Example 6 with SAMLSecurityContext

use of org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext in project cxf by apache.

the class DefaultSAMLRoleParser method parseRolesFromAssertion.

/**
 * Return the set of User/Principal roles from the Assertion.
 * @param principal the Principal associated with the Assertion
 * @param subject the JAAS Subject associated with a successful validation of the Assertion
 * @param assertion The Assertion object
 * @return the set of User/Principal roles from the Assertion.
 */
public Set<Principal> parseRolesFromAssertion(Principal principal, Subject subject, SamlAssertionWrapper assertion) {
    if (subject != null && useJaasSubject) {
        return super.parseRolesFromSubject(principal, subject);
    }
    ClaimCollection claims = SAMLUtils.getClaims(assertion);
    Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
    SAMLSecurityContext context = new SAMLSecurityContext(principal, roles, claims);
    return context.getUserRoles();
}
Also used : SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) Principal(java.security.Principal)
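Every creator on this page hands SAMLUtils.parseRolesFromClaims a role attribute name that comes either from the SecurityConstants.SAML_ROLE_ATTRIBUTENAME message property or from the built-in default. What that means in practice is easy to miss: roles are taken only from the SAML Attribute whose Name equals that string, so an IdP that issues group membership under any other Name yields an empty role set and every isUserInRole() check fails closed without an error. The following is an added example, not CXF project code. It assumes the SAMLClaim subclass that SAMLUtils.getClaims produces (org.apache.cxf.rt.security.saml.claims.SAMLClaim with setName, setClaimType and addValue, as in CXF 3.2-era releases), and the IdP attribute name urn:example:idp:attributes:groups is a hypothetical stand-in; the claim values are constructed inline so nothing needs a signed assertion.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;

/**
 * Added example, not CXF project code. Shows why the role attribute name matters:
 * SAMLUtils.parseRolesFromClaims returns roles only from the SAMLClaim whose Name
 * equals the configured role attribute name. Roles issued under any other Name are
 * silently ignored, so authorization checks fail closed with nothing logged.
 */
public final class RoleAttributeNameDemo {

    /** Attribute Name a hypothetical IdP uses for roles (assumption, not a CXF constant). */
    static final String CUSTOM_ROLE_ATTRIBUTE = "urn:example:idp:attributes:groups";

    private RoleAttributeNameDemo() {
    }

    /**
     * The ClaimCollection SAMLUtils.getClaims(assertion) would build for an
     * AttributeStatement holding an e-mail attribute and a multi-valued roles
     * attribute. Constructed inline so the demo runs without a signed assertion.
     */
    static ClaimCollection constructedClaims() {
        ClaimCollection claims = new ClaimCollection();

        SAMLClaim email = new SAMLClaim();
        email.setClaimType("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
        email.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
        email.addValue("alice@example.com");
        claims.add(email);

        SAMLClaim groups = new SAMLClaim();
        groups.setClaimType(CUSTOM_ROLE_ATTRIBUTE);
        groups.setName(CUSTOM_ROLE_ATTRIBUTE);
        groups.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        groups.addValue("auditor");
        groups.addValue("operator");
        claims.add(groups);

        return claims;
    }

    /** Roles as the interceptors on this page see them when no property is configured. */
    static Set<String> rolesWithDefaultName(ClaimCollection claims) {
        return names(SAMLUtils.parseRolesFromClaims(
            claims, WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT, null));
    }

    /** Roles once the name matches what the IdP issues; a null nameFormat accepts any format. */
    static Set<String> rolesWithConfiguredName(ClaimCollection claims) {
        return names(SAMLUtils.parseRolesFromClaims(claims, CUSTOM_ROLE_ATTRIBUTE, null));
    }

    /**
     * Endpoint properties that make the interceptors use that name: each of them
     * reads SecurityConstants.SAML_ROLE_ATTRIBUTENAME from the message before
     * falling back to the default.
     */
    static Map<String, Object> endpointProperties() {
        Map<String, Object> props = new HashMap<>();
        props.put(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, CUSTOM_ROLE_ATTRIBUTE);
        return props;
    }

    private static Set<String> names(Set<Principal> principals) {
        Set<String> out = new TreeSet<>();
        for (Principal p : principals) {
            out.add(p.getName());
        }
        return out;
    }

    public static void main(String[] args) {
        ClaimCollection claims = constructedClaims();
        System.out.println("default attribute name: " + rolesWithDefaultName(claims));
        System.out.println("configured attribute name: " + rolesWithConfiguredName(claims));
        System.out.println("endpoint properties: " + endpointProperties());
    }
}
```

The map returned by endpointProperties() is what you would pass to JaxWsServerFactoryBean.setProperties or put in jaxws:properties; the check worth keeping from this demo is the first one: if a freshly integrated IdP produces an empty getUserRoles() on an otherwise valid assertion, compare the Attribute Name in the assertion with the configured role attribute name before suspecting the IdP.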

Example 7 with SAMLSecurityContext

use of org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext in project cxf by apache.

the class StaxSecurityContextInInterceptor method doResults.

private void doResults(SoapMessage msg, List<SecurityEvent> incomingSecurityEventList) throws WSSecurityException {
    // Now go through the results in a certain order to set up a security context. Highest priority is first.
    List<Event> desiredSecurityEvents = new ArrayList<>();
    desiredSecurityEvents.add(WSSecurityEventConstants.SAML_TOKEN);
    desiredSecurityEvents.add(WSSecurityEventConstants.USERNAME_TOKEN);
    desiredSecurityEvents.add(WSSecurityEventConstants.KERBEROS_TOKEN);
    desiredSecurityEvents.add(WSSecurityEventConstants.X509Token);
    desiredSecurityEvents.add(WSSecurityEventConstants.KeyValueToken);
    for (Event desiredEvent : desiredSecurityEvents) {
        SubjectAndPrincipalSecurityToken token = null;
        try {
            token = getSubjectPrincipalToken(incomingSecurityEventList, desiredEvent, msg);
        } catch (XMLSecurityException ex) {
            // proceed to the next, lower-priority token type
        }
        if (token != null) {
            Principal p = token.getPrincipal();
            Subject subject = token.getSubject();
            if (subject != null) {
                String roleClassifier = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
                if (roleClassifier != null && !"".equals(roleClassifier)) {
                    String roleClassifierType = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
                    if (roleClassifierType == null || "".equals(roleClassifierType)) {
                        roleClassifierType = "prefix";
                    }
                    msg.put(SecurityContext.class, new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType));
                } else {
                    msg.put(SecurityContext.class, new DefaultSecurityContext(subject));
                }
                break;
            } else if (p != null) {
                Object receivedAssertion = null;
                if (desiredEvent == WSSecurityEventConstants.SAML_TOKEN) {
                    String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
                    if (roleAttributeName == null || roleAttributeName.length() == 0) {
                        roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
                    }
                    receivedAssertion = ((SAMLTokenPrincipal) token.getPrincipal()).getToken();
                    if (receivedAssertion != null) {
                        ClaimCollection claims = SAMLUtils.getClaims((SamlAssertionWrapper) receivedAssertion);
                        Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
                        SAMLSecurityContext context = new SAMLSecurityContext(p, roles, claims);
                        msg.put(SecurityContext.class, context);
                    }
                } else {
                    msg.put(SecurityContext.class, createSecurityContext(p));
                }
                break;
            }
        }
    }
}
Also used : DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) Set(java.util.Set) SubjectAndPrincipalSecurityToken(org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) Subject(javax.security.auth.Subject) RolePrefixSecurityContextImpl(org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) SecurityContext(org.apache.cxf.security.SecurityContext) SamlTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent) KerberosTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent) KeyValueTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent) Event(org.apache.xml.security.stax.securityEvent.SecurityEventConstants.Event) SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) X509TokenSecurityEvent(org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent) UsernameTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) Principal(java.security.Principal)

Example 8 with SAMLSecurityContext

use of org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext in project cxf by apache.

the class UsernameTokenInterceptor method createSecurityContext.

private SecurityContext createSecurityContext(Message msg, SamlAssertionWrapper samlAssertion) {
    String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
    if (roleAttributeName == null || roleAttributeName.length() == 0) {
        roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    }
    ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
    Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
    SAMLSecurityContext context = new SAMLSecurityContext(new SAMLTokenPrincipalImpl(samlAssertion), roles, claims);
    context.setIssuer(SAMLUtils.getIssuer(samlAssertion));
    context.setAssertionElement(SAMLUtils.getAssertionElement(samlAssertion));
    return context;
}
Also used : SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl) Principal(java.security.Principal) UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal)

Example 9 with SAMLSecurityContext

use of org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext in project cxf by apache.

the class DefaultWSS4JSecurityContextCreator method createSecurityContext.

protected SecurityContext createSecurityContext(SoapMessage msg, boolean useJAASSubject, WSSecurityEngineResult wsResult) {
    final Principal p = (Principal) wsResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
    final Subject subject = (Subject) wsResult.get(WSSecurityEngineResult.TAG_SUBJECT);
    if (subject != null && !(p instanceof KerberosPrincipal) && useJAASSubject) {
        String roleClassifier = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
        if (roleClassifier != null && !"".equals(roleClassifier)) {
            String roleClassifierType = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
            if (roleClassifierType == null || "".equals(roleClassifierType)) {
                roleClassifierType = "prefix";
            }
            return new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType);
        }
        return new DefaultSecurityContext(p, subject);
    } else if (p != null) {
        boolean utWithCallbacks = MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
        if (!utWithCallbacks) {
            WSS4JTokenConverter.convertToken(msg, p);
        }
        Object receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
        if (receivedAssertion == null) {
            receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        }
        if (wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) {
            msg.put(SecurityConstants.DELEGATED_CREDENTIAL, wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL));
        }
        if (receivedAssertion instanceof SamlAssertionWrapper) {
            String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
            if (roleAttributeName == null || roleAttributeName.length() == 0) {
                roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
            }
            ClaimCollection claims = SAMLUtils.getClaims((SamlAssertionWrapper) receivedAssertion);
            Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
            SAMLSecurityContext context = new SAMLSecurityContext(p, roles, claims);
            context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
            context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
            return context;
        }
        return createSecurityContext(p);
    }
    return null;
}
Also used : DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) RolePrefixSecurityContextImpl(org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl) Set(java.util.Set) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal) Subject(javax.security.auth.Subject)

Example 10 with SAMLSecurityContext

use of org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext in project cxf by apache.

the class CustomWSS4JSecurityContextCreator method createSecurityContext.

/**
 * Create a SecurityContext and store it on the SoapMessage parameter
 */
public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) {
    Map<Integer, List<WSSecurityEngineResult>> actionResults = handlerResult.getActionResults();
    Principal asymmetricPrincipal = null;
    // Get Asymmetric Signature action
    List<WSSecurityEngineResult> foundResults = actionResults.get(WSConstants.SIGN);
    if (foundResults != null && !foundResults.isEmpty()) {
        for (WSSecurityEngineResult result : foundResults) {
            PublicKey publickey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (publickey == null && cert == null) {
                continue;
            }
            SecurityContext context = createSecurityContext(msg, true, result);
            if (context != null && context.getUserPrincipal() != null) {
                asymmetricPrincipal = context.getUserPrincipal();
                break;
            }
        }
    }
    // We must have an asymmetric principal
    if (asymmetricPrincipal == null) {
        return;
    }
    // Get signed SAML action
    SAMLSecurityContext context = null;
    foundResults = actionResults.get(WSConstants.ST_SIGNED);
    if (foundResults != null && !foundResults.isEmpty()) {
        for (WSSecurityEngineResult result : foundResults) {
            Object receivedAssertion = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
            if (receivedAssertion == null) {
                receivedAssertion = result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            }
            if (receivedAssertion instanceof SamlAssertionWrapper) {
                String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
                if (roleAttributeName == null || roleAttributeName.length() == 0) {
                    roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
                }
                ClaimCollection claims = SAMLUtils.getClaims((SamlAssertionWrapper) receivedAssertion);
                Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
                context = new SAMLSecurityContext(asymmetricPrincipal, roles, claims);
                context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
                context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
                break;
            }
        }
    }
    if (context != null) {
        msg.put(SecurityContext.class, context);
    }
}
Also used : PublicKey(java.security.PublicKey) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) SecurityContext(org.apache.cxf.security.SecurityContext) List(java.util.List) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) Principal(java.security.Principal)
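Examples 8, 9 and 10 all record the assertion issuer and the assertion element on the SAMLSecurityContext, but nothing on this page consumes them, and Example 6 builds a context with no issuer at all. By the time a creator runs, WSS4J has already validated the assertion's signature against the truststore; what the context does not do is confirm that the assertion came from the IdP this particular service expects (a truststore shared across several IdPs makes that a real gap), that roles were actually parsed, and that the caller holds the role the operation needs. The following is an added example, not CXF project code, of a service-side guard that makes those checks on the context the creators above store; it assumes the CXF 3.2-era packages imported on this page, and the issuer URL, principal name and role names are constructed stand-ins for a real assertion.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
import org.apache.cxf.security.SecurityContext;

/**
 * Added example, not CXF project code. Consumes the SAMLSecurityContext that the
 * security context creators store on the message. WSS4J has already verified the
 * assertion signature; this guard adds what the context itself never checks:
 * the issuer is one this service accepts, roles were parsed at all, and the
 * required role is present.
 */
public final class SamlIssuerGuard {

    private final Set<String> trustedIssuers;

    public SamlIssuerGuard(Set<String> trustedIssuers) {
        this.trustedIssuers = new HashSet<>(trustedIssuers);
    }

    /** For JAX-WS service code: reads the SecurityContext the interceptors put on the current message. */
    public void requireRole(String role) {
        Message msg = PhaseInterceptorChain.getCurrentMessage();
        requireRole(msg == null ? null : msg.get(SecurityContext.class), role);
    }

    public void requireRole(SecurityContext ctx, String role) {
        if (!(ctx instanceof SAMLSecurityContext)) {
            // A UsernameToken or X.509 principal is not enough for this service.
            throw new AccessDeniedException("no SAML security context on the message");
        }
        SAMLSecurityContext saml = (SAMLSecurityContext) ctx;

        // Example 6 builds the context without setIssuer(); a missing issuer is untrusted.
        String issuer = saml.getIssuer();
        if (issuer == null || !trustedIssuers.contains(issuer)) {
            throw new AccessDeniedException("assertion issuer not accepted: " + issuer);
        }

        // An empty role set usually means the IdP's role attribute Name does not match
        // the configured SAML_ROLE_ATTRIBUTENAME, not that the user holds no roles.
        if (saml.getUserRoles().isEmpty()) {
            throw new AccessDeniedException("assertion from " + issuer + " carries no parsed roles");
        }

        if (!saml.isUserInRole(role)) {
            throw new AccessDeniedException("principal " + saml.getUserPrincipal().getName()
                + " lacks role " + role);
        }
    }

    /** Stand-in for a context produced by the creators above (constructed, no real assertion). */
    static SAMLSecurityContext constructedContext(String issuer, String... roleNames) {
        Set<Principal> roles = new HashSet<>();
        for (String r : roleNames) {
            roles.add(new SimplePrincipal(r));
        }
        SAMLSecurityContext ctx =
            new SAMLSecurityContext(new SimplePrincipal("alice"), roles, new ClaimCollection());
        ctx.setIssuer(issuer);
        return ctx;
    }

    public static void main(String[] args) {
        String trusted = "https://idp.example.com/saml"; // constructed issuer value
        SamlIssuerGuard guard = new SamlIssuerGuard(Collections.singleton(trusted));

        guard.requireRole(constructedContext(trusted, "operator"), "operator");
        System.out.println("trusted issuer with required role: allowed");

        SAMLSecurityContext[] shouldFail = {
            constructedContext("https://other-idp.example.net/saml", "operator"), // wrong issuer
            constructedContext(null, "operator"),                                 // no issuer set
            constructedContext(trusted),                                          // no roles parsed
            constructedContext(trusted, "auditor"),                               // wrong role
        };
        for (SAMLSecurityContext ctx : shouldFail) {
            try {
                guard.requireRole(ctx, "operator");
                System.out.println("unexpectedly allowed");
            } catch (AccessDeniedException denied) {
                System.out.println("denied: " + denied.getMessage());
            }
        }
    }
}
```

The issuer string is taken from the assertion after signature validation, so the allowlist is a second line of defence rather than a substitute for the WSS4J truststore; it is the cheap way to stop an assertion from a different, also-trusted IdP (or from a token exchange the service never intended to accept) from carrying roles into this endpoint.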

Aggregations

SAMLSecurityContext (org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext)11 Principal (java.security.Principal)9 ClaimCollection (org.apache.cxf.rt.security.claims.ClaimCollection)9 SecurityContext (org.apache.cxf.security.SecurityContext)6 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)4 ArrayList (java.util.ArrayList)2 Set (java.util.Set)2 Subject (javax.security.auth.Subject)2 SimplePrincipal (org.apache.cxf.common.security.SimplePrincipal)2 DefaultSecurityContext (org.apache.cxf.interceptor.security.DefaultSecurityContext)2 RolePrefixSecurityContextImpl (org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl)2 Subject (org.apache.cxf.rs.security.saml.assertion.Subject)2 Method (java.lang.reflect.Method)1 PublicKey (java.security.PublicKey)1 X509Certificate (java.security.cert.X509Certificate)1 List (java.util.List)1 KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)1 AccessDeniedException (org.apache.cxf.interceptor.security.AccessDeniedException)1 ExchangeImpl (org.apache.cxf.message.ExchangeImpl)1 Message (org.apache.cxf.message.Message)1