Search in sources :

Example 26 with Saml2AuthenticationToken

use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method authenticateWhenDecryptionKeysAreWrongThenThrowAuthenticationException.

@Test
public void authenticateWhenDecryptionKeysAreWrongThenThrowAuthenticationException() {
    Response response = response();
    EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion(), TestSaml2X509Credentials.assertingPartyEncryptingCredential());
    response.getEncryptedAssertions().add(encryptedAssertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), RELYING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, registration().decryptionX509Credentials((c) -> c.add(TestSaml2X509Credentials.assertingPartyPrivateCredential())));
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> this.provider.authenticate(token)).satisfies(errorOf(Saml2ErrorCodes.DECRYPTION_ERROR, "Failed to decrypt EncryptedData"));
}
Also used : Response(org.opensaml.saml.saml2.core.Response) Arrays(java.util.Arrays) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) EncryptedDataBuilder(org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder) EncryptedID(org.opensaml.saml.saml2.core.EncryptedID) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) BDDMockito.given(org.mockito.BDDMockito.given) Map(java.util.Map) SignatureConstants(org.opensaml.xmlsec.signature.support.SignatureConstants) Marshaller(org.opensaml.core.xml.io.Marshaller) XSDateTimeBuilder(org.opensaml.core.xml.schema.impl.XSDateTimeBuilder) Response(org.opensaml.saml.saml2.core.Response) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) EncryptedAssertionBuilder(org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder) Mockito.atLeastOnce(org.mockito.Mockito.atLeastOnce) Instant(java.time.Instant) EncryptedIDBuilder(org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) Test(org.junit.jupiter.api.Test) List(java.util.List) XSDateTime(org.opensaml.core.xml.schema.XSDateTime) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) QName(javax.xml.namespace.QName) Authentication(org.springframework.security.core.Authentication) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Duration(org.joda.time.Duration) HashMap(java.util.HashMap) Conditions(org.opensaml.saml.saml2.core.Conditions) LinkedHashMap(java.util.LinkedHashMap) StatusCode(org.opensaml.saml.saml2.core.StatusCode) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) SAML2AssertionValidationParameters(org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters) Assertion(org.opensaml.saml.saml2.core.Assertion) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) ObjectOutputStream(java.io.ObjectOutputStream) AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) XMLObject(org.opensaml.core.xml.XMLObject) MarshallingException(org.opensaml.core.xml.io.MarshallingException) Converter(org.springframework.core.convert.converter.Converter) Saml2ErrorCodes(org.springframework.security.saml2.core.Saml2ErrorCodes) DateTime(org.joda.time.DateTime) Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) Saml2Exception(org.springframework.security.saml2.Saml2Exception) IOException(java.io.IOException) TestSaml2X509Credentials(org.springframework.security.saml2.core.TestSaml2X509Credentials) XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) Mockito.verify(org.mockito.Mockito.verify) Consumer(java.util.function.Consumer) Element(org.w3c.dom.Element) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken) Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException) Collections(java.util.Collections) TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations) NameID(org.opensaml.saml.saml2.core.NameID) StringUtils(org.springframework.util.StringUtils) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Test(org.junit.jupiter.api.Test)

Example 27 with Saml2AuthenticationToken

use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method authenticate.

/**
 * @param authentication the authentication request object, must be of type
 * {@link Saml2AuthenticationToken}
 * @return {@link Saml2Authentication} if the assertion is valid
 * @throws AuthenticationException if a validation exception occurs
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    try {
        Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
        String serializedResponse = token.getSaml2Response();
        Response response = parse(serializedResponse);
        process(token, response);
        AbstractAuthenticationToken authenticationResponse = this.responseAuthenticationConverter.convert(new ResponseToken(response, token));
        if (authenticationResponse != null) {
            authenticationResponse.setDetails(authentication.getDetails());
        }
        return authenticationResponse;
    } catch (Saml2AuthenticationException ex) {
        throw ex;
    } catch (Exception ex) {
        throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
    }
}
Also used : Response(org.opensaml.saml.saml2.core.Response) AbstractAuthenticationToken(org.springframework.security.authentication.AbstractAuthenticationToken) XSString(org.opensaml.core.xml.schema.XSString) AuthenticationException(org.springframework.security.core.AuthenticationException) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Example 28 with Saml2AuthenticationToken

use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method authenticateWhenValidationContextCustomizedThenUsers.

