Changed logic for verification of Assertion signature:

- signatures are now always verified when present - when wantAssertionsSigned on SPSSODescriptor is set to true then unsigned assertions get always rejected
sannies · Apr 3, 2011 · 4667203 · 4667203
1 parent 45b7e26
commit 4667203
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 10 deletions.
diff --git a/...saml2-core/src/main/java/org/springframework/security/saml/metadata/ExtendedMetadata.java b/...saml2-core/src/main/java/org/springframework/security/saml/metadata/ExtendedMetadata.java
@@ -67,8 +67,13 @@ public class ExtendedMetadata implements Serializable, Cloneable {
      */
     private Set<String> trustedKeys;
 
-    private boolean requireLogoutRequestSigned;
+    /**
+     * SAML specification mandates that incoming LogoutRequests must be authenticated.
+     */
+    private boolean requireLogoutRequestSigned = true;
+
     private boolean requireLogoutResponseSigned;
+
     private boolean requireArtifactResolveSigned;
 
     /**

diff --git a/.../saml2-core/src/main/java/org/springframework/security/saml/metadata/MetadataManager.java b/.../saml2-core/src/main/java/org/springframework/security/saml/metadata/MetadataManager.java
@@ -915,7 +915,7 @@ public void onEvent(MetadataProvider provider) {
 
     @Autowired
     public void setKeyManager(KeyManager keyManager) {
-        this.keyManager = keyManager; // TODO check was set
+        this.keyManager = keyManager;
     }
 
 }
diff --git a/...-core/src/main/java/org/springframework/security/saml/websso/SingleLogoutProfileImpl.java b/...-core/src/main/java/org/springframework/security/saml/websso/SingleLogoutProfileImpl.java
@@ -85,7 +85,7 @@ public void sendLogoutRequest(SAMLMessageContext context, SAMLCredential credent
     /**
      * Returns logout request message ready to be sent to the IDP.
      *
-     * @param context message context
+     * @param context        message context
      * @param credential     information about assertions used to log current user in
      * @param bindingService service used to deliver the request
      * @return logoutRequest to be sent to IDP
@@ -194,11 +194,6 @@ public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential c
             return false;
         }
 
-        // TODO
-        if (logoutRequest.getNotOnOrAfter() != null) {
-
-        }
-
         // Find index for which the logout is requested
         boolean indexFound = false;
         if (logoutRequest.getSessionIndexes() != null && logoutRequest.getSessionIndexes().size() > 0) {
@@ -218,9 +213,16 @@ public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential c
 
         // Fail if sessionIndex is not found in any assertion
         if (!indexFound) {
+
+            // Check logout request still valid and store request
+            if (logoutRequest.getNotOnOrAfter() != null) {
+                // TODO store request for assertions possibly arriving later
+            }
+
             Status status = getStatus(StatusCode.REQUESTER_URI, "The requested SessionIndex was not found");
             sendLogoutResponse(status, context);
             return false;
+
         }
 
         try {

diff --git a/...ore/src/main/java/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.java b/...ore/src/main/java/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.java
@@ -324,9 +324,9 @@ protected void verifySubject(Subject subject, AuthnRequest request, SAMLMessageC
     protected void verifyAssertionSignature(Signature signature, SAMLMessageContext context) throws SAMLException, org.opensaml.xml.security.SecurityException, ValidationException {
         SPSSODescriptor roleMetadata = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
         boolean wantSigned = roleMetadata.getWantAssertionsSigned();
-        if (signature != null && wantSigned) { // TODO verify this
+        if (signature != null) {
             verifySignature(signature, context.getPeerEntityMetadata().getEntityID(), context.getLocalTrustEngine());
-        } else if (wantSigned && !context.isInboundSAMLMessageAuthenticated()) {
+        } else if (wantSigned) {
             log.debug("Assertion must be signed, but is not");
             throw new SAMLException("SAML Assertion is invalid");
         }