Java Code Examples for org.apache.wss4j.common.saml.OpenSAMLUtil#isMethodHolderOfKey()

The following examples show how to use org.apache.wss4j.common.saml.OpenSAMLUtil#isMethodHolderOfKey(). Follow the link above each example to reach the original project or source file; related API usage is listed on the sidebar.
Example 1
Source File: SAMLUtil.java — from cxf-fediz, Apache License 2.0
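/**
 * Check the holder-of-key requirements against the received assertion. The subject
 * credential of the SAML Assertion must match a client certificate credential when
 * 2-way TLS is used.
 * <p>
 * Only confirmation methods recognised by {@link OpenSAMLUtil#isMethodHolderOfKey(String)}
 * are checked. An assertion that carries no holder-of-key confirmation method (or no
 * confirmation methods at all) passes this check; bearer and sender-vouches requirements
 * are not enforced here.
 *
 * @param assertionWrapper the SAML Assertion wrapper object
 * @param tlsCerts The client certificates presented on the TLS connection; may be null
 * @return {@code true} if every holder-of-key confirmation method is backed by a matching
 *         client certificate (or there is none to check); {@code false} if a holder-of-key
 *         method is present but no client certificate was presented or the subject
 *         credential does not match
 */
public static boolean checkHolderOfKey(
    SamlAssertionWrapper assertionWrapper,
    Certificate[] tlsCerts
) {
    List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
    if (confirmationMethods == null) {
        // No subject confirmation present: there is no holder-of-key requirement to enforce.
        return true;
    }
    for (String confirmationMethod : confirmationMethods) {
        if (!OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
            continue;
        }
        // Holder-of-key cannot be proven without a client certificate: fail closed.
        if (tlsCerts == null || tlsCerts.length == 0) {
            return false;
        }
        SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
        if (!compareCredentials(subjectKeyInfo, tlsCerts)) {
            return false;
        }
    }
    return true;
}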
 
Example 2
Source File: CustomSamlValidator.java — from cxf, Apache License 2.0
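/**
 * Validate the received credential via the superclass and then apply this validator's
 * custom checks: the issuer must be {@code www.example.com}, the assertion version must
 * match {@code requireSAML1Assertion}, and the first subject confirmation method must be
 * sender-vouches when {@code requireSenderVouches} is set, bearer when {@code requireBearer}
 * is set, and holder-of-key otherwise.
 *
 * @param credential the credential holding the SAML assertion to validate
 * @param data the request data, passed through to the superclass validation
 * @return the credential returned by the superclass validation
 * @throws WSSecurityException if the superclass validation fails, the assertion has no
 *         subject confirmation method, or any custom check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential returnedCredential = super.validate(credential, data);

    //
    // Do some custom validation on the assertion
    //
    SamlAssertionWrapper assertion = credential.getSamlAssertion();
    if (!"www.example.com".equals(assertion.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    if (requireSAML1Assertion && assertion.getSaml1() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireSAML1Assertion && assertion.getSaml2() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // An assertion without any subject confirmation method is a validation failure; reject it
    // explicitly instead of letting get(0) surface an IndexOutOfBounds/NullPointerException.
    java.util.List<String> confirmationMethods = assertion.getConfirmationMethods();
    if (confirmationMethods == null || confirmationMethods.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // Only the first confirmation method is checked.
    String confirmationMethod = confirmationMethods.get(0);
    if (confirmationMethod == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (requireBearer && !(SAML2Constants.CONF_BEARER.equals(confirmationMethod)
        || SAML1Constants.CONF_BEARER.equals(confirmationMethod))) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireBearer && !requireSenderVouches
        && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    return returnedCredential;
}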
 
Example 3
Source File: AbstractSamlInHandler.java — from cxf, Apache License 2.0
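/**
 * Check the holder-of-key requirements of the received assertion: for every confirmation
 * method recognised by {@link OpenSAMLUtil#isMethodHolderOfKey(String)}, the assertion's
 * subject key info must match the credentials of the message via
 * {@code compareCredentials}. Assertions with no holder-of-key confirmation method (or no
 * confirmation methods at all) pass this check.
 *
 * @param message the current message, passed through to {@code compareCredentials}
 * @param assertionWrapper the SAML Assertion wrapper object
 * @param tlsCerts the client certificates, passed through to {@code compareCredentials}
 * @return {@code true} if there is no holder-of-key method or every such method matches
 *         the message credentials; {@code false} on the first mismatch
 */
protected boolean checkHolderOfKey(Message message,
                                SamlAssertionWrapper assertionWrapper,
                                Certificate[] tlsCerts) {
    List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
    if (confirmationMethods == null) {
        // No subject confirmation present: there is no holder-of-key requirement to enforce.
        return true;
    }
    for (String confirmationMethod : confirmationMethods) {
        if (!OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
            continue;
        }
        SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
        if (!compareCredentials(subjectKeyInfo, message, tlsCerts)) {
            return false;
        }
    }
    return true;
}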
 
Example 4
Source File: CustomStaxSamlValidator.java — from cxf, Apache License 2.0
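/**
 * Validate the received SAML token via the superclass and then apply this validator's
 * custom checks: the issuer must be {@code www.example.com}, the assertion version must
 * match {@code requireSAML1Assertion}, and the first subject confirmation method must be
 * sender-vouches when {@code requireSenderVouches} is set and holder-of-key otherwise.
 *
 * @param samlAssertionWrapper the SAML assertion being validated
 * @param subjectSecurityToken passed through to the superclass validation
 * @param tokenContext passed through to the superclass validation
 * @return the token produced by the superclass validation
 * @throws WSSecurityException if the superclass validation fails, the assertion has no
 *         subject confirmation method, or any custom check fails
 */
@SuppressWarnings("unchecked")
@Override
public <T extends SamlSecurityToken & InboundSecurityToken> T validate(
    final SamlAssertionWrapper samlAssertionWrapper,
    final InboundSecurityToken subjectSecurityToken,
    final TokenContext tokenContext
) throws WSSecurityException {
    //jdk 1.6 compiler bug? http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6302954
    //type parameters of <T>T cannot be determined; no unique maximal instance exists for type variable T with
    // upper bounds org.apache.wss4j.stax.securityToken.SamlSecurityToken,
    // org.apache.wss4j.stax.securityToken.SamlSecurityToken,
    // org.apache.xml.security.stax.ext.securityToken.InboundSecurityToken
    //works fine on jdk 1.7
    final SamlSecurityToken token =
        super.</*fake @see above*/SamlSecurityTokenImpl>
                    validate(samlAssertionWrapper, subjectSecurityToken, tokenContext);

    //
    // Do some custom validation on the assertion
    //
    if (!"www.example.com".equals(samlAssertionWrapper.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    if (requireSAML1Assertion && samlAssertionWrapper.getSaml1() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireSAML1Assertion && samlAssertionWrapper.getSaml2() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // An assertion without any subject confirmation method is a validation failure; reject it
    // explicitly instead of letting get(0) surface an IndexOutOfBounds/NullPointerException.
    java.util.List<String> confirmationMethods = samlAssertionWrapper.getConfirmationMethods();
    if (confirmationMethods == null || confirmationMethods.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // Only the first confirmation method is checked.
    String confirmationMethod = confirmationMethods.get(0);
    if (confirmationMethod == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireSenderVouches
        && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    return (T)token;
}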
 
Example 5
Source File: SamlSSOAssertionValidator.java — from cxf, Apache License 2.0
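/**
 * Check the Subject Confirmation method requirements.
 * <p>
 * Every holder-of-key method requires a Subject KeyInfo and a signed assertion. A bearer
 * method requires a signature (on the assertion or the response) when
 * {@code isRequireBearerSignature()} is set. After the scan, the configured required method
 * must have been seen, and, when {@code isRequireStandardSubjectConfirmationMethod()} is set,
 * at least one of holder-of-key, bearer or sender-vouches must have been seen.
 *
 * @param samlAssertion the SAML assertion whose confirmation methods are verified
 * @throws WSSecurityException if a required or standard confirmation method is missing, a
 *         holder-of-key assertion has no Subject KeyInfo ({@code noKeyInSAMLToken}) or is
 *         unsigned, or a bearer assertion lacks a required signature
 */
protected void verifySubjectConfirmationMethod(
    SamlAssertionWrapper samlAssertion
) throws WSSecurityException {

    List<String> methods = samlAssertion.getConfirmationMethods();
    if (methods == null || methods.isEmpty()) {
        if (super.getRequiredSubjectConfirmationMethod() != null) {
            LOG.warning("A required subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                      "invalidSAMLsecurity");
        } else if (super.isRequireStandardSubjectConfirmationMethod()) {
            LOG.warning("A standard subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                      "invalidSAMLsecurity");
        }
        // Nothing is required and nothing is present: there is nothing left to verify.
        // Returning here also keeps a null method list from reaching the loop below.
        return;
    }

    boolean signed = samlAssertion.isSigned();
    boolean requiredMethodFound = false;
    boolean standardMethodFound = false;
    for (String method : methods) {
        if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
            if (samlAssertion.getSubjectKeyInfo() == null) {
                LOG.warning("There is no Subject KeyInfo to match the holder-of-key subject conf method");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
            }

            // The assertion must have been signed for HOK
            if (!signed) {
                LOG.warning("A holder-of-key assertion must be signed");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            standardMethodFound = true;
        }

        if (method != null) {
            if (method.equals(super.getRequiredSubjectConfirmationMethod())) {
                requiredMethodFound = true;
            }
            if (SAML2Constants.CONF_BEARER.equals(method)
                || SAML1Constants.CONF_BEARER.equals(method)) {
                standardMethodFound = true;
                // A signature on the enclosing response is accepted in place of one on the assertion.
                if (super.isRequireBearerSignature() && !signed && !signedResponse) {
                    LOG.warning("A Bearer Assertion was not signed");
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                                  "invalidSAMLsecurity");
                }
            } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
                || SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
                standardMethodFound = true;
            }
        }
    }

    if (!requiredMethodFound && super.getRequiredSubjectConfirmationMethod() != null) {
        LOG.warning("A required subject confirmation method was not present");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                      "invalidSAMLsecurity");
    }

    if (!standardMethodFound && super.isRequireStandardSubjectConfirmationMethod()) {
        LOG.warning("A standard subject confirmation method was not present");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                  "invalidSAMLsecurity");
    }
}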