Search in sources :

Example 31 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

the class SamlProfileSamlNameIdBuilder method buildNameId.

/**
     * Build name id.
     * If there are no explicitly defined NameIDFormats, include the default format.
     * see: http://saml2int.org/profile/current/#section92
     *
     * @param authnRequest the authn request
     * @param assertion    the assertion
     * @param service      the service
     * @param adaptor      the adaptor
     * @return the name id
     * @throws SamlException the saml exception
     */
private NameID buildNameId(final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<String> supportedNameFormats = adaptor.getSupportedNameIdFormats();
    LOGGER.debug("Metadata for [{}] declares support for the following NameIDs [{}]", adaptor.getEntityId(), supportedNameFormats);
    if (supportedNameFormats.isEmpty()) {
        supportedNameFormats.add(NameIDType.TRANSIENT);
        LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", NameIDType.TRANSIENT);
    }
    if (StringUtils.isNotBlank(service.getRequiredNameIdFormat())) {
        final String fmt = parseAndBuildRequiredNameIdFormat(service);
        supportedNameFormats.add(0, fmt);
        LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", fmt, service.getServiceId());
    }
    String requiredNameFormat = null;
    if (authnRequest.getNameIDPolicy() != null) {
        requiredNameFormat = authnRequest.getNameIDPolicy().getFormat();
        LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requiredNameFormat);
        if (NameID.ENCRYPTED.equals(requiredNameFormat)) {
            LOGGER.warn("Encrypted NameID formats are not supported");
            requiredNameFormat = null;
        }
    }
    if (StringUtils.isNotBlank(requiredNameFormat) && !supportedNameFormats.contains(requiredNameFormat)) {
        LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]", requiredNameFormat, SamlIdPUtils.getIssuerFromSamlRequest(authnRequest), adaptor.getEntityId());
        throw new SamlException("Required NameID format cannot be provided because it is not supported");
    }
    for (final String nameFormat : supportedNameFormats) {
        try {
            LOGGER.debug("Evaluating NameID format [{}]", nameFormat);
            final SAML2StringNameIDEncoder encoder = new SAML2StringNameIDEncoder();
            encoder.setNameFormat(nameFormat);
            if (authnRequest.getNameIDPolicy() != null) {
                final String qualifier = authnRequest.getNameIDPolicy().getSPNameQualifier();
                LOGGER.debug("NameID qualifier is set to [{}]", qualifier);
                encoder.setNameQualifier(qualifier);
            }
            final IdPAttribute attribute = new IdPAttribute(AttributePrincipal.class.getName());
            final IdPAttributeValue<String> value = new StringAttributeValue(assertion.getPrincipal().getName());
            LOGGER.debug("NameID attribute value is set to [{}]", assertion.getPrincipal().getName());
            attribute.setValues(Collections.singletonList(value));
            LOGGER.debug("Encoding NameID based on [{}]", nameFormat);
            final NameID nameid = encoder.encode(attribute);
            LOGGER.debug("Final NameID encoded is [{}] with value [{}]", nameid.getFormat(), nameid.getValue());
            return nameid;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
    }
    return null;
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) SamlException(org.apereo.cas.support.saml.SamlException) IdPAttribute(net.shibboleth.idp.attribute.IdPAttribute) StringAttributeValue(net.shibboleth.idp.attribute.StringAttributeValue) SAML2StringNameIDEncoder(net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringNameIDEncoder) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal) SamlException(org.apereo.cas.support.saml.SamlException)

Example 32 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

the class SamlProfileSamlSoap11ResponseBuilder method buildResponse.

