Search in sources :

Example 1 with QueryParametersPartial

use of org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial in project spring-security by spring-projects.

the class OpenSamlLogoutResponseResolver method resolve.

Saml2LogoutResponse resolve(HttpServletRequest request, Authentication authentication, BiConsumer<RelyingPartyRegistration, LogoutResponse> logoutResponseConsumer) {
    String registrationId = getRegistrationId(authentication);
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
    if (registration == null) {
        return null;
    }
    if (registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation() == null) {
        return null;
    }
    String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
    byte[] b = Saml2Utils.samlDecode(serialized);
    LogoutRequest logoutRequest = parse(inflateIfRequired(registration, b));
    LogoutResponse logoutResponse = this.logoutResponseBuilder.buildObject();
    logoutResponse.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
    Issuer issuer = this.issuerBuilder.buildObject();
    issuer.setValue(registration.getEntityId());
    logoutResponse.setIssuer(issuer);
    StatusCode code = this.statusCodeBuilder.buildObject();
    code.setValue(StatusCode.SUCCESS);
    Status status = this.statusBuilder.buildObject();
    status.setStatusCode(code);
    logoutResponse.setStatus(status);
    logoutResponse.setInResponseTo(logoutRequest.getID());
    if (logoutResponse.getID() == null) {
        logoutResponse.setID("LR" + UUID.randomUUID());
    }
    logoutResponseConsumer.accept(registration, logoutResponse);
    Saml2LogoutResponse.Builder result = Saml2LogoutResponse.withRelyingPartyRegistration(registration);
    if (registration.getAssertingPartyDetails().getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) {
        String xml = serialize(OpenSamlSigningUtils.sign(logoutResponse, registration));
        String samlResponse = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
        result.samlResponse(samlResponse);
        if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
            result.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE));
        }
        return result.build();
    } else {
        String xml = serialize(logoutResponse);
        String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
        result.samlResponse(deflatedAndEncoded);
        QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_RESPONSE, deflatedAndEncoded);
        if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
            partial.param(Saml2ParameterNames.RELAY_STATE, request.getParameter(Saml2ParameterNames.RELAY_STATE));
        }
        return result.parameters((params) -> params.putAll(partial.parameters())).build();
    }
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Status(org.opensaml.saml.saml2.core.Status) QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial) LogoutResponseBuilder(org.opensaml.saml.saml2.core.impl.LogoutResponseBuilder) HttpServletRequest(jakarta.servlet.http.HttpServletRequest) OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse) XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) Status(org.opensaml.saml.saml2.core.Status) StatusCode(org.opensaml.saml.saml2.core.StatusCode) ByteArrayInputStream(java.io.ByteArrayInputStream) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) Document(org.w3c.dom.Document) BiConsumer(java.util.function.BiConsumer) StatusCodeBuilder(org.opensaml.saml.saml2.core.impl.StatusCodeBuilder) MarshallingException(org.opensaml.core.xml.io.MarshallingException) QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial) RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver) Saml2Exception(org.springframework.security.saml2.Saml2Exception) ConfigurationService(org.opensaml.core.config.ConfigurationService) UUID(java.util.UUID) StandardCharsets(java.nio.charset.StandardCharsets) XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport) StatusBuilder(org.opensaml.saml.saml2.core.impl.StatusBuilder) IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder) ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool) LogoutResponseMarshaller(org.opensaml.saml.saml2.core.impl.LogoutResponseMarshaller) Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames) Element(org.w3c.dom.Element) Issuer(org.opensaml.saml.saml2.core.Issuer) Log(org.apache.commons.logging.Log) LogFactory(org.apache.commons.logging.LogFactory) Authentication(org.springframework.security.core.Authentication) Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal) LogoutRequestUnmarshaller(org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller) Assert(org.springframework.util.Assert) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse) Issuer(org.opensaml.saml.saml2.core.Issuer) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse) StatusCode(org.opensaml.saml.saml2.core.StatusCode)

Example 2 with QueryParametersPartial

use of org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial in project spring-security by spring-projects.

the class OpenSamlLogoutRequestResolver method resolve.

