Enforce all Assertions must be signed in some way by default
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3863a2a7 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3863a2a7 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3863a2a7 Branch: refs/heads/3.0.x-fixes Commit: 3863a2a71d6398491447c2f024f1595fbb921b34 Parents: 8858a63 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Jan 18 14:43:41 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Jan 18 14:45:09 2016 +0000 ---------------------------------------------------------------------- .../saml/sso/SAMLSSOResponseValidator.java | 8 ++-- .../saml/sso/CombinedValidatorTest.java | 1 + .../saml/sso/SAMLSSOResponseValidatorTest.java | 49 ++++++++++++++++++++ 3 files changed, 54 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/3863a2a7/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java index 8da52c8..70c659f 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java 
@@ -50,7 +50,8 @@ public class SAMLSSOResponseValidator { private TokenReplayCache<String> replayCache; /** - * Enforce that Assertions must be signed if the POST binding was used. The default is true. + * Enforce that Assertions contained in the Response must be signed (if the Response itself is not + * signed). The default is true. */ public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) { this.enforceAssertionsSigned = enforceAssertionsSigned; @@ -108,9 +109,8 @@ public class SAMLSSOResponseValidator { } validateIssuer(assertion.getIssuer()); - if (enforceAssertionsSigned && postBinding && assertion.getSignature() == null) { - LOG.fine("If the HTTP Post binding is used to deliver the Response, " - + "the enclosed assertions must be signed"); + if (!enforceResponseSigned && enforceAssertionsSigned && assertion.getSignature() == null) { + LOG.fine("The enclosed assertions in the SAML Response must be signed"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } http://git-wip-us.apache.org/repos/asf/cxf/blob/3863a2a7/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java index 3150a0e..261a630 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java 
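Review bot: The new Javadoc on setEnforceAssertionsSigned says Assertions must be signed "if the Response itself is not signed", but the condition in the second hunk keys on the `enforceResponseSigned` flag, not on whether the Response actually carries a signature, so the doc should describe the flag interaction rather than the document state; suggest `* Enforce that Assertions contained in the Response must be signed. The check is skipped when enforceResponseSigned is true, because a signed Response is then required instead. The default is true.` The check itself only tests for the presence of a Signature element (`assertion.getSignature() == null`); verification of that signature presumably happens in the protocol-level validator outside this hunk, and a one-line comment saying so would stop a reader from assuming this branch proves integrity. With `postBinding` dropped from this condition, confirm it is still used elsewhere in the method; the enclosing validateSamlResponse starts and ends outside the hunk.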
@@ -168,6 +168,7 @@ public class CombinedValidatorTest extends org.junit.Assert { // Test SSO validation SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator(); + ssoValidator.setEnforceAssertionsSigned(false); ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer"); ssoValidator.setAssertionConsumerURL("http://recipient.apache.org"); ssoValidator.setClientAddress("http://apache.org"); http://git-wip-us.apache.org/repos/asf/cxf/blob/3863a2a7/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java index 7855c29a..08814bb 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java @@ -77,6 +77,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -97,6 +98,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); 
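Review bot: Every pre-existing test in CombinedValidatorTest and SAMLSSOResponseValidatorTest now opts out with `validator.setEnforceAssertionsSigned(false);` (this hunk and the same insertion in each hunk up to @@ -515), so the only coverage of the new default is the negative case in testEnforceAssertionsSigned and no test shows a signed Assertion passing under it. Keeping the default in at least one test that signs the Assertion would pin the intended positive behavior. Whether the blanket opt-out is even needed depends on the default of enforceResponseSigned, which is not visible here; if these responses are Response-signed and that flag defaults to true, the new condition already skips the check and the opt-out lines are redundant.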
@@ -122,6 +124,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -147,6 +150,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -172,6 +176,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -198,6 +203,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); 
@@ -298,6 +304,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -324,6 +331,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -343,6 +351,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -372,6 +381,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); 
@@ -403,6 +413,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -437,6 +448,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -472,6 +484,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); @@ -515,6 +528,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { // Validate the Response SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator(); + validator.setEnforceAssertionsSigned(false); validator.setIssuerIDP("http://cxf.apache.org/issuer"); validator.setAssertionConsumerURL("http://recipient.apache.org"); validator.setClientAddress("http://apache.org"); 
@@ -529,6 +543,41 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert { } } + @org.junit.Test + public void testEnforceAssertionsSigned() throws Exception { + + SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean(); + subjectConfirmationData.setAddress("http://apache.org"); + subjectConfirmationData.setInResponseTo("12345"); + subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5)); + subjectConfirmationData.setRecipient("http://recipient.apache.org"); + + Response response = createResponse(subjectConfirmationData); + + Crypto issuerCrypto = new Merlin(); + KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class); + InputStream input = Merlin.loadInputStream(loader, "alice.jks"); + keyStore.load(input, "password".toCharArray()); + ((Merlin)issuerCrypto).setKeyStore(keyStore); + + // Test SSO validation + SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator(); + ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer"); + ssoValidator.setAssertionConsumerURL("http://recipient.apache.org"); + ssoValidator.setClientAddress("http://apache.org"); + ssoValidator.setRequestId("12345"); + ssoValidator.setSpIdentifier("http://service.apache.org"); + + // Parse the response + try { + ssoValidator.validateSamlResponse(response, false); + fail("Failure expected on an unsigned Assertion"); + } catch (WSSecurityException ex) { + // expected + } + } + private Response createResponse( SubjectConfirmationDataBean subjectConfirmationData ) throws Exception {
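Review bot: In testEnforceAssertionsSigned the keystore block is dead code — `issuerCrypto` is never passed to anything after setKeyStore — and the `InputStream input` it opens is never closed. Either drop the lines from `Crypto issuerCrypto = new Merlin();` through `((Merlin)issuerCrypto).setKeyStore(keyStore);`, or, if a signed-Assertion variant is intended, keep it and load the stream as `try (InputStream input = Merlin.loadInputStream(loader, "alice.jks")) { keyStore.load(input, "password".toCharArray()); }`. The test also covers only the unsigned rejection path; a companion case that signs the Assertion and expects validateSamlResponse to succeed with the default flags would confirm the positive side of the new rule. The hunk ends inside the signature of createResponse, which continues outside it.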
