Search in sources :

Example 26 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.

the class OpenSamlMetadataResolver method buildKeyDescriptor.

private KeyDescriptor buildKeyDescriptor(UsageType usageType, java.security.cert.X509Certificate certificate) {
    KeyDescriptor keyDescriptor = build(KeyDescriptor.DEFAULT_ELEMENT_NAME);
    KeyInfo keyInfo = build(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Certificate x509Certificate = build(X509Certificate.DEFAULT_ELEMENT_NAME);
    X509Data x509Data = build(X509Data.DEFAULT_ELEMENT_NAME);
    try {
        x509Certificate.setValue(new String(Base64.getEncoder().encode(certificate.getEncoded())));
    } catch (CertificateEncodingException ex) {
        throw new Saml2Exception("Cannot encode certificate " + certificate.toString());
    }
    x509Data.getX509Certificates().add(x509Certificate);
    keyInfo.getX509Datas().add(x509Data);
    keyDescriptor.setUse(usageType);
    keyDescriptor.setKeyInfo(keyInfo);
    return keyDescriptor;
}
Also used : KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) CertificateEncodingException(java.security.cert.CertificateEncodingException) Saml2Exception(org.springframework.security.saml2.Saml2Exception) X509Data(org.opensaml.xmlsec.signature.X509Data) X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)

Example 27 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.

the class OpenSamlMetadataAssertingPartyDetailsConverter method xmlObject.

private XMLObject xmlObject(InputStream inputStream) {
    Document document = document(inputStream);
    Element element = document.getDocumentElement();
    Unmarshaller unmarshaller = this.registry.getUnmarshallerFactory().getUnmarshaller(element);
    if (unmarshaller == null) {
        throw new Saml2Exception("Unsupported element of type " + element.getTagName());
    }
    try {
        return unmarshaller.unmarshall(element);
    } catch (Exception ex) {
        throw new Saml2Exception(ex);
    }
}
Also used : Element(org.w3c.dom.Element) Document(org.w3c.dom.Document) Unmarshaller(org.opensaml.core.xml.io.Unmarshaller) Saml2Exception(org.springframework.security.saml2.Saml2Exception) Saml2Exception(org.springframework.security.saml2.Saml2Exception) CertificateException(java.security.cert.CertificateException)

Example 28 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.

the class OpenSamlMetadataAssertingPartyDetailsConverter method convert.

