Example 21 with Saml2AuthenticationToken
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.
the class OpenSamlAuthenticationProvider method authenticate.
/**
* @param authentication the authentication request object, must be of type
* {@link Saml2AuthenticationToken}
* @return {@link Saml2Authentication} if the assertion is valid
* @throws AuthenticationException if a validation exception occurs
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
try {
Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
String serializedResponse = token.getSaml2Response();
Response response = parse(serializedResponse);
process(token, response);
return this.responseAuthenticationConverter.convert(new ResponseToken(response, token));
} catch (Saml2AuthenticationException ex) {
throw ex;
} catch (Exception ex) {
throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
}
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
XSString(org.opensaml.core.xml.schema.XSString)
AuthenticationException(org.springframework.security.core.AuthenticationException)
AssertionValidationException(org.opensaml.saml.common.assertion.AssertionValidationException)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
Example 22 with Saml2AuthenticationToken
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.
the class OpenSamlAuthenticationProvider method process.
private void process(Saml2AuthenticationToken token, Response response) {
String issuer = response.getIssuer().getValue();
logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
boolean responseSigned = response.isSigned();
ResponseToken responseToken = new ResponseToken(response, token);
Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
if (responseSigned) {
this.responseElementsDecrypter.accept(responseToken);
}
result = result.concat(this.responseValidator.convert(responseToken));
boolean allAssertionsSigned = true;
for (Assertion assertion : response.getAssertions()) {
AssertionToken assertionToken = new AssertionToken(assertion, token);
result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
if (responseSigned || assertion.isSigned()) {
this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
}
result = result.concat(this.assertionValidator.convert(assertionToken));
}
if (!responseSigned && !allAssertionsSigned) {
String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
throw createAuthenticationException(Saml2ErrorCodes.INVALID_SIGNATURE, description, null);
}
Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
if (!hasName(firstAssertion)) {
Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
result = result.concat(error);
}
if (result.hasErrors()) {
Collection<Saml2Error> errors = result.getErrors();
if (logger.isTraceEnabled()) {
logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
} else if (logger.isDebugEnabled()) {
logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
}
Saml2Error first = errors.iterator().next();
throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
} else {
if (logger.isDebugEnabled()) {
logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
}
}
}
Also used :
Saml2Error(org.springframework.security.saml2.core.Saml2Error)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
XSString(org.opensaml.core.xml.schema.XSString)
Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)
Example 23 with Saml2AuthenticationToken
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.
the class Saml2WebSsoAuthenticationFilterTests method attemptAuthenticationAddsDetails.
@Test
public void attemptAuthenticationAddsDetails() {
AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
final Saml2AuthenticationToken token = TestSaml2AuthenticationTokens.token();
given(authenticationConverter.convert(this.request)).willReturn(token);
final AuthenticationDetailsSource authenticationDetailsSource = mock(AuthenticationDetailsSource.class);
final WebAuthenticationDetails details = mock(WebAuthenticationDetails.class);
given(authenticationDetailsSource.buildDetails(this.request)).willReturn(details);
this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, "/some/other/path/{registrationId}");
this.filter.setAuthenticationManager((authentication) -> null);
this.filter.setAuthenticationDetailsSource(authenticationDetailsSource);
this.request.setPathInfo("/some/other/path/idp-registration-id");
this.filter.attemptAuthentication(this.request, this.response);
Assertions.assertEquals(details, token.getDetails());
}
Also used :
AuthenticationConverter(org.springframework.security.web.authentication.AuthenticationConverter)
AuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource)
WebAuthenticationDetails(org.springframework.security.web.authentication.WebAuthenticationDetails)
Saml2AuthenticationToken(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken)
Test(org.junit.jupiter.api.Test)
Example 24 with Saml2AuthenticationToken
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.
the class Saml2AuthenticationTokenConverterTests method convertWhenUsingSamlUtilsBase64ThenXmlIsValid.
@Test
public void convertWhenUsingSamlUtilsBase64ThenXmlIsValid() throws Exception {
Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(this.relyingPartyRegistrationResolver);
given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class))).willReturn(this.relyingPartyRegistration);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, getSsoCircleEncodedXml());
Saml2AuthenticationToken token = converter.convert(request);
validateSsoCircleXml(token.getSaml2Response());
}
Also used :
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
Saml2AuthenticationToken(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken)
Test(org.junit.jupiter.api.Test)
Example 25 with Saml2AuthenticationToken
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.
the class Saml2AuthenticationTokenConverterTests method convertWhenSamlResponseThenToken.
@Test
public void convertWhenSamlResponseThenToken() {
Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(this.relyingPartyRegistrationResolver);
given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class))).willReturn(this.relyingPartyRegistration);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
Saml2AuthenticationToken token = converter.convert(request);
assertThat(token.getSaml2Response()).isEqualTo("response");
assertThat(token.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(this.relyingPartyRegistration.getRegistrationId());
}
Also used :
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
Saml2AuthenticationToken(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken)
Test(org.junit.jupiter.api.Test)
Aggregations
Test (org.junit.jupiter.api.Test)24
Response (org.opensaml.saml.saml2.core.Response)19
Assertion (org.opensaml.saml.saml2.core.Assertion)17
Authentication (org.springframework.security.core.Authentication)14
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)13
Saml2AuthenticationToken (org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken)13
RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)13
Instant (java.time.Instant)11
Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)11
IOException (java.io.IOException)10
Collections (java.util.Collections)10
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)10
Assertions.assertThatExceptionOfType (org.assertj.core.api.Assertions.assertThatExceptionOfType)10
ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)10
BDDMockito.given (org.mockito.BDDMockito.given)10
Mockito.mock (org.mockito.Mockito.mock)10
Mockito.verify (org.mockito.Mockito.verify)10
Converter (org.springframework.core.convert.converter.Converter)10
Saml2ErrorCodes (org.springframework.security.saml2.core.Saml2ErrorCodes)10
TestSaml2X509Credentials (org.springframework.security.saml2.core.TestSaml2X509Credentials)10
