Example 16 with XMLObject
use of org.opensaml.core.xml.XMLObject in project ddf by codice.
the class SimpleSignTest method testForceSign.
@Test
public void testForceSign() throws Exception {
Document responseDoc = StaxUtils.read(new ByteArrayInputStream(cannedResponse.getBytes()));
XMLObject responseXmlObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
org.opensaml.saml.saml2.core.Response response = (org.opensaml.saml.saml2.core.Response) responseXmlObject;
response = simpleSign.forceSignSamlObject(response);
simpleSign.validateSignature(response.getSignature(), response.getDOM().getOwnerDocument());
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
XMLObject(org.opensaml.core.xml.XMLObject)
Document(org.w3c.dom.Document)
Test(org.junit.Test)
Example 17 with XMLObject
use of org.opensaml.core.xml.XMLObject in project ddf by codice.
the class LogoutMessageImpl method sendSamlLogoutRequest.
@Override
public String sendSamlLogoutRequest(LogoutWrapper request, String targetUri, boolean isSoap, @Nullable Cookie cookie) throws IOException, LogoutSecurityException {
XMLObject xmlObject = isSoap ? SamlProtocol.createSoapMessage((SignableSAMLObject) request.getMessage()) : (XMLObject) request;
Element requestElement = getElementFromSaml(new LogoutWrapperImpl(xmlObject));
String requestMessage = DOM2Writer.nodeToString(requestElement);
try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
HttpPost post = new HttpPost(targetUri);
post.addHeader("Cache-Control", "no-cache, no-store");
post.addHeader("Pragma", "no-cache");
post.addHeader("SOAPAction", SAML_SOAP_ACTION);
post.addHeader("Content-Type", "application/soap+xml");
post.setEntity(new StringEntity(requestMessage, "utf-8"));
ResponseHandler<String> responseHandler = new BasicResponseHandler();
BasicHttpContext context = new BasicHttpContext();
if (cookie != null) {
BasicClientCookie basicClientCookie = new BasicClientCookie(cookie.getName(), cookie.getValue());
basicClientCookie.setDomain(cookie.getDomain());
basicClientCookie.setPath(cookie.getPath());
BasicCookieStore cookieStore = new BasicCookieStore();
cookieStore.addCookie(basicClientCookie);
context.setAttribute(HttpClientContext.COOKIE_STORE, cookieStore);
}
return httpClient.execute(post, responseHandler, context);
}
}
Also used :
CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient)
HttpPost(org.apache.http.client.methods.HttpPost)
BasicHttpContext(org.apache.http.protocol.BasicHttpContext)
Element(org.w3c.dom.Element)
BasicResponseHandler(org.apache.http.impl.client.BasicResponseHandler)
XMLObject(org.opensaml.core.xml.XMLObject)
BasicClientCookie(org.apache.http.impl.cookie.BasicClientCookie)
StringEntity(org.apache.http.entity.StringEntity)
BasicCookieStore(org.apache.http.impl.client.BasicCookieStore)
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
Example 18 with XMLObject
use of org.opensaml.core.xml.XMLObject in project ddf by codice.
the class LogoutMessageImpl method extractXmlObject.
@Override
public LogoutWrapper<SignableSAMLObject> extractXmlObject(String samlLogoutResponse) throws LogoutSecurityException, XMLStreamException {
try {
Document responseDoc = StaxUtils.read(new ByteArrayInputStream(samlLogoutResponse.getBytes(StandardCharsets.UTF_8)));
XMLObject xmlObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
if (xmlObject instanceof SignableSAMLObject) {
return new LogoutWrapperImpl<>((SignableSAMLObject) xmlObject);
}
return null;
} catch (WSSecurityException e) {
throw new LogoutSecurityException(e);
}
}
Also used :
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
ByteArrayInputStream(java.io.ByteArrayInputStream)
XMLObject(org.opensaml.core.xml.XMLObject)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
LogoutSecurityException(ddf.security.samlp.LogoutSecurityException)
Example 19 with XMLObject
use of org.opensaml.core.xml.XMLObject in project ddf by codice.
the class LogoutMessageImpl method extractResponse.
