Merge pull request #10 from iguanajazz/master

security implementations, example webapp was included an some bugs was fixed.

Author: pitbulk

README

@@ -0,0 +1,37 @@
+This example was developed to show how Java Toolkit works.
+
+The com-folder contains the files you'll copy into your Java application. 
+The sample-folder has a minimal webapp with the files on com-folder inside java-folder and The files index.jsp and consume.jsp inside webapp-folder.
+index.jsp and consume.jsp are the ones that actually handle the SAML conversation.
+
+The index.jsp file acts as an initiater for the SAML conversation, if it should be initiated by the application. 
+
+This is called Service Provider Initiated SAML. The service provider creates a SAML Authentication Request and sends it to the identity provider (IdP), 
+We authenticate at the IdP and then a Response is sent to the Consumer Service Url configured on index.jsp.
+
+In order to know where to redirect the user with the authentication request, we need to establish the user's identity provider affinity. 
+This depends on your application. In this example, those validations are provided by consume.jsp, which is meant as a stub for you customization.
+
+Dependencies are configured on file pom.xml, also a jetty plugin is configured to execute the example with command "mvn jetty:run"
+
+
+What needs to be configured
+----------------------------
+
+In the example above, SAML settings are divided into two parts, the application specific (const_assertion_consumer_service_url, const_issuer, const_name_identifier_format) 
+and the user/account specific (idp_sso_target_url, x509certificate). You'll need to add your own code here to identify the user or user origin (e.g. by subdomain, ip_address etc.).
+
+The following information needs to be available on the account:
+
+appSettings.setAssertionConsumerServiceUrl
+The URL at which the SAML assertion should be received. In this example "http://localhost:3000/saml/consume" would be correct.
+
+appSettings.setIssuer
+The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.
+
+accSettings.setIdpSsoTargetUrl
+The URL to which the authentication request should be sent. This would be on the identity provider.
+
+accountSettings.setCertificate
+The x509 certificate fingerprint. 
+This is provided from the identity provider when setting up the relationship, for this version the certificate must be 1024-bit.

com/onelogin/saml/AuthRequest.java

@@ -74,29 +74,6 @@ public String getRequest(int format) throws XMLStreamException, IOException {
 		return result;
 	}
 
-	public static String getRidOfCRLF(String what) {
-		String lf = "%0D";
-		String cr = "%0A";
-		String now = lf;
-		int index = what.indexOf(now);
-
-		StringBuilder r = new StringBuilder();
-
-		while (index!=-1) {
-			r.append(what.substring(0,index));
-			what = what.substring(index+3,what.length());
-
-			if (now.equals(lf)) {
-				now = cr;
-			} else {
-				now = lf;
-			}
-
-			index = what.indexOf(now);
-		}
-		return r.toString();
-	}
-
 	private String encodeSAMLRequest(byte[] pSAMLRequest) throws RuntimeException {
 
 		Base64 base64Encoder = new Base64();
@@ -112,7 +89,7 @@ private String encodeSAMLRequest(byte[] pSAMLRequest) throws RuntimeException {
 
 			String stream = new String(base64Encoder.encode(byteArray.toByteArray()));
 
-			return stream;
+			return stream.trim();
 		} catch (Exception e) {
 			throw new RuntimeException(e);
 		}

com/onelogin/saml/Response.java

@@ -1,20 +1,23 @@
 package com.onelogin.saml;
 
-import com.onelogin.AccountSettings;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.lang.reflect.Method;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Calendar;
 import java.util.HashMap;
+import java.util.TimeZone;
+
 import javax.xml.XMLConstants;
 import javax.xml.crypto.dsig.XMLSignature;
 import javax.xml.crypto.dsig.XMLSignatureFactory;
 import javax.xml.crypto.dsig.dom.DOMValidateContext;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+
 import org.apache.commons.codec.binary.Base64;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -23,72 +26,136 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
+import com.onelogin.AccountSettings;
+
 public class Response {
 
 	private Document xmlDoc;
-	private Integer Assertions;
+	private NodeList assertions;
 	private Element rootElement;
 	private final AccountSettings accountSettings;
 	private final Certificate certificate;
+	private String currentUrl;
 
 	public Response(AccountSettings accountSettings) throws CertificateException {
-		this.accountSettings = accountSettings;
+		this.accountSettings = accountSettings;		
 		certificate = new Certificate();
 		certificate.loadCertificate(this.accountSettings.getCertificate());
 	}
 
