Example 6 with AudienceRestriction
use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.
the class ConditionsImpl method makeImmutable.
/**
* Makes the object immutable
*/
public void makeImmutable() {
if (isMutable) {
if (conditions != null) {
int length = conditions.size();
for (int i = 0; i < length; i++) {
Condition condition = (Condition) conditions.get(i);
condition.makeImmutable();
}
conditions = Collections.unmodifiableList(conditions);
}
if (audienceRestrictions != null) {
int length = audienceRestrictions.size();
for (int i = 0; i < length; i++) {
AudienceRestriction ar = (AudienceRestriction) audienceRestrictions.get(i);
ar.makeImmutable();
}
audienceRestrictions = Collections.unmodifiableList(audienceRestrictions);
}
if (oneTimeUses != null) {
int length = oneTimeUses.size();
for (int i = 0; i < length; i++) {
OneTimeUse oneTimeUse = (OneTimeUse) oneTimeUses.get(i);
oneTimeUse.makeImmutable();
}
oneTimeUses = Collections.unmodifiableList(oneTimeUses);
}
if (proxyRestrictions != null) {
int length = proxyRestrictions.size();
for (int i = 0; i < length; i++) {
ProxyRestriction pr = (ProxyRestriction) proxyRestrictions.get(i);
pr.makeImmutable();
}
proxyRestrictions = Collections.unmodifiableList(proxyRestrictions);
}
isMutable = false;
}
}
Also used :
Condition(com.sun.identity.saml2.assertion.Condition)
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
OneTimeUse(com.sun.identity.saml2.assertion.OneTimeUse)
ProxyRestriction(com.sun.identity.saml2.assertion.ProxyRestriction)
Example 7 with AudienceRestriction
use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.
the class SAML2Utils method checkAudience.
private static void checkAudience(final Conditions conds, final String hostEntityId, final String assertionID) throws SAML2Exception {
final String method = "SAML2Utils.checkAudience:";
if (conds == null) {
if (debug.messageEnabled()) {
debug.message(method + "Conditions is missing from Assertion.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.MISSING_CONDITIONS, data, null);
throw new SAML2Exception(bundle.getString("missingConditions"));
}
List restrictions = conds.getAudienceRestrictions();
if (restrictions == null) {
if (debug.messageEnabled()) {
debug.message(method + "missing AudienceRestriction.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.MISSING_AUDIENCE_RESTRICTION, data, null);
throw new SAML2Exception(bundle.getString("missingAudienceRestriction"));
}
Iterator restIter = restrictions.iterator();
boolean found = false;
while (restIter.hasNext()) {
List audienceList = ((AudienceRestriction) restIter.next()).getAudience();
if (audienceList.contains(hostEntityId)) {
found = true;
break;
}
}
if (!found) {
if (debug.messageEnabled()) {
debug.message(method + "This SP is not the intended audience.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.WRONG_AUDIENCE, data, null);
throw new SAML2Exception(bundle.getString("audienceNotMatch"));
}
}
Also used :
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
Iterator(java.util.Iterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
Example 8 with AudienceRestriction
use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method validAssertion.
private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
//must contain issuer
final Issuer issuer = assertion.getIssuer();
if (issuer == null) {
logger.error("Issuer does not exist");
return false;
}
/**
* The Assertion MUST contain <Conditions> element with an
* <AudienceRestriction> element with an <Audience> element
* containing a URI reference that identifies the authorization
* server, or the service provider SAML entity of its controlling
* domain, as an intended audience. The token endpoint URL of the
* authorization server MAY be used as an acceptable value for an
* <Audience> element. The authorization server MUST verify that it
* is an intended audience for the Assertion.
