
Example 1 with ResponseState

use of org.apache.cxf.rs.security.saml.sso.state.ResponseState in project cxf by apache.

the class AbstractServiceProviderFilter method getValidResponseState.

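/**
 * Looks up the SSO response state referenced by the security-context cookie and validates
 * that it is usable for the current request.
 *
 * <p>The state is rejected (and, where it can never become valid again, removed from the
 * state provider) when it is missing, expired, bound to a different web application, or
 * carries no assertion.
 *
 * @param securityContextCookie the security-context cookie from the request, may be {@code null}
 * @param m the current message, used to determine the web application context
 * @return the validated state, or {@code null} when no valid state exists for this request
 */
protected ResponseState getValidResponseState(Cookie securityContextCookie, Message m) {
    if (securityContextCookie == null) {
        // No cookie usually means the user has not been through the IdP yet, though the
        // browser may also have dropped an expired cookie; an error would be too noisy
        // for the former case, so only trace it.
        reportTrace("MISSING_RESPONSE_STATE");
        return null;
    }
    String contextKey = securityContextCookie.getValue();
    ResponseState responseState = getStateProvider().getResponseState(contextKey);
    if (responseState == null) {
        reportError("MISSING_RESPONSE_STATE");
        return null;
    }
    if (isStateExpired(responseState.getCreatedAt(), responseState.getExpiresAt())) {
        reportError("EXPIRED_RESPONSE_STATE");
        getStateProvider().removeResponseState(contextKey);
        return null;
    }
    // The state must have been issued for this web application (domain and context);
    // otherwise a cookie obtained for one application could be presented to another.
    if (!matchesWebApp(responseState, getWebAppContext(m))) {
        getStateProvider().removeResponseState(contextKey);
        reportError("INVALID_RESPONSE_STATE");
        return null;
    }
    if (responseState.getAssertion() == null) {
        // A state without an assertion can never become valid; drop it so the next request
        // reports a clean MISSING_RESPONSE_STATE instead of repeating this error.
        getStateProvider().removeResponseState(contextKey);
        reportError("INVALID_RESPONSE_STATE");
        return null;
    }
    return responseState;
}

/**
 * Returns whether the stored state was issued for the web application handling this request.
 *
 * <p>When a web application domain is configured on the filter, the stored domain must equal
 * it; the stored web application context must always equal the current one. A {@code null}
 * value on either side of the context comparison is a mismatch rather than a
 * {@link NullPointerException}.
 *
 * @param responseState the stored state to check
 * @param webAppContext the web application context of the current request, may be {@code null}
 * @return {@code true} when both domain and context match
 */
private boolean matchesWebApp(ResponseState responseState, String webAppContext) {
    if (webAppDomain != null && !webAppDomain.equals(responseState.getWebAppDomain())) {
        return false;
    }
    return webAppContext != null && webAppContext.equals(responseState.getWebAppContext());
}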

Example 2 with ResponseState

use of org.apache.cxf.rs.security.saml.sso.state.ResponseState in project cxf by apache.

the class AbstractRequestAssertionConsumerHandler method createSecurityContext.

/**
 * Validates a SAML Response and, on success, stores a new SSO response state and returns
 * the security-context cookie that references it.
 *
 * @param requestState the request state of the original authentication request
 * @param encodedSamlResponse the encoded SAML Response as received from the IdP
 * @param relayState the RelayState value returned with the response
 * @param postBinding {@code true} for HTTP-POST binding, {@code false} for HTTP-Redirect
 * @return the {@code Set-Cookie} value for the security-context token
 */
protected String createSecurityContext(RequestState requestState, String encodedSamlResponse, String relayState, boolean postBinding) {
    org.opensaml.saml.saml2.core.Response samlResponse = readSAMLResponse(postBinding, encodedSamlResponse);
    // Protocol-level checks first, then the SSO profile checks against the stored request state
    validateSamlResponseProtocol(samlResponse);
    SSOValidatorResponse validated = validateSamlSSOResponse(postBinding, samlResponse, requestState);

    long now = System.currentTimeMillis();
    Instant sessionNotOnOrAfter = validated.getSessionNotOnOrAfter();
    // Honour the IdP's SessionNotOnOrAfter when present, otherwise fall back to the configured TTL
    long expiresAt = sessionNotOnOrAfter == null
        ? now + getStateTimeToLive()
        : sessionNotOnOrAfter.toEpochMilli();

    ResponseState responseState = new ResponseState(
        validated.getAssertion(),
        relayState,
        requestState.getWebAppContext(),
        requestState.getWebAppDomain(),
        now,
        expiresAt);
    String securityContextKey = UUID.randomUUID().toString();
    getStateProvider().setResponseState(securityContextKey, responseState);

    return createCookie(SSOConstants.SECURITY_CONTEXT_TOKEN, securityContextKey, requestState.getWebAppContext(), requestState.getWebAppDomain());
}

Example 3 with ResponseState

use of org.apache.cxf.rs.security.saml.sso.state.ResponseState in project cxf by apache.

the class AbstractServiceProviderFilter method checkSecurityContext.

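/**
 * Checks whether the request carries a valid SSO security context and, if so, installs the
 * stored assertion as the message's security context.
 *
 * <p>For SP-initiated flows (unsolicited responses not supported) the RelayState cookie
 * must also be present and match the value stored with the response state.
 *
 * @param m the current message
 * @return {@code true} when a valid security context was established, {@code false} otherwise
 */
protected boolean checkSecurityContext(Message m) {
    HttpHeaders headers = new HttpHeadersImpl(m);
    Map<String, Cookie> cookies = headers.getCookies();
    Cookie securityContextCookie = cookies.get(SSOConstants.SECURITY_CONTEXT_TOKEN);
    ResponseState responseState = getValidResponseState(securityContextCookie, m);
    if (responseState == null) {
        return false;
    }
    if (!isSupportUnsolicited()) {
        // The RelayState echoed back by the browser must match the one stored with the
        // response state; otherwise the context may belong to a different login attempt.
        Cookie relayStateCookie = cookies.get(SSOConstants.RELAY_STATE);
        if (relayStateCookie == null) {
            reportError("MISSING_RELAY_COOKIE");
            return false;
        }
        String originalRelayState = responseState.getRelayState();
        // Null-safe: a state stored without a relay state is a mismatch, not a NullPointerException
        if (originalRelayState == null || !originalRelayState.equals(relayStateCookie.getValue())) {
            // perhaps the response state should also be removed
            reportError("INVALID_RELAY_STATE");
            return false;
        }
    }
    try {
        String assertion = responseState.getAssertion();
        SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(StaxUtils.read(new StringReader(assertion)).getDocumentElement());
        setSecurityContext(m, assertionWrapper);
    } catch (Exception ex) {
        // The stored assertion could not be parsed or wrapped; report it as an invalid
        // context rather than letting parser details escape the filter.
        reportError("INVALID_RESPONSE_STATE");
        return false;
    }
    return true;
}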
