Examples with AudienceRestrictionBean org.apache.wss4j.common.saml.bean.AudienceRestrictionBean used on opensource projects

Search in sources :

Example 1 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SamlTokenTest method testDisableAudienceRestrictionValidation.

@org.junit.Test
public void testDisableAudienceRestrictionValidation() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SamlTokenTest.class.getResource("client.xml");
    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);
    URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
    DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
    String portNumber = PORT2;
    if (STAX_PORT.equals(test.getPort())) {
        portNumber = STAX_PORT2;
    }
    updateAddressPort(saml2Port, portNumber);
    // Create a SAML Token with an AudienceRestrictionCondition
    ConditionsBean conditions = new ConditionsBean();
    List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList(service.getServiceName().toString() + ".xyz"));
    audienceRestrictions.add(audienceRestriction);
    conditions.setAudienceRestrictions(audienceRestrictions);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setConditions(conditions);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    // It should fail with validation enabled
    try {
        saml2Port.doubleIt(25);
        fail("Failure expected on unknown AudienceRestriction");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    // expected
    }
    // It should pass with validation disabled
    portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
    saml2Port = service.getPort(portQName, DoubleItPortType.class);
    updateAddressPort(saml2Port, portNumber);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
    // It should pass because we explicitly allow the given audience restriction
    portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort4");
    saml2Port = service.getPort(portQName, DoubleItPortType.class);
    updateAddressPort(saml2Port, portNumber);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
}
Also used : Bus(org.apache.cxf.Bus) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) QName(javax.xml.namespace.QName) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) Service(javax.xml.ws.Service) URL(java.net.URL) SamlCallbackHandler(org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Example 2 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class CombinedValidatorTest method createResponse.

private Response createResponse(Document doc) throws Exception {
    Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
    Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
    response.setDestination("http://recipient.apache.org");
    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
    callbackHandler.setIssuer("http://cxf.apache.org/issuer");
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setSubjectName("alice");
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo("12345");
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org");
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    Crypto issuerCrypto = new Merlin();
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
    InputStream input = Merlin.loadInputStream(loader, "alice.jks");
    keyStore.load(input, "password".toCharArray());
    ((Merlin) issuerCrypto).setKeyStore(keyStore);
    assertion.signAssertion("alice", "password", issuerCrypto, false);
    response.getAssertions().add(assertion.getSaml2());
    return response;
}
Also used : Status(org.opensaml.saml.saml2.core.Status) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) InputStream(java.io.InputStream) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) KeyStore(java.security.KeyStore) DateTime(org.joda.time.DateTime) Response(org.opensaml.saml.saml2.core.Response) Crypto(org.apache.wss4j.common.crypto.Crypto) SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) Merlin(org.apache.wss4j.common.crypto.Merlin)

Example 3 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SAMLResponseValidatorTest method testAssertionBadSubjectConfirmationMethod.

@org.junit.Test
public void testAssertionBadSubjectConfirmationMethod() throws Exception {
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo("12345");
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org");
    // Create a AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
    callbackHandler.setIssuer("http://cxf.apache.org/issuer");
    callbackHandler.setConfirmationMethod("xyz");
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);
    Response response = createResponse(subjectConfirmationData, callbackHandler);
    // Validate the Response
    SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
    try {
        protocolValidator.validateSamlResponse(response, null, null);
        fail("Expected failure on bad response");
    } catch (WSSecurityException ex) {
    // expected
    }
}
Also used : Response(org.opensaml.saml.saml2.core.Response) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) DateTime(org.joda.time.DateTime)

Example 4 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SAMLSSOResponseValidatorTest method createResponse.

private Response createResponse(SubjectConfirmationDataBean subjectConfirmationData, List<AudienceRestrictionBean> audienceRestrictions, String authnClassRef) throws Exception {
    Document doc = DOMUtils.createDocument();
    Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
    Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
    callbackHandler.setIssuer("http://cxf.apache.org/issuer");
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));
    if (audienceRestrictions == null) {
        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
        conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    } else {
        conditions.setAudienceRestrictions(audienceRestrictions);
    }
    callbackHandler.setConditions(conditions);
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    response.getAssertions().add(assertion.getSaml2());
    if (authnClassRef != null) {
        AuthnStatement authnStatement = response.getAssertions().get(0).getAuthnStatements().get(0);
        authnStatement.getAuthnContext().setAuthnContextClassRef(SAML2PResponseComponentBuilder.createAuthnContextClassRef(authnClassRef));
    }
    Element policyElement = OpenSAMLUtil.toDom(response, doc);
    doc.appendChild(policyElement);
    assertNotNull(policyElement);
    return (Response) OpenSAMLUtil.fromDom(policyElement);
}
Also used : Status(org.opensaml.saml.saml2.core.Status) Response(org.opensaml.saml.saml2.core.Response) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) Element(org.w3c.dom.Element) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) Document(org.w3c.dom.Document) DateTime(org.joda.time.DateTime)

Example 5 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SAMLSSOResponseValidatorTest method testAssertionBadIssuer.

@org.junit.Test
public void testAssertionBadIssuer() throws Exception {
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo("12345");
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org");
    // Create a AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
    callbackHandler.setIssuer("http://cxf.apache.org/bad-issuer");
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);
    Response response = createResponse(subjectConfirmationData, callbackHandler);
    // Validate the Response
    SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
    validator.setEnforceAssertionsSigned(false);
    validator.setIssuerIDP("http://cxf.apache.org/issuer");
    validator.setAssertionConsumerURL("http://recipient.apache.org");
    validator.setClientAddress("http://apache.org");
    validator.setRequestId("12345");
    validator.setSpIdentifier("http://service.apache.org");
    try {
        validator.validateSamlResponse(response, false);
        fail("Expected failure on bad response");
    } catch (WSSecurityException ex) {
    // expected
    }
}
Also used : Response(org.opensaml.saml.saml2.core.Response) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) DateTime(org.joda.time.DateTime)

Aggregations

AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)25 ConditionsBean (org.apache.wss4j.common.saml.bean.ConditionsBean)20 DateTime (org.joda.time.DateTime)14 ArrayList (java.util.ArrayList)12 SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)11 Response (org.opensaml.saml.saml2.core.Response)11 SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)9 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)8 URL (java.net.URL)7 QName (javax.xml.namespace.QName)7 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)7 Crypto (org.apache.wss4j.common.crypto.Crypto)6 Status (org.opensaml.saml.saml2.core.Status)5 HashMap (java.util.HashMap)4 Client (org.apache.cxf.endpoint.Client)4 HelloWorldPortType (org.apache.cxf.hello_world_jms.HelloWorldPortType)4 HelloWorldService (org.apache.cxf.hello_world_jms.HelloWorldService)4 WSS4JOutInterceptor (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)4 InputStream (java.io.InputStream)3 KeyStore (java.security.KeyStore)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial