
Example 1 with ValidationException

Use of ddf.security.samlp.impl.ValidationException in project ddf by codice.

From the class LogoutRequestService, method soapLogoutRequest (the SOAP back-channel single-logout endpoint). Fields such as logoutMessage, simpleSign, httpSessionInvalidator, securityLogger and this.request are injected elsewhere in the class and are not shown here.

@POST
@Consumes({ "text/xml", "application/soap+xml" })
public Response soapLogoutRequest(InputStream body, @Context HttpServletRequest request) {
    XMLObject xmlObject;
    try {
        // Read the raw SOAP envelope and unmarshal the first child of its Body into an OpenSAML object.
        String bodyString = IOUtils.toString(body, StandardCharsets.UTF_8);
        SOAPPart soapMessage = SamlProtocol.parseSoapMessage(bodyString);
        xmlObject = SamlProtocol.getXmlObjectFromNode(soapMessage.getEnvelope().getBody().getFirstChild());
        if (!(xmlObject instanceof LogoutRequest)) {
            // Anything other than a LogoutRequest is rejected before any state is touched.
            LOGGER.info(UNABLE_TO_PARSE_LOGOUT_REQUEST);
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Type of object is {}", xmlObject == null ? "null" : xmlObject.getSchemaType());
            }
            return Response.serverError().build();
        }
    } catch (SOAPException | XMLStreamException | IOException | WSSecurityException e) {
        // Malformed input is logged at debug level only; the caller just sees a generic 500.
        LOGGER.debug("Error parsing input", e);
        return Response.serverError().build();
    }
    LogoutRequest logoutRequest = (LogoutRequest) xmlObject;
    if (logoutMessage == null) {
        // The LogoutMessage service is injected; without it no LogoutResponse can be built.
        LOGGER.info("Logout message not available yet");
        return Response.serverError().build();
    }
    // Pre-build response with success status; the status is overridden on the failure paths below.
    LogoutWrapper<LogoutResponse> logoutResponse = logoutMessage.buildLogoutResponse(logoutRequest.getIssuer().getValue(), StatusCode.SUCCESS, logoutRequest.getID());
    try {
        // 1. Signature check comes first: a missing or untrusted signature is answered with AuthnFailed.
        if (!validateSignature(logoutRequest)) {
            return getSamlpSoapLogoutResponse(logoutResponse, StatusCode.AUTHN_FAILED, null);
        }
        // 2. Protocol-level validation (throws ValidationException on failure). Note that the URL
        //    comes from the injected field this.request, not the method parameter of the same name,
        //    and that the HTTP_POST binding constant is passed even though this endpoint is the SOAP one.
        new SamlValidator.Builder(simpleSign).buildAndValidate(this.request.getRequestURL().toString(), SamlProtocol.Binding.HTTP_POST, logoutRequest);
        // 3. Only after both checks pass is the session bound to the NameID invalidated and the logout audited.
        httpSessionInvalidator.invalidateSession(logoutRequest.getNameID().getValue(), this::extractSubject);
        securityLogger.audit("Subject logged out by backchannel request: {}", logoutRequest.getNameID().getValue());
        return getSamlpSoapLogoutResponse(logoutResponse);
    } catch (ValidationException e) {
        // Validation failures are reported back to the IdP as a Responder status carrying the message.
        LOGGER.info(UNABLE_TO_VALIDATE_LOGOUT_REQUEST, e);
        return getSamlpSoapLogoutResponse(logoutResponse, StatusCode.RESPONDER, e.getMessage());
    }
}
Also used:
    ValidationException (ddf.security.samlp.impl.ValidationException)
    LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)
    SignableXMLObject (org.opensaml.xmlsec.signature.SignableXMLObject)
    XMLObject (org.opensaml.core.xml.XMLObject)
    WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)
    IOException (java.io.IOException)
    XMLStreamException (javax.xml.stream.XMLStreamException)
    SOAPException (javax.xml.soap.SOAPException)
    SamlValidator (ddf.security.samlp.impl.SamlValidator)
    SOAPPart (javax.xml.soap.SOAPPart)
    LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)
    POST (javax.ws.rs.POST)
    Consumes (javax.ws.rs.Consumes)
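The back-channel flow above, as an added stand-alone example that is not DDF code: it unwraps a SOAP envelope, checks that the Body carries a samlp:LogoutRequest, and answers with a samlp:LogoutResponse whose StatusCode follows the same decision order as soapLogoutRequest (AuthnFailed on a bad signature, Responder on a ValidationException, Success only after the session is invalidated). The endpoint URL, the issuer value and the sample envelope are constructed for the example; XML-DSig verification is injected as a callback because checking it properly needs an xmlsec library, and validate_logout_request is only a stand-in for SamlValidator.buildAndValidate that checks the Destination attribute.

```python
"""Added example (not DDF code): SOAP back-channel logout handling in plain Python."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# Hypothetical SP values; ENDPOINT_URL stands in for this.request.getRequestURL().
ENDPOINT_URL = "https://sp.example.com/logout/sso/soap"
SP_ISSUER = "https://sp.example.com"

# Constructed sample message (not captured from a real IdP).
SAMPLE_ENVELOPE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
        Destination="https://sp.example.com/logout/sso/soap">
      <saml:Issuer>https://idp.example.com</saml:Issuer>
      <saml:NameID>alice@example.com</saml:NameID>
    </samlp:LogoutRequest>
  </soap:Body>
</soap:Envelope>"""


class ValidationException(Exception):
    """Plays the role of ddf.security.samlp.impl.ValidationException here."""


def first_body_element(envelope_bytes):
    """Unwrap the SOAP envelope and return the first element inside soap:Body."""
    root = ET.fromstring(envelope_bytes)
    if root.tag != "{%s}Envelope" % NS["soap"]:
        raise ValueError("not a SOAP envelope")
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        raise ValueError("empty SOAP body")
    return body[0]


def build_logout_response(issuer, in_response_to, status_code, status_message=None):
    """Build a minimal, unsigned samlp:LogoutResponse correlated to the request ID."""
    resp = ET.Element("{%s}LogoutResponse" % NS["samlp"],
                      {"ID": "_resp-" + in_response_to, "Version": "2.0", "InResponseTo": in_response_to})
    ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = issuer
    status = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status, "{%s}StatusCode" % NS["samlp"], {"Value": status_code})
    if status_message:
        ET.SubElement(status, "{%s}StatusMessage" % NS["samlp"]).text = status_message
    return ET.tostring(resp)


def validate_logout_request(req):
    """Stand-in for SamlValidator.buildAndValidate: only the Destination check is modelled."""
    dest = req.get("Destination")
    if dest is not None and dest != ENDPOINT_URL:
        raise ValidationException("Destination %s does not match %s" % (dest, ENDPOINT_URL))


def handle_soap_logout(envelope_bytes, sessions, signature_ok):
    """Return (http_status, response_bytes), mirroring the order of checks in soapLogoutRequest."""
    try:
        req = first_body_element(envelope_bytes)
    except (ET.ParseError, ValueError):
        return 500, None                      # parse failure: generic server error
    if req.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return 500, None                      # wrong message type: also a server error
    request_id = req.get("ID") or ""
    name_id = req.findtext("saml:NameID", default="", namespaces=NS)
    if not signature_ok(req):                 # 1. signature first
        return 200, build_logout_response(SP_ISSUER, request_id, STATUS_AUTHN_FAILED)
    try:
        validate_logout_request(req)          # 2. protocol validation
    except ValidationException as e:
        return 200, build_logout_response(SP_ISSUER, request_id, STATUS_RESPONDER, str(e))
    sessions.pop(name_id, None)               # 3. invalidate only after both checks pass
    return 200, build_logout_response(SP_ISSUER, request_id, STATUS_SUCCESS)


def run_flow(envelope_bytes, signature_ok):
    """Run one request against a fresh session table; returns (status, body, remaining sessions)."""
    sessions = {"alice@example.com": "session-1"}
    status, body = handle_soap_logout(envelope_bytes, sessions, signature_ok)
    return status, body, sessions
```

run_flow(SAMPLE_ENVELOPE, lambda req: True) removes alice's session and answers Success; with a callback returning False the session survives and the answer is AuthnFailed; an envelope whose Destination points elsewhere is answered with Responder and, again, leaves the session intact. For untrusted XML in production parse with defusedxml rather than the bare stdlib parser.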

Example 2 with ValidationException

Use of ddf.security.samlp.impl.ValidationException in project ddf by codice.

From the class AuthnResponseValidator, method validate (the SP-side checks on an IdP's AuthN Response). The fields wasRedirectSigned and simpleSign, and the helpers getSpAssertionConsumerServiceUrl and getSpIssuerId, belong to the enclosing class and are not shown here.

public void validate(XMLObject xmlObject) throws ValidationException {
    // Every failed check surfaces as a ValidationException; the caller decides how to report it.
    if (!(xmlObject instanceof Response)) {
        throw new ValidationException("Invalid AuthN response XML.");
    }
    Response authnResponse = (Response) xmlObject;
    // The top-level StatusCode must be Success; nested second-level status codes are not inspected here.
    String status = authnResponse.getStatus().getStatusCode().getValue();
    if (!StatusCode.SUCCESS.equals(status)) {
        throw new ValidationException("AuthN request was unsuccessful.  Received status: " + status);
    }
    // At least one assertion is required; extra assertions are logged and ignored, only the first is used.
    if (authnResponse.getAssertions().size() < 1) {
        throw new ValidationException("Assertion missing in AuthN response.");
    }
    if (authnResponse.getAssertions().size() > 1) {
        LOGGER.info("Received multiple assertions in AuthN response.  Only using the first assertion.");
    }
    // When the AuthnRequest was sent signed, the response must carry a Destination equal to our ACS URL.
    if (wasRedirectSigned) {
        if (authnResponse.getDestination() == null) {
            throw new ValidationException("Invalid Destination attribute, must be not null for signed responses.");
        } else if (!authnResponse.getDestination().equals(getSpAssertionConsumerServiceUrl(getSpIssuerId()))) {
            throw new ValidationException("Invalid Destination attribute, does not match requested destination.");
        }
    }
    // The response-level signature is verified only when one is present; an unsigned response skips
    // this branch, so any requirement for a signature on the assertion itself must be enforced elsewhere.
    if (authnResponse.getSignature() != null) {
        try {
            simpleSign.validateSignature(authnResponse.getSignature(), authnResponse.getDOM().getOwnerDocument());
        } catch (SignatureException e) {
            throw new ValidationException("Invalid or untrusted signature.");
        }
    }
}
Also used:
    Response (org.opensaml.saml.saml2.core.Response)
    ValidationException (ddf.security.samlp.impl.ValidationException)
    SignatureException (ddf.security.samlp.SignatureException)
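The same sequence of checks, as an added stand-alone example that is not DDF code, applied to constructed samlp:Response documents so each ValidationException branch can be seen against actual XML: wrong root element, non-Success status, missing assertion, extra assertions (accepted with a warning), Destination missing or mismatched when the request was signed, and a present-but-invalid signature. The ACS URL and the make_response builder are this example's own assumptions; signature verification is injected as a callback because real XML-DSig checking needs an xmlsec library.

```python
"""Added example (not DDF code): the AuthnResponseValidator.validate checks in plain Python."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
# Hypothetical SP value standing in for getSpAssertionConsumerServiceUrl(getSpIssuerId()).
SP_ACS_URL = "https://sp.example.com/saml/sso"


class ValidationException(Exception):
    """Plays the role of ddf.security.samlp.impl.ValidationException here."""


def validate_authn_response(xml_bytes, was_redirect_signed, verify_signature):
    """Return (first_assertion, warnings) or raise ValidationException, in the same order as validate()."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValidationException("Invalid AuthN response XML.")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    if status != STATUS_SUCCESS:
        raise ValidationException("AuthN request was unsuccessful.  Received status: %s" % status)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) < 1:
        raise ValidationException("Assertion missing in AuthN response.")
    warnings = []
    if len(assertions) > 1:
        warnings.append("Received multiple assertions in AuthN response.  Only using the first assertion.")
    if was_redirect_signed:
        dest = root.get("Destination")
        if dest is None:
            raise ValidationException("Invalid Destination attribute, must be not null for signed responses.")
        if dest != SP_ACS_URL:
            raise ValidationException("Invalid Destination attribute, does not match requested destination.")
    sig = root.find("ds:Signature", NS)
    if sig is not None and not verify_signature(root, sig):   # skipped when no signature is present
        raise ValidationException("Invalid or untrusted signature.")
    return assertions[0], warnings


def make_response(status=STATUS_SUCCESS, destination=SP_ACS_URL, n_assertions=1, signed=False):
    """Constructed sample data (not a real IdP message) for exercising the validator."""
    attrs = {"ID": "_r1", "Version": "2.0"}
    if destination is not None:
        attrs["Destination"] = destination
    root = ET.Element("{%s}Response" % NS["samlp"], attrs)
    if signed:
        ET.SubElement(root, "{%s}Signature" % NS["ds"])   # placeholder element, no real digest
    st = ET.SubElement(root, "{%s}Status" % NS["samlp"])
    ET.SubElement(st, "{%s}StatusCode" % NS["samlp"], {"Value": status})
    for i in range(n_assertions):
        ET.SubElement(root, "{%s}Assertion" % NS["saml"], {"ID": "_a%d" % i})
    return ET.tostring(root)


def rejected(xml_bytes, was_redirect_signed, verify_signature=lambda root, sig: True):
    """True when the validator raises ValidationException for this input."""
    try:
        validate_authn_response(xml_bytes, was_redirect_signed, verify_signature)
    except ValidationException:
        return True
    return False
```

rejected(make_response(n_assertions=2), True) is False but the call returns a warning, which is worth surfacing in monitoring: multiple assertions in one response is the shape that signature-wrapping attacks take, and picking the first one is only safe if the signature check covers that exact element. As with any parser fed IdP traffic, use defusedxml in production.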

Aggregations

    ValidationException (ddf.security.samlp.impl.ValidationException) 2
    SignatureException (ddf.security.samlp.SignatureException) 1
    SamlValidator (ddf.security.samlp.impl.SamlValidator) 1
    IOException (java.io.IOException) 1
    Consumes (javax.ws.rs.Consumes) 1
    POST (javax.ws.rs.POST) 1
    SOAPException (javax.xml.soap.SOAPException) 1
    SOAPPart (javax.xml.soap.SOAPPart) 1
    XMLStreamException (javax.xml.stream.XMLStreamException) 1
    WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException) 1
    XMLObject (org.opensaml.core.xml.XMLObject) 1
    LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest) 1
    LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse) 1
    Response (org.opensaml.saml.saml2.core.Response) 1
    SignableXMLObject (org.opensaml.xmlsec.signature.SignableXMLObject) 1