
Example 16 with SamlException

Use of org.apereo.cas.support.saml.SamlException in project cas by apereo.

The class SamlObjectSignatureValidator, method validateSignatureOnProfileRequest.

private void validateSignatureOnProfileRequest(final RequestAbstractType profileRequest, final Signature signature, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    // Step 1: structural check of the XML Signature element (SAML profile rules such as
    // a single enveloped-signature reference to the signed element) before any crypto is done.
    final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    LOGGER.debug("Validating profile signature for [{}] via [{}]...", profileRequest.getIssuer(), validator.getClass().getSimpleName());
    validator.validate(signature);
    LOGGER.debug("Successfully validated profile signature for [{}].", profileRequest.getIssuer());
    // Step 2: resolve the trusted signing credentials from the SP's metadata, never from the
    // request's own KeyInfo; a request whose issuer has no registered signing key is rejected.
    @NonNull final Set<Credential> credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved based on the provided signature");
    }
    // Step 3: cryptographically verify the signature against each registered credential
    // (metadata may list several keys, e.g. during key rollover); stop at the first match.
    boolean foundValidCredential = false;
    final Iterator<Credential> it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        try {
            final Credential c = it.next();
            LOGGER.debug("Validating signature using credentials for [{}]", c.getEntityId());
            SignatureValidator.validate(signature, c);
            LOGGER.info("Successfully validated the request signature.");
            foundValidCredential = true;
        } catch (final Exception e) {
            // A mismatch against one credential is expected; only log it and try the next one.
            LOGGER.debug(e.getMessage(), e);
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}
Also used : Credential(org.opensaml.security.credential.Credential) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) NonNull(lombok.NonNull) SamlException(org.apereo.cas.support.saml.SamlException)

Example 17 with SamlException

Use of org.apereo.cas.support.saml.SamlException in project cas by apereo.

The class SamlIdPObjectEncrypter, method getDataEncryptionParameters.

/**
 * Gets data encryption parameters.
 *
 * @param samlObject              the saml object
 * @param service                 the service
 * @param adaptor                 the adaptor
 * @param encryptionConfiguration the encryption configuration
 * @return the data encryption parameters
 */
protected DataEncryptionParameters getDataEncryptionParameters(final Object samlObject, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final BasicEncryptionConfiguration encryptionConfiguration) {
    try {
        val params = resolveEncryptionParameters(service, encryptionConfiguration);
        if (params != null) {
            return new DataEncryptionParameters(params);
        }
        LOGGER.debug("No data encryption parameters could be determined");
        return null;
    } catch (final Exception e) {
        throw new SamlException(e.getMessage(), e);
    }
}
Also used : lombok.val(lombok.val) SamlException(org.apereo.cas.support.saml.SamlException) DataEncryptionParameters(org.opensaml.xmlsec.encryption.support.DataEncryptionParameters) ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException) DecryptionException(org.apereo.cas.util.crypto.DecryptionException)

Example 18 with SamlException

Use of org.apereo.cas.support.saml.SamlException in project cas by apereo.

The class SamlObjectSignatureValidator, method validateSignatureOnProfileRequest (same method as Example 16, in the later lombok val/var form).

private void validateSignatureOnProfileRequest(final RequestAbstractType profileRequest, final Signature signature, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    val validator = new SAMLSignatureProfileValidator();
    LOGGER.debug("Validating profile signature for [{}] via [{}]...", profileRequest.getIssuer(), validator.getClass().getSimpleName());
    validator.validate(signature);
    LOGGER.debug("Successfully validated profile signature for [{}].", profileRequest.getIssuer());
    val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved based on the provided signature");
    }
    var foundValidCredential = false;
    val it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        try {
            val c = it.next();
            LOGGER.debug("Validating signature using credentials for [{}]", c.getEntityId());
            SignatureValidator.validate(signature, c);
            LOGGER.info("Successfully validated the request signature.");
            foundValidCredential = true;
        } catch (final Exception e) {
            LOGGER.debug(e.getMessage(), e);
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}
Also used : lombok.val(lombok.val) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) SamlException(org.apereo.cas.support.saml.SamlException)

Example 19 with SamlException

Use of org.apereo.cas.support.saml.SamlException in project cas by apereo.