private LogoutWrapper<LogoutResponse> extractResponse(String samlObject) throws LogoutSecurityException, XMLStreamException {
try {
Document responseDoc = StaxUtils.read(new ByteArrayInputStream(samlObject.getBytes(StandardCharsets.UTF_8)));
XMLObject responseXmlObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
if (LogoutResponse.class.isAssignableFrom(responseXmlObject.getClass())) {
return new LogoutWrapperImpl<>((LogoutResponse) responseXmlObject);
}
return null;
} catch (WSSecurityException e) {
throw new LogoutSecurityException(e);
}
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
XMLObject(org.opensaml.core.xml.XMLObject)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
LogoutSecurityException(ddf.security.samlp.LogoutSecurityException)
Example 20 with XMLObject
use of org.opensaml.core.xml.XMLObject in project ddf by codice.
the class PaosInInterceptor method handleMessage.
@Override
public void handleMessage(Message message) throws Fault {
List authHeader = (List) ((Map) message.getExchange().getOutMessage().get(Message.PROTOCOL_HEADERS)).get("Authorization");
String authorization = null;
if (authHeader != null && authHeader.size() > 0) {
authorization = (String) authHeader.get(0);
}
InputStream content = message.getContent(InputStream.class);
String contentType = (String) message.get(Message.CONTENT_TYPE);
if (contentType == null || !contentType.contains(APPLICATION_VND_PAOS_XML)) {
return;
}
try {
SOAPPart soapMessage = SamlProtocol.parseSoapMessage(IOUtils.toString(content, StandardCharsets.UTF_8));
Iterator iterator = soapMessage.getEnvelope().getHeader().examineAllHeaderElements();
IDPEntry idpEntry = null;
String relayState = "";
String responseConsumerURL = "";
String messageId = "";
while (iterator.hasNext()) {
Element soapHeaderElement = (SOAPHeaderElement) iterator.next();
if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
relayState = DOM2Writer.nodeToString(soapHeaderElement);
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_OASIS_NAMES_TC_SAML_2_0_PROFILES_SSO_ECP)) {
try {
soapHeaderElement = SamlProtocol.convertDomImplementation(soapHeaderElement);
Request ecpRequest = (Request) OpenSAMLUtil.fromDom(soapHeaderElement);
IDPList idpList = ecpRequest.getIDPList();
if (idpList == null) {
throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
}
List<IDPEntry> idpEntrys = idpList.getIDPEntrys();
if (idpEntrys == null || idpEntrys.size() == 0) {
throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
}
// choose the right entry, probably need to do something better than select the first
// one
// but the spec doesn't specify how this is supposed to be done
idpEntry = idpEntrys.get(0);
} catch (WSSecurityException e) {
// TODO figure out IdP alternatively
LOGGER.info("Unable to determine IdP appropriately. ECP connection will fail. SP may be incorrectly configured. Contact the administrator for the remote system.");
}
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_LIBERTY_PAOS_2003_08)) {
responseConsumerURL = soapHeaderElement.getAttribute(RESPONSE_CONSUMER_URL);
messageId = soapHeaderElement.getAttribute(MESSAGE_ID);
}
}
if (idpEntry == null) {
throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
}
String token = createToken(authorization);
checkAuthnRequest(soapMessage);
Element authnRequestElement = SamlProtocol.getDomElement(soapMessage.getEnvelope().getBody().getFirstChild());
String loc = idpEntry.getLoc();
String soapRequest = buildSoapMessage(token, relayState, authnRequestElement, null);
HttpResponseWrapper httpResponse = getHttpResponse(loc, soapRequest, null);
InputStream httpResponseContent = httpResponse.content;
SOAPPart idpSoapResponse = SamlProtocol.parseSoapMessage(IOUtils.toString(httpResponseContent, StandardCharsets.UTF_8));
Iterator responseHeaderElements = idpSoapResponse.getEnvelope().getHeader().examineAllHeaderElements();
String newRelayState = "";
while (responseHeaderElements.hasNext()) {
SOAPHeaderElement soapHeaderElement = (SOAPHeaderElement) responseHeaderElements.next();
if (RESPONSE.equals(soapHeaderElement.getLocalName())) {
