Repository: cxf-fediz Updated Branches: refs/heads/master e68df8357 -> 020045463
Fixed SAML redirect signature
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/02004546
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/02004546
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/02004546
Branch: refs/heads/master
Commit: 020045463e720aca1de3466d3480f8b084f400dc
Parents: e68df83
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Mar 23 16:59:16 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Mar 23 16:59:16 2016 +0000
----------------------------------------------------------------------
.../idp/samlsso/AuthnRequestValidator.java | 3 ++-
.../WEB-INF/flows/saml-signin-request.xml | 6 +++---
.../WEB-INF/flows/saml-validate-request.xml | 20 ++++++++++----------
.../apache/cxf/fediz/systests/idp/IdpTest.java | 5 ++---
4 files changed, 17 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
index b20b1f1..82f3c66 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/samlsso/AuthnRequestValidator.java
@@ -41,6 +41,7 @@ import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
 import org.apache.wss4j.dom.validate.Credential;
 import org.apache.wss4j.dom.validate.SignatureTrustValidator;
 import org.apache.wss4j.dom.validate.Validator;
+import org.apache.xml.security.utils.Base64;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
 import org.opensaml.security.credential.BasicCredential;
@@ -89,7 +90,7 @@ public class AuthnRequestValidator {
 sig.update(requestToSign.getBytes(StandardCharsets.UTF_8));
- if (!sig.verify(signature.getBytes())) {
+ if (!sig.verify(Base64.decode(signature))) {
 LOG.debug("Signature validation failed");
 throw new ProcessingException(TYPE.BAD_REQUEST);
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index f706f0a..cc7b0f6 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -43,7 +43,7 @@
 <evaluate expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, flowRequestContext)" />
 <transition on="yes" to="redirectToLocalIDP" />
- <transition on="no" to="requestRpToken">
+ <transition on="no" to="parseAndValidateSAMLRequest">
 <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" />
 </transition>
 <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
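Review bot: `Base64.decode(signature)` in the new `if` declares the checked `Base64DecodingException` (Santuario's `org.apache.xml.security.exceptions.Base64DecodingException`), and nothing in the hunk maps it to the `ProcessingException(TYPE.BAD_REQUEST)` that the flow's `on-exception` transition is keyed on, so a `Signature` query parameter that is not valid Base64 now surfaces as an unmapped exception rather than a bad request. The enclosing method starts and ends outside the hunk, so it may already declare or catch it; if not, decode first and reject malformed input explicitly (the exception type needs its own import).
```java
        sig.update(requestToSign.getBytes(StandardCharsets.UTF_8));
        byte[] signatureBytes;
        try {
            signatureBytes = Base64.decode(signature);
        } catch (Base64DecodingException ex) {
            // Attacker-controlled parameter; treat undecodable input as a bad request, not a server error
            LOG.debug("Signature parameter is not valid Base64", ex);
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
        if (!sig.verify(signatureBytes)) {
            // … unchanged: failure logging and BAD_REQUEST …
```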
@@ -59,7 +59,7 @@
 <action-state id="cacheSecurityToken">
 <secured attributes="IS_AUTHENTICATED_FULLY" />
 <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
- <transition to="requestRpToken">
+ <transition to="parseAndValidateSAMLRequest">
 <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.homerealm]" />
 </transition>
 </action-state>
@@ -67,7 +67,7 @@
 <!-- ============================================================================================================= -->
 <!-- normal exit point -->
- <end-state id="requestRpToken">
+ <end-state id="parseAndValidateSAMLRequest">
 <output name="homerealm" value="flowScope.homerealm" />
 <output name="idpToken" value="flowScope.idpToken" />
 </end-state>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 52f7960..2578e98 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -33,17 +33,9 @@
 <if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0" then="viewBadRequest" />
 <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
- then="parseAndValidateSAMLRequest" else="viewBadRequest" />
+ then="signinSAMLRequest" else="viewBadRequest" />
 </decision-state>
- <action-state id="parseAndValidateSAMLRequest">
- <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
- flowScope.Signature, flowScope.RelayState,
- flowScope.SAMLRequest)" />
- <transition to="signinSAMLRequest"/>
- <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
- </action-state>
-
 <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
 <input name="idpConfig" value="flowScope.idpConfig" />
 <input name="SAMLRequest" value="flowScope.SAMLRequest" />
@@ -53,7 +45,7 @@
 <output name="idpToken" />
 <output name="trusted_idp_context" />
- <transition on="requestRpToken" to="requestRpToken">
+ <transition on="parseAndValidateSAMLRequest" to="parseAndValidateSAMLRequest">
 <set name="flowScope.homerealm" value="currentEvent.attributes.homerealm" />
 <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
 </transition>
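Review bot: With `then="signinSAMLRequest"` the request reaches the sign-in subflow after only the null/empty checks on `RelayState` and `SAMLRequest`; parsing and signature verification of the SP's AuthnRequest now happen only in `parseAndValidateSAMLRequest`, which this commit moves to after the subflow. That means a forged, unsigned or malformed request is still served the login page and collects the user's credentials before it is rejected, whereas the old order rejected it before any user interaction. The reason for the move is not stated here — presumably validation now needs the `/saml/up` request that the test signs — so record it on the decision state, e.g. `<!-- SAMLRequest is only presence-checked here; it is parsed and its signature verified in parseAndValidateSAMLRequest, after the signinSAMLRequest subflow -->`, and consider a cheap structural check (decode and parse, no signature) before sign-in so junk is rejected before credentials are collected.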
@@ -62,6 +54,14 @@
 <transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
 </subflow-state>
+ <action-state id="parseAndValidateSAMLRequest">
+ <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
+ flowScope.Signature, flowScope.RelayState,
+ flowScope.SAMLRequest)" />
+ <transition to="requestRpToken"/>
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ </action-state>
+
 <!-- produce RP security token (as String type) -->
 <action-state id="requestRpToken">
 <on-entry>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/02004546/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index e43e62f..97137b1 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -388,7 +388,6 @@ public class IdpTest {
 }
 @org.junit.Test
- @org.junit.Ignore
 public void testSeparateSignature() throws Exception {
 OpenSAMLUtil.initSamlEngine();
@@ -422,7 +421,7 @@ public class IdpTest {
 java.security.Signature signature = java.security.Signature.getInstance("SHA1withRSA");
 signature.initSign(privateKey);
- String requestToSign = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+ String requestToSign = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up?";
 requestToSign += SSOConstants.RELAY_STATE + "=" + relayState;
 requestToSign += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
 requestToSign += "&" + SSOConstants.SIG_ALG + "="
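Review bot: The re-added `parseAndValidateSAMLRequest` state routes only `org.apache.cxf.fediz.core.exception.ProcessingException` to `viewBadRequest`, so any other exception raised while `authnRequestParser.parseSAMLRequest` handles the attacker-supplied `SAMLRequest`/`Signature` values (XML parsing errors, a Base64 decoding failure in the validator, runtime exceptions) propagates to whatever global handler this flow has outside the hunk. The signin flow touched by the same commit already uses a catch-all for this situation; add `<transition on-exception="java.lang.Throwable" to="viewBadRequest" />` after the existing transition so a malformed request is answered as a bad request rather than an unhandled error.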
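Review bot: `requestToSign` signs `https://localhost:<port>/fediz-idp/saml/up?RelayState=…&SAMLRequest=…&SigAlg=…`, which is not the HTTP-Redirect binding's canonical signed string `SAMLRequest=…&RelayState=…&SigAlg=…` (SAML 2.0 Bindings §3.4.4.1: no URL prefix, SAMLRequest first). If `AuthnRequestValidator` rebuilds the same layout — it is not visible here, so worth confirming — a third-party SP that signs per the binding can never pass signature validation at this IdP, and this test would not notice because it mirrors the IdP's construction. The hunk also pins `SHA1withRSA`; a second case with an RSA-SHA256 `SigAlg` would show whether the validator accepts anything but the deprecated algorithm. Either way, add a comment on `requestToSign`, e.g. `// NOTE: mirrors the IdP's signed-string layout (full URL, RelayState first), which differs from SAML Bindings 3.4.4.1 — keep in sync with AuthnRequestValidator`. `testSeparateSignature` continues outside the hunk.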
@@ -433,7 +432,7 @@ public class IdpTest {
 String encodedSignature = Base64.encode(signBytes);
- String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up?";
 url += SSOConstants.RELAY_STATE + "=" + relayState;
 url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
 url += "&" + SSOConstants.SIGNATURE + "=" + URLEncoder.encode(encodedSignature, StandardCharsets.UTF_8.name());
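Review bot: As far as this hunk shows, `testSeparateSignature` only exercises the success path: `url` carries a correctly signed request and the assertions beyond the hunk presumably expect sign-in to proceed. Because the bug fixed here is that `sig.verify` was fed the Base64 text instead of the decoded bytes, a negative case is what proves the verifier rejects anything at all — reuse this setup but corrupt one byte of `signBytes` before `Base64.encode(signBytes)`, or sign with a key the IdP does not trust, and assert the IdP answers with the bad-request page. Without it, a validator that returned true unconditionally would still pass. The method continues outside the hunk.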
