Use of `org.opensaml.saml.saml1.core.Audience` in the Apereo CAS project.
Class `AbstractSaml20ObjectBuilder`, method `newConditions`. (Note: the snippet below calls `setAudienceURI(...)` and `getAudienceRestrictions()`, which are the SAML 2 `Audience`/`Conditions` API; the SAML 1 `Audience` type exposes `setUri(...)`, as used in the `Saml10ObjectBuilder` snippet further down. The aggregator's SAML 1 label for this snippet is therefore questionable.)
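/**
 * Builds a SAML 2 {@code Conditions} element carrying a validity window and a single
 * {@code AudienceRestriction} that lists every supplied audience.
 * <p>
 * The validity window is copied verbatim from the arguments; no clock-skew allowance is
 * added here, so callers wanting tolerance for relying-party clock drift must widen
 * {@code notBefore}/{@code notOnOrAfter} themselves. All audiences go into ONE
 * {@code AudienceRestriction}; under SAML 2.0 Core §2.5.1.4 the audiences within a single
 * restriction are ORed, so the assertion is acceptable to any one of them.
 *
 * @param notBefore    earliest instant at which the assertion is valid
 * @param notOnOrAfter instant at which the assertion stops being valid
 * @param audienceUri  one or more audience (service / entity) identifiers; at least one
 *                     non-blank entry is required
 * @return the populated conditions element
 * @throws IllegalArgumentException if no audience is supplied, or an entry is {@code null}
 *                                  or blank — an {@code AudienceRestriction} without a usable
 *                                  {@code Audience} child is schema-invalid and would
 *                                  otherwise be emitted silently
 */
public Conditions newConditions(final ZonedDateTime notBefore, final ZonedDateTime notOnOrAfter, final String... audienceUri) {
    // Fail fast instead of producing an AudienceRestriction with no Audience children.
    if (audienceUri == null || audienceUri.length == 0) {
        throw new IllegalArgumentException("At least one audience URI is required to build an AudienceRestriction");
    }
    LOGGER.debug("Building conditions for audience [{}] that enforce not-before [{}] and not-after [{}]", audienceUri, notBefore, notOnOrAfter);
    final Conditions conditions = newSamlObject(Conditions.class);
    conditions.setNotBefore(DateTimeUtils.dateTimeOf(notBefore));
    conditions.setNotOnOrAfter(DateTimeUtils.dateTimeOf(notOnOrAfter));
    final AudienceRestriction audienceRestriction = newSamlObject(AudienceRestriction.class);
    for (final String audienceEntry : audienceUri) {
        if (audienceEntry == null || audienceEntry.trim().isEmpty()) {
            throw new IllegalArgumentException("Audience URI entries must be non-blank");
        }
        final Audience audience = newSamlObject(Audience.class);
        audience.setAudienceURI(audienceEntry);
        audienceRestriction.getAudiences().add(audience);
    }
    conditions.getAudienceRestrictions().add(audienceRestriction);
    return conditions;
}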
Use of `org.opensaml.saml.saml1.core.Audience` in the Apereo CAS project.
Class `Saml10ObjectBuilder`, method `newConditions` (SAML 1.x: note the `setUri(...)` and `AudienceRestrictionCondition` API).
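/**
 * Builds a SAML 1.x {@code Conditions} element whose validity window starts at
 * {@code issuedAt} and ends {@code issueLength} seconds later, restricted to one audience.
 * <p>
 * {@code notBefore} is set to exactly {@code issuedAt} with no skew allowance, so a relying
 * party whose clock runs slightly behind the issuer may reject the assertion as
 * not-yet-valid. Callers wanting tolerance must pass an earlier {@code issuedAt}.
 *
 * @param issuedAt    start of the validity window; the end is derived from this instant
 * @param audienceUri the single service/audience identifier; must be non-blank
 * @param issueLength lifetime of the assertion in seconds; must be positive
 * @return the populated conditions element
 * @throws IllegalArgumentException if {@code audienceUri} is {@code null}/blank, or
 *                                  {@code issueLength} is not positive (a zero or negative
 *                                  lifetime yields an assertion that is already expired
 *                                  at its own {@code notBefore})
 */
public Conditions newConditions(final ZonedDateTime issuedAt, final String audienceUri, final long issueLength) {
    if (audienceUri == null || audienceUri.trim().isEmpty()) {
        throw new IllegalArgumentException("An audience URI is required to build an AudienceRestrictionCondition");
    }
    if (issueLength <= 0) {
        throw new IllegalArgumentException("issueLength must be a positive number of seconds, got " + issueLength);
    }
    final Conditions conditions = newSamlObject(Conditions.class);
    conditions.setNotBefore(DateTimeUtils.dateTimeOf(issuedAt));
    // Both bounds are anchored on issuedAt, so the window is exactly issueLength seconds wide.
    conditions.setNotOnOrAfter(DateTimeUtils.dateTimeOf(issuedAt.plus(issueLength, ChronoUnit.SECONDS)));
    final AudienceRestrictionCondition audienceRestriction = newSamlObject(AudienceRestrictionCondition.class);
    final Audience audience = newSamlObject(Audience.class);
    audience.setUri(audienceUri);
    audienceRestriction.getAudiences().add(audience);
    conditions.getAudienceRestrictionConditions().add(audienceRestriction);
    return conditions;
}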
Use of `org.opensaml.saml.saml1.core.Audience` in the Apereo CAS project.
Class `WsFederationHelperTests`, test method `verifyCreateCredentialFromToken`.
/**
 * Round-trips the known-good fixture token through the helper: the token is parsed and
 * verified, converted into a {@link WsFederationCredential}, and every populated field is
 * compared with the values embedded in that fixture.
 * <p>
 * NOTE(review): the fixture's timestamps are from 2014, so this test presumably relies on
 * {@code buildAndVerifyAssertion} not enforcing the validity window against the wall clock
 * under the test configuration — confirm before changing the validation settings.
 */
@Test
public void verifyCreateCredentialFromToken() {
    final String goodResult = testTokens.get(GOOD_TOKEN);
    final Pair<Assertion, WsFederationConfiguration> verified =
        wsFederationHelper.buildAndVerifyAssertion(wsFederationHelper.getRequestSecurityTokenFromResult(goodResult), wsFederationConfigurations);
    final WsFederationCredential actual = wsFederationHelper.createCredentialFromToken(verified.getKey());
    assertNotNull("testCreateCredentialFromToken() - Not Null", actual);

    // Expected values, as they appear inside the GOOD_TOKEN fixture.
    final WsFederationCredential expected = new WsFederationCredential();
    expected.setId("_6257b2bf-7361-4081-ae1f-ec58d4310f61");
    expected.setIssuer("http://adfs.example.com/adfs/services/trust");
    expected.setAudience("urn:federation:cas");
    expected.setIssuedOn(ZonedDateTime.parse("2014-02-26T22:51:16.504Z"));
    expected.setNotBefore(ZonedDateTime.parse("2014-02-26T22:51:16.474Z"));
    expected.setNotOnOrAfter(ZonedDateTime.parse("2014-02-26T23:51:16.474Z"));

    assertEquals("testCreateCredentialFromToken() - IssuedOn", expected.getIssuedOn(), actual.getIssuedOn());
    assertEquals("testCreateCredentialFromToken() - NotBefore", expected.getNotBefore(), actual.getNotBefore());
    assertEquals("testCreateCredentialFromToken() - NotOnOrAfter", expected.getNotOnOrAfter(), actual.getNotOnOrAfter());
    assertEquals("testCreateCredentialFromToken() - Issuer", expected.getIssuer(), actual.getIssuer());
    assertEquals("testCreateCredentialFromToken() - Audience", expected.getAudience(), actual.getAudience());
    assertEquals("testCreateCredentialFromToken() - Id", expected.getId(), actual.getId());
}
Use of `org.opensaml.saml.saml1.core.Audience` in the Apache CXF project.
Class `SamlOAuthValidator`, method `validateAudience`. (Note: this method calls `getAudienceRestrictions()` and `getAudienceURI()`, which are the SAML 2 API; the SAML 1 `Audience` type exposes `getUri()`.)
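/**
 * Checks that the assertion's audience restrictions admit this endpoint.
 * <p>
 * The audience is compared as an exact, case-sensitive string against the absolute address
 * of the target resource: SAML audience URIs are matched by string equality, not by URI
 * normalisation. Per SAML 2.0 Core §2.5.1.4 the {@code Audience} values inside one
 * {@code AudienceRestriction} are ORed, while separate {@code AudienceRestriction} elements
 * are ANDed — every restriction present must name this address. An assertion that carries
 * no audience restriction at all is rejected rather than treated as unrestricted (fail closed).
 *
 * @param message the inbound message whose absolute target address is the expected audience
 * @param cs      the assertion's conditions; {@code null} is treated as "no restriction" and rejected
 * @throws RuntimeException the not-authorized exception produced by
 *                          {@code ExceptionUtils.toNotAuthorizedException} when any restriction
 *                          fails to name this address
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs == null ? null : cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        // Each restriction is evaluated independently; all of them must be satisfied.
        if (!namesAudience(ar, absoluteAddress)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}

/**
 * True when at least one {@code Audience} inside the restriction equals {@code expected}
 * (audiences within a single restriction are ORed).
 */
private static boolean namesAudience(AudienceRestriction ar, String expected) {
    List<Audience> audiences = ar.getAudiences();
    if (audiences == null) {
        return false;
    }
    for (Audience a : audiences) {
        if (expected.equals(a.getAudienceURI())) {
            return true;
        }
    }
    return false;
}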
Use of `org.opensaml.saml.saml1.core.Audience` in the Apache CXF project.
Class `SAMLTokenRenewer`, method `validateAssertion` (handles both the SAML 1.1 `AudienceRestrictionCondition` and the SAML 2.0 `AudienceRestriction` forms).
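/**
 * Validates that a cached SAML token may be renewed in the context of this request.
 * <p>
 * The checks run in this order and each failure aborts with an {@link STSException}:
 * <ol>
 *   <li>the cached token must carry properties and explicitly permit renewal
 *       ({@code STSConstants.TOKEN_RENEWING_ALLOW}); a missing flag counts as "false";</li>
 *   <li>an expired token is renewable only if both the renewer-wide
 *       {@code allowRenewalAfterExpiry} switch and the token's own
 *       {@code TOKEN_RENEWING_ALLOW_AFTER_EXPIRY} property permit it, and only within
 *       {@code maxExpiry} seconds of the assertion's expiry instant;</li>
 *   <li>when {@code verifyProofOfPossession} is set, the holder-of-key subject (if any) is
 *       parsed and the requester must prove possession of the associated key;</li>
 *   <li>when the request carries an AppliesTo address, it must match the assertion's
 *       audience restriction, in its SAML 1.1 or SAML 2.0 form.</li>
 * </ol>
 * NOTE(review): step 4 is skipped entirely when {@code getAppliesToAddress()} is
 * {@code null}, i.e. a renewal request that omits AppliesTo is never checked against the
 * token's audience. Whether that is acceptable depends on deployment policy — confirm.
 *
 * @param assertion       the parsed SAML assertion being renewed
 * @param tokenToRenew    the received token, carrying its validity state
 * @param token           the cached security token and its renewal properties
 * @param tokenParameters renewal parameters (STS properties, AppliesTo address, ...)
 * @throws WSSecurityException if parsing the subject / key info fails
 * @throws STSException        if any renewal check fails
 */
private void validateAssertion(SamlAssertionWrapper assertion, ReceivedToken tokenToRenew, SecurityToken token, TokenRenewerParameters tokenParameters) throws WSSecurityException {
    // Check the cached renewal properties
    Map<String, Object> props = token.getProperties();
    if (props == null) {
        LOG.log(Level.WARNING, "Error in getting properties from cached token");
        throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
    }
    String isAllowRenewal = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW);
    String isAllowRenewalAfterExpiry = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
    // Renewal is opt-in: an absent flag is treated exactly like "false".
    if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
        LOG.log(Level.WARNING, "The token is not allowed to be renewed");
        throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
    }
    // Check to see whether the token has expired greater than the configured max expiry time
    if (tokenToRenew.getState() == STATE.EXPIRED) {
        // Both the renewer-wide switch and the token's own property must permit post-expiry renewal.
        if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
            LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
            throw new STSException("Renewal after expiry is not allowed", STSException.REQUEST_FAILED);
        }
        DateTime expiryDate = getExpiryDate(assertion);
        DateTime currentDate = new DateTime();
        // maxExpiry is expressed in seconds; the subtraction is in milliseconds.
        if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
            LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
            throw new STSException("The token expired too long ago to be renewed", STSException.REQUEST_FAILED);
        }
    }
    // Verify Proof of Possession
    ProofOfPossessionValidator popValidator = new ProofOfPossessionValidator();
    if (verifyProofOfPossession) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        Crypto sigCrypto = stsProperties.getSignatureCrypto();
        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(sigCrypto);
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        requestData.setWssConfig(wssConfig);
        WSDocInfo docInfo = new WSDocInfo(((Element) tokenToRenew.getToken()).getOwnerDocument());
        requestData.setWsDocInfo(docInfo);
        // Parse the HOK subject if it exists
        assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), sigCrypto, callbackHandler);
        SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
        if (keyInfo == null) {
            // No holder-of-key material: hand the validator an empty SAMLKeyInfo rather than null.
            keyInfo = new SAMLKeyInfo((byte[]) null);
        }
        if (!popValidator.checkProofOfPossession(tokenParameters, keyInfo)) {
            throw new STSException("Failed to verify the proof of possession of the key associated with the " + "saml token. No matching key found in the request.", STSException.INVALID_REQUEST);
        }
    }
    // Check the AppliesTo address
    String appliesToAddress = tokenParameters.getAppliesToAddress();
    if (appliesToAddress != null) {
        if (assertion.getSaml1() != null) {
            // An assertion without Conditions cannot satisfy an AppliesTo check; reject it
            // explicitly instead of failing with a NullPointerException further down.
            if (assertion.getSaml1().getConditions() == null) {
                LOG.log(Level.WARNING, "The token carries no Conditions to match the AppliesTo address against");
                throw new STSException("The token carries no Conditions to match the AppliesTo address against", STSException.INVALID_REQUEST);
            }
            List<AudienceRestrictionCondition> restrConditions = assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
            if (!matchSaml1AudienceRestriction(appliesToAddress, restrConditions)) {
                LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
                throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
            }
        } else {
            if (assertion.getSaml2().getConditions() == null) {
                LOG.log(Level.WARNING, "The token carries no Conditions to match the AppliesTo address against");
                throw new STSException("The token carries no Conditions to match the AppliesTo address against", STSException.INVALID_REQUEST);
            }
            List<AudienceRestriction> audienceRestrs = assertion.getSaml2().getConditions().getAudienceRestrictions();
            if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) {
                LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
                throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
            }
        }
    }
}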