cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1342249 - in /cxf/trunk/rt/rs/security/sso/saml: ./ src/main/java/org/apache/cxf/rs/security/saml/sso/ src/main/resources/
Date Thu, 24 May 2012 13:28:38 GMT
Author: coheigea
Date: Thu May 24 13:28:38 2012
New Revision: 1342249

URL: http://svn.apache.org/viewvc?rev=1342249&view=rev
Log:
Adding TokenReplayCache interface + implementation based on EhCache

Added:
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/resources/
    cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml
Modified:
    cxf/trunk/rt/rs/security/sso/saml/pom.xml
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
    cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java

Modified: cxf/trunk/rt/rs/security/sso/saml/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/pom.xml?rev=1342249&r1=1342248&r2=1342249&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/pom.xml (original)
+++ cxf/trunk/rt/rs/security/sso/saml/pom.xml Thu May 24 13:28:38 2012
@@ -69,6 +69,12 @@
             <groupId>${cxf.servlet-api.group}</groupId>
             <artifactId>${cxf.servlet-api.artifact}</artifactId>
         </dependency>
+        <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache-core</artifactId>
+            <version>${cxf.ehcache.version}</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>

Added: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java?rev=1342249&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java
(added)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/EHCacheTokenReplayCache.java
Thu May 24 13:28:38 2012
@@ -0,0 +1,138 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.saml.sso;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.net.URL;
+
+import net.sf.ehcache.Cache;
+import net.sf.ehcache.CacheManager;
+import net.sf.ehcache.Ehcache;
+import net.sf.ehcache.Element;
+
+import org.apache.ws.security.util.Loader;
+
+/**
+ * An in-memory EHCache implementation of the TokenReplayCache interface. 
+ * The default TTL is 60 minutes and the max TTL is 12 hours.
+ */
+public class EHCacheTokenReplayCache implements TokenReplayCache<String>, Closeable
{
+    
+    public static final long DEFAULT_TTL = 3600L;
+    public static final long MAX_TTL = DEFAULT_TTL * 12L;
+    private static final String CACHE_KEY = "cxf-samlp-replay-cache";
+    private Ehcache cache;
+    private CacheManager cacheManager;
+    private long ttl = DEFAULT_TTL;
+    
+    public EHCacheTokenReplayCache() {
+        String defaultConfigFile = "cxf-samlp-ehcache.xml";
+        URL configFileURL = Loader.getResource(defaultConfigFile);
+        createCache(configFileURL);
+    }
+    
+    public EHCacheTokenReplayCache(URL configFileURL) {
+        createCache(configFileURL);
+    }
+    
+    private void createCache(URL configFileURL) {
+        if (configFileURL == null) {
+            cacheManager = CacheManager.create();
+        } else {
+            cacheManager = CacheManager.create(configFileURL);
+        }
+        
+        Ehcache newCache = new Cache(CACHE_KEY, 50000, true, false, DEFAULT_TTL, DEFAULT_TTL);
+        cache = cacheManager.addCacheIfAbsent(newCache);
+    }
+    
+    /**
+     * Set a new (default) TTL value in seconds
+     * @param newTtl a new (default) TTL value in seconds
+     */
+    public void setTTL(long newTtl) {
+        ttl = newTtl;
+    }
+    
+    /**
+     * Get the (default) TTL value in seconds
+     * @return the (default) TTL value in seconds
+     */
+    public long getTTL() {
+        return ttl;
+    }
+    
+    /**
+     * Add the given identifier to the cache. It will be cached for a default amount of time.
+     * @param id The identifier to be added
+     */
+    public void putId(String id) {
+        putId(id, ttl);
+    }
+    
+    /**
+     * Add the given identifier to the cache.
+     * @param identifier The identifier to be added
+     * @param timeToLive The length of time to cache the Identifier in seconds
+     */
+    public void putId(String id, long timeToLive) {
+        if (id == null || "".equals(id)) {
+            return;
+        }
+        
+        int parsedTTL = (int)timeToLive;
+        if (timeToLive != (long)parsedTTL || parsedTTL < 0 || parsedTTL > MAX_TTL)
{
+            // Default to configured value
+            parsedTTL = (int)ttl;
+            if (ttl != (long)parsedTTL) {
+                // Fall back to 60 minutes if the default TTL is set incorrectly
+                parsedTTL = 3600;
+            }
+        }
+        
+        cache.put(new Element(id, id, false, parsedTTL, parsedTTL));
+    }
+    
+    /**
+     * Return the given identifier if it is contained in the cache, otherwise null.
+     * @param id The identifier to check
+     */
+    public String getId(String id) {
+        Element element = cache.get(id);
+        if (element != null) {
+            if (cache.isExpired(element)) {
+                cache.remove(id);
+                return null;
+            }
+            return (String)element.getObjectValue();
+        }
+        return null;
+    }
+
+    public void close() throws IOException {
+        if (cacheManager != null) {
+            cacheManager.shutdown();
+            cacheManager = null;
+            cache = null;
+        }
+    }
+    
+}

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java?rev=1342249&r1=1342248&r2=1342249&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerService.java
Thu May 24 13:28:38 2012
@@ -67,6 +67,7 @@ public class RequestAssertionConsumerSer
     private boolean supportDeflateEncoding = true;
     private boolean supportBase64Encoding = true;
     private boolean enforceAssertionsSigned = true;
+    private TokenReplayCache<String> replayCache;
 
     private MessageContext messageContext;
     
@@ -82,6 +83,17 @@ public class RequestAssertionConsumerSer
         return supportDeflateEncoding;
     }
     
