Author: coheigea
Date: Fri Feb 15 17:31:57 2013
New Revision: 1446705
URL: http://svn.apache.org/r1446705
Log:
[WSS-373] - Consolidated SAML profile checking into SamlAssertionWrapper
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
(original)
+++
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/saml/SamlAssertionWrapper.java
Fri Feb 15 17:31:57 2013
@@ -36,6 +36,7 @@ import org.apache.xml.security.exception
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.joda.time.DateTime;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml1.core.AttributeStatement;
@@ -57,6 +58,7 @@ import org.opensaml.xml.signature.Signat
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
+import org.opensaml.xml.validation.ValidatorSuite;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -695,6 +697,77 @@ public class SamlAssertionWrapper {
}
/**
+ * Check the Conditions of the Assertion.
+ */
+ public void checkConditions(int futureTTL) throws WSSecurityException {
+ DateTime validFrom = null;
+ DateTime validTill = null;
+ if (getSamlVersion().equals(SAMLVersion.VERSION_20)
+ && getSaml2().getConditions() != null) {
+ validFrom = getSaml2().getConditions().getNotBefore();
+ validTill = getSaml2().getConditions().getNotOnOrAfter();
+ } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
+ && getSaml1().getConditions() != null) {
+ validFrom = getSaml1().getConditions().getNotBefore();
+ validTill = getSaml1().getConditions().getNotOnOrAfter();
+ }
+
+ if (validFrom != null) {
+ DateTime currentTime = new DateTime();
+ currentTime = currentTime.plusSeconds(futureTTL);
+ if (validFrom.isAfter(currentTime)) {
+ LOG.debug("SAML Token condition (Not Before) not met");
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+ }
+ }
+
+ if (validTill != null && validTill.isBeforeNow()) {
+ LOG.debug("SAML Token condition (Not On Or After) not met");
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+ }
+ }
+
+ /**
+ * Validate the samlAssertion against schemas/profiles
+ */
+ public void validateAssertion(boolean validateSignatureAgainstProfile)
throws WSSecurityException {
+ if (validateSignatureAgainstProfile) {
+ validateSignatureAgainstProfile();
+ }
+
+ if (getSaml1() != null) {
+ ValidatorSuite schemaValidators =
+
org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
+ ValidatorSuite specValidators =
+
org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
+ try {
+ schemaValidators.validate(getSaml1());
+ specValidators.validate(getSaml1());
+ } catch (ValidationException e) {
+ LOG.debug("Saml Validation error: " + e.getMessage(), e);
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity", e
+ );
+ }
+ } else if (getSaml2() != null) {
+ ValidatorSuite schemaValidators =
+
org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
+ ValidatorSuite specValidators =
+
org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
+ try {
+ schemaValidators.validate(getSaml2());
+ specValidators.validate(getSaml2());
+ } catch (ValidationException e) {
+ LOG.debug("Saml Validation error: " + e.getMessage(), e);
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity", e
+ );
+ }
+ }
+ }
+
+
+ /**
* Parse the DOM Element into Opensaml objects.
*/
private void parseElement(Element element) throws WSSecurityException {
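Review bot: The Javadoc on the two new public methods `checkConditions(int)` and `validateAssertion(boolean)` documents neither the parameters nor the failure contract, which matters now that they are the single enforcement point for both the DOM and StAX stacks. For `checkConditions`, state that `futureTTL` is a tolerance applied only to NotBefore (`validFrom.isAfter(currentTime)` after `plusSeconds(futureTTL)`), that NotOnOrAfter is compared with `isBeforeNow()` with no tolerance, and that an assertion carrying no Conditions element is accepted without any time check; e.g. `@param futureTTL seconds of clock skew tolerated on NotBefore (NotOnOrAfter gets none)` and `@throws WSSecurityException if either condition is not met`. For `validateAssertion`, add `@param validateSignatureAgainstProfile whether to also run the SAML signature profile check; when false that check is skipped entirely`. Both methods are complete within the hunk.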
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
(original)
+++
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/SamlAssertionValidator.java
Fri Feb 15 17:31:57 2013
@@ -22,14 +22,10 @@ package org.apache.ws.security.dom.valid
import java.util.List;
import org.apache.ws.security.common.ext.WSSecurityException;
-import org.apache.ws.security.common.saml.SamlAssertionWrapper;
import org.apache.ws.security.common.saml.OpenSAMLUtil;
import org.apache.ws.security.common.saml.SAMLKeyInfo;
+import org.apache.ws.security.common.saml.SamlAssertionWrapper;
import org.apache.ws.security.dom.handler.RequestData;
-import org.joda.time.DateTime;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
/**
* This class validates a SAML Assertion, which is wrapped in an
"SamlAssertionWrapper" instance.
@@ -131,70 +127,14 @@ public class SamlAssertionValidator exte
* Check the Conditions of the Assertion.
*/
protected void checkConditions(SamlAssertionWrapper samlAssertion) throws
WSSecurityException {
- DateTime validFrom = null;
- DateTime validTill = null;
- if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
- && samlAssertion.getSaml2().getConditions() != null) {
- validFrom =
samlAssertion.getSaml2().getConditions().getNotBefore();
- validTill =
samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
- } else if
(samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
- && samlAssertion.getSaml1().getConditions() != null) {
- validFrom =
samlAssertion.getSaml1().getConditions().getNotBefore();
- validTill =
samlAssertion.getSaml1().getConditions().getNotOnOrAfter();
- }
-
- if (validFrom != null) {
- DateTime currentTime = new DateTime();
- currentTime = currentTime.plusSeconds(futureTTL);
- if (validFrom.isAfter(currentTime)) {
- LOG.debug("SAML Token condition (Not Before) not met");
- throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
- }
- }
-
- if (validTill != null && validTill.isBeforeNow()) {
- LOG.debug("SAML Token condition (Not On Or After) not met");
- throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
- }
+ samlAssertion.checkConditions(futureTTL);
}
/**
* Validate the samlAssertion against schemas/profiles
*/
protected void validateAssertion(SamlAssertionWrapper samlAssertion)
throws WSSecurityException {
- if (validateSignatureAgainstProfile) {
- samlAssertion.validateSignatureAgainstProfile();
- }
-
- if (samlAssertion.getSaml1() != null) {
- ValidatorSuite schemaValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
- ValidatorSuite specValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
- try {
- schemaValidators.validate(samlAssertion.getSaml1());
- specValidators.validate(samlAssertion.getSaml1());
- } catch (ValidationException e) {
- LOG.debug("Saml Validation error: " + e.getMessage(), e);
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity", e
- );
- }
- } else if (samlAssertion.getSaml2() != null) {
- ValidatorSuite schemaValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
- ValidatorSuite specValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
- try {
- schemaValidators.validate(samlAssertion.getSaml2());
- specValidators.validate(samlAssertion.getSaml2());
- } catch (ValidationException e) {
- LOG.debug("Saml Validation error: " + e.getMessage(), e);
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity", e
- );
- }
- }
+ samlAssertion.validateAssertion(validateSignatureAgainstProfile);
}
/**
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/SAMLTokenInputHandler.java
Fri Feb 15 17:31:57 2013
@@ -51,7 +51,6 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
-import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
@@ -120,13 +119,6 @@ public class SAMLTokenInputHandler exten
throw new
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"empty", "no signature to validate");
}
- SAMLSignatureProfileValidator validator = new
SAMLSignatureProfileValidator();
- try {
- validator.validate(signature);
- } catch (ValidationException ex) {
- throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
- "empty", ex, "SAML signature validation failed");
- }
int sigKeyInfoIdx = getSignatureKeyInfoIndex(eventQueue);
if (sigKeyInfoIdx < 0) {
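Review bot: Removing the unconditional `SAMLSignatureProfileValidator` run from the input handler makes the profile check depend on `SamlTokenValidatorImpl.validateSignatureAgainstProfile`, a setting a deployer can switch off, whereas on the StAX path it previously could not be disabled. Whether the validator's `validateAssertion` now runs before the signature is verified against the key is not visible in this hunk and should be confirmed, since the profile check (the enveloped-transform requirement the removed test assertion referred to) is meant to run before the signature is trusted. A short comment at the removal site naming where the check moved would help the next reader, e.g. `// SAML signature profile validation now happens in SamlTokenValidatorImpl.validateAssertion(...)`. The enclosing method starts and ends outside the hunk.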
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/validate/SamlTokenValidatorImpl.java
Fri Feb 15 17:31:57 2013
@@ -23,22 +23,24 @@ import org.apache.ws.security.common.sam
import org.apache.ws.security.stax.impl.securityToken.SAMLSecurityToken;
import org.apache.xml.security.stax.ext.SecurityToken;
import
org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
-import org.joda.time.DateTime;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.xml.validation.ValidationException;
-import org.opensaml.xml.validation.ValidatorSuite;
/**
* @author $Author$
* @version $Revision$ $Date$
*/
public class SamlTokenValidatorImpl extends SignatureTokenValidatorImpl
implements SamlTokenValidator {
-
+
/**
* The time in seconds in the future within which the NotBefore time of an
incoming
* Assertion is valid. The default is 60 seconds.
*/
private int futureTTL = 60;
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists)
against the
+ * relevant profile. Default is true.
+ */
+ private boolean validateSignatureAgainstProfile = true;
/**
* Set the time in seconds in the future within which the NotBefore time
of an incoming
@@ -47,6 +49,22 @@ public class SamlTokenValidatorImpl exte
public void setFutureTTL(int newFutureTTL) {
futureTTL = newFutureTTL;
}
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists)
against the
+ * relevant profile. Default is true.
+ */
+ public boolean isValidateSignatureAgainstProfile() {
+ return validateSignatureAgainstProfile;
+ }
+
+ /**
+ * Whether to validate the signature of the Assertion (if it exists)
against the
+ * relevant profile. Default is true.
+ */
+ public void setValidateSignatureAgainstProfile(boolean
validateSignatureAgainstProfile) {
+ this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
+ }
@Override
public AbstractInboundSecurityToken validate(final SamlAssertionWrapper
samlAssertionWrapper,
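Review bot: The Javadoc on `setValidateSignatureAgainstProfile` describes the flag but not its consequence: setting it to false skips `SamlAssertionWrapper.validateSignatureAgainstProfile()` altogether (see `validateAssertion` further down in this file), a check the StAX handler previously applied unconditionally. Suggest appending to the setter Javadoc: `Disabling this skips the SAML signature profile checks; only do so if the signature profile is enforced elsewhere.` The identical three-line Javadoc is repeated on the field, the getter and the setter; the field and getter could instead carry `@see #setValidateSignatureAgainstProfile(boolean)`.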
@@ -69,71 +87,19 @@ public class SamlTokenValidatorImpl exte
return securityToken;
}
+
/**
* Check the Conditions of the Assertion.
*/
- //todo shoudn't we move this into the SamlAssertionWrapper? Then it could
be reused by StAX and DOM impl.
protected void checkConditions(SamlAssertionWrapper samlAssertion) throws
WSSecurityException {
- DateTime validFrom = null;
- DateTime validTill = null;
- if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
- && samlAssertion.getSaml2().getConditions() != null) {
- validFrom =
samlAssertion.getSaml2().getConditions().getNotBefore();
- validTill =
samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
- } else if
(samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
- && samlAssertion.getSaml1().getConditions() != null) {
- validFrom =
samlAssertion.getSaml1().getConditions().getNotBefore();
- validTill =
samlAssertion.getSaml1().getConditions().getNotOnOrAfter();
- }
-
- if (validFrom != null) {
- DateTime currentTime = new DateTime();
- currentTime = currentTime.plusSeconds(futureTTL);
- if (validFrom.isAfter(currentTime)) {
- throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
- "empty", "SAML Token condition (Not Before) not met");
- }
- }
-
- if (validTill != null && validTill.isBeforeNow()) {
- throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
- "empty", "SAML Token condition (Not On Or After) not met");
- }
+ samlAssertion.checkConditions(futureTTL);
}
-
+
/**
- * Validate the assertion against schemas/profiles
+ * Validate the samlAssertion against schemas/profiles
*/
- //todo shoudn't we move this into the SamlAssertionWrapper? Then it could
be reused by StAX and DOM impl.
protected void validateAssertion(SamlAssertionWrapper samlAssertion)
throws WSSecurityException {
- samlAssertion.validateSignatureAgainstProfile();
-
- if (samlAssertion.getSaml1() != null) {
- ValidatorSuite schemaValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
- ValidatorSuite specValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
- try {
- schemaValidators.validate(samlAssertion.getSaml1());
- specValidators.validate(samlAssertion.getSaml1());
- } catch (ValidationException e) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE, "empty", e,
"Saml Validation error: "
- );
- }
- } else if (samlAssertion.getSaml2() != null) {
- ValidatorSuite schemaValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
- ValidatorSuite specValidators =
-
org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
- try {
- schemaValidators.validate(samlAssertion.getSaml2());
- specValidators.validate(samlAssertion.getSaml2());
- } catch (ValidationException e) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity", e, "Saml Validation error: "
- );
- }
- }
+ samlAssertion.validateAssertion(validateSignatureAgainstProfile);
}
+
}
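Review bot: With `checkConditions` and `validateAssertion` now delegating, the specific failure reason ("Not Before" vs "Not On Or After" vs schema/profile failure) that the removed code carried in the thrown exception's message only reaches `LOG.debug` inside `SamlAssertionWrapper`, while callers see the generic `invalidSAMLsecurity` text (the updated SamlConditionsTest confirms this). A generic client-facing message is the right choice, but for triage the reason should still be recoverable from server logs at a level enabled in production; a comment on `validateAssertion` such as `// detailed failure reason is logged at debug level by SamlAssertionWrapper` would at least make the trade-off explicit. Both protected hooks remain as extension points; the Javadoc could say so, since they now contain nothing but the delegation.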
Modified:
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SAMLTokenNegativeTest.java
Fri Feb 15 17:31:57 2013
@@ -91,7 +91,6 @@ public class SAMLTokenNegativeTest exten
} catch (XMLStreamException e) {
Assert.assertNotNull(e.getCause());
Assert.assertNotNull(e.getCause().getCause());
- Assert.assertEquals(e.getCause().getCause().getMessage(),
"Signature did not validate against the credential's key");
}
}
}
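Review bot: After dropping the `assertEquals` on the nested cause message, this negative test and the one in the `@@ -143,7 +142,6 @@` hunk only assert that a cause chain exists, so they would still pass if the signature profile check were skipped and some unrelated failure surfaced instead. Since the message is now generic, pin the failure by type, e.g. `Assert.assertTrue(e.getCause().getCause() instanceof WSSecurityException);`, and by the exception's error code if it exposes one. The enclosing test methods start outside the hunk.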
@@ -143,7 +142,6 @@ public class SAMLTokenNegativeTest exten
} catch (XMLStreamException e) {
Assert.assertNotNull(e.getCause());
Assert.assertNotNull(e.getCause().getCause());
- Assert.assertEquals(e.getCause().getCause().getMessage(),
"Transforms did not contain the required enveloped transform");
}
}
}
Modified:
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java?rev=1446705&r1=1446704&r2=1446705&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/saml/SamlConditionsTest.java
Fri Feb 15 17:31:57 2013
@@ -203,7 +203,7 @@ public class SamlConditionsTest extends
Assert.fail("XMLStreamException expected");
} catch (XMLStreamException e) {
Assert.assertNotNull(e.getCause());
- Assert.assertEquals(e.getCause().getMessage(), "SAML Token
condition (Not On Or After) not met");
+ Assert.assertEquals(e.getCause().getMessage(), "SAML token
security failure");
}
}
}
@@ -249,7 +249,7 @@ public class SamlConditionsTest extends
Assert.fail("XMLStreamException expected");
} catch (XMLStreamException e) {
Assert.assertNotNull(e.getCause());
- Assert.assertEquals(e.getCause().getMessage(), "SAML Token
condition (Not Before) not met");
+ Assert.assertEquals(e.getCause().getMessage(), "SAML token
security failure");
}
}
}