Example 16 with Subject

use of org.opensaml.saml.saml2.core.Subject in project ddf by codice.

From class IdpEndpoint, method processLogin:

@GET
@Path("/login/sso")
public Response processLogin(
        @QueryParam(SAML_REQ) String samlRequest,
        @QueryParam(RELAY_STATE) String relayState,
        @QueryParam(AUTH_METHOD) String authMethod,
        @QueryParam(SSOConstants.SIG_ALG) String signatureAlgorithm,
        @QueryParam(SSOConstants.SIGNATURE) String signature,
        @QueryParam(ORIGINAL_BINDING) String originalBinding,
        @Context HttpServletRequest request) {
    LOGGER.debug("Processing login request: [ authMethod {} ], [ sigAlg {} ], [ relayState {} ]", authMethod, signatureAlgorithm, relayState);
    try {
        Binding binding;
        String template;
        if (!request.isSecure()) {
            throw new IllegalArgumentException("Authn Request must use TLS.");
        }
        // The AuthnRequest is always encoded as if it arrived via the Redirect binding
        // when it comes from the web app, so it is decoded with the redirect decoder first.
        Binding redirectBinding = new RedirectBinding(systemCrypto, serviceProviders);
        AuthnRequest authnRequest = redirectBinding.decoder().decodeRequest(samlRequest);
        String assertionConsumerServiceBinding = ResponseCreator.getAssertionConsumerServiceBinding(authnRequest, serviceProviders);
        if (HTTP_POST_BINDING.equals(originalBinding)) {
            binding = new PostBinding(systemCrypto, serviceProviders);
            template = submitForm;
        } else if (HTTP_REDIRECT_BINDING.equals(originalBinding)) {
            binding = redirectBinding;
            template = redirectPage;
        } else {
            throw new IdpException(new UnsupportedOperationException("Must use HTTP POST or Redirect bindings."));
        }
        binding.validator().validateAuthnRequest(authnRequest, samlRequest, relayState, signatureAlgorithm, signature, strictSignature);
        if (HTTP_POST_BINDING.equals(assertionConsumerServiceBinding)) {
            if (!(binding instanceof PostBinding)) {
                binding = new PostBinding(systemCrypto, serviceProviders);
            }
        } else if (HTTP_REDIRECT_BINDING.equals(assertionConsumerServiceBinding)) {
            if (!(binding instanceof RedirectBinding)) {
                binding = new RedirectBinding(systemCrypto, serviceProviders);
            }
        }
        org.opensaml.saml.saml2.core.Response encodedSaml = handleLogin(authnRequest, authMethod, request, null, false, false);
        // Use the SLF4J placeholder rather than string concatenation, otherwise the "{}" is never substituted
        LOGGER.debug("Returning SAML Response for relayState: {}", relayState);
        NewCookie newCookie = createCookie(request, encodedSaml);
        Response response = binding.creator().getSamlpResponse(relayState, authnRequest, encodedSaml, newCookie, template);
        if (newCookie != null) {
            cookieCache.addActiveSp(newCookie.getValue(), authnRequest.getIssuer().getValue());
            logAddedSp(authnRequest);
        }
        return response;
    } catch (SecurityServiceException e) {
        LOGGER.info("Unable to retrieve subject for user.", e);
        return Response.status(Response.Status.UNAUTHORIZED).build();
    } catch (WSSecurityException e) {
        LOGGER.info("Unable to encode SAMLP response.", e);
    } catch (SimpleSign.SignatureException e) {
        LOGGER.info("Unable to sign SAML response.", e);
    } catch (IllegalArgumentException e) {
        LOGGER.info(e.getMessage(), e);
        return Response.status(Response.Status.BAD_REQUEST).build();
    } catch (ValidationException e) {
        LOGGER.info("AuthnRequest schema validation failed.", e);
        return Response.status(Response.Status.BAD_REQUEST).build();
    } catch (IOException e) {
        LOGGER.info("Unable to create SAML Response.", e);
    } catch (IdpException e) {
        LOGGER.info(e.getMessage(), e);
        return Response.status(Response.Status.BAD_REQUEST).build();
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
}

Example 17 with Subject

use of org.opensaml.saml.saml2.core.Subject in project ddf by codice.

From class SubjectUtilsTest, method getSubjectWithAttributes:

// Builds a mocked Shiro Subject whose principal collection carries a single
// SecurityAssertion with one AttributeStatement holding the given attributes.
private Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
    Subject subject = mock(Subject.class);
    PrincipalCollection pc = mock(PrincipalCollection.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    AttributeStatement as = mock(AttributeStatement.class);
    List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
    doReturn(pc).when(subject).getPrincipals();
    doReturn(assertion).when(pc).oneByType(SecurityAssertion.class);
    doReturn(ImmutableList.of(assertion)).when(pc).byType(SecurityAssertion.class);
    doReturn(Collections.singletonList(as)).when(assertion).getAttributeStatements();
    doReturn(attrs).when(as).getAttributes();
    return subject;
}