@Test
public void authenticateWhenValidationContextCustomizedThenUsers() {
    Map<String, Object> parameters = new HashMap<>();
    parameters.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton("blah"));
    ValidationContext context = mock(ValidationContext.class);
    given(context.getStaticParameters()).willReturn(parameters);
    OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
    provider.setAssertionValidator(OpenSamlAuthenticationProvider.createDefaultAssertionValidator((assertionToken) -> context));
    Response response = response();
    Assertion assertion = assertion();
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    // @formatter:off
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token)).isInstanceOf(Saml2AuthenticationException.class).satisfies((error) -> assertThat(error).hasMessageContaining("Invalid assertion"));
    // @formatter:on
    verify(context, atLeastOnce()).getStaticParameters();
}
Also used : Arrays(java.util.Arrays) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) EncryptedDataBuilder(org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder) EncryptedID(org.opensaml.saml.saml2.core.EncryptedID) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) BDDMockito.given(org.mockito.BDDMockito.given) Map(java.util.Map) SignatureConstants(org.opensaml.xmlsec.signature.support.SignatureConstants) Marshaller(org.opensaml.core.xml.io.Marshaller) XSDateTimeBuilder(org.opensaml.core.xml.schema.impl.XSDateTimeBuilder) Response(org.opensaml.saml.saml2.core.Response) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) EncryptedAssertionBuilder(org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder) Mockito.atLeastOnce(org.mockito.Mockito.atLeastOnce) Instant(java.time.Instant) EncryptedIDBuilder(org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) Test(org.junit.jupiter.api.Test) List(java.util.List) XSDateTime(org.opensaml.core.xml.schema.XSDateTime) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) QName(javax.xml.namespace.QName) Authentication(org.springframework.security.core.Authentication) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Duration(org.joda.time.Duration) HashMap(java.util.HashMap) Conditions(org.opensaml.saml.saml2.core.Conditions) LinkedHashMap(java.util.LinkedHashMap) StatusCode(org.opensaml.saml.saml2.core.StatusCode) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) SAML2AssertionValidationParameters(org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters) Assertion(org.opensaml.saml.saml2.core.Assertion) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) ObjectOutputStream(java.io.ObjectOutputStream) AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) XMLObject(org.opensaml.core.xml.XMLObject) MarshallingException(org.opensaml.core.xml.io.MarshallingException) Converter(org.springframework.core.convert.converter.Converter) Saml2ErrorCodes(org.springframework.security.saml2.core.Saml2ErrorCodes) DateTime(org.joda.time.DateTime) Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) Saml2Exception(org.springframework.security.saml2.Saml2Exception) IOException(java.io.IOException) TestSaml2X509Credentials(org.springframework.security.saml2.core.TestSaml2X509Credentials) XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) Mockito.verify(org.mockito.Mockito.verify) Consumer(java.util.function.Consumer) Element(org.w3c.dom.Element) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken) Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException) Collections(java.util.Collections) TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations) NameID(org.opensaml.saml.saml2.core.NameID) StringUtils(org.springframework.util.StringUtils) Response(org.opensaml.saml.saml2.core.Response) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) XMLObject(org.opensaml.core.xml.XMLObject) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) Test(org.junit.jupiter.api.Test)

Example 29 with Saml2AuthenticationToken

use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method createDefaultResponseAuthenticationConverterWhenResponseThenConverts.

@Test
public void createDefaultResponseAuthenticationConverterWhenResponseThenConverts() {
    Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2Authentication authentication = OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter().convert(responseToken);
    assertThat(authentication.getName()).isEqualTo("test@saml.user");
}
Also used : Response(org.opensaml.saml.saml2.core.Response) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken) Test(org.junit.jupiter.api.Test)

Example 30 with Saml2AuthenticationToken

use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenDecryptionKeysAreWrongThenThrowAuthenticationException.

