Example 16 with KeyInfoBean
use of org.apache.wss4j.common.saml.bean.KeyInfoBean in project cxf by apache.
the class SAML1CallbackHandler method handle.
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
callback.setIssuer("www.example.com");
callback.setSamlVersion(Version.SAML_11);
SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, confirmationMethod);
if (SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
try {
KeyInfoBean keyInfo = createKeyInfo();
subjectBean.setKeyInfo(keyInfo);
} catch (Exception ex) {
throw new IOException("Problem creating KeyInfo: " + ex.getMessage());
}
}
createAndSetStatement(subjectBean, callback);
try {
Crypto crypto = CryptoFactory.getInstance("outsecurity.properties");
callback.setIssuerCrypto(crypto);
callback.setIssuerKeyName("myalias");
callback.setIssuerKeyPassword("myAliasPassword");
callback.setSignAssertion(signAssertion);
} catch (WSSecurityException e) {
throw new IOException(e);
}
} else {
throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
}
}
}
Also used :
SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean)
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
IOException(java.io.IOException)
Example 17 with KeyInfoBean
use of org.apache.wss4j.common.saml.bean.KeyInfoBean in project cxf by apache.
the class DefaultSubjectProvider method createEncryptedKeyKeyInfo.
/**
* Create an EncryptedKey KeyInfo.
*/
protected static KeyInfoBean createEncryptedKeyKeyInfo(X509Certificate certificate, byte[] secret, Document doc, EncryptionProperties encryptionProperties, Crypto encryptionCrypto) throws WSSecurityException {
KeyInfoBean keyInfo = new KeyInfoBean();
// Create an EncryptedKey
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
encrKey.setUseThisCert(certificate);
encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
final SecretKey symmetricKey;
if (secret != null) {
symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
} else {
KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
symmetricKey = keyGen.generateKey();
}
encrKey.prepare(encryptionCrypto, symmetricKey);
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
Element keyInfoElement = doc.createElementNS(WSS4JConstants.SIG_NS, WSS4JConstants.SIG_PREFIX + ":" + WSS4JConstants.KEYINFO_LN);
keyInfoElement.setAttributeNS(WSS4JConstants.XMLNS_NS, "xmlns:" + WSS4JConstants.SIG_PREFIX, WSS4JConstants.SIG_NS);
keyInfoElement.appendChild(encryptedKeyElement);
keyInfo.setElement(keyInfoElement);
return keyInfo;
}
Also used :
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
SecretKey(javax.crypto.SecretKey)
WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey)
Element(org.w3c.dom.Element)
KeyGenerator(javax.crypto.KeyGenerator)
Example 18 with KeyInfoBean
use of org.apache.wss4j.common.saml.bean.KeyInfoBean in project cxf by apache.
the class DefaultSubjectProvider method getSubject.
/**
* Get a SubjectBean object.
*/
public SubjectBean getSubject(SubjectProviderParameters subjectProviderParameters) {
// 1. Get the principal
Principal principal = getPrincipal(subjectProviderParameters);
if (principal == null) {
LOG.fine("Error in getting principal");
throw new STSException("Error in getting principal", STSException.REQUEST_FAILED);
}
// 2. Create the SubjectBean using the principal
SubjectBean subjectBean = createSubjectBean(principal, subjectProviderParameters);
// 3. Create the KeyInfoBean and set it on the SubjectBean
KeyInfoBean keyInfo = createKeyInfo(subjectProviderParameters);
subjectBean.setKeyInfo(keyInfo);
return subjectBean;
}
Also used :
SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean)
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
X500Principal(javax.security.auth.x500.X500Principal)
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
Principal(java.security.Principal)
UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal)
Example 19 with KeyInfoBean
use of org.apache.wss4j.common.saml.bean.KeyInfoBean in project cxf by apache.
the class DefaultSubjectProvider method createPublicKeyKeyInfo.
/**
* Create a KeyInfoBean that contains an X.509 certificate or Public Key
*/
protected static KeyInfoBean createPublicKeyKeyInfo(X509Certificate certificate, PublicKey publicKey) {
KeyInfoBean keyInfo = new KeyInfoBean();
if (certificate != null) {
keyInfo.setCertificate(certificate);
keyInfo.setCertIdentifer(CERT_IDENTIFIER.X509_CERT);
} else if (publicKey != null) {
keyInfo.setPublicKey(publicKey);
keyInfo.setCertIdentifer(CERT_IDENTIFIER.KEY_VALUE);
}
return keyInfo;
}
Also used :
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
Example 20 with KeyInfoBean
use of org.apache.wss4j.common.saml.bean.KeyInfoBean in project cxf by apache.
the class SamlCallbackHandler method handle.