@Override
protected Envelope buildResponse(final Assertion assertion, final org.jasig.cas.client.validation.Assertion casAssertion, final AuthnRequest authnRequest, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final HttpServletRequest request, final HttpServletResponse response) throws SamlException {
    final Response ecpResponse = newEcpResponse(adaptor.getAssertionConsumerService().getLocation());
    final Header header = newSoapObject(Header.class);
    header.getUnknownXMLObjects().add(ecpResponse);
    final Body body = newSoapObject(Body.class);
    final org.opensaml.saml.saml2.core.Response saml2Response = (org.opensaml.saml.saml2.core.Response) saml2ResponseBuilder.build(authnRequest, request, response, casAssertion, service, adaptor);
    body.getUnknownXMLObjects().add(saml2Response);
    final Envelope envelope = newSoapObject(Envelope.class);
    envelope.setHeader(header);
    envelope.setBody(body);
    return envelope;
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) Response(org.opensaml.saml.saml2.ecp.Response) Header(org.opensaml.soap.soap11.Header) Envelope(org.opensaml.soap.soap11.Envelope) Body(org.opensaml.soap.soap11.Body)

Example 33 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project ddf by codice.

the class IdpEndpoint method parseServiceProviderMetadata.

private void parseServiceProviderMetadata(List<String> serviceProviderMetadata) {
    if (serviceProviderMetadata != null) {
        try {
            MetadataConfigurationParser metadataConfigurationParser = new MetadataConfigurationParser(serviceProviderMetadata, ed -> {
                EntityInformation entityInfo = new EntityInformation.Builder(ed, SUPPORTED_BINDINGS).build();
                if (entityInfo != null) {
                    serviceProviders.put(ed.getEntityID(), entityInfo);
                }
            });
            serviceProviders.putAll(metadataConfigurationParser.getEntryDescriptions().entrySet().stream().map(e -> Maps.immutableEntry(e.getKey(), new EntityInformation.Builder(e.getValue(), SUPPORTED_BINDINGS).build())).filter(e -> nonNull(e.getValue())).collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue)));
        } catch (IOException e) {
            LOGGER.warn("Unable to parse SP metadata configuration. Check the configuration for SP metadata.", e);
        }
    }
}
Also used : RedirectBinding(org.codice.ddf.security.idp.binding.redirect.RedirectBinding) Encoded(javax.ws.rs.Encoded) Produces(javax.ws.rs.Produces) SOAPException(javax.xml.soap.SOAPException) SSOConstants(org.apache.cxf.rs.security.saml.sso.SSOConstants) DOM2Writer(org.apache.wss4j.common.util.DOM2Writer) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) EntityInformation(ddf.security.samlp.impl.EntityInformation) BasicAuthenticationHandler(org.codice.ddf.security.handler.basic.BasicAuthenticationHandler) SamlProtocol(ddf.security.samlp.SamlProtocol) ConstraintViolationException(net.shibboleth.utilities.java.support.logic.ConstraintViolationException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Document(org.w3c.dom.Document) Map(java.util.Map) XMLStreamException(javax.xml.stream.XMLStreamException) RequestedAuthnContext(org.opensaml.saml.saml2.core.RequestedAuthnContext) UriBuilder(javax.ws.rs.core.UriBuilder) UsageType(org.opensaml.security.credential.UsageType) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) Set(java.util.Set) ResponseCreator(org.codice.ddf.security.idp.binding.api.ResponseCreator) StandardCharsets(java.nio.charset.StandardCharsets) SignableXMLObject(org.opensaml.xmlsec.signature.SignableXMLObject) IOUtils(org.apache.commons.io.IOUtils) ResponseUnmarshaller(ddf.security.liberty.paos.impl.ResponseUnmarshaller) HttpUtils(org.codice.ddf.security.common.HttpUtils) CertificateEncodingException(java.security.cert.CertificateEncodingException) GET(javax.ws.rs.GET) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) CookieCache(org.codice.ddf.security.idp.cache.CookieCache) ArrayList(java.util.ArrayList) RequestBuilder(ddf.security.liberty.paos.impl.RequestBuilder) SOAPElement(javax.xml.soap.SOAPElement) SecurityServiceException(ddf.security.service.SecurityServiceException) HttpServletRequest(javax.servlet.http.HttpServletRequest) OpenSAMLUtil(org.apache.wss4j.common.saml.OpenSAMLUtil) BaseAuthenticationToken(org.codice.ddf.security.handler.api.BaseAuthenticationToken) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