Example 6 with org.opensaml.saml.saml2.core
use of org.opensaml.saml.saml2.core in project cxf by apache.
the class SAMLSSOResponseValidator method validateSamlResponse.
/**
* Validate a SAML 2 Protocol Response
* @param samlResponse
* @param postBinding
* @return a SSOValidatorResponse object
* @throws WSSecurityException
*/
public SSOValidatorResponse validateSamlResponse(org.opensaml.saml.saml2.core.Response samlResponse, boolean postBinding) throws WSSecurityException {
// Check the Issuer
validateIssuer(samlResponse.getIssuer());
// The Response must contain at least one Assertion.
if (samlResponse.getAssertions() == null || samlResponse.getAssertions().isEmpty()) {
LOG.warning("The Response must contain at least one Assertion");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// The Response must contain a Destination that matches the assertionConsumerURL if it is
// signed
String destination = samlResponse.getDestination();
if (samlResponse.isSigned() && (destination == null || !destination.equals(assertionConsumerURL))) {
LOG.warning("The Response must contain a destination that matches the assertion consumer URL");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
if (enforceResponseSigned && !samlResponse.isSigned()) {
LOG.warning("The Response must be signed!");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// Validate Assertions
org.opensaml.saml.saml2.core.Assertion validAssertion = null;
Instant sessionNotOnOrAfter = null;
for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
// Check the Issuer
if (assertion.getIssuer() == null) {
LOG.warning("Assertion Issuer must not be null");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
validateIssuer(assertion.getIssuer());
if (!samlResponse.isSigned() && enforceAssertionsSigned && assertion.getSignature() == null) {
LOG.warning("The enclosed assertions in the SAML Response must be signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// Check for AuthnStatements and validate the Subject accordingly
if (assertion.getAuthnStatements() != null && !assertion.getAuthnStatements().isEmpty()) {
org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf = validateAuthenticationSubject(subject, assertion.getID(), postBinding);
if (subjectConf != null) {
validateAudienceRestrictionCondition(assertion.getConditions());
validAssertion = assertion;
sessionNotOnOrAfter = null;
// Store Session NotOnOrAfter
for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
if (authnStatment.getSessionNotOnOrAfter() != null) {
sessionNotOnOrAfter = Instant.ofEpochMilli(authnStatment.getSessionNotOnOrAfter().toDate().getTime());
}
}
// Fall back to the SubjectConfirmationData NotOnOrAfter if we have no session NotOnOrAfter
if (sessionNotOnOrAfter == null) {
sessionNotOnOrAfter = Instant.ofEpochMilli(subjectConf.getSubjectConfirmationData().getNotOnOrAfter().toDate().getTime());
}
}
}
}
if (validAssertion == null) {
LOG.warning("The Response did not contain any Authentication Statement that matched " + "the Subject Confirmation criteria");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
if (samlResponse.getIssueInstant() != null) {
validatorResponse.setCreated(Instant.ofEpochMilli(samlResponse.getIssueInstant().toDate().getTime()));
}
Element assertionElement = validAssertion.getDOM();
Element clonedAssertionElement = (Element) assertionElement.cloneNode(true);
validatorResponse.setAssertionElement(clonedAssertionElement);
validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement));
validatorResponse.setOpensamlAssertion(validAssertion);
return validatorResponse;
}
Also used :
Instant(java.time.Instant)
Element(org.w3c.dom.Element)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Example 7 with org.opensaml.saml.saml2.core
use of org.opensaml.saml.saml2.core in project syncope by apache.
the class SAML2ITCase method createResponse.
private org.opensaml.saml.saml2.core.Response createResponse(final String inResponseTo, final boolean signAssertion, final String subjectConfMethod, final String issuer) throws Exception {
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
org.opensaml.saml.saml2.core.Response response = SAML2PResponseComponentBuilder.createSAMLResponse(inResponseTo, issuer, status);
response.setDestination("http://recipient.apache.org");
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setIssuer(issuer);
callbackHandler.setSubjectName("puccini");
callbackHandler.setSubjectConfirmationMethod(subjectConfMethod);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo(inResponseTo);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org/saml2sp/assertion-consumer");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://recipient.apache.org/"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (signAssertion) {
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance("JKS");
InputStream input = Files.newInputStream(keystorePath);
keyStore.load(input, "security".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
assertion.signAssertion("subject", "security", issuerCrypto, false);
}
response.getAssertions().add(assertion.getSaml2());
return response;
}
Also used :
Status(org.opensaml.saml.saml2.core.Status)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
InputStream(java.io.InputStream)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 8 with org.opensaml.saml.saml2.core
use of org.opensaml.saml.saml2.core in project security by opensearch-project.
the class MockSamlIdpServer method handleSloGetRequestBase.
