
Example 6 with SAMLClaim

Use of org.apache.cxf.rt.security.claims.SAMLClaim in project cxf by apache.

The class ClaimsAuthorizingInterceptor, method authorize.

protected boolean authorize(ClaimsSecurityContext sc, Method method) {
    // Policy configured for this operation: each ClaimBean is one requirement
    List<ClaimBean> list = claims.get(method.getName());
    // Claims carried by the caller's (already authenticated) security context
    org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
    for (ClaimBean claimBean : list) {
        org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
        for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
            if (cl instanceof SAMLClaim) {
                // If it's a SAMLClaim the name + nameformat must match what's configured
                if (((SAMLClaim) cl).getName().equals(claimBean.getClaim().getClaimType())
                    && ((SAMLClaim) cl).getNameFormat().equals(claimBean.getClaimFormat())) {
                    matchingClaim = cl;
                    break;
                }
            } else if (cl.getClaimType().equals(claimBean.getClaim().getClaimType())) {
                // A plain Claim is matched on claim type alone
                matchingClaim = cl;
                break;
            }
        }
        if (matchingClaim == null) {
            // Required claim is absent (or carries a different name format):
            // deny in STRICT mode, skip this requirement in LAX mode
            if (claimBean.getClaimMode() == ClaimMode.STRICT) {
                return false;
            }
            continue;
        }
        List<Object> claimValues = claimBean.getClaim().getValues();
        List<Object> matchingClaimValues = matchingClaim.getValues();
        // matchAll: the presented claim must carry every configured value
        if (claimBean.isMatchAll() && !matchingClaimValues.containsAll(claimValues)) {
            return false;
        }
        // Otherwise at least one presented value must be among the configured values
        boolean matched = false;
        for (Object value : matchingClaimValues) {
            if (claimValues.contains(value)) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            return false;
        }
    }
    return true;
}
Also used : SAMLClaim(org.apache.cxf.rt.security.claims.SAMLClaim) ClaimBean(org.apache.cxf.rt.security.claims.ClaimBean)

Example 7 with SAMLClaim

Use of org.apache.cxf.rt.security.claims.SAMLClaim in project cxf by apache.

The class SAMLClaimsTest, method testSAML2MultipleRoles.

@org.junit.Test
public void testSAML2MultipleRoles() throws Exception {
    AttributeBean attributeBean = new AttributeBean();
    attributeBean.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
    attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
    attributeBean.addAttributeValue("employee");
    attributeBean.addAttributeValue("boss");
    SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
    samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
    // Create the SAML Assertion via the CallbackHandler
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
    SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
    Document doc = DOMUtils.newDocument();
    samlAssertion.toDOM(doc);
    ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
    assertEquals(claims.getDialect().toString(), "http://schemas.xmlsoap.org/ws/2005/05/identity");
    assertEquals(1, claims.size());
    // Check Claim values
    Claim claim = claims.get(0);
    assertEquals(claim.getClaimType(), SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
    assertEquals(2, claim.getValues().size());
    assertTrue(claim.getValues().contains("employee"));
    assertTrue(claim.getValues().contains("boss"));
    // Check SAMLClaim values
    assertTrue(claim instanceof SAMLClaim);
    assertEquals(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, ((SAMLClaim) claim).getName());
    assertEquals(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED, ((SAMLClaim) claim).getNameFormat());
    // Check roles
    Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
    assertEquals(2, roles.size());
}
Also used : SAMLClaim(org.apache.cxf.rt.security.claims.SAMLClaim) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean) Document(org.w3c.dom.Document) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) SAMLClaim(org.apache.cxf.rt.security.claims.SAMLClaim) Claim(org.apache.cxf.rt.security.claims.Claim) Principal(java.security.Principal)
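The two examples above show the two ends of the same check: testSAML2MultipleRoles turns a SAML role attribute into a SAMLClaim that carries both a name and a name format, and authorize() only treats such a claim as present when both the name and the configured claimFormat match. The following is an added example, not code from the CXF project, that drives ClaimsAuthorizingInterceptor.authorize and SAMLUtils.parseRolesFromClaims against a hand-built claim collection to show what a format mismatch does under STRICT versus LAX mode. It assumes: ClaimBean and Claim have no-arg constructors and bean setters (setClaim, setClaimFormat, setClaimMode, setMatchAll, setValues); ClaimsAuthorizingInterceptor exposes setClaims(Map<String, List<ClaimBean>>) keyed by method name; SAMLUtils lives in org.apache.cxf.rt.security.saml.utils and its parseRolesFromClaims applies the same name/format match as authorize(); the SAMLClaim built in assertionClaims() stands in for what SAMLUtils.getClaims returns for the attribute constructed in the test. The service method payroll, the principal name alice and the role values are made up for the example.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

import org.apache.cxf.rt.security.claims.Claim;
import org.apache.cxf.rt.security.claims.ClaimBean;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.claims.ClaimMode;
import org.apache.cxf.rt.security.claims.ClaimsSecurityContext;
import org.apache.cxf.rt.security.claims.SAMLClaim;
import org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor;
import org.apache.cxf.rt.security.saml.utils.SAMLUtils;   // assumed package for SAMLUtils
import org.apache.wss4j.common.saml.builder.SAML2Constants;

/**
 * Added example (not CXF project code): exercises ClaimsAuthorizingInterceptor.authorize
 * and SAMLUtils.parseRolesFromClaims against a constructed role claim to show how the
 * configured claim format and ClaimMode decide whether a role requirement is enforced.
 */
public class ClaimFormatDemo {

    private static final String ROLE = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    private static final String UNSPECIFIED = SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED;
    private static final String URI_FORMAT = SAML2Constants.ATTRNAME_FORMAT_URI;

    // Hypothetical service method; the interceptor keys its policy map on the method name.
    public void payroll() { }

    // Subclass only to reach the protected authorize(...) without a full Message exchange.
    static class Exposed extends ClaimsAuthorizingInterceptor {
        boolean check(ClaimsSecurityContext sc, Method m) { return authorize(sc, m); }
    }

    // Constructed claims: the SAMLClaim that SAMLUtils.getClaims would produce for a role
    // attribute with NameFormat "unspecified" and values employee/boss (as in the test above).
    static ClaimCollection assertionClaims() {
        SAMLClaim role = new SAMLClaim();
        role.setClaimType(ROLE);
        role.setName(ROLE);
        role.setNameFormat(UNSPECIFIED);
        role.setValues(new ArrayList<Object>(Arrays.asList("employee", "boss")));
        ClaimCollection claims = new ClaimCollection();
        claims.add(role);
        return claims;
    }

    // One policy entry: the operation requires one of these role values, matched under the
    // given name format and claim mode (setters assumed to exist on ClaimBean/Claim).
    static ClaimBean require(String format, ClaimMode mode, String... values) {
        Claim wanted = new Claim();
        wanted.setClaimType(ROLE);
        wanted.setValues(new ArrayList<Object>(Arrays.asList(values)));
        ClaimBean bean = new ClaimBean();
        bean.setClaim(wanted);
        bean.setClaimFormat(format);
        bean.setClaimMode(mode);
        bean.setMatchAll(false);
        return bean;
    }

    // Runs authorize() for the payroll operation with a single-requirement policy.
    static boolean decide(ClaimBean policy, ClaimCollection claims) throws Exception {
        Exposed interceptor = new Exposed();
        Map<String, List<ClaimBean>> byMethod = new LinkedHashMap<>();
        byMethod.put("payroll", Collections.singletonList(policy));
        interceptor.setClaims(byMethod);   // assumed setter for the per-method claims map
        ClaimsSecurityContext sc = new ClaimsSecurityContext() {
            public ClaimCollection getClaims() { return claims; }
            public Subject getSubject() { return new Subject(); }
            public Principal getUserPrincipal() { return () -> "alice"; }
            public boolean isUserInRole(String r) { return false; }
        };
        return interceptor.check(sc, ClaimFormatDemo.class.getMethod("payroll"));
    }

    public static Map<String, Object> run() throws Exception {
        ClaimCollection claims = assertionClaims();
        Map<String, Object> out = new LinkedHashMap<>();
        // Configured format matches the assertion: the role value alone decides
        out.put("strict/unspecified/boss", decide(require(UNSPECIFIED, ClaimMode.STRICT, "boss"), claims));
        out.put("strict/unspecified/admin", decide(require(UNSPECIFIED, ClaimMode.STRICT, "admin"), claims));
        // Configured format differs from the assertion: the SAMLClaim never matches,
        // so authorize() treats the role claim as absent and the ClaimMode decides
        out.put("strict/uri/boss", decide(require(URI_FORMAT, ClaimMode.STRICT, "boss"), claims));
        out.put("lax/uri/boss", decide(require(URI_FORMAT, ClaimMode.LAX, "boss"), claims));
        // The same name/format gate applies when roles are extracted from the claims
        Set<Principal> rolesOk = SAMLUtils.parseRolesFromClaims(claims, ROLE, UNSPECIFIED);
        Set<Principal> rolesMiss = SAMLUtils.parseRolesFromClaims(claims, ROLE, URI_FORMAT);
        out.put("roles/unspecified", rolesOk.size());
        out.put("roles/uri", rolesMiss.size());
        return out;
    }

    public static void main(String[] args) throws Exception {
        run().forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

Reading the outcomes off the authorize() code above: with the format matching, requiring "boss" is granted and requiring "admin" is refused; with the format mismatched, the SAMLClaim never becomes matchingClaim, so STRICT mode refuses while LAX mode hits the continue and grants access with the role requirement never evaluated. A claimFormat that does not correspond to the NameFormat the identity provider actually emits (unspecified versus uri is the usual slip) therefore disables the role gate silently under LAX mode; check the configured format against a real assertion, and keep role requirements in STRICT mode.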

Aggregations

SAMLClaim (org.apache.cxf.rt.security.claims.SAMLClaim) 7
ClaimCollection (org.apache.cxf.rt.security.claims.ClaimCollection) 4
Principal (java.security.Principal) 3
Claim (org.apache.cxf.rt.security.claims.Claim) 3
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback) 3
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper) 3
AttributeBean (org.apache.wss4j.common.saml.bean.AttributeBean) 3
Document (org.w3c.dom.Document) 3
ClaimBean (org.apache.cxf.rt.security.claims.ClaimBean) 2
AccessDeniedException (org.apache.cxf.interceptor.security.AccessDeniedException) 1
SecureAnnotationsInterceptor (org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor) 1
Message (org.apache.cxf.message.Message) 1
Test (org.junit.Test) 1
XMLObject (org.opensaml.core.xml.XMLObject) 1
Attribute (org.opensaml.saml.saml2.core.Attribute) 1
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement) 1