Example 31 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testAudienceRestrictionMultipleValues.
@org.junit.Test
public void testAudienceRestrictionMultipleValues() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<String> values = new ArrayList<>();
values.add("http://unknown-service.apache.org");
values.add("http://service.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(values);
Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
validator.validateSamlResponse(response, false);
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
ArrayList(java.util.ArrayList)
DateTime(org.joda.time.DateTime)
Example 32 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testEmptyAudienceRestriction.
@org.junit.Test
public void testEmptyAudienceRestriction() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(response, false);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
DateTime(org.joda.time.DateTime)
Example 33 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class SamlRequestComponentBuilder method createAuthzDecisionQuery.
@SuppressWarnings("unchecked")
public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(boolean inputContextOnly, boolean returnContext, String issuerValue, RequestType request, String namespace) {
if (xacmlAuthzDecisionQueryTypeBuilder == null) {
xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>) builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
}
XACMLAuthzDecisionQueryType authzQuery = xacmlAuthzDecisionQueryTypeBuilder.buildObject(namespace, XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME, SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX);
authzQuery.setID("_" + UUID.randomUUID().toString());
authzQuery.setVersion(SAMLVersion.VERSION_20);
authzQuery.setIssueInstant(new DateTime());
authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
authzQuery.setReturnContext(Boolean.valueOf(returnContext));
if (issuerValue != null) {
Issuer issuer = createIssuer(issuerValue);
authzQuery.setIssuer(issuer);
}
authzQuery.setRequest(request);
return authzQuery;
}
Also used :
XACMLAuthzDecisionQueryType(org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType)
Issuer(org.opensaml.saml.saml2.core.Issuer)
DateTime(org.joda.time.DateTime)
Example 34 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class DifferentRealmValidator method validate.
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
Credential validatedCredential = super.validate(credential, data);
SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
if (transformedToken == null || transformedToken.getSaml2() == null || !"B-Issuer".equals(transformedToken.getIssuerString())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
Assertion assertion = transformedToken.getSaml2();
if (!"B-Principal".equals(assertion.getSubject().getNameID().getValue())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
return validatedCredential;
}
Also used :
Credential(org.apache.wss4j.dom.validate.Credential)
Assertion(org.opensaml.saml.saml2.core.Assertion)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Example 35 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project syncope by apache.
the class SAML2ITCase method createResponse.
private org.opensaml.saml.saml2.core.Response createResponse(final String inResponseTo, final boolean signAssertion, final String subjectConfMethod, final String issuer) throws Exception {
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
org.opensaml.saml.saml2.core.Response response = SAML2PResponseComponentBuilder.createSAMLResponse(inResponseTo, issuer, status);
response.setDestination("http://recipient.apache.org");
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setIssuer(issuer);
callbackHandler.setSubjectName("puccini");
callbackHandler.setSubjectConfirmationMethod(subjectConfMethod);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo(inResponseTo);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org/saml2sp/assertion-consumer");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://recipient.apache.org/"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (signAssertion) {
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance("JKS");
InputStream input = Files.newInputStream(keystorePath);
keyStore.load(input, "security".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
assertion.signAssertion("subject", "security", issuerCrypto, false);
}
response.getAssertions().add(assertion.getSaml2());
return response;
}
Also used :
Status(org.opensaml.saml.saml2.core.Status)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
InputStream(java.io.InputStream)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Aggregations
Issuer (org.opensaml.saml.saml2.core.Issuer)79
Response (org.opensaml.saml.saml2.core.Response)59
DateTime (org.joda.time.DateTime)57
Test (org.junit.jupiter.api.Test)37
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)36
Element (org.w3c.dom.Element)34
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)32
lombok.val (lombok.val)28
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)26
Document (org.w3c.dom.Document)25
Status (org.opensaml.saml.saml2.core.Status)24
Assertion (org.opensaml.saml.saml2.core.Assertion)22
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)20
SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)20
SAMLObjectBuilder (org.opensaml.saml.common.SAMLObjectBuilder)17
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)16
InputStream (java.io.InputStream)15
IssuerBuilder (org.opensaml.saml.saml2.core.impl.IssuerBuilder)15
Crypto (org.apache.wss4j.common.crypto.Crypto)14
KeyStore (java.security.KeyStore)13
