant(Instant.now());
logoutRequest.setDestination(destination);
logoutRequest.setConsent(consent);
logoutRequest.setIssuer(issuer);
if (notOnOrAfter != null) {
- logoutRequest.setNotOnOrAfter(new DateTime(notOnOrAfter.getTime()));
+ logoutRequest.setNotOnOrAfter(notOnOrAfter.toInstant());
}
logoutRequest.setReason(reason);
logoutRequest.setNameID(nameID);
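Review bot: `notOnOrAfter` is still a `java.util.Date` converted with `toInstant()` on the `logoutRequest.setNotOnOrAfter(...)` line, while every other timestamp in this file is now produced as an `Instant` and the `java.util.Date` import survives only for it. If the parameter type can change without breaking callers, accepting `Instant notOnOrAfter` (with a `Date` overload that delegates, if compatibility is needed) would remove the conversion and the leftover import. The method signature is outside the hunk, so the parameter type is inferred from the retained import and the `getTime()` call on the removed line.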
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index e473bdf..d758ff5 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -20,6 +20,7 @@
package org.apache.cxf.rs.security.saml.sso;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Collections;
import java.util.List;
@@ -48,7 +49,6 @@ import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
-import org.joda.time.DateTime;
/**
* A base implementation of a Callback Handler for a SAML assertion. By default it creates an
@@ -75,22 +75,22 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
protected List<Object> customAttributeValues;
protected ConditionsBean conditions;
protected SubjectConfirmationDataBean subjectConfirmationData;
- protected DateTime authnInstant;
- protected DateTime sessionNotOnOrAfter;
+ protected Instant authnInstant;
+ protected Instant sessionNotOnOrAfter;
- public DateTime getSessionNotOnOrAfter() {
+ public Instant getSessionNotOnOrAfter() {
return sessionNotOnOrAfter;
}
- public void setSessionNotOnOrAfter(DateTime sessionNotOnOrAfter) {
+ public void setSessionNotOnOrAfter(Instant sessionNotOnOrAfter) {
this.sessionNotOnOrAfter = sessionNotOnOrAfter;
}
- public DateTime getAuthnInstant() {
+ public Instant getAuthnInstant() {
return authnInstant;
}
- public void setAuthnInstant(DateTime authnInstant) {
+ public void setAuthnInstant(Instant authnInstant) {
this.authnInstant = authnInstant;
}
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index 64a21ab..6006924 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
import java.util.Collections;
import org.w3c.dom.Document;
@@ -44,7 +46,6 @@ import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.dom.engine.WSSConfig;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Response;
@@ -290,13 +291,13 @@ public class CombinedValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
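Review bot: `Instant.now()` is sampled separately for the SubjectConfirmationData NotAfter, `conditions.setNotBefore` and `conditions.setNotAfter`, so the bounds of one assertion come from three different instants; capturing `Instant now = Instant.now();` once at the top of the block and using `now.plus(Duration.ofMinutes(5))` keeps the validity window self-consistent and reads more clearly. The same pattern is repeated throughout the SAMLResponseValidatorTest and SAMLSSOResponseValidatorTest hunks of this commit. The enclosing test method starts and ends outside the hunk.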
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java
index 7525035..a937bb3 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAML2PResponseComponentBuilder.java
@@ -19,9 +19,9 @@
package org.apache.cxf.rs.security.saml.sso;
+import java.time.Instant;
import java.util.UUID;
-import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
@@ -70,7 +70,7 @@ public final class SAML2PResponseComponentBuilder {
Response response = responseBuilder.buildObject();
response.setID(UUID.randomUUID().toString());
- response.setIssueInstant(new DateTime());
+ response.setIssueInstant(Instant.now());
response.setInResponseTo(inResponseTo);
response.setIssuer(createIssuer(issuer));
response.setStatus(status);
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
index 2305a24..52e90f3 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
import java.util.Collections;
import java.util.List;
@@ -44,7 +46,6 @@ import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.dom.engine.WSSConfig;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
@@ -472,7 +473,7 @@ public class SAMLResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
@@ -484,8 +485,8 @@ public class SAMLResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
@@ -511,7 +512,7 @@ public class SAMLResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
@@ -523,8 +524,8 @@ public class SAMLResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
@@ -557,7 +558,7 @@ public class SAMLResponseValidatorTest {
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
- response.setIssueInstant(new DateTime().plusMinutes(5));
+ response.setIssueInstant(Instant.now().plus(Duration.ofMinutes(5)));
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
@@ -610,7 +611,7 @@ public class SAMLResponseValidatorTest {
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
- assertion.getSaml2().setIssueInstant(new DateTime().plusMinutes(5));
+ assertion.getSaml2().setIssueInstant(Instant.now().plus(Duration.ofMinutes(5)));
response.getAssertions().add(assertion.getSaml2());
@@ -648,7 +649,7 @@ public class SAMLResponseValidatorTest {
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
- callbackHandler.setAuthnInstant(new DateTime().plusDays(1));
+ callbackHandler.setAuthnInstant(Instant.now().plus(Duration.ofDays(1)));
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
@@ -690,7 +691,7 @@ public class SAMLResponseValidatorTest {
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
- callbackHandler.setSessionNotOnOrAfter(new DateTime().minusDays(1));
+ callbackHandler.setSessionNotOnOrAfter(Instant.now().minus(Duration.ofDays(1)));
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
index b5dc509..1bf6b65 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -44,7 +46,6 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.Loader;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
@@ -73,7 +74,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -99,7 +100,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://bad.apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -125,7 +126,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345-bad");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -151,7 +152,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://bad.recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -177,7 +178,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().minusSeconds(1));
+ subjectConfirmationData.setNotAfter(Instant.now().minusSeconds(1));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -203,8 +204,8 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
- subjectConfirmationData.setNotBefore(new DateTime());
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
+ subjectConfirmationData.setNotBefore(Instant.now());
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -245,8 +246,8 @@ public class SAMLSSOResponseValidatorTest {
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
@@ -255,7 +256,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
@@ -301,7 +302,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -328,7 +329,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -375,7 +376,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
@@ -405,7 +406,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
@@ -437,7 +438,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<String> values = new ArrayList<>();
@@ -468,7 +469,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<AudienceRestrictionBean> audienceRestrictions =
@@ -509,7 +510,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
@@ -521,8 +522,8 @@ public class SAMLSSOResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
@@ -554,7 +555,7 @@ public class SAMLSSOResponseValidatorTest {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
- subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+ subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
@@ -614,8 +615,8 @@ public class SAMLSSOResponseValidatorTest {
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
- conditions.setNotBefore(new DateTime());
- conditions.setNotAfter(new DateTime().plusMinutes(5));
+ conditions.setNotBefore(Instant.now());
+ conditions.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
if (audienceRestrictions == null) {
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
index 407c877..bf03f55 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/DefaultXACMLRequestBuilder.java
@@ -20,16 +20,17 @@
package org.apache.cxf.rt.security.saml.xacml2;
import java.security.Principal;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;
+import net.shibboleth.utilities.java.support.xml.DOMTypeSupport;
import org.apache.cxf.message.Message;
import org.apache.cxf.rt.security.saml.xacml.CXFMessageParser;
import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
-import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.AttributeValueType;
@@ -137,7 +138,7 @@ public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
List<AttributeType> attributes = new ArrayList<>();
AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
XACMLConstants.XS_DATETIME, null,
- new DateTime().toString());
+ DOMTypeSupport.instantToString(Instant.now()));
attributes.add(environmentAttribute);
return RequestComponentBuilder.createEnvironmentType(attributes);
}
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
index a98a6e4..8b105bb 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/SamlRequestComponentBuilder.java
@@ -19,9 +19,9 @@
package org.apache.cxf.rt.security.saml.xacml2;
+import java.time.Instant;
import java.util.UUID;
-import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObjectBuilder;
@@ -79,7 +79,7 @@ public final class SamlRequestComponentBuilder {
);
authzQuery.setID("_" + UUID.randomUUID().toString());
authzQuery.setVersion(SAMLVersion.VERSION_20);
- authzQuery.setIssueInstant(new DateTime());
+ authzQuery.setIssueInstant(Instant.now());
authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
authzQuery.setReturnContext(Boolean.valueOf(returnContext));
diff --git a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
index a05119c..de3f660 100644
--- a/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
+++ b/rt/security-saml/src/test/java/org/apache/cxf/rt/security/saml/xacml2/RequestComponentBuilderTest.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rt.security.saml.xacml2;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -30,9 +31,9 @@ import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import net.shibboleth.utilities.java.support.xml.DOMTypeSupport;
import org.apache.cxf.rt.security.saml.xacml.XACMLConstants;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.AttributeValueType;
@@ -193,9 +194,9 @@ public class RequestComponentBuilderTest {
ActionType action = RequestComponentBuilder.createActionType(attributes);
// Environment
- DateTime dateTime = new DateTime();
+ Instant dateTime = Instant.now();
AttributeValueType environmentAttributeValue =
- RequestComponentBuilder.createAttributeValueType(dateTime.toString());
+ RequestComponentBuilder.createAttributeValueType(DOMTypeSupport.instantToString(dateTime));
AttributeType environmentAttribute =
RequestComponentBuilder.createAttributeType(
XACMLConstants.CURRENT_DATETIME,
@@ -222,4 +223,4 @@ public class RequestComponentBuilderTest {
assertNotNull(policyElement);
}
-}
\ No newline at end of file
+}
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
index 48de43b..31b9f67 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
@@ -19,6 +19,7 @@
package org.apache.cxf.sts.token.provider;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -52,7 +53,6 @@ import org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean;
import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
/**
@@ -153,8 +153,8 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements Toke
}
response.setToken(token);
- final DateTime validFrom;
- final DateTime validTill;
+ Instant validFrom = null;
+ Instant validTill = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = assertion.getSaml2().getConditions().getNotBefore();
validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
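Review bot: The new declarations `Instant validFrom = null;` / `Instant validTill = null;` drop the `final` that the old code had, even though the `if`/`else` that follows (assuming the lines omitted between the two hunks are its `} else {`) still assigns both in every branch, so `final Instant validFrom;` and `final Instant validTill;` would compile unchanged and keep the compiler's definite-assignment check. The `= null` initialisation also changes failure behaviour: when an assertion carries no NotBefore/NotOnOrAfter the old `validFrom.toDate()` threw an NPE, whereas the next hunk now hands the null straight to `response.setCreated(validFrom)` / `response.setExpires(validTill)`, so a token without an expiry silently produces a response without one; if that is not intended, reject such assertions before those two calls. The same `final` drop and null pass-through appear in the two corresponding hunks of SAMLTokenRenewer, and the `final` drop alone in SAMLTokenValidator.validateConditions, which does null-check its variables.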
@@ -162,8 +162,8 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements Toke
validFrom = assertion.getSaml1().getConditions().getNotBefore();
validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
}
- response.setCreated(validFrom.toDate().toInstant());
- response.setExpires(validTill.toDate().toInstant());
+ response.setCreated(validFrom);
+ response.setExpires(validTill);
response.setEntropy(entropyBytes);
if (keySize > 0) {
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
index ac1e004..8d57f34 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
@@ -21,6 +21,7 @@ package org.apache.cxf.sts.token.renewer;
import java.security.Principal;
import java.security.cert.Certificate;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -70,7 +71,6 @@ import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.saml.DOMSAMLUtil;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
@@ -218,8 +218,8 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
response.setToken(token);
response.setTokenId(renewedAssertion.getId());
- final DateTime validFrom;
- final DateTime validTill;
+ Instant validFrom = null;
+ Instant validTill = null;
if (renewedAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = renewedAssertion.getSaml2().getConditions().getNotBefore();
validTill = renewedAssertion.getSaml2().getConditions().getNotOnOrAfter();
@@ -227,8 +227,8 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
validFrom = renewedAssertion.getSaml1().getConditions().getNotBefore();
validTill = renewedAssertion.getSaml1().getConditions().getNotOnOrAfter();
}
- response.setCreated(validFrom.toDate().toInstant());
- response.setExpires(validTill.toDate().toInstant());
+ response.setCreated(validFrom);
+ response.setExpires(validTill);
LOG.fine("SAML Token successfully renewed");
return response;
@@ -315,9 +315,9 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
"Renewal after expiry is not allowed", STSException.REQUEST_FAILED
);
}
- DateTime expiryDate = getExpiryDate(assertion);
- DateTime currentDate = new DateTime();
- if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
+ Instant expiryDate = getExpiryDate(assertion);
+ Instant currentDate = Instant.now();
+ if ((currentDate.toEpochMilli() - expiryDate.toEpochMilli()) > (maxExpiry * 1000L)) {
LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
throw new STSException(
"The token expired too long ago to be renewed", STSException.REQUEST_FAILED
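Review bot: The renewal-window test on the rewritten `if` line still does epoch-millisecond arithmetic by hand although the operands are now `Instant`s; the intent reads more directly as `if (Duration.between(expiryDate, currentDate).toMillis() > maxExpiry * 1000L) {` (needs `import java.time.Duration;`), which is the same comparison assuming `maxExpiry` is in seconds as the `* 1000L` suggests. `expiryDate` is dereferenced without a null check while `getExpiryDate` returns `getConditions().getNotOnOrAfter()`, which SAML leaves optional; this was already true of the old `getMillis()` call, but since the line is being rewritten it is a good moment to fail with a clear `STSException` rather than an NPE when the assertion has no expiry. The enclosing method starts and ends outside the hunk.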
@@ -452,7 +452,7 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
if (assertion.getSaml1() != null) {
org.opensaml.saml.saml1.core.Assertion saml1Assertion = assertion.getSaml1();
- saml1Assertion.setIssueInstant(new DateTime());
+ saml1Assertion.setIssueInstant(Instant.now());
org.opensaml.saml.saml1.core.Conditions saml1Conditions =
SAML1ComponentBuilder.createSamlv1Conditions(conditions);
@@ -460,7 +460,7 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
saml1Assertion.setConditions(saml1Conditions);
} else {
org.opensaml.saml.saml2.core.Assertion saml2Assertion = assertion.getSaml2();
- saml2Assertion.setIssueInstant(new DateTime());
+ saml2Assertion.setIssueInstant(Instant.now());
org.opensaml.saml.saml2.core.Conditions saml2Conditions =
SAML2ComponentBuilder.createConditions(conditions);
@@ -530,7 +530,7 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
}
- private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
+ private Instant getExpiryDate(SamlAssertionWrapper assertion) {
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
return assertion.getSaml2().getConditions().getNotOnOrAfter();
}
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index a764ce4..ab6d466 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -20,6 +20,7 @@ package org.apache.cxf.sts.token.validator;
import java.security.Principal;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
@@ -56,7 +57,6 @@ import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;
import org.apache.wss4j.dom.validate.Validator;
-import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
@@ -289,9 +289,9 @@ public class SAMLTokenValidator implements TokenValidator {
protected boolean validateConditions(
SamlAssertionWrapper assertion, ReceivedToken validateTarget
) {
- final DateTime validFrom;
- final DateTime validTill;
- final DateTime issueInstant;
+ Instant validFrom = null;
+ Instant validTill = null;
+ Instant issueInstant = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = assertion.getSaml2().getConditions().getNotBefore();
validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
@@ -302,16 +302,17 @@ public class SAMLTokenValidator implements TokenValidator {
issueInstant = assertion.getSaml1().getIssueInstant();
}
- if (validFrom != null && validFrom.isAfterNow()) {
+ Instant now = Instant.now();
+ if (validFrom != null && validFrom.isAfter(now)) {
LOG.log(Level.WARNING, "SAML Token condition not met");
return false;
- } else if (validTill != null && validTill.isBeforeNow()) {
+ } else if (validTill != null && validTill.isBefore(now)) {
LOG.log(Level.WARNING, "SAML Token condition not met");
validateTarget.setState(STATE.EXPIRED);
return false;
}
- if (issueInstant != null && issueInstant.isAfterNow()) {
+ if (issueInstant != null && issueInstant.isAfter(now)) {
LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
return false;
}
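Review bot: `validTill.isBefore(now)` on the rewritten `else if` line preserves the old `isBeforeNow()` boundary, which still accepts an assertion at the exact instant of its NotOnOrAfter, whereas the attribute name says the assertion is already invalid on that instant; `} else if (validTill != null && !validTill.isAfter(now)) {` matches that semantic. Capturing `now` once and using it for all three comparisons is an improvement over the old per-call `isAfterNow()`/`isBeforeNow()`, since the checks can no longer straddle a clock tick. The surrounding `validateConditions` body begins in the previous hunk; only the `if`/`else` tail is visible here.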
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java
index ed8662a..15038d3 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/SamlCallbackHandler.java
@@ -20,6 +20,7 @@
package org.apache.cxf.systest.jaxrs.security.oauth2.common;
import java.io.IOException;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -47,7 +48,6 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.joda.time.DateTime;
/**
* A CallbackHandler instance that is used by the STS to mock up a SAML Attribute Assertion.
@@ -111,7 +111,7 @@ public class SamlCallbackHandler implements CallbackHandler {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
- authBean.setAuthenticationInstant(new DateTime());
+ authBean.setAuthenticationInstant(Instant.now());
authBean.setSessionIndex("123456");
authBean.setSubject(subjectBean);
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
index 72aea1a..aa30022 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.systest.jaxrs.security.saml;
import java.io.IOException;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -51,7 +52,6 @@ import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.joda.time.DateTime;
/**
* A CallbackHandler instance that is used by the STS to mock up a SAML Attribute Assertion.
@@ -141,7 +141,7 @@ public class SamlCallbackHandler implements CallbackHandler {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
- authBean.setAuthenticationInstant(new DateTime());
+ authBean.setAuthenticationInstant(Instant.now());
authBean.setSessionIndex("123456");
// AuthnContextClassRef is not set
authBean.setAuthenticationMethod(