From cohei...@apache.org
Subject cxf git commit: Enforce all Assertions must be signed in some way by default
Date Mon, 18 Jan 2016 14:44:30 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 6e7b79f6a -> 6c7cbe317


Enforce all Assertions must be signed in some way by default


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6c7cbe31
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6c7cbe31
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6c7cbe31

Branch: refs/heads/master
Commit: 6c7cbe317d468efd81e538319152de9fba57e1e3
Parents: 6e7b79f
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 18 14:43:41 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 18 14:43:41 2016 +0000

----------------------------------------------------------------------
 .../saml/sso/SAMLSSOResponseValidator.java      |  8 ++--
 .../saml/sso/CombinedValidatorTest.java         |  1 +
 .../saml/sso/SAMLSSOResponseValidatorTest.java  | 49 ++++++++++++++++++++
 3 files changed, 54 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6c7cbe31/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 3ee7005..e072817 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -50,7 +50,8 @@ public class SAMLSSOResponseValidator {
     private TokenReplayCache<String> replayCache;
     
     /**
-     * Enforce that Assertions must be signed if the POST binding was used. The default is
true.
+     * Enforce that Assertions contained in the Response must be signed (if the Response
itself is not
+     * signed). The default is true.
      */
     public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
         this.enforceAssertionsSigned = enforceAssertionsSigned;
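Review bot: The new Javadoc says Assertions must be signed "if the Response itself is not signed", but the condition added in the next hunk gates on the `enforceResponseSigned` configuration flag, not on whether a signature is actually present on the Response, so the doc promises a per-message behaviour the code does not implement. Suggest wording it in terms of the flag: `Enforce that Assertions contained in the Response must be signed. This check is skipped when enforceResponseSigned is true, on the assumption that the Response signature is then validated instead. The default is true.` Naming the interaction with the other setter here also helps a deployer understand that turning enforceResponseSigned on silently relaxes this check.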
@@ -108,9 +109,8 @@ public class SAMLSSOResponseValidator {
             }
             validateIssuer(assertion.getIssuer());
             
-            if (enforceAssertionsSigned && postBinding && assertion.getSignature()
== null) {
-                LOG.fine("If the HTTP Post binding is used to deliver the Response, "
-                         + "the enclosed assertions must be signed");
+            if (!enforceResponseSigned && enforceAssertionsSigned && assertion.getSignature()
== null) {
+                LOG.fine("The enclosed assertions in the SAML Response must be signed");
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
             }
             
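Review bot: The rewritten condition drops `postBinding` from the assertion-signature check, so the new test's `validateSamlResponse(response, false)` is enforced exactly like a POST delivery; if that parameter still drives other checks outside this hunk that is fine, but its Javadoc should say it no longer affects assertion-signature enforcement. The check also now depends on `enforceResponseSigned == true` implying that a Response signature was required and verified before this loop; that verification is not visible here, and if the flag can be true without the signature having been checked, a Response with unsigned Assertions would pass this branch, so a one-line comment such as `// skipped when enforceResponseSigned, because the Response signature is verified above` would make the assumption explicit. The enclosing method starts and ends outside the hunk.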

http://git-wip-us.apache.org/repos/asf/cxf/blob/6c7cbe31/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index bba459e..cb684ed 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -168,6 +168,7 @@ public class CombinedValidatorTest extends org.junit.Assert {
         
         // Test SSO validation
         SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+        ssoValidator.setEnforceAssertionsSigned(false);
         ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
         ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
         ssoValidator.setClientAddress("http://apache.org");

http://git-wip-us.apache.org/repos/asf/cxf/blob/6c7cbe31/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
index 9d886c3..ed4e5e2 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidatorTest.java
@@ -77,6 +77,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -97,6 +98,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -122,6 +124,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -147,6 +150,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -172,6 +176,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -198,6 +203,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -298,6 +304,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -324,6 +331,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -343,6 +351,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -372,6 +381,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -403,6 +413,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -437,6 +448,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -472,6 +484,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -515,6 +528,7 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         
         // Validate the Response
         SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
+        validator.setEnforceAssertionsSigned(false);
         validator.setIssuerIDP("http://cxf.apache.org/issuer");
         validator.setAssertionConsumerURL("http://recipient.apache.org");
         validator.setClientAddress("http://apache.org");
@@ -529,6 +543,41 @@ public class SAMLSSOResponseValidatorTest extends org.junit.Assert {
         }
     }
     
+    @org.junit.Test
+    public void testEnforceAssertionsSigned() throws Exception {
+        
+        SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+        subjectConfirmationData.setAddress("http://apache.org");
+        subjectConfirmationData.setInResponseTo("12345");
+        subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+        subjectConfirmationData.setRecipient("http://recipient.apache.org");
+        
+        Response response = createResponse(subjectConfirmationData);
+        
+        Crypto issuerCrypto = new Merlin();
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+        InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+        keyStore.load(input, "password".toCharArray());
+        ((Merlin)issuerCrypto).setKeyStore(keyStore);
+        
+        // Test SSO validation
+        SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+        ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+        ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+        ssoValidator.setClientAddress("http://apache.org");
+        ssoValidator.setRequestId("12345");
+        ssoValidator.setSpIdentifier("http://service.apache.org");
+        
+        // Parse the response
+        try {
+            ssoValidator.validateSamlResponse(response, false);
+            fail("Failure expected on an unsigned Assertion");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+    }
+    
     private Response createResponse(
         SubjectConfirmationDataBean subjectConfirmationData
     ) throws Exception {
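Review bot: In `testEnforceAssertionsSigned` the `issuerCrypto`/`keyStore` setup (the `Merlin` block) is never handed to the validator, so it is dead code in this test, and the `InputStream input` it opens is never closed. Either drop that block, since the test only needs an unsigned Assertion to be rejected, or keep it and wrap the keystore load in try-with-resources, e.g. `try (InputStream input = Merlin.loadInputStream(loader, "alice.jks")) { keyStore.load(input, "password".toCharArray()); }`. The `catch (WSSecurityException ex)` could also assert on `ex.getErrorCode()` being `FAILURE` so the test distinguishes the intended rejection from another validation failure.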

