Set strict default value as true. Fix Travis. Update some dependencies

Author: pitbulk

.travis.yml

@@ -1,8 +1,20 @@
 language: java
-jdk:
-  - openjdk7
-  - openjdk8
-#  - oraclejdk7 #It seems oraclejdk7 temp fail on Travis
+
+matrix:
+  include:
+  - os: linux
+    dist: trusty
+    jdk: openjdk7
+  - os: linux
+    dist: precise
+    jdk: oraclejdk7
+  - os: linux
+    ist: trusty
+    jdk: openjdk8
+  - os: linux
+    dist: trusty
+    jdk: oraclejdk8
+
 install: true
 after_success:
   - mvn clean verify org.jacoco:jacoco-maven-plugin:report org.eluder.coveralls:coveralls-maven-plugin:report

README.md

@@ -5,6 +5,10 @@
 Add SAML support to your Java applications using this library.
 Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc.
 
+Version < 2.5.0 uses an old version of xmlsec library (<2.1.4 which has a security vulnerability [CVE-2019-12400](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-460281))
+
+Version 2.4.1 sets the 'strict' setting parameter to true.
+
 Version 2.X.X, compatible with java7 / java8.
 
 We [introduced some incompatibilities](https://github.com/onelogin/java-saml/issues/90), that could be fixed and make it compatible with java6.
@@ -188,7 +192,7 @@ Here are the list of properties to be defined on the settings file:
 #  If 'strict' is True, then the Java Toolkit will reject unsigned
 #  or unencrypted messages if it expects them signed or encrypted
 #  Also will reject the messages if not strictly follow the SAML
-onelogin.saml2.strict =  false
+onelogin.saml2.strict =  true
 
 # Enable debug mode (to print errors)
 onelogin.saml2.debug =  false

core/pom.xml

@@ -48,7 +48,7 @@
 		<dependency>
 			<groupId>joda-time</groupId>
 			<artifactId>joda-time</artifactId>
-			<version>2.9.4</version>
+			<version>2.10.3</version>
 		</dependency>
 
 		<!-- commons -->
@@ -60,12 +60,12 @@
 		<dependency>
 			<groupId>org.apache.santuario</groupId>
 			<artifactId>xmlsec</artifactId>
-			<version>2.0.7</version>
+			<version>2.0.9</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
 			<artifactId>commons-codec</artifactId>
-			<version>1.10</version>
+			<version>1.12</version>
 		</dependency>
 	</dependencies>
 

core/src/main/java/com/onelogin/saml2/settings/Saml2Settings.java

@@ -31,7 +31,7 @@ public class Saml2Settings {
 	private static final Logger LOGGER = LoggerFactory.getLogger(Saml2Settings.class);
 
 	// Toolkit settings
-	private boolean strict = false;
+	private boolean strict = true;
 	private boolean debug = false;
 
 	// SP

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -364,6 +364,7 @@ public void testGetNameIdNoKey() throws Exception {
 	@Test
 	public void testGetNameIdEmptyNameIDValue() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		settings.setStrict(false);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/empty_nameid.xml.base64");
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		String nameId = samlResponse.getNameId();
@@ -499,6 +500,7 @@ public void testGetNameIdDataWrongSPNameQualifier() throws Exception {
 	@Test
 	public void testGetNameIdDataEmptyNameIDValue() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		settings.setStrict(false);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/empty_nameid.xml.base64");
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		Map<String, String> nameIdData = samlResponse.getNameIdData();
@@ -2140,6 +2142,7 @@ public void testIsInValidEncIssues() throws IOException, Error, XPathExpressionE
 	@Test
 	public void testIsInValidCert() throws IOException, Error, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, ValidationError {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.invalididpcertstring.properties").build();
+		settings.setStrict(false);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/valid_response.xml.base64");
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertFalse(samlResponse.isValid());

core/src/test/java/com/onelogin/saml2/test/settings/Saml2SettingsTest.java

@@ -38,12 +38,12 @@ public class Saml2SettingsTest {
 	@Test
 	public void testIsStrict() {
 		Saml2Settings settings = new Saml2Settings();
-		
-		assertFalse(settings.isStrict());
-		settings.setStrict(true);
+
 		assertTrue(settings.isStrict());
 		settings.setStrict(false);
 		assertFalse(settings.isStrict());
+		settings.setStrict(true);
+		assertTrue(settings.isStrict());
 	}
 