@Test
public void authenticateWhenDecryptionKeysAreWrongThenThrowAuthenticationException() {
    Response response = response();
    EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion(), TestSaml2X509Credentials.assertingPartyEncryptingCredential());
    response.getEncryptedAssertions().add(encryptedAssertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), RELYING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, registration().decryptionX509Credentials((c) -> c.add(TestSaml2X509Credentials.assertingPartyPrivateCredential())));
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> this.provider.authenticate(token)).satisfies(errorOf(Saml2ErrorCodes.DECRYPTION_ERROR, "Failed to decrypt EncryptedData"));
}
Also used : Response(org.opensaml.saml.saml2.core.Response) Arrays(java.util.Arrays) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) EncryptedDataBuilder(org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken) EncryptedID(org.opensaml.saml.saml2.core.EncryptedID) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) BDDMockito.given(org.mockito.BDDMockito.given) Duration(java.time.Duration) Map(java.util.Map) SignatureConstants(org.opensaml.xmlsec.signature.support.SignatureConstants) Marshaller(org.opensaml.core.xml.io.Marshaller) XSDateTimeBuilder(org.opensaml.core.xml.schema.impl.XSDateTimeBuilder) Response(org.opensaml.saml.saml2.core.Response) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) EncryptedAssertionBuilder(org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder) Mockito.atLeastOnce(org.mockito.Mockito.atLeastOnce) Instant(java.time.Instant) EncryptedIDBuilder(org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) Test(org.junit.jupiter.api.Test) List(java.util.List) XSDateTime(org.opensaml.core.xml.schema.XSDateTime) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) QName(javax.xml.namespace.QName) Authentication(org.springframework.security.core.Authentication) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) ByteArrayOutputStream(java.io.ByteArrayOutputStream) HashMap(java.util.HashMap) Conditions(org.opensaml.saml.saml2.core.Conditions) LinkedHashMap(java.util.LinkedHashMap) StatusCode(org.opensaml.saml.saml2.core.StatusCode) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) SAML2AssertionValidationParameters(org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters) Assertion(org.opensaml.saml.saml2.core.Assertion) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) ObjectOutputStream(java.io.ObjectOutputStream) AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) XMLObject(org.opensaml.core.xml.XMLObject) MarshallingException(org.opensaml.core.xml.io.MarshallingException) Converter(org.springframework.core.convert.converter.Converter) Saml2ErrorCodes(org.springframework.security.saml2.core.Saml2ErrorCodes) CustomOpenSamlObject(org.springframework.security.saml2.provider.service.authentication.TestCustomOpenSamlObjects.CustomOpenSamlObject) Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) Saml2Exception(org.springframework.security.saml2.Saml2Exception) IOException(java.io.IOException) TestSaml2X509Credentials(org.springframework.security.saml2.core.TestSaml2X509Credentials) XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) Mockito.verify(org.mockito.Mockito.verify) Consumer(java.util.function.Consumer) Element(org.w3c.dom.Element) Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException) Collections(java.util.Collections) TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations) NameID(org.opensaml.saml.saml2.core.NameID) StringUtils(org.springframework.util.StringUtils) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Test(org.junit.jupiter.api.Test)

Aggregations

Test (org.junit.jupiter.api.Test)24 Response (org.opensaml.saml.saml2.core.Response)19 Assertion (org.opensaml.saml.saml2.core.Assertion)17 Authentication (org.springframework.security.core.Authentication)14 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)13 Saml2AuthenticationToken (org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken)13 RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)13 Instant (java.time.Instant)11 Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)11 IOException (java.io.IOException)10 Collections (java.util.Collections)10 Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)10 Assertions.assertThatExceptionOfType (org.assertj.core.api.Assertions.assertThatExceptionOfType)10 ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)10 BDDMockito.given (org.mockito.BDDMockito.given)10 Mockito.mock (org.mockito.Mockito.mock)10 Mockito.verify (org.mockito.Mockito.verify)10 Converter (org.springframework.core.convert.converter.Converter)10 Saml2ErrorCodes (org.springframework.security.saml2.core.Saml2ErrorCodes)10 TestSaml2X509Credentials (org.springframework.security.saml2.core.TestSaml2X509Credentials)10