SamlAssertionValidator xref

View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security.validate;
21  
22  import java.util.List;
23  
24  import org.apache.ws.security.WSSecurityException;
25  import org.apache.ws.security.handler.RequestData;
26  import org.apache.ws.security.saml.SAMLKeyInfo;
27  import org.apache.ws.security.saml.ext.AssertionWrapper;
28  import org.apache.ws.security.saml.ext.OpenSAMLUtil;
29  import org.joda.time.DateTime;
30  import org.opensaml.common.SAMLVersion;
31  import org.opensaml.xml.validation.ValidationException;
32  import org.opensaml.xml.validation.ValidatorSuite;
33  
34  /**
35   * This class validates a SAML Assertion, which is wrapped in an "AssertionWrapper" instance.
36   * It assumes that the AssertionWrapper instance has already verified the signature on the
37   * assertion (done by the SAMLTokenProcessor). It verifies trust in the signature, and also
38   * checks that the Subject contains a KeyInfo (and processes it) for the holder-of-key case,
39   * and verifies that the Assertion is signed as well for holder-of-key. 
40   */
41  public class SamlAssertionValidator extends SignatureTrustValidator {
42      
43      private static final org.apache.commons.logging.Log LOG = 
44          org.apache.commons.logging.LogFactory.getLog(SamlAssertionValidator.class);
45      
46      /**
47       * The time in seconds in the future within which the NotBefore time of an incoming 
48       * Assertion is valid. The default is 60 seconds.
49       */
50      private int futureTTL = 60;
51      
52      /**
53       * Set the time in seconds in the future within which the NotBefore time of an incoming 
54       * Assertion is valid. The default is 60 seconds.
55       */
56      public void setFutureTTL(int newFutureTTL) {
57          futureTTL = newFutureTTL;
58      }
59      
60      /**
61       * Validate the credential argument. It must contain a non-null AssertionWrapper. 
62       * A Crypto and a CallbackHandler implementation is also required to be set.
63       * 
64       * @param credential the Credential to be validated
65       * @param data the RequestData associated with the request
66       * @throws WSSecurityException on a failed validation
67       */
68      public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
69          if (credential == null || credential.getAssertion() == null) {
70              throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
71          }
72          AssertionWrapper assertion = credential.getAssertion();
73          
74          // Check HOK requirements
75          String confirmMethod = null;
76          List<String> methods = assertion.getConfirmationMethods();
77          if (methods != null && methods.size() > 0) {
78              confirmMethod = methods.get(0);
79          }
80          if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
81              if (assertion.getSubjectKeyInfo() == null) {
82                  LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method");
83                  throw new WSSecurityException(WSSecurityException.FAILURE, "noKeyInSAMLToken");
84              }
85              // The assertion must have been signed for HOK
86              if (!assertion.isSigned()) {
87                  LOG.debug("A holder-of-key assertion must be signed");
88                  throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
89              }
90          }
91          
92          // Check conditions
93          checkConditions(assertion);
94          
95          // Validate the assertion against schemas/profiles
96          validateAssertion(assertion);
97  
98          // Verify trust on the signature
99          if (assertion.isSigned()) {
100             verifySignedAssertion(assertion, data);
101         }
102         return credential;
103     }
104     
105     /**
106      * Verify trust in the signature of a signed Assertion. This method is separate so that
107      * the user can override if if they want.
108      * @param assertion The signed Assertion
109      * @param data The RequestData context
110      * @return A Credential instance
111      * @throws WSSecurityException
112      */
113     protected Credential verifySignedAssertion(
114         AssertionWrapper assertion,
115         RequestData data
116     ) throws WSSecurityException {
117         Credential trustCredential = new Credential();
118         SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
119         trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
120         trustCredential.setCertificates(samlKeyInfo.getCerts());
121         return super.validate(trustCredential, data);
122     }
123     
124     /**
125      * Check the Conditions of the Assertion.
126      */
127     protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException {
128         DateTime validFrom = null;
129         DateTime validTill = null;
130         if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
131             && assertion.getSaml2().getConditions() != null) {
132             validFrom = assertion.getSaml2().getConditions().getNotBefore();
133             validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
134         } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
135             && assertion.getSaml1().getConditions() != null) {
136             validFrom = assertion.getSaml1().getConditions().getNotBefore();
137             validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
138         }
139         
140         if (validFrom != null) {
141             DateTime currentTime = new DateTime();
142             currentTime = currentTime.plusSeconds(futureTTL);
143             if (validFrom.isAfter(currentTime)) {
144                 LOG.debug("SAML Token condition (Not Before) not met");
145                 throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
146             }
147         }
148 
149         if (validTill != null && validTill.isBeforeNow()) {
150             LOG.debug("SAML Token condition (Not On Or After) not met");
151             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
152         }
153     }
154     
155     /**
156      * Validate the assertion against schemas/profiles
157      */
158     protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException {
159         if (assertion.getSaml1() != null) {
160             ValidatorSuite schemaValidators = 
161                 org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator");
162             ValidatorSuite specValidators = 
163                 org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator");
164             try {
165                 schemaValidators.validate(assertion.getSaml1());
166                 specValidators.validate(assertion.getSaml1());
167             } catch (ValidationException e) {
168                 LOG.debug("Saml Validation error: " + e.getMessage(), e);
169                 throw new WSSecurityException(
170                     WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
171                 );
172             }
173         } else if (assertion.getSaml2() != null) {
174             ValidatorSuite schemaValidators = 
175                 org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator");
176             ValidatorSuite specValidators = 
177                 org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator");
178             try {
179                 schemaValidators.validate(assertion.getSaml2());
180                 specValidators.validate(assertion.getSaml2());
181             } catch (ValidationException e) {
182                 LOG.debug("Saml Validation error: " + e.getMessage(), e);
183                 throw new WSSecurityException(
184                     WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
185                 );
186             }
187         }
188     }
189     
190 }