Example 26 with Request
use of org.opensaml.saml.saml2.ecp.Request in project ddf by codice.
the class LogoutRequestService method getSamlpPostLogoutRequest.
private Response getSamlpPostLogoutRequest(String relayState, LogoutRequest logoutRequest) throws SimpleSign.SignatureException, WSSecurityException {
LOGGER.debug("Configuring SAML LogoutRequest for POST.");
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
LOGGER.debug("Signing SAML POST LogoutRequest.");
simpleSign.signSamlObject(logoutRequest);
LOGGER.debug("Converting SAML Request to DOM");
String assertionResponse = DOM2Writer.nodeToString(OpenSAMLUtil.toDom(logoutRequest, doc));
String encodedSamlRequest = Base64.getEncoder().encodeToString(assertionResponse.getBytes(StandardCharsets.UTF_8));
String singleLogoutLocation = idpMetadata.getSingleLogoutLocation();
String submitFormUpdated = String.format(submitForm, singleLogoutLocation, SAML_REQUEST, encodedSamlRequest, relayState);
Response.ResponseBuilder ok = Response.ok(submitFormUpdated);
return ok.build();
}
Also used :
Response(javax.ws.rs.core.Response)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Document(org.w3c.dom.Document)
Example 27 with Request
use of org.opensaml.saml.saml2.ecp.Request in project ddf by codice.
the class IdpHandler method createPaosRequest.
private String createPaosRequest(HttpServletRequest request) throws WSSecurityException {
String spIssuerId = getSpIssuerId();
String spAssertionConsumerServiceUrl = getSpAssertionConsumerServiceUrl(spIssuerId);
RequestBuilder requestBuilder = new RequestBuilder();
Request paosRequest = requestBuilder.buildObject();
paosRequest.setResponseConsumerURL(spAssertionConsumerServiceUrl);
paosRequest.setMessageID(createRelayState(request));
paosRequest.setService(Request.ECP_SERVICE);
paosRequest.setSOAP11MustUnderstand(true);
paosRequest.setSOAP11Actor(HTTP_SCHEMAS_XMLSOAP_ORG_SOAP_ACTOR_NEXT);
return convertXmlObjectToString(paosRequest);
}
Also used :
RequestBuilder(ddf.security.liberty.paos.impl.RequestBuilder)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ServletRequest(javax.servlet.ServletRequest)
Request(ddf.security.liberty.paos.Request)
Example 28 with Request
use of org.opensaml.saml.saml2.ecp.Request in project ddf by codice.
the class PaosInInterceptor method getHttpResponse.
HttpResponseWrapper getHttpResponse(String responseConsumerURL, String soapResponse, Message message) throws IOException {
//This used to use the ApacheHttpTransport which appeared to not work with 2 way TLS auth but this one does
HttpTransport httpTransport = new NetHttpTransport();
HttpContent httpContent = new InputStreamContent(TEXT_XML, new ByteArrayInputStream(soapResponse.getBytes("UTF-8")));
//this handles redirects for us
((InputStreamContent) httpContent).setRetrySupported(true);
HttpRequest httpRequest = httpTransport.createRequestFactory().buildPostRequest(new GenericUrl(responseConsumerURL), httpContent);
HttpUnsuccessfulResponseHandler httpUnsuccessfulResponseHandler = (request, response, supportsRetry) -> {
String redirectLocation = response.getHeaders().getLocation();
if (request.getFollowRedirects() && HttpStatusCodes.isRedirect(response.getStatusCode()) && redirectLocation != null) {
String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
HttpContent content = null;
if (!isRedirectable(method)) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
message.setContent(OutputStream.class, byteArrayOutputStream);
BodyWriter bodyWriter = new BodyWriter();
bodyWriter.handleMessage(message);
content = new InputStreamContent((String) message.get(Message.CONTENT_TYPE), new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
}
// resolve the redirect location relative to the current location
request.setUrl(new GenericUrl(request.getUrl().toURL(redirectLocation)));
request.setRequestMethod(method);
request.setContent(content);
