Example 16 with SecurityAssertionSaml
use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.
the class SamlAssertionValidatorImplTest method testValidateInvalidIssuer.
@Test(expected = AuthenticationFailureException.class)
public void testValidateInvalidIssuer() throws Exception {
Assertion assertion = createAssertion(false, true, "WRONG", new DateTime().minusSeconds(10));
Element securityToken = SAMLUtils.getInstance().getSecurityTokenFromSAMLAssertion(samlObjectToString(assertion));
SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
simplePrincipalCollection.add(new SecurityAssertionSaml(securityToken), "default");
SAMLAuthenticationToken samlAuthenticationToken = new SAMLAuthenticationToken(simplePrincipalCollection, simplePrincipalCollection, "127.0.0.1");
samlAssertionValidator.validate(samlAuthenticationToken);
}
Also used :
Element(org.w3c.dom.Element)
Assertion(org.opensaml.saml.saml2.core.Assertion)
SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection)
SAMLAuthenticationToken(org.codice.ddf.security.handler.SAMLAuthenticationToken)
DateTime(org.joda.time.DateTime)
SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)
Test(org.junit.Test)
Example 17 with SecurityAssertionSaml
use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.
the class SecurityAssertionStore method getSecurityAssertion.
/**
* Return the SecurityAssertion wrapper associated with the provided message
*
* @param message Message
* @return SecurityAssertion
*/
public static SecurityAssertion getSecurityAssertion(Message message) {
if (message != null) {
TokenStore tokenStore = getTokenStore(message);
Principal principal = null;
SecurityContext context = message.get(SecurityContext.class);
if (context != null) {
principal = context.getUserPrincipal();
}
if (!(principal instanceof SAMLTokenPrincipal)) {
// Try to find the SAMLTokenPrincipal if it exists
List<?> wsResults = List.class.cast(message.get(WSHandlerConstants.RECV_RESULTS));
if (wsResults != null) {
for (Object wsResult : wsResults) {
if (wsResult instanceof WSHandlerResult) {
List<WSSecurityEngineResult> wsseResults = ((WSHandlerResult) wsResult).getResults();
for (WSSecurityEngineResult wsseResult : wsseResults) {
Object principalResult = wsseResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
if (principalResult instanceof SAMLTokenPrincipal) {
principal = (SAMLTokenPrincipal) principalResult;
break;
}
}
}
}
}
}
if (tokenStore != null && principal instanceof SAMLTokenPrincipal) {
String id = ((SAMLTokenPrincipal) principal).getId();
SamlAssertionWrapper samlAssertionWrapper = ((SAMLTokenPrincipal) principal).getToken();
SecurityToken token = tokenStore.getToken(id);
if (token == null) {
if (samlAssertionWrapper.getSaml2().getIssueInstant() != null && samlAssertionWrapper.getSaml2().getConditions() != null && samlAssertionWrapper.getSaml2().getConditions().getNotOnOrAfter() != null) {
token = new SecurityToken(id, samlAssertionWrapper.getElement(), Instant.ofEpochMilli(samlAssertionWrapper.getSaml2().getIssueInstant().getMillis()), Instant.ofEpochMilli(samlAssertionWrapper.getSaml2().getConditions().getNotOnOrAfter().getMillis()));
} else {
// we don't know how long this should last or when it was created, so just
// set it to 1 minute
// This shouldn't happen unless someone sets up a third party STS with weird
// settings.
Instant now = Instant.now();
token = new SecurityToken(id, samlAssertionWrapper.getElement(), now, now.plus(Duration.ofMinutes(1L)));
}
tokenStore.add(token);
}
return new SecurityAssertionSaml(samlAssertionWrapper.getElement());
} else if (principal instanceof SecurityAssertionPrincipal) {
return ((SecurityAssertionPrincipal) principal).getAssertion();
}
}
return new SecurityAssertionSaml();
}
Also used :
SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal)
SecurityAssertionPrincipal(ddf.security.assertion.SecurityAssertionPrincipal)
Instant(java.time.Instant)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SecurityContext(org.apache.cxf.security.SecurityContext)
TokenStore(org.apache.cxf.ws.security.tokenstore.TokenStore)
SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal)
Principal(java.security.Principal)
SecurityAssertionPrincipal(ddf.security.assertion.SecurityAssertionPrincipal)
SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)
Example 18 with SecurityAssertionSaml
use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.
the class AssertionConsumerService method login.
