Use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice: class SecureCxfClientFactoryTest, method setupMockSubject.
/**
 * Builds a mocked Shiro {@link Subject} whose principal list holds a single
 * {@link SecurityAssertion}, itself backed by a {@link SecurityToken} whose DOM
 * token is the assertion element produced by {@code getAssertionElement()}.
 *
 * @return the fully wired mock subject
 * @throws Exception propagated from {@code getAssertionElement()}
 */
private Subject setupMockSubject() throws Exception {
  SecurityToken token = mock(SecurityToken.class);
  SecurityAssertion assertion = mock(SecurityAssertion.class);
  PrincipalCollection principals = mock(PrincipalCollection.class);
  Subject subject = mock(Subject.class);

  // Wire the chain subject -> principals -> assertion -> token -> DOM element
  when(subject.getPrincipals()).thenReturn(principals);
  when(principals.asList()).thenReturn(Arrays.asList(assertion));
  when(assertion.getToken()).thenReturn(token);
  when(token.getToken()).thenReturn(getAssertionElement());

  return subject;
}
Use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice: class SamlAssertionValidatorImpl, method validate.
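/**
 * Validates a SAMLAuthenticationToken by checking its signature against the configured system
 * certs.
 *
 * <p>The token's credentials must be a {@link PrincipalCollection} containing a
 * {@link SecurityAssertion} whose token type is SAML 2.0. That assertion's DOM element is wrapped,
 * its holder-of-key confirmation is checked against the caller's TLS certificates, its signature
 * is verified when the assertion is signed, and it is finally handed to
 * {@code assertionValidator}.
 *
 * @param token token to validate
 * @throws AuthenticationFailureException thrown when the cert fails to validate, when the token
 *     does not carry a SAML 2.0 assertion with a DOM element, or when the security layer cannot
 *     read or validate the token
 */
@Override
public void validate(SAMLAuthenticationToken token) throws AuthenticationFailureException {
  try {
    LOGGER.debug("Validation received SAML Assertion");

    // Guard the cast: a token whose credentials are missing or of the wrong type must surface as
    // an authentication failure, not as a ClassCastException/NullPointerException escaping here.
    Object credentials = token.getCredentials();
    if (!(credentials instanceof PrincipalCollection)) {
      throw new AuthenticationFailureException(
          "Unable to validate SAML token. Credentials are not a principal collection.");
    }
    PrincipalCollection principalCollection = (PrincipalCollection) credentials;

    SecurityAssertion securityAssertion =
        findSaml2Assertion(principalCollection.byType(SecurityAssertion.class));
    if (securityAssertion == null) {
      throw new AuthenticationFailureException("Unable to validate SAML token. Token is not SAML.");
    }

    // Same guard for the assertion's DOM token before it is wrapped.
    Object assertionDom = securityAssertion.getToken();
    if (!(assertionDom instanceof Element)) {
      throw new AuthenticationFailureException(
          "Unable to validate SAML token. Assertion does not carry a DOM element.");
    }
    SamlAssertionWrapper assertion = new SamlAssertionWrapper((Element) assertionDom);

    // Crypto holding the trusted signature-verification certificates
    Crypto crypto = getSignatureCrypto();

    // Build a synthetic SAML Response around the assertion so the WSS4J validator has a DOM
    // context to work with.
    Response samlResponse =
        createSamlResponse(
            token.getRequestURI(),
            assertion.getIssuerString(),
            createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null));
    BUILDER.get().reset();
    Document doc = BUILDER.get().newDocument();
    Element policyElement = OpenSAMLUtil.toDom(samlResponse, doc);
    doc.appendChild(policyElement);

    Credential credential = new Credential();
    credential.setSamlAssertion(assertion);

    RequestData requestData = new RequestData();
    requestData.setWsDocInfo(new WSDocInfo(samlResponse.getDOM().getOwnerDocument()));
    requestData.setSigVerCrypto(crypto);
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);

    // The caller's TLS certificates are what a holder-of-key assertion must be bound to.
    X509Certificate[] x509Certs = token.getX509Certs();
    requestData.setTlsCerts(x509Certs);
    validateHolderOfKeyConfirmation(assertion, x509Certs);

    if (assertion.isSigned()) {
      // Verify the signature
      WSSSAMLKeyInfoProcessor wsssamlKeyInfoProcessor = new WSSSAMLKeyInfoProcessor(requestData);
      assertion.verifySignature(wsssamlKeyInfoProcessor, crypto);
      assertion.parseSubject(
          new WSSSAMLKeyInfoProcessor(requestData),
          requestData.getSigVerCrypto(),
          requestData.getCallbackHandler());
    }
    // NOTE(review): an unsigned assertion skips verifySignature above; whether it is rejected
    // depends entirely on how assertionValidator is configured — confirm that is intended.
    assertionValidator.validate(credential, requestData);
  } catch (SecurityServiceException e) {
    LOGGER.debug("Unable to get subject from SAML request.", e);
    throw new AuthenticationFailureException(e);
  } catch (WSSecurityException e) {
    LOGGER.debug("Unable to read/validate security token from request.", e);
    throw new AuthenticationFailureException(e);
  }
}

/**
 * Returns the first assertion whose token type is SAML 2.0, or {@code null} when none matches.
 *
 * @param securityAssertions assertions found on the token's principals (may be empty)
 */
private static SecurityAssertion findSaml2Assertion(
    Collection<SecurityAssertion> securityAssertions) {
  for (SecurityAssertion candidate : securityAssertions) {
    if (SecurityAssertionSaml.SAML2_TOKEN_TYPE.equals(candidate.getTokenType())) {
      return candidate;
    }
  }
  return null;
}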
Use of org.apache.shiro.subject.PrincipalCollection in project neo4j by neo4j: class ShiroSubjectFactory, method createSubject.
/**
 * Assembles a {@link ShiroSubject} from the pieces resolved off the given {@link SubjectContext}.
 *
 * @param context the context whose security manager, session, principals, authentication state,
 *     host and authentication info are resolved, in that order
 * @return a new subject carrying the authentication result taken from the context's
 *     {@link ShiroAuthenticationInfo}
 */
@Override
public Subject createSubject(SubjectContext context) {
  final SecurityManager manager = context.resolveSecurityManager();
  final Session resolvedSession = context.resolveSession();
  final boolean canCreateSession = context.isSessionCreationEnabled();
  final PrincipalCollection resolvedPrincipals = context.resolvePrincipals();
  final boolean isAuthenticated = context.resolveAuthenticated();
  final String resolvedHost = context.resolveHost();
  // NOTE(review): this cast assumes the context always carries a ShiroAuthenticationInfo; a null
  // or differently typed value fails here with an NPE/ClassCastException — confirm with callers.
  final ShiroAuthenticationInfo info = (ShiroAuthenticationInfo) context.getAuthenticationInfo();
  return new ShiroSubject(
      resolvedPrincipals,
      isAuthenticated,
      resolvedHost,
      resolvedSession,
      canCreateSession,
      manager,
      info.getAuthenticationResult());
}
Use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice: class IdpEndpointTest, method testPassiveLoginPkiUnsupportedPost.
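/**
 * A passive PKI login over POST whose security token cannot be processed (the mocked token yields
 * a bare DOM element, which triggers the signature error) must be answered with a SAML status of
 * RequestUnsupported rather than with a redirect to an interactive login.
 */
@Test
public void testPassiveLoginPkiUnsupportedPost()
    throws SecurityServiceException, WSSecurityException, CertificateEncodingException,
        IOException {
  String samlRequest = authNRequestPassivePkiPost;
  HttpServletRequest request = mock(HttpServletRequest.class);
  X509Certificate x509Certificate = mock(X509Certificate.class);
  Subject subject = mock(Subject.class);
  PrincipalCollection principalCollection = mock(PrincipalCollection.class);
  SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
  SecurityToken securityToken = mock(SecurityToken.class);
  SecurityManager securityManager = mock(SecurityManager.class);
  when(subject.getPrincipals()).thenReturn(principalCollection);
  when(principalCollection.asList()).thenReturn(Collections.singletonList(securityAssertion));
  when(securityAssertion.getSecurityToken()).thenReturn(securityToken);
  // this mock element is what will cause the signature error
  when(securityToken.getToken()).thenReturn(mock(Element.class));
  when(securityManager.getSubject(anyObject())).thenReturn(subject);
  idpEndpoint.setSecurityManager(securityManager);
  idpEndpoint.setStrictSignature(false);
  when(request.isSecure()).thenReturn(true);
  when(request.getRequestURL()).thenReturn(requestURL);
  when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("*");
  // dummy cert
  when((X509Certificate[]) request.getAttribute(requestCertificateAttributeName))
      .thenReturn(new X509Certificate[] {x509Certificate});
  when(x509Certificate.getEncoded()).thenReturn(new byte[48]);

  Response response = idpEndpoint.showPostLogin(samlRequest, relayState, request);

  // Pull the base64 SAMLResponse out of the auto-submitting POST form in the response body
  String responseStr =
      StringUtils.substringBetween(
          response.getEntity().toString(), "SAMLResponse\" value=\"", "\" />");
  // Decode with an explicit charset so the assertion does not depend on the platform default
  responseStr =
      new String(
          Base64.getDecoder().decode(responseStr), java.nio.charset.StandardCharsets.UTF_8);
  // A passive request that cannot be satisfied without interaction must report RequestUnsupported
  assertThat(responseStr, containsString("status:RequestUnsupported"));
}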
Use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice: class AuthenticationEndpointTest, method mockUser.
/**
 * Registers a mocked {@link Subject} with the test's {@code securityManager} for the given
 * username/password/realm triple. The subject exposes exactly one principal — a
 * {@link SecurityAssertion} backed by a mocked {@link SecurityToken} — through a mocked iterator.
 *
 * @param username user name placed in the expected {@link UPAuthenticationToken}
 * @param password password placed in the expected token
 * @param realm realm placed in the expected token
 * @throws SecurityServiceException declared by the stubbed {@code securityManager.getSubject} call
 */
private void mockUser(String username, String password, String realm)
    throws SecurityServiceException {
  SecurityToken mockedToken = mock(SecurityToken.class);
  SecurityAssertion mockedAssertion = mock(SecurityAssertion.class);
  when(mockedAssertion.getSecurityToken()).thenReturn(mockedToken);

  // One-shot iterator: yields the assertion once, then reports exhaustion
  Iterator principalIterator = mock(Iterator.class);
  when(principalIterator.hasNext()).thenReturn(true, false);
  when(principalIterator.next()).thenReturn(mockedAssertion);
  PrincipalCollection mockedPrincipals = mock(PrincipalCollection.class);
  when(mockedPrincipals.iterator()).thenReturn(principalIterator);

  Subject mockedSubject = mock(Subject.class);
  when(mockedSubject.getPrincipals()).thenReturn(mockedPrincipals);

  // Any token matching this username/password/realm resolves to the mocked subject
  UPAuthenticationToken expectedToken = new UPAuthenticationToken(username, password, realm);
  when(securityManager.getSubject(argThat(new UsernamePasswordTokenMatcher(expectedToken))))
      .thenReturn(mockedSubject);
}