Use of org.apache.wss4j.common.saml.bean.AuthenticationStatementBean in project ddf by codice.
The class AuthNStatementProvider, method getStatement.
/*
 * (non-Javadoc)
 *
 * @see org.apache.cxf.sts.token.provider.AuthenticationStatementProvider#getStatement(org.apache.cxf.sts.token.provider.TokenProviderParameters)
 */
@Override
public AuthenticationStatementBean getStatement(TokenProviderParameters providerParameters) {
    // Builds the SAML AuthenticationStatement for the token being issued. The
    // AuthnContextClassRef is derived from the Principal type of the token the
    // request was based on; anything that cannot be classified falls back to
    // UNSPECIFIED, so the assertion never overstates how the subject authenticated.
    AuthenticationStatementBean statement = new AuthenticationStatementBean();
    // secureRandom is a field of the enclosing class (not visible here). nextInt()
    // may return a negative value, so the session index can carry a leading '-'.
    statement.setSessionIndex(Integer.toString(secureRandom.nextInt()));

    // The first populated target wins, in this fixed precedence: validate target,
    // on-behalf-of, act-as, renew target.
    TokenRequirements requirements = providerParameters.getTokenRequirements();
    ReceivedToken basis = requirements.getValidateTarget();
    if (basis == null) {
        basis = requirements.getOnBehalfOf();
    }
    if (basis == null) {
        basis = requirements.getActAs();
    }
    if (basis == null) {
        basis = requirements.getRenewTarget();
    }

    // Conservative default; only upgraded when the principal type is recognised.
    String contextClassRef = SAML2Constants.AUTH_CONTEXT_CLASS_REF_UNSPECIFIED;
    if (basis != null) {
        Principal principal = basis.getPrincipal();
        if (principal instanceof UsernameTokenPrincipal) {
            contextClassRef = SAML2Constants.AUTH_CONTEXT_CLASS_REF_PASSWORD_PROTECTED_TRANSPORT;
        } else if (principal instanceof X500Principal) {
            contextClassRef = SAML2Constants.AUTH_CONTEXT_CLASS_REF_X509;
        } else if (principal instanceof KerberosPrincipal) {
            contextClassRef = SAML2Constants.AUTH_CONTEXT_CLASS_REF_KERBEROS;
        }
    }
    statement.setAuthenticationMethod(contextClassRef);
    return statement;
}
Use of org.apache.wss4j.common.saml.bean.AuthenticationStatementBean in project cxf by apache.
The class AbstractSAMLCallbackHandler, method createAndSetStatement.
/**
* Note that the SubjectBean parameter should be null for SAML2.0
*/
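protected void createAndSetStatement(SubjectBean subjectBean, SAMLCallback callback) {
    // 'statement' and 'multiValue' are fields of the enclosing handler (not visible here).
    // Exactly one statement kind is attached to the callback per invocation.
    if (statement == Statement.AUTHN) {
        AuthenticationStatementBean authBean = new AuthenticationStatementBean();
        if (subjectBean != null) {
            authBean.setSubject(subjectBean);
        }
        // Short method name; presumably translated by WSS4J into the matching
        // SAML 2.0 AuthnContextClassRef when building the assertion — confirm.
        authBean.setAuthenticationMethod("Password");
        callback.setAuthenticationStatementData(Collections.singletonList(authBean));
    } else if (statement == Statement.ATTR) {
        AttributeStatementBean attrBean = new AttributeStatementBean();
        if (subjectBean != null) {
            attrBean.setSubject(subjectBean);
        }
        if (multiValue) {
            // <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            // AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="roles">
            // <saml:AttributeValue>Value1</saml:AttributeValue>
            // <saml:AttributeValue>Value2</saml:AttributeValue>
            // </saml:Attribute>
            attrBean.setSamlAttributes(
                Collections.singletonList(createRoleAttribute(subjectBean, "user", "admin")));
        } else {
            // <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            // AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="roles">
            // <saml:AttributeValue>Value1</saml:AttributeValue>
            // </saml:Attribute>
            // <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            // AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="roles">
            // <saml:AttributeValue>Value2</saml:AttributeValue>
            // </saml:Attribute>
            attrBean.setSamlAttributes(Arrays.asList(
                createRoleAttribute(subjectBean, "user"),
                createRoleAttribute(subjectBean, "admin")));
        }
        callback.setAttributeStatementData(Collections.singletonList(attrBean));
    } else {
        // Any other value of 'statement' yields an authorization decision statement
        // permitting "Read" on the fixed resource "endpoint".
        AuthDecisionStatementBean authzBean = new AuthDecisionStatementBean();
        if (subjectBean != null) {
            authzBean.setSubject(subjectBean);
        }
        ActionBean actionBean = new ActionBean();
        actionBean.setContents("Read");
        authzBean.setActions(Collections.singletonList(actionBean));
        authzBean.setResource("endpoint");
        authzBean.setDecision(AuthDecisionStatementBean.Decision.PERMIT);
        callback.setAuthDecisionStatementData(Collections.singletonList(authzBean));
    }
}

/**
 * Creates one "role" attribute carrying the given values.
 *
 * <p>When a SubjectBean is supplied (the SAML 1.1 case, per the contract of
 * {@code createAndSetStatement}) the attribute gets simple name {@code role}
 * qualified by {@code http://custom-ns}; without one (SAML 2.0) only the
 * qualified name {@code role} is set.
 *
 * @param subjectBean the subject, or {@code null} for SAML 2.0
 * @param values attribute values, added in the order given
 * @return the populated attribute
 */
private static AttributeBean createRoleAttribute(SubjectBean subjectBean, String... values) {
    AttributeBean attribute = new AttributeBean();
    if (subjectBean != null) {
        attribute.setSimpleName("role");
        attribute.setQualifiedName("http://custom-ns");
    } else {
        attribute.setQualifiedName("role");
    }
    for (String value : values) {
        attribute.addAttributeValue(value);
    }
    return attribute;
}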
Use of org.apache.wss4j.common.saml.bean.AuthenticationStatementBean in project cxf by apache.
The class SamlCallbackHandler, method handle.
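public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    // Fills each SAMLCallback with a canned test assertion. The subject name,
    // roles and authentication methods may be overridden per request through
    // contextual properties on the current CXF message ("saml.subject.name",
    // "saml.roles", "saml.auth"); otherwise the handler's defaults apply.
    // Callbacks of any other type are silently skipped. The fields used here
    // (saml2, issuer, subjectName, confirmationMethod, audience, signAssertion,
    // cryptoPropertiesFile, issuerKeyName, issuerKeyPassword) belong to the
    // enclosing class and are not visible in this excerpt.
    Message m = PhaseInterceptorChain.getCurrentMessage();
    for (Callback cb : callbacks) {
        if (!(cb instanceof SAMLCallback)) {
            continue;
        }
        SAMLCallback callback = (SAMLCallback) cb;
        callback.setSamlVersion(saml2 ? Version.SAML_20 : Version.SAML_11);
        callback.setIssuer(issuer);

        // Subject: per-message override first, then the configured default.
        String subject = m != null ? (String) m.getContextualProperty("saml.subject.name") : null;
        if (subject == null) {
            subject = subjectName;
        }
        String subjectQualifier = "www.mock-sts.com";
        SubjectBean subjectBean = new SubjectBean(subject, subjectQualifier, confirmationMethod);
        callback.setSubject(subjectBean);

        // Conditions: restrict the assertion to the single configured audience.
        ConditionsBean conditions = new ConditionsBean();
        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.setAudienceURIs(Collections.singletonList(audience));
        conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
        callback.setConditions(conditions);

        // Authorization decision statement: always INDETERMINATE for "Read".
        AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
        authDecBean.setDecision(Decision.INDETERMINATE);
        authDecBean.setResource("https://sp.example.com/SAML2");
        authDecBean.setSubject(subjectBean);
        ActionBean actionBean = new ActionBean();
        actionBean.setContents("Read");
        authDecBean.setActions(Collections.singletonList(actionBean));
        callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));

        // Authentication statement with a fixed session index (test fixture).
        // The subject was previously set twice; once is enough.
        AuthenticationStatementBean authBean = new AuthenticationStatementBean();
        authBean.setSubject(subjectBean);
        authBean.setAuthenticationInstant(new DateTime());
        authBean.setSessionIndex("123456");
        // AuthnContextClassRef is not set
        authBean.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
        callback.setAuthenticationStatementData(Collections.singletonList(authBean));

        // Attribute statement: subject roles plus the authentication methods used.
        AttributeStatementBean attrBean = new AttributeStatementBean();
        attrBean.setSubject(subjectBean);
        List<String> roles = m != null ? CastUtils.<String>cast((List<?>) m.getContextualProperty("saml.roles")) : null;
        if (roles == null) {
            roles = Collections.singletonList("user");
        }
        List<AttributeBean> claims = new ArrayList<>();
        AttributeBean roleClaim = new AttributeBean();
        roleClaim.setSimpleName("subject-role");
        roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
        roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
        roleClaim.setAttributeValues(new ArrayList<>(roles));
        claims.add(roleClaim);

        List<String> authMethods = m != null ? CastUtils.<String>cast((List<?>) m.getContextualProperty("saml.auth")) : null;
        if (authMethods == null) {
            authMethods = Collections.singletonList("password");
        }
        AttributeBean authClaim = new AttributeBean();
        authClaim.setSimpleName("http://claims/authentication");
        authClaim.setQualifiedName("http://claims/authentication");
        authClaim.setNameFormat("http://claims/authentication-format");
        authClaim.setAttributeValues(new ArrayList<>(authMethods));
        claims.add(authClaim);
        attrBean.setSamlAttributes(claims);
        callback.setAttributeStatementData(Collections.singletonList(attrBean));

        // Signing: hand the issuer key material to the callback; failure to load
        // the crypto config is surfaced as an IOException with the cause kept.
        if (signAssertion) {
            try {
                Crypto crypto = CryptoFactory.getInstance(cryptoPropertiesFile);
                callback.setIssuerCrypto(crypto);
                callback.setIssuerKeyName(issuerKeyName);
                callback.setIssuerKeyPassword(issuerKeyPassword);
                callback.setSignAssertion(true);
            } catch (WSSecurityException e) {
                throw new IOException(e);
            }
        }
    }
}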
Use of org.apache.wss4j.common.saml.bean.AuthenticationStatementBean in project testcases by coheigea.
The class SAML2CallbackHandler, method createAndSetStatement.
private void createAndSetStatement(SAMLCallback callback) {
    // Every subject gets a "Password" authentication statement; only the known
    // test users additionally receive a role attribute statement.
    AuthenticationStatementBean authnStatement = new AuthenticationStatementBean();
    authnStatement.setAuthenticationMethod("Password");
    callback.setAuthenticationStatementData(Collections.singletonList(authnStatement));

    // Roles are keyed on the handler's subjectName field (not visible here). A
    // null or unknown subject gets no roles and therefore no attribute statement.
    List<Object> roles = new ArrayList<Object>();
    if ("alice".equals(subjectName)) {
        Collections.addAll(roles, "boss", "employee", "User");
    } else if ("bob".equals(subjectName)) {
        roles.add("employee");
    }
    if (roles.isEmpty()) {
        return;
    }

    AttributeBean roleAttribute = new AttributeBean();
    roleAttribute.setQualifiedName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
    roleAttribute.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
    roleAttribute.setAttributeValues(roles);
    AttributeStatementBean attributeStatement = new AttributeStatementBean();
    attributeStatement.setSamlAttributes(Collections.singletonList(roleAttribute));
    callback.setAttributeStatementData(Collections.singletonList(attributeStatement));
}
Use of org.apache.wss4j.common.saml.bean.AuthenticationStatementBean in project syncope by apache.
The class SAML2CallbackHandler, method handle.
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    // Populates each SAMLCallback as a SAML 2.0 assertion: issuer, optional
    // conditions, a subject with confirmation data, and a "Password"
    // authentication statement. Any callback that is not a SAMLCallback aborts
    // the whole loop with UnsupportedCallbackException. The fields used here
    // (issuer, conditions, subjectName, subjectQualifier,
    // subjectConfirmationMethod, subjectConfirmationData) belong to the
    // enclosing class and are not visible in this excerpt.
    for (Callback callback : callbacks) {
        if (!(callback instanceof SAMLCallback)) {
            throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
        }
        SAMLCallback samlCallback = (SAMLCallback) callback;
        samlCallback.setSamlVersion(Version.SAML_20);
        samlCallback.setIssuer(issuer);
        if (conditions != null) {
            samlCallback.setConditions(conditions);
        }

        SubjectBean subject = new SubjectBean(subjectName, subjectQualifier, subjectConfirmationMethod);
        subject.setSubjectConfirmationData(subjectConfirmationData);
        samlCallback.setSubject(subject);

        AuthenticationStatementBean authnStatement = new AuthenticationStatementBean();
        authnStatement.setAuthenticationMethod("Password");
        samlCallback.setAuthenticationStatementData(Collections.singletonList(authnStatement));
    }
}