) Boon(org.boon.Boon) Request(ddf.security.liberty.paos.Request) IOException(java.io.IOException) ConfigurationService(org.opensaml.core.config.ConfigurationService) Subject(ddf.security.Subject) SimpleSign(ddf.security.samlp.SimpleSign) SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken) StringReader(java.io.StringReader) Soap11(org.apache.cxf.binding.soap.Soap11) X509Certificate(java.security.cert.X509Certificate) ServletException(javax.servlet.ServletException) URL(java.net.URL) SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) XMLInputFactory(javax.xml.stream.XMLInputFactory) DOMUtils(org.apache.cxf.helpers.DOMUtils) SecurityAssertionImpl(ddf.security.assertion.impl.SecurityAssertionImpl) Path(javax.ws.rs.Path) CryptoType(org.apache.wss4j.common.crypto.CryptoType) LoggerFactory(org.slf4j.LoggerFactory) NewCookie(javax.ws.rs.core.NewCookie) SoapRequestDecoder(org.codice.ddf.security.idp.binding.soap.SoapRequestDecoder) XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) SoapBinding(org.codice.ddf.security.idp.binding.soap.SoapBinding) XMLStreamReader(javax.xml.stream.XMLStreamReader) Binding(org.codice.ddf.security.idp.binding.api.Binding) SAAJInInterceptor(org.apache.cxf.binding.soap.saaj.SAAJInInterceptor) PKIAuthenticationTokenFactory(org.codice.ddf.security.handler.api.PKIAuthenticationTokenFactory) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Context(javax.ws.rs.core.Context) ImmutableSet(com.google.common.collect.ImmutableSet) StringUtils.isEmpty(org.apache.commons.lang.StringUtils.isEmpty) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) ValidationException(ddf.security.samlp.ValidationException) UUID(java.util.UUID) AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef) Collectors(java.util.stream.Collectors) SoapMessage(org.apache.cxf.binding.soap.SoapMessage) RequestUnmarshaller(ddf.security.liberty.paos.impl.RequestUnmarshaller) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Base64(java.util.Base64) List(java.util.List) PKIHandler(org.codice.ddf.security.handler.pki.PKIHandler) RequestMarshaller(ddf.security.liberty.paos.impl.RequestMarshaller) Response(javax.ws.rs.core.Response) Optional(java.util.Optional) ResponseMarshaller(ddf.security.liberty.paos.impl.ResponseMarshaller) Objects.nonNull(java.util.Objects.nonNull) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) MetadataConfigurationParser(ddf.security.samlp.MetadataConfigurationParser) RestSecurity(org.codice.ddf.security.common.jaxrs.RestSecurity) PostBinding(org.codice.ddf.security.idp.binding.post.PostBinding) ContextPolicy(org.codice.ddf.security.policy.context.ContextPolicy) ResponseBuilder(ddf.security.liberty.paos.impl.ResponseBuilder) HashMap(java.util.HashMap) StatusCode(org.opensaml.saml.saml2.core.StatusCode) XMLInputFactory2(org.codehaus.stax2.XMLInputFactory2) Node(org.w3c.dom.Node) SAML2Constants(org.apache.wss4j.common.saml.builder.SAML2Constants) Assertion(org.opensaml.saml.saml2.core.Assertion) EncryptionService(ddf.security.encryption.EncryptionService) HtmlResponseTemplate(ddf.security.samlp.impl.HtmlResponseTemplate) Cookie(javax.servlet.http.Cookie) XMLObject(org.opensaml.core.xml.XMLObject) GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken) FormParam(javax.ws.rs.FormParam) POST(javax.ws.rs.POST) Logger(org.slf4j.Logger) Iterator(java.util.Iterator) SystemBaseUrl(org.codice.ddf.configuration.SystemBaseUrl) MalformedURLException(java.net.MalformedURLException) ResponseCreatorImpl(org.codice.ddf.security.idp.binding.api.impl.ResponseCreatorImpl) SamlValidator(ddf.security.samlp.impl.SamlValidator) Maps(com.google.common.collect.Maps) URLEncoder(java.net.URLEncoder) SOAPPart(javax.xml.soap.SOAPPart) Element(org.w3c.dom.Element) SystemCrypto(ddf.security.samlp.SystemCrypto) RelayStates(ddf.security.samlp.impl.RelayStates) SecurityManager(ddf.security.service.SecurityManager) Collections(java.util.Collections) UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken) InputStream(java.io.InputStream) LogoutMessage(ddf.security.samlp.LogoutMessage) MetadataConfigurationParser(ddf.security.samlp.MetadataConfigurationParser) UriBuilder(javax.ws.rs.core.UriBuilder) RequestBuilder(ddf.security.liberty.paos.impl.RequestBuilder) ResponseBuilder(ddf.security.liberty.paos.impl.ResponseBuilder) EntityInformation(ddf.security.samlp.impl.EntityInformation) IOException(java.io.IOException)

