From cohei...@apache.org
Subject cxf git commit: Adding some stuff to the SAMLTokenValidator in the STS
Date Mon, 19 Jan 2015 11:08:18 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 4fa469166 -> f429d8afd


Adding some stuff to the SAMLTokenValidator in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f429d8af
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f429d8af
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f429d8af

Branch: refs/heads/master
Commit: f429d8afd15285a9697186d17e13d6c43bbc7c33
Parents: 4fa4691
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 19 11:07:15 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 19 11:07:15 2015 +0000

----------------------------------------------------------------------
 .../sts/token/validator/SAMLTokenValidator.java | 64 +++++++++++---------
 1 file changed, 35 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f429d8af/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index bd31688..0859749 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -60,8 +60,6 @@ import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.xml.signature.KeyInfo;
 import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
 
 /**
  * Validate a SAML Assertion. It is valid if it was issued and signed by this STS.
@@ -79,6 +77,12 @@ public class SAMLTokenValidator implements TokenValidator {
     private SAMLRoleParser samlRoleParser = new DefaultSAMLRoleParser();
     
     /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    private boolean validateSignatureAgainstProfile = true;
+    
+    /**
      * Set a list of Strings corresponding to regular expression constraints on the subject
DN
      * of a certificate that was used to sign a received Assertion
      */
@@ -270,31 +274,7 @@ public class SAMLTokenValidator implements TokenValidator {
      * Validate the assertion against schemas/profiles
      */
     protected void validateAssertion(SamlAssertionWrapper assertion) throws WSSecurityException
{
-        if (assertion.getSaml1() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
-            try {
-                schemaValidators.validate(assertion.getSaml1());
-                specValidators.validate(assertion.getSaml1());
-            } catch (ValidationException e) {
-                LOG.fine("Saml Validation error: " + e.getMessage());
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        } else if (assertion.getSaml2() != null) {
-            ValidatorSuite schemaValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
-            ValidatorSuite specValidators = 
-                org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
-            try {
-                schemaValidators.validate(assertion.getSaml2());
-                specValidators.validate(assertion.getSaml2());
-            } catch (ValidationException e) {
-                LOG.fine("Saml Validation error: " + e.getMessage());
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        }
+        assertion.validateAssertion(validateSignatureAgainstProfile);
     }
     
     protected boolean validateConditions(
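Review bot: The Javadoc line just above validateAssertion still says only "Validate the assertion against schemas/profiles", but the replacement body makes the signature-profile part conditional on the new flag, so the comment should state that; suggest `Validate the assertion against schemas/profiles. The Assertion signature is additionally checked against the SAML signature profile only when validateSignatureAgainstProfile is true.` The removed branches logged the underlying validation error at FINE before mapping it to the generic "invalidSAMLsecurity" failure; unless SamlAssertionWrapper.validateAssertion logs that detail itself (not visible here), operators lose the one diagnostic that explains why a token was rejected, so consider a catch/log/rethrow around the delegate call. The method's opening `/**` line lies outside the hunk.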
@@ -302,21 +282,31 @@ public class SAMLTokenValidator implements TokenValidator {
     ) {
         DateTime validFrom = null;
         DateTime validTill = null;
+        DateTime issueInstant = null;
         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
             validFrom = assertion.getSaml2().getConditions().getNotBefore();
             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml2().getIssueInstant();
         } else {
             validFrom = assertion.getSaml1().getConditions().getNotBefore();
             validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+            issueInstant = assertion.getSaml1().getIssueInstant();
         }
-        if (validFrom.isAfterNow()) {
+        
+        if (validFrom != null && validFrom.isAfterNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
             return false;
-        } else if (validTill.isBeforeNow()) {
+        } else if (validTill != null && validTill.isBeforeNow()) {
             LOG.log(Level.WARNING, "SAML Token condition not met");
             validateTarget.setState(STATE.EXPIRED);
             return false;
         }
+        
+        if (issueInstant != null && issueInstant.isAfterNow()) {
+            LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
+            return false;
+        }
+        
         return true;
     }
     
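Review bot: The new null guards on validFrom and validTill do not cover the case they seem aimed at, because `assertion.getSaml2().getConditions().getNotBefore()` and the SAML 1 equivalent on the else branch still dereference getConditions() unconditionally, so an assertion with no Conditions element throws a NullPointerException from validateConditions rather than being evaluated; capture getConditions() into a local on each branch and read NotBefore/NotOnOrAfter only when it is non-null. With those guards in place an assertion that carries no NotOnOrAfter is accepted with no lifetime bound at all, which is presumably intended for SAML conformance but is worth a comment so a deployer knows the STS is not enforcing expiry for such tokens. The added issueInstant.isAfterNow() check, like the existing validFrom check, tolerates no clock skew between issuer and STS, so a token issued a second ahead of local time is rejected with the same "condition not met" style warning. The method's signature begins above the hunk.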
@@ -351,4 +341,20 @@ public class SAMLTokenValidator implements TokenValidator {
     public void setSamlRoleParser(SAMLRoleParser samlRoleParser) {
         this.samlRoleParser = samlRoleParser;
     }
+    
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public boolean isValidateSignatureAgainstProfile() {
+        return validateSignatureAgainstProfile;
+    }
+
+    /**
+     * Whether to validate the signature of the Assertion (if it exists) against the 
+     * relevant profile. Default is true.
+     */
+    public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
+        this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+    }
 }
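Review bot: The setter's Javadoc repeats the field comment verbatim and does not say what a caller gives up by passing false, which is the one thing a reader of a public setter on a token validator needs; suggest appending `Setting this to false skips the profile check on the Assertion's signature and weakens validation of received tokens; leave it enabled unless the incoming signatures are known to be non-conformant.` The getter can keep the short form.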

