From cohei...@apache.org
Subject cxf-fediz git commit: Simplifying the SamlAssertionValidator + pick up latest fixes from WSS4J
Date Mon, 19 Jan 2015 11:47:55 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.1.x-fixes ce877b5e1 -> 5aae6f8d5


Simplifying the SamlAssertionValidator + pick up latest fixes from WSS4J

Conflicts:
	plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
	pom.xml


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/5aae6f8d
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/5aae6f8d
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/5aae6f8d

Branch: refs/heads/1.1.x-fixes
Commit: 5aae6f8d503c2f70f4e36567037ab5df6ed900ca
Parents: ce877b5
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 19 11:13:44 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 19 11:47:49 2015 +0000

----------------------------------------------------------------------
 .../fediz/core/saml/SamlAssertionValidator.java | 145 +------------------
 pom.xml                                         |   2 +-
 2 files changed, 7 insertions(+), 140 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5aae6f8d/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
index 9098494..d8cecf6 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
@@ -38,36 +38,22 @@ import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
 import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.Validator;
-import org.joda.time.DateTime;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * This class validates a SAML Assertion, which is wrapped in an "AssertionWrapper" instance.
- * It assumes that the AssertionWrapper instance has already verified the signature on the
- * assertion (done by the SAMLTokenProcessor). It verifies trust in the signature, and also
- * checks that the Subject contains a KeyInfo (and processes it) for the holder-of-key case,
- * and verifies that the Assertion is signed as well for holder-of-key. 
+ * This class validates a SAML Assertion by wrapping the default WSS4J SamlAssertionValidator.
+ * It extends it by verifying trust in the Signature using a TRUST_TYPE, as well as subject
DN
+ * constraints.
  */
-public class SamlAssertionValidator implements Validator {
+public class SamlAssertionValidator extends org.apache.ws.security.validate.SamlAssertionValidator
{
     
     private static final Logger LOG = LoggerFactory.getLogger(SamlAssertionValidator.class);
     
     public enum TRUST_TYPE { CHAIN_TRUST, CHAIN_TRUST_CONSTRAINTS, PEER_TRUST }
     
     /**
-     * The time in seconds in the future within which the NotBefore time of an incoming 
-     * Assertion is valid. The default is 60 seconds.
-     */
-    private int futureTTL = 60;
-
-    /**
      * Defines the kind of trust which is required thus assertion signature validation is
successful.
      */
     private TRUST_TYPE signatureTrustType = TRUST_TYPE.CHAIN_TRUST;
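Review bot: The new class Javadoc should state that the Conditions (NotBefore/NotOnOrAfter), holder-of-key and schema/profile checks this class used to perform itself are now supplied only by the inherited WSS4J `validate()`, since the hunk deletes the `futureTTL` field and the rest of the commit deletes those methods without any replacement in this file; a reader of this class alone can no longer see where those checks happen. Suggested addition to the Javadoc: ` * Conditions, holder-of-key and schema validation are inherited from the WSS4J superclass; this class only overrides verifySignedAssertion.` Because the security-critical entry point now lives in the superclass, its behaviour is tied to whatever wss4j.version the pom resolves (1.6.18-SNAPSHOT in this commit), so a regression test that an expired or not-yet-valid assertion is rejected through this Fediz validator would guard against a WSS4J upgrade silently changing that. Callers that configured the removed `setFutureTTL` presumably now hit the superclass setter of the same name; worth confirming that it exists in the targeted WSS4J version so existing configuration keeps applying.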
@@ -77,22 +63,13 @@ public class SamlAssertionValidator implements Validator {
      */
     private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
     
-    
-    /**
-     * Set the time in seconds in the future within which the NotBefore time of an incoming

-     * Assertion is valid. The default is 60 seconds.
-     */
-    public void setFutureTTL(int newFutureTTL) {
-        futureTTL = newFutureTTL;
-    }
-    
     /**
      * Set the kind of trust. The default is CHAIN_TRUST.
      */
     public void setSignatureTrustType(TRUST_TYPE trustType) {
         this.signatureTrustType = trustType;
     }
-
+    
     /**
      * Set a list of Strings corresponding to regular expression constraints on
      * the subject DN of a certificate
@@ -112,51 +89,6 @@ public class SamlAssertionValidator implements Validator {
     }
     
     /**
-     * Validate the credential argument. It must contain a non-null AssertionWrapper. 
-     * A Crypto and a CallbackHandler implementation is also required to be set.
-     * 
-     * @param credential the Credential to be validated
-     * @param data the RequestData associated with the request
-     * @throws WSSecurityException on a failed validation
-     */
-    public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
-        if (credential == null || credential.getAssertion() == null) {
-            throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
-        }
-        AssertionWrapper assertion = credential.getAssertion();
-        
-        // Check HOK requirements
-        String confirmMethod = null;
-        List<String> methods = assertion.getConfirmationMethods();
-        if (methods != null && methods.size() > 0) {
-            confirmMethod = methods.get(0);
-        }
-        if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
-            if (assertion.getSubjectKeyInfo() == null) {
-                LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject
conf method");
-                throw new WSSecurityException(WSSecurityException.FAILURE, "noKeyInSAMLToken");
-            }
-            // The assertion must have been signed for HOK
-            if (!assertion.isSigned()) {
-                LOG.debug("A holder-of-key assertion must be signed");
-                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
-            }
-        }
-        
-        // Check conditions
-        checkConditions(assertion);
-        
-        // Validate the assertion against schemas/profiles
-        validateAssertion(assertion);
-
-        // Verify trust on the signature
-        if (assertion.isSigned()) {
-            verifySignedAssertion(assertion, data);
-        }
-        return credential;
-    }
-    
-    /**
      * Verify trust in the signature of a signed Assertion. This method is separate so that
      * the user can override if if they want.
      * @param assertion The signed Assertion
@@ -164,6 +96,7 @@ public class SamlAssertionValidator implements Validator {
      * @return A Credential instance
      * @throws WSSecurityException
      */
+    @Override
     protected Credential verifySignedAssertion(
         AssertionWrapper assertion,
         RequestData data
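Review bot: With `@Override` added, the compiler now guarantees this method really replaces the WSS4J hook, which is the right call for the only remaining place where TRUST_TYPE and subject DN constraints are enforced. However, the removed local `validate()` only invoked this hook when `assertion.isSigned()` was true, and if the inherited WSS4J `validate()` keeps the same gate, an unsigned assertion never reaches the trust and DN checks at all; please confirm the Fediz caller independently rejects unsigned assertions rather than relying on this class. The Javadoc context line above reads `override if if they want`; change it to `override it if they want`. The method body continues outside this hunk.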
@@ -446,72 +379,6 @@ public class SamlAssertionValidator implements Validator {
     }
     
     /**
-     * Check the Conditions of the Assertion.
-     */
-    protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException
{
-        DateTime validFrom = null;
-        DateTime validTill = null;
-        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
-            && assertion.getSaml2().getConditions() != null) {
-            validFrom = assertion.getSaml2().getConditions().getNotBefore();
-            validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
-        } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
-            && assertion.getSaml1().getConditions() != null) {
-            validFrom = assertion.getSaml1().getConditions().getNotBefore();
-            validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
-        }
-        
-        if (validFrom != null) {
-            DateTime currentTime = new DateTime();
-            currentTime = currentTime.plusSeconds(futureTTL);
-            if (validFrom.isAfter(currentTime)) {
-                LOG.debug("SAML Token condition (Not Before) not met");
-                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
-            }
-        }
-
-        if (validTill != null && validTill.isBeforeNow()) {
-            LOG.debug("SAML Token condition (Not On Or After) not met");
-            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
-        }
-    }
-    
-    /**
-     * Validate the assertion against schemas/profiles
-     */
-    protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException
{
-        if (assertion.getSaml1() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
-            try {
-                schemaValidators.validate(assertion.getSaml1());
-                specValidators.validate(assertion.getSaml1());
-            } catch (ValidationException e) {
-                LOG.debug("Saml Validation error: " + e.getMessage(), e);
-                throw new WSSecurityException(
-                    WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
-                );
-            }
-        } else if (assertion.getSaml2() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
-            try {
-                schemaValidators.validate(assertion.getSaml2());
-                specValidators.validate(assertion.getSaml2());
-            } catch (ValidationException e) {
-                LOG.debug("Saml Validation error: " + e.getMessage(), e);
-                throw new WSSecurityException(
-                    WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
-                );
-            }
-        }
-    }
-    
-    /**
      * @return true if the certificate's SubjectDN matches the constraints
      *         defined in the subject DNConstraints; false, otherwise. The
      *         certificate subject DN only has to match ONE of the subject cert

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5aae6f8d/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 9acbfb2..db943c5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -53,7 +53,7 @@
         <spring.version>3.1.4.RELEASE</spring.version>
         <spring.security.version>3.1.4.RELEASE</spring.security.version>
         <tomcat.version>7.0.54</tomcat.version>
-        <wss4j.version>1.6.17</wss4j.version>
+        <wss4j.version>1.6.18-SNAPSHOT</wss4j.version>
 
         <tomcat.url>http://localhost:8080/manager/text</tomcat.url>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

