Search in sources :

Example 16 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.

the class OpenSamlDecryptionUtils method decryptResponseElements.

static void decryptResponseElements(Response response, RelyingPartyRegistration registration) {
    Decrypter decrypter = decrypter(registration);
    for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
        try {
            Assertion assertion = decrypter.decrypt(encryptedAssertion);
            response.getAssertions().add(assertion);
        } catch (Exception ex) {
            throw new Saml2Exception(ex);
        }
    }
}
Also used : EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) Saml2Exception(org.springframework.security.saml2.Saml2Exception) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Example 17 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.

the class MidpointAssertingPartyMetadataConverter method convert.

public RelyingPartyRegistration.Builder convert(InputStream inputStream, Saml2ProviderAuthenticationModuleType providerConfig) {
    EntityDescriptor descriptor = entityDescriptor(inputStream);
    IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idpssoDescriptor == null) {
        throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
    }
    List<Saml2X509Credential> verification = new ArrayList<>();
    List<Saml2X509Credential> encryption = new ArrayList<>();
    for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
        defineKeys(keyDescriptor, verification, encryption);
    }
    if (verification.isEmpty()) {
        throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
    }
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(descriptor.getEntityID()).assertingPartyDetails((party) -> party.entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption)));
    List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
    for (SigningMethod method : signingMethods) {
        builder.assertingPartyDetails((party) -> party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm())));
    }
    defineSingleSingOnService(idpssoDescriptor, providerConfig.getAuthenticationRequestBinding(), builder);
    defineSingleLogoutService(idpssoDescriptor, builder);
    return builder;
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) X509Certificate(java.security.cert.X509Certificate) UsageType(org.opensaml.security.credential.UsageType) OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService) Unmarshaller(org.opensaml.core.xml.io.Unmarshaller) Saml2Exception(org.springframework.security.saml2.Saml2Exception) ConfigurationService(org.opensaml.core.config.ConfigurationService) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) CertificateException(java.security.cert.CertificateException) StringUtils(org.apache.commons.lang3.StringUtils) XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry) KeyInfoSupport(org.opensaml.xmlsec.keyinfo.KeyInfoSupport) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) ArrayList(java.util.ArrayList) Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding) ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool) List(java.util.List) org.opensaml.saml.saml2.metadata(org.opensaml.saml.saml2.metadata) SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod) Element(org.w3c.dom.Element) Document(org.w3c.dom.Document) XMLObject(org.opensaml.core.xml.XMLObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) Saml2ProviderAuthenticationModuleType(com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2ProviderAuthenticationModuleType) InputStream(java.io.InputStream) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) ArrayList(java.util.ArrayList) Saml2Exception(org.springframework.security.saml2.Saml2Exception) SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)

Example 18 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.

the class SamlModuleWebSecurityConfiguration method getSaml2Credential.

public static Saml2X509Credential getSaml2Credential(ModuleSaml2SimpleKeyType key, boolean isActive) {
    if (key == null) {
        return null;
    }
    PrivateKey pkey;
    try {
        pkey = getPrivateKey(key, protector);
    } catch (IOException | OperatorCreationException | PKCSException | EncryptionException e) {
        throw new Saml2Exception("Unable get key from " + key, e);
    }
    Certificate certificate;
    try {
        certificate = getCertificate(key, protector);
    } catch (Base64Exception | EncryptionException | CertificateException e) {
        throw new Saml2Exception("Unable get certificate from " + key, e);
    }
    List<Saml2X509Credential.Saml2X509CredentialType> types = getTypesForKey(isActive, key.getType());
    return new Saml2X509Credential(pkey, (X509Certificate) certificate, types.toArray(new Saml2X509Credential.Saml2X509CredentialType[0]));
}
Also used : Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) CertificateException(java.security.cert.CertificateException) Saml2Exception(org.springframework.security.saml2.Saml2Exception) PKCSException(org.bouncycastle.pkcs.PKCSException) Base64Exception(org.apache.cxf.common.util.Base64Exception) EncryptionException(com.evolveum.midpoint.prism.crypto.EncryptionException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 19 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.

the class SamlModuleWebSecurityConfiguration method getSaml2Credential.

