Example 46 with SAMLCallback
use of org.apache.wss4j.common.saml.SAMLCallback in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testSignedResponseInvalidDestination.
@org.junit.Test
public void testSignedResponseInvalidDestination() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
response.setDestination("xyz");
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
signResponse(response, "alice", "password", issuerCrypto, true);
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(marshalledResponse, false);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Status(org.opensaml.saml.saml2.core.Status)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
InputStream(java.io.InputStream)
Element(org.w3c.dom.Element)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Response(org.opensaml.saml.saml2.core.Response)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 47 with SAMLCallback
use of org.apache.wss4j.common.saml.SAMLCallback in project cxf by apache.
the class SAMLUtils method createAssertion.
public static SamlAssertionWrapper createAssertion(CallbackHandler handler, SelfSignInfo info) throws Fault {
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(handler, samlCallback);
try {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
assertion.signAssertion(info.getUser(), info.getPassword(), info.getCrypto(), false);
return assertion;
} catch (Exception ex) {
StringWriter sw = new StringWriter();
ex.printStackTrace(new PrintWriter(sw));
LOG.warning(sw.toString());
throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString()));
}
}
Also used :
StringWriter(java.io.StringWriter)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Fault(org.apache.cxf.interceptor.Fault)
PrintWriter(java.io.PrintWriter)
Example 48 with SAMLCallback
use of org.apache.wss4j.common.saml.SAMLCallback in project cxf by apache.
the class SAMLUtils method createAssertion.
public static SamlAssertionWrapper createAssertion(Message message, CallbackHandler handler) throws Fault {
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(handler, samlCallback);
try {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (samlCallback.isSignAssertion()) {
// --- This code will be moved to a common utility class
Crypto crypto = new CryptoLoader().getCrypto(message, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
String user = RSSecurityUtils.getUserName(message, crypto, SecurityConstants.SIGNATURE_USERNAME);
if (StringUtils.isEmpty(user)) {
return assertion;
}
String password = RSSecurityUtils.getPassword(message, user, WSPasswordCallback.SIGNATURE, SAMLUtils.class);
assertion.signAssertion(user, password, crypto, false, samlCallback.getCanonicalizationAlgorithm(), samlCallback.getSignatureAlgorithm(), samlCallback.getSignatureDigestAlgorithm());
}
return assertion;
} catch (Exception ex) {
StringWriter sw = new StringWriter();
ex.printStackTrace(new PrintWriter(sw));
LOG.warning(sw.toString());
throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString()));
}
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
StringWriter(java.io.StringWriter)
CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Fault(org.apache.cxf.interceptor.Fault)
PrintWriter(java.io.PrintWriter)
Example 49 with SAMLCallback
use of org.apache.wss4j.common.saml.SAMLCallback in project cxf by apache.
the class SamlCallbackHandler method handle.
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
Message m = PhaseInterceptorChain.getCurrentMessage();
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
if (saml2) {
callback.setSamlVersion(Version.SAML_20);
} else {
callback.setSamlVersion(Version.SAML_11);
}
callback.setIssuer("https://idp.example.org/SAML2");
String subjectName = null;
if (m != null) {
subjectName = (String) m.getContextualProperty("saml.subject.name");
}
if (subjectName == null) {
subjectName = "uid=sts-client,o=mock-sts.com";
}
String subjectQualifier = "www.mock-sts.com";
if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
}
SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, confirmationMethod);
if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
try {
CryptoLoader loader = new CryptoLoader();
Crypto crypto = loader.getCrypto(m, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
X509Certificate cert = RSSecurityUtils.getCertificates(crypto, RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
KeyInfoBean keyInfo = new KeyInfoBean();
keyInfo.setCertificate(cert);
subjectBean.setKeyInfo(keyInfo);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
callback.setSubject(subjectBean);
ConditionsBean conditions = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://sp.example.com/SAML2"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callback.setConditions(conditions);
AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
authDecBean.setDecision(Decision.INDETERMINATE);
authDecBean.setResource("https://sp.example.com/SAML2");
ActionBean actionBean = new ActionBean();
actionBean.setContents("Read");
authDecBean.setActions(Collections.singletonList(actionBean));
callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
authBean.setAuthenticationInstant(new DateTime());
authBean.setSessionIndex("123456");
// AuthnContextClassRef is not set
authBean.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
callback.setAuthenticationStatementData(Collections.singletonList(authBean));
AttributeStatementBean attrBean = new AttributeStatementBean();
attrBean.setSubject(subjectBean);
List<String> roles = null;
if (m != null) {
roles = CastUtils.cast((List<?>) m.getContextualProperty("saml.roles"));
}
if (roles == null) {
roles = Collections.singletonList("user");
}
List<AttributeBean> claims = new ArrayList<>();
AttributeBean roleClaim = new AttributeBean();
roleClaim.setSimpleName("subject-role");
roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
roleClaim.setAttributeValues(new ArrayList<>(roles));
claims.add(roleClaim);
List<String> authMethods = null;
if (m != null) {
authMethods = CastUtils.cast((List<?>) m.getContextualProperty("saml.auth"));
}
if (authMethods == null) {
authMethods = Collections.singletonList("password");
}
AttributeBean authClaim = new AttributeBean();
authClaim.setSimpleName("http://claims/authentication");
authClaim.setQualifiedName("http://claims/authentication");
authClaim.setNameFormat("http://claims/authentication-format");
authClaim.setAttributeValues(new ArrayList<>(authMethods));
claims.add(authClaim);
attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
callback.setSignatureAlgorithm(signatureAlgorithm);
callback.setSignatureDigestAlgorithm(digestAlgorithm);
callback.setSignAssertion(signAssertion);
}
}
}
Also used :
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
Message(org.apache.cxf.message.Message)
AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean)
CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
ActionBean(org.apache.wss4j.common.saml.bean.ActionBean)
X509Certificate(java.security.cert.X509Certificate)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
IOException(java.io.IOException)
DateTime(org.joda.time.DateTime)
SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AuthDecisionStatementBean(org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
ArrayList(java.util.ArrayList)
List(java.util.List)
AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean)
Example 50 with SAMLCallback
use of org.apache.wss4j.common.saml.SAMLCallback in project cxf by apache.
the class SamlRetrievalInterceptor method handleMessage.
@Override
public void handleMessage(Message message) throws Fault {
// Create a SAML Token
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(new SamlCallbackHandler(), samlCallback);
try {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Document doc = DOMUtils.createDocument();
Element token = assertion.toDOM(doc);
message.put(SAMLConstants.SAML_TOKEN_ELEMENT, token);
} catch (WSSecurityException ex) {
StringWriter sw = new StringWriter();
ex.printStackTrace(new PrintWriter(sw));
throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString()));
}
}
Also used :
StringWriter(java.io.StringWriter)
Element(org.w3c.dom.Element)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Fault(org.apache.cxf.interceptor.Fault)
Document(org.w3c.dom.Document)
PrintWriter(java.io.PrintWriter)
Aggregations
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)50
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)35
Document (org.w3c.dom.Document)24
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)23
Element (org.w3c.dom.Element)22
Crypto (org.apache.wss4j.common.crypto.Crypto)19
Response (org.opensaml.saml.saml2.core.Response)18
Status (org.opensaml.saml.saml2.core.Status)18
SubjectBean (org.apache.wss4j.common.saml.bean.SubjectBean)13
AttributeBean (org.apache.wss4j.common.saml.bean.AttributeBean)12
IOException (java.io.IOException)11
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)9
AttributeStatementBean (org.apache.wss4j.common.saml.bean.AttributeStatementBean)9
KeyInfoBean (org.apache.wss4j.common.saml.bean.KeyInfoBean)9
DateTime (org.joda.time.DateTime)9
InputStream (java.io.InputStream)7
KeyStore (java.security.KeyStore)7
Merlin (org.apache.wss4j.common.crypto.Merlin)7
WebClient (org.apache.cxf.jaxrs.client.WebClient)5
AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)5