private boolean login(org.opensaml.saml.saml2.core.Response samlResponse) {
if (!request.isSecure()) {
return false;
}
Map<String, Cookie> cookieMap = HttpUtils.getCookieMap(request);
if (cookieMap.containsKey("JSESSIONID") && sessionFactory != null) {
sessionFactory.getOrCreateSession(request).invalidate();
}
HandlerResult handlerResult = new HandlerResultImpl();
SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
simplePrincipalCollection.add(new SecurityAssertionSaml(samlResponse.getAssertions().get(0).getDOM()), "default");
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, simplePrincipalCollection, request.getRemoteAddr());
handlerResult.setToken(samlToken);
handlerResult.setStatus(HandlerResult.Status.COMPLETED);
if (handlerResult.getStatus() != HandlerResult.Status.COMPLETED) {
LOGGER.debug("Failed to handle SAML assertion.");
return false;
}
if (handlerResult.getToken() instanceof BaseAuthenticationToken) {
((BaseAuthenticationToken) handlerResult.getToken()).setAllowGuest(contextPolicyManager.getGuestAccess());
}
request.setAttribute(AUTHENTICATION_TOKEN_KEY, handlerResult);
request.removeAttribute(ContextPolicy.NO_AUTH_POLICY);
try {
LOGGER.trace("Trying to login with provided SAML assertion.");
loginFilter.doFilter(request, null, (servletRequest, servletResponse) -> {
});
} catch (IOException | AuthenticationException e) {
LOGGER.debug("Failed to apply login filter to SAML assertion", e);
return false;
}
return true;
}
Also used :
Cookie(javax.servlet.http.Cookie)
AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException)
HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl)
BaseAuthenticationToken(org.codice.ddf.security.handler.BaseAuthenticationToken)
SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
IOException(java.io.IOException)
SAMLAuthenticationToken(org.codice.ddf.security.handler.SAMLAuthenticationToken)
SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)
Example 19 with SecurityAssertionSaml
use of ddf.security.assertion.saml.impl.SecurityAssertionSaml in project ddf by codice.
the class IdpHandler method checkForAssertionInHttpHeader.
private HandlerResult checkForAssertionInHttpHeader(ServletRequest request) {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String authHeader = ((HttpServletRequest) request).getHeader(SecurityConstants.SAML_HEADER_NAME);
HandlerResult handlerResult = new HandlerResultImpl();
// check for full SAML assertions coming in (federated requests, etc.)
if (authHeader != null) {
String[] tokenizedAuthHeader = authHeader.split(" ");
if (tokenizedAuthHeader.length == 2 && tokenizedAuthHeader[0].equals("SAML") && samlSecurity != null) {
String encodedSamlAssertion = tokenizedAuthHeader[1];
LOGGER.trace("Header retrieved");
try {
String tokenString = samlSecurity.inflateBase64(encodedSamlAssertion);
LOGGER.trace("Header value: {}", LogSanitizer.sanitize(tokenString));
SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
simplePrincipalCollection.add(new SecurityAssertionSaml(SAMLUtils.getInstance().getSecurityTokenFromSAMLAssertion(tokenString)), "default");
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(simplePrincipalCollection, simplePrincipalCollection, request.getRemoteAddr());
handlerResult.setToken(samlToken);
handlerResult.setStatus(HandlerResult.Status.COMPLETED);
} catch (IOException e) {
LOGGER.info("Unexpected error converting header value to string", e);
}
return handlerResult;
}
}
// Check for legacy SAML cookie
Map<String, Cookie> cookies = HttpUtils.getCookieMap(httpRequest);
Cookie samlCookie = cookies.get(SecurityConstants.SAML_COOKIE_NAME);
if (samlCookie != null && samlSecurity != null) {
String cookieValue = samlCookie.getValue();
LOGGER.trace("Cookie retrieved");
try {
String tokenString = samlSecurity.inflateBase64(cookieValue);
LOGGER.trace("Cookie value: {}", LogSanitizer.sanitize(tokenString));
Element thisToken = StaxUtils.read(new StringReader(tokenString)).getDocumentElement();
SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
simplePrincipalCollection.add(new SecurityAssertionSaml(thisToken), "default");
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, simplePrincipalCollection, request.getRemoteAddr());
handlerResult.setToken(samlToken);
handlerResult.setStatus(HandlerResult.Status.COMPLETED);
} catch (IOException e) {
LOGGER.info("Unexpected error converting cookie value to string - proceeding without SAML token.", e);
} catch (XMLStreamException e) {
LOGGER.info("Unexpected error converting XML string to element - proceeding without SAML token.", e);
}
return handlerResult;
}
return null;
}
Also used :
Cookie(javax.servlet.http.Cookie)
HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl)
Element(org.w3c.dom.Element)
SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
IOException(java.io.IOException)
SAMLAuthenticationToken(org.codice.ddf.security.handler.SAMLAuthenticationToken)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
XMLStreamException(javax.xml.stream.XMLStreamException)
StringReader(java.io.StringReader)
SecurityAssertionSaml(ddf.security.assertion.saml.impl.SecurityAssertionSaml)
Aggregations
SecurityAssertionSaml (ddf.security.assertion.saml.impl.SecurityAssertionSaml)19
Element (org.w3c.dom.Element)15
Test (org.junit.Test)14
SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)10
SAMLAuthenticationToken (org.codice.ddf.security.handler.SAMLAuthenticationToken)9
Assertion (org.opensaml.saml.saml2.core.Assertion)6
DateTime (org.joda.time.DateTime)5
IOException (java.io.IOException)2
Principal (java.security.Principal)2
X509Certificate (java.security.cert.X509Certificate)2
Cookie (javax.servlet.http.Cookie)2
HandlerResultImpl (org.codice.ddf.security.handler.HandlerResultImpl)2
HandlerResult (org.codice.ddf.security.handler.api.HandlerResult)2
AuthenticationStatement (ddf.security.assertion.AuthenticationStatement)1
SecurityAssertion (ddf.security.assertion.SecurityAssertion)1
SecurityAssertionPrincipal (ddf.security.assertion.SecurityAssertionPrincipal)1
StringReader (java.io.StringReader)1
Instant (java.time.Instant)1
Objects (java.util.Objects)1
HttpServletRequest (javax.servlet.http.HttpServletRequest)1
