cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1310278 - in /cxf/trunk/services/sts/sts-core/src: main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Date Fri, 06 Apr 2012 10:58:46 GMT
Author: coheigea
Date: Fri Apr  6 10:58:46 2012
New Revision: 1310278

URL: http://svn.apache.org/viewvc?rev=1310278&view=rev
Log:
Added in functionality to prevent the renewal of a token that is "overly" expired

Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1310278&r1=1310277&r2=1310278&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
Fri Apr  6 10:58:46 2012
@@ -58,14 +58,18 @@ import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 
 /**
- * A TokenRenewer implementation that renews a (valid) SAML Token.
+ * A TokenRenewer implementation that renews a (valid or expired) SAML Token.
  */
 public class SAMLTokenRenewer implements TokenRenewer {
     
+    // The default maximum expired time a token is allowed to be is 30 minutes
+    public static final long DEFAULT_MAX_EXPIRY = 60L * 30L;
+    
     private static final Logger LOG = LogUtils.getL7dLogger(SAMLTokenRenewer.class);
     private boolean signToken = true;
     private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
     private Map<String, SAMLRealm> realmMap = new HashMap<String, SAMLRealm>();
+    private long maxExpiry = DEFAULT_MAX_EXPIRY;
     
     /**
      * Return true if this TokenRenewer implementation is able to renew a token.
@@ -98,6 +102,21 @@ public class SAMLTokenRenewer implements
         //
     }
     
+    /**
+     * Set a new value (in seconds) for how long a token is allowed to be expired for before
renewal. 
+     * The default is 30 minutes.
+     */
+    public void setMaxExpiry(long newExpiry) {
+        maxExpiry = newExpiry;
+    }
+    
+    /**
+     * Get how long a token is allowed to be expired for before renewal (in seconds). The
default is 
+     * 30 minutes.
+     */
+    public long getMaxExpiry() {
+        return maxExpiry;
+    }
     
     /**
      * Renew a token given a TokenRenewerParameters
@@ -116,6 +135,18 @@ public class SAMLTokenRenewer implements
         try {
             AssertionWrapper assertion = new AssertionWrapper((Element)tokenToRenew.getToken());
             
+            // Check to see whether the token has expired greater than the configured max
expiry time
+            if (tokenToRenew.getState() == STATE.EXPIRED) {
+                DateTime expiryDate = getExpiryDate(assertion);
+                DateTime currentDate = new DateTime();
+                if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry *
1000L)) {
+                    LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
+                    throw new STSException(
+                        "The token expired too long ago to be renewed", STSException.REQUEST_FAILED
+                    );
+                }
+            }
+            
             // Create new Conditions & sign the Assertion
             createNewConditions(assertion, tokenParameters);
             signAssertion(assertion, tokenParameters);
@@ -350,5 +381,13 @@ public class SAMLTokenRenewer implements
         }
     }
 
+    
+    private DateTime getExpiryDate(AssertionWrapper assertion) {
+        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+            return assertion.getSaml2().getConditions().getNotOnOrAfter();
+        } else {
+            return assertion.getSaml1().getConditions().getNotOnOrAfter();
+        }
+    }
 
 }

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1310278&r1=1310277&r2=1310278&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Fri Apr  6 10:58:46 2012
@@ -47,6 +47,7 @@ import org.apache.cxf.sts.token.validato
 import org.apache.cxf.sts.token.validator.TokenValidator;
 import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
 import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
+import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.CustomTokenPrincipal;
 import org.apache.ws.security.WSConstants;
@@ -373,6 +374,61 @@ public class SAMLTokenRenewerTest extend
         assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
     }
     
+    
+    /**
+     * Renew an expired SAML2 Assertion that has expired greater than the maximum allowable
time
+     * for renewal.
+     */
+    @org.junit.Test
+    public void renewTooFarExpiredSAML2Assertion() throws Exception {
+        // Create the Assertion
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler,
50);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        // Sleep to expire the token
+        Thread.sleep(2000);
+        
+        // Validate the Assertion
+        TokenValidator samlTokenValidator = new SAMLTokenValidator();
+        TokenValidatorParameters validatorParameters = createValidatorParameters();
+        TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+        ReceivedToken validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        TokenValidatorResponse validatorResponse = 
+                samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
+        
+        // Renew the Assertion
+        TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
+        renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
+        renewerParameters.setStsProperties(validatorParameters.getStsProperties());
+        renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
+        renewerParameters.setWebServiceContext(validatorParameters.getWebServiceContext());
+        renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
+        renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
+        renewerParameters.setTokenStore(validatorParameters.getTokenStore());
+        renewerParameters.setToken(validatorResponse.getToken());
+        
+        TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        ((SAMLTokenRenewer)samlTokenRenewer).setMaxExpiry(1L);
+        assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
+        
+        try {
+            samlTokenRenewer.renewToken(renewerParameters);
+            fail("Failure expected as the token expired too long ago");
+        } catch (STSException ex) {
+            // Expected
+        }
+    }
 
     private TokenValidatorParameters createValidatorParameters() throws WSSecurityException
{
         TokenValidatorParameters parameters = new TokenValidatorParameters();



Mime
View raw message