use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testAudienceRestrictionMultipleValues.
@org.junit.Test
public void testAudienceRestrictionMultipleValues() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<String> values = new ArrayList<>();
values.add("http://unknown-service.apache.org");
values.add("http://service.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(values);
Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
validator.validateSamlResponse(response, false);
}
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testEmptyAudienceRestriction.
@org.junit.Test
public void testEmptyAudienceRestriction() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(response, false);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class DefaultConditionsProvider method getConditions.
/**
* Get a ConditionsBean object.
*/
public ConditionsBean getConditions(TokenProviderParameters providerParameters) {
ConditionsBean conditions = new ConditionsBean();
Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
if (lifetime > 0) {
if (acceptClientLifetime && tokenLifetime != null && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) {
Instant creationTime = null;
Instant expirationTime = null;
try {
creationTime = ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
} catch (DateTimeParseException ex) {
LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
throw new STSException("Error in parsing Timestamp Created or Expiration Strings", STSException.INVALID_TIME);
}
// Check to see if the created time is in the future
Instant validCreation = Instant.now();
if (futureTimeToLive > 0) {
validCreation = validCreation.plusSeconds(futureTimeToLive);
}
if (creationTime.isAfter(validCreation)) {
LOG.fine("The Created Time is too far in the future");
throw new STSException("The Created Time is too far in the future", STSException.INVALID_TIME);
}
long requestedLifetime = Duration.between(creationTime, expirationTime).getSeconds();
if (requestedLifetime > getMaxLifetime()) {
StringBuilder sb = new StringBuilder();
sb.append("Requested lifetime [").append(requestedLifetime);
sb.append(" sec] exceed configured maximum lifetime [").append(getMaxLifetime());
sb.append(" sec]");
LOG.warning(sb.toString());
if (isFailLifetimeExceedance()) {
throw new STSException("Requested lifetime exceeds maximum lifetime", STSException.INVALID_TIME);
}
expirationTime = creationTime.plusSeconds(getMaxLifetime());
}
conditions.setNotAfter(expirationTime);
conditions.setNotBefore(creationTime);
} else {
conditions.setTokenPeriodSeconds(lifetime);
}
} else {
conditions.setTokenPeriodMinutes(5);
}
List<AudienceRestrictionBean> audienceRestrictions = createAudienceRestrictions(providerParameters);
if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
conditions.setAudienceRestrictions(audienceRestrictions);
}
return conditions;
}
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class SamlCallbackHandler method handle.
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
Message m = PhaseInterceptorChain.getCurrentMessage();
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
if (saml2) {
callback.setSamlVersion(Version.SAML_20);
} else {
callback.setSamlVersion(Version.SAML_11);
}
callback.setIssuer(issuer);
String subject = m != null ? (String) m.getContextualProperty("saml.subject.name") : null;
if (subject == null) {
subject = subjectName;
}
String subjectQualifier = "www.mock-sts.com";
SubjectBean subjectBean = new SubjectBean(subject, subjectQualifier, confirmationMethod);
callback.setSubject(subjectBean);
ConditionsBean conditions = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(audience));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callback.setConditions(conditions);
AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
authDecBean.setDecision(Decision.INDETERMINATE);
authDecBean.setResource("https://sp.example.com/SAML2");
authDecBean.setSubject(subjectBean);
ActionBean actionBean = new ActionBean();
actionBean.setContents("Read");
authDecBean.setActions(Collections.singletonList(actionBean));
callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
authBean.setAuthenticationInstant(new DateTime());
authBean.setSessionIndex("123456");
authBean.setSubject(subjectBean);
// AuthnContextClassRef is not set
authBean.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
callback.setAuthenticationStatementData(Collections.singletonList(authBean));
AttributeStatementBean attrBean = new AttributeStatementBean();
attrBean.setSubject(subjectBean);
List<String> roles = m != null ? CastUtils.<String>cast((List<?>) m.getContextualProperty("saml.roles")) : null;
if (roles == null) {
roles = Collections.singletonList("user");
}
List<AttributeBean> claims = new ArrayList<>();
AttributeBean roleClaim = new AttributeBean();
roleClaim.setSimpleName("subject-role");
roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
roleClaim.setAttributeValues(new ArrayList<>(roles));
claims.add(roleClaim);
List<String> authMethods = m != null ? CastUtils.<String>cast((List<?>) m.getContextualProperty("saml.auth")) : null;
if (authMethods == null) {
authMethods = Collections.singletonList("password");
}
AttributeBean authClaim = new AttributeBean();
authClaim.setSimpleName("http://claims/authentication");
authClaim.setQualifiedName("http://claims/authentication");
authClaim.setNameFormat("http://claims/authentication-format");
authClaim.setAttributeValues(new ArrayList<>(authMethods));
claims.add(authClaim);
attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
if (signAssertion) {
try {
Crypto crypto = CryptoFactory.getInstance(cryptoPropertiesFile);
callback.setIssuerCrypto(crypto);
callback.setIssuerKeyName(issuerKeyName);
callback.setIssuerKeyPassword(issuerKeyPassword);
callback.setSignAssertion(true);
} catch (WSSecurityException e) {
throw new IOException(e);
}
}
}
}
}
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenServiceName.
@Test
public void testUnsignedSAML2AudienceRestrictionTokenServiceName() throws Exception {
QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
HelloWorldService service = new HelloWorldService(wsdl, serviceName);
String response = new String("Bonjour");
HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setSignAssertion(true);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setTokenPeriodMinutes(5);
List<String> audiences = new ArrayList<>();
audiences.add("{http://cxf.apache.org/hello_world_jms}HelloWorldService");
AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
audienceRestrictionBean.setAudienceURIs(audiences);
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
callbackHandler.setConditions(conditions);
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
Client client = ClientProxy.getClient(greeter);
client.getOutInterceptors().add(outInterceptor);
String reply = greeter.sayHi();
assertNotNull("no response received from service", reply);
assertEquals(response, reply);
((java.io.Closeable) greeter).close();
}
Aggregations