Search in sources :

Example 6 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProvider method authenticate.

/**
 * @param authentication the authentication request object, must be of type
 * {@link Saml2AuthenticationToken}
 * @return {@link Saml2Authentication} if the assertion is valid
 * @throws AuthenticationException if a validation exception occurs
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    try {
        Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
        String serializedResponse = token.getSaml2Response();
        Response response = parse(serializedResponse);
        process(token, response);
        return this.responseAuthenticationConverter.convert(new ResponseToken(response, token));
    } catch (Saml2AuthenticationException ex) {
        throw ex;
    } catch (Exception ex) {
        throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
    }
}
Also used : Response(org.opensaml.saml.saml2.core.Response) XSString(org.opensaml.core.xml.schema.XSString) AuthenticationException(org.springframework.security.core.AuthenticationException) AssertionValidationException(org.opensaml.saml.common.assertion.AssertionValidationException) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Example 7 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProvider method process.

private void process(Saml2AuthenticationToken token, Response response) {
    String issuer = response.getIssuer().getValue();
    logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
    boolean responseSigned = response.isSigned();
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
    if (responseSigned) {
        this.responseElementsDecrypter.accept(responseToken);
    }
    result = result.concat(this.responseValidator.convert(responseToken));
    boolean allAssertionsSigned = true;
    for (Assertion assertion : response.getAssertions()) {
        AssertionToken assertionToken = new AssertionToken(assertion, token);
        result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
        allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
        if (responseSigned || assertion.isSigned()) {
            this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
        }
        result = result.concat(this.assertionValidator.convert(assertionToken));
    }
    if (!responseSigned && !allAssertionsSigned) {
        String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
        throw createAuthenticationException(Saml2ErrorCodes.INVALID_SIGNATURE, description, null);
    }
    Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
    if (!hasName(firstAssertion)) {
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
        result = result.concat(error);
    }
    if (result.hasErrors()) {
        Collection<Saml2Error> errors = result.getErrors();
        if (logger.isTraceEnabled()) {
            logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
        } else if (logger.isDebugEnabled()) {
            logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
        }
        Saml2Error first = errors.iterator().next();
        throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
        }
    }
}
Also used : Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) XSString(org.opensaml.core.xml.schema.XSString) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)

Example 8 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method authenticate.

/**
 * @param authentication the authentication request object, must be of type
 * {@link Saml2AuthenticationToken}
 * @return {@link Saml2Authentication} if the assertion is valid
 * @throws AuthenticationException if a validation exception occurs
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    try {
        Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
        String serializedResponse = token.getSaml2Response();
        Response response = parse(serializedResponse);
        process(token, response);
        AbstractAuthenticationToken authenticationResponse = this.responseAuthenticationConverter.convert(new ResponseToken(response, token));
        if (authenticationResponse != null) {
            authenticationResponse.setDetails(authentication.getDetails());
        }
        return authenticationResponse;
    } catch (Saml2AuthenticationException ex) {
        throw ex;
    } catch (Exception ex) {
        throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
    }
}
Also used : Response(org.opensaml.saml.saml2.core.Response) AbstractAuthenticationToken(org.springframework.security.authentication.AbstractAuthenticationToken) XSString(org.opensaml.core.xml.schema.XSString) AuthenticationException(org.springframework.security.core.AuthenticationException) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Example 9 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method createDefaultResponseAuthenticationConverterWhenResponseThenConverts.

@Test
public void createDefaultResponseAuthenticationConverterWhenResponseThenConverts() {
    Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2Authentication authentication = OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter().convert(responseToken);
    assertThat(authentication.getName()).isEqualTo("test@saml.user");
}
Also used : Response(org.opensaml.saml.saml2.core.Response) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken) Test(org.junit.jupiter.api.Test)

Example 10 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method createDefaultResponseAuthenticationConverterWhenResponseThenConverts.

@Test
public void createDefaultResponseAuthenticationConverterWhenResponseThenConverts() {
    Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2Authentication authentication = OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter().convert(responseToken);
    assertThat(authentication.getName()).isEqualTo("test@saml.user");
}
Also used : Response(org.opensaml.saml.saml2.core.Response) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken) Test(org.junit.jupiter.api.Test)

Aggregations

Response (org.opensaml.saml.saml2.core.Response)7 Test (org.junit.jupiter.api.Test)5 XSString (org.opensaml.core.xml.schema.XSString)4 Assertion (org.opensaml.saml.saml2.core.Assertion)3 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)3 Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)3 ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken)3 AuthenticationException (org.springframework.security.core.AuthenticationException)2 Saml2Exception (org.springframework.security.saml2.Saml2Exception)2 Saml2Error (org.springframework.security.saml2.core.Saml2Error)2 ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken)2 LinkedHashMap (java.util.LinkedHashMap)1 List (java.util.List)1 AssertionValidationException (org.opensaml.saml.common.assertion.AssertionValidationException)1 AbstractAuthenticationToken (org.springframework.security.authentication.AbstractAuthenticationToken)1 DefaultSaml2AuthenticatedPrincipal (org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal)1 Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)1