use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class ManageNameIDRequestImpl method parseElement.
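/**
 * Populates this request from a {@code <ManageNameIDRequest>} DOM element.
 *
 * The root attributes (ID, Version, IssueInstant, Destination, Consent) are read and
 * validated, then the known child elements are parsed by local name. A child element
 * that occurs more than once is rejected with the "moreElement" error, as the other
 * protocol parsers in this SDK (e.g. ArtifactResponseImpl) already do; without that
 * check a second Issuer/NameID/NewID silently overwrote the first one parsed.
 *
 * Not done here: the schema's choice groups (NameID vs. EncryptedID, and
 * NewID / NewEncryptedID / Terminate) are not enforced by this method — presumably
 * validated elsewhere in the class; verify before relying on it. Unknown child
 * elements are ignored, as before.
 *
 * @param element the {@code <ManageNameIDRequest>} element; must not be null
 * @throws SAML2Exception if the element is null, is not a ManageNameIDRequest, fails
 *         ID/Version/IssueInstant validation, or repeats a child element
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement: " + "Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is a ManageNameIDRequest (only the local name is compared).
    String tag = element.getLocalName();
    if ((tag == null) || (!tag.equals(elementName))) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement:" + "not ManageNameIDRequest.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    requestId = element.getAttribute("ID");
    validateID(requestId);
    version = element.getAttribute(SAML2Constants.VERSION);
    validateVersion(version);
    // getAttribute() returns "" for an absent attribute; the validators decide whether that is acceptable.
    String issueInstantStr = element.getAttribute("IssueInstant");
    validateIssueInstant(issueInstantStr);
    destinationURI = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");
    NodeList children = element.getChildNodes();
    if (children == null) {
        return;
    }
    int childCount = children.getLength();
    for (int i = 0; i < childCount; i++) {
        Node childNode = children.item(i);
        String cName = childNode.getLocalName();
        if (cName == null) {
            continue; // text, comment and other non-element nodes
        }
        if (cName.equals("Issuer")) {
            // Historical naming: this class keeps the Issuer in the field called nameID.
            if (nameID != null) {
                rejectRepeatedChild(cName);
            }
            nameID = assertionFactory.createIssuer((Element) childNode);
        } else if (cName.equals("Signature")) {
            if (signatureString != null) {
                rejectRepeatedChild(cName);
            }
            signatureString = XMLUtils.getElementString((Element) childNode);
            isSigned = true;
        } else if (cName.equals("Extensions")) {
            if (extensions != null) {
                rejectRepeatedChild(cName);
            }
            extensions = protocolFactory.createExtensions((Element) childNode);
        } else if (cName.equals("NameID")) {
            if (nameid != null) {
                rejectRepeatedChild(cName);
            }
            nameid = assertionFactory.createNameID((Element) childNode);
        } else if (cName.equals("EncryptedID")) {
            if (encryptedID != null) {
                rejectRepeatedChild(cName);
            }
            encryptedID = assertionFactory.createEncryptedID((Element) childNode);
        } else if (cName.equals("NewID")) {
            if (newID != null) {
                rejectRepeatedChild(cName);
            }
            newID = protocolFactory.createNewID((Element) childNode);
        } else if (cName.equals("NewEncryptedID")) {
            if (newEncryptedID != null) {
                rejectRepeatedChild(cName);
            }
            newEncryptedID = protocolFactory.createNewEncryptedID((Element) childNode);
        } else if (cName.equals("Terminate")) {
            // Marker element; a repeat carries no extra data, so it is simply idempotent here.
            terminate = true;
        }
    }
}

/**
 * Fails the parse because the child element {@code childName} occurred more than once.
 *
 * @param childName local name of the repeated child, used in the debug message only
 * @throws SAML2Exception always, with the "moreElement" message
 */
private void rejectRepeatedChild(String childName) throws SAML2Exception {
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement: included more than one " + childName + ".");
    }
    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
}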
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class ArtifactResponseImpl method parseElement.
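/**
 * Populates this response from an {@code <ArtifactResponse>} DOM element.
 *
 * The element's attributes are read (values trimmed; IssueInstant is parsed as a date),
 * then the child elements are consumed in schema order: Issuer, Signature, Extensions,
 * Status, followed by at most one "any" element (the embedded protocol message, kept as
 * its serialized XML in {@code anyString}). A repeated child fails with "moreElement";
 * a child that arrives after a later-in-sequence sibling fails with "schemaViolation".
 * Structural validation of the whole (e.g. required Status) is delegated to
 * {@code super.validateData()}, after which the object is frozen.
 *
 * @param element the {@code <ArtifactResponse>} element; must not be null
 * @throws SAML2Exception if the element is null or not an ArtifactResponse, IssueInstant
 *         does not parse, a child is repeated or out of order, or validateData() rejects it
 */
private void parseElement(Element element) throws SAML2Exception {
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ArtifactResponseImpl.parseElement: " + "element input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is an ArtifactResponse (only the local name is compared).
    String tag = element.getLocalName();
    if ((tag == null) || (!tag.equals("ArtifactResponse"))) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ArtifactResponseImpl.parseElement: " + "not ArtifactResponse.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    readArtifactResponseAttributes(element);
    readArtifactResponseChildren(element);
    super.validateData();
    isMutable = false;
}

/**
 * Reads the attributes of the {@code <ArtifactResponse>} element into the fields.
 * Unknown attributes are ignored; values are trimmed before use.
 *
 * @throws SAML2Exception if IssueInstant is present but does not parse as a date
 */
private void readArtifactResponseAttributes(Element element) throws SAML2Exception {
    NamedNodeMap atts = element.getAttributes();
    if (atts == null) {
        return;
    }
    int length = atts.getLength();
    for (int i = 0; i < length; i++) {
        Attr attr = (Attr) atts.item(i);
        String attrName = attr.getName();
        String attrValue = attr.getValue().trim();
        if (attrName.equals("ID")) {
            responseId = attrValue;
        } else if (attrName.equals("InResponseTo")) {
            inResponseTo = attrValue;
        } else if (attrName.equals("Version")) {
            version = attrValue;
        } else if (attrName.equals("IssueInstant")) {
            try {
                issueInstant = DateUtils.stringToDate(attrValue);
            } catch (ParseException pe) {
                throw new SAML2Exception(pe.getMessage());
            }
        } else if (attrName.equals("Destination")) {
            destination = attrValue;
        } else if (attrName.equals("Consent")) {
            consent = attrValue;
        }
    }
}

/**
 * Reads the child elements, enforcing single occurrence and schema order
 * (Issuer, Signature, Extensions, Status, one "any" element).
 *
 * @throws SAML2Exception on a repeated or out-of-order child
 */
private void readArtifactResponseChildren(Element element) throws SAML2Exception {
    NodeList nl = element.getChildNodes();
    int length = nl.getLength();
    for (int i = 0; i < length; i++) {
        Node child = nl.item(i);
        String childName = child.getLocalName();
        if (childName == null) {
            continue; // text, comment and other non-element nodes
        }
        if (childName.equals("Issuer")) {
            if (issuer != null) {
                rejectRepeatedChild("ArtifactResponseImpl." + "parseElement: included more than one " + "Issuer.");
            }
            if (signatureString != null || extensions != null || status != null || anyString != null) {
                rejectOutOfOrderChild("ArtifactResponseImpl." + "parseElement:wrong sequence.");
            }
            issuer = AssertionFactory.getInstance().createIssuer((Element) child);
        } else if (childName.equals("Signature")) {
            if (signatureString != null) {
                rejectRepeatedChild("ArtifactResponseImpl." + "parseElement:included more than one " + "Signature.");
            }
            if (extensions != null || status != null || anyString != null) {
                rejectOutOfOrderChild("ArtifactResponseImpl." + "parseElement:wrong sequence.");
            }
            signatureString = XMLUtils.print((Element) child);
            isSigned = true;
        } else if (childName.equals("Extensions")) {
            if (extensions != null) {
                rejectRepeatedChild("ArtifactResponseImpl." + "parseElement:included more than one " + "Extensions.");
            }
            if (status != null || anyString != null) {
                rejectOutOfOrderChild("ArtifactResponseImpl." + "parseElement:wrong sequence.");
            }
            extensions = ProtocolFactory.getInstance().createExtensions((Element) child);
        } else if (childName.equals("Status")) {
            if (status != null) {
                rejectRepeatedChild("ArtifactResponseImpl." + "parseElement: included more than one " + "Status.");
            }
            if (anyString != null) {
                // Debug text previously named ResponseImpl (copy-paste); it now names this class.
                rejectOutOfOrderChild("ArtifactResponseImpl.parse" + "Element:wrong sequence.");
            }
            status = ProtocolFactory.getInstance().createStatus((Element) child);
        } else {
            // The wrapped protocol message: at most one, kept as serialized XML.
            if (anyString != null) {
                rejectRepeatedChild("ArtifactResponseImpl." + "parseElement: included more than one " + "any element.");
            }
            anyString = XMLUtils.print((Element) child);
        }
    }
}

/**
 * Fails the parse with "moreElement" after logging {@code debugMessage} (debug level only).
 */
private void rejectRepeatedChild(String debugMessage) throws SAML2Exception {
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(debugMessage);
    }
    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
}

/**
 * Fails the parse with "schemaViolation" after logging {@code debugMessage} (debug level only).
 */
private void rejectOutOfOrderChild(String debugMessage) throws SAML2Exception {
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(debugMessage);
    }
    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("schemaViolation"));
}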
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class NameIDMappingResponseImpl method parseElement.
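/**
 * Populates this response from a {@code <NameIDMappingResponse>} DOM element.
 *
 * The root attributes (ID, Version, IssueInstant, Destination, Consent, InResponseTo)
 * are read and validated, then the known child elements are parsed by local name.
 * A child element that occurs more than once is rejected with the "moreElement" error,
 * consistent with ArtifactResponseImpl; previously a second Issuer/NameID/Status
 * silently replaced the first one parsed.
 *
 * Not done here: presence of the mandatory Status and the NameID/EncryptedID choice are
 * not enforced by this method — presumably validated elsewhere in the class; verify
 * before relying on it. Unknown child elements are ignored, as before.
 *
 * @param element the {@code <NameIDMappingResponse>} element; must not be null
 * @throws SAML2Exception if the element is null, has the wrong local name, fails
 *         ID/Version/IssueInstant validation, or repeats a child element
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory af = AssertionFactory.getInstance();
    ProtocolFactory pf = ProtocolFactory.getInstance();
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is a NameIDMappingResponse (only the local name is compared).
    String tag = element.getLocalName();
    if ((tag == null) || (!tag.equals(elementName))) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            // Debug text previously said "ManageNameIDResponse" (copy-paste).
            SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: " + "not NameIDMappingResponse.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    responseId = element.getAttribute("ID");
    validateID(responseId);
    version = element.getAttribute("Version");
    validateVersion(version);
    // getAttribute() returns "" for an absent attribute; the validators decide whether that is acceptable.
    String issueInstantStr = element.getAttribute("IssueInstant");
    validateIssueInstant(issueInstantStr);
    destination = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");
    inResponseTo = element.getAttribute("InResponseTo");
    NodeList children = element.getChildNodes();
    if (children == null) {
        return;
    }
    int childCount = children.getLength();
    for (int i = 0; i < childCount; i++) {
        Node childNode = children.item(i);
        String cName = childNode.getLocalName();
        if (cName == null) {
            continue; // text, comment and other non-element nodes
        }
        if (cName.equals("Issuer")) {
            if (issuer != null) {
                rejectRepeatedChild(cName);
            }
            issuer = af.createIssuer((Element) childNode);
        } else if (cName.equals("Signature")) {
            if (signatureString != null) {
                rejectRepeatedChild(cName);
            }
            signatureString = XMLUtils.getElementString((Element) childNode);
            isSigned = true;
        } else if (cName.equals("Extensions")) {
            if (extensions != null) {
                rejectRepeatedChild(cName);
            }
            extensions = pf.createExtensions((Element) childNode);
        } else if (cName.equals("NameID")) {
            if (nameID != null) {
                rejectRepeatedChild(cName);
            }
            nameID = af.createNameID((Element) childNode);
        } else if (cName.equals("EncryptedID")) {
            if (encryptedID != null) {
                rejectRepeatedChild(cName);
            }
            encryptedID = af.createEncryptedID((Element) childNode);
        } else if (cName.equals("Status")) {
            if (status != null) {
                rejectRepeatedChild(cName);
            }
            status = pf.createStatus((Element) childNode);
        }
    }
}

/**
 * Fails the parse because the child element {@code childName} occurred more than once.
 *
 * @param childName local name of the repeated child, used in the debug message only
 * @throws SAML2Exception always, with the "moreElement" message
 */
private void rejectRepeatedChild(String childName) throws SAML2Exception {
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: included more than one " + childName + ".");
    }
    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
}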
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method validAssertion.
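/**
 * Validates a SAML 2.0 assertion presented as an OAuth 2.0 bearer grant or client
 * assertion (RFC 7522 processing rules), returning {@code false} at the first failed check.
 *
 * Checks, in order: an Issuer is present; the assertion is signed and the signature
 * verifies against that issuer's key (done before anything else is trusted); Conditions
 * carry an AudienceRestriction naming this authorization server; a Subject is present;
 * the assertion is inside its validity window; and at least one SubjectConfirmation with
 * the bearer method confirms delivery to this server. When that confirmation carries
 * SubjectConfirmationData, its NotOnOrAfter must still be in the future and its Recipient
 * must match {@code deploymentURL}; when the data is omitted, the Conditions element must
 * carry NotOnOrAfter instead (RFC 7522 section 3).
 *
 * Fixes relative to the previous version: the NotOnOrAfter test was inverted
 * ({@code before(now)} accepted only expired data), the bearer check was vacuous because
 * the flag was pre-set to true once the assertion was time-valid, the Recipient was
 * compared without the trailing-slash normalisation used for Audience, and null
 * NotOnOrAfter/Recipient/NameID values raised NullPointerException.
 *
 * URL comparison is case-insensitive and ignores one trailing "/", as it always was for
 * Audience. NOTE(review): URL paths are case-sensitive; consider tightening to an exact
 * scheme/host-insensitive, path-sensitive match.
 *
 * @param assertion     the parsed assertion; must not be null
 * @param deploymentURL this authorization server's URL, the expected Audience and Recipient
 * @return {@code true} only if every check passes
 * @throws SAML2Exception propagated from serialisation or signature verification
 */
private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
    //must contain issuer -- it also selects the key used to verify the signature
    final Issuer issuer = assertion.getIssuer();
    if (issuer == null) {
        logger.error("Issuer does not exist");
        return false;
    }
    // Authenticate the assertion before relying on any of its other content.
    if (!assertion.isSigned()) {
        logger.error("Assertion must be signed");
        return false;
    }
    if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
        logger.error("Assertion signature verification failed");
        return false;
    }
    /*
     * The Assertion MUST contain <Conditions> with an <AudienceRestriction> whose
     * <Audience> identifies the authorization server (the token endpoint URL MAY be
     * used); the server MUST verify that it is an intended audience.
     */
    final Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
        return false;
    }
    final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
    if (audienceRestriction == null || audienceRestriction.isEmpty()) {
        logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
        return false;
    }
    logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
    boolean audienceMatched = false;
    for (final AudienceRestriction restriction : audienceRestriction) {
        final List<String> audiences = restriction.getAudience();
        if (audiences == null) {
            continue;
        }
        for (final String audience : audiences) {
            if (sameEndpoint(audience, deploymentURL)) {
                audienceMatched = true;
                break;
            }
        }
        if (audienceMatched) {
            break;
        }
    }
    if (!audienceMatched) {
        logger.error("Didn't find the oauth2 provider in audience restrictions");
        return false;
    }
    /*
     * The Assertion MUST contain a <Subject>. It MAY identify the resource owner (or is
     * the client_id for client authentication); reading the NameID is left to the caller,
     * since a Subject is not required to carry one here.
     */
    final Subject subject = assertion.getSubject();
    if (subject == null) {
        logger.error("Subject does not exist");
        return false;
    }
    /*
     * The Assertion MUST have an expiry: NotOnOrAfter on <Conditions> or on a suitable
     * <SubjectConfirmationData>. The <Subject> MUST contain a <SubjectConfirmation> with
     * Method "urn:oasis:names:tc:SAML:2.0:cm:bearer"; its <SubjectConfirmationData> MAY be
     * omitted only when <Conditions> carries NotOnOrAfter. When present, the data MUST have
     * a Recipient matching the token endpoint (or an acceptable alias) and a NotOnOrAfter
     * bounding the confirmation window; Address checking is at the server's discretion.
     */
    final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
    if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
        logger.error("Subject Confirmations does not exist");
        return false;
    }
    //if conditions is expired assertion is expired
    if (!assertion.isTimeValid()) {
        logger.error("Assertion expired");
        return false;
    }
    final Date now = new Date();
    boolean bearerConfirmed = false;
    for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
        final String method = subjectConfirmation.getMethod();
        if (method == null || !method.equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
            continue;
        }
        final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
        if (subjectConfirmationData == null) {
            // Permitted only when the expiry lives on <Conditions> (isTimeValid() above enforced it).
            if (conditions.getNotOnOrAfter() != null) {
                bearerConfirmed = true;
            }
            continue;
        }
        // NotOnOrAfter is mandatory on the data and must not have passed: now < NotOnOrAfter.
        final Date notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
        if (notOnOrAfter == null || !now.before(notOnOrAfter)) {
            logger.error("Subject confirmation data expired or has no NotOnOrAfter");
            continue;
        }
        // Recipient must be this token endpoint, normalised the same way as Audience.
        if (!sameEndpoint(subjectConfirmationData.getRecipient(), deploymentURL)) {
            logger.error("Subject confirmation Recipient does not match the authorization server");
            continue;
        }
        bearerConfirmed = true;
        //TODO check Client Address
    }
    if (!bearerConfirmed) {
        logger.error("No valid bearer SubjectConfirmation for this authorization server");
        return false;
    }
    return true;
}

/**
 * Compares an endpoint URL from the assertion with the expected one: case-insensitive and
 * ignoring a single trailing "/" on either side. Null on either side never matches.
 */
private static boolean sameEndpoint(String candidate, String expected) {
    if (candidate == null || expected == null) {
        return false;
    }
    return stripTrailingSlash(candidate).equalsIgnoreCase(stripTrailingSlash(expected));
}

/** Removes one trailing "/" from {@code url}, if present. */
private static String stripTrailingSlash(String url) {
    return url.endsWith("/") ? url.substring(0, url.length() - 1) : url;
}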
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class AssertionGen method getAssertion.
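/**
 * Generates a signed SAML assertion and returns the Assertion object.
 *
 * The issuer is the IDP entity ID from the metadata parser; the subject and conditions
 * target the SP entity from the same metadata. An AttributeStatement is added only when
 * {@code attrName} holds at least one entry whose first element is not the literal
 * string "null". The assertion is signed with the key-store entry aliased "test" — a
 * fixture alias, which marks this generator as test tooling rather than a production issuer.
 *
 * Caveat: if building or signing throws SAML2Exception, the error is logged and whatever
 * was built so far is returned, possibly unsigned. Callers that need a trustworthy
 * assertion must check {@code isSigned()} rather than assume success.
 *
 * @param attrName  attribute names for the AttributeStatement; may be null or empty
 * @param attrValue attribute values parallel to {@code attrName}
 * @return the (normally signed) assertion
 */
private Assertion getAssertion(String[] attrName, String[] attrValue) {
    Assertion assertion = AssertionFactory.getInstance().createAssertion();
    MetaDataParser metadata = new MetaDataParser();
    String idpEntityId = metadata.getIDPEntityID();
    String spEntityId = metadata.getSPEntityID();
    String spBaseUrl = metadata.getSPbaseUrl();
    try {
        assertion.setID(SAML2Utils.generateID());
        assertion.setVersion(SAML2Constants.VERSION_2_0);
        assertion.setIssueInstant(new Date());
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(idpEntityId);
        assertion.setIssuer(issuer);
        assertion.setAuthnStatements(getAuthStatementList());
        assertion.setSubject(getSubject(spEntityId, spBaseUrl, idpEntityId));
        assertion.setConditions(getCondition(spEntityId));
        // A null/empty name list, or the "null" placeholder, means no AttributeStatement
        // (the old code dereferenced attrName unconditionally).
        boolean hasAttributes = attrName != null && attrName.length > 0 && !"null".equals(attrName[0]);
        if (hasAttributes) {
            assertion.setAttributeStatements(getAttributeList(attrName, attrValue));
        }
        KeyProvider kp = KeyUtil.getKeyProviderInstance();
        assertion.sign(kp.getPrivateKey("test"), kp.getX509Certificate("test"));
    } catch (SAML2Exception ex) {
        // Logged, not rethrown: the partially built assertion is still returned (see caveat above).
        Logger.getLogger(AssertionGen.class.getName()).log(Level.SEVERE, null, ex);
    }
    return assertion;
}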