cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1478065 - in /cxf/fediz/trunk/plugins: core/src/main/java/org/apache/cxf/fediz/core/ core/src/main/java/org/apache/cxf/fediz/core/saml/ core/src/test/java/org/apache/cxf/fediz/core/ tomcat/src/main/java/org/apache/cxf/fediz/tomcat/
Date Wed, 01 May 2013 16:01:34 GMT
Author: coheigea
Date: Wed May  1 16:01:33 2013
New Revision: 1478065

URL: http://svn.apache.org/r1478065
Log:
[FEDIZ-4] - Added support to the plugin core to verify SAML HolderOfKey ConfirmationMethods

Added:
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
Modified:
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
    cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java
    cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
Wed May  1 16:01:33 2013
@@ -194,7 +194,9 @@ public class FederationProcessorImpl imp
             }
             if (canHandle) {
                 try {
-                    validatorResponse = validator.validateAndProcessToken(rst, config);
+                    TokenValidatorRequest validatorRequest = 
+                        new TokenValidatorRequest(rst, request.getCerts());
+                    validatorResponse = validator.validateAndProcessToken(validatorRequest,
config);
                 } catch (ProcessingException ex) {
                     throw ex;
                 } catch (Exception ex) {

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
Wed May  1 16:01:33 2013
@@ -19,11 +19,14 @@
 
 package org.apache.cxf.fediz.core;
 
+import java.security.cert.Certificate;
+
 public class FederationRequest {
 
     private String wa;
     private String wresult;
     private String wct;
+    private Certificate[] certs;
 
 
     public String getWct() {
@@ -45,6 +48,12 @@ public class FederationRequest {
     public void setWresult(String wresult) {
         this.wresult = wresult;
     }
+    public Certificate[] getCerts() {
+        return certs;
+    }
+    public void setCerts(Certificate[] certs) {
+        this.certs = certs;
+    }
 
 
 }

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
Wed May  1 16:01:33 2013
@@ -43,5 +43,8 @@ public interface TokenValidator {
      * Validate a Token using the given Element and Configuration.
      * @throws ProcessingException 
      */
-    TokenValidatorResponse validateAndProcessToken(Element token, FederationContext config)
throws ProcessingException;
+    TokenValidatorResponse validateAndProcessToken(
+        TokenValidatorRequest request, 
+        FederationContext config
+    ) throws ProcessingException;
 }

Added: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java?rev=1478065&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java
(added)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorRequest.java
Wed May  1 16:01:33 2013
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.security.cert.Certificate;
+
+import org.w3c.dom.Element;
+
+public class TokenValidatorRequest {
+
+    private final Element token;
+    private final Certificate[] certs;
+
+    public TokenValidatorRequest(Element token, Certificate[] certs) {
+        this.token = token;
+        this.certs = certs;
+    }
+
+    public Element getToken() {
+        return token;
+    }
+
+    public Certificate[] getCerts() {
+        return certs;
+    }
+
+
+
+}

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
Wed May  1 16:01:33 2013
@@ -34,6 +34,7 @@ import org.apache.cxf.fediz.core.Claim;
 import org.apache.cxf.fediz.core.ClaimCollection;
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.TokenValidator;
+import org.apache.cxf.fediz.core.TokenValidatorRequest;
 import org.apache.cxf.fediz.core.TokenValidatorResponse;
 import org.apache.cxf.fediz.core.config.CertificateValidationMethod;
 import org.apache.cxf.fediz.core.config.FederationContext;
@@ -83,9 +84,10 @@ public class SAMLTokenValidator implemen
         return false;
     }
     
-    public TokenValidatorResponse validateAndProcessToken(Element token,
+    public TokenValidatorResponse validateAndProcessToken(TokenValidatorRequest request,
             FederationContext config) throws ProcessingException {
 
+        Element token = request.getToken();
         try {          
             RequestData requestData = new RequestData();
             WSSConfig wssConfig = WSSConfig.getNewInstance();
@@ -165,6 +167,12 @@ public class SAMLTokenValidator implemen
                     throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
                 }
             }
+            
+            // Now check for HolderOfKey requirements
+            if (!SAMLUtil.checkHolderOfKey(assertion, request.getCerts())) {
+                LOG.warn("Assertion fails holder-of-key requirements");
+                throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
+            }
 
             String audience = null;
             List<Claim> claims = null;

