Author: coheigea
Date: Tue Jan 3 11:20:55 2012
New Revision: 1226742
URL: http://svn.apache.org/viewvc?rev=1226742&view=rev
Log:
[WSS-331] - Insufficient checking of SAML Condition NotBefore/NotOnOrAfter
validation dates
- Fixed, thanks
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1226742&r1=1226741&r2=1226742&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Tue Jan 3 11:20:55 2012
@@ -74,22 +74,7 @@ public class SamlAssertionValidator exte
}
// Check conditions
- DateTime validFrom = null;
- DateTime validTill = null;
- if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
- && assertion.getSaml2().getConditions() != null) {
- validFrom = assertion.getSaml2().getConditions().getNotBefore();
- validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
- } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
- && assertion.getSaml1().getConditions() != null) {
- validFrom = assertion.getSaml1().getConditions().getNotBefore();
- validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
- }
- if (validFrom != null && validTill != null
- && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
- LOG.debug("SAML Token condition not met");
- throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
- }
+ checkConditions(assertion);
// Verify trust on the signature
if (assertion.isSigned()) {
@@ -117,4 +102,31 @@ public class SamlAssertionValidator exte
return super.validate(trustCredential, data);
}
+ /**
+ * Check the Conditions of the Assertion.
+ */
+ protected void checkConditions(AssertionWrapper assertion) throws
WSSecurityException {
+ DateTime validFrom = null;
+ DateTime validTill = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
+ && assertion.getSaml2().getConditions() != null) {
+ validFrom = assertion.getSaml2().getConditions().getNotBefore();
+ validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
+ && assertion.getSaml1().getConditions() != null) {
+ validFrom = assertion.getSaml1().getConditions().getNotBefore();
+ validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+
+ if (validFrom != null && validFrom.isAfterNow()) {
+ LOG.debug("SAML Token condition (Not Before) not met");
+ throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
+ }
+
+ if (validTill != null && validTill.isBeforeNow()) {
+ LOG.debug("SAML Token condition (Not On Or After) not met");
+ throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLsecurity");
+ }
+ }
+
}
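Review bot: The expiry check `validTill.isBeforeNow()` still accepts an assertion evaluated at exactly its NotOnOrAfter instant, whereas that condition is exclusive (the assertion is already expired at that instant), so the boundary should be `if (validTill != null && !validTill.isAfterNow()) {`; the NotBefore check is inclusive and is correct as written. Both comparisons are strict against the local clock with no tolerance, so an issuer whose clock runs slightly ahead yields a NotBefore in the future and the token is rejected outright; a small, configurable skew allowance applied at both bounds would make the validator less brittle without weakening it. The Javadoc `Check the Conditions of the Assertion.` overstates what the method does, since only the NotBefore/NotOnOrAfter window is inspected; I would write `Check the NotBefore/NotOnOrAfter validity window of the Assertion's Conditions. Other conditions (e.g. AudienceRestriction, OneTimeUse) are not evaluated here.` The two debug messages would be more useful for diagnosing skew failures if they included the offending condition value alongside the validator's current time.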
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java?rev=1226742&r1=1226741&r2=1226742&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlConditionsTest.java
Tue Jan 3 11:20:55 2012
@@ -19,40 +19,26 @@
package org.apache.ws.security.saml;
+import java.util.List;
+
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.common.CustomHandler;
import org.apache.ws.security.common.CustomSamlAssertionValidator;
import org.apache.ws.security.common.SAML1CallbackHandler;
import org.apache.ws.security.common.SAML2CallbackHandler;
-import org.apache.ws.security.common.SAMLElementCallbackHandler;
import org.apache.ws.security.common.SOAPUtil;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSAMLToken;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.SAMLParms;
import org.apache.ws.security.saml.ext.bean.ConditionsBean;
-import org.apache.ws.security.saml.ext.builder.SAML1Constants;
import org.apache.ws.security.util.WSSecurityUtil;
-
import org.joda.time.DateTime;
-import org.opensaml.Configuration;
-import org.opensaml.common.SAMLObjectBuilder;
-import org.opensaml.saml2.core.AttributeValue;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.xml.XMLObjectBuilder;
-import org.opensaml.xml.XMLObjectBuilderFactory;
-import org.opensaml.xml.schema.XSAny;
import org.w3c.dom.Document;
-import java.util.Collections;
-import java.util.List;
-
/**
* Test-case for sending and processing an a SAML Token with a custom
Conditions element.
*/