Search in sources :

Example 16 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class WsFederationAction method doExecute.

/**
     * Executes the webflow action.
     *
     * @param context the context
     * @return the event
     * @throws Exception all unhandled exceptions
     */
@Override
protected Event doExecute(final RequestContext context) throws Exception {
    try {
        final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
        final HttpSession session = request.getSession();
        final String wa = request.getParameter(WA);
        // it's an authentication
        if (StringUtils.isNotBlank(wa) && wa.equalsIgnoreCase(WSIGNIN)) {
            final String wResult = request.getParameter(WRESULT);
            LOGGER.debug("Parameter [{}] received: [{}]", WRESULT, wResult);
            if (StringUtils.isBlank(wResult)) {
                LOGGER.error("No [{}] parameter is found", WRESULT);
                return error();
            }
            // create credentials
            LOGGER.debug("Attempting to create an assertion from the token parameter");
            final Assertion assertion = this.wsFederationHelper.parseTokenFromString(wResult, configuration);
            if (assertion == null) {
                LOGGER.error("Could not validate assertion via parsing the token from [{}]", WRESULT);
                return error();
            }
            LOGGER.debug("Attempting to validate the signature on the assertion");
            if (!this.wsFederationHelper.validateSignature(assertion, this.configuration)) {
                LOGGER.error("WS Requested Security Token is blank or the signature is not valid.");
                return error();
            }
            try {
                final Service service = (Service) session.getAttribute(SERVICE);
                LOGGER.debug("Creating credential based on the provided assertion");
                final WsFederationCredential credential = this.wsFederationHelper.createCredentialFromToken(assertion);
                final String rpId = getRelyingPartyIdentifier(service);
                if (credential != null && credential.isValid(rpId, this.configuration.getIdentityProviderIdentifier(), this.configuration.getTolerance())) {
                    LOGGER.debug("Validated assertion for the created credential successfully");
                    if (this.configuration.getAttributeMutator() != null) {
                        LOGGER.debug("Modifying credential attributes based on [{}]", this.configuration.getAttributeMutator().getClass().getSimpleName());
                        this.configuration.getAttributeMutator().modifyAttributes(credential.getAttributes());
                    }
                } else {
                    LOGGER.warn("SAML assertions are blank or no longer valid based on RP identifier [{}] and IdP identifier [{}]", rpId, this.configuration.getIdentityProviderIdentifier());
                    final String url = authorizationUrl + rpId;
                    context.getFlowScope().put(PROVIDERURL, url);
                    LOGGER.warn("Created authentication url [{}] and returning error", url);
                    return error();
                }
                context.getFlowScope().put(SERVICE, service);
                restoreRequestAttribute(request, session, THEME);
                restoreRequestAttribute(request, session, LOCALE);
                restoreRequestAttribute(request, session, METHOD);
                LOGGER.debug("Creating final authentication result based on the given credential");
                final AuthenticationResult authenticationResult = this.authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, credential);
                LOGGER.debug("Attempting to create a ticket-granting ticket for the authentication result");
                WebUtils.putTicketGrantingTicketInScopes(context, this.centralAuthenticationService.createTicketGrantingTicket(authenticationResult));
                LOGGER.info("Token validated and new [{}] created: [{}]", credential.getClass().getName(), credential);
                return success();
            } catch (final AbstractTicketException e) {
                LOGGER.error(e.getMessage(), e);
                return error();
            }
        } else {
            // no authentication : go to login page. save parameters in web session
            final Service service = (Service) context.getFlowScope().get(SERVICE);
            if (service != null) {
                session.setAttribute(SERVICE, service);
            }
            saveRequestParameter(request, session, THEME);
            saveRequestParameter(request, session, LOCALE);
            saveRequestParameter(request, session, METHOD);
            final String url = authorizationUrl + getRelyingPartyIdentifier(service);
            LOGGER.info("Preparing to redirect to the IdP [{}]", url);
            context.getFlowScope().put(PROVIDERURL, url);
        }
        LOGGER.debug("Returning error event");
        return error();
    } catch (final Exception ex) {
        LOGGER.error(ex.getMessage(), ex);
        return error();
    }
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) Assertion(org.opensaml.saml.saml1.core.Assertion) CentralAuthenticationService(org.apereo.cas.CentralAuthenticationService) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) AbstractTicketException(org.apereo.cas.ticket.AbstractTicketException) AbstractTicketException(org.apereo.cas.ticket.AbstractTicketException) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) AuthenticationResult(org.apereo.cas.authentication.AuthenticationResult)

Example 17 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class WsFederationHelperTests method verifyValidateSignatureGoodToken.

@Test
public void verifyValidateSignatureGoodToken() throws Exception {
    final String wresult = testTokens.get(GOOD_TOKEN);
    final Assertion assertion = wsFederationHelper.parseTokenFromString(wresult, wsFedConfig);
    final boolean result = wsFederationHelper.validateSignature(assertion, wsFedConfig);
    assertTrue("testValidateSignatureGoodToken() - True", result);
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion) Test(org.junit.Test)

Example 18 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class WsFederationHelperTests method verifyValidateSignatureModifiedSignature.

@Test
public void verifyValidateSignatureModifiedSignature() throws Exception {
    final String wresult = testTokens.get("badTokenModifiedSignature");
    final Assertion assertion = wsFederationHelper.parseTokenFromString(wresult, wsFedConfig);
    final boolean result = wsFederationHelper.validateSignature(assertion, wsFedConfig);
    assertFalse("testValidateSignatureModifiedSignature() - False", result);
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion) Test(org.junit.Test)

Example 19 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class WsFederationHelperTests method verifyParseTokenString.

@Test
public void verifyParseTokenString() throws Exception {
    final String wresult = testTokens.get(GOOD_TOKEN);
    final Assertion result = wsFederationHelper.parseTokenFromString(wresult, wsFedConfig);
    assertNotNull("testParseTokenString() - Not null", result);
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion) Test(org.junit.Test)

Example 20 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class SamlProfileSamlAssertionBuilder method build.

@Override
public Assertion build(final AuthnRequest authnRequest, final HttpServletRequest request, final HttpServletResponse response, final org.jasig.cas.client.validation.Assertion casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<Statement> statements = new ArrayList<>();
    statements.add(this.samlProfileSamlAuthNStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    statements.add(this.samlProfileSamlAttributeStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    final String id = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final Assertion assertion = newAssertion(statements, casProperties.getAuthn().getSamlIdp().getEntityId(), ZonedDateTime.now(ZoneOffset.UTC), id);
    assertion.setSubject(this.samlProfileSamlSubjectBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    assertion.setConditions(this.samlProfileSamlConditionsBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    signAssertion(assertion, request, response, service, adaptor);
    return assertion;
}
Also used : AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Statement(org.opensaml.saml.saml2.core.Statement) ArrayList(java.util.ArrayList) Assertion(org.opensaml.saml.saml2.core.Assertion) SecureRandom(java.security.SecureRandom)

Aggregations

Assertion (org.opensaml.saml.saml1.core.Assertion)11 Assertion (org.opensaml.saml.saml2.core.Assertion)10 Test (org.junit.Test)7 Assertion (org.opensaml.saml2.core.Assertion)6 WsFederationCredential (org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)4 Element (org.w3c.dom.Element)4 SecureRandom (java.security.SecureRandom)3 ZonedDateTime (java.time.ZonedDateTime)3 ArrayList (java.util.ArrayList)3 RegisteredService (org.apereo.cas.services.RegisteredService)3 DateTime (org.joda.time.DateTime)3 SAMLObjectBuilder (org.opensaml.common.SAMLObjectBuilder)3 Unmarshaller (org.opensaml.core.xml.io.Unmarshaller)3 Response (org.opensaml.saml.saml2.core.Response)3 ByteArrayInputStream (java.io.ByteArrayInputStream)2 IOException (java.io.IOException)2 InputStream (java.io.InputStream)2 HashMap (java.util.HashMap)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 Service (org.apereo.cas.authentication.principal.Service)2