Author: marcelkolsteren
Date: 2009-08-29 13:10:40 -0400 (Sat, 29 Aug 2009)
New Revision: 753
Added:
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/resources/jbid_test_keystore.jks
Modified:
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/webapp/WEB-INF/components.xml
Log:
JBID-182: Seam authentication filter: signature validation still based on HTTP/Redirect
binding
Modified:
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java
===================================================================
---
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java 2009-08-29
07:09:51 UTC (rev 752)
+++
identity-federation/trunk/jboss-identity-seam/src/main/java/org/jboss/identity/seam/federation/SamlAuthenticationFilter.java 2009-08-29
17:10:40 UTC (rev 753)
@@ -27,10 +27,8 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
@@ -51,14 +49,14 @@
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignatureException;
import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
-import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
-import org.jboss.identity.federation.web.util.HTTPRedirectUtil;
-import org.jboss.identity.federation.web.util.PostBindingUtil;
-import org.jboss.identity.federation.web.util.RedirectBindingSignatureUtil;
-import org.jboss.identity.federation.web.util.RedirectBindingUtil;
+import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.api.util.XMLSignatureUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
@@ -72,6 +70,9 @@
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.jboss.identity.federation.saml.v2.protocol.StatusType;
+import org.jboss.identity.federation.web.util.HTTPRedirectUtil;
+import org.jboss.identity.federation.web.util.PostBindingUtil;
+import org.jboss.identity.federation.web.util.RedirectBindingUtil;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
@@ -86,6 +87,7 @@
import org.jboss.seam.servlet.ServletRequestSessionMap;
import org.jboss.seam.util.Base64;
import org.jboss.seam.web.AbstractFilter;
+import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
@@ -245,12 +247,6 @@
{
String samlResponse = request.getParameter("SAMLResponse");
- if (signatureRequired && !validateSignature(request))
- {
- log.error("Invalid signature");
- throw new RuntimeException("Validity Checks failed");
- }
-
// deal with SAML response from IDP
byte[] base64DecodedResponse = Base64.decode(samlResponse);
InputStream is = new ByteArrayInputStream(base64DecodedResponse);
@@ -271,6 +267,12 @@
throw new RuntimeException(e);
}
+ if (signatureRequired &&
!validateSignature(saml2Response.getSamlDocumentHolder()))
+ {
+ log.error("Invalid signature");
+ throw new RuntimeException("Validity Checks failed");
+ }
+
StatusType statusType = responseType.getStatus();
if (statusType == null)
{
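Review bot: The moved check validates whatever `ds:Signature` the parsed document carries, so it is worth confirming that `XMLSignatureUtil.validate` also verifies the Reference URI points at the Response (or the Assertion consumed further down) rather than accepting any signed element anywhere in the document; otherwise one genuinely signed message could be wrapped around an unsigned Response or Assertion of the attacker's choosing. I cannot see that utility from this diff, so treat this as a question to answer rather than a finding. A comment at the call site such as `// signature must cover the Response/Assertion we act on, not just any element in the document` would make the expectation explicit for the next reader. The enclosing method starts before this hunk.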
@@ -384,53 +386,41 @@
return user;
}
- private boolean validateSignature(HttpServletRequest request)
- {
- // Check if there is a signature
- String signature = request.getParameter("Signature");
- if (signature == null || signature.length() == 0)
- {
- log.error("Signature Value missing in response from IDP");
- return false;
- }
- String sigAlg = request.getParameter("sigAlg");
- if (sigAlg == null || sigAlg.length() == 0)
- {
- log.error("Signature Algorithm missing in the response from IDP");
- return false;
- }
-
+ private boolean validateSignature(SAMLDocumentHolder documentHolder)
+ {
try
{
- if("GET".equalsIgnoreCase(request.getMethod()))
- {
- String queryString = request.getQueryString();
- byte[] sigValue =
RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
-
- return RedirectBindingSignatureUtil.validateSignature(queryString,
this.publicKeyOfIDP, sigValue);
- }
- return true;
+ Document samlDocument = documentHolder.getSamlDocument();
+ return XMLSignatureUtil.validate(samlDocument, this.publicKeyOfIDP);
}
- catch (UnsupportedEncodingException e)
+ catch (MarshalException e)
{
throw new RuntimeException(e);
}
- catch (GeneralSecurityException e)
+ catch (XMLSignatureException e)
{
throw new RuntimeException(e);
}
- catch (IOException e)
- {
- throw new RuntimeException(e);
- }
}
private PublicKey getPublicKeyOfIDP()
{
+ final String classPathPrefix = "classpath:";
+
try
{
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
- keyStore.load(new URL(keyStoreURL).openStream(), keyStorePass != null ?
keyStorePass.toCharArray() : null);
+ InputStream keyStoreStream;
+ if (keyStoreURL.startsWith(classPathPrefix))
+ {
+ keyStoreStream = getClass().getClassLoader().getResourceAsStream(
+ keyStoreURL.substring(classPathPrefix.length()));
+ }
+ else
+ {
+ keyStoreStream = new URL(keyStoreURL).openStream();
+ }
+ keyStore.load(keyStoreStream, keyStorePass != null ? keyStorePass.toCharArray()
: null);
return keyStore.getCertificate(idpCertificateAlias).getPublicKey();
}
catch (KeyStoreException e)
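Review bot: In `getPublicKeyOfIDP` the new classpath branch can hand `keyStore.load` a null stream: `ClassLoader.getResourceAsStream` returns null when the resource is missing, and on the standard JDK class loaders also when the name starts with '/', which is exactly what `classpath:/jbid_test_keystore.jks` in components.xml yields (a JBoss loader may be more lenient; worth checking). `KeyStore.load(null, ...)` then silently creates an empty store, so the failure surfaces as a NullPointerException on `getCertificate(...).getPublicKey()` instead of a message naming the keystore or alias, and this is the trust anchor for every IdP signature the filter accepts, so it should fail loudly. The stream is also never closed on either branch. I would strip the leading slash, reject a null stream and a null certificate explicitly, and close the stream in a `finally` attached to the try whose catch clauses continue past this hunk.
```java
        final String classPathPrefix = "classpath:";

        InputStream keyStoreStream = null;
        try
        {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            if (keyStoreURL.startsWith(classPathPrefix))
            {
                String resource = keyStoreURL.substring(classPathPrefix.length());
                // ClassLoader resource names are already root-relative; a leading '/' yields null
                if (resource.startsWith("/"))
                {
                    resource = resource.substring(1);
                }
                keyStoreStream = getClass().getClassLoader().getResourceAsStream(resource);
            }
            else
            {
                keyStoreStream = new URL(keyStoreURL).openStream();
            }
            // fail fast: a null stream would make load() create an empty store and hide the misconfiguration
            if (keyStoreStream == null)
            {
                throw new IllegalStateException("IdP keystore not found: " + keyStoreURL);
            }
            keyStore.load(keyStoreStream, keyStorePass != null ? keyStorePass.toCharArray() : null);
            java.security.cert.Certificate idpCert = keyStore.getCertificate(idpCertificateAlias);
            if (idpCert == null)
            {
                throw new IllegalStateException("No certificate with alias '" + idpCertificateAlias + "' in " + keyStoreURL);
            }
            return idpCert.getPublicKey();
        }
        // … unchanged: catch clauses (continue past this hunk); add a finally that closes keyStoreStream …
```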
@@ -505,16 +495,16 @@
throw new RuntimeException(e);
}
}
-
+
private AuthnRequestType createSAMLRequest(String serviceURL, String identityURL)
throws ConfigurationException
{
- if(serviceURL == null)
+ if (serviceURL == null)
throw new IllegalArgumentException("serviceURL is null");
- if(identityURL == null)
+ if (identityURL == null)
throw new IllegalArgumentException("identityURL is null");
-
+
SAML2Request saml2Request = new SAML2Request();
String id = IDGenerator.create("ID_");
- return saml2Request.createAuthnRequestType(id, serviceURL, identityURL,
serviceURL);
+ return saml2Request.createAuthnRequestType(id, serviceURL, identityURL,
serviceURL);
}
}
Added:
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/resources/jbid_test_keystore.jks
===================================================================
(Binary files differ)
Property changes on:
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/resources/jbid_test_keystore.jks
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Modified:
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/webapp/WEB-INF/components.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/webapp/WEB-INF/components.xml 2009-08-29
07:09:51 UTC (rev 752)
+++
identity-federation/trunk/jboss-identity-webapps/seam-sp/src/main/webapp/WEB-INF/components.xml 2009-08-29
17:10:40 UTC (rev 753)
@@ -12,10 +12,10 @@
name="org.jboss.identity.seam.federation.samlAuthenticationFilter">
<property
name="identityProviderURL">http://localhost:8080/idp-sig-no-val</property>
<property
name="singleSignOnServiceURL">http://localhost:8080/idp-sig-no-val/</property>
- <property
name="keyStoreURL">file:/etc/keystores/samlkeystore</property>
- <property name="keyStorePass">jajaja</property>
- <property name="idpCertificateAlias">saml</property>
+ <property
name="keyStoreURL">classpath:/jbid_test_keystore.jks</property>
+ <property name="keyStorePass">store123</property>
+ <property name="idpCertificateAlias">servercert</property>
<property name="binding">HTTP_Post</property>
- <property name="signatureRequired">false</property>
+ <property name="signatureRequired">true</property>
</component>
</components>
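Review bot: The keystore password `store123` now sits in plaintext in components.xml and the keystore itself is added under src/main/resources, so both ship inside the seam-sp WAR rather than staying test-only, while `signatureRequired` switching to `true` makes that certificate the trust anchor for every IdP signature the filter accepts. If this is deliberately a sample, an XML comment above the keyStoreURL line saying so would help, e.g. `<!-- sample-only test keystore: point keyStoreURL at an operator-managed store and keep the password out of this file in real deployments -->`; otherwise move the keystore to src/test/resources and externalize the password. Note also that the `classpath:` value carries a leading slash, which the Java side passes straight to `ClassLoader.getResourceAsStream` and which standard loaders may not resolve.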
\ No newline at end of file