cxf-commits mailing list archives

From cohei...@apache.org
Subject cxf git commit: Adding some stuff to the SAMLTokenValidator in the STS
Date Mon, 19 Jan 2015 11:21:27 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes c3d66a435 -> c1f9d044c


Adding some stuff to the SAMLTokenValidator in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c1f9d044
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c1f9d044
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c1f9d044

Branch: refs/heads/3.0.x-fixes
Commit: c1f9d044c7864226292cf398031f764cc3b42c3b
Parents: c3d66a4
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 19 11:07:15 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 19 11:21:23 2015 +0000

----------------------------------------------------------------------
 .../sts/token/validator/SAMLTokenValidator.java | 64 +++++++++++---------
 1 file changed, 35 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/c1f9d044/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index bd31688..0859749 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -60,8 +60,6 @@ import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.xml.signature.KeyInfo;
 import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
 
 /**
  * Validate a SAML Assertion. It is valid if it was issued and signed by this STS.
@@ -79,6 +77,12 @@ public class SAMLTokenValidator implements TokenValidator {
     private SAMLRoleParser samlRoleParser = new DefaultSAMLRoleParser();
     
     /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    private boolean validateSignatureAgainstProfile = true;
+    
+    /**
      * Set a list of Strings corresponding to regular expression constraints on the subject
DN
      * of a certificate that was used to sign a received Assertion
      */
@@ -270,31 +274,7 @@ public class SAMLTokenValidator implements TokenValidator {
      * Validate the assertion against schemas/profiles
      */
     protected void validateAssertion(SamlAssertionWrapper assertion) throws WSSecurityException
{
-        if (assertion.getSaml1() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
-            try {
-                schemaValidators.validate(assertion.getSaml1());
-                specValidators.validate(assertion.getSaml1());
-            } catch (ValidationException e) {
-                LOG.fine("Saml Validation error: " + e.getMessage());
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        } else if (assertion.getSaml2() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
-            try {
-                schemaValidators.validate(assertion.getSaml2());
-                specValidators.validate(assertion.getSaml2());
-            } catch (ValidationException e) {
-                LOG.fine("Saml Validation error: " + e.getMessage());
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        }
+        assertion.validateAssertion(validateSignatureAgainstProfile);
     }
     
     protected boolean validateConditions(
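Review bot: The Javadoc just above the hunk still reads "Validate the assertion against schemas/profiles", but the body now performs only `assertion.validateAssertion(validateSignatureAgainstProfile)`; whether the saml1/saml2 schema and spec ValidatorSuite checks that the removed lines ran are still applied now depends on SamlAssertionWrapper, which is not visible here. I would reword the comment to `Validate the assertion against schemas/profiles by delegating to SamlAssertionWrapper; validateSignatureAgainstProfile controls only whether an existing signature is checked against the profile rules.` and confirm against the wrapper that a schema-invalid assertion is still rejected before validateConditions is reached. The old branch also logged the underlying validation message at FINE before mapping it to "invalidSAMLsecurity"; with the delegation that diagnostic is gone, so a rejected token is harder to trace in the STS logs unless the wrapper logs it itself. The signature of validateConditions at the end of this hunk belongs to the method changed in the next hunk.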
@@ -302,21 +282,31 @@ public class SAMLTokenValidator implements TokenValidator {
     ) {
         DateTime validFrom = null;
         DateTime validTill = null;
+        DateTime issueInstant = null;
         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
             validFrom = assertion.getSaml2().getConditions().getNotBefore();
             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml2().getIssueInstant();
         } else {
             validFrom = assertion.getSaml1().getConditions().getNotBefore();
             validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml1().getIssueInstant();
         }
-        if (validFrom.isAfterNow()) {
+        
+        if (validFrom != null && validFrom.isAfterNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
             return false;
-        } else if (validTill.isBeforeNow()) {
+        } else if (validTill != null && validTill.isBeforeNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
             validateTarget.setState(STATE.EXPIRED);
             return false;
         }
+        
+        if (issueInstant != null && issueInstant.isAfterNow()) {
+            LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
+            return false;
+        }
+        
         return true;
     }
     
@@ -351,4 +341,20 @@ public class SAMLTokenValidator implements TokenValidator {
     public void setSamlRoleParser(SAMLRoleParser samlRoleParser) {
         this.samlRoleParser = samlRoleParser;
     }
+    
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public boolean isValidateSignatureAgainstProfile() {
+        return validateSignatureAgainstProfile;
+    }
+
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
+        this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+    }
 }

