Adding some stuff to the SAMLTokenValidator in the STS Conflicts: services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4327a2ef Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4327a2ef Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4327a2ef Branch: refs/heads/2.7.x-fixes Commit: 4327a2ef1d6de59b4e3d5853cd31f10a3b0aa54b Parents: 1ef8fc6 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Mon Jan 19 11:07:15 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Mon Jan 19 11:32:55 2015 +0000 ---------------------------------------------------------------------- .../sts/token/validator/SAMLTokenValidator.java | 46 +++++++++++++++++++- 1 file changed, 44 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/4327a2ef/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java ----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
index 196eba7..a2874bb 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
@@ -55,8 +55,13 @@ import org.apache.ws.security.validate.SignatureTrustValidator;
 import org.apache.ws.security.validate.Validator;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
+<<<<<<< HEAD
 import org.opensaml.xml.validation.ValidationException;
 import org.opensaml.xml.validation.ValidatorSuite;
+=======
+import org.opensaml.xml.signature.KeyInfo;
+import org.opensaml.xml.signature.Signature;
+>>>>>>> c1f9d04... Adding some stuff to the SAMLTokenValidator in the STS

 /**
 * Validate a SAML Assertion. It is valid if it was issued and signed by this STS.
@@ -74,6 +79,12 @@ public class SAMLTokenValidator implements TokenValidator {
 private SAMLRoleParser samlRoleParser = new DefaultSAMLRoleParser();

 /**
+ * Whether to validate the signature of the Assertion (if it exists) against the
+ * relevant profile. Default is true.
+ */
+ private boolean validateSignatureAgainstProfile = true;
+
+ /**
 * Set a list of Strings corresponding to regular expression constraints on the subject DN
 * of a certificate that was used to sign a received Assertion
 */
@@ -255,6 +266,7 @@ public class SAMLTokenValidator implements TokenValidator {
 /**
 * Validate the assertion against schemas/profiles
 */
+<<<<<<< HEAD
 protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException {
 if (assertion.getSaml1() != null) {
 ValidatorSuite schemaValidators =
@@ -281,6 +293,10 @@ public class SAMLTokenValidator implements TokenValidator {
 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
 }
 }
+=======
+ protected void validateAssertion(SamlAssertionWrapper assertion) throws WSSecurityException {
+ assertion.validateAssertion(validateSignatureAgainstProfile);
+>>>>>>> c1f9d04... Adding some stuff to the SAMLTokenValidator in the STS
 }

 protected boolean validateConditions( 
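Review bot: The added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> c1f9d04...` in the import block are unresolved merge-conflict markers committed as Java source, so SAMLTokenValidator.java cannot compile on 2.7.x-fixes until the merge is finished. The subject line's "Conflicts:" note records that a conflict occurred, but this hunk shows the markers were committed rather than resolved. The same three markers appear again around the two validateAssertion hunks further down in this diff. The resolution should keep one side and delete the marker lines; the new `KeyInfo` and `Signature` imports are not referenced by any line visible in this diff, so whether they belong in the resolved file cannot be told from here.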
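Review bot: The new-side `validateAssertion(SamlAssertionWrapper assertion)` introduced after `+=======` sits next to the HEAD overload `validateAssertion(AssertionWrapper assertion)` that the previous hunk keeps, and it takes a type (`SamlAssertionWrapper`) that no other visible line of this file uses, while the file still imports the older `AssertionWrapper`, `ValidatorSuite` and `ValidationException`. The new-side method also has no closing brace of its own before `+>>>>>>>`; it borrows the context `}` that belongs to the HEAD version, which is a further sign the merge was not completed. If this branch should keep the HEAD implementation, the resolution is to drop the lines from `+=======` through `+>>>>>>> c1f9d04...` here and the `+<<<<<<< HEAD` line in the hunk above. If the intent is instead to make the profile/signature check conditional on `validateSignatureAgainstProfile`, that flag has to be consulted inside the HEAD body, which begins in the previous hunk and is only partly visible in this diff.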
@@ -288,21 +304,31 @@ public class SAMLTokenValidator implements TokenValidator {
 ) {
 DateTime validFrom = null;
 DateTime validTill = null;
+ DateTime issueInstant = null;
 if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
 validFrom = assertion.getSaml2().getConditions().getNotBefore();
 validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ issueInstant = assertion.getSaml2().getIssueInstant();
 } else {
 validFrom = assertion.getSaml1().getConditions().getNotBefore();
 validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ issueInstant = assertion.getSaml1().getIssueInstant();
 }
- if (validFrom.isAfterNow()) {
+
+ if (validFrom != null && validFrom.isAfterNow()) {
 LOG.log(Level.WARNING, "SAML Token condition not met");
 return false;
- } else if (validTill.isBeforeNow()) {
+ } else if (validTill != null && validTill.isBeforeNow()) {
 LOG.log(Level.WARNING, "SAML Token condition not met");
 validateTarget.setState(STATE.EXPIRED);
 return false;
 }
+
+ if (issueInstant != null && issueInstant.isAfterNow()) {
+ LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
+ return false;
+ }
+
 return true;
 }

@@ -346,4 +372,20 @@ public class SAMLTokenValidator implements TokenValidator {
 public void setSamlRoleParser(SAMLRoleParser samlRoleParser) {
 this.samlRoleParser = samlRoleParser;
 }
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists) against the
+ * relevant profile. Default is true.
+ */
+ public boolean isValidateSignatureAgainstProfile() {
+ return validateSignatureAgainstProfile;
+ }
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists) against the
+ * relevant profile. Default is true.
+ */
+ public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile) {
+ this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+ }
 }
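Review bot: The added `validTill != null` guard in validateConditions means an assertion whose Conditions omit NotOnOrAfter is now accepted with no upper bound on its age, and the new `issueInstant.isAfterNow()` check only rejects instants in the future, so such a token can be replayed indefinitely where it previously failed closed (by a NullPointerException on `validTill.isBeforeNow()`). Consider bounding the age from IssueInstant when no expiry is present, e.g. a configurable `ttl` in seconds with `if (validTill == null && issueInstant != null && issueInstant.plusSeconds(ttl).isBeforeNow()) { validateTarget.setState(STATE.EXPIRED); return false; }`, and tolerating a small clock skew on the future-IssueInstant test rather than rejecting on any positive difference. `assertion.getSaml2().getConditions()` and the SAML 1 equivalent are still dereferenced without a null check, so an assertion with no Conditions element presumably still throws rather than returning false; that is inherited, not introduced here. The parameter list of validateConditions starts in the preceding hunk, outside this one.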