*
*/
final Conditions conditions = assertion.getConditions();
if (conditions == null) {
logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
return false;
}
final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
if (audienceRestriction == null || audienceRestriction.isEmpty()) {
logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
return false;
}
boolean found = false;
logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
for (final AudienceRestriction restriction : audienceRestriction) {
final List<String> audiences = restriction.getAudience();
if (audiences == null || audiences.isEmpty()) {
continue;
}
for (final String audience : audiences) {
String deployURL = deploymentURL;
String aud = audience;
//check for the url with and without trailing /
if (deployURL.endsWith("/")) {
deployURL = deploymentURL.substring(0, deployURL.length() - 1);
}
if (aud.endsWith("/")) {
aud = aud.substring(0, aud.length() - 1);
}
if (aud.equalsIgnoreCase(deployURL)) {
found = true;
}
}
}
if (found == false) {
logger.error("Didn't find the oauth2 provider in audience restrictions");
return false;
}
/**
* The Assertion MUST contain a <Subject> element. The subject MAY
* identify the resource owner for whom the access token is being
* requested. For client authentication, the Subject MUST be the
* "client_id" of the OAuth client. When using an Assertion as an
* authorization grant, the Subject SHOULD identify an authorized
* accessor for whom the access token is being requested (typically
* the resource owner, or an authorized delegate). Additional
* information identifying the subject/principal of the transaction
* MAY be included in an <AttributeStatement>.
*/
final Subject subject = assertion.getSubject();
if (subject == null) {
logger.error("Subject does not exist");
return false;
}
final String resourceOwner = subject.getNameID().getValue();
/**
* The Assertion MUST have an expiry that limits the time window
* during which it can be used. The expiry can be expressed either
* as the NotOnOrAfter attribute of the <Conditions> element or as
* the NotOnOrAfter attribute of a suitable <SubjectConfirmationData>
* element.
*/
/**
* The <Subject> element MUST contain at least one
* <SubjectConfirmation> element that allows the authorization server
* to confirm it as a Bearer Assertion. Such a <SubjectConfirmation>
* element MUST have a Method attribute with a value of
* "urn:oasis:names:tc:SAML:2.0:cm:bearer". The
* <SubjectConfirmation> element MUST contain a
* <SubjectConfirmationData> element, unless the Assertion has a
* suitable NotOnOrAfter attribute on the <Conditions> element, in
* which case the <SubjectConfirmationData> element MAY be omitted.
* When present, the <SubjectConfirmationData> element MUST have a
* Recipient attribute with a value indicating the token endpoint URL
* of the authorization server (or an acceptable alias). The
* authorization server MUST verify that the value of the Recipient
* attribute matches the token endpoint URL (or an acceptable alias)
* to which the Assertion was delivered. The
* <SubjectConfirmationData> element MUST have a NotOnOrAfter
* attribute that limits the window during which the Assertion can be
* confirmed. The <SubjectConfirmationData> element MAY also contain
* an Address attribute limiting the client address from which the
* Assertion can be delivered. Verification of the Address is at the
* discretion of the authorization server.
*/
final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
found = false;
if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
logger.error("Subject Confirmations does not exist");
return false;
}
//if conditions is expired assertion is expired
if (!assertion.isTimeValid()) {
logger.error("Assertion expired");
return false;
} else {
found = true;
}
for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
if (subjectConfirmation.getMethod() == null) {
continue;
}
if (subjectConfirmation.getMethod().equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
if (subjectConfirmationData == null) {
continue;
} else if (subjectConfirmationData.getNotOnOrAfter().before(new Date()) && subjectConfirmationData.getRecipient().equalsIgnoreCase(deploymentURL)) {
found = true;
}
//TODO check Client Address
}
}
if (!found) {
logger.error("Assertion expired or subject expired");
return false;
}
if (!assertion.isSigned()) {
logger.error("Assertion must be signed");
return false;
}
if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
logger.error("Assertion signature verification failed");
return false;
}
return true;
}
Also used :
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Subject(com.sun.identity.saml2.assertion.Subject)
Date(java.util.Date)
Example 9 with AudienceRestriction
use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.
the class DefaultConditionsProvider method get.
