You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Resolved) (JIRA)" <ji...@apache.org> on 2012/01/03 12:22:39 UTC

[jira] [Resolved] (WSS-331) Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)

     [ https://issues.apache.org/jira/browse/WSS-331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-331.
-------------------------------------

    Resolution: Fixed
    
> Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
> -----------------------------------------------------------------------------------
>
>                 Key: WSS-331
>                 URL: https://issues.apache.org/jira/browse/WSS-331
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Glen Mazza
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.5
>
>
> Hi, the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 (Mar 2005) - docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, gives this Schema for saml:Conditions:
> <element name="Conditions" type="saml:ConditionsType"/>
> <complexType name="ConditionsType">
> <choice minOccurs="0" maxOccurs="unbounded">
> <element ref="saml:Condition"/>
> <element ref="saml:AudienceRestriction"/>
> <element ref="saml:OneTimeUse"/>
> <element ref="saml:ProxyRestriction"/>
> </choice>
> <attribute name="NotBefore" type="dateTime" use="optional"/>
> <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
> </complexType>
> As shown above, NotBefore and NotOnOrAfter are both optional--however, absence of one should not negate checking of the other.
> In class org.apache.ws.security.validate.SamlAssertionValidator on TRUNK, I see this code in method validate():
>         DateTime validFrom = null;
>         DateTime validTill = null;
>         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
>             && assertion.getSaml2().getConditions() != null) {
>             validFrom = assertion.getSaml2().getConditions().getNotBefore();
>             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
>         } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
>             ...similar...
>         }
>         if (validFrom != null && validTill != null 
>             && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
>             LOG.debug("SAML Token condition not met");
>             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
>         }
> The If block right above will skip checking if either validFrom or validTo is missing, but if just one of the two constraints is present it appears that single constraint should still be checked.  Also, the logic above requires both validFrom and validTill to be violated before the WSSecurityException is thrown, but it should be thrown even if just one of the two constraints fail.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org