
Example 41 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlIdPObjectEncrypter method resolveEncryptionParameters.

/**
 * Resolves the OpenSAML {@link EncryptionParameters} to use when encrypting objects for a service.
 * <p>
 * Resolution is driven by two criteria: the supplied encryption configuration (keys and
 * algorithm policy) and whether encryption is optional for the registered service. The value
 * returned by the resolver is handed back unchanged, so when nothing matches the caller receives
 * whatever {@code resolveSingle} yields for "no result" (possibly {@code null}) rather than an error.
 *
 * @param service                 the registered SAML service being processed
 * @param encryptionConfiguration the encryption configuration the parameters are resolved against
 * @return the resolved encryption parameters, or the resolver's empty result when none match
 * @throws ResolverException if the parameters resolver fails
 */
protected EncryptionParameters resolveEncryptionParameters(final SamlRegisteredService service, final BasicEncryptionConfiguration encryptionConfiguration) throws ResolverException {
    val configurationCriterion = new EncryptionConfigurationCriterion(encryptionConfiguration);
    val optionalCriterion = new EncryptionOptionalCriterion(service.isEncryptionOptional());
    val criteria = new CriteriaSet(configurationCriterion, optionalCriterion);
    val resolver = new BasicEncryptionParametersResolver();
    return resolver.resolveSingle(criteria);
}
Also used : lombok.val(lombok.val) EncryptionOptionalCriterion(org.opensaml.xmlsec.criterion.EncryptionOptionalCriterion) EncryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) BasicEncryptionParametersResolver(org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver)

Example 42 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.

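/**
 * Validates the signature on an inbound SAML authentication request received over the
 * HTTP-Redirect (DEFLATE) binding, i.e. the signature carried in the query string.
 * <p>
 * The issuer claimed in the request is resolved to an SP role descriptor in metadata, and each
 * signing credential published for that entity is tried in turn with an
 * {@link ExplicitKeySignatureTrustEngine} until one verifies the request. "Valid" here means only
 * that {@link SAML2HTTPRedirectDeflateSignatureSecurityHandler#invoke} returned without throwing for
 * one of those credentials; this method does not itself decide whether a request that carries no
 * signature at all is acceptable (NOTE(review): confirm with the caller / handler configuration that a
 * signature is actually required for this request, otherwise an unsigned request could pass here).
 * <p>
 * Side effects: the peer-entity, protocol and security-parameters sub-contexts are created on
 * {@code context} and populated.
 *
 * @param profileRequest         the inbound request whose signature is checked
 * @param request                the servlet request carrying the signed query string
 * @param context                the OpenSAML message context for this request
 * @param roleDescriptorResolver resolver used to locate the SP's metadata and its signing keys
 * @throws SamlException if the claimed issuer has no SP role descriptor in metadata, if no signing
 *                       credentials could be resolved for it, or if none of them verifies the signature
 * @throws Exception     propagated from the underlying OpenSAML resolvers
 */
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    val peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest));
    val peerEntityId = Objects.requireNonNull(peer.getEntityId());
    LOGGER.debug("Validating request signature for [{}]...", peerEntityId);

    // The issuer is asserted by the peer; the metadata lookup is what ties it to a trusted SP.
    val roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    if (roleDescriptor == null) {
        // An unknown or non-SP issuer must fail as a SAML error, not as a NullPointerException below.
        throw new SamlException("No SP role descriptor could be resolved from metadata for [" + peerEntityId + ']');
    }
    peer.setRole(roleDescriptor.getElementQName());

    val protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);

    LOGGER.debug("Building security parameters context for signature validation of [{}]", peerEntityId);
    val secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    val validationParams = new SignatureValidationParameters();
    if (overrideBlockedSignatureAlgorithms != null && !overrideBlockedSignatureAlgorithms.isEmpty()) {
        validationParams.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
        // Log the blocked list here; the original logged the allowed list under this message.
        LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideBlockedSignatureAlgorithms);
    }
    if (overrideAllowedAlgorithms != null && !overrideAllowedAlgorithms.isEmpty()) {
        validationParams.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
        LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
    }
    // The same parameters object is reused for every attempt; only its trust engine changes per credential.
    secCtx.setSignatureValidationParameters(validationParams);

    LOGGER.debug("Resolving signing credentials for [{}]", peerEntityId);
    val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }

    var foundValidCredential = false;
    for (val credential : credentials) {
        // A fresh handler per attempt: it is initialized and destroyed around each invocation.
        val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
        try {
            val resolver = new StaticCredentialResolver(credential);
            val keyResolver = new StaticKeyInfoCredentialResolver(credential);
            // Explicit-key trust: the signature must verify against exactly this metadata credential.
            val trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            // A miss for one candidate key is expected while keys rotate; only the overall
            // outcome is reported as an error below. Enable debug logging to see each cause.
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
        if (foundValidCredential) {
            break;
        }
    }

    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could be resolved");
    }
}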
Also used : lombok.val(lombok.val) SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler) SamlException(org.apereo.cas.support.saml.SamlException) SamlException(org.apereo.cas.support.saml.SamlException)

Example 43 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlObjectSignatureValidator method getSigningCredential.

/**
 * Collects the signing credentials published in metadata for the issuer of the given request.
 * <p>
 * A {@link MetadataCredentialResolver} backed by the supplied role descriptor resolver and a basic
 * inline KeyInfo resolver is initialized, then queried with the current signature validation
 * configuration, a {@code SIGNING} usage criterion, and the entity criteria derived from the
 * request by {@code buildEntityCriteriaForSigningCredential}. The resolver's iteration order is
 * preserved in the returned set. Checked exceptions from the resolver are rethrown unchecked
 * via {@code @SneakyThrows}.
 *
 * @param resolver       the role descriptor resolver giving access to the peer's metadata
 * @param profileRequest the inbound request whose signer's credentials are wanted
 * @return the resolved signing credentials; never {@code null}, empty when nothing matched
 */
@SneakyThrows
private Set<Credential> getSigningCredential(final RoleDescriptorResolver resolver, final RequestAbstractType profileRequest) {
    val metadataCredentials = new MetadataCredentialResolver();
    val validationConfig = getSignatureValidationConfiguration();
    metadataCredentials.setRoleDescriptorResolver(resolver);
    metadataCredentials.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    metadataCredentials.initialize();

    val criteria = new CriteriaSet(
        new SignatureValidationConfigurationCriterion(validationConfig),
        new UsageCriterion(UsageType.SIGNING));
    buildEntityCriteriaForSigningCredential(profileRequest, criteria);

    val resolved = metadataCredentials.resolve(criteria);
    return Sets.newLinkedHashSet(resolved);
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) SignatureValidationConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureValidationConfigurationCriterion) SneakyThrows(lombok.SneakyThrows)

Example 44 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class DefaultSamlIdPObjectSigner method buildSignatureSigningParameters.

/**
 * Resolves the {@link SignatureSigningParameters} used to sign SAML objects for a service.
 * <p>
 * The service's signature signing configuration and the target role descriptor are combined into
 * a criteria set and handed to a {@link SAMLMetadataSignatureSigningParametersResolver}. When
 * resolution succeeds the chosen algorithms are traced; when it yields nothing a warning is
 * logged and {@code null} is returned, so callers must expect a {@code null} result.
 * Checked exceptions from the resolver are rethrown unchecked via {@code @SneakyThrows}.
 *
 * @param descriptor the role descriptor of the peer the object is signed for
 * @param service    the registered service whose signing configuration applies
 * @return the resolved signing parameters, or {@code null} if none could be resolved
 */
@SneakyThrows
protected SignatureSigningParameters buildSignatureSigningParameters(final RoleDescriptor descriptor, final SamlRegisteredService service) {
    val signingConfiguration = getSignatureSigningConfiguration(service);
    val criteria = new CriteriaSet(
        new SignatureSigningConfigurationCriterion(signingConfiguration),
        new RoleDescriptorCriterion(descriptor));
    val parametersResolver = new SAMLMetadataSignatureSigningParametersResolver();
    LOGGER.trace("Resolving signature signing parameters for [{}]", descriptor.getElementQName().getLocalPart());
    val parameters = parametersResolver.resolveSingle(criteria);
    if (parameters == null) {
        LOGGER.warn("Unable to resolve SignatureSigningParameters, response signing will fail."
            + " Make sure domain names in IDP metadata URLs and certificates match CAS domain name");
        return null;
    }
    LOGGER.trace("Created signature signing parameters."
            + "\nSignature algorithm: [{}]"
            + "\nSignature canonicalization algorithm: [{}]"
            + "\nSignature reference digest methods: [{}]"
            + "\nSignature reference canonicalization algorithm: [{}]",
        parameters.getSignatureAlgorithm(),
        parameters.getSignatureCanonicalizationAlgorithm(),
        parameters.getSignatureReferenceDigestMethod(),
        parameters.getSignatureReferenceCanonicalizationAlgorithm());
    return parameters;
}
Also used : lombok.val(lombok.val) RoleDescriptorCriterion(org.opensaml.saml.criterion.RoleDescriptorCriterion) SAMLMetadataSignatureSigningParametersResolver(org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) SignatureSigningConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion) SneakyThrows(lombok.SneakyThrows)

Example 45 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlIdPMetadataResolverTests method verifyOperation.

/**
 * Resolves the IdP's own metadata by its configured entity id twice through the CAS metadata
 * resolver and checks that both lookups are non-empty and of equal size, i.e. that repeated
 * resolution is stable (presumably exercising any caching in the resolver; the test itself
 * only asserts stability).
 *
 * @throws Exception if resolution fails
 */
@RepeatedTest(2)
public void verifyOperation() throws Exception {
    val idpEntityId = casProperties.getAuthn().getSamlIdp().getCore().getEntityId();
    val byEntityId = new CriteriaSet(new EntityIdCriterion(idpEntityId));

    val firstPass = casSamlIdPMetadataResolver.resolve(byEntityId);
    assertFalse(Iterables.isEmpty(firstPass));

    val secondPass = casSamlIdPMetadataResolver.resolve(byEntityId);
    assertFalse(Iterables.isEmpty(secondPass));

    assertEquals(Iterables.size(firstPass), Iterables.size(secondPass));
}
Also used : lombok.val(lombok.val) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) RepeatedTest(org.junit.jupiter.api.RepeatedTest)
