Java Code Examples for org.apache.wss4j.common.saml.SamlAssertionWrapper#isSigned()
The following examples show how to use
org.apache.wss4j.common.saml.SamlAssertionWrapper#isSigned() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: SecurityContextProviderImpl.java From cxf with Apache License 2.0 | 6 votes |
|
public SecurityContext getSecurityContext(Message message,
SamlAssertionWrapper wrapper) {
// First check to see if we are allowed to set up a security context
// The SAML Assertion must be signed, or we must explicitly allow unsigned
String allowUnsigned =
(String)SecurityUtils.getSecurityPropertyValue(
SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, message
);
boolean allowUnsignedSamlPrincipals = Boolean.parseBoolean(allowUnsigned);
if (!(wrapper.isSigned() || allowUnsignedSamlPrincipals)) {
return null;
}
ClaimCollection claims = getClaims(wrapper);
Subject subject = getSubject(message, wrapper, claims);
SecurityContext securityContext = doGetSecurityContext(message, subject, claims);
if (securityContext instanceof SAMLSecurityContext) {
Element assertionElement = wrapper.getElement();
((SAMLSecurityContext)securityContext).setAssertionElement(assertionElement);
}
return securityContext;
}
Example 2
| Source File: AbstractSamlInHandler.java From cxf with Apache License 2.0 | 5 votes |
|
protected boolean checkBearer(SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts) {
List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
for (String confirmationMethod : confirmationMethods) {
boolean isBearer = isMethodBearer(confirmationMethod);
if (isBearer && !assertionWrapper.isSigned() && (tlsCerts == null || tlsCerts.length == 0)) {
return false;
}
// do some more validation - time based, etc
}
return true;
}
Example 3
| Source File: StaxClaimsValidator.java From cxf with Apache License 2.0 | 4 votes |
|
@SuppressWarnings("unchecked")
@Override
public <T extends SamlSecurityToken & InboundSecurityToken> T validate(
final SamlAssertionWrapper samlAssertionWrapper,
final InboundSecurityToken subjectSecurityToken,
final TokenContext tokenContext
) throws WSSecurityException {
// Check conditions
checkConditions(samlAssertionWrapper);
// Check OneTimeUse Condition
checkOneTimeUse(samlAssertionWrapper,
tokenContext.getWssSecurityProperties().getSamlOneTimeUseReplayCache());
// Validate the assertion against schemas/profiles
validateAssertion(samlAssertionWrapper);
// Now check Claims
boolean valid = false;
if (samlAssertionWrapper.getSaml1() != null) {
valid = handleSAML1Assertion(samlAssertionWrapper.getSaml1());
} else if (samlAssertionWrapper.getSaml2() != null) {
valid = handleSAML2Assertion(samlAssertionWrapper.getSaml2());
}
if (!valid) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
Crypto sigVerCrypto = null;
if (samlAssertionWrapper.isSigned()) {
sigVerCrypto = tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto();
}
SamlSecurityTokenImpl securityToken = new SamlSecurityTokenImpl(
samlAssertionWrapper, subjectSecurityToken,
tokenContext.getWsSecurityContext(),
sigVerCrypto,
WSSecurityTokenConstants.KeyIdentifier_NoKeyInfo,
tokenContext.getWssSecurityProperties());
securityToken.setElementPath(tokenContext.getElementPath());
securityToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
return (T)securityToken;
}
Example 4
| Source File: SamlSSOAssertionValidator.java From cxf with Apache License 2.0 | 4 votes |
|
/**
* Check the Subject Confirmation method requirements
*/
protected void verifySubjectConfirmationMethod(
SamlAssertionWrapper samlAssertion
) throws WSSecurityException {
List<String> methods = samlAssertion.getConfirmationMethods();
if (methods == null || methods.isEmpty()) {
if (super.getRequiredSubjectConfirmationMethod() != null) {
LOG.warning("A required subject confirmation method was not present");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
} else if (super.isRequireStandardSubjectConfirmationMethod()) {
LOG.warning("A standard subject confirmation method was not present");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
}
}
boolean signed = samlAssertion.isSigned();
boolean requiredMethodFound = false;
boolean standardMethodFound = false;
for (String method : methods) {
if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
if (samlAssertion.getSubjectKeyInfo() == null) {
LOG.warning("There is no Subject KeyInfo to match the holder-of-key subject conf method");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
}
// The assertion must have been signed for HOK
if (!signed) {
LOG.warning("A holder-of-key assertion must be signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
standardMethodFound = true;
}
if (method != null) {
if (method.equals(super.getRequiredSubjectConfirmationMethod())) {
requiredMethodFound = true;
}
if (SAML2Constants.CONF_BEARER.equals(method)
|| SAML1Constants.CONF_BEARER.equals(method)) {
standardMethodFound = true;
if (super.isRequireBearerSignature() && !signed && !signedResponse) {
LOG.warning("A Bearer Assertion was not signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
}
} else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method)
|| SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) {
standardMethodFound = true;
}
}
}
if (!requiredMethodFound && super.getRequiredSubjectConfirmationMethod() != null) {
LOG.warning("A required subject confirmation method was not present");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
}
if (!standardMethodFound && super.isRequireStandardSubjectConfirmationMethod()) {
LOG.warning("A standard subject confirmation method was not present");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
}
}
Example 5
| Source File: SAMLProtocolResponseValidator.java From cxf with Apache License 2.0 | 4 votes |
|
/**
* Validate an internal Assertion
*/
private void validateAssertion(
SamlAssertionWrapper assertion,
Crypto sigCrypto,
CallbackHandler callbackHandler,
Document doc,
boolean signedResponse
) throws WSSecurityException {
Credential credential = new Credential();
credential.setSamlAssertion(assertion);
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
requestData.setCallbackHandler(callbackHandler);
if (assertion.isSigned()) {
if (assertion.getSaml1() != null) {
assertion.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true);
} else {
assertion.getSaml2().getDOM().setIdAttributeNS(null, "ID", true);
}
// Verify the signature
try {
Signature sig = assertion.getSignature();
WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument());
requestData.setWsDocInfo(docInfo);
SAMLKeyInfo samlKeyInfo = null;
KeyInfo keyInfo = sig.getKeyInfo();
if (keyInfo != null) {
samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(
keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), sigCrypto
);
} else if (!keyInfoMustBeAvailable) {
samlKeyInfo = createKeyInfoFromDefaultAlias(sigCrypto);
}
if (samlKeyInfo == null) {
LOG.warning("No KeyInfo supplied in the SAMLResponse assertion signature");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
assertion.verifySignature(samlKeyInfo);
assertion.parseSubject(
new WSSSAMLKeyInfoProcessor(requestData),
requestData.getSigVerCrypto(),
requestData.getCallbackHandler()
);
} catch (WSSecurityException e) {
LOG.log(Level.FINE, "Assertion failed signature validation", e);
throw e;
}
}
// Validate the Assertion & verify trust in the signature
try {
SamlSSOAssertionValidator assertionValidator = new SamlSSOAssertionValidator(signedResponse);
assertionValidator.validate(credential, requestData);
} catch (WSSecurityException ex) {
LOG.log(Level.FINE, "Assertion validation failed: " + ex.getMessage(), ex);
throw ex;
}
}
