Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes b1e0c76d6 -> b6b7a419a
Adding some more SAML SSO tests
Conflicts:
rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/416cd1fe
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/416cd1fe
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/416cd1fe
Branch: refs/heads/2.7.x-fixes
Commit: 416cd1fe1f26d3bc2ab95f038e06a3f9f9cbd2b9
Parents: b1e0c76
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Jan 14 16:06:56 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Jan 14 16:54:25 2015 +0000
----------------------------------------------------------------------
.../saml/sso/SAMLProtocolResponseValidator.java | 45 +++++++++-
.../saml/sso/SAMLResponseValidatorTest.java | 91 ++++++++++++++++++++
2 files changed, 135 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/416cd1fe/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
----------------------------------------------------------------------
diff --git
a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
index e40eb3a..e02cb38 100644
---
a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
+++
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java
@@ -32,7 +32,6 @@ import javax.security.auth.callback.CallbackHandler;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
-
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
@@ -56,6 +55,7 @@ import org.apache.ws.security.validate.Validator;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.apache.xml.security.utils.Constants;
+import org.joda.time.DateTime;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.EncryptedData;
import org.opensaml.xml.security.x509.BasicX509Credential;
@@ -80,6 +80,16 @@ public class SAMLProtocolResponseValidator {
private Validator assertionValidator = new SamlAssertionValidator();
private Validator signatureValidator = new SignatureTrustValidator();
+<<<<<<< HEAD
+=======
+ private boolean keyInfoMustBeAvailable = true;
+
+ /**
+ * The time in seconds in the future within which the NotBefore time of an
incoming
+ * Assertion is valid. The default is 60 seconds.
+ */
+ private int futureTTL = 60;
+>>>>>>> ce2c2f3... Adding some more SAML SSO tests
/**
* Validate a SAML 2 Protocol Response
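Review bot: Unresolved merge-conflict markers are committed as source here: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> ce2c2f3... Adding some more SAML SSO tests` are added lines, so SAMLProtocolResponseValidator cannot compile on this branch until the three marker lines are removed and the two field declarations kept; the same markers are added around the new setters in the last hunk of this file. The Javadoc on `futureTTL` talks about the `NotBefore` time of an incoming Assertion, but the only use this commit adds compares it against the Response `IssueInstant`; suggest `* The time in seconds in the future within which the IssueInstant of an incoming Response is valid. The default is 60 seconds.` unless the field is also meant to govern a NotBefore check elsewhere. `keyInfoMustBeAvailable` gains a field and a setter but is not read in any hunk shown, so it may be dead configuration on 2.7.x-fixes.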
@@ -107,6 +117,15 @@ public class SAMLProtocolResponseValidator {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
}
+ if (samlResponse.getIssueInstant() != null) {
+ DateTime currentTime = new DateTime();
+ currentTime = currentTime.plusSeconds(futureTTL);
+ if (samlResponse.getIssueInstant().isAfter(currentTime)) {
+ LOG.fine("SAML Response IssueInstant not met");
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+ }
+ }
+
validateResponseAgainstSchemas(samlResponse);
validateResponseSignature(samlResponse, sigCrypto, callbackHandler);
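Review bot: The new throw uses `WSSecurityException.ErrorCode.FAILURE`, while the existing throw three lines above in the same method uses `WSSecurityException.FAILURE`; the imports in this file are from `org.apache.ws.security` (WSS4J 1.x), where the `ErrorCode` nested type does not appear to exist, so this looks like a 2.x form that will not compile here. The line should read `throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");`, and the same correction applies to the identical block in the next hunk. Since the block is duplicated verbatim in both overloads, a `private void validateIssueInstant(Response samlResponse) throws WSSecurityException` helper would keep the two in step. Note that the check only rejects an IssueInstant more than `futureTTL` seconds in the future and places no upper bound on how old the Response may be; if staleness is enforced elsewhere, a comment saying so would help, and the log message `SAML Response IssueInstant not met` would be clearer as `SAML Response IssueInstant is in the future beyond futureTTL`.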
@@ -155,6 +174,15 @@ public class SAMLProtocolResponseValidator {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
}
+ if (samlResponse.getIssueInstant() != null) {
+ DateTime currentTime = new DateTime();
+ currentTime = currentTime.plusSeconds(futureTTL);
+ if (samlResponse.getIssueInstant().isAfter(currentTime)) {
+ LOG.fine("SAML Response IssueInstant not met");
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+ }
+ }
+
validateResponseAgainstSchemas(samlResponse);
validateResponseSignature(samlResponse, sigCrypto, callbackHandler);
@@ -511,4 +539,19 @@ public class SAMLProtocolResponseValidator {
}
}
+<<<<<<< HEAD
+=======
+ public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
+ this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
+ }
+
+ public int getFutureTTL() {
+ return futureTTL;
+ }
+
+ public void setFutureTTL(int futureTTL) {
+ this.futureTTL = futureTTL;
+ }
+
+>>>>>>> ce2c2f3... Adding some more SAML SSO tests
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/416cd1fe/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
----------------------------------------------------------------------
diff --git
a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
index 3933276..334cbf5 100644
---
a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
+++
b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLResponseValidatorTest.java
@@ -561,6 +561,97 @@ public class SAMLResponseValidatorTest extends
org.junit.Assert {
}
}
+ @org.junit.Test
+ public void testResponseIssueInstant() throws Exception {
+ DocumentBuilderFactory docBuilderFactory =
DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+ Document doc = docBuilder.newDocument();
+
+ Status status =
+ SAML2PResponseComponentBuilder.createStatus(
+ SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
+ );
+ Response response =
+ SAML2PResponseComponentBuilder.createSAMLResponse(
+ "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer",
status
+ );
+
+ response.setIssueInstant(new DateTime().plusMinutes(5));
+
+ // Create an AuthenticationAssertion
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("http://cxf.apache.org/issuer");
+
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper assertion = new
SamlAssertionWrapper(samlCallback);
+
+ response.getAssertions().add(assertion.getSaml2());
+
+ Element policyElement = OpenSAMLUtil.toDom(response, doc);
+ doc.appendChild(policyElement);
+ assertNotNull(policyElement);
+
+ Response marshalledResponse =
(Response)OpenSAMLUtil.fromDom(policyElement);
+
+ // Validate the Response
+ SAMLProtocolResponseValidator validator = new
SAMLProtocolResponseValidator();
+ try {
+ validator.validateSamlResponse(marshalledResponse, null, null);
+ fail("Expected failure on an invalid Response IssueInstant");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void testAssertionIssueInstant() throws Exception {
+ DocumentBuilderFactory docBuilderFactory =
DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+ DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+ Document doc = docBuilder.newDocument();
+
+ Status status =
+ SAML2PResponseComponentBuilder.createStatus(
+ SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
+ );
+ Response response =
+ SAML2PResponseComponentBuilder.createSAMLResponse(
+ "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer",
status
+ );
+
+ // Create an AuthenticationAssertion
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("http://cxf.apache.org/issuer");
+
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+ SamlAssertionWrapper assertion = new
SamlAssertionWrapper(samlCallback);
+
+ assertion.getSaml2().setIssueInstant(new DateTime().plusMinutes(5));
+
+ response.getAssertions().add(assertion.getSaml2());
+
+ Element policyElement = OpenSAMLUtil.toDom(response, doc);
+ doc.appendChild(policyElement);
+ assertNotNull(policyElement);
+
+ Response marshalledResponse =
(Response)OpenSAMLUtil.fromDom(policyElement);
+
+ // Validate the Response
+ SAMLProtocolResponseValidator validator = new
SAMLProtocolResponseValidator();
+ try {
+ validator.validateSamlResponse(marshalledResponse, null, null);
+ fail("Expected failure on an invalid Assertion IssueInstant");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
/**
* Sign a SAML Response
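Review bot: Both new tests accept any `WSSecurityException` as proof that the IssueInstant check fired, but the validator raises the same `invalidSAMLsecurity` failure for several unrelated conditions, so a test that passes here does not show the new code path was exercised. `testAssertionIssueInstant` in particular moves only the Assertion's IssueInstant into the future, while the validator changes in this commit check `samlResponse.getIssueInstant()`; unless an assertion-level IssueInstant check exists elsewhere (not visible in this diff), the expected failure may be coming from a different validation or may not occur at all. A positive companion test that sets `response.setIssueInstant(new DateTime().plusSeconds(30));` (inside the default futureTTL of 60) and expects validation to succeed would pin the boundary, and a negative test calling `validator.setFutureTTL(0);` would show the setter is honoured. The enclosing test class continues outside the hunk.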