
List:       jaxme-dev
Subject:    [jira] [Created] (WSS-331) Insufficient checking of SAML Condition
From:       "Glen Mazza (Created) (JIRA)" <jira () apache ! org>
Date:       2011-12-27 19:04:30
Message-ID: 758207646.46764.1325012670656.JavaMail.tomcat () hel ! zones ! apache ! org

Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
-----------------------------------------------------------------------------------

                 Key: WSS-331
                 URL: https://issues.apache.org/jira/browse/WSS-331
             Project: WSS4J
          Issue Type: Bug
            Reporter: Glen Mazza
            Assignee: Colm O hEigeartaigh


Hi, the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 (Mar 2005; docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) gives this schema for saml:Conditions:

<element name="Conditions" type="saml:ConditionsType"/>
<complexType name="ConditionsType">
    <choice minOccurs="0" maxOccurs="unbounded">
        <element ref="saml:Condition"/>
        <element ref="saml:AudienceRestriction"/>
        <element ref="saml:OneTimeUse"/>
        <element ref="saml:ProxyRestriction"/>
    </choice>
    <attribute name="NotBefore" type="dateTime" use="optional"/>
    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
</complexType>

As shown above, NotBefore and NotOnOrAfter are both optional; however, the absence of one should not negate checking of the other.

In class org.apache.ws.security.validate.SamlAssertionValidator on TRUNK, I see this code in method validate():

        DateTime validFrom = null;
        DateTime validTill = null;
        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
            && assertion.getSaml2().getConditions() != null) {
            validFrom = assertion.getSaml2().getConditions().getNotBefore();
            validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
        } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
            ...similar...
        }
        if (validFrom != null && validTill != null
            && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
            LOG.debug("SAML Token condition not met");
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }

The if block right above will skip checking if either validFrom or validTill is missing, but if just one of the two constraints is present it appears that single constraint should still be checked. Also, the logic above requires both validFrom and validTill to be violated before the WSSecurityException is thrown, but it should be thrown even if just one of the two constraints fails.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
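The following is an added illustration of the independent NotBefore / NotOnOrAfter handling the report asks for; it is not WSS4J code and does not use the WSS4J or OpenSAML APIs, only the JDK. It assumes a hypothetical ConditionViolation exception standing in for WSSecurityException, a clock-skew tolerance (a design choice of this example, not something the report or the SAML schema specifies), and a few constructed saml:Conditions fragments as input. Each attribute is parsed only if present and checked on its own, so an assertion carrying just one of the two bounds is still rejected when that bound is violated, and an assertion carrying neither imposes no time restriction at all.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/** Added example (not WSS4J code): independent checks of the two optional Conditions bounds. */
public final class ConditionsCheck {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Hypothetical stand-in for WSSecurityException, thrown when a present bound is violated. */
    public static final class ConditionViolation extends Exception {
        ConditionViolation(String msg) { super(msg); }
    }

    /**
     * Validates the time window of a saml:Conditions element against 'now'.
     * A missing attribute imposes no bound in that direction; a present one is
     * always checked, regardless of whether the other attribute is there.
     * 'skew' is an assumed tolerance for clock drift between issuer and verifier.
     */
    public static void validateTimeWindow(Element conditions, Instant now, Duration skew)
            throws ConditionViolation {
        Instant notBefore = parseOptionalInstant(conditions, "NotBefore");
        Instant notOnOrAfter = parseOptionalInstant(conditions, "NotOnOrAfter");

        // NotBefore: not yet valid if now (allowing for skew) is still before the bound.
        if (notBefore != null && now.plus(skew).isBefore(notBefore)) {
            throw new ConditionViolation("NotBefore not yet reached: " + notBefore);
        }
        // NotOnOrAfter: expired if now (allowing for skew) is at or past the bound.
        // The boundary instant itself is excluded, as the attribute name says.
        if (notOnOrAfter != null && !now.minus(skew).isBefore(notOnOrAfter)) {
            throw new ConditionViolation("NotOnOrAfter has passed: " + notOnOrAfter);
        }
    }

    /** Returns null when the attribute is absent; a malformed value is a failure, not "absent". */
    private static Instant parseOptionalInstant(Element e, String attr) throws ConditionViolation {
        if (!e.hasAttribute(attr)) {
            return null;
        }
        try {
            return OffsetDateTime.parse(e.getAttribute(attr)).toInstant();
        } catch (DateTimeParseException ex) {
            throw new ConditionViolation("Malformed " + attr + " value: " + e.getAttribute(attr));
        }
    }

    /** Parses a constructed Conditions fragment with DOCTYPE (and thus external entities) disabled. */
    static Element parseConditions(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2011-12-27T19:04:30Z"); // fixed "now" so the run is reproducible
        Duration skew = Duration.ofSeconds(60);
        String open = "<saml:Conditions xmlns:saml=\"" + SAML2_NS + "\"";
        String[] samples = {                       // constructed inputs
            open + " NotOnOrAfter=\"2011-12-27T18:00:00Z\"/>",   // only NotOnOrAfter, expired: reject
            open + " NotBefore=\"2011-12-27T20:00:00Z\"/>",      // only NotBefore, in the future: reject
            open + " NotBefore=\"2011-12-27T19:00:00Z\" NotOnOrAfter=\"2011-12-27T19:10:00Z\"/>", // inside window: accept
            open + "/>",                                          // neither bound present: accept
        };
        for (String xml : samples) {
            try {
                validateTimeWindow(parseConditions(xml), now, skew);
                System.out.println("accepted: " + xml);
            } catch (ConditionViolation v) {
                System.out.println("rejected: " + v.getMessage());
            }
        }
    }
}
```

Run with the fixed "now" above, the first two fragments are rejected and the last two accepted, which is the behaviour the report argues for: the presence of a single bound is enough to trigger its check, and violating either bound alone is enough to fail validation.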