RelyingPartyRegistration.AssertingPartyDetails.Builder convert(EntityDescriptor descriptor) {
    IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idpssoDescriptor == null) {
        throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
    }
    List<Saml2X509Credential> verification = new ArrayList<>();
    List<Saml2X509Credential> encryption = new ArrayList<>();
    for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
        if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
            List<X509Certificate> certificates = certificates(keyDescriptor);
            for (X509Certificate certificate : certificates) {
                verification.add(Saml2X509Credential.verification(certificate));
            }
        }
        if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
            List<X509Certificate> certificates = certificates(keyDescriptor);
            for (X509Certificate certificate : certificates) {
                encryption.add(Saml2X509Credential.encryption(certificate));
            }
        }
        if (keyDescriptor.getUse().equals(UsageType.UNSPECIFIED)) {
            List<X509Certificate> certificates = certificates(keyDescriptor);
            for (X509Certificate certificate : certificates) {
                verification.add(Saml2X509Credential.verification(certificate));
                encryption.add(Saml2X509Credential.encryption(certificate));
            }
        }
    }
    if (verification.isEmpty()) {
        throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
    }
    RelyingPartyRegistration.AssertingPartyDetails.Builder party = OpenSamlAssertingPartyDetails.withEntityDescriptor(descriptor).entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption));
    List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
    for (SigningMethod method : signingMethods) {
        party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm()));
    }
    if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
        throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
    }
    for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
        Saml2MessageBinding binding;
        if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
            binding = Saml2MessageBinding.POST;
        } else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
            binding = Saml2MessageBinding.REDIRECT;
        } else {
            continue;
        }
        party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(binding);
        break;
    }
    for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
        Saml2MessageBinding binding;
        if (singleLogoutService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
            binding = Saml2MessageBinding.POST;
        } else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
            binding = Saml2MessageBinding.REDIRECT;
        } else {
            continue;
        }
        String responseLocation = (singleLogoutService.getResponseLocation() == null) ? singleLogoutService.getLocation() : singleLogoutService.getResponseLocation();
        party.singleLogoutServiceLocation(singleLogoutService.getLocation()).singleLogoutServiceResponseLocation(responseLocation).singleLogoutServiceBinding(binding);
        break;
    }
    return party;
}
Also used : X509Certificate(java.security.cert.X509Certificate) Arrays(java.util.Arrays) OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry) Extensions(org.opensaml.saml.saml2.metadata.Extensions) ArrayList(java.util.ArrayList) SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod) SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService) Document(org.w3c.dom.Document) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) XMLObject(org.opensaml.core.xml.XMLObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) EntitiesDescriptor(org.opensaml.saml.saml2.metadata.EntitiesDescriptor) UsageType(org.opensaml.security.credential.UsageType) SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService) Collection(java.util.Collection) Unmarshaller(org.opensaml.core.xml.io.Unmarshaller) Saml2Exception(org.springframework.security.saml2.Saml2Exception) ConfigurationService(org.opensaml.core.config.ConfigurationService) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) CertificateException(java.security.cert.CertificateException) KeyInfoSupport(org.opensaml.xmlsec.keyinfo.KeyInfoSupport) ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool) List(java.util.List) Element(org.w3c.dom.Element) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) InputStream(java.io.InputStream) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) ArrayList(java.util.ArrayList) SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService) Saml2Exception(org.springframework.security.saml2.Saml2Exception) X509Certificate(java.security.cert.X509Certificate) SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)

Example 29 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.

the class Saml2Utils method samlDeflate.

static byte[] samlDeflate(String s) {
    try {
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        DeflaterOutputStream deflater = new DeflaterOutputStream(b, new Deflater(Deflater.DEFLATED, true));
        deflater.write(s.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        return b.toByteArray();
    } catch (IOException ex) {
        throw new Saml2Exception("Unable to deflate string", ex);
    }
}
Also used : Deflater(java.util.zip.Deflater) DeflaterOutputStream(java.util.zip.DeflaterOutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) IOException(java.io.IOException) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Example 30 with Saml2Exception

use of org.springframework.security.saml2.Saml2Exception in project spring-security by spring-projects.

the class Saml2Utils method samlInflate.

static String samlInflate(byte[] b) {
    try {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
        iout.write(b);
        iout.finish();
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    } catch (IOException ex) {
        throw new Saml2Exception("Unable to inflate string", ex);
    }
}
Also used : InflaterOutputStream(java.util.zip.InflaterOutputStream) Inflater(java.util.zip.Inflater) ByteArrayOutputStream(java.io.ByteArrayOutputStream) IOException(java.io.IOException) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Aggregations

Saml2Exception (org.springframework.security.saml2.Saml2Exception)46 Element (org.w3c.dom.Element)19 Document (org.w3c.dom.Document)13 MarshallingException (org.opensaml.core.xml.io.MarshallingException)12 ByteArrayOutputStream (java.io.ByteArrayOutputStream)10 IOException (java.io.IOException)10 ByteArrayInputStream (java.io.ByteArrayInputStream)9 Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential)9 X509Certificate (java.security.cert.X509Certificate)7 CertificateException (java.security.cert.CertificateException)6 Marshaller (org.opensaml.core.xml.io.Marshaller)6 Deflater (java.util.zip.Deflater)5 DeflaterOutputStream (java.util.zip.DeflaterOutputStream)5 Inflater (java.util.zip.Inflater)5 InflaterOutputStream (java.util.zip.InflaterOutputStream)5 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)4 XMLObject (org.opensaml.core.xml.XMLObject)4 Unmarshaller (org.opensaml.core.xml.io.Unmarshaller)4 SAMLMetadataSignatureSigningParametersResolver (org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)4 SecurityException (org.opensaml.security.SecurityException)4