Example 1 with SAMLException

Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.

From class CustomSamlClient, method validateAssertion:

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.impl.EndpointImpl;
import org.opensaml.xml.encryption.DecryptionException;
import org.springframework.security.saml.context.SAMLMessageContext;

// Structural and semantic checks on a decoded SAML Response. Signature
// verification is a separate step (see validateSignature). The skew, subject,
// condition and authentication-statement helpers are not shown in this snippet.
private void validateAssertion(Response response) throws SAMLException {
    // Accept exactly one assertion so that later get(0) calls are unambiguous
    if (response.getAssertions().size() != 1) {
        throw new SAMLException("The response doesn't contain exactly 1 assertion");
    }
    Assertion assertion = response.getAssertions().get(0);
    // Reject assertions whose IssueInstant falls outside the allowed clock skew / maximum age
    if (!isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
        throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value " + assertion.getIssueInstant());
    }
    // The assertion must come from the configured identity provider
    if (!assertion.getIssuer().getValue().equals(responseIssuer)) {
        throw new SAMLException("The assertion issuer didn't match the expected value");
    }
    if (assertion.getSubject().getNameID() == null) {
        throw new SAMLException("The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
    }
    // Minimal message context carrying the SP entity ID and its SSO endpoint location,
    // so the subject confirmation and conditions can be checked against this SP
    SAMLMessageContext context = new SAMLMessageContext();
    context.setLocalEntityId(relyingPartyIdentifier);
    context.setLocalEntityEndpoint(new EndpointImpl(null, "", "") {

        @Override
        public String getLocation() {
            return relyingPartyIdentifier + SSO_ENDPOINT;
        }
    });
    try {
        // Checks the subject confirmation data against the local entity in the context
        verifySubject(assertion.getSubject(), null, context);
    } catch (DecryptionException e) {
        throw new SAMLException(e);
    }
    // Conditions (validity window, audience restriction) are always checked; the flag
    // tells the helper whether the assertion also carries authentication statements
    if (assertion.getAuthnStatements().size() > 0) {
        verifyAssertionConditions(assertion.getConditions(), context, true);
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            verifyAuthenticationStatement(statement, null, context);
        }
    } else {
        verifyAssertionConditions(assertion.getConditions(), context, false);
    }
}

Example 2 with SAMLException

Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.

From class CustomSamlClient, method decodeSamlResponse:

import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.io.UnmarshallingException;
// Assumed to be OpenSAML's Base64 utility; the import is not among those listed for this method
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import com.sun.org.apache.xerces.internal.parsers.DOMParser;

/**
 * Decode a SAMLResponse with no validation.
 * @param encodedResponse the base64-encoded response returned by the identity provider.
 * @return A {@link Response} object containing information decoded from the SAML response.
 * @throws SAMLException if the response cannot be base64-decoded, parsed as XML, or unmarshalled.
 */
public static Response decodeSamlResponse(String encodedResponse) throws SAMLException {
    String decodedResponse;
    try {
        decodedResponse = new String(Base64.decode(encodedResponse), "UTF-8");
    } catch (UnsupportedEncodingException ex) {
        throw new SAMLException("Cannot decode base64 encoded response", ex);
    }
    logger.trace("Validating SAML response: " + decodedResponse);
    try {
        // createDOMParser() (not shown here) supplies the parser and its configuration
        DOMParser parser = createDOMParser();
        parser.parse(new InputSource(new StringReader(decodedResponse)));
        // Unmarshal the root element into an OpenSAML Response object; no checks are applied
        Element root = parser.getDocument().getDocumentElement();
        return (Response) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(root)
                .unmarshall(root);
    } catch (IOException | SAXException | UnmarshallingException ex) {
        throw new SAMLException("Cannot decode xml encoded response", ex);
    }
}

Example 3 with SAMLException

Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.

