
Example 1 with ProtocolCriterion

use of org.opensaml.saml.criterion.ProtocolCriterion in project cas by apereo.

the class WsFederationHelper method validateSignature.

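/**
 * validateSignature checks to see if the signature on an assertion is valid.
 * <p>
 * Validation is two-staged and fails closed. The signature is first checked against the
 * SAML signature profile by {@link SAMLSignatureProfileValidator}; only then is its value
 * verified by the trust engine built from {@code wsFederationConfiguration}, with the
 * criteria pinned to the configured identity provider. A missing assertion, a missing
 * configuration, an unsigned assertion, a profile violation, a trust-engine error or an
 * untrusted signing key all yield {@code false}.
 *
 * @param assertion                 a provided assertion
 * @param wsFederationConfiguration WS-Fed configuration provided.
 * @return true if the assertion's signature is valid, otherwise false
 */
public boolean validateSignature(final Assertion assertion, final WsFederationConfiguration wsFederationConfiguration) {
    if (assertion == null) {
        LOGGER.warn("No assertion was provided to validate signatures");
        return false;
    }
    if (wsFederationConfiguration == null) {
        // Without the configuration no trust engine can be built. Reject explicitly instead of
        // letting getIdentityProviderIdentifier() throw a NullPointerException inside the try
        // block below, which neither catch clause would handle.
        LOGGER.warn("No WS-Federation configuration was provided to validate signatures");
        return false;
    }
    boolean valid = false;
    if (assertion.getSignature() == null) {
        // An unsigned assertion is never accepted; say so rather than failing silently.
        LOGGER.warn("No signature is attached to the assertion to validate");
    } else {
        final SignaturePrevalidator validator = new SAMLSignatureProfileValidator();
        try {
            // Stage 1: structural checks of the ds:Signature element against the SAML
            // signature profile, before any key material is consulted.
            validator.validate(assertion.getSignature());
            // Stage 2: resolve a signing credential for the configured IdP acting in the
            // IdP SSO role. EntityIdCriterion pins the lookup to that issuer so a key
            // belonging to some other entity cannot satisfy the check.
            final CriteriaSet criteriaSet = new CriteriaSet();
            criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
            criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
            criteriaSet.add(new EntityIdCriterion(wsFederationConfiguration.getIdentityProviderIdentifier()));
            try {
                final SignatureTrustEngine engine = buildSignatureTrustEngine(wsFederationConfiguration);
                valid = engine.validate(assertion.getSignature(), criteriaSet);
            } catch (final SecurityException e) {
                LOGGER.warn(e.getMessage(), e);
            } finally {
                if (!valid) {
                    LOGGER.warn("Signature doesn't match any signing credential.");
                }
            }
        } catch (final SignatureException e) {
            LOGGER.warn("Failed to validate assertion signature", e);
        }
    }
    // The full assertion is logged regardless of outcome; keep the log level of this
    // call in mind if assertions may carry sensitive attributes.
    SamlUtils.logSamlObject(this.configBean, assertion);
    return valid;
}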

Example 2 with ProtocolCriterion

use of org.opensaml.saml.criterion.ProtocolCriterion in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method validateSignature.

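/**
 * Validate the given digital signature by checking its profile and value.
 * <p>
 * This method fails closed: every failure path throws
 * {@link SAMLSignatureValidationException} — a missing signature, a SAML
 * signature-profile violation, an error raised by the trust engine, or a signature
 * that no trusted signing credential of the given IdP verifies. Returning normally
 * means the signature is both well-formed and trusted.
 *
 * @param signature   the signature
 * @param idpEntityId the idp entity id
 * @param trustEngine the trust engine
 * @throws SAMLSignatureValidationException if the signature is absent, malformed,
 *                                          untrusted, or cannot be evaluated
 */
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
    if (signature == null) {
        // Reject an unsigned message with the domain exception rather than relying on
        // how the profile validator happens to treat a null argument.
        throw new SAMLSignatureValidationException("No signature was provided to validate");
    }
    // Stage 1: structural checks of the ds:Signature element against the SAML profile.
    final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    try {
        validator.validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
    }
    // Stage 2: the signing credential must resolve for this IdP, in the IdP SSO role,
    // with signing usage. EntityIdCriterion pins the lookup to the expected issuer.
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
    criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
    criteriaSet.add(new EntityIdCriterion(idpEntityId));
    final boolean valid;
    try {
        valid = trustEngine.validate(signature, criteriaSet);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }
    if (!valid) {
        throw new SAMLSignatureValidationException("Signature is not trusted");
    }
}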

Example 3 with ProtocolCriterion

use of org.opensaml.saml.criterion.ProtocolCriterion in project pac4j by pac4j.

the class SAML2LogoutResponseValidator method validateSignature.

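/**
 * Validate the given digital signature by checking its profile and value.
 * <p>
 * Fails closed. The signature must (1) be present, (2) satisfy the SAML signature
 * profile and (3) verify under a signing credential the trust engine resolves for
 * {@code idpEntityId} in the IdP SSO role. Any failure, including an error inside
 * the trust engine, is reported as {@link SAMLSignatureValidationException}.
 *
 * @param signature the signature
 * @param idpEntityId the idp entity id
 * @param trustEngine the trust engine
 * @throws SAMLSignatureValidationException if the signature is absent, violates the
 *                                          profile, is untrusted, or cannot be evaluated
 */
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
    if (signature == null) {
        // An unsigned logout response is rejected explicitly, with the domain exception,
        // instead of depending on the profile validator's treatment of a null argument.
        throw new SAMLSignatureValidationException("No signature was provided to validate");
    }
    final SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    try {
        // Structural checks first; no key material is consulted here.
        profileValidator.validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
    }
    // Pin credential resolution to the expected issuer, role and key usage.
    final CriteriaSet criteria = new CriteriaSet();
    criteria.add(new UsageCriterion(UsageType.SIGNING));
    criteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteria.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
    criteria.add(new EntityIdCriterion(idpEntityId));
    final boolean trusted;
    try {
        trusted = trustEngine.validate(signature, criteria);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }
    if (!trusted) {
        throw new SAMLSignatureValidationException("Signature is not trusted");
    }
}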

Example 4 with ProtocolCriterion

use of org.opensaml.saml.criterion.ProtocolCriterion in project cas by apereo.

the class WsFederationHelper method validateSignature.

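/**
 * validateSignature checks to see if the signature on an assertion is valid.
 * <p>
 * Fails closed: a missing pair, assertion, configuration or signature, a SAML
 * signature-profile violation, any exception from the trust engine, and a signature
 * that no trusted credential of the configured IdP verifies all yield {@code false}.
 * Every rejection is logged; an untrusted-but-well-formed signature previously fell
 * through {@code return engine.validate(...)} without any log line, which made such
 * rejections invisible in operations.
 *
 * @param resultPair a provided assertion together with the WS-Fed configuration to validate it against
 * @return true if the assertion's signature is valid, otherwise false
 */
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
    if (resultPair == null) {
        LOGGER.warn("No assertion or its configuration was provided to validate signatures");
        return false;
    }
    val configuration = resultPair.getValue();
    val assertion = resultPair.getKey();
    if (assertion == null || configuration == null) {
        LOGGER.warn("No signature or configuration was provided to validate signatures");
        return false;
    }
    val signature = assertion.getSignature();
    if (signature == null) {
        LOGGER.warn("No signature is attached to the assertion to validate");
        return false;
    }
    boolean trusted = false;
    try {
        LOGGER.debug("Validating the signature...");
        // Stage 1: structural checks against the SAML signature profile, before any
        // key material is consulted.
        val validator = new SAMLSignatureProfileValidator();
        validator.validate(signature);
        // Stage 2: resolve a signing credential for the configured IdP in the IdP SSO
        // role; EntityIdCriterion pins the lookup to that issuer.
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
        criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));
        val engine = buildSignatureTrustEngine(configuration);
        LOGGER.debug("Validating signature via trust engine for [{}]", configuration.getIdentityProviderIdentifier());
        trusted = engine.validate(signature, criteriaSet);
    } catch (final Exception e) {
        // Boundary catch: profile and trust-engine failures, as well as anything
        // unexpected from building the engine, are all treated as "not valid".
        LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
    }
    if (!trusted) {
        // Reached both when the engine returned false and when an exception occurred.
        // The assertion is logged in full here; mind the log level if it may carry
        // sensitive attributes.
        SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
        LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
    }
    return trusted;
}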