Saml2LogoutRequest resolve(HttpServletRequest request, Authentication authentication, BiConsumer<RelyingPartyRegistration, LogoutRequest> logoutRequestConsumer) {
    String registrationId = getRegistrationId(authentication);
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
    if (registration == null) {
        return null;
    }
    if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
        return null;
    }
    LogoutRequest logoutRequest = this.logoutRequestBuilder.buildObject();
    logoutRequest.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
    Issuer issuer = this.issuerBuilder.buildObject();
    issuer.setValue(registration.getEntityId());
    logoutRequest.setIssuer(issuer);
    NameID nameId = this.nameIdBuilder.buildObject();
    nameId.setValue(authentication.getName());
    logoutRequest.setNameID(nameId);
    if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal) {
        Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
        for (String index : principal.getSessionIndexes()) {
            SessionIndex sessionIndex = this.sessionIndexBuilder.buildObject();
            sessionIndex.setSessionIndex(index);
            logoutRequest.getSessionIndexes().add(sessionIndex);
        }
    }
    logoutRequestConsumer.accept(registration, logoutRequest);
    if (logoutRequest.getID() == null) {
        logoutRequest.setID("LR" + UUID.randomUUID());
    }
    String relayState = UUID.randomUUID().toString();
    Saml2LogoutRequest.Builder result = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id(logoutRequest.getID());
    if (registration.getAssertingPartyDetails().getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) {
        String xml = serialize(OpenSamlSigningUtils.sign(logoutRequest, registration));
        String samlRequest = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
        return result.samlRequest(samlRequest).relayState(relayState).build();
    } else {
        String xml = serialize(logoutRequest);
        String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
        result.samlRequest(deflatedAndEncoded);
        QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded).param(Saml2ParameterNames.RELAY_STATE, relayState);
        return result.parameters((params) -> params.putAll(partial.parameters())).build();
    }
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial) HttpServletRequest(jakarta.servlet.http.HttpServletRequest) OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService) LogoutRequestMarshaller(org.opensaml.saml.saml2.core.impl.LogoutRequestMarshaller) XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) BiConsumer(java.util.function.BiConsumer) MarshallingException(org.opensaml.core.xml.io.MarshallingException) QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial) RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver) SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder) Saml2Exception(org.springframework.security.saml2.Saml2Exception) ConfigurationService(org.opensaml.core.config.ConfigurationService) UUID(java.util.UUID) LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder) StandardCharsets(java.nio.charset.StandardCharsets) IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) SessionIndex(org.opensaml.saml.saml2.core.SessionIndex) Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames) Element(org.w3c.dom.Element) Issuer(org.opensaml.saml.saml2.core.Issuer) Log(org.apache.commons.logging.Log) LogFactory(org.apache.commons.logging.LogFactory) Authentication(org.springframework.security.core.Authentication) Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) NameID(org.opensaml.saml.saml2.core.NameID) Assert(org.springframework.util.Assert) Issuer(org.opensaml.saml.saml2.core.Issuer) NameID(org.opensaml.saml.saml2.core.NameID) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) SessionIndex(org.opensaml.saml.saml2.core.SessionIndex) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)

Example 3 with QueryParametersPartial

use of org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial in project spring-security by spring-projects.

the class OpenSaml4AuthenticationRequestFactory method createRedirectAuthenticationRequest.

/**
 * {@inheritDoc}
 */
@Override
public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext context) {
    AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(context);
    RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
    String xml = OpenSamlSigningUtils.serialize(authnRequest);
    Saml2RedirectAuthenticationRequest.Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context);
    String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
    result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
    if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
        QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
        if (StringUtils.hasText(context.getRelayState())) {
            partial.param(Saml2ParameterNames.RELAY_STATE, context.getRelayState());
        }
        Map<String, String> parameters = partial.parameters();
        return result.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG)).signature(parameters.get(Saml2ParameterNames.SIGNATURE)).build();
    }
    return result.build();
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) QueryParametersPartial(org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)

Example 4 with QueryParametersPartial

use of org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial in project spring-security by spring-projects.

the class OpenSamlAuthenticationRequestFactory method createRedirectAuthenticationRequest.

@Override
public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext context) {
    AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(context);
    RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
    String xml = OpenSamlSigningUtils.serialize(authnRequest);
    Saml2RedirectAuthenticationRequest.Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context);
    String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
    result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
    if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
        QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
        if (StringUtils.hasText(context.getRelayState())) {
            partial.param(Saml2ParameterNames.RELAY_STATE, context.getRelayState());
        }
        Map<String, String> parameters = partial.parameters();
        return result.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG)).signature(parameters.get(Saml2ParameterNames.SIGNATURE)).build();
    }
    return result.build();
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) QueryParametersPartial(org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)

Aggregations

RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)4 HttpServletRequest (jakarta.servlet.http.HttpServletRequest)2 StandardCharsets (java.nio.charset.StandardCharsets)2 UUID (java.util.UUID)2 BiConsumer (java.util.function.BiConsumer)2 SerializeSupport (net.shibboleth.utilities.java.support.xml.SerializeSupport)2 Log (org.apache.commons.logging.Log)2 LogFactory (org.apache.commons.logging.LogFactory)2 ConfigurationService (org.opensaml.core.config.ConfigurationService)2 XMLObjectProviderRegistry (org.opensaml.core.xml.config.XMLObjectProviderRegistry)2 MarshallingException (org.opensaml.core.xml.io.MarshallingException)2 AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)2 Issuer (org.opensaml.saml.saml2.core.Issuer)2 LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)2 IssuerBuilder (org.opensaml.saml.saml2.core.impl.IssuerBuilder)2 Authentication (org.springframework.security.core.Authentication)2 Saml2Exception (org.springframework.security.saml2.Saml2Exception)2 OpenSamlInitializationService (org.springframework.security.saml2.core.OpenSamlInitializationService)2 Saml2ParameterNames (org.springframework.security.saml2.core.Saml2ParameterNames)2 QueryParametersPartial (org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial)2