Example 34 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project ddf by codice.

the class IdpEndpoint method processLogin.

@GET
@Path("/login/sso")
public Response processLogin(@QueryParam(SAML_REQ) String samlRequest, @QueryParam(RELAY_STATE) String relayState, @QueryParam(AUTH_METHOD) String authMethod, @QueryParam(SSOConstants.SIG_ALG) String signatureAlgorithm, @QueryParam(SSOConstants.SIGNATURE) String signature, @QueryParam(ORIGINAL_BINDING) String originalBinding, @Context HttpServletRequest request) {
    LOGGER.debug("Processing login request: [ authMethod {} ], [ sigAlg {} ], [ relayState {} ]", authMethod, signatureAlgorithm, relayState);
    try {
        Binding binding;
        String template;
        if (!request.isSecure()) {
            throw new IllegalArgumentException("Authn Request must use TLS.");
        }
        //the authn request is always encoded as if it came in via redirect when coming from the web app
        Binding redirectBinding = new RedirectBinding(systemCrypto, serviceProviders);
        AuthnRequest authnRequest = redirectBinding.decoder().decodeRequest(samlRequest);
        String assertionConsumerServiceBinding = ResponseCreator.getAssertionConsumerServiceBinding(authnRequest, serviceProviders);
        if (HTTP_POST_BINDING.equals(originalBinding)) {
            binding = new PostBinding(systemCrypto, serviceProviders);
            template = submitForm;
        } else if (HTTP_REDIRECT_BINDING.equals(originalBinding)) {
            binding = redirectBinding;
            template = redirectPage;
        } else {
            throw new IdpException(new UnsupportedOperationException("Must use HTTP POST or Redirect bindings."));
        }
        binding.validator().validateAuthnRequest(authnRequest, samlRequest, relayState, signatureAlgorithm, signature, strictSignature);
        if (HTTP_POST_BINDING.equals(assertionConsumerServiceBinding)) {
            if (!(binding instanceof PostBinding)) {
                binding = new PostBinding(systemCrypto, serviceProviders);
            }
        } else if (HTTP_REDIRECT_BINDING.equals(assertionConsumerServiceBinding)) {
            if (!(binding instanceof RedirectBinding)) {
                binding = new RedirectBinding(systemCrypto, serviceProviders);
            }
        }
        org.opensaml.saml.saml2.core.Response encodedSaml = handleLogin(authnRequest, authMethod, request, null, false, false);
        LOGGER.debug("Returning SAML Response for relayState: {}" + relayState);
        NewCookie newCookie = createCookie(request, encodedSaml);
        Response response = binding.creator().getSamlpResponse(relayState, authnRequest, encodedSaml, newCookie, template);
        if (newCookie != null) {
            cookieCache.addActiveSp(newCookie.getValue(), authnRequest.getIssuer().getValue());
            logAddedSp(authnRequest);
        }
        return response;
    } catch (SecurityServiceException e) {
        LOGGER.info("Unable to retrieve subject for user.", e);
        return Response.status(Response.Status.UNAUTHORIZED).build();
    } catch (WSSecurityException e) {
        LOGGER.info("Unable to encode SAMLP response.", e);
    } catch (SimpleSign.SignatureException e) {
        LOGGER.info("Unable to sign SAML response.", e);
    } catch (IllegalArgumentException e) {
        LOGGER.info(e.getMessage(), e);
        return Response.status(Response.Status.BAD_REQUEST).build();
    } catch (ValidationException e) {
        LOGGER.info("AuthnRequest schema validation failed.", e);
        return Response.status(Response.Status.BAD_REQUEST).build();
    } catch (IOException e) {
        LOGGER.info("Unable to create SAML Response.", e);
    } catch (IdpException e) {
        LOGGER.info(e.getMessage(), e);
        return Response.status(Response.Status.BAD_REQUEST).build();
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
}
Also used : RedirectBinding(org.codice.ddf.security.idp.binding.redirect.RedirectBinding) SoapBinding(org.codice.ddf.security.idp.binding.soap.SoapBinding) Binding(org.codice.ddf.security.idp.binding.api.Binding) PostBinding(org.codice.ddf.security.idp.binding.post.PostBinding) RedirectBinding(org.codice.ddf.security.idp.binding.redirect.RedirectBinding) SecurityServiceException(ddf.security.service.SecurityServiceException) ValidationException(ddf.security.samlp.ValidationException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) Response(javax.ws.rs.core.Response) SimpleSign(ddf.security.samlp.SimpleSign) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) PostBinding(org.codice.ddf.security.idp.binding.post.PostBinding) NewCookie(javax.ws.rs.core.NewCookie) Path(javax.ws.rs.Path) GET(javax.ws.rs.GET)