 	/**

core/src/test/java/com/onelogin/saml2/test/settings/SettingBuilderTest.java

@@ -76,7 +76,7 @@ public void testLoadFromFileEmpty() throws IOException, CertificateException, UR
 		Saml2Settings setting = new SettingsBuilder().fromFile("config/config.empty.properties").build();
 
 		assertFalse(setting.isDebugActive());
-		assertFalse(setting.isStrict());
+		assertTrue(setting.isStrict());
 
 		assertTrue(setting.getSpEntityId().isEmpty());
 		assertNull(setting.getSpAssertionConsumerServiceUrl());
@@ -130,7 +130,7 @@ public void testLoadFromFileMinProp() throws IOException, CertificateException,
 		Saml2Settings setting = new SettingsBuilder().fromFile("config/config.min.properties").build();
 
 		assertFalse(setting.isDebugActive());
-		assertFalse(setting.isStrict());
+		assertTrue(setting.isStrict());
 
 		assertEquals("http://localhost:8080/java-saml-jspsample/metadata.jsp", setting.getSpEntityId());
 		assertEquals("http://localhost:8080/java-saml-jspsample/acs.jsp", setting.getSpAssertionConsumerServiceUrl().toString());
@@ -569,7 +569,7 @@ public void testFromProperties() throws IOException, Error, CertificateException
 		Saml2Settings setting2 = new SettingsBuilder().fromProperties(prop).build();
 
 		assertFalse(setting2.isDebugActive());
-		assertFalse(setting2.isStrict());
+		assertTrue(setting2.isStrict());
 
 		assertEquals("http://localhost:8080/java-saml-jspsample/metadata.jsp", setting2.getSpEntityId());
 		assertEquals("http://localhost:8080/java-saml-jspsample/acs.jsp", setting2.getSpAssertionConsumerServiceUrl().toString());

samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties

@@ -1,7 +1,7 @@
 #  If 'strict' is True, then the Java Toolkit will reject unsigned
 #  or unencrypted messages if it expects them signed or encrypted
 #  Also will reject the messages if not strictly follow the SAML
-onelogin.saml2.strict =  false
+onelogin.saml2.strict =  true
 
 # Enable debug mode (to print errors)
 onelogin.saml2.debug =  false
@@ -42,41 +42,40 @@ onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspe
 
 onelogin.saml2.sp.x509cert =
 
-# Requires Format PKCS#8   BEGIN PRIVATE KEY	     
+# Requires Format PKCS#8   BEGIN PRIVATE KEY         
 # If you have     PKCS#1   BEGIN RSA PRIVATE KEY  convert it by   openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
 onelogin.saml2.sp.privatekey =
 
 # Identity Provider Data that we want connect with our SP
 #
 
 # Identifier of the IdP entity  (must be a URI)
-onelogin.saml2.idp.entityid = https://app.onelogin.com/saml/metadata/672234
+onelogin.saml2.idp.entityid =
 
 # SSO endpoint info of the IdP. (Authentication Request protocol)
 # URL Target of the IdP where the SP will send the Authentication Request Message
-onelogin.saml2.idp.single_sign_on_service.url = https://sgarcia-us-preprod.onelogin.com/trust/saml2/http-post/sso/672234
-
+onelogin.saml2.idp.single_sign_on_service.url =
 # SAML protocol binding to be used when returning the <Response>
 # message.  Onelogin Toolkit supports for this endpoint the
 # HTTP-Redirect binding only
 onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
 
 # SLO endpoint info of the IdP.
 # URL Location of the IdP where the SP will send the SLO Request
-onelogin.saml2.idp.single_logout_service.url = https://sgarcia-us-preprod.onelogin.com/trust/saml2/http-redirect/slo/672234
+onelogin.saml2.idp.single_logout_service.url =
 
 # Optional SLO Response endpoint info of the IdP.
 # URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
 # Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
-onelogin.saml2.idp.single_logout_service.response.url = https://sgarcia-us-preprod.onelogin.com/trust/saml2/http-redirect/slo/672234
+onelogin.saml2.idp.single_logout_service.response.url =
 
 # SAML protocol binding to be used when returning the <Response>
 # message.  Onelogin Toolkit supports for this endpoint the
 # HTTP-Redirect binding only
 onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
 
