Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.
The class CustomSamlClient, method validateAssertion.
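/**
 * Validates the single assertion carried by {@code response}: assertion count, issue-instant
 * skew, issuer, presence of a Subject and NameID, subject confirmation, conditions and (when
 * present) authentication statements. Signature checks are not part of this method.
 *
 * @param response the decoded SAML response; it must hold exactly one assertion.
 * @throws SAMLException if any check fails, or if the subject cannot be decrypted.
 */
private void validateAssertion(Response response) throws SAMLException {
    if (response.getAssertions().size() != 1) {
        throw new SAMLException("The response doesn't contain exactly 1 assertion");
    }
    Assertion assertion = response.getAssertions().get(0);
    // Verify storage time skew
    if (!isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
        throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value " + assertion.getIssueInstant());
    }
    // A missing Issuer element or value is reported as a SAMLException instead of surfacing as a
    // NullPointerException from the dereference chain. A null responseIssuer still counts as a mismatch.
    String issuerValue = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
    if (issuerValue == null || !issuerValue.equals(responseIssuer)) {
        throw new SAMLException("The assertion issuer didn't match the expected value");
    }
    if (assertion.getSubject() == null) {
        throw new SAMLException("The Subject element is missing from the SAML response");
    }
    if (assertion.getSubject().getNameID() == null) {
        throw new SAMLException("The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
    }
    // Only getLocation() of the local endpoint is meaningful here; the remaining EndpointImpl
    // constructor arguments are placeholders. NOTE(review): presumably this location is what the
    // inherited subject-confirmation check compares Recipient against — confirm in the superclass.
    SAMLMessageContext context = new SAMLMessageContext();
    context.setLocalEntityId(relyingPartyIdentifier);
    context.setLocalEntityEndpoint(new EndpointImpl(null, "", "") {
        @Override
        public String getLocation() {
            return relyingPartyIdentifier + SSO_ENDPOINT;
        }
    });
    try {
        verifySubject(assertion.getSubject(), null, context);
    } catch (DecryptionException e) {
        throw new SAMLException(e);
    }
    // The third argument is true only when authentication statements are present.
    // NOTE(review): presumably it means "audience restriction required" — confirm against the
    // inherited verifyAssertionConditions signature.
    if (assertion.getAuthnStatements().isEmpty()) {
        verifyAssertionConditions(assertion.getConditions(), context, false);
    } else {
        verifyAssertionConditions(assertion.getConditions(), context, true);
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            verifyAuthenticationStatement(statement, null, context);
        }
    }
}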
Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.
The class CustomSamlClient, method decodeSamlResponse.
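/**
 * Decodes a Base64-encoded SAMLResponse into an OpenSAML {@link Response} without validating it.
 * No signature, issuer, audience or time checks are performed here; callers must validate the
 * result before trusting anything it contains.
 *
 * @param encodedResponse the Base64-encoded response returned by the identity provider.
 * @return a {@link Response} object holding the unmarshalled SAML response.
 * @throws SAMLException if the payload cannot be Base64-decoded, is not well-formed XML,
 *     or cannot be unmarshalled into a SAML object.
 */
public static Response decodeSamlResponse(String encodedResponse) throws SAMLException {
    byte[] rawResponse = Base64.decode(encodedResponse);
    if (rawResponse == null) {
        // Defensive: NOTE(review): if this Base64 implementation signals bad input by returning
        // null, the String constructor below would otherwise throw NullPointerException — confirm.
        throw new SAMLException("Cannot decode base64 encoded response");
    }
    // UTF-8 is always available, so the checked UnsupportedEncodingException path is not needed.
    String decodedResponse = new String(rawResponse, java.nio.charset.StandardCharsets.UTF_8);
    // This logs the complete, still unvalidated response (including any user attributes it
    // carries); it is emitted at trace level only.
    logger.trace("Validating SAML response: " + decodedResponse);
    try {
        // NOTE(review): createDOMParser() is expected to disable DTD / external entity resolution
        // since the input is attacker-controlled — confirm in its definition.
        DOMParser parser = createDOMParser();
        parser.parse(new InputSource(new StringReader(decodedResponse)));
        org.w3c.dom.Element root = parser.getDocument().getDocumentElement();
        return (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    } catch (IOException | SAXException | UnmarshallingException ex) {
        throw new SAMLException("Cannot decode xml encoded response", ex);
    }
}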
Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.
The class CustomSamlClient, method createMetadataProvider.
/**
 * Parses identity provider metadata XML and wraps it in an initialised
 * {@code DOMMetadataProvider}.
 *
 * @param metadata reader positioned at the start of the IdP metadata document.
 * @return an initialised metadata provider backed by the parsed document element.
 * @throws SAMLException if the document cannot be read, parsed, or loaded as metadata.
 */
private static MetadataProvider createMetadataProvider(Reader metadata) throws SAMLException {
    try {
        // NOTE(review): the parser is expected to reject DTDs / external entities; confirm in createDOMParser().
        final DOMParser domParser = createDOMParser();
        domParser.parse(new InputSource(metadata));
        final org.w3c.dom.Element rootElement = domParser.getDocument().getDocumentElement();
        final DOMMetadataProvider metadataProvider = new DOMMetadataProvider(rootElement);
        metadataProvider.initialize();
        return metadataProvider;
    } catch (IOException | SAXException | MetadataProviderException cause) {
        throw new SAMLException("Cannot load identity provider metadata", cause);
    }
}
Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.
The class CustomSamlClient, method validateSignature.
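/**
 * Checks that the response or its first assertion carries a valid XML signature.
 * At least one of the two signatures must be present, and every signature that is present
 * must validate; an unsigned assertion inside a validly signed response is accepted.
 *
 * @param response the decoded SAML response to check.
 * @throws SAMLException if the response holds no assertion, if no signature is present at all,
 *     or if a present signature fails validation.
 */
private void validateSignature(Response response) throws SAMLException {
    // validateAssertion() enforces the single-assertion rule, but this method must not depend on
    // being called after it: an empty list would otherwise raise IndexOutOfBoundsException.
    if (response.getAssertions().isEmpty()) {
        throw new SAMLException("The response doesn't contain an assertion to verify");
    }
    Signature responseSignature = response.getSignature();
    Signature assertionSignature = response.getAssertions().get(0).getSignature();
    if (responseSignature == null && assertionSignature == null) {
        throw new SAMLException("No signature is present in either response or assertion");
    }
    if (responseSignature != null && !validate(responseSignature)) {
        throw new SAMLException("The response signature is invalid");
    }
    if (assertionSignature != null && !validate(assertionSignature)) {
        throw new SAMLException("The assertion signature is invalid");
    }
}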
Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.
The class SAMLProxyFilter, method doFilterInternal.
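/**
 * Proxy entry point: for requests matching the configured URL, tries to authenticate an
 * incoming {@code SAMLResponse} against one of the configured external service endpoints,
 * then always continues the filter chain. Authentication failures are logged, not propagated.
 *
 * @param request the current request.
 * @param response the current response.
 * @param filterChain the remaining chain; invoked exactly once on every path.
 * @throws ServletException propagated from the chain.
 * @throws IOException propagated from the chain.
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    if (!urlMatches(request)) {
        filterChain.doFilter(request, response);
        return;
    }
    List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
    if (CollectionUtils.isEmpty(externalServices)) {
        LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
    } else {
        String samlResponse = request.getParameter("SAMLResponse");
        if (StringUtils.isNotBlank(samlResponse)) {
            handleSamlResponse(samlResponse, externalServices);
        }
    }
    filterChain.doFilter(request, response);
}

/**
 * Decodes the response, selects the external service whose endpoint id equals the response's
 * audience, and authenticates against it. The audience is read from a not-yet-validated
 * response and serves only to pick the endpoint configuration; NOTE(review): the trust decision
 * must come from {@code authenticate}, which is not visible here — confirm it validates the
 * signature and conditions. A {@link SAMLException} is logged and swallowed on purpose so the
 * request still reaches the rest of the chain.
 *
 * @param samlResponse the raw {@code SAMLResponse} request parameter (non-blank).
 * @param externalServices the configured endpoints (non-empty).
 */
private void handleSamlResponse(String samlResponse, List<ExternalServiceEndpoint> externalServices) throws ServletException, IOException {
    try {
        Response decoded = CustomSamlClient.decodeSamlResponse(samlResponse);
        String audience = extractAudience(decoded);
        LOGGER.debug("Received SAMLResponse for audience: {}", audience);
        if (audience.isEmpty()) {
            // No audience restriction present: nothing to match an endpoint against.
            return;
        }
        for (ExternalServiceEndpoint endpoint : externalServices) {
            if (audience.equals(endpoint.getEndpointId())) {
                authenticate(samlResponse, decoded, audience, endpoint);
                return;
            }
        }
    } catch (SAMLException e) {
        LOGGER.warn(e.getMessage(), e);
    }
}

/**
 * Returns the audience URI of the first audience of the first audience restriction of the
 * first assertion, or {@link StringUtils#EMPTY} when any link in that chain is absent.
 *
 * @param decoded the decoded (not yet validated) SAML response.
 * @return the audience URI, never {@code null}.
 */
private static String extractAudience(Response decoded) {
    return ListUtils.emptyIfNull(decoded.getAssertions()).stream()
            .findFirst()
            .map(Assertion::getConditions)
            .flatMap(conditions -> ListUtils.emptyIfNull(conditions.getAudienceRestrictions()).stream().findFirst())
            .flatMap(restriction -> ListUtils.emptyIfNull(restriction.getAudiences()).stream().findFirst())
            .map(Audience::getAudienceURI)
            .orElse(StringUtils.EMPTY);
}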