Author: anil.saldhana(a)jboss.com
Date: 2011-08-10 12:56:04 -0400 (Wed, 10 Aug 2011)
New Revision: 1171
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/util/AssertionUtilUnitTestCase.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-222: skew in expiration of assertions
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-08-10
16:43:53 UTC (rev 1170)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-08-10
16:56:04 UTC (rev 1171)
@@ -34,6 +34,8 @@
//Define some constants
String ASSERTION_CONSUMER_URL = "ASSERTION_CONSUMER_URL";
+ String CLOCK_SKEW_MILIS = "CLOCK_SKEW_MILIS";
+
String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT";
String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
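Review bot: The new config key spells milliseconds as `MILIS` in both the constant name and its string value, and the same spelling recurs in the `clockSkewInMilis` parameters of the two AssertionUtil overloads and in the `skewMilis` local and javadoc of SAML2AuthenticationHandler. Because the string value is what deployers write into handler configuration, it is hard to correct once released; `String CLOCK_SKEW_MILLIS = "CLOCK_SKEW_MILLIS";` before it ships would avoid carrying the typo through the public API. The interface body continues outside the hunk, so I cannot see whether neighbouring constants carry javadoc; a one-line comment stating the unit and that the value is read on the SP side would help.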
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java 2011-08-10
16:43:53 UTC (rev 1170)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java 2011-08-10
16:56:04 UTC (rev 1171)
@@ -285,6 +285,44 @@
}
/**
+ * Verify whether the assertion has expired.
+ * You can add in a clock skew to adapt to conditions where in the IDP
+ * and SP are out of sync.
+ *
+ * @param assertion
+ * @param clockSkewInMilis in miliseconds
+ * @return
+ * @throws ConfigurationException
+ */
+ public static boolean hasExpired(AssertionType assertion, long clockSkewInMilis)
throws ConfigurationException
+ {
+ boolean expiry = false;
+
+ //Check for validity of assertion
+ ConditionsType conditionsType = assertion.getConditions();
+ if (conditionsType != null)
+ {
+ XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+ XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
+ XMLGregorianCalendar updatedNotBefore = XMLTimeUtil.subtract(notBefore,
clockSkewInMilis);
+ XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
+ XMLGregorianCalendar updatedOnOrAfter = XMLTimeUtil.add(notOnOrAfter,
clockSkewInMilis);
+
+ if (trace)
+ log.trace("Now=" + now.toXMLFormat() + " ::notBefore=" +
notBefore.toXMLFormat() + "::notOnOrAfter="
+ + notOnOrAfter);
+ expiry = !XMLTimeUtil.isValid(now, updatedNotBefore, updatedOnOrAfter);
+ if (expiry)
+ {
+ log.info("Assertion has expired with id=" + assertion.getID());
+ }
+ }
+
+ //TODO: if conditions do not exist, assume the assertion to be everlasting?
+ return expiry;
+ }
+
+ /**
* Check whether the assertion has expired
* @param assertion
* @return
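Review bot: `notBefore` and `notOnOrAfter` are read from the conditions and used without a null check, although either bound can be absent in a SAML Conditions element; the trace line `notBefore.toXMLFormat()` certainly throws NullPointerException when NotBefore is missing and tracing is on, and whether `XMLTimeUtil.subtract`/`add` tolerate null is not visible here. Guarding each adjustment, `XMLGregorianCalendar updatedNotBefore = notBefore == null ? null : XMLTimeUtil.subtract(notBefore, clockSkewInMilis);` (and likewise for `updatedOnOrAfter`), and tracing the adjusted values rather than the raw ones would keep the trace path safe, assuming `XMLTimeUtil.isValid` already treats a null bound as unbounded — please confirm. The javadoc should also say that the skew is applied on both sides (NotBefore moved earlier, NotOnOrAfter moved later), widening the window in which an assertion is accepted, so operators should keep it small; `@param assertion` and `@return` are empty. The `SAML11AssertionType` overload in the next hunk duplicates this body line for line and has the same gaps; a private helper taking the two bounds, the assertion id and the skew would let both overloads share one implementation.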
@@ -316,6 +354,44 @@
}
/**
+ * Verify whether the assertion has expired.
+ * You can add in a clock skew to adapt to conditions where in the IDP
+ * and SP are out of sync.
+ *
+ * @param assertion
+ * @param clockSkewInMilis in miliseconds
+ * @return
+ * @throws ConfigurationException
+ */
+ public static boolean hasExpired(SAML11AssertionType assertion, long clockSkewInMilis)
throws ConfigurationException
+ {
+ boolean expiry = false;
+
+ //Check for validity of assertion
+ SAML11ConditionsType conditionsType = assertion.getConditions();
+ if (conditionsType != null)
+ {
+ XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+ XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
+ XMLGregorianCalendar updatedNotBefore = XMLTimeUtil.subtract(notBefore,
clockSkewInMilis);
+ XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
+ XMLGregorianCalendar updatedOnOrAfter = XMLTimeUtil.add(notOnOrAfter,
clockSkewInMilis);
+
+ if (trace)
+ log.trace("Now=" + now.toXMLFormat() + " ::notBefore=" +
notBefore.toXMLFormat() + "::notOnOrAfter="
+ + notOnOrAfter);
+ expiry = !XMLTimeUtil.isValid(now, updatedNotBefore, updatedOnOrAfter);
+ if (expiry)
+ {
+ log.info("Assertion has expired with id=" + assertion.getID());
+ }
+ }
+
+ //TODO: if conditions do not exist, assume the assertion to be everlasting?
+ return expiry;
+ }
+
+ /**
* Extract the expiration time from an {@link AssertionType}
* @param assertion
* @return
Modified:
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/util/AssertionUtilUnitTestCase.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/util/AssertionUtilUnitTestCase.java 2011-08-10
16:43:53 UTC (rev 1170)
+++
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/util/AssertionUtilUnitTestCase.java 2011-08-10
16:56:04 UTC (rev 1171)
@@ -22,6 +22,7 @@
package org.picketlink.test.identity.federation.core.saml.v2.util;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
@@ -91,6 +92,28 @@
}
@Test
+ public void testExpiredAssertionWithClockSkew() throws Exception
+ {
+ NameIDType nameIdType = new NameIDType();
+ nameIdType.setValue("somename");
+
+ AssertionType assertion = new AssertionType("SomeID",
XMLTimeUtil.getIssueInstant());
+ assertion.setIssuer(nameIdType);
+
+ XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+
+ XMLGregorianCalendar sometimeAgo = XMLTimeUtil.subtract(now, 55555);
+
+ ConditionsType conditions = new ConditionsType();
+ conditions.setNotBefore(XMLTimeUtil.subtract(now, 55575));
+ conditions.setNotOnOrAfter(sometimeAgo);
+ assertion.setConditions(conditions);
+
+ assertFalse(AssertionUtil.hasExpired(assertion, 60000));
+ assertTrue(AssertionUtil.hasExpired(assertion, 600));
+ }
+
+ @Test
public void testRoleExtraction() throws Exception
{
String file = "parser/saml2/saml2-response-assertion-subject.xml";
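Review bot: The new test covers only the `AssertionType` overload; the `SAML11AssertionType` overload of `hasExpired` added in the same commit has no coverage, and a mirrored case would catch a divergence between the two copies. The expected results depend on the gap between `notOnOrAfter` (now minus 55555 ms) and the skew, so naming those values (e.g. `long expiredMillisAgo = 55555;`) would make the pass/fail thresholds readable. A case calling the new overload with a skew of 0 next to the one-argument `hasExpired` would also pin that the new overload preserves the old behaviour.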
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-08-10
16:43:53 UTC (rev 1170)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-08-10
16:56:04 UTC (rev 1171)
@@ -87,6 +87,7 @@
* </p>
* <p>
* Configuration Options:
+ * @see SAML2Handler#CLOCK_SKEW_MILIS: a milisecond value sets a skew for checking the
validity of assertion (SP Setting)
* @see SAML2Handler#DISABLE_AUTHN_STATEMENT Setting a value will disable the generation
of an AuthnStatement (IDP Setting)
* @see SAML2Handler#DISABLE_SENDING_ROLES Setting any value will disable the generation
and return of roles to SP (IDP Setting)
* @see SAML2Handler#DISABLE_ROLE_PICKING Setting to true will disable picking IDP
attribute statements (SP Setting)
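Review bot: The added `@see SAML2Handler#CLOCK_SKEW_MILIS:` attaches a colon to the member reference, so javadoc will try to resolve a member named `CLOCK_SKEW_MILIS:` and the link is likely to fail; the neighbouring entries separate the reference from its description with a space, so `* @see SAML2Handler#CLOCK_SKEW_MILIS a milisecond value sets a skew for checking the validity of assertion (SP Setting)` keeps it consistent. It would also help to state here that the skew widens the acceptance window on both sides (NotBefore earlier, NotOnOrAfter later), since that is what `AssertionUtil.hasExpired` does with the value.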
@@ -466,7 +467,14 @@
boolean expiredAssertion;
try
{
- expiredAssertion = AssertionUtil.hasExpired(assertion);
+ String skew = (String)
handlerConfig.getParameter(SAML2Handler.CLOCK_SKEW_MILIS);
+ if (StringUtil.isNotNull(skew))
+ {
+ long skewMilis = Long.parseLong(skew);
+ expiredAssertion = AssertionUtil.hasExpired(assertion, skewMilis);
+ }
+ else
+ expiredAssertion = AssertionUtil.hasExpired(assertion);
}
catch (ConfigurationException e)
{
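Review bot: `Long.parseLong(skew)` throws NumberFormatException on a malformed or padded value, and the surrounding `try` only catches ConfigurationException, so a typo in the `CLOCK_SKEW_MILIS` setting escapes the handler as an unchecked exception instead of a clear configuration error; a negative value is also accepted, which silently narrows the validity window rather than widening it. Parsing the trimmed value, reporting a bad or negative one with the parameter name, and bracing the `else` branch like the `if` keep this readable; I use IllegalArgumentException below because the constructors of ConfigurationException are not visible here — if it has one taking a message, that type fits the existing catch better. The enclosing method starts and ends outside the hunk.
```java
String skew = (String) handlerConfig.getParameter(SAML2Handler.CLOCK_SKEW_MILIS);
if (StringUtil.isNotNull(skew))
{
   long skewMilis;
   try
   {
      skewMilis = Long.parseLong(skew.trim());
   }
   catch (NumberFormatException nfe)
   {
      throw new IllegalArgumentException(SAML2Handler.CLOCK_SKEW_MILIS + " is not a valid number: " + skew, nfe);
   }
   if (skewMilis < 0)
   {
      throw new IllegalArgumentException(SAML2Handler.CLOCK_SKEW_MILIS + " must not be negative: " + skewMilis);
   }
   expiredAssertion = AssertionUtil.hasExpired(assertion, skewMilis);
}
else
{
   expiredAssertion = AssertionUtil.hasExpired(assertion);
}
// … unchanged: catch (ConfigurationException e) …
```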