List: jaxme-dev
Subject: [jira] [Created] (WSS-331) Insufficient checking of SAML Condition
From: "Glen Mazza (Created) (JIRA)" <jira () apache ! org>
Date: 2011-12-27 19:04:30
Message-ID: 758207646.46764.1325012670656.JavaMail.tomcat () hel ! zones ! apache ! org
Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
-----------------------------------------------------------------------------------
Key: WSS-331
URL: https://issues.apache.org/jira/browse/WSS-331
Project: WSS4J
Issue Type: Bug
Reporter: Glen Mazza
Assignee: Colm O hEigeartaigh
Hi, the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 (Mar 2005) - docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, gives this Schema for saml:Conditions:
<element name="Conditions" type="saml:ConditionsType"/>
<complexType name="ConditionsType">
    <choice minOccurs="0" maxOccurs="unbounded">
        <element ref="saml:Condition"/>
        <element ref="saml:AudienceRestriction"/>
        <element ref="saml:OneTimeUse"/>
        <element ref="saml:ProxyRestriction"/>
    </choice>
    <attribute name="NotBefore" type="dateTime" use="optional"/>
    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
</complexType>
As shown above, NotBefore and NotOnOrAfter are both optional--however, absence of one should not negate checking of the other.
In class org.apache.ws.security.validate.SamlAssertionValidator on TRUNK, I see this code in method validate():
DateTime validFrom = null;
DateTime validTill = null;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
    && assertion.getSaml2().getConditions() != null) {
    validFrom = assertion.getSaml2().getConditions().getNotBefore();
    validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
} else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)
    ...similar...
}
if (validFrom != null && validTill != null
    && !(validFrom.isBeforeNow() && validTill.isAfterNow())) {
    LOG.debug("SAML Token condition not met");
    throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
}
The if block right above will skip checking if either validFrom or validTill is missing, but if just one of the two constraints is present it appears that single constraint should still be checked. Also, the logic above requires both validFrom and validTill to be violated before the WSSecurityException is thrown, but it should be thrown even if just one of the two constraints fails.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
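To make the difference between the two checks concrete, here is an added, stand-alone illustration (not WSS4J code and not part of the original report): reportedCheck mirrors the combined condition quoted above, and strictCheck evaluates each attribute on its own whenever it is present. java.time.Instant stands in for the Joda-Time DateTime used by SamlAssertionValidator, the method names and the skew parameter are assumed for the example, and the timestamps in main are constructed sample values.

```java
import java.time.Duration;
import java.time.Instant;

// Added illustration, not WSS4J code. Instant replaces Joda-Time DateTime; the
// helper names and the clock-skew parameter are assumptions of this example.
public class SamlConditionsCheck {

    // Mirrors the trunk logic quoted in the report: nothing is checked unless
    // both NotBefore and NotOnOrAfter are present.
    static boolean reportedCheck(Instant notBefore, Instant notOnOrAfter, Instant now) {
        if (notBefore != null && notOnOrAfter != null
            && !(notBefore.isBefore(now) && notOnOrAfter.isAfter(now))) {
            return false; // where the validator throws "invalidSAMLsecurity"
        }
        return true;
    }

    // Each attribute is evaluated independently when present; an absent
    // attribute imposes no bound. NotBefore is inclusive (valid at or after it),
    // NotOnOrAfter is exclusive (invalid at or after it). skew tolerates clock
    // drift between issuer and relying party (assumed parameter).
    static boolean strictCheck(Instant notBefore, Instant notOnOrAfter, Instant now, Duration skew) {
        if (notBefore != null && now.isBefore(notBefore.minus(skew))) {
            return false; // assertion not yet valid
        }
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter.plus(skew))) {
            return false; // assertion expired
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample clock and bounds (the report's own timestamp as "now").
        Instant now = Instant.parse("2011-12-27T19:04:30Z");
        Instant past = now.minus(Duration.ofHours(1));
        Instant future = now.plus(Duration.ofHours(1));
        Duration skew = Duration.ofSeconds(60);

        // Only NotOnOrAfter present and already in the past: expired token.
        System.out.println("expired, NotBefore absent:         reported=" + reportedCheck(null, past, now)
            + " strict=" + strictCheck(null, past, now, skew));
        // Only NotBefore present and still in the future: token not yet valid.
        System.out.println("not yet valid, NotOnOrAfter absent: reported=" + reportedCheck(future, null, now)
            + " strict=" + strictCheck(future, null, now, skew));
        // Both present, only NotOnOrAfter violated.
        System.out.println("both present, one violated:        reported=" + reportedCheck(past, past, now)
            + " strict=" + strictCheck(past, past, now, skew));
        // Both present, both satisfied.
        System.out.println("both present, both satisfied:      reported=" + reportedCheck(past, future, now)
            + " strict=" + strictCheck(past, future, now, skew));
    }
}
```

Run with javac/java; the first two lines of output show the combined check returning true (accepting the token) while the independent check rejects it, the third shows both variants rejecting a token with a single violated bound, and the fourth shows both accepting a token inside its window. A practitioner porting this into a validator should also keep the skew small and configurable, since a large tolerance re-opens the expiry window the check is meant to close.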