+    public void setReplayCache(TokenReplayCache<String> replayCache) {
+        this.replayCache = replayCache;
+    }
+    
+    public TokenReplayCache<String> getReplayCache() {
+        if (replayCache == null) {
+            replayCache = new EHCacheTokenReplayCache();
+        }
+        return replayCache;
+    }
+    
     /**
      * Enforce that Assertions must be signed if the POST binding was used. The default is
true.
      */
@@ -267,6 +279,7 @@ public class RequestAssertionConsumerSer
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
             ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
             ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
+            ssoResponseValidator.setReplayCache(getReplayCache());
 
             return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);
         } catch (WSSecurityException ex) {

Modified: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?rev=1342249&r1=1342248&r2=1342249&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
(original)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
Thu May 24 13:28:38 2012
@@ -32,10 +32,6 @@ import org.opensaml.saml2.core.AuthnStat
 /**
  * Validate a SAML 2.0 Protocol Response according to the Web SSO profile. The Response
  * should be validated by the SAMLProtocolResponseValidator first.
- * 
-TODO The service provider MUST ensure that bearer assertions are not replayed, by maintaining
the set of used
-ID values for the length of time for which the assertion would be considered valid based
on the
-NotOnOrAfter attribute in the <SubjectConfirmationData>.
  */
 public class SAMLSSOResponseValidator {
     
@@ -47,6 +43,7 @@ public class SAMLSSOResponseValidator {
     private String requestId;
     private String spIdentifier;
     private boolean enforceAssertionsSigned = true;
+    private TokenReplayCache<String> replayCache;
     
     /**
      * Enforce that Assertions must be signed if the POST binding was used. The default is
true.
@@ -105,7 +102,7 @@ public class SAMLSSOResponseValidator {
             if (assertion.getAuthnStatements() != null
                 && !assertion.getAuthnStatements().isEmpty()) {
                 org.opensaml.saml2.core.Subject subject = assertion.getSubject();
-                if (validateAuthenticationSubject(subject)) {
+                if (validateAuthenticationSubject(subject, assertion.getID(), postBinding))
{
                     validateAudienceRestrictionCondition(assertion.getConditions());
                     foundValidSubject = true;
                     // Store Session NotOnOrAfter
@@ -162,7 +159,7 @@ public class SAMLSSOResponseValidator {
      * Validate the Subject (of an Authentication Statement).
      */
     private boolean validateAuthenticationSubject(
-        org.opensaml.saml2.core.Subject subject
+        org.opensaml.saml2.core.Subject subject, String id, boolean postBinding
     ) throws WSSecurityException {
         if (subject.getSubjectConfirmations() == null) {
             return false;
@@ -171,7 +168,7 @@ public class SAMLSSOResponseValidator {
         for (org.opensaml.saml2.core.SubjectConfirmation subjectConf 
             : subject.getSubjectConfirmations()) {
             if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
-                validateSubjectConfirmation(subjectConf.getSubjectConfirmationData());
+                validateSubjectConfirmation(subjectConf.getSubjectConfirmationData(), id,
postBinding);
             }
         }
         
@@ -182,7 +179,7 @@ public class SAMLSSOResponseValidator {
      * Validate a (Bearer) Subject Confirmation
      */
     private void validateSubjectConfirmation(
-        org.opensaml.saml2.core.SubjectConfirmationData subjectConfData
+        org.opensaml.saml2.core.SubjectConfirmationData subjectConfData, String id, boolean
postBinding
     ) throws WSSecurityException {
         if (subjectConfData == null) {
             LOG.fine("Subject Confirmation Data of a Bearer Subject Confirmation is null");
@@ -204,6 +201,19 @@ public class SAMLSSOResponseValidator {
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         }
         
+        // Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
+        if (postBinding && replayCache != null) {
+            if (replayCache.getId(id) == null) {
+                Date expires = subjectConfData.getNotOnOrAfter().toDate();
+                Date currentTime = new Date();
+                long ttl = expires.getTime() - currentTime.getTime();
+                replayCache.putId(id, ttl / 1000L);
+            } else {
+                LOG.fine("Replay attack with token id: " + id);
+                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+            }
+        }
+        
         // Check address
         if (subjectConfData.getAddress() != null
             && !subjectConfData.getAddress().equals(clientAddress)) {
@@ -301,5 +311,8 @@ public class SAMLSSOResponseValidator {
         this.spIdentifier = spIdentifier;
     }
     
-
+    public void setReplayCache(TokenReplayCache<String> replayCache) {
+        this.replayCache = replayCache;
+    }
+    
 }

Added: cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java?rev=1342249&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java
(added)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/TokenReplayCache.java
Thu May 24 13:28:38 2012
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.saml.sso;
+
+public interface TokenReplayCache<T> {
+
+    T getId(T id);
+
+    void putId(T id);
+
+    void putId(T id, long timeToLive);
+}
\ No newline at end of file

Added: cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml?rev=1342249&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml (added)
+++ cxf/trunk/rt/rs/security/sso/saml/src/main/resources/cxf-samlp-ehcache.xml Thu May 24
13:28:38 2012
@@ -0,0 +1,16 @@
+<ehcache xsi:noNamespaceSchemaLocation="ehcache.xsd" updateCheck="false" monitoring="autodetect"
dynamicConfig="true">
+
+    <diskStore path="java.io.tmpdir"/>
+
+    <defaultCache
+            maxElementsInMemory="50000"
+            eternal="false"
+            timeToIdleSeconds="3600"
+            timeToLiveSeconds="3600"
+            overflowToDisk="true"
+            maxElementsOnDisk="10000000"
+            diskPersistent="false"
+            diskExpiryThreadIntervalSeconds="120"
+            memoryStoreEvictionPolicy="LRU"
+            />
+</ehcache>



Mime
View raw message