Author: klape
Date: 2013-09-13 02:53:02 -0400 (Fri, 13 Sep 2013)
New Revision: 17917
Modified:
thirdparty/cxf/branches/cxf-2.6.6.jbossorg-1-bz-1004624/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
Log:
[BZ1004624] Fixing signed SAML assertion validation error w/ SupportingTokens only policy,
also adding some additional checks
Modified:
thirdparty/cxf/branches/cxf-2.6.6.jbossorg-1-bz-1004624/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
===================================================================
---
thirdparty/cxf/branches/cxf-2.6.6.jbossorg-1-bz-1004624/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java 2013-09-13
06:44:16 UTC (rev 17916)
+++
thirdparty/cxf/branches/cxf-2.6.6.jbossorg-1-bz-1004624/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java 2013-09-13
06:53:02 UTC (rev 17917)
@@ -23,6 +23,7 @@
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
+import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
@@ -45,6 +46,7 @@
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
@@ -113,6 +115,33 @@
}
assertTokens(message, SP12Constants.SAML_TOKEN, signed);
+ // Check version against policy
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ for (AssertionInfo ai :
aim.getAssertionInfo(SP12Constants.SAML_TOKEN)) {
+ SamlToken samlToken = (SamlToken)ai.getAssertion();
+ for (WSSecurityEngineResult result : samlResults) {
+ AssertionWrapper assertionWrapper =
+
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+
+ if (!checkVersion(samlToken, assertionWrapper)) {
+ ai.setNotAsserted("Wrong SAML Version");
+ }
+
+ TLSSessionInfo tlsInfo =
message.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+ if (!SAMLUtils.checkHolderOfKey(assertionWrapper, null,
tlsCerts)) {
+ ai.setNotAsserted("Assertion fails holder-of-key
requirements");
+ continue;
+ }
+ if (!SAMLUtils.checkSenderVouches(assertionWrapper,
tlsCerts, null, null)) {
+ ai.setNotAsserted("Assertion fails
sender-vouches requirements");
+ continue;
+ }
+ }
+ }
Principal principal =
(Principal)samlResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
message.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);
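Review bot: Both confirmation checks, `SAMLUtils.checkHolderOfKey(assertionWrapper, null, tlsCerts)` and `SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, null, null)`, pass `null` for the signed-results (and body) arguments, so a holder-of-key or sender-vouches subject confirmation can presumably only be satisfied by the TLS peer certificate and never by a message-level signature; that is the right bar for a SupportingTokens-only policy, but nothing says so and a later reader could "fix" the nulls. I would add above the holder-of-key check: `// No signature policy applies here, so a holder-of-key or sender-vouches assertion can only be confirmed by the TLS client certificate (tlsCerts); message-level signatures are deliberately not consulted.` The version-mismatch branch also sets not-asserted without `continue`, unlike the two confirmation checks, so a later `setNotAsserted` presumably overwrites "Wrong SAML Version" with a less specific reason; add `continue;` after `ai.setNotAsserted("Wrong SAML Version");`. Since the checks treat the mere presence of `tlsInfo.getPeerCertificates()` as proof of key possession, confirm that `TLSSessionInfo` only carries a client certificate the transport actually authenticated. The enclosing method starts before this hunk.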
@@ -168,6 +197,8 @@
};
data.setWssConfig(WSSConfig.getNewInstance());
+ data.setSigCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO,
+ SecurityConstants.SIGNATURE_PROPERTIES, message));
SAMLTokenProcessor p = new SAMLTokenProcessor();
List<WSSecurityEngineResult> results =
p.handleToken(tokenElement, data, wsDocInfo);
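Review bot: `data.setSigCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES, message))` is the Crypto the SAMLTokenProcessor will use to verify a signed assertion's signature and trust, but nothing here handles `getCrypto` returning null when no signature properties are configured. If the processor then skips trust validation instead of failing, an unconfigured endpoint would accept any self-signed assertion; confirm that WSS4J rejects a signed assertion with a null sigCrypto, or fail fast here with a comment such as `// A signed assertion cannot be trusted without a signature Crypto; reject rather than verify with none.` The enclosing method starts before this hunk, so where `getCrypto` falls back when the property is absent is not visible here.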
@@ -339,4 +370,19 @@
return crypto;
}
+ /**
+ * Check the policy version against the received assertion
+ */
+ private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper)
{
+ if ((samlToken.isUseSamlVersion11Profile10()
+ || samlToken.isUseSamlVersion11Profile11())
+ && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
+ return false;
+ } else if (samlToken.isUseSamlVersion20Profile11()
+ && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
+ return false;
+ }
+ return true;
+ }
+
}
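Review bot: The Javadoc on `checkVersion` should state its permissive default: when the policy's SamlToken sets none of the three version-profile flags the method returns true and an assertion of either SAML version is accepted, which is the case most likely to surprise someone auditing version pinning. I would replace the comment with `/** Check the policy's SAML version profile against the received assertion. Returns true when the policy pins no version profile, so such a policy accepts a SAML 1.1 or SAML 2.0 assertion alike. */`. A one-line why-comment on the first branch that both `isUseSamlVersion11Profile10()` and `isUseSamlVersion11Profile11()` require a SAML 1.1 assertion would also help, since the profile number and the assertion version differ.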