Use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.
The class OpenSamlDecryptionUtils, method decryptResponseElements.
/**
 * Decrypts every {@code EncryptedAssertion} carried by {@code response} and appends the
 * resulting clear-text {@code Assertion} to the response's assertion list.
 *
 * <p>The decrypter is obtained from {@code registration} (via {@code decrypter}, defined
 * elsewhere in this class). Any failure while decrypting or adding an assertion is rethrown
 * as a {@link Saml2Exception} so callers deal with a single failure type.
 *
 * @param response     the SAML response whose encrypted assertions are to be decrypted
 * @param registration the relying-party registration supplying the decryption credentials
 * @throws Saml2Exception wrapping whatever the decrypter threw
 */
static void decryptResponseElements(Response response, RelyingPartyRegistration registration) {
    Decrypter assertionDecrypter = decrypter(registration);
    for (EncryptedAssertion encrypted : response.getEncryptedAssertions()) {
        try {
            Assertion clearText = assertionDecrypter.decrypt(encrypted);
            // The decrypted assertion joins the plain ones so downstream validation sees them uniformly.
            response.getAssertions().add(clearText);
        }
        catch (Exception cause) {
            throw new Saml2Exception(cause);
        }
    }
}
Use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.
The class MidpointAssertingPartyMetadataConverter, method convert.
/**
 * Turns an asserting-party (IdP) metadata document into a partially populated
 * {@link RelyingPartyRegistration.Builder}.
 *
 * <p>The stream is parsed by {@code entityDescriptor} (defined elsewhere in this class). The
 * IDPSSODescriptor must be present and must carry at least one verification key; otherwise a
 * {@link Saml2Exception} is thrown. Signing algorithms, the single sign-on service and the
 * single logout service are then copied onto the builder by sibling helpers.
 *
 * <p>NOTE(review): nothing in this method checks a signature on the metadata document itself;
 * whether {@code entityDescriptor} does so is not visible here — confirm before trusting
 * metadata fetched from an untrusted channel.
 *
 * @param inputStream    the metadata XML to read
 * @param providerConfig module configuration; only the authentication-request binding is read
 * @return a builder with registration id, asserting-party details and SSO/SLO endpoints set
 * @throws Saml2Exception if the IDPSSODescriptor or its verification certificates are missing
 */
public RelyingPartyRegistration.Builder convert(InputStream inputStream, Saml2ProviderAuthenticationModuleType providerConfig) {
    EntityDescriptor entity = entityDescriptor(inputStream);
    IDPSSODescriptor idp = entity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idp == null) {
        throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
    }
    List<Saml2X509Credential> verificationCredentials = new ArrayList<>();
    List<Saml2X509Credential> encryptionCredentials = new ArrayList<>();
    idp.getKeyDescriptors().forEach(keyDescriptor -> defineKeys(keyDescriptor, verificationCredentials, encryptionCredentials));
    if (verificationCredentials.isEmpty()) {
        throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
    }
    String entityId = entity.getEntityID();
    // Boolean.TRUE.equals(...) treats an absent attribute as "not required".
    boolean wantsSignedRequests = Boolean.TRUE.equals(idp.getWantAuthnRequestsSigned());
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(entityId);
    builder.assertingPartyDetails(party -> {
        party.entityId(entityId);
        party.wantAuthnRequestsSigned(wantsSignedRequests);
        party.verificationX509Credentials(credentials -> credentials.addAll(verificationCredentials));
        party.encryptionX509Credentials(credentials -> credentials.addAll(encryptionCredentials));
    });
    // One builder call per advertised signing method, preserving metadata order.
    for (SigningMethod signingMethod : signingMethods(idp)) {
        builder.assertingPartyDetails(party -> party.signingAlgorithms(algorithms -> algorithms.add(signingMethod.getAlgorithm())));
    }
    defineSingleSingOnService(idp, providerConfig.getAuthenticationRequestBinding(), builder);
    defineSingleLogoutService(idp, builder);
    return builder;
}
Use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.
The class SamlModuleWebSecurityConfiguration, method getSaml2Credential.
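/**
 * Builds a {@link Saml2X509Credential} from a "simple" key configuration (private key and
 * certificate read via {@code getPrivateKey}/{@code getCertificate}, defined elsewhere, using
 * the shared {@code protector}).
 *
 * <p>The loaded certificate is checked to be an {@link X509Certificate} before the cast, so a
 * certificate of another type fails with a {@link Saml2Exception} rather than a
 * {@link ClassCastException}; this matches the key-store overload of this method.
 *
 * <p>NOTE(review): the failure messages embed {@code key}'s {@code toString()}; confirm that
 * representation does not include private key material before it reaches logs.
 *
 * @param key      the key configuration, may be {@code null}
 * @param isActive whether the key is the active one (passed through to {@code getTypesForKey})
 * @return the credential, or {@code null} when {@code key} is {@code null}
 * @throws Saml2Exception if the private key or certificate cannot be loaded, or the
 *                        certificate is not X.509
 */
public static Saml2X509Credential getSaml2Credential(ModuleSaml2SimpleKeyType key, boolean isActive) {
    if (key == null) {
        return null;
    }
    PrivateKey pkey;
    try {
        pkey = getPrivateKey(key, protector);
    } catch (IOException | OperatorCreationException | PKCSException | EncryptionException e) {
        throw new Saml2Exception("Unable get key from " + key, e);
    }
    Certificate certificate;
    try {
        certificate = getCertificate(key, protector);
    } catch (Base64Exception | EncryptionException | CertificateException e) {
        throw new Saml2Exception("Unable get certificate from " + key, e);
    }
    // Guard the cast below: a non-X.509 certificate would otherwise surface as a
    // ClassCastException instead of the Saml2Exception callers already handle.
    if (!(certificate instanceof X509Certificate)) {
        throw new Saml2Exception("Certificate from " + key + " is not of X509Certificate type.");
    }
    List<Saml2X509Credential.Saml2X509CredentialType> types = getTypesForKey(isActive, key.getType());
    return new Saml2X509Credential(pkey, (X509Certificate) certificate, types.toArray(new Saml2X509Credential.Saml2X509CredentialType[0]));
}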
Use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.
The class SamlModuleWebSecurityConfiguration, method getSaml2Credential.
/**
 * Builds a {@link Saml2X509Credential} from a key-store backed key configuration.
 *
 * <p>Private key and certificate are loaded through {@code getPrivateKey}/{@code getCertificate}
 * (defined elsewhere, using the shared {@code protector}). Every loading failure is wrapped in
 * a {@link Saml2Exception}, as is a certificate that is not an {@link X509Certificate}.
 *
 * <p>NOTE(review): the failure messages embed {@code key}'s {@code toString()}; confirm that
 * representation does not include key-store secrets before it reaches logs.
 *
 * @param key      the key-store key configuration, may be {@code null}
 * @param isActive whether the key is the active one (passed through to {@code getTypesForKey})
 * @return the credential, or {@code null} when {@code key} is {@code null}
 * @throws Saml2Exception if the key or certificate cannot be loaded, or the certificate is not X.509
 */
public static Saml2X509Credential getSaml2Credential(ModuleSaml2KeyStoreKeyType key, boolean isActive) {
    if (key == null) {
        return null;
    }
    PrivateKey privateKey;
    try {
        privateKey = getPrivateKey(key, protector);
    } catch (KeyStoreException | IOException | EncryptionException | CertificateException
            | NoSuchAlgorithmException | UnrecoverableKeyException e) {
        throw new Saml2Exception("Unable get key from " + key, e);
    }
    Certificate loaded;
    try {
        loaded = getCertificate(key, protector);
    } catch (EncryptionException | CertificateException | KeyStoreException | IOException
            | NoSuchAlgorithmException e) {
        throw new Saml2Exception("Unable get certificate from " + key, e);
    }
    if (loaded instanceof X509Certificate) {
        X509Certificate x509 = (X509Certificate) loaded;
        Saml2X509Credential.Saml2X509CredentialType[] usages = getTypesForKey(isActive, key.getType())
                .toArray(new Saml2X509Credential.Saml2X509CredentialType[0]);
        return new Saml2X509Credential(privateKey, x509, usages);
    }
    throw new Saml2Exception("Alias " + key.getKeyAlias() + " don't return certificate of X509Certificate type.");
}
Use of org.springframework.security.saml2.Saml2Exception in project midpoint by Evolveum.
The class MidpointAssertingPartyMetadataConverter, method defineSingleSingOnService.
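/**
 * Chooses the IdP SingleSignOnService that authentication requests will be sent to and records
 * its location and binding on {@code builder}.
 *
 * <p>{@code authenticationRequestBinding} is the binding URN configured for this module. When it
 * is set but does not resolve to a known {@link Saml2MessageBinding} (i.e. {@code from} returned
 * {@code null}) a {@link Saml2Exception} naming the configured value is thrown; the original
 * check dereferenced the {@code null} binding and would have failed with a
 * {@link NullPointerException} instead. The first SingleSignOnService whose binding is HTTP-POST
 * or HTTP-Redirect and that {@code allowBaseOnConsideringDefaultBinding} (defined elsewhere)
 * accepts is used; if none qualifies a {@link Saml2Exception} is thrown.
 *
 * @param idpssoDescriptor             the IdP descriptor read from metadata
 * @param authenticationRequestBinding the configured binding URN, may be empty or {@code null}
 * @param builder                      the registration builder to update
 * @throws Saml2Exception if the configured binding is unknown or no usable SSO service exists
 */
private void defineSingleSingOnService(IDPSSODescriptor idpssoDescriptor, String authenticationRequestBinding, RelyingPartyRegistration.Builder builder) {
    String supportedBindings = "Supported bindings are 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' and 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'.";
    Saml2MessageBinding defaultBinding = Saml2MessageBinding.from(authenticationRequestBinding);
    // A configured binding that did not resolve is a configuration error: report the configured
    // URN itself rather than dereferencing the null binding. Saml2MessageBinding only has POST and
    // REDIRECT members, so a non-null result is always one of the supported bindings.
    if (defaultBinding == null && StringUtils.isNotEmpty(authenticationRequestBinding)) {
        throw new Saml2Exception("Default request binding '" + authenticationRequestBinding + "' isn't supported. " + supportedBindings);
    }
    Saml2MessageBinding authBinding = null;
    for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
        // Compare constant-first so a service element without a binding attribute is skipped, not NPE'd on.
        String serviceBinding = singleSignOnService.getBinding();
        if (Saml2MessageBinding.POST.getUrn().equals(serviceBinding)
                && allowBaseOnConsideringDefaultBinding(defaultBinding, Saml2MessageBinding.POST)) {
            authBinding = Saml2MessageBinding.POST;
        } else if (Saml2MessageBinding.REDIRECT.getUrn().equals(serviceBinding)
                && allowBaseOnConsideringDefaultBinding(defaultBinding, Saml2MessageBinding.REDIRECT)) {
            authBinding = Saml2MessageBinding.REDIRECT;
        } else {
            continue;
        }
        Saml2MessageBinding chosenBinding = authBinding;
        String location = singleSignOnService.getLocation();
        builder.assertingPartyDetails(party -> party.singleSignOnServiceLocation(location).singleSignOnServiceBinding(chosenBinding));
        // First acceptable service wins.
        break;
    }
    if (authBinding == null) {
        String message = (defaultBinding != null)
                ? "Default SingleSignOnService '" + defaultBinding.getUrn() + "' is missing in metadata response, necessary for sending authentication request. "
                : "Supported SingleSignOnService is missing in metadata response, necessary for sending authentication request. ";
        throw new Saml2Exception(message + supportedBindings);
    }
}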