// remove Authorization and If-* headers
request.getHeaders().setAuthorization((String) null);
request.getHeaders().setIfMatch(null);
request.getHeaders().setIfNoneMatch(null);
request.getHeaders().setIfModifiedSince(null);
request.getHeaders().setIfUnmodifiedSince(null);
request.getHeaders().setIfRange(null);
request.getHeaders().setCookie((String) ((List) response.getHeaders().get("set-cookie")).get(0));
return true;
}
return false;
};
httpRequest.setUnsuccessfulResponseHandler(httpUnsuccessfulResponseHandler);
httpRequest.getHeaders().put(SOAP_ACTION, HTTP_WWW_OASIS_OPEN_ORG_COMMITTEES_SECURITY);
//has 20 second timeout by default
HttpResponse httpResponse = httpRequest.execute();
HttpResponseWrapper httpResponseWrapper = new HttpResponseWrapper();
httpResponseWrapper.statusCode = httpResponse.getStatusCode();
httpResponseWrapper.content = httpResponse.getContent();
return httpResponseWrapper;
}
Also used :
HttpRequest(com.google.api.client.http.HttpRequest)
RestSecurity(org.codice.ddf.security.common.jaxrs.RestSecurity)
StringUtils(org.apache.commons.lang.StringUtils)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
DOMUtils(org.apache.cxf.helpers.DOMUtils)
ResponseBuilder(ddf.security.liberty.paos.impl.ResponseBuilder)
SOAPException(javax.xml.soap.SOAPException)
DOM2Writer(org.apache.wss4j.common.util.DOM2Writer)
IDPList(org.opensaml.saml.saml2.core.IDPList)
LoggerFactory(org.slf4j.LoggerFactory)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
AbstractPhaseInterceptor(org.apache.cxf.phase.AbstractPhaseInterceptor)
HttpRequest(com.google.api.client.http.HttpRequest)
SamlProtocol(ddf.security.samlp.SamlProtocol)
HttpResponse(com.google.api.client.http.HttpResponse)
IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Charset(java.nio.charset.Charset)
Fault(org.apache.cxf.interceptor.Fault)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
Map(java.util.Map)
XMLStreamException(javax.xml.stream.XMLStreamException)
Node(org.w3c.dom.Node)
HttpUnsuccessfulResponseHandler(com.google.api.client.http.HttpUnsuccessfulResponseHandler)
GenericUrl(com.google.api.client.http.GenericUrl)
OpenSAMLUtil(org.apache.wss4j.common.saml.OpenSAMLUtil)
XMLObject(org.opensaml.core.xml.XMLObject)
HttpContent(com.google.api.client.http.HttpContent)
OutputStream(java.io.OutputStream)
NetHttpTransport(com.google.api.client.http.javanet.NetHttpTransport)
Response(ddf.security.liberty.paos.Response)
Logger(org.slf4j.Logger)
Iterator(java.util.Iterator)
Message(org.apache.cxf.message.Message)
HttpTransport(com.google.api.client.http.HttpTransport)
IOException(java.io.IOException)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
StandardCharsets(java.nio.charset.StandardCharsets)
Request(org.opensaml.saml.saml2.ecp.Request)
IOUtils(org.apache.commons.io.IOUtils)
Base64(java.util.Base64)
List(java.util.List)
SOAPPart(javax.xml.soap.SOAPPart)
Element(org.w3c.dom.Element)
HttpStatusCodes(com.google.api.client.http.HttpStatusCodes)
InputStreamContent(com.google.api.client.http.InputStreamContent)
InputStream(java.io.InputStream)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
OutputStream(java.io.OutputStream)
HttpUnsuccessfulResponseHandler(com.google.api.client.http.HttpUnsuccessfulResponseHandler)
HttpResponse(com.google.api.client.http.HttpResponse)
GenericUrl(com.google.api.client.http.GenericUrl)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
NetHttpTransport(com.google.api.client.http.javanet.NetHttpTransport)
HttpTransport(com.google.api.client.http.HttpTransport)
ByteArrayInputStream(java.io.ByteArrayInputStream)
NetHttpTransport(com.google.api.client.http.javanet.NetHttpTransport)
InputStreamContent(com.google.api.client.http.InputStreamContent)
HttpContent(com.google.api.client.http.HttpContent)
Example 29 with Request
use of org.opensaml.saml.saml2.ecp.Request in project ddf by codice.
the class PaosInInterceptor method handleMessage.
