Search in sources :

Example 1 with Saml2ResponseValidatorResult

use of org.springframework.security.saml2.core.Saml2ResponseValidatorResult in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method authenticateWhenCustomAssertionValidatorThenUses.

@Test
public void authenticateWhenCustomAssertionValidatorThenUses() {
    Converter<OpenSamlAuthenticationProvider.AssertionToken, Saml2ResponseValidatorResult> validator = mock(Converter.class);
    OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
    // @formatter:off
    provider.setAssertionValidator((assertionToken) -> OpenSamlAuthenticationProvider.createDefaultAssertionValidator().convert(assertionToken).concat(validator.convert(assertionToken)));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    given(validator.convert(any(OpenSamlAuthenticationProvider.AssertionToken.class))).willReturn(Saml2ResponseValidatorResult.success());
    provider.authenticate(token);
    verify(validator).convert(any(OpenSamlAuthenticationProvider.AssertionToken.class));
}
Also used : Response(org.opensaml.saml.saml2.core.Response) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) Test(org.junit.jupiter.api.Test)

Example 2 with Saml2ResponseValidatorResult

use of org.springframework.security.saml2.core.Saml2ResponseValidatorResult in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method process.

private void process(Saml2AuthenticationToken token, Response response) {
    String issuer = response.getIssuer().getValue();
    this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
    boolean responseSigned = response.isSigned();
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
    if (responseSigned) {
        this.responseElementsDecrypter.accept(responseToken);
    } else if (!response.getEncryptedAssertions().isEmpty()) {
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, "Did not decrypt response [" + response.getID() + "] since it is not signed"));
    }
    result = result.concat(this.responseValidator.convert(responseToken));
    boolean allAssertionsSigned = true;
    for (Assertion assertion : response.getAssertions()) {
        AssertionToken assertionToken = new AssertionToken(assertion, token);
        result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
        allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
        if (responseSigned || assertion.isSigned()) {
            this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
        }
        result = result.concat(this.assertionValidator.convert(assertionToken));
    }
    if (!responseSigned && !allAssertionsSigned) {
        String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, description));
    }
    Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
    if (firstAssertion != null && !hasName(firstAssertion)) {
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
        result = result.concat(error);
    }
    if (result.hasErrors()) {
        Collection<Saml2Error> errors = result.getErrors();
        if (this.logger.isTraceEnabled()) {
            this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
        }
        Saml2Error first = errors.iterator().next();
        throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
    } else {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
        }
    }
}
Also used : Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) XSString(org.opensaml.core.xml.schema.XSString) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)

Example 3 with Saml2ResponseValidatorResult

use of org.springframework.security.saml2.core.Saml2ResponseValidatorResult in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method createDefaultAssertionSignatureValidator.

private Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionSignatureValidator() {
    return createAssertionValidator(Saml2ErrorCodes.INVALID_SIGNATURE, (assertionToken) -> {
        RelyingPartyRegistration registration = assertionToken.getToken().getRelyingPartyRegistration();
        SignatureTrustEngine engine = OpenSamlVerificationUtils.trustEngine(registration);
        return SAML20AssertionValidators.createSignatureValidator(engine);
    }, (assertionToken) -> new ValidationContext(Collections.singletonMap(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false)));
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext)

Example 4 with Saml2ResponseValidatorResult

use of org.springframework.security.saml2.core.Saml2ResponseValidatorResult in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenCustomResponseValidatorThenUses.

@Test
public void authenticateWhenCustomResponseValidatorThenUses() {
    Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> validator = mock(Converter.class);
    OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
    // @formatter:off
    provider.setResponseValidator((responseToken) -> OpenSaml4AuthenticationProvider.createDefaultResponseValidator().convert(responseToken).concat(validator.convert(responseToken)));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    given(validator.convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class))).willReturn(Saml2ResponseValidatorResult.success());
    provider.authenticate(token);
    verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class));
}
Also used : Response(org.opensaml.saml.saml2.core.Response) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) Test(org.junit.jupiter.api.Test)

Example 5 with Saml2ResponseValidatorResult

use of org.springframework.security.saml2.core.Saml2ResponseValidatorResult in project spring-security by spring-projects.

the class OpenSamlAuthenticationProvider method process.

private void process(Saml2AuthenticationToken token, Response response) {
    String issuer = response.getIssuer().getValue();
    logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
    boolean responseSigned = response.isSigned();
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
    if (responseSigned) {
        this.responseElementsDecrypter.accept(responseToken);
    }
    result = result.concat(this.responseValidator.convert(responseToken));
    boolean allAssertionsSigned = true;
    for (Assertion assertion : response.getAssertions()) {
        AssertionToken assertionToken = new AssertionToken(assertion, token);
        result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
        allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
        if (responseSigned || assertion.isSigned()) {
            this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
        }
        result = result.concat(this.assertionValidator.convert(assertionToken));
    }
    if (!responseSigned && !allAssertionsSigned) {
        String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
        throw createAuthenticationException(Saml2ErrorCodes.INVALID_SIGNATURE, description, null);
    }
    Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
    if (!hasName(firstAssertion)) {
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
        result = result.concat(error);
    }
    if (result.hasErrors()) {
        Collection<Saml2Error> errors = result.getErrors();
        if (logger.isTraceEnabled()) {
            logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
        } else if (logger.isDebugEnabled()) {
            logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
        }
        Saml2Error first = errors.iterator().next();
        throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
        }
    }
}
Also used : Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) XSString(org.opensaml.core.xml.schema.XSString) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)

Aggregations

Assertion (org.opensaml.saml.saml2.core.Assertion)5 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)5 Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)5 Test (org.junit.jupiter.api.Test)3 Response (org.opensaml.saml.saml2.core.Response)3 XSString (org.opensaml.core.xml.schema.XSString)2 ValidationContext (org.opensaml.saml.common.assertion.ValidationContext)2 SignatureTrustEngine (org.opensaml.xmlsec.signature.support.SignatureTrustEngine)2 Saml2Error (org.springframework.security.saml2.core.Saml2Error)2 RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)2 ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken)1