cxf-commits mailing list archives

From cohei...@apache.org
Subject [2/3] cxf git commit: Adding some stuff to the SAMLTokenValidator in the STS
Date Mon, 19 Jan 2015 11:44:22 GMT
Adding some stuff to the SAMLTokenValidator in the STS

Conflicts:
	services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4327a2ef
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4327a2ef
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4327a2ef

Branch: refs/heads/2.7.x-fixes
Commit: 4327a2ef1d6de59b4e3d5853cd31f10a3b0aa54b
Parents: 1ef8fc6
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 19 11:07:15 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 19 11:32:55 2015 +0000

----------------------------------------------------------------------
 .../sts/token/validator/SAMLTokenValidator.java | 46 +++++++++++++++++++-
 1 file changed, 44 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/4327a2ef/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index 196eba7..a2874bb 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -55,8 +55,13 @@ import org.apache.ws.security.validate.SignatureTrustValidator;
 import org.apache.ws.security.validate.Validator;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
+<<<<<<< HEAD
 import org.opensaml.xml.validation.ValidationException;
 import org.opensaml.xml.validation.ValidatorSuite;
+=======
+import org.opensaml.xml.signature.KeyInfo;
+import org.opensaml.xml.signature.Signature;
+>>>>>>> c1f9d04... Adding some stuff to the SAMLTokenValidator in the
STS
 
 /**
  * Validate a SAML Assertion. It is valid if it was issued and signed by this STS.
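Review bot: Unresolved merge-conflict markers are committed as added lines in this import block (`<<<<<<< HEAD`, `=======`, `>>>>>>> c1f9d04...`), so the file cannot compile as it stands. The same markers surround `validateAssertion` in the hunks at `@@ -255,6 +266,7` and `@@ -281,6 +293,10`. Resolve the conflict before this lands on 2.7.x-fixes: keep the `ValidationException`/`ValidatorSuite` imports if the existing schema-validation body stays, and add the `KeyInfo`/`Signature` imports only if something on this branch uses them, which is not visible in this diff.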
@@ -74,6 +79,12 @@ public class SAMLTokenValidator implements TokenValidator {
     private SAMLRoleParser samlRoleParser = new DefaultSAMLRoleParser();
     
     /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    private boolean validateSignatureAgainstProfile = true;
+    
+    /**
      * Set a list of Strings corresponding to regular expression constraints on the subject
DN
      * of a certificate that was used to sign a received Assertion
      */
@@ -255,6 +266,7 @@ public class SAMLTokenValidator implements TokenValidator {
     /**
      * Validate the assertion against schemas/profiles
      */
+<<<<<<< HEAD
     protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException
{
         if (assertion.getSaml1() != null) {
             ValidatorSuite schemaValidators = 
@@ -281,6 +293,10 @@ public class SAMLTokenValidator implements TokenValidator {
                 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
             }
         }
+=======
+    protected void validateAssertion(SamlAssertionWrapper assertion) throws WSSecurityException
{
+        assertion.validateAssertion(validateSignatureAgainstProfile);
+>>>>>>> c1f9d04... Adding some stuff to the SAMLTokenValidator in the
STS
     }
     
     protected boolean validateConditions(
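Review bot: The two sides of this conflict are not interchangeable, and only the incoming side reads `validateSignatureAgainstProfile`. The incoming `validateAssertion(SamlAssertionWrapper assertion)` uses a type that presumably does not exist on this branch, whose visible imports are still `org.apache.ws.security.*`. If the resolution keeps the HEAD body, the new flag and its setter become a no-op, and the signature is never checked against the profile even though the Javadoc says the default is true. Either port the signature-profile check to the `AssertionWrapper` path so that it runs when the flag is true, or leave the field and its accessors out of this backport. The HEAD body continues outside these hunks, so the exact place for the check cannot be shown from here.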
@@ -288,21 +304,31 @@ public class SAMLTokenValidator implements TokenValidator {
     ) {
         DateTime validFrom = null;
         DateTime validTill = null;
+        DateTime issueInstant = null;
         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
             validFrom = assertion.getSaml2().getConditions().getNotBefore();
             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml2().getIssueInstant();
         } else {
             validFrom = assertion.getSaml1().getConditions().getNotBefore();
             validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml1().getIssueInstant();
         }
-        if (validFrom.isAfterNow()) {
+        
+        if (validFrom != null && validFrom.isAfterNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
             return false;
-        } else if (validTill.isBeforeNow()) {
+        } else if (validTill != null && validTill.isBeforeNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
             validateTarget.setState(STATE.EXPIRED);
             return false;
         }
+        
+        if (issueInstant != null && issueInstant.isAfterNow()) {
+            LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
+            return false;
+        }
+        
         return true;
     }
     
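Review bot: The new null checks on `validFrom` and `validTill` do not cover a missing Conditions element: `assertion.getSaml2().getConditions().getNotBefore()` and its SAML 1.1 counterpart still dereference `getConditions()` unguarded, so an assertion without Conditions would presumably fail with a NullPointerException instead of being rejected cleanly. Guard each branch, for example with `if (assertion.getSaml2().getConditions() != null) {` around the two getter calls. With these checks an assertion that carries no `NotOnOrAfter` is also accepted with no expiry at all; if that is intended it deserves a comment, otherwise return false when `validTill` is null. The `IssueInstant` comparison has no clock-skew allowance, so tokens from an issuer whose clock runs slightly ahead may be rejected. The method signature starts outside the hunk.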
@@ -346,4 +372,20 @@ public class SAMLTokenValidator implements TokenValidator {
     public void setSamlRoleParser(SAMLRoleParser samlRoleParser) {
         this.samlRoleParser = samlRoleParser;
     }
+    
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public boolean isValidateSignatureAgainstProfile() {
+        return validateSignatureAgainstProfile;
+    }
+
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
+        this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+    }
 }
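Review bot: The setter's Javadoc repeats the field comment word for word and does not say what turning the check off means for a caller. I would document it along the lines of `Set to false to skip validating the Assertion's signature against the relevant profile; leave at the default (true) unless required for interoperability.` The getter can then be reduced to a one-line `@return` description.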