Example 35 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project ddf by codice.

the class IdpEndpoint method showLoginPage.

private Response showLoginPage(String samlRequest, String relayState, String signatureAlgorithm, String signature, HttpServletRequest request, Binding binding, String template, String originalBinding) throws WSSecurityException {
    String responseStr;
    AuthnRequest authnRequest = null;
    try {
        Map<String, Object> responseMap = new HashMap<>();
        binding.validator().validateRelayState(relayState);
        authnRequest = binding.decoder().decodeRequest(samlRequest);
        authnRequest.getIssueInstant();
        binding.validator().validateAuthnRequest(authnRequest, samlRequest, relayState, signatureAlgorithm, signature, strictSignature);
        if (!request.isSecure()) {
            throw new IllegalArgumentException("Authn Request must use TLS.");
        }
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERTIFICATES_ATTR);
        boolean hasCerts = (certs != null && certs.length > 0);
        boolean hasCookie = hasValidCookie(request, authnRequest.isForceAuthn());
        if ((authnRequest.isPassive() && hasCerts) || hasCookie) {
            LOGGER.debug("Received Passive & PKI AuthnRequest.");
            org.opensaml.saml.saml2.core.Response samlpResponse;
            try {
                samlpResponse = handleLogin(authnRequest, PKI, request, null, authnRequest.isPassive(), hasCookie);
                LOGGER.debug("Passive & PKI AuthnRequest logged in successfully.");
            } catch (SecurityServiceException e) {
                LOGGER.debug(e.getMessage(), e);
                return getErrorResponse(relayState, authnRequest, StatusCode.AUTHN_FAILED, binding);
            } catch (WSSecurityException e) {
                LOGGER.debug(e.getMessage(), e);
                return getErrorResponse(relayState, authnRequest, StatusCode.REQUEST_DENIED, binding);
            } catch (SimpleSign.SignatureException | ConstraintViolationException e) {
                LOGGER.debug(e.getMessage(), e);
                return getErrorResponse(relayState, authnRequest, StatusCode.REQUEST_UNSUPPORTED, binding);
            }
            LOGGER.debug("Returning Passive & PKI SAML Response.");
            NewCookie cookie = null;
            if (hasCookie) {
                cookieCache.addActiveSp(getCookie(request).getValue(), authnRequest.getIssuer().getValue());
            } else {
                cookie = createCookie(request, samlpResponse);
                if (cookie != null) {
                    cookieCache.addActiveSp(cookie.getValue(), authnRequest.getIssuer().getValue());
                }
            }
            logAddedSp(authnRequest);
            return binding.creator().getSamlpResponse(relayState, authnRequest, samlpResponse, cookie, template);
        } else {
            LOGGER.debug("Building the JSON map to embed in the index.html page for login.");
            Document doc = DOMUtils.createDocument();
            doc.appendChild(doc.createElement("root"));
            String authn = DOM2Writer.nodeToString(OpenSAMLUtil.toDom(authnRequest, doc, false));
            String encodedAuthn = RestSecurity.deflateAndBase64Encode(authn);
            responseMap.put(PKI, hasCerts);
            responseMap.put(GUEST, guestAccess);
            responseMap.put(SAML_REQ, encodedAuthn);
            responseMap.put(RELAY_STATE, relayState);
