Search in sources :

Example 1 with SAMLInResponseToMismatchException

use of org.pac4j.saml.exceptions.SAMLInResponseToMismatchException in project pac4j by pac4j.

the class SAML2LogoutResponseValidator method validateSamlProtocolResponse.

/**
 * Validates the SAML protocol response:
 *  - IssueInstant
 *  - Issuer
 *  - StatusCode
 *  - Signature
 *
 * @param response the response
 * @param context the context
 * @param engine the engine
 */
protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
        String status = response.getStatus().getStatusCode().getValue();
        if (response.getStatus().getStatusMessage() != null) {
            status += " / " + response.getStatus().getStatusMessage().getMessage();
        }
        throw new SAMLException("Logout response is not success ; actual " + status);
    }
    if (response.getSignature() != null) {
        final String entityId = context.getSAMLPeerEntityContext().getEntityId();
        validateSignature(response.getSignature(), entityId, engine);
        context.getSAMLPeerEntityContext().setAuthenticated(true);
    }
    if (!isIssueInstantValid(response.getIssueInstant())) {
        throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
    }
    final SAMLMessageStorage messageStorage = context.getSAMLMessageStorage();
    if (messageStorage != null && response.getInResponseTo() != null) {
        final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo());
        if (xmlObject == null) {
            throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
        } else if (!(xmlObject instanceof LogoutRequest)) {
            throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected LogoutRequest " + response.getInResponseTo());
        }
    }
    verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());
    if (response.getIssuer() != null) {
        validateIssuer(response.getIssuer(), context);
    }
}
Also used : SAMLInResponseToMismatchException(org.pac4j.saml.exceptions.SAMLInResponseToMismatchException) XMLObject(org.opensaml.core.xml.XMLObject) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) SAMLIssueInstantException(org.pac4j.saml.exceptions.SAMLIssueInstantException) SAMLMessageStorage(org.pac4j.saml.storage.SAMLMessageStorage) SAMLException(org.pac4j.saml.exceptions.SAMLException)

Example 2 with SAMLInResponseToMismatchException

use of org.pac4j.saml.exceptions.SAMLInResponseToMismatchException in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method validateSamlProtocolResponse.

/**
 * Validates the SAML protocol response:
 * - IssueInstant
 * - Issuer
 * - StatusCode
 * - Signature
 *
 * @param response the response
 * @param context  the context
 * @param engine   the engine
 */
protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
        String status = response.getStatus().getStatusCode().getValue();
        if (response.getStatus().getStatusMessage() != null) {
            status += " / " + response.getStatus().getStatusMessage().getMessage();
        }
        throw new SAMLException("Authentication response is not success ; actual " + status);
    }
    if (response.getSignature() != null) {
        final String entityId = context.getSAMLPeerEntityContext().getEntityId();
        validateSignature(response.getSignature(), entityId, engine);
        context.getSAMLPeerEntityContext().setAuthenticated(true);
    }
    if (!isIssueInstantValid(response.getIssueInstant())) {
        throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
    }
    AuthnRequest request = null;
    final SAMLMessageStorage messageStorage = context.getSAMLMessageStorage();
    if (messageStorage != null && response.getInResponseTo() != null) {
        final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo());
        if (xmlObject == null) {
            throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
        } else if (xmlObject instanceof AuthnRequest) {
            request = (AuthnRequest) xmlObject;
        } else {
            throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
        }
    }
    verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());
    if (request != null) {
        verifyRequest(request, context);
    }
    if (response.getIssuer() != null) {
        validateIssuer(response.getIssuer(), context);
    }
}
Also used : SAMLInResponseToMismatchException(org.pac4j.saml.exceptions.SAMLInResponseToMismatchException) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) XMLObject(org.opensaml.core.xml.XMLObject) SAMLIssueInstantException(org.pac4j.saml.exceptions.SAMLIssueInstantException) SAMLMessageStorage(org.pac4j.saml.storage.SAMLMessageStorage) SAMLException(org.pac4j.saml.exceptions.SAMLException)

Aggregations

XMLObject (org.opensaml.core.xml.XMLObject)2 SAMLException (org.pac4j.saml.exceptions.SAMLException)2 SAMLInResponseToMismatchException (org.pac4j.saml.exceptions.SAMLInResponseToMismatchException)2 SAMLIssueInstantException (org.pac4j.saml.exceptions.SAMLIssueInstantException)2 SAMLMessageStorage (org.pac4j.saml.storage.SAMLMessageStorage)2 AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)1 LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)1