Example 66 with JwsJwtCompactConsumer
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class JWTProviderLifetimeTest method testJWTExceededConfiguredMaxLifetimeButUpdated.
/**
* Issue JWT token with a with a lifetime
* which exceeds configured maximum lifetime
* Lifetime reduced to maximum lifetime
*/
@org.junit.Test
public void testJWTExceededConfiguredMaxLifetimeButUpdated() throws Exception {
// 30 minutes
long maxLifetime = 30 * 60L;
JWTTokenProvider tokenProvider = new JWTTokenProvider();
DefaultJWTClaimsProvider claimsProvider = new DefaultJWTClaimsProvider();
claimsProvider.setMaxLifetime(maxLifetime);
claimsProvider.setFailLifetimeExceedance(false);
claimsProvider.setAcceptClientLifetime(true);
tokenProvider.setJwtClaimsProvider(claimsProvider);
TokenProviderParameters providerParameters = createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
// Set expected lifetime to 35 minutes
Instant creationTime = Instant.now();
long requestedLifetime = 35 * 60L;
Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
providerParameters.getTokenRequirements().setLifetime(lifetime);
TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
assertNotNull(providerResponse);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
assertEquals(maxLifetime, duration);
String token = (String) providerResponse.getToken();
assertNotNull(token);
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
JwtToken jwt = jwtConsumer.getJwtToken();
assertEquals(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT), providerResponse.getCreated().getEpochSecond());
}
Also used :
JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken)
Lifetime(org.apache.cxf.sts.request.Lifetime)
Instant(java.time.Instant)
DefaultJWTClaimsProvider(org.apache.cxf.sts.token.provider.jwt.DefaultJWTClaimsProvider)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
JWTTokenProvider(org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider)
Example 67 with JwsJwtCompactConsumer
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class STSRESTTest method validateJWTToken.
private static JwtToken validateJWTToken(String token) throws Exception {
assertNotNull(token);
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
JwtToken jwt = jwtConsumer.getJwtToken();
// Validate claims
assertEquals("DoubleItSTSIssuer", jwt.getClaims().getIssuer());
assertNotNull(jwt.getClaims().getExpiryTime());
assertNotNull(jwt.getClaims().getIssuedAt());
CryptoType alias = new CryptoType(CryptoType.TYPE.ALIAS);
alias.setAlias("mystskey");
X509Certificate stsCertificate = serviceCrypto.getX509Certificates(alias)[0];
assertTrue(jwtConsumer.verifySignatureWith(stsCertificate, SignatureAlgorithm.RS256));
return jwt;
}
Also used :
JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
X509Certificate(java.security.cert.X509Certificate)
Example 68 with JwsJwtCompactConsumer
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project syncope by apache.
the class SAML2SPLogic method validateLoginResponse.
@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
public SAML2LoginResponseTO validateLoginResponse(final SAML2ReceivedResponseTO response) {
check();
// 1. first checks for the provided relay state
if (response.getRelayState() == null) {
throw new IllegalArgumentException("No Relay State was provided");
}
Boolean useDeflateEncoding = false;
String requestId = null;
if (!IDP_INITIATED_RELAY_STATE.equals(response.getRelayState())) {
JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
useDeflateEncoding = Boolean.valueOf(relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
requestId = relayState.getJwtClaims().getSubject();
Long expiryTime = relayState.getJwtClaims().getExpiryTime();
if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
throw new IllegalArgumentException("Relay State is expired");
}
}
// 2. parse the provided SAML response
if (response.getSamlResponse() == null) {
throw new IllegalArgumentException("No SAML Response was provided");
}
Response samlResponse;
try {
XMLObject responseObject = saml2rw.read(useDeflateEncoding, response.getSamlResponse());
if (!(responseObject instanceof Response)) {
throw new IllegalArgumentException("Expected " + Response.class.getName() + ", got " + responseObject.getClass().getName());
}
samlResponse = (Response) responseObject;
} catch (Exception e) {
LOG.error("While parsing AuthnResponse", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
// 3. validate the SAML response and, if needed, decrypt the provided assertion(s)
if (samlResponse.getIssuer() == null || samlResponse.getIssuer().getValue() == null) {
throw new IllegalArgumentException("The SAML Response must contain an Issuer");
}
final SAML2IdPEntity idp = getIdP(samlResponse.getIssuer().getValue());
if (idp.getConnObjectKeyItem() == null) {
throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
}
if (IDP_INITIATED_RELAY_STATE.equals(response.getRelayState()) && !idp.isSupportUnsolicited()) {
throw new IllegalArgumentException("An unsolicited request is not allowed for idp: " + idp.getId());
