Examples with Request org.opensaml.saml.saml2.ecp.Request used on opensource projects

Search in sources :

Example 86 with Request

use of org.opensaml.saml.saml2.ecp.Request in project verify-hub by alphagov.

the class ProtectiveMonitoringLogFormatterTest method shouldFormatAuthnSuccessResponse.

@Test
public void shouldFormatAuthnSuccessResponse() throws IOException, URISyntaxException, MarshallingException, SignatureException {
    Response response = aResponse().build();
    String logString = new ProtectiveMonitoringLogFormatter().formatAuthnResponse(response, Direction.INBOUND, true);
    String expectedLogMessage = "Protective Monitoring – Authn Response Event – " + "{responseId: default-response-id, " + "inResponseTo: default-request-id, " + "direction: INBOUND, " + "destination: http://destination.com, " + "issuerId: a-test-entity, " + "validSignature: true, " + "status: urn:oasis:names:tc:SAML:2.0:status:Success, " + "subStatus: , " + "statusDetails: []}";
    assertThat(logString).isEqualTo(expectedLogMessage);
}
Also used : ResponseBuilder.aResponse(uk.gov.ida.saml.core.test.builders.ResponseBuilder.aResponse) Response(org.opensaml.saml.saml2.core.Response) Test(org.junit.Test)

Example 87 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cxf by apache.

the class SAMLTokenRenewer method validateAssertion.

private void validateAssertion(SamlAssertionWrapper assertion, ReceivedToken tokenToRenew, SecurityToken token, TokenRenewerParameters tokenParameters) throws WSSecurityException {
    // Check the cached renewal properties
    Map<String, Object> props = token.getProperties();
    if (props == null) {
        LOG.log(Level.WARNING, "Error in getting properties from cached token");
        throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
    }
    String isAllowRenewal = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW);
    String isAllowRenewalAfterExpiry = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
    if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
        LOG.log(Level.WARNING, "The token is not allowed to be renewed");
        throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
    }
    // Check to see whether the token has expired greater than the configured max expiry time
    if (tokenToRenew.getState() == STATE.EXPIRED) {
        if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
            LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
            throw new STSException("Renewal after expiry is not allowed", STSException.REQUEST_FAILED);
        }
        DateTime expiryDate = getExpiryDate(assertion);
        DateTime currentDate = new DateTime();
        if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
            LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
            throw new STSException("The token expired too long ago to be renewed", STSException.REQUEST_FAILED);
        }
    }
    // Verify Proof of Possession
    ProofOfPossessionValidator popValidator = new ProofOfPossessionValidator();
    if (verifyProofOfPossession) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        Crypto sigCrypto = stsProperties.getSignatureCrypto();
        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(sigCrypto);
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        requestData.setWssConfig(wssConfig);
        WSDocInfo docInfo = new WSDocInfo(((Element) tokenToRenew.getToken()).getOwnerDocument());
        requestData.setWsDocInfo(docInfo);
        // Parse the HOK subject if it exists
        assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), sigCrypto, callbackHandler);
        SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
        if (keyInfo == null) {
            keyInfo = new SAMLKeyInfo((byte[]) null);
        }
        if (!popValidator.checkProofOfPossession(tokenParameters, keyInfo)) {
            throw new STSException("Failed to verify the proof of possession of the key associated with the " + "saml token. No matching key found in the request.", STSException.INVALID_REQUEST);
        }
    }
    // Check the AppliesTo address
    String appliesToAddress = tokenParameters.getAppliesToAddress();
    if (appliesToAddress != null) {
        if (assertion.getSaml1() != null) {
            List<AudienceRestrictionCondition> restrConditions = assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
            if (!matchSaml1AudienceRestriction(appliesToAddress, restrConditions)) {
                LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
                throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
            }
        } else {
            List<AudienceRestriction> audienceRestrs = assertion.getSaml2().getConditions().getAudienceRestrictions();
            if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) {
                LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
                throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
            }
        }
    }
}
Also used : WSDocInfo(org.apache.wss4j.dom.WSDocInfo) CallbackHandler(javax.security.auth.callback.CallbackHandler) STSException(org.apache.cxf.ws.security.sts.provider.STSException) DateTime(org.joda.time.DateTime) Crypto(org.apache.wss4j.common.crypto.Crypto) AudienceRestriction(org.opensaml.saml.saml2.core.AudienceRestriction) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) RequestData(org.apache.wss4j.dom.handler.RequestData) AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition) WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)

Example 88 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cxf by apache.

the class SAMLUtils method getSubject.

public static Subject getSubject(Message message, SamlAssertionWrapper assertionW) {
    if (assertionW.getSaml2() != null) {
        org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
        Subject subject = new Subject();
        NameID nameId = s.getNameID();
        subject.setNameQualifier(nameId.getNameQualifier());
        // if format is transient then we may need to use STSClient
        // to request an alternate name from IDP
        subject.setNameFormat(nameId.getFormat());
        subject.setName(nameId.getValue());
        subject.setSpId(nameId.getSPProvidedID());
        subject.setSpQualifier(nameId.getSPNameQualifier());
        return subject;
    } else if (assertionW.getSaml1() != null) {
        org.opensaml.saml.saml1.core.Subject s = getSaml1Subject(assertionW);
        if (s != null) {
            Subject subject = new Subject();
            NameIdentifier nameId = s.getNameIdentifier();
            subject.setNameQualifier(nameId.getNameQualifier());
            // if format is transient then we may need to use STSClient
            // to request an alternate name from IDP
            subject.setNameFormat(nameId.getFormat());
            subject.setName(nameId.getValue());
            return subject;
        }
    }
    return null;
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) NameIdentifier(org.opensaml.saml.saml1.core.NameIdentifier) Subject(org.apache.cxf.rs.security.saml.assertion.Subject)

Aggregations

AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)24 IOException (java.io.IOException)13 LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)13 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12 SamlRegisteredServiceServiceProviderMetadataFacade (org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)11 Test (org.junit.Test)10 ValidationException (ddf.security.samlp.ValidationException)9 Response (javax.ws.rs.core.Response)9 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)9 Assertion (org.jasig.cas.client.validation.Assertion)9 MessageContext (org.opensaml.messaging.context.MessageContext)9 Assertion (org.opensaml.saml.saml2.core.Assertion)9 Document (org.w3c.dom.Document)9 XMLStreamException (javax.xml.stream.XMLStreamException)8 LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)8 NameID (org.opensaml.saml.saml2.core.NameID)7 ByteArrayInputStream (java.io.ByteArrayInputStream)6 SimpleSign (ddf.security.samlp.SimpleSign)5 ZonedDateTime (java.time.ZonedDateTime)5 Path (javax.ws.rs.Path)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial