cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1551228 - in /cxf/trunk/services/sts/sts-core/src: main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Date Mon, 16 Dec 2013 15:18:58 GMT
Author: coheigea
Date: Mon Dec 16 15:18:58 2013
New Revision: 1551228

URL: http://svn.apache.org/r1551228
Log:
Validation fix in the STS

Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1551228&r1=1551227&r2=1551228&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
Mon Dec 16 15:18:58 2013
@@ -153,6 +153,29 @@ public class SAMLTokenValidator implemen
             SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
             response.setPrincipal(samlPrincipal);
             
+            if (!assertion.isSigned()) {
+                LOG.log(Level.WARNING, "The received assertion is not signed, and therefore
not trusted");
+                return response;
+            }
+
+            RequestData requestData = new RequestData();
+            requestData.setSigVerCrypto(sigCrypto);
+            WSSConfig wssConfig = WSSConfig.getNewInstance();
+            requestData.setWssConfig(wssConfig);
+            requestData.setCallbackHandler(callbackHandler);
+            requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+
+            WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
+
+            // Verify the signature
+            Signature sig = assertion.getSignature();
+            KeyInfo keyInfo = sig.getKeyInfo();
+            SAMLKeyInfo samlKeyInfo = 
+                SAMLUtil.getCredentialFromKeyInfo(
+                    keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo),
sigCrypto
+                );
+            assertion.verifySignature(samlKeyInfo);
+                
             SecurityToken secToken = null;
             byte[] signatureValue = assertion.getSignatureValue();
             if (tokenParameters.getTokenStore() != null && signatureValue != null
@@ -169,29 +192,6 @@ public class SAMLTokenValidator implemen
             }
             
             if (secToken == null) {
-                if (!assertion.isSigned()) {
-                    LOG.log(Level.WARNING, "The received assertion is not signed, and therefore
not trusted");
-                    return response;
-                }
-                
-                RequestData requestData = new RequestData();
-                requestData.setSigVerCrypto(sigCrypto);
-                WSSConfig wssConfig = WSSConfig.getNewInstance();
-                requestData.setWssConfig(wssConfig);
-                requestData.setCallbackHandler(callbackHandler);
-                requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
-
-                WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
-                
-                // Verify the signature
-                Signature sig = assertion.getSignature();
-                KeyInfo keyInfo = sig.getKeyInfo();
-                SAMLKeyInfo samlKeyInfo = 
-                    SAMLUtil.getCredentialFromKeyInfo(
-                        keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo),
sigCrypto
-                    );
-                assertion.verifySignature(samlKeyInfo);
-                
                 // Validate the assertion against schemas/profiles
                 validateAssertion(assertion);
 
@@ -211,7 +211,6 @@ public class SAMLTokenValidator implemen
                 if (!certConstraints.matches(cert)) {
                     return response;
                 }
-                
             }
             
             // Parse roles from the validated token

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1551228&r1=1551227&r2=1551228&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Mon Dec 16 15:18:58 2013
@@ -34,6 +34,7 @@ import javax.security.auth.callback.Unsu
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+
 import org.apache.cxf.jaxws.context.WebServiceContextImpl;
 import org.apache.cxf.jaxws.context.WrappedMessageContext;
 import org.apache.cxf.message.MessageImpl;
@@ -425,6 +426,53 @@ public class SAMLTokenValidatorTest exte
         assertTrue(roles.iterator().next().getName().equals("employee"));
     }
     
+    /**
+     * Test an invalid SAML 2 Assertion
+     */
+    @org.junit.Test
+    public void testInvalidSAML2Assertion() throws Exception {
+        TokenValidator samlTokenValidator = new SAMLTokenValidator();
+        TokenValidatorParameters validatorParameters = createValidatorParameters();
+        TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+        
+        // Create a ValidateTarget consisting of a SAML Assertion
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new PasswordCallbackHandler();
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
+        Document doc = samlToken.getOwnerDocument();
+        samlToken = (Element)doc.appendChild(samlToken);
+        
+        ReceivedToken validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        TokenValidatorResponse validatorResponse = 
+            samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+        
+        // Replace "alice" with "bob".
+        Element nameID = 
+            (Element)samlToken.getElementsByTagNameNS(WSConstants.SAML2_NS, "NameID").item(0);
+        nameID.setTextContent("bob");
+        
+        // Now validate again
+        validateTarget = new ReceivedToken(samlToken);
+        tokenRequirements.setValidateTarget(validateTarget);
+        validatorParameters.setToken(validateTarget);
+        
+        assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+        
+        validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+        assertTrue(validatorResponse != null);
+        assertTrue(validatorResponse.getToken() != null);
+        assertTrue(validatorResponse.getToken().getState() != STATE.VALID);
+    }
+    
     private TokenValidatorParameters createValidatorParameters() throws WSSecurityException
{
         TokenValidatorParameters parameters = new TokenValidatorParameters();
         
@@ -627,5 +675,5 @@ public class SAMLTokenValidatorTest exte
         }
     }
     
-    
+
 }



Mime
View raw message