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
Message m = PhaseInterceptorChain.getCurrentMessage();
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
if (saml2) {
callback.setSamlVersion(Version.SAML_20);
} else {
callback.setSamlVersion(Version.SAML_11);
}
callback.setIssuer("https://idp.example.org/SAML2");
String subjectName = null;
if (m != null) {
subjectName = (String) m.getContextualProperty("saml.subject.name");
}
if (subjectName == null) {
subjectName = "uid=sts-client,o=mock-sts.com";
}
String subjectQualifier = "www.mock-sts.com";
if (!saml2 && SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) {
confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
}
SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, confirmationMethod);
if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
try {
CryptoLoader loader = new CryptoLoader();
Crypto crypto = loader.getCrypto(m, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
X509Certificate cert = RSSecurityUtils.getCertificates(crypto, RSSecurityUtils.getUserName(m, crypto, SecurityConstants.SIGNATURE_USERNAME))[0];
KeyInfoBean keyInfo = new KeyInfoBean();
keyInfo.setCertificate(cert);
subjectBean.setKeyInfo(keyInfo);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
callback.setSubject(subjectBean);
ConditionsBean conditions = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://sp.example.com/SAML2"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callback.setConditions(conditions);
AuthDecisionStatementBean authDecBean = new AuthDecisionStatementBean();
authDecBean.setDecision(Decision.INDETERMINATE);
authDecBean.setResource("https://sp.example.com/SAML2");
ActionBean actionBean = new ActionBean();
actionBean.setContents("Read");
authDecBean.setActions(Collections.singletonList(actionBean));
callback.setAuthDecisionStatementData(Collections.singletonList(authDecBean));
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSubject(subjectBean);
authBean.setAuthenticationInstant(new DateTime());
authBean.setSessionIndex("123456");
// AuthnContextClassRef is not set
authBean.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
callback.setAuthenticationStatementData(Collections.singletonList(authBean));
AttributeStatementBean attrBean = new AttributeStatementBean();
attrBean.setSubject(subjectBean);
List<String> roles = null;
if (m != null) {
roles = CastUtils.cast((List<?>) m.getContextualProperty("saml.roles"));
}
if (roles == null) {
roles = Collections.singletonList("user");
}
List<AttributeBean> claims = new ArrayList<>();
AttributeBean roleClaim = new AttributeBean();
roleClaim.setSimpleName("subject-role");
roleClaim.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
roleClaim.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
roleClaim.setAttributeValues(new ArrayList<>(roles));
claims.add(roleClaim);
List<String> authMethods = null;
if (m != null) {
authMethods = CastUtils.cast((List<?>) m.getContextualProperty("saml.auth"));
}
if (authMethods == null) {
authMethods = Collections.singletonList("password");
}
AttributeBean authClaim = new AttributeBean();
authClaim.setSimpleName("http://claims/authentication");
authClaim.setQualifiedName("http://claims/authentication");
authClaim.setNameFormat("http://claims/authentication-format");
authClaim.setAttributeValues(new ArrayList<>(authMethods));
claims.add(authClaim);
attrBean.setSamlAttributes(claims);
callback.setAttributeStatementData(Collections.singletonList(attrBean));
callback.setSignatureAlgorithm(signatureAlgorithm);
callback.setSignatureDigestAlgorithm(digestAlgorithm);
callback.setSignAssertion(signAssertion);
}
}
}
Also used :
KeyInfoBean(org.apache.wss4j.common.saml.bean.KeyInfoBean)
AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
Message(org.apache.cxf.message.Message)
AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean)
CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
ActionBean(org.apache.wss4j.common.saml.bean.ActionBean)
X509Certificate(java.security.cert.X509Certificate)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
IOException(java.io.IOException)
DateTime(org.joda.time.DateTime)
SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AuthDecisionStatementBean(org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
ArrayList(java.util.ArrayList)
List(java.util.List)
AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean)
Aggregations
KeyInfoBean (org.apache.wss4j.common.saml.bean.KeyInfoBean)22
Crypto (org.apache.wss4j.common.crypto.Crypto)15
SubjectBean (org.apache.wss4j.common.saml.bean.SubjectBean)12
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)11
IOException (java.io.IOException)10
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)10
X509Certificate (java.security.cert.X509Certificate)7
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)7
AttributeBean (org.apache.wss4j.common.saml.bean.AttributeBean)7
AttributeStatementBean (org.apache.wss4j.common.saml.bean.AttributeStatementBean)7
CryptoType (org.apache.wss4j.common.crypto.CryptoType)6
Element (org.w3c.dom.Element)4
KeyGenerator (javax.crypto.KeyGenerator)3
SecretKey (javax.crypto.SecretKey)3
WSSecEncryptedKey (org.apache.wss4j.dom.message.WSSecEncryptedKey)3
DocumentBuilder (javax.xml.parsers.DocumentBuilder)2
DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory)2
Document (org.w3c.dom.Document)2
InputStream (java.io.InputStream)1
Principal (java.security.Principal)1
