Search in sources :

Example 6 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SAMLSSOResponseValidatorTest method testAudienceRestrictionMultipleValues.

@org.junit.Test
public void testAudienceRestrictionMultipleValues() throws Exception {
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo("12345");
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org");
    List<String> values = new ArrayList<>();
    values.add("http://unknown-service.apache.org");
    values.add("http://service.apache.org");
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(values);
    Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
    // Validate the Response
    SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
    validator.setEnforceAssertionsSigned(false);
    validator.setIssuerIDP("http://cxf.apache.org/issuer");
    validator.setAssertionConsumerURL("http://recipient.apache.org");
    validator.setClientAddress("http://apache.org");
    validator.setRequestId("12345");
    validator.setSpIdentifier("http://service.apache.org");
    validator.validateSamlResponse(response, false);
}
Also used : Response(org.opensaml.saml.saml2.core.Response) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean) ArrayList(java.util.ArrayList) DateTime(org.joda.time.DateTime)

Example 7 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SAMLSSOResponseValidatorTest method testEmptyAudienceRestriction.

@org.junit.Test
public void testEmptyAudienceRestriction() throws Exception {
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo("12345");
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org");
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
    // Validate the Response
    SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
    validator.setEnforceAssertionsSigned(false);
    validator.setIssuerIDP("http://cxf.apache.org/issuer");
    validator.setAssertionConsumerURL("http://recipient.apache.org");
    validator.setClientAddress("http://apache.org");
    validator.setRequestId("12345");
    validator.setSpIdentifier("http://service.apache.org");
    try {
        validator.validateSamlResponse(response, false);
        fail("Expected failure on bad response");
    } catch (WSSecurityException ex) {
    // expected
    }
}
Also used : Response(org.opensaml.saml.saml2.core.Response) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) DateTime(org.joda.time.DateTime)

Example 8 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class DefaultConditionsProvider method getConditions.

/**
 * Get a ConditionsBean object.
 */
public ConditionsBean getConditions(TokenProviderParameters providerParameters) {
    ConditionsBean conditions = new ConditionsBean();
    Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
    if (lifetime > 0) {
        if (acceptClientLifetime && tokenLifetime != null && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) {
            Instant creationTime = null;
            Instant expirationTime = null;
            try {
                creationTime = ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
                expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
            } catch (DateTimeParseException ex) {
                LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
                throw new STSException("Error in parsing Timestamp Created or Expiration Strings", STSException.INVALID_TIME);
            }
            // Check to see if the created time is in the future
            Instant validCreation = Instant.now();
            if (futureTimeToLive > 0) {
                validCreation = validCreation.plusSeconds(futureTimeToLive);
            }
            if (creationTime.isAfter(validCreation)) {
                LOG.fine("The Created Time is too far in the future");
                throw new STSException("The Created Time is too far in the future", STSException.INVALID_TIME);
            }
            long requestedLifetime = Duration.between(creationTime, expirationTime).getSeconds();
            if (requestedLifetime > getMaxLifetime()) {
                StringBuilder sb = new StringBuilder();
                sb.append("Requested lifetime [").append(requestedLifetime);
                sb.append(" sec] exceed configured maximum lifetime [").append(getMaxLifetime());
                sb.append(" sec]");
                LOG.warning(sb.toString());
                if (isFailLifetimeExceedance()) {
                    throw new STSException("Requested lifetime exceeds maximum lifetime", STSException.INVALID_TIME);
                }
                expirationTime = creationTime.plusSeconds(getMaxLifetime());
            }
            conditions.setNotAfter(expirationTime);
            conditions.setNotBefore(creationTime);
        } else {
            conditions.setTokenPeriodSeconds(lifetime);
        }
    } else {
        conditions.setTokenPeriodMinutes(5);
    }
    List<AudienceRestrictionBean> audienceRestrictions = createAudienceRestrictions(providerParameters);
    if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
        conditions.setAudienceRestrictions(audienceRestrictions);
    }
    return conditions;
}
Also used : DateTimeParseException(java.time.format.DateTimeParseException) Lifetime(org.apache.cxf.sts.request.Lifetime) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) Instant(java.time.Instant) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) STSException(org.apache.cxf.ws.security.sts.provider.STSException)

Example 9 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SamlCallbackHandler method handle.

