
Example 81 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

Class CustomSaml2Validator, method validate.

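/**
 * Validates an incoming SAML credential, then applies this service's own acceptance rules.
 *
 * <p>After the inherited validation, the assertion must (1) be present, (2) name the
 * issuer {@code "sts"} exactly, (3) be a SAML 2.0 assertion and (4) carry at least one
 * AttributeStatement. Every failed check raises the same generic error so the caller
 * cannot tell from the fault which rule rejected the token.
 *
 * @param credential the credential carrying the SAML assertion to check
 * @param data       request-scoped validation settings handed to the parent validator
 * @return the credential returned by the parent validator, once all checks pass
 * @throws WSSecurityException if the parent validator rejects the credential or any
 *                             of the checks above fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    // Run the inherited wss4j validation first; the rules below are additional, not a replacement.
    Credential validatedCredential = super.validate(credential, data);

    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    // Without this guard a credential that carries no assertion would NPE on getIssuerString()
    // instead of being rejected with the same failure code as every other bad token.
    if (assertion == null) {
        throw invalidSamlSecurity();
    }
    // Exact, case-sensitive comparison of the Issuer value; only assertions from "sts" are accepted.
    if (!"sts".equals(assertion.getIssuerString())) {
        throw invalidSamlSecurity();
    }
    // getSaml2() is null for anything that is not a SAML 2.0 assertion.
    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw invalidSamlSecurity();
    }
    // At least one AttributeStatement is required.
    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw invalidSamlSecurity();
    }
    return validatedCredential;
}

/**
 * Builds the one rejection used for every failed check in {@link #validate}; the message key
 * is deliberately the same for all of them.
 */
private static WSSecurityException invalidSamlSecurity() {
    return new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}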
Also used : Credential(org.apache.wss4j.dom.validate.Credential) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Assertion(org.opensaml.saml.saml2.core.Assertion) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 82 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

Class SamlTokenInterceptor, method addToken.

/**
 * Appends a SAML assertion to the outbound Security header for the SamlToken policy.
 *
 * <p>When no assertion can be produced (see {@code addSamlToken}) every SamlToken policy
 * assertion that was already marked as asserted is reset, and the header is left untouched.
 * A {@code WSSecurityException} raised while building or signing the assertion is reported
 * through {@code policyNotAsserted} rather than propagated.
 *
 * @param message the outbound SOAP message whose Security header receives the assertion
 */
protected void addToken(SoapMessage message) {
    WSSConfig.init();
    SamlToken samlTokenPolicy = (SamlToken) assertTokens(message);
    // 'true' asks for the header to be created when it does not exist yet.
    Header securityHeader = findSecurityHeader(message, true);
    try {
        SamlAssertionWrapper samlAssertion = addSamlToken(samlTokenPolicy, message);
        if (samlAssertion == null) {
            // Nothing to add: withdraw any SamlToken assertions previously marked as satisfied.
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            for (AssertionInfo ai : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
                if (ai.isAsserted()) {
                    ai.setAsserted(false);
                }
            }
            return;
        }
        Element headerElement = (Element) DOMUtils.getDomElement((Element) securityHeader.getObject());
        headerElement.appendChild(samlAssertion.toDOM(headerElement.getOwnerDocument()));
    } catch (WSSecurityException ex) {
        // Only the message text reaches the policy report; the exception itself is not rethrown.
        policyNotAsserted(samlTokenPolicy, ex.getMessage(), message);
    }
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) Header(org.apache.cxf.headers.Header) Element(org.w3c.dom.Element) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Example 83 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

Class SamlTokenInterceptor, method addSamlToken.

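/**
 * Builds the outbound SAML assertion for {@code token} through the configured SAML callback
 * handler and signs it when the callback asks for a signed assertion.
 *
 * @param token   the SamlToken policy assertion; its SamlTokenType selects SAML 1.1 vs 2.0
 * @param message the outbound message, used to look up security properties
 * @return the (possibly signed) assertion, or {@code null} when no SAML callback handler is
 *         configured or the configured handler class cannot be instantiated
 * @throws WSSecurityException if the callback or the signing step fails
 */
private SamlAssertionWrapper addSamlToken(SamlToken token, SoapMessage message) throws WSSecurityException {
    CallbackHandler handler = resolveSamlCallbackHandler(message);
    if (handler == null) {
        return null;
    }

    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    SAMLCallback samlCallback = new SAMLCallback();
    // Pick the SAML version from the policy token type and assert the matching policy
    // alternatives. Any other token type leaves the version untouched here.
    SamlTokenType tokenType = token.getSamlTokenType();
    if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
        samlCallback.setSamlVersion(Version.SAML_11);
        PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
        PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
    } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
        samlCallback.setSamlVersion(Version.SAML_20);
        PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
    }

    SAMLUtil.doSAMLCallback(handler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    if (samlCallback.isSignAssertion()) {
        signAssertion(assertion, samlCallback, token, message);
    }
    return assertion;
}

/**
 * Resolves the SAML_CALLBACK_HANDLER security property: either a ready CallbackHandler
 * instance or the name of a class with a public no-arg constructor.
 *
 * @return the handler, or {@code null} when the property is absent, of another type, or names
 *         a class that cannot be loaded, instantiated or cast to CallbackHandler
 */
private CallbackHandler resolveSamlCallbackHandler(SoapMessage message) {
    Object configured = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_CALLBACK_HANDLER, message);
    if (configured instanceof CallbackHandler) {
        return (CallbackHandler) configured;
    }
    if (configured instanceof String) {
        try {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance(),
            // which let checked exceptions thrown by the constructor escape undeclared.
            return (CallbackHandler) ClassLoaderUtils.loadClass((String) configured, this.getClass())
                    .getDeclaredConstructor().newInstance();
        } catch (Exception ignored) {
            // Best effort, as before: an unusable class is treated as "no handler configured".
            // NOTE(review): the failure is silent; the caller only sees the null return.
        }
    }
    return null;
}

/**
 * Signs {@code assertion} with the issuer key. Key name, password and Crypto are taken from the
 * callback when it supplied them, otherwise from the message's signature properties.
 *
 * @throws WSSecurityException if a password/Crypto lookup or the signature itself fails
 */
private void signAssertion(SamlAssertionWrapper assertion, SAMLCallback samlCallback,
                           SamlToken token, SoapMessage message) throws WSSecurityException {
    String issuerName = samlCallback.getIssuerKeyName();
    if (issuerName == null) {
        issuerName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_USERNAME, message);
    }
    String password = samlCallback.getIssuerKeyPassword();
    if (password == null) {
        password = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.PASSWORD, message);
        if (StringUtils.isEmpty(password)) {
            // Last resort: ask the password callback for the signing key's password.
            password = getPassword(issuerName, token, WSPasswordCallback.SIGNATURE, message);
        }
    }
    Crypto crypto = samlCallback.getIssuerCrypto();
    if (crypto == null) {
        crypto = getCrypto(token, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES, message);
    }
    assertion.signAssertion(issuerName, password, crypto, samlCallback.isSendKeyValue(),
            samlCallback.getCanonicalizationAlgorithm(), samlCallback.getSignatureAlgorithm());
}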
Also used : SamlTokenType(org.apache.wss4j.policy.model.SamlToken.SamlTokenType) CallbackHandler(javax.security.auth.callback.CallbackHandler) Crypto(org.apache.wss4j.common.crypto.Crypto) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Example 84 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

Class StaxSecurityContextInInterceptor, method doResults.

/**
 * Derives the message's SecurityContext from the incoming StAX security events.
 *
 * <p>Token kinds are examined in a fixed priority order (SAML, UsernameToken, Kerberos,
 * X.509, KeyValue). The first kind whose token carries a Subject, or failing that a
 * Principal, decides the context and the search stops; a kind that yields no token,
 * or whose lookup fails with an XMLSecurityException, is skipped.
 *
 * @param msg                       the inbound message that receives the SecurityContext
 * @param incomingSecurityEventList the security events collected for the message
 * @throws WSSecurityException if a token lookup fails with a non-XMLSecurityException failure
 */
private void doResults(SoapMessage msg, List<SecurityEvent> incomingSecurityEventList) throws WSSecurityException {
    final Event[] priorityOrder = {
        WSSecurityEventConstants.SAML_TOKEN,
        WSSecurityEventConstants.USERNAME_TOKEN,
        WSSecurityEventConstants.KERBEROS_TOKEN,
        WSSecurityEventConstants.X509Token,
        WSSecurityEventConstants.KeyValueToken
    };
    for (Event desiredEvent : priorityOrder) {
        SubjectAndPrincipalSecurityToken token = lookupToken(incomingSecurityEventList, desiredEvent, msg);
        if (token == null) {
            continue;
        }
        Principal principal = token.getPrincipal();
        Subject subject = token.getSubject();
        if (subject != null) {
            msg.put(SecurityContext.class, contextForSubject(msg, subject));
            break;
        }
        if (principal == null) {
            // Neither Subject nor Principal: this kind cannot decide, try the next one.
            continue;
        }
        if (desiredEvent == WSSecurityEventConstants.SAML_TOKEN) {
            installSamlContext(msg, principal);
        } else {
            msg.put(SecurityContext.class, createSecurityContext(principal));
        }
        break;
    }
}

/**
 * Looks up the token for one event kind. An XMLSecurityException is deliberately swallowed
 * (the original "proceed") so that lower-priority token kinds are still considered.
 */
private SubjectAndPrincipalSecurityToken lookupToken(List<SecurityEvent> events, Event desiredEvent,
                                                     SoapMessage msg) throws WSSecurityException {
    try {
        return getSubjectPrincipalToken(events, desiredEvent, msg);
    } catch (XMLSecurityException ignored) {
        return null;
    }
}

/**
 * Builds the context for a Subject-bearing token: role-prefix aware when the
 * SUBJECT_ROLE_CLASSIFIER property is set (classifier type defaults to "prefix"),
 * otherwise a plain DefaultSecurityContext.
 */
private SecurityContext contextForSubject(SoapMessage msg, Subject subject) {
    String roleClassifier = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
    if (roleClassifier == null || roleClassifier.isEmpty()) {
        return new DefaultSecurityContext(subject);
    }
    String classifierType = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
    if (classifierType == null || classifierType.isEmpty()) {
        classifierType = "prefix";
    }
    return new RolePrefixSecurityContextImpl(subject, roleClassifier, classifierType);
}

/**
 * Installs a SAMLSecurityContext built from the claims of the assertion behind a SAML
 * principal. Roles are read from the attribute named by SAML_ROLE_ATTRIBUTENAME (falling
 * back to SAML_ROLE_ATTRIBUTENAME_DEFAULT). When the principal carries no assertion nothing
 * is installed — note the caller still stops searching in that case.
 */
private void installSamlContext(SoapMessage msg, Principal principal) {
    String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
    if (roleAttributeName == null || roleAttributeName.isEmpty()) {
        roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    }
    Object receivedAssertion = ((SAMLTokenPrincipal) principal).getToken();
    if (receivedAssertion == null) {
        return;
    }
    ClaimCollection claims = SAMLUtils.getClaims((SamlAssertionWrapper) receivedAssertion);
    Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
    msg.put(SecurityContext.class, new SAMLSecurityContext(principal, roles, claims));
}
Also used : DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) Set(java.util.Set) SubjectAndPrincipalSecurityToken(org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) Subject(javax.security.auth.Subject) RolePrefixSecurityContextImpl(org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) SecurityContext(org.apache.cxf.security.SecurityContext) SamlTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent) KerberosTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent) KeyValueTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent) Event(org.apache.xml.security.stax.securityEvent.SecurityEventConstants.Event) SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) X509TokenSecurityEvent(org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent) UsernameTokenSecurityEvent(org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) Principal(java.security.Principal)

Example 85 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

Class UsernameTokenInterceptor, method processToken.

/**
 * Processes every wsse:UsernameToken found in the inbound Security header.
 *
 * <p>With VALIDATE_TOKEN (default {@code true}) each token is run through
 * {@code validateToken}; otherwise it is only parsed into a principal and converted. A
 * SecurityContext is installed unless the message already has one with a user principal:
 * from a transformed SAML assertion, from the validation Subject, or — as a last resort —
 * from a Subject created out of the UsernameToken's own fields. UsernameToken principals are
 * additionally recorded via {@code storeResults}.
 *
 * @param message the inbound SOAP message
 * @throws Fault wrapping a WSSecurityException or Base64DecodingException from token handling
 */
protected void processToken(SoapMessage message) {
    Header securityHeader = findSecurityHeader(message, false);
    if (securityHeader == null) {
        return;
    }
    boolean validateViaCallbacks = MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true);
    Element headerElement = (Element) securityHeader.getObject();
    for (Element child = DOMUtils.getFirstElement(headerElement); child != null; child = DOMUtils.getNextElement(child)) {
        if (!isUsernameToken(child)) {
            continue;
        }
        try {
            boolean bspCompliant = isWsiBSPCompliant(message);
            Principal principal;
            Subject subject = null;
            Object transformedToken = null;
            if (validateViaCallbacks) {
                final WSSecurityEngineResult result = validateToken(child, message);
                subject = (Subject) result.get(WSSecurityEngineResult.TAG_SUBJECT);
                transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
                principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                if (principal == null) {
                    principal = parseTokenAndCreatePrincipal(child, bspCompliant);
                }
            } else {
                // No validation callback: the token is parsed as-is.
                principal = parseTokenAndCreatePrincipal(child, bspCompliant);
                WSS4JTokenConverter.convertToken(message, principal);
            }
            SecurityContext existing = message.get(SecurityContext.class);
            if (existing == null || existing.getUserPrincipal() == null) {
                if (transformedToken instanceof SamlAssertionWrapper) {
                    message.put(SecurityContext.class, createSecurityContext(message, (SamlAssertionWrapper) transformedToken));
                } else if (subject != null && principal != null) {
                    message.put(SecurityContext.class, createSecurityContext(principal, subject));
                } else {
                    // Neither SAML nor a Subject from validation: build the Subject from the token itself.
                    UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal) principal;
                    byte[] rawNonce = utPrincipal.getNonce();
                    String nonce = rawNonce == null ? null : Base64.getMimeEncoder().encodeToString(rawNonce);
                    subject = createSubject(utPrincipal.getName(), utPrincipal.getPassword(),
                            utPrincipal.isPasswordDigest(), nonce, utPrincipal.getCreatedTime());
                    message.put(SecurityContext.class, createSecurityContext(utPrincipal, subject));
                }
            }
            if (principal instanceof UsernameTokenPrincipal) {
                storeResults((UsernameTokenPrincipal) principal, subject, message);
            }
        } catch (WSSecurityException | Base64DecodingException ex) {
            throw new Fault(ex);
        }
    }
}

/** True when {@code child} is a UsernameToken element in the WS-Security namespace. */
private static boolean isUsernameToken(Element child) {
    return SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
            && WSS4JConstants.WSSE_NS.equals(child.getNamespaceURI());
}
Also used : Element(org.w3c.dom.Element) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Fault(org.apache.cxf.interceptor.Fault) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) Subject(javax.security.auth.Subject) Base64DecodingException(org.apache.xml.security.exceptions.Base64DecodingException) Header(org.apache.cxf.headers.Header) UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal) SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext) DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) SecurityContext(org.apache.cxf.security.SecurityContext) Principal(java.security.Principal) UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal)
