ws-dev mailing list archives

From "Colm O hEigeartaigh (Closed) (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-331) Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
Date Mon, 05 Mar 2012 13:21:58 GMT

     [ https://issues.apache.org/jira/browse/WSS-331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-331.
-----------------------------------

    
> Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
> -----------------------------------------------------------------------------------
>
>                 Key: WSS-331
>                 URL: https://issues.apache.org/jira/browse/WSS-331
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Glen Mazza
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.5
>
>
> Hi, the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 (Mar 2005) - docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, gives this schema for saml:Conditions:
> <element name="Conditions" type="saml:ConditionsType"/>
> <complexType name="ConditionsType">
> <choice minOccurs="0" maxOccurs="unbounded">
> <element ref="saml:Condition"/>
> <element ref="saml:AudienceRestriction"/>
> <element ref="saml:OneTimeUse"/>
> <element ref="saml:ProxyRestriction"/>
> </choice>
> <attribute name="NotBefore" type="dateTime" use="optional"/>
> <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
> </complexType>
> As shown above, NotBefore and NotOnOrAfter are both optional; however, absence of one should not negate checking of the other.
> In class org.apache.ws.security.validate.SamlAssertionValidator on TRUNK, I see this code in method validate():
>         DateTime validFrom = null;
>         DateTime validTill = null;
>         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
>             && assertion.getSaml2().getConditions() != null) {
>             validFrom = assertion.getSaml2().getConditions().getNotBefore();
>             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
>         } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
>             ...similar...
>         }
>         if (validFrom != null && validTill != null
>             && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
>             LOG.debug("SAML Token condition not met");
>             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
>         }
> The if block right above will skip checking if either validFrom or validTill is missing, but if just one of the two constraints is present it appears that single constraint should still be checked.  Also, the logic above requires both validFrom and validTill to be violated before the WSSecurityException is thrown, but it should be thrown even if just one of the two constraints fails.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
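The two checks side by side, as an added example that is not WSS4J's code: the quoted condition, and one that enforces each bound independently when it is present. It uses java.time.Instant in place of Joda-Time DateTime (null stands for an absent attribute), and the clock-skew allowance is an assumption, not something the report asks for.

```java
import java.time.Duration;
import java.time.Instant;

public final class SamlConditionsCheck {

    /** The check quoted in WSS-331: nothing is enforced unless BOTH bounds are present. */
    public static boolean acceptedByOriginalCheck(Instant notBefore, Instant notOnOrAfter, Instant now) {
        if (notBefore != null && notOnOrAfter != null
            && !(notBefore.isBefore(now) && notOnOrAfter.isAfter(now))) {
            return false; // the original throws WSSecurityException here
        }
        return true;
    }

    /**
     * Corrected check: each bound is tested on its own whenever it is present.
     * NotOnOrAfter is exclusive per the SAML core spec, so now == NotOnOrAfter is invalid.
     * skew is a tolerance for clock drift between issuer and validator (assumed, not in the report).
     */
    public static boolean acceptedByFixedCheck(Instant notBefore, Instant notOnOrAfter,
                                               Instant now, Duration skew) {
        if (notBefore != null && now.plus(skew).isBefore(notBefore)) {
            return false; // not yet valid
        }
        if (notOnOrAfter != null && !now.minus(skew).isBefore(notOnOrAfter)) {
            return false; // expired
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: the assertion carries only NotOnOrAfter, and it lies in the past.
        Instant now = Instant.parse("2012-03-05T13:00:00Z");
        Instant expired = Instant.parse("2012-03-05T12:00:00Z");
        System.out.println("original check accepts expired assertion: "
            + acceptedByOriginalCheck(null, expired, now));
        System.out.println("fixed check accepts expired assertion:    "
            + acceptedByFixedCheck(null, expired, now, Duration.ZERO));

        // Constructed sample: only NotBefore is present and it lies in the future.
        Instant future = Instant.parse("2012-03-05T14:00:00Z");
        System.out.println("original check accepts not-yet-valid assertion: "
            + acceptedByOriginalCheck(future, null, now));
        System.out.println("fixed check accepts not-yet-valid assertion:    "
            + acceptedByFixedCheck(future, null, now, Duration.ofMinutes(5)));
    }
}
```

The original check returns true for both constructed assertions because one attribute is absent; the corrected check rejects both.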