 # Public x509 certificate of the IdP
-onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----MIIGZTCCBE2gAwIBAgIULEW2UPHc+tQMo/j0NBM+8SbWK7IwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNzA2MjAxMDA4MTlaFw0yMjA2MjExMDA4MTlaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDzOWemVjGJTRG72AlAYnNapp26qnnNeNQVt4e56xi+56hjW5OTfgriP27rvAOd+CePIYA3ZyL0pk2LOPA/JtA0JA8LKN1vcGvfJcrpcsbFM5Y2BN5wTnqprT8rvG5eFmeK4r72qJ4wb4bUZJroT9+fU/gs/JOizhP4Z79icLQcbTTe0mc4n+/yoTxThAAraAsiOr3KQzXlTYB8zPMA2GI9TJ5Djc+g52C2vk2OhLEaSAPXGKLhvWukbyUMS34ofnqHaNO0ZbwUmw+8lgHBjIndXsSaFsm18SPnKTtfs1cLekzDveFvJ0T5V8PQWooqWUdg3hkrIiKZpOIcz8uYElpkQDJ2q++MjC7VsT1tKkjMGTv7SMicPscxAG89OaWRg+zmaDzqvdtNPGFe+8oatXp0FBMsnlsyIwdcoHTstloVEcOTSiT8wmjvkkIg5YR6vScmLhR6AQArRP2lWR0kXoSddEDk5fFDG+qMLus+N09YfUOKPswP6MtT9vNhPeIBP87qZLl4qbVCY+TWdNr5lONAH+Xmtk3Pf2phg74qZIZ87bEmJBSXKp8/Qm6Y4ruj6S+SPYt3/vKw130VfaGaSFyOlfAq3naiJqffa2tzneJ7Om/sHFee2Zj2hYqncxu6KR1qeR7lucB5o7z0ljGeUukp8GiVcubsQ3RNnfuCdsaeSwIDAQABo4HyMIHvMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKewY7diVRP96TRYhW2f/1ktWrJAMIGvBgNVHSMEgacwgaSAFKewY7diVRP96TRYhW2f/1ktWrJAoXakdDByMQswCQYDVQQGEwJVUzErMCkGA1UECgwiT25lTG9naW4gVGVzdCAoc2dhcmNpYS11cy1wcmVwcm9kKTEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDg5MTQ2ghQsRbZQ8dz61Ayj+PQ0Ez7xJtYrsjAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAC2TQ4yqwk0ePey99JYI5PfMRVEnUyyCSPfKmyVJgoOZwk97+CZuq1MNqGavcExd1ofc4wkN3unk/g7qVRPBV24k9FZaicYrp5maSHakL2SJD8qo/deohYFaeH8RzszxEZbJJYMLiXyRJi44T28TyF8admIwUJVg/KBhNAHi/IlAsRWPL92nWJjSCBHgiPaG5HF10t/GaQSJuQpdhxniUlseuqXZ/Qm0MjAgSTlyaBIxLyOErrpVujwiR5RTHLw0wn+2P0WmfVp7e79GOqzFuwmoLfxUtJgalc7av9VwFdEB2nWF2hu7BwE9rzg8FTaw1uAEu+LQ++IUuI+ydparFWoo/IwtSrXF59mBoKMld58K4L+TfWwUYF3hAmH2XNiSBTFZn1HBsK+XqS1CUGD8R0WSVvQC2jjFbxztFkrOIzz5ITLzKcjr1E86r5PvBQXeeTvVz6g2L+wEA5VXGYh/RItHEkuwn7EPWpvJUfc5B0m57rfr0+UqWZaLbhczrmHFn0HaDXcs2ldi7y+Eiv6IP3vrJrHhdCDlVPLQH8w0f4vNcR8YYVOfWFHYzyo4oqRYFMRmoqfubs90zGLcB5ugm56k5VaseP+VGwjjTEyiD4CYPLEvKm0Z2M0L6MIkhp/9VYl8ZAWvPGKFMSaANkiMlux2uEBeG3s4nLQcunumphAo-----END CERTIFICATE-----
+onelogin.saml2.idp.x509cert =
 
 # Instead of use the whole x509cert you can use a fingerprint
 # (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
@@ -156,4 +155,4 @@ onelogin.saml2.organization.lang =
 onelogin.saml2.contacts.technical.given_name = Technical Guy
 onelogin.saml2.contacts.technical.email_address = technical@example.com
 onelogin.saml2.contacts.support.given_name = Support Guy
-onelogin.saml2.contacts.support.email_address = support@@example.com
+onelogin.saml2.contacts.support.email_address = support@@example.com

toolkit/pom.xml

@@ -69,7 +69,7 @@
 		<dependency>
 			<groupId>joda-time</groupId>
 			<artifactId>joda-time</artifactId>
-			<version>2.9.4</version>
+			<version>2.10.3</version>
 		</dependency>
 
 		<!-- commons -->
@@ -81,12 +81,12 @@
 		<dependency>
 			<groupId>org.apache.santuario</groupId>
 			<artifactId>xmlsec</artifactId>
-			<version>2.0.7</version>
+			<version>2.0.9</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
 			<artifactId>commons-codec</artifactId>
-			<version>1.10</version>
+			<version>1.12</version>
 		</dependency>
 	</dependencies>