/**
* @see org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider#get(
* org.forgerock.openam.sts.config.user.SAML2Config, java.util.Date,
* org.forgerock.openam.sts.token.SAML2SubjectConfirmation)
*/
public Conditions get(SAML2Config saml2Config, Date issueInstant, SAML2SubjectConfirmation saml2SubjectConfirmation) throws TokenCreationException {
Conditions conditions = AssertionFactory.getInstance().createConditions();
try {
conditions.setNotBefore(issueInstant);
conditions.setNotOnOrAfter(new Date(issueInstant.getTime() + (saml2Config.getTokenLifetimeInSeconds() * 1000)));
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting token lifetime state in SAML2TokenGenerationImpl: " + e, e);
}
String audience = saml2Config.getSpEntityId();
/*
Section 4.1.4.2 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf specifies that
Audiences specifying the entity ids of SPs, must be contained in the AudienceRestriction for bearer tokens.
*/
if (((audience == null) || audience.isEmpty()) && SAML2SubjectConfirmation.BEARER.equals(saml2SubjectConfirmation)) {
throw new TokenCreationException(ResourceException.BAD_REQUEST, "The audiences field in the SAML2Config is empty, " + "but the BEARER SubjectConfirmation is required. BEARER tokens must include Conditions with " + "AudienceRestrictions specifying the SP entity ids.");
}
if ((audience != null) && !audience.isEmpty()) {
try {
AudienceRestriction audienceRestriction = AssertionFactory.getInstance().createAudienceRestriction();
List<String> audienceList = new ArrayList<String>(1);
audienceList.add(audience);
audienceRestriction.setAudience(audienceList);
List<AudienceRestriction> audienceRestrictionList = new ArrayList<AudienceRestriction>(1);
audienceRestrictionList.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictionList);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting audience restriction state in SAML2TokenGenerationImpl: " + e, e);
}
}
return conditions;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
ArrayList(java.util.ArrayList)
TokenCreationException(org.forgerock.openam.sts.TokenCreationException)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Date(java.util.Date)
Example 10 with AudienceRestriction
use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.
the class DefaultConditionsProviderTest method testBearerWithAudiences.
@Test
public void testBearerWithAudiences() throws TokenCreationException, UnsupportedEncodingException {
Date issueInstant = new Date();
ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
Conditions conditions = conditionsProvider.get(createSAML2Config(), issueInstant, SAML2SubjectConfirmation.BEARER);
assertTrue(issueInstant.equals(conditions.getNotBefore()));
assertTrue((issueInstant.getTime() + (TOKEN_LIFETIME_SECONDS * 1000)) == conditions.getNotOnOrAfter().getTime());
AudienceRestriction audienceRestriction = (AudienceRestriction) conditions.getAudienceRestrictions().get(0);
assertTrue(audienceRestriction.getAudience().contains(AM_SP_AUDIENCE));
}
Also used :
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
Date(java.util.Date)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Test(org.testng.annotations.Test)
Aggregations
AudienceRestriction (com.sun.identity.saml2.assertion.AudienceRestriction)8
ArrayList (java.util.ArrayList)5
Date (java.util.Date)5
Conditions (com.sun.identity.saml2.assertion.Conditions)4
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)4
List (java.util.List)4
Condition (com.sun.identity.saml2.assertion.Condition)2
OneTimeUse (com.sun.identity.saml2.assertion.OneTimeUse)2
ProxyRestriction (com.sun.identity.saml2.assertion.ProxyRestriction)2
Issuer (com.sun.identity.saml2.assertion.Issuer)1
Subject (com.sun.identity.saml2.assertion.Subject)1
SubjectConfirmation (com.sun.identity.saml2.assertion.SubjectConfirmation)1
SubjectConfirmationData (com.sun.identity.saml2.assertion.SubjectConfirmationData)1
Iterator (java.util.Iterator)1
TokenCreationException (org.forgerock.openam.sts.TokenCreationException)1
Test (org.testng.annotations.Test)1
Element (org.w3c.dom.Element)1
Node (org.w3c.dom.Node)1
NodeList (org.w3c.dom.NodeList)1
