Author: coheigea
Date: Mon Dec 16 15:18:58 2013
New Revision: 1551228
URL: http://svn.apache.org/r1551228
Log:
Validation fix in the STS
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1551228&r1=1551227&r2=1551228&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
Mon Dec 16 15:18:58 2013
@@ -153,6 +153,29 @@ public class SAMLTokenValidator implemen
SAMLTokenPrincipal samlPrincipal = new
SAMLTokenPrincipalImpl(assertion);
response.setPrincipal(samlPrincipal);
+ if (!assertion.isSigned()) {
+ LOG.log(Level.WARNING, "The received assertion is not signed,
and therefore not trusted");
+ return response;
+ }
+
+ RequestData requestData = new RequestData();
+ requestData.setSigVerCrypto(sigCrypto);
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ requestData.setWssConfig(wssConfig);
+ requestData.setCallbackHandler(callbackHandler);
+
requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+
+ WSDocInfo docInfo = new
WSDocInfo(validateTargetElement.getOwnerDocument());
+
+ // Verify the signature
+ Signature sig = assertion.getSignature();
+ KeyInfo keyInfo = sig.getKeyInfo();
+ SAMLKeyInfo samlKeyInfo =
+ SAMLUtil.getCredentialFromKeyInfo(
+ keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData,
docInfo), sigCrypto
+ );
+ assertion.verifySignature(samlKeyInfo);
+
SecurityToken secToken = null;
byte[] signatureValue = assertion.getSignatureValue();
if (tokenParameters.getTokenStore() != null && signatureValue !=
null
@@ -169,29 +192,6 @@ public class SAMLTokenValidator implemen
}
if (secToken == null) {
- if (!assertion.isSigned()) {
- LOG.log(Level.WARNING, "The received assertion is not
signed, and therefore not trusted");
- return response;
- }
-
- RequestData requestData = new RequestData();
- requestData.setSigVerCrypto(sigCrypto);
- WSSConfig wssConfig = WSSConfig.getNewInstance();
- requestData.setWssConfig(wssConfig);
- requestData.setCallbackHandler(callbackHandler);
-
requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
-
- WSDocInfo docInfo = new
WSDocInfo(validateTargetElement.getOwnerDocument());
-
- // Verify the signature
- Signature sig = assertion.getSignature();
- KeyInfo keyInfo = sig.getKeyInfo();
- SAMLKeyInfo samlKeyInfo =
- SAMLUtil.getCredentialFromKeyInfo(
- keyInfo.getDOM(), new
WSSSAMLKeyInfoProcessor(requestData, docInfo), sigCrypto
- );
- assertion.verifySignature(samlKeyInfo);
-
// Validate the assertion against schemas/profiles
validateAssertion(assertion);
@@ -211,7 +211,6 @@ public class SAMLTokenValidator implemen
if (!certConstraints.matches(cert)) {
return response;
}
-
}
// Parse roles from the validated token
Modified:
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1551228&r1=1551227&r2=1551228&view=diff
==============================================================================
---
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
(original)
+++
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Mon Dec 16 15:18:58 2013
@@ -34,6 +34,7 @@ import javax.security.auth.callback.Unsu
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+
import org.apache.cxf.jaxws.context.WebServiceContextImpl;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
@@ -425,6 +426,53 @@ public class SAMLTokenValidatorTest exte
assertTrue(roles.iterator().next().getName().equals("employee"));
}
+ /**
+ * Test an invalid SAML 2 Assertion
+ */
+ @org.junit.Test
+ public void testInvalidSAML2Assertion() throws Exception {
+ TokenValidator samlTokenValidator = new SAMLTokenValidator();
+ TokenValidatorParameters validatorParameters =
createValidatorParameters();
+ TokenRequirements tokenRequirements =
validatorParameters.getTokenRequirements();
+
+ // Create a ValidateTarget consisting of a SAML Assertion
+ Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+ CallbackHandler callbackHandler = new PasswordCallbackHandler();
+ Element samlToken =
+ createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto,
"mystskey", callbackHandler);
+ Document doc = samlToken.getOwnerDocument();
+ samlToken = (Element)doc.appendChild(samlToken);
+
+ ReceivedToken validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ TokenValidatorResponse validatorResponse =
+ samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+
+ // Replace "alice" with "bob".
+ Element nameID =
+ (Element)samlToken.getElementsByTagNameNS(WSConstants.SAML2_NS,
"NameID").item(0);
+ nameID.setTextContent("bob");
+
+ // Now validate again
+ validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() != STATE.VALID);
+ }
+
private TokenValidatorParameters createValidatorParameters() throws
WSSecurityException {
TokenValidatorParameters parameters = new TokenValidatorParameters();
@@ -627,5 +675,5 @@ public class SAMLTokenValidatorTest exte
}
}
-
+
}
