use of org.pac4j.saml.credentials.SAML2Credentials in project hive by apache.
the class HiveSaml2Client method validate.
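/**
 * Validates the SAML response carried by {@code request} and, on success, returns the
 * NameID asserted for the end user, which this client uses as the user's identity.
 *
 * <p>Extraction and validation are delegated to {@link SAML2CredentialsExtractor}; any
 * exception thrown while extracting is wrapped in an {@link HttpSamlAuthenticationException}
 * so callers see a single failure type. After the assertion has been accepted, the asserted
 * attributes are checked against {@code groupNameFilter}; a user matching none of the
 * configured groups is rejected even though the assertion itself was valid.
 *
 * @param request the HTTP request carrying the SAML response
 * @param response the HTTP response associated with {@code request}
 * @return the NameID value as received in the validated assertion
 * @throws HttpSamlAuthenticationException if the response could not be validated, no
 *     credentials could be extracted, or the assertion carries no usable NameID
 * @throws HttpSamlNoGroupsMatchedException if the user's attributes match none of the
 *     configured groups
 */
public String validate(HttpServletRequest request, HttpServletResponse response)
    throws HttpSamlAuthenticationException {
  final Optional<SAML2Credentials> extracted;
  try {
    final SAML2CredentialsExtractor extractor = new SAML2CredentialsExtractor(this);
    extracted = extractor.extract(new JEEContext(request, response));
  } catch (Exception ex) {
    // Any exception from the extractor means the response failed validation; keep the cause
    // so the real reason is available in logs, but surface one exception type to callers.
    throw new HttpSamlAuthenticationException("Could not validate the SAML response", ex);
  }
  final SAML2Credentials credentials = extracted.orElseThrow(
      () -> new HttpSamlAuthenticationException("Credentials could not be extracted"));
  // A validated assertion may still lack a subject NameID; without one there is no identity
  // to return, so treat it as an authentication failure rather than letting an NPE escape.
  if (credentials.getNameId() == null || credentials.getNameId().getValue() == null) {
    throw new HttpSamlAuthenticationException("SAML assertion does not carry a NameID");
  }
  final String nameId = credentials.getNameId().getValue();
  // Group membership is enforced on the asserted attributes; a valid assertion for a user
  // outside every configured group is still rejected.
  if (!groupNameFilter.apply(credentials.getAttributes())) {
    LOG.warn("Could not match any groups for the nameid {}", nameId);
    throw new HttpSamlNoGroupsMatchedException("None of the configured groups match for the user");
  }
  return nameId;
}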
use of org.pac4j.saml.credentials.SAML2Credentials in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method buildSAML2Credentials.
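/**
 * Builds the {@link SAML2Credentials} for a response from the subject assertion held by
 * {@code context}.
 *
 * <p>Collected from the assertion: the subject NameID, the issuer entity ID, the session
 * index, the AuthnContextClassRef of every authentication statement that carries one, and
 * all attributes of every attribute statement. Encrypted attributes are decrypted with
 * {@code decrypter}; when no decrypter is configured they are skipped with a warning, and an
 * attribute whose decryption fails is skipped with a warning as well, so the returned
 * attribute list may be a subset of what the IdP sent. Callers that make authorization
 * decisions on attributes should not assume an absent attribute means the IdP withheld it.
 *
 * @param context the SAML message context whose subject assertion is used
 * @return the credentials assembled from the subject assertion
 */
protected final SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context) {
  final NameID nameId = context.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
  final Assertion subjectAssertion = context.getSubjectAssertion();
  final String sessionIndex = getSessionIndex(subjectAssertion);
  final String issuerEntityId = subjectAssertion.getIssuer().getValue();

  // In SAML 2.0 AuthnContextClassRef is optional (an AuthnContext may use a declaration
  // reference instead), so getAuthnContextClassRef() can be null; skip such statements
  // instead of failing the whole response with an NPE.
  final List<String> authnContexts = new ArrayList<>();
  for (final AuthnStatement authnStatement : subjectAssertion.getAuthnStatements()) {
    if (authnStatement.getAuthnContext() != null
        && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
      authnContexts.add(
          authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
    }
  }

  final List<Attribute> attributes = new ArrayList<>();
  for (final AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
    attributes.addAll(attributeStatement.getAttributes());
    if (attributeStatement.getEncryptedAttributes().isEmpty()) {
      continue;
    }
    if (decrypter == null) {
      // Encrypted attributes cannot be read without a keystore; they are dropped, not failed.
      logger.warn("Encrypted attributes returned, but no keystore was provided.");
      continue;
    }
    for (final EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
      try {
        attributes.add(decrypter.decrypt(encryptedAttribute));
      } catch (final DecryptionException e) {
        // Best effort: one undecryptable attribute does not invalidate the others.
        logger.warn("Decryption of attribute failed, continue with the next one", e);
      }
    }
  }
  return new SAML2Credentials(nameId, issuerEntityId, attributes, subjectAssertion.getConditions(),
      sessionIndex, authnContexts);
}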
use of org.pac4j.saml.credentials.SAML2Credentials in project pac4j by pac4j.
the class SAML2Client method clientInit.
/**
 * Initializes the client from {@code configuration}: the SAML configuration itself, the
 * credential provider, decrypter, signature signing parameters, the chained IdP/SP metadata
 * resolver, context provider, signature trust engine, response validator and profile
 * handler, and finally the redirect, credentials-extractor, authenticator and logout
 * defaults of the client.
 *
 * <p>The calls are ordered by dependency: the metadata resolver is passed to the context
 * provider and the trust engine, and the credentials extractor installed here refers to the
 * context provider and profile handler.
 */
@Override
protected void clientInit() {
  CommonHelper.assertNotNull("configuration", this.configuration);
  // The configuration may load properties dynamically, so it is initialized before anything
  // that reads from it.
  this.configuration.init(getName());
  initCredentialProvider();
  initDecrypter();
  initSignatureSigningParametersProvider();
  final MetadataResolver resolver = initChainingMetadataResolver(
      initIdentityProviderMetadataResolver(), initServiceProviderMetadataResolver());
  initSAMLContextProvider(resolver);
  initSignatureTrustEngineProvider(resolver);
  initSAMLResponseValidator();
  initSAMLProfileHandler();
  defaultRedirectActionBuilder(new SAML2RedirectActionBuilder(this));
  // Extraction builds a SAML message context from the web context and hands it to the
  // profile handler, whose result is the credentials for this client.
  defaultCredentialsExtractor(ctx ->
      (SAML2Credentials) this.profileHandler.receive(this.contextProvider.buildContext(ctx)));
  defaultAuthenticator(new SAML2Authenticator());
  defaultLogoutActionBuilder(new SAML2LogoutActionBuilder<>(this));
}