The class SamlObjectSignatureValidator, method validateSignatureOnAuthenticationRequest.

private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    // Identify the peer (the SP) from the request's Issuer and look up its SPSSODescriptor
    // in the resolved metadata; the signing keys used below come from that descriptor only.
    val peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest));
    val peerEntityId = Objects.requireNonNull(peer.getEntityId());
    LOGGER.debug("Validating request signature for [{}]...", peerEntityId);
    val roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    peer.setRole(roleDescriptor.getElementQName());
    val protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);
    LOGGER.debug("Building security parameters context for signature validation of [{}]", peerEntityId);
    val secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    // Optional per-deployment overrides of the algorithm blocklist/allowlist applied to the
    // SigAlg parameter of the redirect binding.
    val validationParams = new SignatureValidationParameters();
    if (overrideBlockedSignatureAlgorithms != null && !overrideBlockedSignatureAlgorithms.isEmpty()) {
        validationParams.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
        // Log the blocked list here (the original logged the allowed list under this label).
        LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideBlockedSignatureAlgorithms);
    }
    if (overrideAllowedAlgorithms != null && !overrideAllowedAlgorithms.isEmpty()) {
        validationParams.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
        LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
    }
    LOGGER.debug("Resolving signing credentials for [{}]", peerEntityId);
    val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }
    // Try each registered credential with an explicit-key trust engine, so only keys present
    // in the SP's metadata can ever validate; a fresh handler is built and destroyed per attempt.
    var foundValidCredential = false;
    val it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
        try {
            val credential = it.next();
            val resolver = new StaticCredentialResolver(credential);
            val keyResolver = new StaticKeyInfoCredentialResolver(credential);
            val trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            // Failure against one credential is not fatal; the next registered key is tried.
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}
Also used : lombok.val(lombok.val) SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler) SamlException(org.apereo.cas.support.saml.SamlException)

Example 20 with SamlException

Use of org.apereo.cas.support.saml.SamlException in project cas by apereo.

The class MetadataQueryProtocolMetadataResolver, method getMetadataLocationForService.

@Override
protected String getMetadataLocationForService(final SamlRegisteredService service, final CriteriaSet criteriaSet) {
    LOGGER.trace("Getting metadata location dynamically for [{}] based on criteria [{}]", service.getName(), criteriaSet);
    // Prefer the entity id carried in the criteria; fall back to the registered service id.
    val entityIdCriteria = criteriaSet.get(EntityIdCriterion.class);
    val entityId = Optional.ofNullable(entityIdCriteria).map(EntityIdCriterion::getEntityId).orElseGet(service::getServiceId);
    if (StringUtils.isBlank(entityId)) {
        throw new SamlException("Unable to determine entity id to fetch metadata via MDQ for " + service.getName());
    }
    // The configured MDQ location is a template; the entity id is URL-encoded before it is
    // substituted for the {0} placeholder so it cannot alter the rest of the query URL.
    val location = super.getMetadataLocationForService(service, criteriaSet);
    return location.replace("{0}", EncodingUtils.urlEncode(entityId));
}
Also used : lombok.val(lombok.val) SamlException(org.apereo.cas.support.saml.SamlException)

Aggregations

SamlException (org.apereo.cas.support.saml.SamlException) 21
lombok.val (lombok.val) 10
ArrayList (java.util.ArrayList) 5
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet) 5
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion) 4
MessageContext (org.opensaml.messaging.context.MessageContext) 4
Synchronized (lombok.Synchronized) 3
UnauthorizedServiceException (org.apereo.cas.services.UnauthorizedServiceException) 3
SAMLException (org.opensaml.saml.common.SAMLException) 3
EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion) 3
ChainingMetadataResolver (org.opensaml.saml.metadata.resolver.ChainingMetadataResolver) 3
SneakyThrows (lombok.SneakyThrows) 2
Slf4j (lombok.extern.slf4j.Slf4j) 2
HttpResponse (org.apache.http.HttpResponse) 2
OpenSamlConfigBean (org.apereo.cas.support.saml.OpenSamlConfigBean) 2
SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService) 2
MetadataResolver (org.opensaml.saml.metadata.resolver.MetadataResolver) 2
SAML2HTTPRedirectDeflateSignatureSecurityHandler (org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler) 2
SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) 2
Credential (org.opensaml.security.credential.Credential) 2