Author: anil.saldhana(a)jboss.com
Date: 2010-06-30 17:59:46 -0400 (Wed, 30 Jun 2010)
New Revision: 322
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
Log:
PLFED-92: SPPostSignatureFormAuthenticator should induce signature verification of IDP
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2010-06-30
21:40:43 UTC (rev 321)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2010-06-30
21:59:46 UTC (rev 322)
@@ -43,7 +43,6 @@
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
-import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
@@ -79,6 +78,12 @@
protected TrustKeyManager keyManager;
+ /**
+ * A flag to indicate that we are going to validate signature
+ * for saml responses from IDP
+ */
+ protected boolean validateSignature = false;
+
public SPPostFormAuthenticator()
{
super();
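Review bot: The new `validateSignature` field defaults to false, so this authenticator accepts SAML responses from the IDP without any signature verification unless something else turns the flag on, and the Javadoc on the added lines does not make that consequence visible. Suggest `/** When true, SAML responses from the IDP are signature-verified before the handler chain runs. Defaults to false, i.e. unsigned or unverified responses are accepted; SPPostSignatureFormAuthenticator enables it in its constructor. */`. No setter or configuration hook for the flag appears in this commit, so the Javadoc should also say how it is expected to be set.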
@@ -187,6 +192,7 @@
{
ServiceProviderSAMLResponseProcessor responseProcessor =
new ServiceProviderSAMLResponseProcessor(true, serviceURL);
+ responseProcessor.setValidateSignature( validateSignature );
SAML2HandlerResponse saml2HandlerResponse =
responseProcessor.process(samlResponse, httpContext, handlers,
chainLock);
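Review bot: The added line hands the processor only the `validateSignature` flag, yet when that flag is true the processor's new `verifySignature` (added to ServiceProviderSAMLResponseProcessor in this commit) calls `keyManager.getValidatingKey(...)`, and nothing in this hunk passes the authenticator's `keyManager` to the processor. If the base processor does not obtain a key manager some other way (its constructor and ServiceProviderBaseProcessor are not shown), the lookup fails with a NullPointerException that the processor's catch clauses do not cover, rather than with the intended ProcessingException. Worth confirming how the processor gets its key manager and, if needed, setting it alongside the flag. The enclosing method starts and ends outside the hunk.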
@@ -337,17 +343,5 @@
protected ResponseType decryptAssertion(ResponseType responseType)
{
throw new RuntimeException("This authenticator does not handle
encryption");
- }
-
- /**
- * Verify Signature
- * @param samlDocumentHolder
- * @return
- * @throws IssuerNotTrustedException
- */
- protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
- {
- //this authenticator does not deal with signatures.
- return true;
- }
+ }
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2010-06-30
21:40:43 UTC (rev 321)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2010-06-30
21:59:46 UTC (rev 322)
@@ -22,15 +22,9 @@
package org.picketlink.identity.federation.bindings.tomcat.sp;
import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
import java.security.KeyPair;
-import java.security.PublicKey;
import java.util.List;
-import javax.xml.crypto.MarshalException;
-import javax.xml.crypto.dsig.XMLSignatureException;
-
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
@@ -39,15 +33,9 @@
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
-import
org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
-import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
-import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
-import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
-import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.w3c.dom.Document;
/**
@@ -61,8 +49,16 @@
private static Logger log = Logger.getLogger(SPPostSignatureFormAuthenticator.class);
private boolean trace = log.isTraceEnabled();
- private boolean signAssertions = false;
+ /**
+ * Flag to indicate whether we want to sign the assertions
+ */
+ protected boolean signAssertions = false;
+ public SPPostSignatureFormAuthenticator()
+ {
+ this.validateSignature = true;
+ }
+
public boolean isSignAssertions()
{
return signAssertions;
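Review bot: The new constructor forces `validateSignature` to true but carries no Javadoc, and the flag it sets is a mutable protected field, so a subclass or later assignment can silently switch verification back off for an authenticator whose whole purpose is signed exchanges. Suggest `/** Signature verification of IDP responses is mandatory for this authenticator: validateSignature is set to true here and must not be cleared by subclasses. */`. The `signAssertions` field is also widened from private to protected with only a one-line comment; its Javadoc should say why subclasses need direct field access rather than the existing `isSignAssertions()` accessor.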
@@ -130,54 +126,5 @@
log.trace("Sending to IDP:" + DocumentUtil.asString(samlDocument));
//Let the super class handle the sending
super.sendRequestToIDP(destination, samlDocument, relayState, response,
willSendRequest);
- }
-
-
- @Override
- protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
- {
- Document samlResponse = samlDocumentHolder.getSamlDocument();
- ResponseType response = (ResponseType) samlDocumentHolder.getSamlObject();
-
- String issuerID = response.getIssuer().getValue();
-
- if(issuerID == null)
- throw new IssuerNotTrustedException("Issue missing");
-
- URL issuerURL;
- try
- {
- issuerURL = new URL(issuerID);
- }
- catch (MalformedURLException e1)
- {
- throw new IssuerNotTrustedException(e1);
- }
-
- try
- {
- PublicKey publicKey = keyManager.getValidatingKey(issuerURL.getHost());
- if(trace) log.trace("Going to verify signature in the saml response from
IDP");
- boolean sigResult = XMLSignatureUtil.validate(samlResponse, publicKey);
- if(trace) log.trace("Signature verification="+sigResult);
- return sigResult;
- }
- catch (TrustKeyConfigurationException e)
- {
- log.error("Unable to verify signature",e);
- }
- catch (TrustKeyProcessingException e)
- {
- log.error("Unable to verify signature",e);
- }
- catch (MarshalException e)
- {
- log.error("Unable to verify signature",e);
- }
- catch (XMLSignatureException e)
- {
- log.error("Unable to verify signature",e);
- }
- return false;
}
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2010-06-30
21:40:43 UTC (rev 321)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2010-06-30
21:59:46 UTC (rev 322)
@@ -23,27 +23,38 @@
import java.io.IOException;
import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.Lock;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignatureException;
+
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import
org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
+import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
+import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
+import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
+import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.util.PostBindingUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.w3c.dom.Document;
/**
* Utility Class to handle processing of
@@ -52,7 +63,9 @@
* @since Oct 27, 2009
*/
public class ServiceProviderSAMLResponseProcessor extends ServiceProviderBaseProcessor
-{
+{
+ private boolean validateSignature = false;
+
/**
* Construct
* @param postBinding Whether it is the Post Binding
@@ -64,6 +77,16 @@
}
/**
+ * Flag to indicate whether the response should be validated for signature
+ * @param validateSignature
+ */
+ public void setValidateSignature(boolean validateSignature)
+ {
+ this.validateSignature = validateSignature;
+ }
+
+
+ /**
* Process the message
* @param samlResponse
* @param httpContext
@@ -102,6 +125,17 @@
documentHolder = saml2Response.getSamlDocumentHolder();
}
+ if( this.validateSignature )
+ try
+ {
+ if( ! this.verifySignature( documentHolder ) )
+ throw new ProcessingException( "Signature Validation failed" );
+ }
+ catch (IssuerNotTrustedException e)
+ {
+ throw new ProcessingException( e );
+ }
+
//Create the request/response
SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(documentHolder,
httpContext);
SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
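Review bot: The `if( this.validateSignature )` on the added lines governs a bare try statement with no braces, which is easy to misread and fragile under the next edit; add braces, `if (this.validateSignature) {` before the try and a closing `}` after the catch. The fail-closed shape itself is right: a false result or an IssuerNotTrustedException both become a ProcessingException before any handler runs. Consider carrying the issuer value in the failure message so an operator can tell which IDP's response was rejected. The enclosing process method starts and ends outside the hunk.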
@@ -132,4 +166,57 @@
return saml2HandlerResponse;
}
+
+ /**
+ * Validate the signature of the IDP response
+ * @param samlDocumentHolder
+ * @return
+ * @throws IssuerNotTrustedException
+ */
+ private boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
+ {
+ Document samlResponse = samlDocumentHolder.getSamlDocument();
+ ResponseType response = (ResponseType) samlDocumentHolder.getSamlObject();
+
+ String issuerID = response.getIssuer().getValue();
+
+ if(issuerID == null)
+ throw new IssuerNotTrustedException("Issue missing");
+
+ URL issuerURL;
+ try
+ {
+ issuerURL = new URL(issuerID);
+ }
+ catch (MalformedURLException e1)
+ {
+ throw new IssuerNotTrustedException(e1);
+ }
+
+ try
+ {
+ PublicKey publicKey = keyManager.getValidatingKey(issuerURL.getHost());
+ if(trace) log.trace("Going to verify signature in the saml response from
IDP");
+ boolean sigResult = XMLSignatureUtil.validate(samlResponse, publicKey);
+ if(trace) log.trace("Signature verification="+sigResult);
+ return sigResult;
+ }
+ catch (TrustKeyConfigurationException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (TrustKeyProcessingException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (MarshalException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (XMLSignatureException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ return false;
+ }
}
\ No newline at end of file
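Review bot: `response.getIssuer().getValue()` dereferences the Issuer element before the null check that follows it, so a response with no Issuer element fails with a NullPointerException instead of the intended IssuerNotTrustedException; check the element as well, `if (response.getIssuer() == null || response.getIssuer().getValue() == null) throw new IssuerNotTrustedException("Issuer missing");`, which also fixes the "Issue missing" typo. The validating key is then selected by the host part of the Issuer value taken from the not-yet-verified response, so the message itself chooses which key checks it; that is sound only if `keyManager` holds validating keys solely for configured, trusted IDP hosts, and the Javadoc, whose `@return` is currently empty, should state that assumption and that false means the signature did not verify or the key could not be obtained. The catch clauses log and return false, which fails closed; `keyManager`, `trace` and `log` are not declared in this hunk and are presumably inherited from ServiceProviderBaseProcessor.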