Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
-----------------------------------------------------------------------------------

                 Key: WSS-331
                 URL: https://issues.apache.org/jira/browse/WSS-331
             Project: WSS4J
          Issue Type: Bug
            Reporter: Glen Mazza
            Assignee: Colm O hEigeartaigh


Hi, the Assertions and Protocols for the OASIS Security Assertion Markup 
Language (SAML) V2.0 specification (Mar 2005), 
docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, gives this schema 
for saml:Conditions:

<element name="Conditions" type="saml:ConditionsType"/>
<complexType name="ConditionsType">
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:Condition"/>
<element ref="saml:AudienceRestriction"/>
<element ref="saml:OneTimeUse"/>
<element ref="saml:ProxyRestriction"/>
</choice>
<attribute name="NotBefore" type="dateTime" use="optional"/>
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
</complexType>

As shown above, NotBefore and NotOnOrAfter are both optional; however, the 
absence of one should not negate checking of the other.

In class org.apache.ws.security.validate.SamlAssertionValidator on TRUNK, I see 
this code in method validate():

        DateTime validFrom = null;
        DateTime validTill = null;
        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
            && assertion.getSaml2().getConditions() != null) {
            validFrom = assertion.getSaml2().getConditions().getNotBefore();
            validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
        } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
            ...similar...
        }
        if (validFrom != null && validTill != null 
            && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
            LOG.debug("SAML Token condition not met");
            throw new WSSecurityException(WSSecurityException.FAILURE, 
                "invalidSAMLsecurity");
        }

The if block right above skips the check if either validFrom or validTill is 
missing, but if just one of the two constraints is present it appears that the 
single constraint should still be checked.  Also, the logic above requires both 
validFrom and validTill to be violated before the WSSecurityException is 
thrown, but it should be thrown even if just one of the two constraints fails.
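The independent checks the report asks for, written as an added example for this ticket rather than WSS4J's own code: it uses java.time.Instant instead of Joda DateTime, a plain exception in place of WSSecurityException, and takes the evaluation instant as a parameter so the sample cases are deterministic.

```java
import java.time.Instant;

// Added example, not WSS4J code: validates the SAML Conditions timestamps
// independently, so a missing NotBefore or NotOnOrAfter never suppresses
// checking of the one that is present, and either violation is a failure.
public final class SamlConditionsCheck {
    // Stand-in for WSSecurityException(FAILURE, "invalidSAMLsecurity");
    // a plain exception keeps the example self-contained.
    public static final class InvalidSamlException extends Exception {
        InvalidSamlException(String msg) { super(msg); }
    }

    // notBefore / notOnOrAfter are the Conditions attributes, null when absent;
    // now is passed in (instead of read from the clock) so runs are deterministic.
    public static void checkConditions(Instant notBefore, Instant notOnOrAfter, Instant now)
            throws InvalidSamlException {
        // NotBefore is inclusive: the assertion is valid at exactly NotBefore.
        if (notBefore != null && now.isBefore(notBefore)) {
            throw new InvalidSamlException("SAML token not yet valid, NotBefore=" + notBefore);
        }
        // NotOnOrAfter is exclusive: the assertion is already invalid at exactly NotOnOrAfter.
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter)) {
            throw new InvalidSamlException("SAML token expired, NotOnOrAfter=" + notOnOrAfter);
        }
        // Both absent: nothing to check, which the schema permits.
    }

    // Constructed sample instants exercising the cases raised in the report.
    public static void main(String[] args) throws InvalidSamlException {
        Instant now = Instant.parse("2010-01-01T12:00:00Z");
        Instant past = now.minusSeconds(300);
        Instant future = now.plusSeconds(300);
        checkConditions(past, future, now); // both present, inside window: accepted
        checkConditions(null, future, now); // only NotOnOrAfter present: checked, accepted
        checkConditions(past, null, now);   // only NotBefore present: checked, accepted
        expectRejected(null, past, now);    // only NotOnOrAfter, already expired: rejected
        expectRejected(future, null, now);  // only NotBefore, not yet valid: rejected
        expectRejected(future, past, now);  // both present, both violated: rejected
        System.out.println("all condition checks behaved as expected");
    }

    private static void expectRejected(Instant nb, Instant noa, Instant now) {
        try {
            checkConditions(nb, noa, now);
        } catch (InvalidSamlException expected) {
            return;
        }
        throw new AssertionError("invalid assertion was accepted");
    }
}
```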