@Override
public void handleMessage(Message message) throws Fault {
List authHeader = (List) ((Map) message.getExchange().getOutMessage().get(Message.PROTOCOL_HEADERS)).get("Authorization");
String authorization = null;
if (authHeader != null && authHeader.size() > 0) {
authorization = (String) authHeader.get(0);
}
InputStream content = message.getContent(InputStream.class);
String contentType = (String) message.get(Message.CONTENT_TYPE);
if (contentType == null || !contentType.contains(APPLICATION_VND_PAOS_XML)) {
return;
}
try {
SOAPPart soapMessage = SamlProtocol.parseSoapMessage(IOUtils.toString(content, Charset.forName("UTF-8")));
Iterator iterator = soapMessage.getEnvelope().getHeader().examineAllHeaderElements();
IDPEntry idpEntry = null;
String relayState = "";
String responseConsumerURL = "";
String messageId = "";
while (iterator.hasNext()) {
Element soapHeaderElement = (SOAPHeaderElement) iterator.next();
if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
relayState = DOM2Writer.nodeToString(soapHeaderElement);
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_OASIS_NAMES_TC_SAML_2_0_PROFILES_SSO_ECP)) {
try {
soapHeaderElement = SamlProtocol.convertDomImplementation(soapHeaderElement);
Request ecpRequest = (Request) OpenSAMLUtil.fromDom(soapHeaderElement);
IDPList idpList = ecpRequest.getIDPList();
if (idpList == null) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
}
List<IDPEntry> idpEntrys = idpList.getIDPEntrys();
if (idpEntrys == null || idpEntrys.size() == 0) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
}
//choose the right entry, probably need to do something better than select the first one
//but the spec doesn't specify how this is supposed to be done
idpEntry = idpEntrys.get(0);
} catch (WSSecurityException e) {
//TODO figure out IdP alternatively
LOGGER.info("Unable to determine IdP appropriately. ECP connection will fail. SP may be incorrectly configured. Contact the administrator for the remote system.");
}
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_LIBERTY_PAOS_2003_08)) {
responseConsumerURL = soapHeaderElement.getAttribute(RESPONSE_CONSUMER_URL);
messageId = soapHeaderElement.getAttribute(MESSAGE_ID);
}
}
if (idpEntry == null) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
}
String token = createToken(authorization);
checkAuthnRequest(soapMessage);
Element authnRequestElement = SamlProtocol.getDomElement(soapMessage.getEnvelope().getBody().getFirstChild());
String loc = idpEntry.getLoc();
String soapRequest = buildSoapMessage(token, relayState, authnRequestElement, null);
HttpResponseWrapper httpResponse = getHttpResponse(loc, soapRequest, null);
InputStream httpResponseContent = httpResponse.content;
SOAPPart idpSoapResponse = SamlProtocol.parseSoapMessage(IOUtils.toString(httpResponseContent, Charset.forName("UTF-8")));
Iterator responseHeaderElements = idpSoapResponse.getEnvelope().getHeader().examineAllHeaderElements();
String newRelayState = "";
while (responseHeaderElements.hasNext()) {
SOAPHeaderElement soapHeaderElement = (SOAPHeaderElement) responseHeaderElements.next();
if (RESPONSE.equals(soapHeaderElement.getLocalName())) {
String assertionConsumerServiceURL = soapHeaderElement.getAttribute(ASSERTION_CONSUMER_SERVICE_URL);
if (!responseConsumerURL.equals(assertionConsumerServiceURL)) {
String soapFault = buildSoapFault(ECP_RESPONSE, "The responseConsumerURL does not match the assertionConsumerServiceURL.");
httpResponse = getHttpResponse(responseConsumerURL, soapFault, null);
message.setContent(InputStream.class, httpResponse.content);
return;
}
} else if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
newRelayState = DOM2Writer.nodeToString(soapHeaderElement);
if (StringUtils.isNotEmpty(relayState) && !relayState.equals(newRelayState)) {
LOGGER.debug("RelayState does not match between ECP request and response");
}
if (StringUtils.isNotEmpty(relayState)) {
newRelayState = relayState;
}
}
}
checkSamlpResponse(idpSoapResponse);
Element samlpResponseElement = SamlProtocol.getDomElement(idpSoapResponse.getEnvelope().getBody().getFirstChild());
Response paosResponse = null;
