Author: coheigea
Date: Thu Sep 11 14:52:58 2014
New Revision: 1624311
URL: http://svn.apache.org/r1624311
Log:
[WSS-512] - Provide a configurable way of enforcing that SAML Bearer Tokens
must have an internal signature
Conflicts:
src/test/java/org/apache/ws/security/message/ReplayTest.java
ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/ReplayTest.java
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?rev=1624311&r1=1624310&r2=1624311&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java
Thu Sep 11 14:52:58 2014
@@ -71,6 +71,12 @@ public class SamlAssertionValidator exte
private boolean requireStandardSubjectConfirmationMethod = true;
/**
+ * If this is set, an Assertion with a Bearer SubjectConfirmation Method
must be
+ * signed
+ */
+ private boolean requireBearerSignature = true;
+
+ /**
* Set the time in seconds in the future within which the NotBefore time
of an incoming
* Assertion is valid. The default is 60 seconds.
*/
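Review bot: The new field defaults to `true`, which on a fixes branch means existing deployments that currently accept unsigned Bearer assertions start rejecting them on upgrade (the ReplayTest changes in this same commit show that effect); the Javadoc on `requireBearerSignature` should say so and should say which signature is meant, since "must be signed" does not distinguish a signature carried by the assertion itself from a message signature that merely references the token. Secure-by-default is the right choice here, so the point is documentation, not the default. Suggested Javadoc: `If true (the default), an Assertion with a Bearer SubjectConfirmation Method must itself carry a signature; unsigned Bearer Assertions are rejected. Set to false to restore the previous, more lenient behaviour.` The enclosing class continues outside the hunk.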
@@ -154,8 +160,14 @@ public class SamlAssertionValidator exte
requiredMethodFound = true;
}
if (SAML2Constants.CONF_BEARER.equals(method)
- || SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
- || SAML1Constants.CONF_BEARER.equals(method)
+ || SAML1Constants.CONF_BEARER.equals(method)) {
+ standardMethodFound = true;
+ if (requireBearerSignature && !signed) {
+ LOG.debug("A Bearer Assertion was not signed");
+ throw new
WSSecurityException(WSSecurityException.FAILURE,
+ "invalidSAMLsecurity");
+ }
+ } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
|| SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
standardMethodFound = true;
}
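Review bot: The rejection of an unsigned Bearer assertion is logged only at debug level, so in a default production configuration the event that matters most for detecting token misuse leaves no trace; `LOG.warn("A Bearer Assertion was not signed");` would make the refusal visible without exposing anything sensitive. The `signed` flag the guard consults, and the method that computes it, lie outside this hunk, so it is worth confirming that it reflects a signature carried by the assertion itself (the "internal signature" named in the commit log) rather than any signature in the security header; if it were the latter, the check would accept a Bearer assertion whose contents are not actually bound. Moving SENDER_VOUCHES into its own `else if` branch preserves the previous handling for that method.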
@@ -330,5 +342,13 @@ public class SamlAssertionValidator exte
public void setRequireStandardSubjectConfirmationMethod(boolean
requireStandardSubjectConfirmationMethod) {
this.requireStandardSubjectConfirmationMethod =
requireStandardSubjectConfirmationMethod;
}
+
+ public boolean isRequireBearerSignature() {
+ return requireBearerSignature;
+ }
+
+ public void setRequireBearerSignature(boolean requireBearerSignature) {
+ this.requireBearerSignature = requireBearerSignature;
+ }
}
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/ReplayTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/ReplayTest.java?rev=1624311&r1=1624310&r2=1624311&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/ReplayTest.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/ReplayTest.java
Thu Sep 11 14:52:58 2014
@@ -44,6 +44,7 @@ import org.apache.ws.security.saml.ext.b
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XMLUtils;
+import org.apache.ws.security.validate.SamlAssertionValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -285,6 +286,11 @@ public class ReplayTest extends org.juni
}
WSSConfig wssConfig = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new
SamlAssertionValidator();
+ assertionValidator.setRequireBearerSignature(false);
+ wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN,
assertionValidator);
+ wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN,
assertionValidator);
+
RequestData data = new RequestData();
data.setWssConfig(wssConfig);
data.setCallbackHandler(callbackHandler);
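Review bot: The validator setup that disables the bearer-signature check is pasted verbatim into two test methods (this hunk and the one at `@@ -334,6 +340,11 @@`), with no comment saying why a security check is being switched off in a test; a private helper with a one-line explanation keeps the two in sync and makes the intent reviewable. Both enclosing test methods start outside their hunks. The inferred reason is that these tests exercise replay detection with assertions that are not signed, so the helper's comment should be checked against what the callbacks actually build.
```java
// Disable the bearer-signature check so these tests exercise replay
// detection rather than signature enforcement.
private static WSSConfig newConfigWithoutBearerSignatureCheck() {
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
    assertionValidator.setRequireBearerSignature(false);
    wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
    wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
    return wssConfig;
}
// … unchanged: each test then does `WSSConfig wssConfig = newConfigWithoutBearerSignatureCheck();` …
```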
@@ -334,6 +340,11 @@ public class ReplayTest extends org.juni
}
WSSConfig wssConfig = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new
SamlAssertionValidator();
+ assertionValidator.setRequireBearerSignature(false);
+ wssConfig.setValidator(WSSecurityEngine.SAML_TOKEN,
assertionValidator);
+ wssConfig.setValidator(WSSecurityEngine.SAML2_TOKEN,
assertionValidator);
+
RequestData data = new RequestData();
data.setWssConfig(wssConfig);
data.setCallbackHandler(callbackHandler);
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java?rev=1624311&r1=1624310&r2=1624311&view=diff
==============================================================================
---
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
(original)
+++
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
Thu Sep 11 14:52:58 2014
@@ -1049,6 +1049,44 @@ public class SamlTokenTest extends org.j
newEngine.processSecurityHeader(unsignedDoc, null, null, null);
}
+ @org.junit.Test
+ public void testUnsignedBearer() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler.setIssuer("www.example.com");
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper samlAssertion = new AssertionWrapper(samlParms);
+
+ WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+ WSSecurityEngine newEngine = new WSSecurityEngine();
+ try {
+ newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+ fail("Failure expected on an unsigned bearer token");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+
+ // Now disable this check
+ WSSConfig config = WSSConfig.getNewInstance();
+ SamlAssertionValidator assertionValidator = new
SamlAssertionValidator();
+ assertionValidator.setRequireBearerSignature(false);
+ config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+ config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+
+ newEngine.setWssConfig(config);
+ newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+ }
+
private void encryptElement(
Document document,
Element elementToEncrypt,