public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    Message m = PhaseInterceptorChain.getCurrentMessage();
    for (int i = 0; i < callbacks.length; i++) {
        if (callbacks[i] instanceof SAMLCallback) {
            SAMLCallback callback = (SAMLCallback) callbacks[i];
            if (saml2) {
                callback.setSamlVersion(Version.SAML_20);
            } else {
                callback.setSamlVersion(Version.SAML_11);
            }
            callback.setIssuer(issuer);
            String subject = m != null ? (String) m.getContextualProperty("saml.subject.name") : null;
            if (subject == null) {
                subject = subjectName;
            }
            String subjectQualifier = "www.mock-sts.com";
            SubjectBean subjectBean = new SubjectBean(subject, subjectQualifier, confirmationMethod);
            callback.setSubject(subjectBean);
            ConditionsBean conditions = new ConditionsBean();
            AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
            audienceRestriction.setAudienceURIs(Collections.singletonList(audience));
            conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
            callback.setConditions(conditions);
            AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
            authDecBean.setDecision(Decision.INDETERMINATE);
            authDecBean.setResource("https://sp.example.com/SAML2");
            authDecBean.setSubject(subjectBean);
            ActionBean actionBean = new ActionBean();
            actionBean.setContents("Read");
            authDecBean.setActions(Collections.singletonList(actionBean));
            callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));
            AuthenticationStatementBean authBean = new AuthenticationStatementBean();
            authBean.setSubject(subjectBean);
            authBean.setAuthenticationInstant(new DateTime());
            authBean.setSessionIndex("123456");
            authBean.setSubject(subjectBean);
            // AuthnContextClassRef is not set
            authBean.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
            callback.setAuthenticationStatementData(Collections.singletonList(authBean));
            AttributeStatementBean attrBean = new AttributeStatementBean();
            attrBean.setSubject(subjectBean);
            List<String> roles = m != null ? CastUtils.<String>cast((List<?>) m.getContextualProperty("saml.roles")) : null;
            if (roles == null) {
                roles = Collections.singletonList("user");
            }
            List<AttributeBean> claims = new ArrayList<>();
            AttributeBean roleClaim = new AttributeBean();
            roleClaim.setSimpleName("subject-role");
            roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
            roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
            roleClaim.setAttributeValues(new ArrayList<>(roles));
            claims.add(roleClaim);
            List<String> authMethods = m != null ? CastUtils.<String>cast((List<?>) m.getContextualProperty("saml.auth")) : null;
            if (authMethods == null) {
                authMethods = Collections.singletonList("password");
            }
            AttributeBean authClaim = new AttributeBean();
            authClaim.setSimpleName("http://claims/authentication");
            authClaim.setQualifiedName("http://claims/authentication");
            authClaim.setNameFormat("http://claims/authentication-format");
            authClaim.setAttributeValues(new ArrayList<>(authMethods));
            claims.add(authClaim);
            attrBean.setSamlAttributes(claims);
            callback.setAttributeStatementData(Collections.singletonList(attrBean));
            if (signAssertion) {
                try {
                    Crypto crypto = CryptoFactory.getInstance(cryptoPropertiesFile);
                    callback.setIssuerCrypto(crypto);
                    callback.setIssuerKeyName(issuerKeyName);
                    callback.setIssuerKeyPassword(issuerKeyPassword);
                    callback.setSignAssertion(true);
                } catch (WSSecurityException e) {
                    throw new IOException(e);
                }
            }
        }
    }
}
Also used : AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) Message(org.apache.cxf.message.Message) AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) ActionBean(org.apache.wss4j.common.saml.bean.ActionBean) DateTime(org.joda.time.DateTime) SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean) Crypto(org.apache.wss4j.common.crypto.Crypto) AuthDecisionStatementBean(org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) ArrayList(java.util.ArrayList) List(java.util.List) AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean)

Example 10 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenServiceName.

@Test
public void testUnsignedSAML2AudienceRestrictionTokenServiceName() throws Exception {
    QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
    QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
    URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
    HelloWorldService service = new HelloWorldService(wsdl, serviceName);
    String response = new String("Bonjour");
    HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setSignAssertion(true);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setTokenPeriodMinutes(5);
    List<String> audiences = new ArrayList<>();
    audiences.add("{http://cxf.apache.org/hello_world_jms}HelloWorldService");
    AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
    audienceRestrictionBean.setAudienceURIs(audiences);
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
    callbackHandler.setConditions(conditions);
    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
    WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
    Client client = ClientProxy.getClient(greeter);
    client.getOutInterceptors().add(outInterceptor);
    String reply = greeter.sayHi();
    assertNotNull("no response received from service", reply);
    assertEquals(response, reply);
    ((java.io.Closeable) greeter).close();
}
Also used : AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) HashMap(java.util.HashMap) QName(javax.xml.namespace.QName) HelloWorldService(org.apache.cxf.hello_world_jms.HelloWorldService) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) HelloWorldPortType(org.apache.cxf.hello_world_jms.HelloWorldPortType) URL(java.net.URL) WSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor) Client(org.apache.cxf.endpoint.Client) Test(org.junit.Test)

Aggregations

AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)25 ConditionsBean (org.apache.wss4j.common.saml.bean.ConditionsBean)20 DateTime (org.joda.time.DateTime)14 ArrayList (java.util.ArrayList)12 SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)11 Response (org.opensaml.saml.saml2.core.Response)11 SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)9 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)8 URL (java.net.URL)7 QName (javax.xml.namespace.QName)7 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)7 Crypto (org.apache.wss4j.common.crypto.Crypto)6 Status (org.opensaml.saml.saml2.core.Status)5 HashMap (java.util.HashMap)4 Client (org.apache.cxf.endpoint.Client)4 HelloWorldPortType (org.apache.cxf.hello_world_jms.HelloWorldPortType)4 HelloWorldService (org.apache.cxf.hello_world_jms.HelloWorldService)4 WSS4JOutInterceptor (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)4 InputStream (java.io.InputStream)3 KeyStore (java.security.KeyStore)3