Added: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java?rev=1478065&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
(added)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
Wed May  1 16:01:33 2013
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+
+/**
+ * Some SAML Utility methods
+ */
+public final class SAMLUtil  {
+    
+    private SAMLUtil() {
+        // complete
+    }
+
+    /**
+     * Check the holder-of-key requirements against the received assertion. The subject
+     * credential of the SAML Assertion must match a client certificate credential when 
+     * 2-way TLS is used.
+     * @param assertionWrapper the SAML Assertion wrapper object
+     * @tlsCerts The client certificates
+     * @param signedResults a list of all of the signed results
+     */
+    public static boolean checkHolderOfKey(
+        AssertionWrapper assertionWrapper,
+        Certificate[] tlsCerts
+    ) {
+        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
+        for (String confirmationMethod : confirmationMethods) {
+            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
+                if (tlsCerts == null || tlsCerts.length == 0) {
+                    return false;
+                }
+                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (!compareCredentials(subjectKeyInfo, tlsCerts)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Compare the credentials of the assertion to the credentials used in 2-way TLS.
+     * Return true on a match
+     * @param subjectKeyInfo the SAMLKeyInfo object
+     * @param signedResults a list of all of the signed results
+     * @return true if the credentials of the assertion were used to verify a signature
+     */
+    private static boolean compareCredentials(
+        SAMLKeyInfo subjectKeyInfo,
+        Certificate[] tlsCerts
+    ) {
+        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
+        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
+
+        //
+        // Try to match the TLS certs
+        //
+        if (subjectCerts != null && subjectCerts.length > 0 
+            && tlsCerts[0].equals(subjectCerts[0])) {
+            return true;
+        } else if (subjectPublicKey != null
+            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
+            return true;
+        }
+
+        return false;
+    }
+
+}

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
Wed May  1 16:01:33 2013
@@ -173,9 +173,6 @@ public class SamlAssertionValidator impl
         credential.setPublicKey(samlKeyInfo.getPublicKey());
         credential.setCertificates(samlKeyInfo.getCerts());
         
-        if (credential == null) {
-            throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
-        }
         X509Certificate[] certs = credential.getCertificates();
         PublicKey publicKey = credential.getPublicKey();
         Crypto crypto = getCrypto(data);
@@ -251,27 +248,6 @@ public class SamlAssertionValidator impl
      *
      * @param cert the certificate that should be validated against the keystore
      * @param crypto A crypto instance to use for trust validation
-     * @return true if the certificate is trusted, false if not
-     * @throws WSSecurityException
-     */
-    @Deprecated
-    protected boolean verifyTrustInCert(X509Certificate cert, Crypto crypto) 
-        throws WSSecurityException {
-        return verifyTrustInCert(cert, crypto, false);
-    }
-    
-    /**
-     * Evaluate whether a given certificate should be trusted.
-     * 
-     * Policy used in this implementation:
-     * 1. Search the keystore for the transmitted certificate
-     * 2. Search the keystore for a connection to the transmitted certificate
-     * (that is, search for certificate(s) of the issuer of the transmitted certificate
-     * 3. Verify the trust path for those certificates found because the search for the issuer

-     * might be fooled by a phony DN (String!)
-     *
-     * @param cert the certificate that should be validated against the keystore
-     * @param crypto A crypto instance to use for trust validation
      * @param enableRevocation Whether revocation is enabled or not
      * @return true if the certificate is trusted, false if not
      * @throws WSSecurityException
@@ -411,22 +387,6 @@ public class SamlAssertionValidator impl
      * Evaluate whether the given certificate chain should be trusted.
      * 
      * @param certificates the certificate chain that should be validated against the keystore
-     * @param crypto  A Crypto instance to use for trust validation
-     * @return true if the certificate chain is trusted, false if not
-     * @throws WSSecurityException
-     */
-    @Deprecated
-    protected boolean verifyTrustInCerts(
-        X509Certificate[] certificates, 
-        Crypto crypto
-    ) throws WSSecurityException {
-        return verifyTrustInCerts(certificates, crypto, false);
-    }
-    
-    /**
-     * Evaluate whether the given certificate chain should be trusted.
-     * 
-     * @param certificates the certificate chain that should be validated against the keystore
      * @param crypto A Crypto instance
      * @param enableRevocation Whether revocation is enabled or not
      * @return true if the certificate chain is trusted, false if not

Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java
Wed May  1 16:01:33 2013
@@ -36,7 +36,10 @@ public class CustomValidator implements 
     }
 
     @Override
-    public TokenValidatorResponse validateAndProcessToken(Element token, FederationContext
config) {
+    public TokenValidatorResponse validateAndProcessToken(
+        TokenValidatorRequest request, 
+        FederationContext config
+    ) {
         return new TokenValidatorResponse(null,
                                           FederationProcessorTest.TEST_USER,
                                           FederationProcessorTest.TEST_RSTR_ISSUER,

Modified: cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?rev=1478065&r1=1478064&r2=1478065&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
(original)
+++ cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
Wed May  1 16:01:33 2013
@@ -23,6 +23,7 @@ import java.io.File;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -327,6 +328,10 @@ public class FederationAuthenticator ext
                 FederationRequest wfReq = new FederationRequest();
                 wfReq.setWa(wa);
                 wfReq.setWresult(wresult);
+                
+                X509Certificate certs[] = 
+                    (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
+                wfReq.setCerts(certs);
 
                 String contextName = request.getServletContext().getContextPath();
                 if (contextName == null || contextName.isEmpty()) {



Mime
View raw message