Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 18:09:51 -0400 (Thu, 28 Jul 2011)
New Revision: 1145
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
Log:
PLFED-8: throw ex if sig validation fails
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java
(rev 0)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java 2011-07-28
22:09:51 UTC (rev 1145)
@@ -0,0 +1,53 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.saml.v2.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates the failure of signature validation
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Jul 28, 2011
+ */
+public class SignatureValidationException extends GeneralSecurityException
+{
+ private static final long serialVersionUID = 1L;
+
+ public SignatureValidationException()
+ {
+ }
+
+ public SignatureValidationException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+
+ public SignatureValidationException(String msg)
+ {
+ super(msg);
+ }
+
+ public SignatureValidationException(Throwable cause)
+ {
+ super(cause);
+ }
+}
\ No newline at end of file
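Review bot: The class Javadoc does not say that this is a checked exception (it extends GeneralSecurityException) nor that the handler in this same commit delivers it only as the cause of a ProcessingException, and none of the four constructors carries Javadoc. Suggest extending the class comment with `Thrown when the signature on a SAML document fails to validate; the handler surfaces it as the cause of a ProcessingException.` plus a one-line Javadoc per constructor. The no-argument constructor produces an exception with no message, so a failure raised through it is invisible in logs; consider whether it is needed at all.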
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28
21:41:04 UTC (rev 1144)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28
22:09:51 UTC (rev 1145)
@@ -26,6 +26,7 @@
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import
org.picketlink.identity.federation.core.saml.v2.exceptions.SignatureValidationException;
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerErrorCodes;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
@@ -41,61 +42,62 @@
*/
public class SAML2SignatureValidationHandler extends BaseSAML2Handler
{
- private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class);
- private boolean trace = log.isTraceEnabled();
-
+ private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class);
+
+ private final boolean trace = log.isTraceEnabled();
+
/**
* @see {@code SAML2Handler#handleRequestType(SAML2HandlerRequest,
SAML2HandlerResponse)}
*/
public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse
response) throws ProcessingException
{
- Map<String,Object> requestOptions = request.getOptions();
- Boolean ignoreSignatures = (Boolean)
requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
- if(ignoreSignatures == Boolean.TRUE)
+ Map<String, Object> requestOptions = request.getOptions();
+ Boolean ignoreSignatures = (Boolean)
requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
+ if (ignoreSignatures == Boolean.TRUE)
return;
-
+
Document signedDocument = request.getRequestDocument();
-
- if(trace)
+
+ if (trace)
{
- log.trace("Will validate :" + DocumentUtil.asString(signedDocument));
+ log.trace("Will validate :" + DocumentUtil.asString(signedDocument));
}
PublicKey publicKey = (PublicKey)
request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
try
{
- boolean isValid = this.validateSender(signedDocument, publicKey);
- if(!isValid)
- throw new ProcessingException();
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if (!isValid)
+ throw constructSignatureException();
}
- catch(ProcessingException pe)
+ catch (ProcessingException pe)
{
- response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID,
- "Signature Validation Failed");
- throw pe;
+ response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, "Signature
Validation Failed");
+ throw pe;
}
}
@Override
public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse
response)
throws ProcessingException
- {
- Map<String,Object> requestOptions = request.getOptions();
- Boolean ignoreSignatures = (Boolean)
requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
- if(ignoreSignatures == Boolean.TRUE)
+ {
+ Map<String, Object> requestOptions = request.getOptions();
+ Boolean ignoreSignatures = (Boolean)
requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
+ if (ignoreSignatures == Boolean.TRUE)
return;
-
+
Document signedDocument = request.getRequestDocument();
- if(trace)
+ if (trace)
{
- log.trace("Document for validation=" +
DocumentUtil.asString(signedDocument));
+ log.trace("Document for validation=" +
DocumentUtil.asString(signedDocument));
}
-
+
PublicKey publicKey = (PublicKey)
request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
- this.validateSender(signedDocument, publicKey);
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if (!isValid)
+ throw constructSignatureException();
}
-
- private boolean validateSender(Document signedDocument, PublicKey publicKey)
- throws ProcessingException
+
+ private boolean validateSender(Document signedDocument, PublicKey publicKey) throws
ProcessingException
{
try
{
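Review bot: In handleStatusResponseType the new `if (!isValid) throw constructSignatureException();` sits outside any try/catch, so unlike handleRequestType the response never gets `SAML2HandlerErrorCodes.SIGNATURE_INVALID` set before the exception propagates, and the ProcessingException thrown by validateSender on that path is not reported either. Set the error before throwing, e.g. `if (!isValid) { response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, "Signature Validation Failed"); throw constructSignatureException(); }`, or mirror the try/catch used in handleRequestType. Separately, `ignoreSignatures == Boolean.TRUE` is an identity comparison and is false for any Boolean instance other than the cached constant; `Boolean.TRUE.equals(ignoreSignatures)` is the safer form and works for null too. Both trace statements re-added here write the entire signed document to the log, which is pre-existing but means assertion contents land in log files whenever trace is enabled. validateSender's body continues past the end of this hunk.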
@@ -103,8 +105,14 @@
}
catch (Exception e)
{
- log.error("Error validating signature:" , e);
+ log.error("Error validating signature:", e);
throw new ProcessingException("Error validating signature.");
- }
- }
+ }
+ }
+
+ private ProcessingException constructSignatureException()
+ {
+ SignatureValidationException sv = new SignatureValidationException("Signature
Validation Failed");
+ return new ProcessingException(sv);
+ }
}
\ No newline at end of file
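Review bot: constructSignatureException wraps the new SignatureValidationException with `new ProcessingException(sv)`, so a caller can only recognise a signature failure by inspecting `getCause()`; a Javadoc line stating that contract would help, e.g. `/** Builds the ProcessingException thrown on a failed signature check; its cause is a SignatureValidationException. */`. In the catch block just above, `throw new ProcessingException("Error validating signature.")` drops `e`, so the original cause survives only in the log line; if ProcessingException offers a (String, Throwable) constructor (its constructors are not visible here), passing `e` would preserve it for the caller. The new method reads no instance state and could be declared `private static`.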