use of org.apache.wss4j.common.crypto.Crypto in project cxf by apache.
the class CombinedValidatorTest method testWrappingAttack3.
@org.junit.Test
public void testWrappingAttack3() throws Exception {
Document doc = DOMUtils.createDocument();
Response response = createResponse(doc);
Element responseElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(responseElement);
assertNotNull(responseElement);
// Get Assertion Element
Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
assertNotNull(assertionElement);
// Clone it, strip the Signature, modify the Subject, change Subj Conf
Element clonedAssertion = (Element) assertionElement.cloneNode(true);
clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSS4JConstants.SIG_NS, "Signature").item(0);
clonedAssertion.removeChild(sigElement);
Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
subjNameIdElement.setTextContent("bob");
Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);
// Now insert the modified cloned Assertion into the Response before actual assertion
responseElement.insertBefore(clonedAssertion, assertionElement);
// System.out.println(DOM2Writer.nodeToString(responseElement));
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(responseElement);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
ssoValidator.setEnforceAssertionsSigned(false);
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
ssoValidator.setRequestId("12345");
ssoValidator.setSpIdentifier("http://service.apache.org");
// Parse the response
SSOValidatorResponse ssoResponse = ssoValidator.validateSamlResponse(marshalledResponse, false);
SamlAssertionWrapper parsedAssertion = new SamlAssertionWrapper(ssoResponse.getAssertionElement());
assertEquals("alice", parsedAssertion.getSubjectName());
}
use of org.apache.wss4j.common.crypto.Crypto in project cxf by apache.
the class CombinedValidatorTest method testSuccessfulValidation.
@org.junit.Test
public void testSuccessfulValidation() throws Exception {
Document doc = DOMUtils.createDocument();
Response response = createResponse(doc);
Element responseElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(responseElement);
assertNotNull(responseElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(responseElement);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
ssoValidator.setRequestId("12345");
ssoValidator.setSpIdentifier("http://service.apache.org");
// Parse the response
SSOValidatorResponse ssoResponse = ssoValidator.validateSamlResponse(marshalledResponse, false);
SamlAssertionWrapper parsedAssertion = new SamlAssertionWrapper(ssoResponse.getAssertionElement());
assertEquals("alice", parsedAssertion.getSubjectName());
}
use of org.apache.wss4j.common.crypto.Crypto in project cxf by apache.
the class CombinedValidatorTest method testSuccessfulSignedValidation.
@org.junit.Test
public void testSuccessfulSignedValidation() throws Exception {
Document doc = DOMUtils.createDocument();
Response response = createResponse(doc);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
signResponse(response, "alice", "password", issuerCrypto, true);
Element responseElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(responseElement);
assertNotNull(responseElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(responseElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
ssoValidator.setRequestId("12345");
ssoValidator.setSpIdentifier("http://service.apache.org");
// Parse the response
SSOValidatorResponse ssoResponse = ssoValidator.validateSamlResponse(marshalledResponse, false);
SamlAssertionWrapper parsedAssertion = new SamlAssertionWrapper(ssoResponse.getAssertionElement());
assertEquals("alice", parsedAssertion.getSubjectName());
}
use of org.apache.wss4j.common.crypto.Crypto in project cxf by apache.
the class SAMLResponseValidatorTest method testSignedResponse.
@org.junit.Test
public void testSignedResponse() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
response.getAssertions().add(assertion.getSaml2());
signResponse(response, "alice", "password", issuerCrypto, true);
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
try {
validator.validateSamlResponse(marshalledResponse, null, new KeystorePasswordCallback());
fail("Expected failure on no Signature Crypto");
} catch (WSSecurityException ex) {
// expected
}
// Validate the Response
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
}
use of org.apache.wss4j.common.crypto.Crypto in project cxf by apache.
the class SAMLResponseValidatorTest method testResponseSignedAssertion.
@org.junit.Test
public void testResponseSignedAssertion() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
assertion.signAssertion("alice", "password", issuerCrypto, false);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
try {
validator.validateSamlResponse(marshalledResponse, null, new KeystorePasswordCallback());
fail("Expected failure on no Signature Crypto");
} catch (WSSecurityException ex) {
// expected
}
// Validate the Response
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
}
Aggregations