Added require response signing attribute

OpenConext · Nov 16, 2023 · 86f31be · 86f31be
1 parent 79c4624
commit 86f31be
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 7 deletions.
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 
     <groupId>org.openconext</groupId>
     <artifactId>saml-idp</artifactId>
-    <version>0.0.7-SNAPSHOT</version>
+    <version>0.0.8-SNAPSHOT</version>
     <name>saml-idp</name>
 
     <properties>

diff --git a/src/main/java/saml/DefaultSAMLService.java b/src/main/java/saml/DefaultSAMLService.java
@@ -165,10 +165,10 @@ private static Map<String, Boolean> getParserBuilderFeatures() {
     }
 
     @SneakyThrows
-    private void validateSignature(SignableSAMLObject target, Credential credential) {
+    private void validateSignature(SignableSAMLObject target, Credential credential, boolean signatureRequired) {
         Signature signature = target.getSignature();
         if (signature == null) {
-            if (this.configuration.isRequiresSignedAuthnRequest()) {
+            if (signatureRequired) {
                 throw new SignatureException("Signature element not found.");
             }
         } else {
@@ -204,7 +204,7 @@ public AuthnRequest parseAuthnRequest(String xml, boolean encoded, boolean defla
             throw new IllegalArgumentException(String.format("ACS locations (%s, %s) does not match", serviceProvider.getAcsLocation(),
                     authnRequest.getAssertionConsumerServiceURL()));
         }
-        this.validateSignature(authnRequest, serviceProvider.getCredential());
+        this.validateSignature(authnRequest, serviceProvider.getCredential(), this.configuration.isRequiresSignedAuthnRequest());
         return authnRequest;
     }
 
@@ -250,7 +250,7 @@ public String createAuthnRequest(SAMLServiceProvider serviceProvider,
     @SneakyThrows
     public Response parseResponse(String xml) {
         Response response = (Response) parseXMLObject(xml, true, false);
-        this.validateSignature(response, this.signingCredential);
+        this.validateSignature(response, this.signingCredential, this.configuration.isRequiresSignedResponse());
         return response;
     }
 

diff --git a/src/main/java/saml/SAMLService.java b/src/main/java/saml/SAMLService.java
@@ -91,6 +91,5 @@ void sendResponse(String spEntityID,
      * @param serviceProvider the (e.g. {@link SAMLServiceProvider}) containing the entityID and certificate
      * @return SAML metadata
      */
-    @SneakyThrows
     String serviceProviderMetaData(SAMLServiceProvider serviceProvider);
 }
diff --git a/src/main/java/saml/model/SAMLConfiguration.java b/src/main/java/saml/model/SAMLConfiguration.java
@@ -13,4 +13,10 @@ public class SAMLConfiguration {
     private SAMLIdentityProvider identityProvider;
     private List<SAMLServiceProvider> serviceProviders;
     private boolean requiresSignedAuthnRequest;
+    private boolean requiresSignedResponse;
+
+    public SAMLConfiguration(SAMLIdentityProvider identityProvider, List<SAMLServiceProvider> serviceProviders, boolean requiresSignedAuthnRequest) {
+        this(identityProvider, serviceProviders, requiresSignedAuthnRequest, true);
+    }
+
 }
diff --git a/src/test/java/saml/DefaultSAMLServiceTest.java b/src/test/java/saml/DefaultSAMLServiceTest.java
@@ -107,7 +107,8 @@ private SAMLConfiguration getSamlConfiguration(boolean requiresSignedAuthnReques
                         readFile("saml_idp.pem"),
                         spEntityId),
                 List.of(serviceProvider),
-                requiresSignedAuthnRequest
+                requiresSignedAuthnRequest,
+                true
         );
         return samlConfiguration;
     }