Example 16 with ConditionsBean
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SCTSAMLTokenProvider method createCallbackHandler.
public SamlCallbackHandler createCallbackHandler(TokenProviderParameters tokenParameters, byte[] secret, Document doc) throws Exception {
// Parse the AttributeStatements
List<AttributeStatementBean> attrBeanList = null;
if (attributeStatementProviders != null && !attributeStatementProviders.isEmpty()) {
attrBeanList = new ArrayList<>();
for (AttributeStatementProvider statementProvider : attributeStatementProviders) {
AttributeStatementBean statementBean = statementProvider.getStatement(tokenParameters);
if (statementBean != null) {
LOG.fine("AttributeStatements" + statementBean.toString() + "returned by AttributeStatementProvider " + statementProvider.getClass().getName());
attrBeanList.add(statementBean);
}
}
}
// If no statements, then default to the DefaultAttributeStatementProvider
if (attrBeanList == null || attrBeanList.isEmpty()) {
attrBeanList = new ArrayList<>();
AttributeStatementProvider attributeProvider = new DefaultAttributeStatementProvider();
AttributeStatementBean attributeBean = attributeProvider.getStatement(tokenParameters);
attrBeanList.add(attributeBean);
}
// Get the Subject and Conditions
SubjectProviderParameters subjectProviderParameters = new SubjectProviderParameters();
subjectProviderParameters.setProviderParameters(tokenParameters);
subjectProviderParameters.setDoc(doc);
subjectProviderParameters.setSecret(secret);
subjectProviderParameters.setAttrBeanList(attrBeanList);
SubjectBean subjectBean = subjectProvider.getSubject(subjectProviderParameters);
ConditionsBean conditionsBean = conditionsProvider.getConditions(tokenParameters);
// Set all of the beans on the SamlCallbackHandler
SamlCallbackHandler handler = new SamlCallbackHandler();
handler.setTokenProviderParameters(tokenParameters);
handler.setSubjectBean(subjectBean);
handler.setConditionsBean(conditionsBean);
handler.setAttributeBeans(attrBeanList);
return handler;
}
Also used :
SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean)
SamlCallbackHandler(org.apache.cxf.sts.token.provider.SamlCallbackHandler)
AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
DefaultAttributeStatementProvider(org.apache.cxf.sts.token.provider.DefaultAttributeStatementProvider)
AttributeStatementProvider(org.apache.cxf.sts.token.provider.AttributeStatementProvider)
DefaultAttributeStatementProvider(org.apache.cxf.sts.token.provider.DefaultAttributeStatementProvider)
SubjectProviderParameters(org.apache.cxf.sts.token.provider.SubjectProviderParameters)
Example 17 with ConditionsBean
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SAMLResponseValidatorTest method testResponseInvalidVersion.
@org.junit.Test
public void testResponseInvalidVersion() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
// Create a AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
Response response = createResponse(subjectConfirmationData, callbackHandler);
response.setVersion(SAMLVersion.VERSION_10);
// Validate the Response
SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
try {
protocolValidator.validateSamlResponse(response, null, null);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
DateTime(org.joda.time.DateTime)
Example 18 with ConditionsBean
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testSignedResponseInvalidDestination.
@org.junit.Test
public void testSignedResponseInvalidDestination() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
response.setDestination("xyz");
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
signResponse(response, "alice", "password", issuerCrypto, true);
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(marshalledResponse, false);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Status(org.opensaml.saml.saml2.core.Status)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
InputStream(java.io.InputStream)
Element(org.w3c.dom.Element)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Response(org.opensaml.saml.saml2.core.Response)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 19 with ConditionsBean
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenBadURI.
@Test
public void testUnsignedSAML2AudienceRestrictionTokenBadURI() throws Exception {
QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
HelloWorldService service = new HelloWorldService(wsdl, serviceName);
HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setSignAssertion(true);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setTokenPeriodMinutes(5);
List<String> audiences = new ArrayList<>();
audiences.add("jms:jndi:dynamicQueues/test.jmstransport.text.bad");
AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
audienceRestrictionBean.setAudienceURIs(audiences);
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
callbackHandler.setConditions(conditions);
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
Client client = ClientProxy.getClient(greeter);
client.getOutInterceptors().add(outInterceptor);
try {
greeter.sayHi();
fail("Failure expected on a bad audience restriction");
} catch (SOAPFaultException ex) {
// expected
}
((java.io.Closeable) greeter).close();
}
Also used :
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
HashMap(java.util.HashMap)
QName(javax.xml.namespace.QName)
HelloWorldService(org.apache.cxf.hello_world_jms.HelloWorldService)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
HelloWorldPortType(org.apache.cxf.hello_world_jms.HelloWorldPortType)
SOAPFaultException(javax.xml.ws.soap.SOAPFaultException)
URL(java.net.URL)
WSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)
Client(org.apache.cxf.endpoint.Client)
Test(org.junit.Test)
Example 20 with ConditionsBean
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SamlCallbackHandler method handle.
