Example 1 with SAML2HTTPRedirectDeflateSignatureSecurityHandler
use of org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler in project cas by apereo.
the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
final SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
final SAMLPeerEntityContext peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
peer.setEntityId(SamlIdPUtils.getIssuerFromSamlRequest(profileRequest));
LOGGER.debug("Validating request signature for [{}] via [{}]...", peer.getEntityId(), handler.getClass().getSimpleName());
LOGGER.debug("Resolving role descriptor for [{}]", peer.getEntityId());
final RoleDescriptor roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peer.getEntityId()), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
peer.setRole(roleDescriptor.getElementQName());
final SAMLProtocolContext protocol = context.getSubcontext(SAMLProtocolContext.class, true);
protocol.setProtocol(SAMLConstants.SAML20P_NS);
LOGGER.debug("Building security parameters context for signature validation of [{}]", peer.getEntityId());
final SecurityParametersContext secCtx = context.getSubcontext(SecurityParametersContext.class, true);
final SignatureValidationParameters validationParams = new SignatureValidationParameters();
if (overrideBlackListedSignatureAlgorithms != null && !overrideBlackListedSignatureAlgorithms.isEmpty()) {
validationParams.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
LOGGER.debug("Validation override blacklisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
}
if (overrideWhiteListedAlgorithms != null && !overrideWhiteListedAlgorithms.isEmpty()) {
validationParams.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
LOGGER.debug("Validation override whitelisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
}
LOGGER.debug("Resolving signing credentials for [{}]", peer.getEntityId());
final Set<Credential> credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
if (credentials == null || credentials.isEmpty()) {
throw new SamlException("Signing credentials for validation could not be resolved");
}
boolean foundValidCredential = false;
final Iterator<Credential> it = credentials.iterator();
while (!foundValidCredential && it.hasNext()) {
try {
final Credential c = it.next();
final CredentialResolver resolver = new StaticCredentialResolver(c);
final KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(c);
final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
validationParams.setSignatureTrustEngine(trustEngine);
secCtx.setSignatureValidationParameters(validationParams);
handler.setHttpServletRequest(request);
LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
handler.initialize();
LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
handler.invoke(context);
LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
foundValidCredential = true;
} catch (final Exception e) {
LOGGER.debug(e.getMessage(), e);
} finally {
handler.destroy();
}
}
if (!foundValidCredential) {
LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
throw new SamlException("No valid signing credentials for validation could not be resolved");
}
}
Also used :
Credential(org.opensaml.security.credential.Credential)
ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)
SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine)
SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler)
SamlException(org.apereo.cas.support.saml.SamlException)
SamlException(org.apereo.cas.support.saml.SamlException)
SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
SAMLProtocolContext(org.opensaml.saml.common.messaging.context.SAMLProtocolContext)
StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver)
ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)
RoleDescriptor(org.opensaml.saml.saml2.metadata.RoleDescriptor)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
SecurityParametersContext(org.opensaml.xmlsec.context.SecurityParametersContext)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)
MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver)
StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
CredentialResolver(org.opensaml.security.credential.CredentialResolver)
KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)
Example 2 with SAML2HTTPRedirectDeflateSignatureSecurityHandler
use of org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler in project cas by apereo.
the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
val peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest));
val peerEntityId = Objects.requireNonNull(peer.getEntityId());
LOGGER.debug("Validating request signature for [{}]...", peerEntityId);
val roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
peer.setRole(roleDescriptor.getElementQName());
val protocol = context.getSubcontext(SAMLProtocolContext.class, true);
protocol.setProtocol(SAMLConstants.SAML20P_NS);
LOGGER.debug("Building security parameters context for signature validation of [{}]", peerEntityId);
val secCtx = context.getSubcontext(SecurityParametersContext.class, true);
val validationParams = new SignatureValidationParameters();
if (overrideBlockedSignatureAlgorithms != null && !overrideBlockedSignatureAlgorithms.isEmpty()) {
validationParams.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideAllowedAlgorithms);
}
if (overrideAllowedAlgorithms != null && !overrideAllowedAlgorithms.isEmpty()) {
validationParams.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
}
LOGGER.debug("Resolving signing credentials for [{}]", peerEntityId);
val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
if (credentials.isEmpty()) {
throw new SamlException("Signing credentials for validation could not be resolved");
}
var foundValidCredential = false;
val it = credentials.iterator();
while (!foundValidCredential && it.hasNext()) {
val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
try {
val credential = it.next();
val resolver = new StaticCredentialResolver(credential);
val keyResolver = new StaticKeyInfoCredentialResolver(credential);
val trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
validationParams.setSignatureTrustEngine(trustEngine);
secCtx.setSignatureValidationParameters(validationParams);
handler.setHttpServletRequest(request);
LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
handler.initialize();
LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
handler.invoke(context);
LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
foundValidCredential = true;
} catch (final Exception e) {
LOGGER.debug(e.getMessage(), e);
} finally {
handler.destroy();
}
}
if (!foundValidCredential) {
LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
throw new SamlException("No valid signing credentials for validation could not be resolved");
}
}
Also used :
lombok.val(lombok.val)
SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver)
ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler)
SamlException(org.apereo.cas.support.saml.SamlException)
SamlException(org.apereo.cas.support.saml.SamlException)
Aggregations
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)2
SamlException (org.apereo.cas.support.saml.SamlException)2
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)2
EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)2
SAML2HTTPRedirectDeflateSignatureSecurityHandler (org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler)2
StaticCredentialResolver (org.opensaml.security.credential.impl.StaticCredentialResolver)2
SignatureValidationParameters (org.opensaml.xmlsec.SignatureValidationParameters)2
StaticKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)2
ExplicitKeySignatureTrustEngine (org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)2
lombok.val (lombok.val)1
SAMLPeerEntityContext (org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext)1
SAMLProtocolContext (org.opensaml.saml.common.messaging.context.SAMLProtocolContext)1
RoleDescriptor (org.opensaml.saml.saml2.metadata.RoleDescriptor)1
MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)1
Credential (org.opensaml.security.credential.Credential)1
CredentialResolver (org.opensaml.security.credential.CredentialResolver)1
SecurityParametersContext (org.opensaml.xmlsec.context.SecurityParametersContext)1
KeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)1
SignatureTrustEngine (org.opensaml.xmlsec.signature.support.SignatureTrustEngine)1
