Author: coheigea Date: Thu Mar 29 12:00:53 2012 New Revision: 1306795 URL: http://svn.apache.org/viewvc?rev=1306795&view=rev Log: Introducing an EXPIRED State for ReceivedTokens
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java Thu Mar 29 12:00:53 2012
@@ -46,7 +46,7 @@ public class ReceivedToken {
 private STATE state = STATE.NONE;
 private Principal principal;
- public enum STATE { VALID, INVALID, CANCELLED, NONE };
+ public enum STATE { VALID, INVALID, CANCELLED, EXPIRED, NONE };
 public ReceivedToken(Object receivedToken) throws STSException {
 if (receivedToken instanceof JAXBElement<?>) {
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java Thu Mar 29 12:00:53 2012
@@ -39,6 +39,7 @@ import org.apache.cxf.sts.request.Receiv
 import org.apache.cxf.sts.token.realm.CertConstraintsParser;
 import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.SAMLTokenPrincipal;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
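Review bot: STATE is a public enum on ReceivedToken and the new EXPIRED constant carries no Javadoc saying how it relates to INVALID, so any consumer that rejects only on `== STATE.INVALID` rather than accepting only on `== STATE.VALID` would treat an EXPIRED token as not rejected; the existing callers are not visible in this hunk, so that needs a check across the STS. I would document the constant above the enum, e.g. `/** EXPIRED: the token's validity window has passed; it is not usable, but is reported separately from INVALID. */`, and drop the stray `;` after the enum's closing brace, which is an empty declaration. The class continues outside the hunk.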
@@ -197,23 +198,6 @@ public class SAMLTokenValidator implemen
 }
 }
- DateTime validFrom = null;
- DateTime validTill = null;
- if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
- validFrom = assertion.getSaml2().getConditions().getNotBefore();
- validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
- } else {
- validFrom = assertion.getSaml1().getConditions().getNotBefore();
- validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
- }
- if (validFrom.isAfterNow() || validTill.isBeforeNow()) {
- LOG.log(Level.WARNING, "SAML Token condition not met");
- if (secToken != null) {
- tokenParameters.getTokenStore().remove(secToken);
- }
- return response;
- }
-
 // Get the realm of the SAML token
 String tokenRealm = null;
 if (samlRealmCodec != null) {
@@ -230,6 +214,10 @@ public class SAMLTokenValidator implemen
 }
 }
+ if (!validateConditions(assertion, validateTarget, secToken, tokenParameters.getTokenStore())) {
+ return response;
+ }
+
 // Add the AssertionWrapper to the properties, as the claims are required to be transformed
 Map<String, Object> addProps = new HashMap<String, Object>();
 addProps.put(AssertionWrapper.class.getName(), assertion);
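Review bot: The conditions check has moved from before the realm lookup (removed in the hunk at 197) to after it (added in the hunk at 230), so an out-of-window assertion now runs through the realm-codec block and whatever else sits between the two hunks before it is rejected, where previously it was rejected first. If that intervening code does work that should not happen for an expired or not-yet-valid token, or can return early without setting a state, call `validateConditions` where the old check stood. Note also that `tokenParameters.getTokenStore()` is now evaluated on every call even when `secToken` is null, whereas the original only dereferenced the store inside the null guard; harmless if the store is always set, but worth confirming. The enclosing method starts and ends outside both hunks.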
@@ -275,4 +263,35 @@ public class SAMLTokenValidator implemen
 }
 }
+ protected boolean validateConditions(
+ AssertionWrapper assertion,
+ ReceivedToken validateTarget,
+ SecurityToken secToken,
+ TokenStore tokenStore
+ ) {
+ DateTime validFrom = null;
+ DateTime validTill = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ validFrom = assertion.getSaml2().getConditions().getNotBefore();
+ validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else {
+ validFrom = assertion.getSaml1().getConditions().getNotBefore();
+ validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+ if (validFrom.isAfterNow()) {
+ LOG.log(Level.WARNING, "SAML Token condition not met");
+ if (secToken != null) {
+ tokenStore.remove(secToken);
+ }
+ return false;
+ } else if (validTill.isBeforeNow()) {
+ LOG.log(Level.WARNING, "SAML Token condition not met");
+ if (secToken != null) {
+ tokenStore.remove(secToken);
+ }
+ validateTarget.setState(STATE.EXPIRED);
+ return false;
+ }
+ return true;
+ }
 }
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SCTValidator.java Thu Mar 29 12:00:53 2012
@@ -105,6 +105,7 @@ public class SCTValidator implements Tok
 return response;
 }
 if (token.isExpired()) {
+ validateTarget.setState(STATE.EXPIRED);
 LOG.fine("Token: " + identifier + " is in the cache but expired");
 return response;
 }
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java Thu Mar 29 12:00:53 2012
@@ -169,7 +169,8 @@ public class UsernameTokenValidator impl
 if (ut.getPassword() == null) {
 return response;
 }
- if (secToken == null || (secToken.getAssociatedHash() != ut.hashCode())) {
+ if (secToken == null || secToken.isExpired()
+ || (secToken.getAssociatedHash() != ut.hashCode())) {
 Credential credential = new Credential();
 credential.setUsernametoken(ut);
 validator.validate(credential, requestData);
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1306795&r1=1306794&r2=1306795&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java Thu Mar 29 12:00:53 2012
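Review bot: In SCTValidator the expired entry is marked EXPIRED and returned but left in the token store, whereas the SAML validator in this same commit removes an expired secToken from the store before returning; the stale entry will be found and rejected again on every later presentation until the cache evicts it on its own. If the store is reachable here (it is not visible in this hunk), remove the expired token before `return response;`, as `validateConditions` does with `tokenStore.remove(secToken)`. The expired case is also logged at FINE while the SAML path logs at WARNING; a rejected token deserves a consistent level across validators. The enclosing method starts and ends outside the hunk.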
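Review bot: The new `secToken.isExpired()` test makes an expired cache entry fall through to a fresh `validator.validate(credential, requestData)` call rather than being rejected, which differs from the SCT and SAML paths in this commit where expiry sets `STATE.EXPIRED` and returns; that is defensible because the UsernameToken carries the password to re-check, but nothing in the code says so. I would add `// An expired cache entry is not trusted: re-validate the credentials instead of reusing it` above the condition. It is also worth confirming that the code after the hunk replaces the expired entry in the store rather than leaving it beside a new one. The enclosing method continues outside the hunk.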
@@ -233,7 +233,7 @@ public class SAMLTokenValidatorTest exte
 samlTokenValidator.validateToken(validatorParameters);
 assertTrue(validatorResponse != null);
 assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
+ assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
 }
 /**
@@ -263,7 +263,7 @@ public class SAMLTokenValidatorTest exte
 samlTokenValidator.validateToken(validatorParameters);
 assertTrue(validatorResponse != null);
 assertTrue(validatorResponse.getToken() != null);
- assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
+ assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
 }
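Review bot: Both hunks switch the expected state from INVALID to EXPIRED, but neither shows a test for the other branch of validateConditions, where NotBefore lies in the future and the state is deliberately not set to EXPIRED; if no such test exists elsewhere in the class, add one that asserts `validatorResponse.getToken().getState() != STATE.VALID` for an assertion whose NotBefore is ahead of the clock. The hunk at 263 shares this point. The test methods start outside their hunks.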