}
SSOValidatorResponse validatorResponse = null;
try {
validatorResponse = saml2rw.validate(samlResponse, idp, getAssertionConsumerURL(response.getSpEntityID(), response.getUrlContext()), requestId, response.getSpEntityID());
} catch (Exception e) {
LOG.error("While validating AuthnResponse", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
// 4. prepare the result: find matching user (if any) and return the received attributes
final SAML2LoginResponseTO responseTO = new SAML2LoginResponseTO();
responseTO.setIdp(idp.getId());
responseTO.setSloSupported(idp.getSLOLocation(idp.getBindingType()) != null);
Assertion assertion = validatorResponse.getOpensamlAssertion();
NameID nameID = assertion.getSubject().getNameID();
if (nameID == null) {
throw new IllegalArgumentException("NameID not found");
}
String keyValue = null;
if (StringUtils.isNotBlank(nameID.getValue()) && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
keyValue = nameID.getValue();
}
if (assertion.getConditions().getNotOnOrAfter() != null) {
responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
}
assertion.getAuthnStatements().forEach(authnStmt -> {
responseTO.setSessionIndex(authnStmt.getSessionIndex());
responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
if (authnStmt.getSessionNotOnOrAfter() != null) {
responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
}
});
for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
for (Attribute attr : attrStmt.getAttributes()) {
if (!attr.getAttributeValues().isEmpty()) {
String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())) {
if (attr.getAttributeValues().get(0) instanceof XSString) {
keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
} else if (attr.getAttributeValues().get(0) instanceof XSAny) {
keyValue = ((XSAny) attr.getAttributeValues().get(0)).getTextContent();
}
}
AttrTO attrTO = new AttrTO();
attrTO.setSchema(attrName);
attr.getAttributeValues().stream().filter(value -> value.getDOM() != null).forEachOrdered(value -> {
attrTO.getValues().add(value.getDOM().getTextContent());
});
responseTO.getAttrs().add(attrTO);
}
}
}
final List<String> matchingUsers = keyValue == null ? Collections.<String>emptyList() : userManager.findMatchingUser(keyValue, idp.getKey());
LOG.debug("Found {} matching users for {}", matchingUsers.size(), keyValue);
String username;
if (matchingUsers.isEmpty()) {
if (idp.isCreateUnmatching()) {
LOG.debug("No user matching {}, about to create", keyValue);
username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.create(idp, responseTO, nameID.getValue()));
} else if (idp.isSelfRegUnmatching()) {
responseTO.setNameID(nameID.getValue());
UserTO userTO = new UserTO();
userManager.fill(idp.getKey(), responseTO, userTO);
responseTO.getAttrs().clear();
responseTO.getAttrs().addAll(userTO.getPlainAttrs());
responseTO.getAttrs().addAll(userTO.getVirAttrs());
if (StringUtils.isNotBlank(userTO.getUsername())) {
responseTO.setUsername(userTO.getUsername());
}
responseTO.setSelfReg(true);
return responseTO;
} else {
throw new NotFoundException("User matching the provided value " + keyValue);
}
} else if (matchingUsers.size() > 1) {
throw new IllegalArgumentException("Several users match the provided value " + keyValue);
} else {
if (idp.isUpdateMatching()) {
LOG.debug("About to update {} for {}", matchingUsers.get(0), keyValue);
username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.update(matchingUsers.get(0), idp, responseTO));
} else {
username = matchingUsers.get(0);
}
}
responseTO.setUsername(username);
responseTO.setNameID(nameID.getValue());
// 5. generate JWT for further access
Map<String, Object> claims = new HashMap<>();
claims.put(JWT_CLAIM_IDP_ENTITYID, idp.getId());
claims.put(JWT_CLAIM_NAMEID_FORMAT, nameID.getFormat());
claims.put(JWT_CLAIM_NAMEID_VALUE, nameID.getValue());
claims.put(JWT_CLAIM_SESSIONINDEX, responseTO.getSessionIndex());
byte[] authorities = null;
try {
authorities = ENCRYPTOR.encode(POJOHelper.serialize(authDataAccessor.getAuthorities(responseTO.getUsername())), CipherAlgorithm.AES).getBytes();
} catch (Exception e) {
LOG.error("Could not fetch authorities", e);
}
Pair<String, Date> accessTokenInfo = accessTokenDataBinder.create(responseTO.getUsername(), claims, authorities, true);
responseTO.setAccessToken(accessTokenInfo.getLeft());
responseTO.setAccessTokenExpiryTime(accessTokenInfo.getRight());
return responseTO;
}
Also used :
SAMLVersion(org.opensaml.saml.common.SAMLVersion)
XSAny(org.opensaml.core.xml.schema.XSAny)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
Date(java.util.Date)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Autowired(org.springframework.beans.factory.annotation.Autowired)
SAML2ReaderWriter(org.apache.syncope.core.logic.saml2.SAML2ReaderWriter)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
SAML2IdP(org.apache.syncope.core.persistence.api.entity.SAML2IdP)
KeyInfoGenerator(org.opensaml.xmlsec.keyinfo.KeyInfoGenerator)
StringUtils(org.apache.commons.lang3.StringUtils)