From class CustomSamlClient, method createMetadataProvider:

import java.io.IOException;
import java.io.Reader;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import com.sun.org.apache.xerces.internal.parsers.DOMParser;

// Parse identity provider metadata XML into an initialized OpenSAML metadata provider
private static MetadataProvider createMetadataProvider(Reader metadata) throws SAMLException {
    try {
        DOMParser parser = createDOMParser();
        parser.parse(new InputSource(metadata));
        DOMMetadataProvider provider = new DOMMetadataProvider(parser.getDocument().getDocumentElement());
        // initialize() must be called before the provider can be queried
        provider.initialize();
        return provider;
    } catch (IOException | SAXException | MetadataProviderException ex) {
        throw new SAMLException("Cannot load identity provider metadata", ex);
    }
}

Example 4 with SAMLException

Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.

From class CustomSamlClient, method validateSignature:

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.signature.Signature;

// Require a valid XML signature on the Response, on its first Assertion, or on both.
// Precondition: response.getAssertions() is non-empty, otherwise get(0) throws
// IndexOutOfBoundsException rather than SAMLException.
private void validateSignature(Response response) throws SAMLException {
    Signature responseSignature = response.getSignature();
    Signature assertionSignature = response.getAssertions().get(0).getSignature();
    if (responseSignature == null && assertionSignature == null) {
        throw new SAMLException("No signature is present in either response or assertion");
    }
    // validate(Signature) (not shown) performs the cryptographic check; every signature
    // that is present must verify
    if (responseSignature != null && !validate(responseSignature)) {
        throw new SAMLException("The response signature is invalid");
    }
    if (assertionSignature != null && !validate(assertionSignature)) {
        throw new SAMLException("The assertion signature is invalid");
    }
}

Example 5 with SAMLException

Use of org.opensaml.common.SAMLException in project cloud-pipeline by epam.

From class SAMLProxyFilter, method doFilterInternal:

import static com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS;

import java.io.IOException;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.ListUtils;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.Response;
import com.epam.pipeline.common.MessageConstants;
import com.epam.pipeline.security.ExternalServiceEndpoint;

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // Only requests matching the configured proxy URL pattern are handled here
    if (!urlMatches(request)) {
        filterChain.doFilter(request, response);
        return;
    }
    List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
    if (CollectionUtils.isEmpty(externalServices)) {
        LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
    } else {
        String samlResponse = request.getParameter("SAMLResponse");
        if (StringUtils.isNotBlank(samlResponse)) {
            try {
                // decodeSamlResponse performs no validation; the audience read below is used
                // only to select the external service endpoint the response is addressed to
                Response decoded = CustomSamlClient.decodeSamlResponse(samlResponse);
                // First audience URI of the first audience restriction of the first assertion,
                // or the empty string when any link in that chain is missing
                String audience = ListUtils.emptyIfNull(decoded.getAssertions()).stream()
                        .findFirst()
                        .map(Assertion::getConditions)
                        .map(conditions -> ListUtils.emptyIfNull(conditions.getAudienceRestrictions()).stream().findFirst())
                        .flatMap(Function.identity())
                        .map(audienceRestriction -> ListUtils.emptyIfNull(audienceRestriction.getAudiences()).stream().findFirst())
                        .flatMap(Function.identity())
                        .map(Audience::getAudienceURI)
                        .orElse(StringUtils.EMPTY);
                LOGGER.debug("Received SAMLResponse for audience: {}", audience);
                // An empty audience never matches; otherwise look for an endpoint with that ID
                Optional<ExternalServiceEndpoint> endpointOpt = externalServices.stream()
                        .filter(e -> !StringUtils.EMPTY.equals(audience) && e.getEndpointId().equals(audience))
                        .findFirst();
                if (endpointOpt.isPresent()) {
                    // authenticate(...) (not shown) handles the response for the matched endpoint
                    authenticate(samlResponse, decoded, audience, endpointOpt.get());
                }
            } catch (SAMLException e) {
                LOGGER.warn(e.getMessage(), e);
            }
        }
    }
    filterChain.doFilter(request, response);
}
