Examples with Saml2Error org.springframework.security.saml2.core.Saml2Error used on opensource projects

Example 1 with Saml2Error

use of org.springframework.security.saml2.core.Saml2Error in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method authenticateWhenDelegatingToDefaultAssertionValidatorThenUses.

@Test
public void authenticateWhenDelegatingToDefaultAssertionValidatorThenUses() {
    OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
    // @formatter:off
    provider.setAssertionValidator((assertionToken) -> OpenSamlAuthenticationProvider.createDefaultAssertionValidator((token) -> new ValidationContext()).convert(assertionToken).concat(new Saml2Error("wrong error", "wrong error")));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    OneTimeUse oneTimeUse = build(OneTimeUse.DEFAULT_ELEMENT_NAME);
    assertion.getConditions().getConditions().add(oneTimeUse);
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    // @formatter:off
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token)).isInstanceOf(Saml2AuthenticationException.class).satisfies((error) -> assertThat(error.getSaml2Error().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_ASSERTION));
// @formatter:on
}

Example 2 with Saml2Error

use of org.springframework.security.saml2.core.Saml2Error in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method process.

private void process(Saml2AuthenticationToken token, Response response) {
    String issuer = response.getIssuer().getValue();
    this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
    boolean responseSigned = response.isSigned();
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
    if (responseSigned) {
        this.responseElementsDecrypter.accept(responseToken);
    } else if (!response.getEncryptedAssertions().isEmpty()) {
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, "Did not decrypt response [" + response.getID() + "] since it is not signed"));
    }
    result = result.concat(this.responseValidator.convert(responseToken));
    boolean allAssertionsSigned = true;
    for (Assertion assertion : response.getAssertions()) {
        AssertionToken assertionToken = new AssertionToken(assertion, token);
        result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
        allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
        if (responseSigned || assertion.isSigned()) {
            this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
        }
        result = result.concat(this.assertionValidator.convert(assertionToken));
    }
    if (!responseSigned && !allAssertionsSigned) {
        String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, description));
    }
    Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
    if (firstAssertion != null && !hasName(firstAssertion)) {
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
        result = result.concat(error);
    }
    if (result.hasErrors()) {
        Collection<Saml2Error> errors = result.getErrors();
        if (this.logger.isTraceEnabled()) {
            this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
        }
        Saml2Error first = errors.iterator().next();
        throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
    } else {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
        }
    }
}

Example 3 with Saml2Error

use of org.springframework.security.saml2.core.Saml2Error in project spring-security by spring-projects.

the class Saml2LogoutResponseFilter method doFilterInternal.

/**
 * {@inheritDoc}
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    if (!this.logoutRequestMatcher.matches(request)) {
        chain.doFilter(request, response);
        return;
    }
    if (request.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
        chain.doFilter(request, response);
        return;
    }
    Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
    if (logoutRequest == null) {
        this.logger.trace("Did not process logout response since could not find associated LogoutRequest");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Failed to find associated LogoutRequest");
        return;
    }
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, logoutRequest.getRelyingPartyRegistrationId());
    if (registration == null) {
        this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "Failed to find associated RelyingPartyRegistration");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, error.toString());
        return;
    }
    if (registration.getSingleLogoutServiceResponseLocation() == null) {
        this.logger.trace("Did not process logout response since RelyingPartyRegistration has not been configured with a logout response endpoint");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (!isCorrectBinding(request, registration)) {
        this.logger.trace("Did not process logout request since used incorrect binding");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
    Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).samlResponse(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceResponseLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
    Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(logoutResponse, logoutRequest, registration);
    Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(parameters);
    if (result.hasErrors()) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
        this.logger.debug(LogMessage.format("Failed to validate LogoutResponse: %s", result.getErrors()));
        return;
    }
    this.logoutSuccessHandler.onLogoutSuccess(request, response, null);
}

Example 4 with Saml2Error

use of org.springframework.security.saml2.core.Saml2Error in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenDelegatingToDefaultAssertionValidatorThenUses.

@Test
public void authenticateWhenDelegatingToDefaultAssertionValidatorThenUses() {
    OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
    // @formatter:off
    provider.setAssertionValidator((assertionToken) -> OpenSaml4AuthenticationProvider.createDefaultAssertionValidator((token) -> new ValidationContext()).convert(assertionToken).concat(new Saml2Error("wrong error", "wrong error")));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    OneTimeUse oneTimeUse = build(OneTimeUse.DEFAULT_ELEMENT_NAME);
    assertion.getConditions().getConditions().add(oneTimeUse);
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    // @formatter:off
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token)).isInstanceOf(Saml2AuthenticationException.class).satisfies((error) -> assertThat(error.getSaml2Error().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_ASSERTION));
// @formatter:on
}

Example 5 with Saml2Error

use of org.springframework.security.saml2.core.Saml2Error in project spring-security by spring-projects.

the class Saml2AuthenticationTokenConverter method samlInflate.

private String samlInflate(byte[] b) {
    try {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
        inflaterOutputStream.write(b);
        inflaterOutputStream.finish();
        return out.toString(StandardCharsets.UTF_8.name());
    } catch (Exception ex) {
        throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, "Unable to inflate string"), ex);
    }
}