You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2020/08/13 13:33:12 UTC
[cxf-fediz] branch master updated: Actually validate the signature
for SAML SSO even if signatures are not required
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new 3c0a616 Actually validate the signature for SAML SSO even if signatures are not required
3c0a616 is described below
commit 3c0a616d4a2b5dabc351471ca2e49f4515039ebd
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Aug 13 13:06:22 2020 +0100
Actually validate the signature for SAML SSO even if signatures are not required
---
.../cxf/fediz/core/saml/SAMLTokenValidator.java | 17 ++++----
.../core/samlsso/SAMLEncryptedResponseTest.java | 50 ++++++++++++++++++++++
2 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index b7f5b22..125011b 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -99,17 +99,18 @@ public class SAMLTokenValidator implements TokenValidator {
// PasswordCallbackHandler(password));
SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
-
+
boolean doNotEnforceAssertionsSigned = !request.isEnforceTokenSigned();
-
+
boolean trusted = doNotEnforceAssertionsSigned;
String assertionIssuer = assertion.getIssuerString();
-
- if (!doNotEnforceAssertionsSigned) {
- if (!assertion.isSigned()) {
- LOG.warn("Assertion is not signed");
- throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
- }
+
+ if (!doNotEnforceAssertionsSigned && !assertion.isSigned()) {
+ LOG.warn("Assertion is not signed");
+ throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
+ }
+
+ if (assertion.isSigned()) {
// Verify the signature
Signature sig = assertion.getSignature();
KeyInfo keyInfo = sig.getKeyInfo();
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
index 882df46..fb1e001 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
@@ -200,6 +200,56 @@ public class SAMLEncryptedResponseTest {
}
@org.junit.Test
+ public void validateSignedButNotRequiredEncryptedSAMLResponse() throws Exception {
+ // Mock up a Request
+ FedizContext config =
+ getFederationConfigurator().getFedizContext("ROOT_DECRYPTION_ALLOW_UNSIGNED");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ RequestState requestState = new RequestState(TEST_REQUEST_URL,
+ TEST_IDP_ISSUER,
+ requestId,
+ TEST_REQUEST_URL,
+ (String)config.getProtocol().getIssuer(),
+ null,
+ relayState,
+ System.currentTimeMillis());
+
+ // Create SAML Response
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setAlsoAddAuthnStatement(true);
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer(TEST_IDP_ISSUER);
+ callbackHandler.setSubjectName(TEST_USER);
+ String responseStr = createSamlResponseStr(callbackHandler, requestId, true);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(responseStr);
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setRequestState(requestState);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ FedizResponse wfRes = wfProc.processRequest(wfReq, config);
+
+ Assert.assertEquals("Principal name wrong", TEST_USER,
+ wfRes.getUsername());
+ Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
+ Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
+ .size());
+ Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
+ assertClaims(wfRes.getClaims(), ClaimTypes.COUNTRY);
+ }
+
+ @org.junit.Test
public void validateUnsignedEncryptedSAMLResponse() throws Exception {
// Mock up a Request
FedizContext config =