Author: coheigea
Date: Mon Apr 9 12:33:45 2012
New Revision: 1311210
URL: http://svn.apache.org/viewvc?rev=1311210&view=rev
Log:
[CXF-4158] - Add proof-of-possession logic
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Mon Apr 9 12:33:45 2012
@@ -105,7 +105,7 @@ public abstract class AbstractSamlPolicy
* @param signedResults a list of all of the signed results
* @return true if the credentials of the assertion were used to verify a
signature
*/
- private boolean compareCredentials(
+ protected boolean compareCredentials(
SAMLKeyInfo subjectKeyInfo,
List<WSSecurityEngineResult> signedResults,
Certificate[] tlsCerts
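Review bot: Now that compareCredentials is protected and is called from a subclass in a different module (SAMLTokenRenewer in this same commit), its Javadoc should spell out the contract that subclass has to honour; the visible tail documents only signedResults and the return value, so whether subjectKeyInfo and tlsCerts are described is outside the hunk. If they are not, add `@param subjectKeyInfo the key material bound to the assertion's subject` together with a sentence stating what the method does when it is null, and `@param tlsCerts the peer certificates of the TLS session, or null when the request was not client-authenticated over TLS`. The method body continues past the end of the hunk.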
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
Mon Apr 9 12:33:45 2012
@@ -141,6 +141,9 @@ public class SCTCanceller implements Tok
return result;
}
+ /**
+ * Set whether proof of possession is required or not to cancel a token
+ */
public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
this.verifyProofOfPossession = verifyProofOfPossession;
}
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
Mon Apr 9 12:33:45 2012
@@ -20,6 +20,8 @@
package org.apache.cxf.sts.token.renewer;
import java.security.Principal;
+import java.security.cert.Certificate;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
@@ -29,12 +31,15 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
+import javax.xml.ws.handler.MessageContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.SignatureProperties;
@@ -46,14 +51,20 @@ import org.apache.cxf.sts.token.realm.SA
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import
org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractSamlPolicyValidator;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.bean.ConditionsBean;
import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;
@@ -70,6 +81,8 @@ public class SAMLTokenRenewer implements
private ConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
private Map<String, SAMLRealm> realmMap = new HashMap<String, SAMLRealm>();
private long maxExpiry = DEFAULT_MAX_EXPIRY;
+ // boolean to enable/disable the check of proof of possession
+ private boolean verifyProofOfPossession = true;
/**
* Return true if this TokenRenewer implementation is able to renew a
token.
@@ -98,8 +111,11 @@ public class SAMLTokenRenewer implements
return false;
}
+ /**
+ * Set whether proof of possession is required or not to renew a token
+ */
public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
- //
+ this.verifyProofOfPossession = verifyProofOfPossession;
}
/**
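Review bot: The new Javadoc on setVerifyProofOfPossession should state the default, because this setter was a no-op before and the field now defaults to true (see the field declaration in the earlier hunk of this file), so deployments that never call it begin enforcing the check on upgrade. Suggest `* Set whether proof of possession is required or not to renew a token. Defaults to true, in which case the renewal request must be signed with (or presented over TLS with) the key bound to the assertion's subject.`. Keeping the secure default is the right call; documenting it is what lets an operator understand a renewal that now fails with INVALID_REQUEST.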
@@ -147,6 +163,16 @@ public class SAMLTokenRenewer implements
}
}
+ ProofOfPossessionValidator popValidator = new
ProofOfPossessionValidator();
+ if (verifyProofOfPossession
+ && !popValidator.checkProofOfPossession(tokenParameters,
assertion.getSubjectKeyInfo())) {
+ throw new STSException(
+ "Failed to verify the proof of possession of the key
associated with the "
+ + "saml token. No matching key found in the request.",
+ STSException.INVALID_REQUEST
+ );
+ }
+
// Create new Conditions & sign the Assertion
createNewConditions(assertion, tokenParameters);
signAssertion(assertion, tokenParameters);
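Review bot: A why-comment is missing above the new proof-of-possession block, and the validator is allocated on every renewal although it carries no state. Suggest `// Proof of possession: the renewal request must be signed with (or be presented over TLS with) the key bound to the assertion's subject; otherwise any party holding a copy of the token could extend its lifetime.` and, where the class's style allows, hoisting the instance to `private static final ProofOfPossessionValidator POP_VALIDATOR = new ProofOfPossessionValidator();`. The enclosing method starts and ends outside this hunk.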
@@ -390,4 +416,32 @@ public class SAMLTokenRenewer implements
}
}
+ private static class ProofOfPossessionValidator extends
AbstractSamlPolicyValidator {
+
+ public boolean checkProofOfPossession(
+ TokenRenewerParameters tokenParameters,
+ SAMLKeyInfo subjectKeyInfo
+ ) {
+ MessageContext messageContext =
tokenParameters.getWebServiceContext().getMessageContext();
+ final List<WSHandlerResult> handlerResults =
+ CastUtils.cast((List<?>)
messageContext.get(WSHandlerConstants.RECV_RESULTS));
+
+ List<WSSecurityEngineResult> signedResults = new
ArrayList<WSSecurityEngineResult>();
+ if (handlerResults != null && handlerResults.size() > 0) {
+ WSHandlerResult handlerResult = handlerResults.get(0);
+ List<WSSecurityEngineResult> results =
handlerResult.getResults();
+
+ WSSecurityUtil.fetchAllActionResults(results,
WSConstants.SIGN, signedResults);
+ WSSecurityUtil.fetchAllActionResults(results,
WSConstants.UT_SIGN, signedResults);
+ }
+
+ TLSSessionInfo tlsInfo =
(TLSSessionInfo)messageContext.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+
+ return compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
+ }
+ }
}
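Review bot: checkProofOfPossession dereferences tokenParameters.getWebServiceContext() and the returned MessageContext without a null check, and hands subjectKeyInfo straight to compareCredentials, whose handling of a null key (bearer assertions carry none) is not visible in this commit. Every existing test disables the check rather than exercising it, which suggests the web service context is not always present in-process, so the failure mode here would be a NullPointerException instead of the intended STSException. Because this is a security check it should fail closed: return false when there is no key material or no inbound message to compare it against and let the caller raise INVALID_REQUEST. Whether `messageContext.get(TLSSessionInfo.class)` resolves through a MessageContext keyed by String is also worth confirming against the message-context key mapping.
```java
        public boolean checkProofOfPossession(
            TokenRenewerParameters tokenParameters,
            SAMLKeyInfo subjectKeyInfo
        ) {
            // Fail closed: without key material in the assertion, or without an
            // inbound message to compare it against, possession cannot be shown.
            if (subjectKeyInfo == null
                || tokenParameters.getWebServiceContext() == null
                || tokenParameters.getWebServiceContext().getMessageContext() == null) {
                return false;
            }
            MessageContext messageContext =
                tokenParameters.getWebServiceContext().getMessageContext();
            // … unchanged: collecting SIGN / UT_SIGN results and TLS peer certificates …
            return compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
        }
```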
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
Mon Apr 9 12:33:45 2012
@@ -62,6 +62,7 @@ public class SAMLTokenRenewerLifetimeTes
public void testSaml2ValidLifetime() throws Exception {
int requestedLifetime = 60;
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
samlTokenRenewer.setConditionsProvider(conditionsProvider);
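Review bot: Every existing renewer test now calls `samlTokenRenewer.setVerifyProofOfPossession(false);` (this hunk, the remaining SAMLTokenRenewerLifetimeTest hunks, and the SAMLTokenRenewerRealmTest and SAMLTokenRenewerTest hunks), but no test in the commit exercises the check itself. With the default being true, a positive case (a renewal request signed with the subject's key succeeds) and a negative case (an unsigned renewal of a holder-of-key assertion is rejected with STSException.INVALID_REQUEST) would pin the behaviour this change introduces. Without them a regression that silently skips the comparison would go unnoticed.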
@@ -106,6 +107,7 @@ public class SAMLTokenRenewerLifetimeTes
@org.junit.Test
public void testSaml2ProviderLifetime() throws Exception {
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
long providerLifetime = 10 * 600L;
DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
@@ -143,6 +145,7 @@ public class SAMLTokenRenewerLifetimeTes
public void testSaml2ExceededConfiguredMaxLifetime() throws Exception {
long maxLifetime = 30 * 60L; // 30 minutes
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
conditionsProvider.setMaxLifetime(maxLifetime);
conditionsProvider.setAcceptClientLifetime(true);
@@ -190,6 +193,7 @@ public class SAMLTokenRenewerLifetimeTes
@org.junit.Test
public void testSaml2ExceededDefaultMaxLifetime() throws Exception {
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -239,6 +243,7 @@ public class SAMLTokenRenewerLifetimeTes
long maxLifetime = 30 * 60L; // 30 minutes
SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
conditionsProvider.setMaxLifetime(maxLifetime);
conditionsProvider.setFailLifetimeExceedance(false);
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
Mon Apr 9 12:33:45 2012
@@ -111,6 +111,7 @@ public class SAMLTokenRenewerRealmTest e
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
Map<String, SAMLRealm> samlRealms = getSamlRealms();
((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
String realm = validatorResponse.getTokenRealm();
@@ -178,6 +179,7 @@ public class SAMLTokenRenewerRealmTest e
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
Map<String, SAMLRealm> samlRealms = getSamlRealms();
((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
String realm = validatorResponse.getTokenRealm();
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Mon Apr 9 12:33:45 2012
@@ -112,6 +112,7 @@ public class SAMLTokenRenewerTest extend
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
TokenRenewerResponse renewerResponse =
@@ -174,6 +175,7 @@ public class SAMLTokenRenewerTest extend
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
TokenRenewerResponse renewerResponse =
@@ -235,6 +237,7 @@ public class SAMLTokenRenewerTest extend
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
TokenRenewerResponse renewerResponse =
@@ -297,6 +300,7 @@ public class SAMLTokenRenewerTest extend
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
TokenRenewerResponse renewerResponse =
@@ -356,6 +360,7 @@ public class SAMLTokenRenewerTest extend
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
TokenRenewerResponse renewerResponse =
@@ -419,6 +424,7 @@ public class SAMLTokenRenewerTest extend
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+ samlTokenRenewer.setVerifyProofOfPossession(false);
((SAMLTokenRenewer)samlTokenRenewer).setMaxExpiry(1L);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));