-	public void loadXml(String xml) throws ParserConfigurationException, SAXException, IOException {
-		DocumentBuilderFactory fty = DocumentBuilderFactory.newInstance();
+	public void loadXml(String xml) throws ParserConfigurationException, SAXException, IOException {		
+		DocumentBuilderFactory fty = DocumentBuilderFactory.newInstance();		
 		fty.setNamespaceAware(true);
 		// XMLConstants with FEATURE_SECURE_PROCESSING prevents external document access. (XXE/XEE Possible Attacks).
 		fty.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-		DocumentBuilder builder = fty.newDocumentBuilder();
-		ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-		xmlDoc = builder.parse(bais);
+		DocumentBuilder builder = fty.newDocumentBuilder();		
+		ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());		
+		xmlDoc = builder.parse(bais);		
 	}
 
-	public void loadXmlFromBase64(String response) throws ParserConfigurationException, SAXException, IOException {
+	public void loadXmlFromBase64(String response) throws ParserConfigurationException, SAXException, IOException {		
 		Base64 base64 = new Base64();
 		byte[] decodedB = base64.decode(response);
 		String decodedS = new String(decodedB);
 		loadXml(decodedS);
 	}
 
 	// isValid() function should be called to make basic security checks to responses.
-	public boolean isValid() throws Exception {
+	public boolean isValid() throws Exception {				
 		// Security Checks
-		rootElement = xmlDoc.getDocumentElement();
-		Assertions = xmlDoc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").getLength();
+		rootElement = xmlDoc.getDocumentElement();		
+		assertions = xmlDoc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");		
 		xmlDoc.getDocumentElement().normalize();
 
-		if (Assertions > 1) {
-			throw new Exception("SAML Response must contain 1 Assertion.");
+		// Check SAML version
+		String attName = rootElement.getAttribute("Version");		
+		if (!attName.equals("2.0")) {
+			throw new Exception("Unsupported SAML Version.");
 		}
-
-		String attName = rootElement.getAttribute("ID");
+		
+		// Check ID in the response
+		attName = rootElement.getAttribute("ID");		
 		if (attName.equals("")) {
 			throw new Exception("Missing ID attribute on SAML Response.");
 		}
-
-		attName = rootElement.getAttribute("Version");
-		if (!attName.equals("2.0")) {
-			throw new Exception("Unsupported SAML Version.");
+				
+		if (assertions == null || assertions.getLength() != 1) {
+			throw new Exception("SAML Response must contain 1 Assertion.");
 		}
 
-		NodeList nodes = xmlDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
-
+		NodeList nodes = xmlDoc.getElementsByTagNameNS("*", "Signature");
 		if (nodes == null || nodes.getLength() == 0) {
 			throw new Exception("Can't find signature in Document.");
 		}
 
-		if (setIdAttributeExists()) {
-			tagIdAttributes(xmlDoc);
+		// Check destination
+		String destinationUrl = rootElement.getAttribute("Destination");
+		if (destinationUrl != null) {
+			if(!destinationUrl.equals(currentUrl)){
+				throw new Exception("The response was received at " + currentUrl + " instead of " + destinationUrl);
+			}
 		}
-
-		X509Certificate cert = certificate.getX509Cert();
-		DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), nodes.item(0));
-		XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");
-		XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);
+		
+		// Check Audience 
+		NodeList nodeAudience = xmlDoc.getElementsByTagNameNS("*", "Audience");
+		String audienceUrl = nodeAudience.item(0).getChildNodes().item(0).getNodeValue();
+		if (audienceUrl != null) {
+			if(!audienceUrl.equals(currentUrl)){
+				throw new Exception(audienceUrl + " is not a valid audience for this Response");
+			}
+		}
+		
+		// Check SubjectConfirmation, at least one SubjectConfirmation must be valid
+		NodeList nodeSubConf = xmlDoc.getElementsByTagNameNS("*", "SubjectConfirmation");
+		boolean validSubjectConfirmation = true;
+		for(int i = 0; i < nodeSubConf.getLength(); i++){
+			Node method = nodeSubConf.item(i).getAttributes().getNamedItem("Method");			
+			if(method != null && !method.getNodeValue().equals("urn:oasis:names:tc:SAML:2.0:cm:bearer")){
+				continue;
+			}
+			NodeList childs = nodeSubConf.item(i).getChildNodes();			
+			for(int c = 0; c < childs.getLength(); c++){				
+				if(childs.item(c).getLocalName().equals("SubjectConfirmationData")){
+					Node inResponseTo = childs.item(c).getAttributes().getNamedItem("InResponseTo");					
+//					if(inResponseTo != null && !inResponseTo.getNodeValue().equals("ID of the AuthNRequest")){
+//						validSubjectConfirmation = false;
+//					}
+					Node recipient = childs.item(c).getAttributes().getNamedItem("Recipient");					
+					if(recipient != null && !recipient.getNodeValue().equals(currentUrl)){
+						validSubjectConfirmation = false;
+					}
+					Node notOnOrAfter = childs.item(c).getAttributes().getNamedItem("NotOnOrAfter");
+					if(notOnOrAfter != null){						
+						final Calendar notOnOrAfterDate = javax.xml.bind.DatatypeConverter.parseDateTime(notOnOrAfter.getNodeValue());
+						Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
+						if(notOnOrAfterDate.before(now)){
+							validSubjectConfirmation = false;
+						}
+					}
+					Node notBefore = childs.item(c).getAttributes().getNamedItem("NotBefore");
+					if(notBefore != null){						
+						final Calendar notBeforeDate = javax.xml.bind.DatatypeConverter.parseDateTime(notBefore.getNodeValue());
+						Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
+						if(notBeforeDate.before(now)){
+							validSubjectConfirmation = false;
+						}
+					}
+				}
+			}
+		}
+		if (!validSubjectConfirmation) {
+            throw new Exception("A valid SubjectConfirmation was not found on this Response");
+        }
+		
+		
+//		if (setIdAttributeExists()) {
+//			tagIdAttributes(xmlDoc);
+//		}
+
+		X509Certificate cert = certificate.getX509Cert();		
+		DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), nodes.item(0));		
+		XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");		
+		XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);		
 
