Adding some stuff to the SAMLTokenValidator in the STS
Conflicts:
services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4327a2ef
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4327a2ef
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4327a2ef
Branch: refs/heads/2.7.x-fixes
Commit: 4327a2ef1d6de59b4e3d5853cd31f10a3b0aa54b
Parents: 1ef8fc6
Author: Colm O hEigeartaigh <[email protected]>
Authored: Mon Jan 19 11:07:15 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Mon Jan 19 11:32:55 2015 +0000
----------------------------------------------------------------------
.../sts/token/validator/SAMLTokenValidator.java | 46 +++++++++++++++++++-
1 file changed, 44 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/4327a2ef/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index 196eba7..a2874bb 100644
---
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -55,8 +55,13 @@ import
org.apache.ws.security.validate.SignatureTrustValidator;
import org.apache.ws.security.validate.Validator;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;
+<<<<<<< HEAD
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.ValidatorSuite;
+=======
+import org.opensaml.xml.signature.KeyInfo;
+import org.opensaml.xml.signature.Signature;
+>>>>>>> c1f9d04... Adding some stuff to the SAMLTokenValidator in the STS
/**
* Validate a SAML Assertion. It is valid if it was issued and signed by this
STS.
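Review bot: The committed file contains unresolved merge-conflict markers (`<<<<<<< HEAD` in this import hunk, and again around `validateAssertion` in the hunks at `@@ -255` and `@@ -281`), so the resulting source cannot compile and both alternative `validateAssertion` bodies are present at once. The two sides also disagree on the wrapper type, `AssertionWrapper` on HEAD versus `SamlAssertionWrapper` on the cherry-picked side, which suggests the conflict noted in the commit description was recorded but never actually resolved in the file. On a 2.7.x fix branch that presumably means keeping the HEAD imports (`ValidationException`, `ValidatorSuite`) and the HEAD body of `validateAssertion`, dropping the otherwise unused `KeyInfo` and `Signature` imports, and removing all three marker pairs. If the HEAD body is kept as-is, the new `validateSignatureAgainstProfile` flag (field, getter and setter added elsewhere in this commit) has no remaining reader, so it should either be wired into that body or left out of this branch. The HEAD `validateAssertion` body continues outside the visible hunks.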
@@ -74,6 +79,12 @@ public class SAMLTokenValidator implements TokenValidator {
private SAMLRoleParser samlRoleParser = new DefaultSAMLRoleParser();
/**
+ * Whether to validate the signature of the Assertion (if it exists)
against the
+ * relevant profile. Default is true.
+ */
+ private boolean validateSignatureAgainstProfile = true;
+
+ /**
* Set a list of Strings corresponding to regular expression constraints
on the subject DN
* of a certificate that was used to sign a received Assertion
*/
@@ -255,6 +266,7 @@ public class SAMLTokenValidator implements TokenValidator {
/**
* Validate the assertion against schemas/profiles
*/
+<<<<<<< HEAD
protected void validateAssertion(AssertionWrapper assertion) throws
WSSecurityException {
if (assertion.getSaml1() != null) {
ValidatorSuite schemaValidators =
@@ -281,6 +293,10 @@ public class SAMLTokenValidator implements TokenValidator {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
}
}
+=======
+ protected void validateAssertion(SamlAssertionWrapper assertion) throws
WSSecurityException {
+ assertion.validateAssertion(validateSignatureAgainstProfile);
+>>>>>>> c1f9d04... Adding some stuff to the SAMLTokenValidator in the STS
}
protected boolean validateConditions(
@@ -288,21 +304,31 @@ public class SAMLTokenValidator implements TokenValidator
{
) {
DateTime validFrom = null;
DateTime validTill = null;
+ DateTime issueInstant = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
validFrom = assertion.getSaml2().getConditions().getNotBefore();
validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ issueInstant = assertion.getSaml2().getIssueInstant();
} else {
validFrom = assertion.getSaml1().getConditions().getNotBefore();
validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ issueInstant = assertion.getSaml1().getIssueInstant();
}
- if (validFrom.isAfterNow()) {
+
+ if (validFrom != null && validFrom.isAfterNow()) {
LOG.log(Level.WARNING, "SAML Token condition not met");
return false;
- } else if (validTill.isBeforeNow()) {
+ } else if (validTill != null && validTill.isBeforeNow()) {
LOG.log(Level.WARNING, "SAML Token condition not met");
validateTarget.setState(STATE.EXPIRED);
return false;
}
+
+ if (issueInstant != null && issueInstant.isAfterNow()) {
+ LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
+ return false;
+ }
+
return true;
}
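Review bot: The new `validFrom != null` and `validTill != null` guards imply that the time bounds are optional, yet the lines that compute them still dereference `getConditions()` unconditionally, so an assertion with no Conditions element throws a NullPointerException before the guards are ever reached instead of being handled. The Conditions lookup should be hoisted into a local and null-checked in both the SAML 2.0 and SAML 1.1 branches, as below. Note also that once both bounds are absent the token passes with no time restriction at all, which may be intended but deserves a comment or an explicit policy decision next to the guards. The new `issueInstant.isAfterNow()` rejection, like the pre-existing `validFrom.isAfterNow()`, allows no clock-skew tolerance, so a token issued a second ahead of the STS clock is refused; a small configurable skew window would be more robust. The signature of validateConditions starts outside the hunk.
```java
DateTime validFrom = null;
DateTime validTill = null;
DateTime issueInstant = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
    org.opensaml.saml2.core.Conditions conditions = assertion.getSaml2().getConditions();
    // Conditions is optional in SAML; only read the bounds when it is present
    if (conditions != null) {
        validFrom = conditions.getNotBefore();
        validTill = conditions.getNotOnOrAfter();
    }
    issueInstant = assertion.getSaml2().getIssueInstant();
} else {
    org.opensaml.saml1.core.Conditions conditions = assertion.getSaml1().getConditions();
    if (conditions != null) {
        validFrom = conditions.getNotBefore();
        validTill = conditions.getNotOnOrAfter();
    }
    issueInstant = assertion.getSaml1().getIssueInstant();
}
// … unchanged: validFrom / validTill / issueInstant checks and return …
```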
@@ -346,4 +372,20 @@ public class SAMLTokenValidator implements TokenValidator {
public void setSamlRoleParser(SAMLRoleParser samlRoleParser) {
this.samlRoleParser = samlRoleParser;
}
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists)
against the
+ * relevant profile. Default is true.
+ */
+ public boolean isValidateSignatureAgainstProfile() {
+ return validateSignatureAgainstProfile;
+ }
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists)
against the
+ * relevant profile. Default is true.
+ */
+ public void setValidateSignatureAgainstProfile(boolean
validateSignatureAgainstProfile) {
+ this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+ }
}