
Example 16 with SecurityAssertionSaml

Use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.

From the class SamlAssertionValidatorImplTest, method testValidateInvalidIssuer.

// The assertion is built with an issuer ("WRONG") that is not trusted; the validator
// must reject it, so the test passes only if AuthenticationFailureException is thrown.
@Test(expected = AuthenticationFailureException.class)
public void testValidateInvalidIssuer() throws Exception {
    Assertion assertion = createAssertion(false, true, "WRONG", new DateTime().minusSeconds(10));
    Element securityToken = SAMLUtils.getInstance().getSecurityTokenFromSAMLAssertion(samlObjectToString(assertion));
    SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
    simplePrincipalCollection.add(new SecurityAssertionSaml(securityToken), "default");
    SAMLAuthenticationToken samlAuthenticationToken = new SAMLAuthenticationToken(simplePrincipalCollection, simplePrincipalCollection, "127.0.0.1");
    samlAssertionValidator.validate(samlAuthenticationToken);
}
Also used: Element(org.w3c.dom.Element) Assertion(org.opensaml.saml.saml2.core.Assertion) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) SAMLAuthenticationToken(org.codice.ddf.security.handler.SAMLAuthenticationToken) DateTime(org.joda.time.DateTime) SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml) Test(org.junit.Test)

Example 17 with SecurityAssertionSaml

Use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.

From the class SecurityAssertionStore, method getSecurityAssertion.

/**
 * Return the SecurityAssertion wrapper associated with the provided message
 *
 * @param message Message
 * @return SecurityAssertion
 */
public static SecurityAssertion getSecurityAssertion(Message message) {
    if (message != null) {
        TokenStore tokenStore = getTokenStore(message);
        Principal principal = null;
        SecurityContext context = message.get(SecurityContext.class);
        if (context != null) {
            principal = context.getUserPrincipal();
        }
        if (!(principal instanceof SAMLTokenPrincipal)) {
            // Try to find the SAMLTokenPrincipal if it exists
            List<?> wsResults = List.class.cast(message.get(WSHandlerConstants.RECV_RESULTS));
            if (wsResults != null) {
                for (Object wsResult : wsResults) {
                    if (wsResult instanceof WSHandlerResult) {
                        List<WSSecurityEngineResult> wsseResults = ((WSHandlerResult) wsResult).getResults();
                        for (WSSecurityEngineResult wsseResult : wsseResults) {
                            Object principalResult = wsseResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                            if (principalResult instanceof SAMLTokenPrincipal) {
                                principal = (SAMLTokenPrincipal) principalResult;
                                break;
                            }
                        }
                    }
                }
            }
        }
        if (tokenStore != null && principal instanceof SAMLTokenPrincipal) {
            String id = ((SAMLTokenPrincipal) principal).getId();
            SamlAssertionWrapper samlAssertionWrapper = ((SAMLTokenPrincipal) principal).getToken();
            SecurityToken token = tokenStore.getToken(id);
            if (token == null) {
                if (samlAssertionWrapper.getSaml2().getIssueInstant() != null
                        && samlAssertionWrapper.getSaml2().getConditions() != null
                        && samlAssertionWrapper.getSaml2().getConditions().getNotOnOrAfter() != null) {
                    // Cache the token with the assertion's own issue instant and NotOnOrAfter expiry
                    token = new SecurityToken(
                            id,
                            samlAssertionWrapper.getElement(),
                            Instant.ofEpochMilli(samlAssertionWrapper.getSaml2().getIssueInstant().getMillis()),
                            Instant.ofEpochMilli(samlAssertionWrapper.getSaml2().getConditions().getNotOnOrAfter().getMillis()));
                } else {
                    // we don't know how long this should last or when it was created, so just
                    // set it to 1 minute
                    // This shouldn't happen unless someone sets up a third party STS with weird
                    // settings.
                    Instant now = Instant.now();
                    token = new SecurityToken(id, samlAssertionWrapper.getElement(), now, now.plus(Duration.ofMinutes(1L)));
                }
                tokenStore.add(token);
            }
            return new SecurityAssertionSaml(samlAssertionWrapper.getElement());
        } else if (principal instanceof SecurityAssertionPrincipal) {
            return ((SecurityAssertionPrincipal) principal).getAssertion();
        }
    }
    return new SecurityAssertionSaml();
}
Also used: SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) SecurityAssertionPrincipal(ddf.security.assertion.SecurityAssertionPrincipal) Instant(java.time.Instant) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SecurityContext(org.apache.cxf.security.SecurityContext) TokenStore(org.apache.cxf.ws.security.tokenstore.TokenStore) Principal(java.security.Principal) SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)

Example 18 with SecurityAssertionSaml

Use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.