if (StringUtils.isNotEmpty(messageId)) {
paosResponse = getPaosResponse(messageId);
}
String soapResponse = buildSoapMessage(null, newRelayState, samlpResponseElement, paosResponse);
httpResponse = getHttpResponse(responseConsumerURL, soapResponse, message.getExchange().getOutMessage());
if (httpResponse.statusCode < 400) {
httpResponseContent = httpResponse.content;
message.setContent(InputStream.class, httpResponseContent);
} else {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection due to an error."));
}
} catch (IOException e) {
LOGGER.debug("Error encountered while performing ECP handshake.", e);
} catch (XMLStreamException | SOAPException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. The server's response was not in the correct format."));
} catch (WSSecurityException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to send SOAP request messages."));
}
}
Also used :
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InputStream(java.io.InputStream)
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
Element(org.w3c.dom.Element)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
HttpRequest(com.google.api.client.http.HttpRequest)
Request(org.opensaml.saml.saml2.ecp.Request)
IDPList(org.opensaml.saml.saml2.core.IDPList)
Fault(org.apache.cxf.interceptor.Fault)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
HttpResponse(com.google.api.client.http.HttpResponse)
Response(ddf.security.liberty.paos.Response)
XMLStreamException(javax.xml.stream.XMLStreamException)
SOAPException(javax.xml.soap.SOAPException)
SOAPPart(javax.xml.soap.SOAPPart)
Iterator(java.util.Iterator)
IDPList(org.opensaml.saml.saml2.core.IDPList)
List(java.util.List)
IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)
Example 30 with Request
use of org.opensaml.saml.saml2.ecp.Request in project ddf by codice.
the class AttributeQueryClaimsHandler method getAttributes.
/**
* Gets the attributes for the supplied user from the external attribute store.
* Returns null if the AttributeQueryClient is null.
*
* @param nameId used for the request.
* @return The collection of attributes retrieved from the external attribute store.
* @throws URISyntaxException
*/
protected ProcessedClaimCollection getAttributes(String nameId) throws URISyntaxException {
ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
LOGGER.debug("Sending AttributeQuery Request.");
AttributeQueryClient attributeQueryClient;
Assertion assertion;
try {
attributeQueryClient = createAttributeQueryClient(simpleSign, externalAttributeStoreUrl, issuer, destination);
if (attributeQueryClient == null) {
return null;
}
assertion = attributeQueryClient.query(nameId);
if (assertion != null) {
createClaims(claimCollection, assertion);
}
} catch (AttributeQueryException ex) {
LOGGER.info("Error occurred in AttributeQueryClient, did not retrieve response. Set log level for \"org.codice.ddf.security.claims.attributequery.common\" to DEBUG for more information.");
LOGGER.debug("Error occurred in AttributeQueryClient, did not retrieve response.", ex);
}
return claimCollection;
}
Also used :
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
Assertion(org.opensaml.saml.saml2.core.Assertion)
Aggregations
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)16
IOException (java.io.IOException)13
LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)13
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12
ValidationException (ddf.security.samlp.ValidationException)9
Response (javax.ws.rs.core.Response)9
Document (org.w3c.dom.Document)9
XMLStreamException (javax.xml.stream.XMLStreamException)8
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)7
ByteArrayInputStream (java.io.ByteArrayInputStream)6
Test (org.junit.Test)6
Matchers.anyString (org.mockito.Matchers.anyString)6
Assertion (org.opensaml.saml.saml2.core.Assertion)6
Element (org.w3c.dom.Element)6
SimpleSign (ddf.security.samlp.SimpleSign)5
Path (javax.ws.rs.Path)5
NewCookie (javax.ws.rs.core.NewCookie)5
XMLObject (org.opensaml.core.xml.XMLObject)5
MessageContext (org.opensaml.messaging.context.MessageContext)5
ServletException (javax.servlet.ServletException)4