 		return xmlSignature.validate(ctx);
 	}
@@ -141,7 +208,10 @@ private boolean setIdAttributeExists() {
 	}
 
 	private void tagIdAttributes(Document xmlDoc) {
-		throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+		throw new UnsupportedOperationException("Not supported yet."); 
 	}
 
+	public void setDestinationUrl(String urld){
+		currentUrl = urld;
+	}
 }

sample/pom.xml

@@ -0,0 +1,46 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.onelogin</groupId>
+  <artifactId>java-saml</artifactId>
+  <packaging>war</packaging>
+  <version>1.0-SNAPSHOT</version>
+  <name>java-saml Sample Webapp</name>
+  
+  <properties>
+    <jettyVersion>9.1.0.RC2</jettyVersion>
+  </properties>
+  
+  <dependencies>
+	<dependency>
+		<groupId>commons-codec</groupId>
+		<artifactId>commons-codec</artifactId>
+		<version>1.9</version>
+	</dependency>
+	<dependency>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-servlet</artifactId>
+        <version>${jettyVersion}</version>
+    </dependency>
+  </dependencies>
+  
+  <build>
+    <finalName>java-saml</finalName>
+	<plugins>
+		<plugin>
+			<groupId>org.apache.maven.plugins</groupId>
+			<artifactId>maven-compiler-plugin</artifactId>
+			<version>3.0</version>
+			<configuration>
+				<source>1.7</source>
+				<target>1.7</target>
+			</configuration>
+		</plugin>
+		<plugin>
+		  <groupId>org.eclipse.jetty</groupId>
+		  <artifactId>jetty-maven-plugin</artifactId>
+		  <version>${jettyVersion}</version>
+		</plugin>		
+	</plugins>
+  </build>
+</project>

sample/src/main/java/com/onelogin/AccountSettings.java

@@ -0,0 +1,19 @@
+package com.onelogin;
+
+public class AccountSettings {
+	private String certificate;
+	private String idp_sso_target_url;
+	
+	public String getCertificate() {
+		return certificate;
+	}
+	public void setCertificate(String certificate) {
+		this.certificate = certificate;
+	}
+	public String getIdp_sso_target_url() {
+		return idp_sso_target_url;
+	}
+	public void setIdpSsoTargetUrl(String idp_sso_target_url) {
+		this.idp_sso_target_url = idp_sso_target_url;
+	}
+}

sample/src/main/java/com/onelogin/AppSettings.java

@@ -0,0 +1,20 @@
+package com.onelogin;
+
+public class AppSettings {
+	private String assertionConsumerServiceUrl;
+	private String issuer;
+	
+	public String getAssertionConsumerServiceUrl() {
+		return assertionConsumerServiceUrl;
+	}
+	public void setAssertionConsumerServiceUrl(String assertionConsumerServiceUrl) {
+		this.assertionConsumerServiceUrl = assertionConsumerServiceUrl;
+	}
+	public String getIssuer() {
+		return issuer;
+	}
+	public void setIssuer(String issuer) {
+		this.issuer = issuer;
+	}
+
+}