            String assertionConsumerServiceURL = ((ResponseCreatorImpl) binding.creator()).getAssertionConsumerServiceURL(authnRequest);
            responseMap.put(ACS_URL, assertionConsumerServiceURL);
            responseMap.put(SSOConstants.SIG_ALG, signatureAlgorithm);
            responseMap.put(SSOConstants.SIGNATURE, signature);
            responseMap.put(ORIGINAL_BINDING, originalBinding);
        }
        String json = Boon.toJson(responseMap);
        LOGGER.debug("Returning index.html page.");
        responseStr = indexHtml.replace(IDP_STATE_OBJ, json);
        return Response.ok(responseStr).build();
    } catch (IllegalArgumentException e) {
        LOGGER.debug(e.getMessage(), e);
        if (authnRequest != null) {
            try {
                return getErrorResponse(relayState, authnRequest, StatusCode.REQUEST_UNSUPPORTED, binding);
            } catch (IOException | SimpleSign.SignatureException e1) {
                LOGGER.debug(e1.getMessage(), e1);
            }
        }
    } catch (UnsupportedOperationException e) {
        LOGGER.debug(e.getMessage(), e);
        if (authnRequest != null) {
            try {
                return getErrorResponse(relayState, authnRequest, StatusCode.UNSUPPORTED_BINDING, binding);
            } catch (IOException | SimpleSign.SignatureException e1) {
                LOGGER.debug(e1.getMessage(), e1);
            }
        }
    } catch (SimpleSign.SignatureException e) {
        LOGGER.debug("Unable to validate AuthRequest Signature", e);
    } catch (IOException e) {
        LOGGER.debug("Unable to decode AuthRequest", e);
    } catch (ValidationException e) {
        LOGGER.debug("AuthnRequest schema validation failed.", e);
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
}
Also used : SecurityServiceException(ddf.security.service.SecurityServiceException) ValidationException(ddf.security.samlp.ValidationException) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashMap(java.util.HashMap) Document(org.w3c.dom.Document) SimpleSign(ddf.security.samlp.SimpleSign) ConstraintViolationException(net.shibboleth.utilities.java.support.logic.ConstraintViolationException) NewCookie(javax.ws.rs.core.NewCookie) ResponseCreatorImpl(org.codice.ddf.security.idp.binding.api.impl.ResponseCreatorImpl) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) SignableXMLObject(org.opensaml.xmlsec.signature.SignableXMLObject) XMLObject(org.opensaml.core.xml.XMLObject)

Aggregations

EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)24 SamlRegisteredServiceServiceProviderMetadataFacade (org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)12 lombok.val (lombok.val)11 AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)11 InputStream (java.io.InputStream)10 ArrayList (java.util.ArrayList)10 IOException (java.io.IOException)9 UnauthorizedServiceException (org.apereo.cas.services.UnauthorizedServiceException)9 Document (org.w3c.dom.Document)9 Element (org.w3c.dom.Element)9 List (java.util.List)8 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)8 SamlRegisteredServiceCachingMetadataResolver (org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver)8 Map (java.util.Map)7 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)7 XMLObject (org.opensaml.core.xml.XMLObject)7 X509Certificate (java.security.cert.X509Certificate)6 HashMap (java.util.HashMap)6 Slf4j (lombok.extern.slf4j.Slf4j)6 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)6