From cohei...@apache.org
Subject svn commit: r1311210 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/r...
Date Mon, 09 Apr 2012 12:33:46 GMT
Author: coheigea
Date: Mon Apr  9 12:33:45 2012
New Revision: 1311210

URL: http://svn.apache.org/viewvc?rev=1311210&view=rev
Log:
[CXF-4158] - Add proof-of-possession logic

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Mon Apr  9 12:33:45 2012
@@ -105,7 +105,7 @@ public abstract class AbstractSamlPolicy
      * @param signedResults a list of all of the signed results
      * @return true if the credentials of the assertion were used to verify a signature
      */
-    private boolean compareCredentials(
+    protected boolean compareCredentials(
         SAMLKeyInfo subjectKeyInfo,
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
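Review bot: With compareCredentials widened to protected and implemented against from another module (the STS renewer later in this commit), its Javadoc becomes the contract, yet the visible tag list goes from `@param signedResults` straight to `@return`, so the `tlsCerts` parameter appears undocumented. Add `@param tlsCerts the client certificates presented on the TLS connection, or null if the request did not arrive over client-authenticated TLS` above the `@return`, and consider stating in the summary that a match against either a signing key or a TLS certificate counts as proof. The method signature continues past the hunk, so its body is not visible here.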

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
Mon Apr  9 12:33:45 2012
@@ -141,6 +141,9 @@ public class SCTCanceller implements Tok
         return result;
     }
 
+    /**
+     * Set whether proof of possession is required or not to cancel a token
+     */
     public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
         this.verifyProofOfPossession = verifyProofOfPossession;
     }
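Review bot: The new Javadoc on setVerifyProofOfPossession says what the flag controls but not the consequence of turning it off, which is what a deployer needs to know: with the check disabled, any requester able to present a copy of the SecurityContextToken can cancel it. Suggest `Set whether proof of possession is required or not to cancel a token. When disabled, the token can be cancelled by any party holding a copy of it, so this should stay enabled in production.` The field's default is not in this hunk; stating it in the Javadoc would also help.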

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
Mon Apr  9 12:33:45 2012
@@ -20,6 +20,8 @@
 package org.apache.cxf.sts.token.renewer;
 
 import java.security.Principal;
+import java.security.cert.Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
@@ -29,12 +31,15 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.security.auth.callback.CallbackHandler;
+import javax.xml.ws.handler.MessageContext;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.SignatureProperties;
@@ -46,14 +51,20 @@ import org.apache.cxf.sts.token.realm.SA
 import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractSamlPolicyValidator;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.bean.ConditionsBean;
 import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
 import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
+import org.apache.ws.security.util.WSSecurityUtil;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 
@@ -70,6 +81,8 @@ public class SAMLTokenRenewer implements
     private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
     private Map<String, SAMLRealm> realmMap = new HashMap<String, SAMLRealm>();
     private long maxExpiry = DEFAULT_MAX_EXPIRY;
+    // boolean to enable/disable the check of proof of possession
+    private boolean verifyProofOfPossession = true;
     
     /**
      * Return true if this TokenRenewer implementation is able to renew a token.
@@ -98,8 +111,11 @@ public class SAMLTokenRenewer implements
         return false;
     }
 
+    /**
+     * Set whether proof of possession is required or not to renew a token
+     */
     public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
-        //
+        this.verifyProofOfPossession = verifyProofOfPossession;
     }
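Review bot: The setter now stores the flag, but its Javadoc should carry the default and the security consequence, since this is the switch every test in this commit flips to false. Suggest `Set whether proof of possession is required or not to renew a token. Defaults to true. When disabled, anyone holding a copy of the assertion can renew it, so it should only be turned off for testing or when proof of possession is enforced elsewhere.` The default of true is visible in the field declaration added earlier in this file's diff.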
     
     /**
@@ -147,6 +163,16 @@ public class SAMLTokenRenewer implements
                 }
             }
             
+            ProofOfPossessionValidator popValidator = new ProofOfPossessionValidator();
+            if (verifyProofOfPossession 
+                && !popValidator.checkProofOfPossession(tokenParameters, assertion.getSubjectKeyInfo()))
{
+                throw new STSException(
+                    "Failed to verify the proof of possession of the key associated with
the "
+                    + "saml token. No matching key found in the request.",
+                    STSException.INVALID_REQUEST
+                );
+            }
+            
             // Create new Conditions & sign the Assertion
             createNewConditions(assertion, tokenParameters);
             signAssertion(assertion, tokenParameters);
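Review bot: The new check passes `assertion.getSubjectKeyInfo()` straight into checkProofOfPossession without considering that an assertion with bearer subject confirmation carries no subject key, so that accessor presumably returns null and the outcome then depends on how compareCredentials (not visible here) treats a null SAMLKeyInfo — either a NullPointerException or a misleading "no matching key" failure. Decide the policy explicitly: if bearer assertions are renewable, skip the check when the key info is null with a comment saying why; if they are not, reject them with a clearer STSException than the current message. The placement before createNewConditions and signAssertion is right, since nothing is re-signed until possession is shown. The enclosing method begins before this hunk.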
@@ -390,4 +416,32 @@ public class SAMLTokenRenewer implements
         }
     }
 
+    private static class ProofOfPossessionValidator extends AbstractSamlPolicyValidator {
+        
+        public boolean checkProofOfPossession(
+            TokenRenewerParameters tokenParameters,
+            SAMLKeyInfo subjectKeyInfo
+        ) {
+            MessageContext messageContext = tokenParameters.getWebServiceContext().getMessageContext();
+            final List<WSHandlerResult> handlerResults = 
+                CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
+
+            List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
+            if (handlerResults != null && handlerResults.size() > 0) {
+                WSHandlerResult handlerResult = handlerResults.get(0);
+                List<WSSecurityEngineResult> results = handlerResult.getResults();
+                
+                WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults);
+                WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_SIGN, signedResults);
+            }
+            
+            TLSSessionInfo tlsInfo = (TLSSessionInfo)messageContext.get(TLSSessionInfo.class);
+            Certificate[] tlsCerts = null;
+            if (tlsInfo != null) {
+                tlsCerts = tlsInfo.getPeerCertificates();
+            }
+            
+            return compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
+        }
+    }
 }
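Review bot: checkProofOfPossession dereferences `tokenParameters.getWebServiceContext().getMessageContext()` on its first line with no null guard, so a renewal handled without a WebServiceContext (as in the unit tests, which is presumably why every test in this commit disables the check) dies with a NullPointerException rather than a proof-of-possession failure. Fail closed explicitly before the cast: `if (tokenParameters.getWebServiceContext() == null || tokenParameters.getWebServiceContext().getMessageContext() == null) { return false; }`. Two smaller points: only `handlerResults.get(0)` is inspected, so a signature in a second WSHandlerResult (another actor/role header) would not count as proof — fine if intentional, but worth a comment — and the validator holds no state, so the `new ProofOfPossessionValidator()` per renewal could be a single `private static final` instance.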

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
Mon Apr  9 12:33:45 2012
@@ -62,6 +62,7 @@ public class SAMLTokenRenewerLifetimeTes
     public void testSaml2ValidLifetime() throws Exception {
         int requestedLifetime = 60;
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setAcceptClientLifetime(true);
         samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -106,6 +107,7 @@ public class SAMLTokenRenewerLifetimeTes
     @org.junit.Test
     public void testSaml2ProviderLifetime() throws Exception {
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         
         long providerLifetime = 10 * 600L;
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
@@ -143,6 +145,7 @@ public class SAMLTokenRenewerLifetimeTes
     public void testSaml2ExceededConfiguredMaxLifetime() throws Exception {
         long maxLifetime = 30 * 60L;  // 30 minutes
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setMaxLifetime(maxLifetime);
         conditionsProvider.setAcceptClientLifetime(true);
@@ -190,6 +193,7 @@ public class SAMLTokenRenewerLifetimeTes
     @org.junit.Test
     public void testSaml2ExceededDefaultMaxLifetime() throws Exception {
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setAcceptClientLifetime(true);
         samlTokenRenewer.setConditionsProvider(conditionsProvider);
@@ -239,6 +243,7 @@ public class SAMLTokenRenewerLifetimeTes
         
         long maxLifetime = 30 * 60L;  // 30 minutes
         SAMLTokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setMaxLifetime(maxLifetime);
         conditionsProvider.setFailLifetimeExceedance(false);

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerRealmTest.java
Mon Apr  9 12:33:45 2012
@@ -111,6 +111,7 @@ public class SAMLTokenRenewerRealmTest e
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         Map<String, SAMLRealm> samlRealms = getSamlRealms();
         ((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
         String realm = validatorResponse.getTokenRealm();
@@ -178,6 +179,7 @@ public class SAMLTokenRenewerRealmTest e
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         Map<String, SAMLRealm> samlRealms = getSamlRealms();
         ((SAMLTokenRenewer)samlTokenRenewer).setRealmMap(samlRealms);
         String realm = validatorResponse.getTokenRealm();

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java?rev=1311210&r1=1311209&r2=1311210&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerTest.java
Mon Apr  9 12:33:45 2012
@@ -112,6 +112,7 @@ public class SAMLTokenRenewerTest extend
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
         TokenRenewerResponse renewerResponse = 
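Review bot: Every renewal test in this commit sets `setVerifyProofOfPossession(false)`, so the new default-on check has no coverage in either direction: nothing asserts that a renewal presenting a matching signing key or TLS certificate succeeds, and nothing asserts that a request with no proof is rejected with STSException.INVALID_REQUEST. At minimum add a negative test that leaves the default in place and expects the exception, which needs only a WebServiceContext whose message context carries no signature results, provided the renewer tolerates that input. As it stands the secure default relies on untested code.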
@@ -174,6 +175,7 @@ public class SAMLTokenRenewerTest extend
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
         TokenRenewerResponse renewerResponse = 
@@ -235,6 +237,7 @@ public class SAMLTokenRenewerTest extend
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
         TokenRenewerResponse renewerResponse = 
@@ -297,6 +300,7 @@ public class SAMLTokenRenewerTest extend
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
         TokenRenewerResponse renewerResponse = 
@@ -356,6 +360,7 @@ public class SAMLTokenRenewerTest extend
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         
         TokenRenewerResponse renewerResponse = 
@@ -419,6 +424,7 @@ public class SAMLTokenRenewerTest extend
         renewerParameters.setToken(validatorResponse.getToken());
         
         TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
+        samlTokenRenewer.setVerifyProofOfPossession(false);
         ((SAMLTokenRenewer)samlTokenRenewer).setMaxExpiry(1L);
         assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
         