From the class AssertionConsumerService, method login.

private boolean login(org.opensaml.saml.saml2.core.Response samlResponse) {
    if (!request.isSecure()) {
        return false;
    }
    Map<String, Cookie> cookieMap = HttpUtils.getCookieMap(request);
    if (cookieMap.containsKey("JSESSIONID") && sessionFactory != null) {
        sessionFactory.getOrCreateSession(request).invalidate();
    }
    HandlerResult handlerResult = new HandlerResultImpl();
    SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
    simplePrincipalCollection.add(new SecurityAssertionSaml(samlResponse.getAssertions().get(0).getDOM()), "default");
    SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, simplePrincipalCollection, request.getRemoteAddr());
    handlerResult.setToken(samlToken);
    handlerResult.setStatus(HandlerResult.Status.COMPLETED);
    if (handlerResult.getStatus() != HandlerResult.Status.COMPLETED) {
        LOGGER.debug("Failed to handle SAML assertion.");
        return false;
    }
    if (handlerResult.getToken() instanceof BaseAuthenticationToken) {
        ((BaseAuthenticationToken) handlerResult.getToken()).setAllowGuest(contextPolicyManager.getGuestAccess());
    }
    request.setAttribute(AUTHENTICATION_TOKEN_KEY, handlerResult);
    request.removeAttribute(ContextPolicy.NO_AUTH_POLICY);
    try {
        LOGGER.trace("Trying to login with provided SAML assertion.");
        loginFilter.doFilter(request, null, (servletRequest, servletResponse) -> {
        });
    } catch (IOException | AuthenticationException e) {
        LOGGER.debug("Failed to apply login filter to SAML assertion", e);
        return false;
    }
    return true;
}
Also used: Cookie(javax.servlet.http.Cookie) AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException) HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl) BaseAuthenticationToken(org.codice.ddf.security.handler.BaseAuthenticationToken) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) IOException(java.io.IOException) SAMLAuthenticationToken(org.codice.ddf.security.handler.SAMLAuthenticationToken) SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)

Example 19 with SecurityAssertionSaml

Use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.

From the class IdpHandler, method checkForAssertionInHttpHeader.

private HandlerResult checkForAssertionInHttpHeader(ServletRequest request) {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    String authHeader = ((HttpServletRequest) request).getHeader(SecurityConstants.SAML_HEADER_NAME);
    HandlerResult handlerResult = new HandlerResultImpl();
    // check for full SAML assertions coming in (federated requests, etc.)
    if (authHeader != null) {
        String[] tokenizedAuthHeader = authHeader.split(" ");
        if (tokenizedAuthHeader.length == 2 && tokenizedAuthHeader[0].equals("SAML") && samlSecurity != null) {
            String encodedSamlAssertion = tokenizedAuthHeader[1];
            LOGGER.trace("Header retrieved");
            try {
                String tokenString = samlSecurity.inflateBase64(encodedSamlAssertion);
                LOGGER.trace("Header value: {}", LogSanitizer.sanitize(tokenString));
                SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
                simplePrincipalCollection.add(new SecurityAssertionSaml(SAMLUtils.getInstance().getSecurityTokenFromSAMLAssertion(tokenString)), "default");
                SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(simplePrincipalCollection, simplePrincipalCollection, request.getRemoteAddr());
                handlerResult.setToken(samlToken);
                handlerResult.setStatus(HandlerResult.Status.COMPLETED);
            } catch (IOException e) {
                LOGGER.info("Unexpected error converting header value to string", e);
            }
            return handlerResult;
        }
    }
    // Check for legacy SAML cookie
    Map<String, Cookie> cookies = HttpUtils.getCookieMap(httpRequest);
    Cookie samlCookie = cookies.get(SecurityConstants.SAML_COOKIE_NAME);
    if (samlCookie != null && samlSecurity != null) {
        String cookieValue = samlCookie.getValue();
        LOGGER.trace("Cookie retrieved");
        try {
            String tokenString = samlSecurity.inflateBase64(cookieValue);
            LOGGER.trace("Cookie value: {}", LogSanitizer.sanitize(tokenString));
            Element thisToken = StaxUtils.read(new StringReader(tokenString)).getDocumentElement();
            SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
            simplePrincipalCollection.add(new SecurityAssertionSaml(thisToken), "default");
            SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, simplePrincipalCollection, request.getRemoteAddr());
            handlerResult.setToken(samlToken);
            handlerResult.setStatus(HandlerResult.Status.COMPLETED);
        } catch (IOException e) {
            LOGGER.info("Unexpected error converting cookie value to string - proceeding without SAML token.", e);
        } catch (XMLStreamException e) {
            LOGGER.info("Unexpected error converting XML string to element - proceeding without SAML token.", e);
        }
        return handlerResult;
    }
    return null;
}
Also used: Cookie(javax.servlet.http.Cookie) HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl) Element(org.w3c.dom.Element) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) IOException(java.io.IOException) SAMLAuthenticationToken(org.codice.ddf.security.handler.SAMLAuthenticationToken) HttpServletRequest(javax.servlet.http.HttpServletRequest) XMLStreamException(javax.xml.stream.XMLStreamException) StringReader(java.io.StringReader) SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)