@SuppressWarnings("unchecked")
public void handleSloGetRequestBase(HttpRequest request) {
try {
HttpServletRequest httpServletRequest = new FakeHttpServletRequest(request);
HTTPRedirectDeflateDecoder decoder = new HTTPRedirectDeflateDecoder();
decoder.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
decoder.setHttpServletRequest(httpServletRequest);
decoder.initialize();
decoder.decode();
MessageContext<SAMLObject> messageContext = decoder.getMessageContext();
if (!(messageContext.getMessage() instanceof LogoutRequest)) {
throw new RuntimeException("Expected LogoutRequest; received: " + messageContext.getMessage());
}
LogoutRequest logoutRequest = (LogoutRequest) messageContext.getMessage();
SAML2HTTPRedirectDeflateSignatureSecurityHandler signatureSecurityHandler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
SignatureValidationParameters validationParams = new SignatureValidationParameters();
SecurityParametersContext securityParametersContext = messageContext.getSubcontext(SecurityParametersContext.class, true);
SAMLPeerEntityContext peerEntityContext = messageContext.getSubcontext(SAMLPeerEntityContext.class, true);
peerEntityContext.setEntityId(idpEntityId);
peerEntityContext.setRole(org.opensaml.saml.saml2.metadata.SPSSODescriptor.DEFAULT_ELEMENT_NAME);
SAMLProtocolContext protocolContext = messageContext.getSubcontext(SAMLProtocolContext.class, true);
protocolContext.setProtocol(SAMLConstants.SAML20P_NS);
validationParams.setSignatureTrustEngine(buildSignatureTrustEngine(this.spSignatureCertificate));
securityParametersContext.setSignatureValidationParameters(validationParams);
signatureSecurityHandler.setHttpServletRequest(httpServletRequest);
signatureSecurityHandler.initialize();
signatureSecurityHandler.invoke(messageContext);
if (!this.authenticateUser.equals(logoutRequest.getNameID().getValue())) {
throw new RuntimeException("Unexpected NameID in LogoutRequest: " + logoutRequest);
}
} catch (URISyntaxException | ComponentInitializationException | MessageDecodingException | MessageHandlerException e) {
throw new RuntimeException(e);
}
}
Also used :
ComponentInitializationException(net.shibboleth.utilities.java.support.component.ComponentInitializationException)
SAMLObject(org.opensaml.saml.common.SAMLObject)
SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext)
MessageHandlerException(org.opensaml.messaging.handler.MessageHandlerException)
SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler)
URISyntaxException(java.net.URISyntaxException)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters)
MessageDecodingException(org.opensaml.messaging.decoder.MessageDecodingException)
SAMLProtocolContext(org.opensaml.saml.common.messaging.context.SAMLProtocolContext)
SecurityParametersContext(org.opensaml.xmlsec.context.SecurityParametersContext)
HTTPRedirectDeflateDecoder(org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Example 9 with org.opensaml.saml.saml2.core
use of org.opensaml.saml.saml2.core in project cxf by apache.
the class SamlOAuthValidator method validateAuthenticationSubject.
private boolean validateAuthenticationSubject(Message m, Conditions cs, org.opensaml.saml.saml2.core.Subject subject) {
// We need to find a Bearer Subject Confirmation method
boolean bearerSubjectConfFound = false;
if (subject.getSubjectConfirmations() != null) {
for (SubjectConfirmation subjectConf : subject.getSubjectConfirmations()) {
if (SAML2Constants.CONF_BEARER.equals(subjectConf.getMethod())) {
validateSubjectConfirmation(m, cs, subjectConf.getSubjectConfirmationData());
bearerSubjectConfFound = true;
}
}
}
return bearerSubjectConfFound;
}
Also used :
SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation)
Example 10 with org.opensaml.saml.saml2.core
use of org.opensaml.saml.saml2.core in project cxf by apache.
the class SAMLUtils method getSubject.
public static Subject getSubject(Message message, SamlAssertionWrapper assertionW) {
if (assertionW.getSaml2() != null) {
org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
Subject subject = new Subject();
NameID nameId = s.getNameID();
subject.setNameQualifier(nameId.getNameQualifier());
// if format is transient then we may need to use STSClient
// to request an alternate name from IDP
subject.setNameFormat(nameId.getFormat());
subject.setName(nameId.getValue());
subject.setSpId(nameId.getSPProvidedID());
subject.setSpQualifier(nameId.getSPNameQualifier());
return subject;
} else if (assertionW.getSaml1() != null) {
org.opensaml.saml.saml1.core.Subject s = getSaml1Subject(assertionW);
if (s != null) {
Subject subject = new Subject();
NameIdentifier nameId = s.getNameIdentifier();
subject.setNameQualifier(nameId.getNameQualifier());
// if format is transient then we may need to use STSClient
// to request an alternate name from IDP
subject.setNameFormat(nameId.getFormat());
subject.setName(nameId.getValue());
return subject;
}
}
return null;
}
Also used :
NameID(org.opensaml.saml.saml2.core.NameID)
NameIdentifier(org.opensaml.saml.saml1.core.NameIdentifier)
Subject(org.apache.cxf.rs.security.saml.assertion.Subject)
Aggregations
Assertion (org.opensaml.saml.saml2.core.Assertion)6
IOException (java.io.IOException)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4
SimpleSign (ddf.security.samlp.SimpleSign)3
ValidationException (ddf.security.samlp.ValidationException)3
SecurityServiceException (ddf.security.service.SecurityServiceException)3
NewCookie (javax.ws.rs.core.NewCookie)3
Response (javax.ws.rs.core.Response)3
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)3
MalformedURLException (java.net.MalformedURLException)2
X509Certificate (java.security.cert.X509Certificate)2
HttpServletResponse (javax.servlet.http.HttpServletResponse)2
Test (org.junit.Test)2
XMLObject (org.opensaml.core.xml.XMLObject)2
XSString (org.opensaml.core.xml.schema.XSString)2
AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement)2
Issuer (org.opensaml.saml.saml2.core.Issuer)2
NameID (org.opensaml.saml.saml2.core.NameID)2
SubjectConfirmation (org.opensaml.saml.saml2.core.SubjectConfirmation)2
SubjectConfirmationData (org.opensaml.saml.saml2.core.SubjectConfirmationData)2
