
Example 26 with XMLObject

use of org.opensaml.core.xml.XMLObject in project cxf by apache.

the class SAMLProviderActAsTest method testSAML2ActAsUsernameTokenClaims.

/**
 * Issues a SAML 2.0 bearer token that "ActAs" a UsernameToken for "bob" while
 * also requesting claims, then checks that the ActAs attribute, the token id and
 * the requested claims all appear in the issued assertion.
 */
@org.junit.Test
public void testSAML2ActAsUsernameTokenClaims() throws Exception {
    TokenProvider provider = new SAMLTokenProvider();

    // Build the ActAs UsernameToken for "bob"
    AttributedString actAsName = new AttributedString();
    actAsName.setValue("bob");
    UsernameTokenType actAsToken = new UsernameTokenType();
    actAsToken.setUsername(actAsName);
    JAXBElement<UsernameTokenType> actAsElement =
        new JAXBElement<UsernameTokenType>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, actAsToken);

    TokenProviderParameters params = createProviderParameters(
        WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, actAsElement);
    // The ActAs ReceivedToken is only honoured once it carries a principal
    params.getTokenRequirements().getActAs().setPrincipal(new CustomTokenPrincipal(actAsName.getValue()));

    // Wire up a single custom ClaimsHandler and request the claims it serves
    ClaimsHandler handler = new CustomClaimsHandler();
    ClaimsManager manager = new ClaimsManager();
    manager.setClaimHandlers(Collections.singletonList(handler));
    params.setClaimsManager(manager);
    ClaimCollection requested = createClaims();
    params.setRequestedPrimaryClaims(requested);

    assertTrue(provider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);

    // The issued Subject is the technical user; "bob" must show up as an ActAs attribute value
    Element issued = (Element) response.getToken();
    SamlAssertionWrapper wrapper = new SamlAssertionWrapper(issued);
    Assert.assertEquals("technical-user", wrapper.getSubjectName());

    boolean actAsSeen = false;
    for (org.opensaml.saml.saml2.core.AttributeStatement statement : wrapper.getSaml2().getAttributeStatements()) {
        for (org.opensaml.saml.saml2.core.Attribute attr : statement.getAttributes()) {
            if (!"ActAs".equals(attr.getName())) {
                continue;
            }
            for (XMLObject value : attr.getAttributeValues()) {
                String valueText = value.getDOM().getTextContent();
                if (valueText.contains("bob")) {
                    actAsSeen = true;
                    break;
                }
            }
        }
    }
    assertTrue(actAsSeen);

    // The token id and the requested claims must be serialised into the assertion
    String serialised = DOM2Writer.nodeToString(issued);
    assertTrue(serialised.contains(response.getTokenId()));
    assertTrue(serialised.contains(ClaimTypes.EMAILADDRESS.toString()));
    assertTrue(serialised.contains(ClaimTypes.FIRSTNAME.toString()));
    assertTrue(serialised.contains(ClaimTypes.LASTNAME.toString()));
}

Example 27 with XMLObject

use of org.opensaml.core.xml.XMLObject in project cxf by apache.

the class SAMLProviderActAsTest method testDefaultSaml2ActAsAssertion.

/**
 * Create a default Saml2 Bearer Assertion with ActAs from a SAML Assertion.
 * The assertion returned by getSAMLAssertion() is the ActAs token; the issued
 * SAML 2.0 assertion must name the technical user as its Subject and carry
 * "bob" in an "ActAs" attribute value.
 */
@org.junit.Test
public void testDefaultSaml2ActAsAssertion() throws Exception {
    TokenProvider provider = new SAMLTokenProvider();
    String delegate = "bob";
    Element receivedAssertion = getSAMLAssertion();
    TokenProviderParameters params = createProviderParameters(
        WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, receivedAssertion);
    // The ActAs ReceivedToken is only honoured once it carries a principal
    params.getTokenRequirements().getActAs().setPrincipal(new CustomTokenPrincipal(delegate));

    assertTrue(provider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);

    // Verify the issued token
    Element issued = (Element) response.getToken();
    SamlAssertionWrapper wrapper = new SamlAssertionWrapper(issued);
    Assert.assertEquals("technical-user", wrapper.getSubjectName());

    boolean delegateSeen = false;
    for (org.opensaml.saml.saml2.core.AttributeStatement statement : wrapper.getSaml2().getAttributeStatements()) {
        for (org.opensaml.saml.saml2.core.Attribute attr : statement.getAttributes()) {
            if (!"ActAs".equals(attr.getName())) {
                continue;
            }
            for (XMLObject value : attr.getAttributeValues()) {
                String valueText = value.getDOM().getTextContent();
                if (valueText.contains("bob")) {
                    delegateSeen = true;
                    break;
                }
            }
        }
    }
    assertTrue(delegateSeen);
}

Example 28 with XMLObject

use of org.opensaml.core.xml.XMLObject in project cxf by apache.

the class SAMLProviderActAsTest method testIncludeOtherActAsAttributesInTheToken.

/**
 * Issues a SAML 1.1 token that "ActAs" a UsernameToken for "bob", then issues a
 * SAML 2.0 token for "service-A" that "ActAs" that first token. The second
 * assertion must carry both "bob" and "technical-user" as ActAs values, i.e. the
 * delegation chain held by the received token is copied into the new one.
 */
@org.junit.Test
public void testIncludeOtherActAsAttributesInTheToken() throws Exception {
    TokenProvider provider = new SAMLTokenProvider();

    // Step 1: SAML 1.1 token, ActAs = UsernameToken "bob"
    AttributedString actAsName = new AttributedString();
    actAsName.setValue("bob");
    UsernameTokenType actAsToken = new UsernameTokenType();
    actAsToken.setUsername(actAsName);
    JAXBElement<UsernameTokenType> actAsElement =
        new JAXBElement<UsernameTokenType>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, actAsToken);
    TokenProviderParameters firstParams = createProviderParameters(
        WSS4JConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, actAsElement);
    // The ActAs ReceivedToken is only honoured once it carries a principal
    firstParams.getTokenRequirements().getActAs().setPrincipal(new CustomTokenPrincipal(actAsName.getValue()));

    assertTrue(provider.canHandleToken(WSS4JConstants.WSS_SAML_TOKEN_TYPE));
    TokenProviderResponse firstResponse = provider.createToken(firstParams);
    assertNotNull(firstResponse);
    assertTrue(firstResponse.getToken() != null && firstResponse.getTokenId() != null);

    Element firstToken = (Element) firstResponse.getToken();
    SamlAssertionWrapper firstWrapper = new SamlAssertionWrapper(firstToken);
    Assert.assertEquals("technical-user", firstWrapper.getSubjectName());

    boolean bobInFirst = false;
    for (org.opensaml.saml.saml1.core.AttributeStatement statement : firstWrapper.getSaml1().getAttributeStatements()) {
        for (org.opensaml.saml.saml1.core.Attribute attr : statement.getAttributes()) {
            // SAML 1.1 attributes expose the name via getAttributeName()
            if (!"ActAs".equals(attr.getAttributeName())) {
                continue;
            }
            for (XMLObject value : attr.getAttributeValues()) {
                String valueText = value.getDOM().getTextContent();
                if (valueText.contains("bob")) {
                    bobInFirst = true;
                    break;
                }
            }
        }
    }
    assertTrue(bobInFirst);

    // Step 2: SAML 2.0 token for "service-A", ActAs = the token issued in step 1
    TokenProviderParameters secondParams = createProviderParameters(
        WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, firstToken);
    // Principal must be set in ReceivedToken/ActAs
    secondParams.getTokenRequirements().getActAs().setPrincipal(new CustomTokenPrincipal("service-A"));
    secondParams.setPrincipal(new CustomTokenPrincipal("service-A"));

    assertTrue(provider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
    TokenProviderResponse secondResponse = provider.createToken(secondParams);
    assertNotNull(secondResponse);
    assertTrue(secondResponse.getToken() != null && secondResponse.getTokenId() != null);

    Element secondToken = (Element) secondResponse.getToken();
    SamlAssertionWrapper secondWrapper = new SamlAssertionWrapper(secondToken);
    Assert.assertEquals("service-A", secondWrapper.getSubjectName());

    // Both the original delegate and the step-1 subject must be carried forward
    boolean bobInSecond = false;
    boolean technicalInSecond = false;
    for (org.opensaml.saml.saml2.core.AttributeStatement statement : secondWrapper.getSaml2().getAttributeStatements()) {
        for (org.opensaml.saml.saml2.core.Attribute attr : statement.getAttributes()) {
            if (!"ActAs".equals(attr.getName())) {
                continue;
            }
            for (XMLObject value : attr.getAttributeValues()) {
                String valueText = value.getDOM().getTextContent();
                if (valueText.contains("bob")) {
                    bobInSecond = true;
                } else if (valueText.contains("technical-user")) {
                    technicalInSecond = true;
                }
            }
        }
    }
    assertTrue(bobInSecond);
    assertTrue(technicalInSecond);
}

Example 29 with XMLObject

use of org.opensaml.core.xml.XMLObject in project cxf by apache.

the class ActAsAttributeStatementProvider method handleAdditionalParameters.

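/**
 * Handle an ActAs element.
 *
 * Builds the "ActAs" attribute for the assertion being issued. For a
 * UsernameToken the username is the only value. For a SAML assertion the value
 * is that assertion's principal name, followed by every "ActAs" value the
 * received assertion already carried, so a delegation chain survives
 * re-issuance. Any other parameter type yields an attribute with no values.
 *
 * @param parameter the ActAs token: a {@link UsernameTokenType} or the DOM
 *                  {@link Element} of a SAML assertion
 * @param tokenType the requested token type; SAML 1.1 and SAML 2.0 name the
 *                  attribute differently
 * @return the populated attribute bean
 * @throws WSSecurityException if the SAML assertion element cannot be parsed
 */
private AttributeBean handleAdditionalParameters(Object parameter, String tokenType) throws WSSecurityException {
    AttributeBean parameterBean = new AttributeBean();
    String claimType = "ActAs";
    // SAML 1.1 uses (simple name, namespace); SAML 2.0 uses (name, name format)
    if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
        parameterBean.setSimpleName(claimType);
        parameterBean.setQualifiedName("http://cxf.apache.org/sts");
    } else {
        parameterBean.setQualifiedName(claimType);
        parameterBean.setNameFormat("http://cxf.apache.org/sts");
    }
    if (parameter instanceof UsernameTokenType) {
        parameterBean.addAttributeValue(((UsernameTokenType) parameter).getUsername().getValue());
    } else if (parameter instanceof Element) {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper((Element) parameter);
        SAMLTokenPrincipal principal = new SAMLTokenPrincipalImpl(wrapper);
        parameterBean.addAttributeValue(principal.getName());
        // Carry forward any ActAs values the received assertion already holds.
        // These are copied verbatim; trust in them rests on the validation the
        // received assertion went through before reaching this provider.
        if (wrapper.getSaml2() != null) {
            addSaml2ActAsValues(wrapper.getSaml2(), claimType, parameterBean);
        } else if (wrapper.getSaml1() != null) {
            addSaml1ActAsValues(wrapper.getSaml1(), claimType, parameterBean);
        }
    }
    return parameterBean;
}

/**
 * Copies the text of every SAML 2.0 attribute value named {@code attributeName}
 * into {@code target}.
 */
private static void addSaml2ActAsValues(org.opensaml.saml.saml2.core.Assertion assertion,
                                        String attributeName, AttributeBean target) {
    for (org.opensaml.saml.saml2.core.AttributeStatement statement : assertion.getAttributeStatements()) {
        for (org.opensaml.saml.saml2.core.Attribute attribute : statement.getAttributes()) {
            if (attributeName.equals(attribute.getName())) {
                addAttributeValueText(attribute.getAttributeValues(), target);
            }
        }
    }
}

/**
 * SAML 1.1 counterpart of {@link #addSaml2ActAsValues}; SAML 1.1 attributes
 * expose the name via {@code getAttributeName()} rather than {@code getName()}.
 */
private static void addSaml1ActAsValues(org.opensaml.saml.saml1.core.Assertion assertion,
                                        String attributeName, AttributeBean target) {
    for (org.opensaml.saml.saml1.core.AttributeStatement statement : assertion.getAttributeStatements()) {
        for (org.opensaml.saml.saml1.core.Attribute attribute : statement.getAttributes()) {
            if (attributeName.equals(attribute.getAttributeName())) {
                addAttributeValueText(attribute.getAttributeValues(), target);
            }
        }
    }
}

/**
 * Adds the text content of each value's DOM element to {@code target}. A value
 * without a DOM representation (getDOM() returns null for an XMLObject that was
 * never marshalled) is skipped instead of causing a NullPointerException.
 */
private static void addAttributeValueText(Iterable<XMLObject> values, AttributeBean target) {
    for (XMLObject value : values) {
        Element dom = value.getDOM();
        if (dom == null) {
            continue;
        }
        target.addAttributeValue(dom.getTextContent());
    }
}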

Example 30 with XMLObject

use of org.opensaml.core.xml.XMLObject in project cxf by apache.

the class ActAsValidator method validate.

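/**
 * Validates a received SAML 2.0 assertion used for ActAs delegation.
 *
 * After the superclass validation succeeds, the assertion must be SAML 2.0,
 * its Subject NameID must contain "www.client.com" (the technical user), and
 * at least one "ActAs" or "CustomActAs" attribute value must contain "alice"
 * or "bob". Every rejection uses the same generic error so a caller cannot
 * tell which check failed.
 *
 * NOTE(review): the identity checks are substring matches, so e.g. "bobby" or
 * "www.client.com.example" would also pass; presumably this is a test fixture.
 * If it guards production traffic, compare with equals() instead.
 *
 * @param credential the credential to validate
 * @param data       the request data, passed through to the superclass
 * @return the credential returned by the superclass once every check passes
 * @throws WSSecurityException if the superclass rejects the credential, the
 *                             credential carries no SAML 2.0 assertion, or any
 *                             check above fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    // A credential with no SAML assertion is rejected cleanly rather than with an NPE
    Assertion saml2Assertion = assertion == null ? null : assertion.getSaml2();
    if (saml2Assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // The technical user should be in the Subject
    Subject subject = saml2Assertion.getSubject();
    if (subject == null || subject.getNameID() == null
        || subject.getNameID().getValue() == null
        || !subject.getNameID().getValue().contains("www.client.com")) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    for (AttributeStatement statement : attributeStatements) {
        List<Attribute> attributes = statement.getAttributes();
        for (Attribute attribute : attributes) {
            if (!"CustomActAs".equals(attribute.getName()) && !"ActAs".equals(attribute.getName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                // getDOM() is null for an XMLObject that was never marshalled; such a
                // value cannot satisfy the check, so it is skipped rather than dereferenced
                Element attributeValueElement = attributeValue.getDOM();
                if (attributeValueElement == null) {
                    continue;
                }
                String text = attributeValueElement.getTextContent();
                if (text.contains("alice") || text.contains("bob")) {
                    return validatedCredential;
                }
            }
        }
    }
    // Fail closed: no acceptable ActAs value was found
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}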