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
Message m = PhaseInterceptorChain.getCurrentMessage();
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
if (saml2) {
callback.setSamlVersion(Version.SAML_20);
} else {
callback.setSamlVersion(Version.SAML_11);
}
callback.setIssuer("https://idp.example.org/SAML2");
String subjectName = null;
if (m != null) {
subjectName = (String) m.getContextualProperty("saml.subject.name");
}
if (subjectName == null) {
subjectName = "uid=sts-client,o=mock-sts.com";
}
String subjectQualifier = "www.mock-sts.com";
if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
}
SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, confirmationMethod);
if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
try {
CryptoLoader loader = new CryptoLoader();
Crypto crypto = loader.getCrypto(m, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
X509Certificate cert = RSSecurityUtils.getCertificates(crypto, RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
KeyInfoBean keyInfo = new KeyInfoBean();
keyInfo.setCertificate(cert);
subjectBean.setKeyInfo(keyInfo);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
callback.setSubject(subjectBean);
ConditionsBean conditions = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://sp.example.com/SAML2"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callback.setConditions(conditions);
AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
authDecBean.setDecision(Decision.INDETERMINATE);
authDecBean.setResource("https://sp.example.com/SAML2");
ActionBean actionBean = new ActionBean();
actionBean.setContents("Read");
authDecBean.setActions(Collections.singletonList(actionBean));
callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
authBean.setAuthenticationInstant(new DateTime());
authBean.setSessionIndex("123456");
// AuthnContextClassRef is not set
authBean.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
callback.setAuthenticationStatementData(Collections.singletonList(authBean));
AttributeStatementBean attrBean = new AttributeStatementBean();
attrBean.setSubject(subjectBean);
List<String> roles = null;
if (m != null) {
roles = CastUtils.cast((List<?>) m.getContextualProperty("saml.roles"));
}
if (roles == null) {
roles = Collections.singletonList("user");
}
List<AttributeBean> claims = new ArrayList<>();
AttributeBean roleClaim = new AttributeBean();
roleClaim.setSimpleName("subject-role");
roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
roleClaim.setAttributeValues(new ArrayList<>(roles));
claims.add(roleClaim);
List<String> authMethods = null;
if (m != null) {
authMethods = CastUtils.cast((List<?>) m.getContextualProperty("saml.auth"));
}
if (authMethods == null) {
authMethods = Collections.singletonList("password");
}
AttributeBean authClaim = new AttributeBean();
authClaim.setSimpleName("http://claims/authentication");
authClaim.setQualifiedName("http://claims/authentication");
authClaim.setNameFormat("http://claims/authentication-format");
authClaim.setAttributeValues(new ArrayList<>(authMethods));
claims.add(authClaim);
attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
callback.setSignatureAlgorithm(signatureAlgorithm);
callback.setSignatureDigestAlgorithm(digestAlgorithm);
callback.setSignAssertion(signAssertion);
}
}
}
Also used :
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
Message(org.apache.cxf.message.Message)
AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean)
CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
ActionBean(org.apache.wss4j.common.saml.bean.ActionBean)
X509Certificate(java.security.cert.X509Certificate)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
IOException(java.io.IOException)
DateTime(org.joda.time.DateTime)
SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AuthDecisionStatementBean(org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
ArrayList(java.util.ArrayList)
List(java.util.List)
AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean)
Aggregations
ConditionsBean (org.apache.wss4j.common.saml.bean.ConditionsBean)20
AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)16
ArrayList (java.util.ArrayList)9
DateTime (org.joda.time.DateTime)9
URL (java.net.URL)8
QName (javax.xml.namespace.QName)8
Response (org.opensaml.saml.saml2.core.Response)6
Client (org.apache.cxf.endpoint.Client)5
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)5
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)5
SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)5
HashMap (java.util.HashMap)4
Service (javax.xml.ws.Service)4
Bus (org.apache.cxf.Bus)4
SpringBusFactory (org.apache.cxf.bus.spring.SpringBusFactory)4
HelloWorldPortType (org.apache.cxf.hello_world_jms.HelloWorldPortType)4
HelloWorldService (org.apache.cxf.hello_world_jms.HelloWorldService)4
SamlCallbackHandler (org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler)4
WSS4JOutInterceptor (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)4
Crypto (org.apache.wss4j.common.crypto.Crypto)4