String assertionConsumerServiceURL = soapHeaderElement.getAttribute(ASSERTION_CONSUMER_SERVICE_URL);
if (!responseConsumerURL.equals(assertionConsumerServiceURL)) {
String soapFault = buildSoapFault(ECP_RESPONSE, "The responseConsumerURL does not match the assertionConsumerServiceURL.");
httpResponse = getHttpResponse(responseConsumerURL, soapFault, null);
message.setContent(InputStream.class, httpResponse.content);
return;
}
} else if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
newRelayState = DOM2Writer.nodeToString(soapHeaderElement);
if (StringUtils.isNotEmpty(relayState) && !relayState.equals(newRelayState)) {
LOGGER.debug("RelayState does not match between ECP request and response");
}
if (StringUtils.isNotEmpty(relayState)) {
newRelayState = relayState;
}
}
}
checkSamlpResponse(idpSoapResponse);
Element samlpResponseElement = SamlProtocol.getDomElement(idpSoapResponse.getEnvelope().getBody().getFirstChild());
XMLObject paosResponse = null;
if (StringUtils.isNotEmpty(messageId)) {
paosResponse = getPaosResponse(messageId);
}
String soapResponse = buildSoapMessage(null, newRelayState, samlpResponseElement, paosResponse);
httpResponse = getHttpResponse(responseConsumerURL, soapResponse, message.getExchange().getOutMessage());
if (httpResponse.statusCode < 400) {
httpResponseContent = httpResponse.content;
message.setContent(InputStream.class, httpResponseContent);
Map<String, List<String>> headers = new HashMap<>();
message.put(Message.PROTOCOL_HEADERS, headers);
httpResponse.headers.forEach((entry) -> headers.put(entry.getKey(), // CXF Expects pairs of <String, List<String>>
entry.getValue() instanceof List ? ((List<Object>) entry.getValue()).stream().map(String::valueOf).collect(Collectors.toList()) : Lists.newArrayList(String.valueOf(entry.getValue()))));
} else {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection due to an error."));
}
} catch (IOException e) {
LOGGER.debug("Error encountered while performing ECP handshake.", e);
} catch (XMLStreamException | SOAPException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. The server's response was not in the correct format."));
} catch (WSSecurityException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to send SOAP request messages."));
}
}
Also used :
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
HashMap(java.util.HashMap)
InputStream(java.io.InputStream)
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
Element(org.w3c.dom.Element)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Request(org.opensaml.saml.saml2.ecp.Request)
HttpRequest(com.google.api.client.http.HttpRequest)
IDPList(org.opensaml.saml.saml2.core.IDPList)
XMLObject(org.opensaml.core.xml.XMLObject)
Fault(org.apache.cxf.interceptor.Fault)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
XMLStreamException(javax.xml.stream.XMLStreamException)
SOAPException(javax.xml.soap.SOAPException)
SOAPPart(javax.xml.soap.SOAPPart)
Iterator(java.util.Iterator)
IDPList(org.opensaml.saml.saml2.core.IDPList)
List(java.util.List)
XMLObject(org.opensaml.core.xml.XMLObject)
IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)
Aggregations
XMLObject (org.opensaml.core.xml.XMLObject)68
Element (org.w3c.dom.Element)27
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)21
Document (org.w3c.dom.Document)21
ByteArrayInputStream (java.io.ByteArrayInputStream)19
Attribute (org.opensaml.saml.saml2.core.Attribute)14
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)10
IOException (java.io.IOException)9
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)9
ArrayList (java.util.ArrayList)8
Test (org.junit.Test)8
XSString (org.opensaml.core.xml.schema.XSString)7
Assertion (org.opensaml.saml.saml2.core.Assertion)7
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)7
HashMap (java.util.HashMap)6
List (java.util.List)6
XMLStreamException (javax.xml.stream.XMLStreamException)6
InputStream (java.io.InputStream)5
InputStreamReader (java.io.InputStreamReader)5
LogoutSecurityException (ddf.security.samlp.LogoutSecurityException)4