public static Saml2X509Credential getSaml2Credential(ModuleSaml2KeyStoreKeyType key, boolean isActive) {
    if (key == null) {
        return null;
    }
    PrivateKey pkey;
    try {
        pkey = getPrivateKey(key, protector);
    } catch (KeyStoreException | IOException | EncryptionException | CertificateException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
        throw new Saml2Exception("Unable get key from " + key, e);
    }
    Certificate certificate;
    try {
        certificate = getCertificate(key, protector);
    } catch (EncryptionException | CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
        throw new Saml2Exception("Unable get certificate from " + key, e);
    }
    if (!(certificate instanceof X509Certificate)) {
        throw new Saml2Exception("Alias " + key.getKeyAlias() + " don't return certificate of X509Certificate type.");
    }
    List<Saml2X509Credential.Saml2X509CredentialType> types = getTypesForKey(isActive, key.getType());
    return new Saml2X509Credential(pkey, (X509Certificate) certificate, types.toArray(new Saml2X509Credential.Saml2X509CredentialType[0]));
}
Also used : Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) CertificateException(java.security.cert.CertificateException) Saml2Exception(org.springframework.security.saml2.Saml2Exception) X509Certificate(java.security.cert.X509Certificate) EncryptionException(com.evolveum.midpoint.prism.crypto.EncryptionException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 20 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.

the class MidpointAssertingPartyMetadataConverter method defineSingleSingOnService.

private void defineSingleSingOnService(IDPSSODescriptor idpssoDescriptor, String authenticationRequestBinding, RelyingPartyRegistration.Builder builder) {
    Saml2MessageBinding defaultBinding = Saml2MessageBinding.from(authenticationRequestBinding);
    if (defaultBinding == null && StringUtils.isNotEmpty(authenticationRequestBinding) && !defaultBinding.equals(Saml2MessageBinding.POST) && !defaultBinding.equals(Saml2MessageBinding.REDIRECT)) {
        throw new Saml2Exception("Default request binding '" + defaultBinding.getUrn() + "' isn't supported." + "Supported bindings are 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' and 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'.");
    }
    Saml2MessageBinding authBinding = null;
    for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
        if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn()) && allowBaseOnConsideringDefaultBinding(defaultBinding, Saml2MessageBinding.POST)) {
            authBinding = Saml2MessageBinding.POST;
        } else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn()) && allowBaseOnConsideringDefaultBinding(defaultBinding, Saml2MessageBinding.REDIRECT)) {
            authBinding = Saml2MessageBinding.REDIRECT;
        } else {
            continue;
        }
        Saml2MessageBinding finalAuthBinding = authBinding;
        builder.assertingPartyDetails((party) -> party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(finalAuthBinding));
        break;
    }
    if (authBinding == null) {
        String message = "Supported SingleSignOnService is missing in metadata response, necessary for sending authentication request. ";
        if (defaultBinding != null) {
            message = "Default SingleSignOnService '" + defaultBinding.getUrn() + "' is missing in metadata response, necessary for sending authentication request. ";
        }
        message = message + "Supported bindings are 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' and 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'.";
        throw new Saml2Exception(message);
    }
}
Also used : Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Aggregations

Saml2Exception (org.springframework.security.saml2.Saml2Exception)46 Element (org.w3c.dom.Element)19 Document (org.w3c.dom.Document)13 MarshallingException (org.opensaml.core.xml.io.MarshallingException)12 ByteArrayOutputStream (java.io.ByteArrayOutputStream)10 IOException (java.io.IOException)10 ByteArrayInputStream (java.io.ByteArrayInputStream)9 Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential)9 X509Certificate (java.security.cert.X509Certificate)7 CertificateException (java.security.cert.CertificateException)6 Marshaller (org.opensaml.core.xml.io.Marshaller)6 Deflater (java.util.zip.Deflater)5 DeflaterOutputStream (java.util.zip.DeflaterOutputStream)5 Inflater (java.util.zip.Inflater)5 InflaterOutputStream (java.util.zip.InflaterOutputStream)5 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)4 XMLObject (org.opensaml.core.xml.XMLObject)4 Unmarshaller (org.opensaml.core.xml.io.Unmarshaller)4 SAMLMetadataSignatureSigningParametersResolver (org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)4 SecurityException (org.opensaml.security.SecurityException)4