AuthnRequestBuilder(org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AuthnContextComparisonTypeEnumeration(org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration)
Pair(org.apache.commons.lang3.tuple.Pair)
SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Map(java.util.Map)
RequestedAuthnContext(org.opensaml.saml.saml2.core.RequestedAuthnContext)
SAML2IdPDAO(org.apache.syncope.core.persistence.api.dao.SAML2IdPDAO)
AuthContextUtils(org.apache.syncope.core.spring.security.AuthContextUtils)
XSString(org.opensaml.core.xml.schema.XSString)
Method(java.lang.reflect.Method)
Triple(org.apache.commons.lang3.tuple.Triple)
Response(org.opensaml.saml.saml2.core.Response)
AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder)
RandomBasedGenerator(com.fasterxml.uuid.impl.RandomBasedGenerator)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
Resource(javax.annotation.Resource)
AccessTokenDataBinder(org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder)
AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef)
SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
StandardCharsets(java.nio.charset.StandardCharsets)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
List(java.util.List)
Issuer(org.opensaml.saml.saml2.core.Issuer)
NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder)
AbstractBaseBean(org.apache.syncope.common.lib.AbstractBaseBean)
AuthnContext(org.opensaml.saml.saml2.core.AuthnContext)
StandardEntitlement(org.apache.syncope.common.lib.types.StandardEntitlement)
POJOHelper(org.apache.syncope.core.provisioning.api.serialization.POJOHelper)
AttrTO(org.apache.syncope.common.lib.to.AttrTO)
SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO)
SAML2BindingType(org.apache.syncope.common.lib.types.SAML2BindingType)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
HashMap(java.util.HashMap)
NameIDPolicyBuilder(org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder)
StatusCode(org.opensaml.saml.saml2.core.StatusCode)
SPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder)
EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)
SingleLogoutServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder)
SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO)
Assertion(org.opensaml.saml.saml2.core.Assertion)
OutputStreamWriter(java.io.OutputStreamWriter)
ClientExceptionType(org.apache.syncope.common.lib.types.ClientExceptionType)
SAML2IdPCache(org.apache.syncope.core.logic.saml2.SAML2IdPCache)
XMLObject(org.opensaml.core.xml.XMLObject)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
CipherAlgorithm(org.apache.syncope.common.lib.types.CipherAlgorithm)
OutputStream(java.io.OutputStream)
KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder)
Encryptor(org.apache.syncope.core.spring.security.Encryptor)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
DateTime(org.joda.time.DateTime)
SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder)
SAML2UserManager(org.apache.syncope.core.logic.saml2.SAML2UserManager)
LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder)
AuthDataAccessor(org.apache.syncope.core.spring.security.AuthDataAccessor)
AccessTokenDAO(org.apache.syncope.core.persistence.api.dao.AccessTokenDAO)
JwsSignatureVerifier(org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
ResourceUtils(org.springframework.util.ResourceUtils)
SessionIndex(org.opensaml.saml.saml2.core.SessionIndex)
URLEncoder(java.net.URLEncoder)
Component(org.springframework.stereotype.Component)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
RequestedAuthnContextBuilder(org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder)
NameIDType(org.opensaml.saml.saml2.core.NameIDType)
Generators(com.fasterxml.uuid.Generators)
NameIDPolicy(org.opensaml.saml.saml2.core.NameIDPolicy)
UserTO(org.apache.syncope.common.lib.to.UserTO)
Collections(java.util.Collections)
NameID(org.opensaml.saml.saml2.core.NameID)
SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity)
Attribute(org.opensaml.saml.saml2.core.Attribute)
HashMap(java.util.HashMap)
AttrTO(org.apache.syncope.common.lib.to.AttrTO)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
XSString(org.opensaml.core.xml.schema.XSString)
XSAny(org.opensaml.core.xml.schema.XSAny)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse)
SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO)
NameID(org.opensaml.saml.saml2.core.NameID)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
Assertion(org.opensaml.saml.saml2.core.Assertion)
XMLObject(org.opensaml.core.xml.XMLObject)
XSString(org.opensaml.core.xml.schema.XSString)
Date(java.util.Date)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
Response(org.opensaml.saml.saml2.core.Response)
SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
UserTO(org.apache.syncope.common.lib.to.UserTO)
XMLObject(org.opensaml.core.xml.XMLObject)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 69 with JwsJwtCompactConsumer
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project syncope by apache.
the class SAML2SPLogic method validateLogoutResponse.
@PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS + "'))")
public void validateLogoutResponse(final String accessToken, final SAML2ReceivedResponseTO response) {
check();
// 1. fetch the current JWT used for Syncope authentication
JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken);
if (!consumer.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Access Token");
}
// 2. extract raw SAML response and relay state
JwsJwtCompactConsumer relayState = null;
Boolean useDeflateEncoding = false;
if (StringUtils.isNotBlank(response.getRelayState())) {
// first checks for the provided relay state, if available
relayState = new JwsJwtCompactConsumer(response.getRelayState());
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
Long expiryTime = relayState.getJwtClaims().getExpiryTime();
if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
throw new IllegalArgumentException("Relay State is expired");
}
useDeflateEncoding = Boolean.valueOf(relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
}
// 3. parse the provided SAML response
LogoutResponse logoutResponse;
try {
XMLObject responseObject = saml2rw.read(useDeflateEncoding, response.getSamlResponse());
if (!(responseObject instanceof LogoutResponse)) {
throw new IllegalArgumentException("Expected " + LogoutResponse.class.getName() + ", got " + responseObject.getClass().getName());
}
logoutResponse = (LogoutResponse) responseObject;
} catch (Exception e) {
LOG.error("While parsing LogoutResponse", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
// 4. if relay state was available, check the SAML Reponse's InResponseTo
if (relayState != null && !relayState.getJwtClaims().getSubject().equals(logoutResponse.getInResponseTo())) {
throw new IllegalArgumentException("Unmatching request ID: " + logoutResponse.getInResponseTo());
}
// 5. finally check for the logout status
if (StatusCode.SUCCESS.equals(logoutResponse.getStatus().getStatusCode().getValue())) {
accessTokenDAO.delete(consumer.getJwtClaims().getTokenId());
} else {
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
if (logoutResponse.getStatus().getStatusMessage() == null) {
sce.getElements().add(logoutResponse.getStatus().getStatusCode().getValue());
} else {
sce.getElements().add(logoutResponse.getStatus().getStatusMessage().getMessage());
}
throw sce;
}
}
Also used :
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
XMLObject(org.opensaml.core.xml.XMLObject)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
Date(java.util.Date)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 70 with JwsJwtCompactConsumer
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project syncope by apache.
the class SAML2ITCase method unsignedAssertionInLoginResponse.
@Test
public void unsignedAssertionInLoginResponse() throws Exception {
assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
// Get a valid login request for the Fediz realm
SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
assertNotNull(loginRequest);
SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
response.setSpEntityID("http://recipient.apache.org/");
response.setUrlContext("saml2sp");
response.setRelayState(loginRequest.getRelayState());
// Create a SAML Response using WSS4J
JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
String inResponseTo = relayState.getJwtClaims().getSubject();
org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo, false, SAML2Constants.CONF_SENDER_VOUCHES, "urn:org:apache:cxf:fediz:idp:realm-A");
Document doc = DOMUtils.newDocument();
Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
String responseStr = DOM2Writer.nodeToString(responseElement);
// Validate the SAML Response
response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
try {
saml2Service.validateLoginResponse(response);
fail("Failure expected on an unsigned Assertion");
} catch (SyncopeClientException e) {
assertNotNull(e);
}
}
Also used :
SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService)
SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO)
SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)
Element(org.w3c.dom.Element)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
Document(org.w3c.dom.Document)
Test(org.junit.jupiter.api.Test)
Aggregations
JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)84
JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)71
JWTTokenProvider (org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider)33
WebClient (org.apache.cxf.jaxrs.client.WebClient)19
HashMap (java.util.HashMap)16
Response (javax.ws.rs.core.Response)15
Element (org.w3c.dom.Element)15
X509Certificate (java.security.cert.X509Certificate)14
KeyStore (java.security.KeyStore)13
JAXBElement (javax.xml.bind.JAXBElement)13
Crypto (org.apache.wss4j.common.crypto.Crypto)13
Settings (org.opensearch.common.settings.Settings)11
RestRequest (org.opensearch.rest.RestRequest)11
FakeRestRequest (org.opensearch.security.util.FakeRestRequest)11
URL (java.net.URL)10
ClaimsHandler (org.apache.cxf.sts.claims.ClaimsHandler)10
ClaimsManager (org.apache.cxf.sts.claims.ClaimsManager)10
CustomClaimsHandler (org.apache.cxf.sts.common.CustomClaimsHandler)10
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)10
Test (org.junit.Test)10
