use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testAudienceRestrictionMultipleValues.
@org.junit.Test
public void testAudienceRestrictionMultipleValues() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
List<String> values = new ArrayList<>();
values.add("http://unknown-service.apache.org");
values.add("http://service.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(values);
Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
validator.validateSamlResponse(response, false);
}
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testEmptyAudienceRestriction.
@org.junit.Test
public void testEmptyAudienceRestriction() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
Response response = createResponse(subjectConfirmationData, Collections.singletonList(audienceRestriction), null);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(response, false);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class SamlRequestComponentBuilder method createAuthzDecisionQuery.
@SuppressWarnings("unchecked")
public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(boolean inputContextOnly, boolean returnContext, String issuerValue, RequestType request, String namespace) {
if (xacmlAuthzDecisionQueryTypeBuilder == null) {
xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>) builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
}
XACMLAuthzDecisionQueryType authzQuery = xacmlAuthzDecisionQueryTypeBuilder.buildObject(namespace, XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME, SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX);
authzQuery.setID("_" + UUID.randomUUID().toString());
authzQuery.setVersion(SAMLVersion.VERSION_20);
authzQuery.setIssueInstant(new DateTime());
authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
authzQuery.setReturnContext(Boolean.valueOf(returnContext));
if (issuerValue != null) {
Issuer issuer = createIssuer(issuerValue);
authzQuery.setIssuer(issuer);
}
authzQuery.setRequest(request);
return authzQuery;
}
use of org.opensaml.saml.saml2.core.Issuer in project cxf by apache.
the class DifferentRealmValidator method validate.
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
Credential validatedCredential = super.validate(credential, data);
SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
if (transformedToken == null || transformedToken.getSaml2() == null || !"B-Issuer".equals(transformedToken.getIssuerString())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
Assertion assertion = transformedToken.getSaml2();
if (!"B-Principal".equals(assertion.getSubject().getNameID().getValue())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
return validatedCredential;
}
use of org.opensaml.saml.saml2.core.Issuer in project syncope by apache.
the class SAML2ITCase method createResponse.
private org.opensaml.saml.saml2.core.Response createResponse(final String inResponseTo, final boolean signAssertion, final String subjectConfMethod, final String issuer) throws Exception {
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
org.opensaml.saml.saml2.core.Response response = SAML2PResponseComponentBuilder.createSAMLResponse(inResponseTo, issuer, status);
response.setDestination("http://recipient.apache.org");
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setIssuer(issuer);
callbackHandler.setSubjectName("puccini");
callbackHandler.setSubjectConfirmationMethod(subjectConfMethod);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo(inResponseTo);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org/saml2sp/assertion-consumer");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://recipient.apache.org/"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (signAssertion) {
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance("JKS");
InputStream input = Files.newInputStream(keystorePath);
keyStore.load(input, "security".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
assertion.signAssertion("subject", "security", issuerCrypto, false);
}
response.getAssertions().add(assertion.getSaml2());
return response;
}
Aggregations