Java Code Examples for org.apache.wss4j.common.saml.SAMLUtil#doSAMLCallback()
The following examples show how to use `org.apache.wss4j.common.saml.SAMLUtil#doSAMLCallback()`.
Example 1
Source File: SamlRetrievalInterceptor.java From cxf with Apache License 2.0 | 6 votes |
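/**
 * Creates a SAML assertion through {@code SamlCallbackHandler} and attaches its
 * DOM form to the message under {@code SAMLConstants.SAML_TOKEN_ELEMENT}.
 *
 * @param message the CXF message the token element is stored on
 * @throws Fault if the assertion cannot be built or serialised; the underlying
 *         {@code WSSecurityException} is kept as the cause
 */
@Override
public void handleMessage(Message message) throws Fault {
    // Create a SAML Token
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(new SamlCallbackHandler(), samlCallback);

    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        Document doc = DOMUtils.createDocument();
        Element token = assertion.toDOM(doc);
        message.put(SAMLConstants.SAML_TOKEN_ELEMENT, token);
    } catch (WSSecurityException ex) {
        // Keep the original exception as the cause rather than flattening its
        // stack trace into the fault text: the chain stays available to loggers
        // and fault handlers, and the trace is no longer part of the fault message.
        throw new Fault(ex);
    }
}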
Example 2
Source File: SAMLResponseTest.java From cxf-fediz with Apache License 2.0 | 6 votes |
/**
 * Builds a SAML Response around one assertion produced by the given handler
 * (via {@code createSamlResponse}) and returns it in encoded form.
 *
 * @param saml2CallbackHandler handler supplying the assertion contents; its
 *        conditions and subject confirmation data are overwritten here
 * @param requestId request id echoed in the InResponseTo attribute
 * @return the encoded SAML Response
 * @throws Exception from assertion creation or response building
 */
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
                                     String requestId) throws Exception {
    // Audience restriction: the assertion is only meant for the test request URL
    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_REQUEST_URL);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    saml2CallbackHandler.setConditions(conditions);

    // Subject Confirmation Data: bound to the client address, the originating
    // request and the recipient URL, valid for five minutes
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(TEST_CLIENT_ADDRESS);
    confirmationData.setInResponseTo(requestId);
    confirmationData.setNotAfter(new DateTime().plusMinutes(5));
    confirmationData.setRecipient(TEST_REQUEST_URL);
    saml2CallbackHandler.setSubjectConfirmationData(confirmationData);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(saml2CallbackHandler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);

    Element response = createSamlResponse(assertion, "mystskey", true, requestId);
    return encodeResponse(response);
}
Example 3
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Validates a SAML 2 token whose role attribute carries two values (roles are
 * encoded as a multi-valued SAML attribute). Unlike the other tests the token
 * is wrapped in a plain RSTR rather than a RequestedSecurityTokenCollection.
 */
@org.junit.Test
public void validateSAML2TokenRSTR() throws Exception {
    // Bearer assertion with an attribute statement from the trusted issuer
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_MSG);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    // Drop the cached configurator before looking up the ROOT context
    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT");
    FedizResponse result = new FederationProcessorImpl().processRequest(request, context);

    Assert.assertEquals("Principal name wrong", TEST_USER, result.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, result.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, result.getRoles().size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, result.getAudience());
}
Example 4
Source File: SAMLResponseValidatorTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Wraps the assertion produced by {@code callbackHandler} in a SAML 2 Response
 * with a Success status, serialises it to DOM and parses it back.
 *
 * @param subjectConfirmationData not referenced by this helper; the handler is
 *        expected to carry whatever confirmation data the caller configured
 * @param callbackHandler supplies the assertion contents
 * @return the Response as re-parsed from its DOM form
 * @throws Exception on assertion creation or (un)marshalling errors
 */
private Response createResponse(SubjectConfirmationDataBean subjectConfirmationData,
                                SAML2CallbackHandler callbackHandler) throws Exception {
    Document doc = DOMUtils.createDocument();

    // Success status and the enclosing Response
    Status status = SAML2PResponseComponentBuilder.createStatus(
        SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
    Response response = SAML2PResponseComponentBuilder.createSAMLResponse(
        "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);

    // Create an AuthenticationAssertion
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    response.getAssertions().add(assertion.getSaml2());

    // Round-trip through DOM so the returned object is what a receiver would parse
    Element responseElement = OpenSAMLUtil.toDom(response, doc);
    doc.appendChild(responseElement);
    assertNotNull(responseElement);
    return (Response) OpenSAMLUtil.fromDom(responseElement);
}
Example 5
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Validates an encrypted SAML 2 token whose role attribute carries two values
 * (roles encoded as a multi-valued SAML attribute) against the
 * "ROOT_DECRYPTION" context and checks the resulting claims.
 */
@org.junit.Test
public void validateEncryptedSAML2Token() throws Exception {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    // The token is encrypted as well as signed, so the context must be able to decrypt it
    String rstr = encryptAndSignToken(assertion);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    // Drop the cached configurator before looking up the decryption-capable context
    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
    FedizResponse result = new FederationProcessorImpl().processRequest(request, context);

    Assert.assertEquals("Principal name wrong", TEST_USER, result.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, result.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, result.getRoles().size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, result.getAudience());
    assertClaims(result.getClaims(), handler.getRoleAttributeName());
}
Example 6
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Validates a SAML 2 token whose role attribute carries two values against the
 * "ROOT3" context. Per the original description, the configured subject of the
 * trusted issuer does not match the issuer of the SAML token; processing is
 * nevertheless expected to succeed with this configuration.
 */
@org.junit.Test
public void validateSAML2TokenSeveralCertStoreTrustedIssuer() throws Exception {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT3");
    FedizResponse result = new FederationProcessorImpl().processRequest(request, context);

    Assert.assertEquals("Principal name wrong", TEST_USER, result.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, result.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, result.getRoles().size());
}
Example 7
Source File: SAMLTokenProvider.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Creates the SAML assertion for a token request, lets the optional custom
 * handler post-process it and signs it when {@code signToken} is set.
 *
 * @param tokenParameters request parameters (realm, STS properties, key requirements)
 * @param secret opaque secret forwarded to {@code createCallbackHandler}
 * @param doc DOM document handed to the callback handler
 * @return the assertion, signed if signing is enabled
 * @throws Exception on callback or signing failure
 */
private SamlAssertionWrapper createSamlToken(TokenProviderParameters tokenParameters,
                                             byte[] secret, Document doc) throws Exception {
    // Realm-specific properties apply only when the request names a configured realm
    String realm = tokenParameters.getRealm();
    RealmProperties realmProperties =
        (realm != null && realmMap.containsKey(realm)) ? realmMap.get(realm) : null;

    SamlCallbackHandler callbackHandler =
        createCallbackHandler(tokenParameters, secret, realmProperties, doc);
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);

    // Optional hook for deployments that need to adjust the assertion before signing
    if (samlCustomHandler != null) {
        samlCustomHandler.handle(assertion, tokenParameters);
    }

    if (signToken) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        signToken(assertion, realmProperties, stsProperties, tokenParameters.getKeyRequirements());
    }
    return assertion;
}
Example 8
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Processes a SAML 2 token that was created without a signature and expects
 * the processor to reject it with {@code TYPE.TOKEN_NO_SIGNATURE}.
 */
@org.junit.Test
public void validateUnsignedSAML2Token() throws Exception {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    // Third argument false: the token is embedded without being signed
    String rstr = createSamlToken(assertion, "mystskey", false);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT");
    FedizProcessor processor = new FederationProcessorImpl();
    try {
        processor.processRequest(request, context);
        Assert.fail("Processing must fail because of missing signature");
    } catch (ProcessingException ex) {
        if (!TYPE.TOKEN_NO_SIGNATURE.equals(ex.getType())) {
            Assert.fail("Expected ProcessingException with TOKEN_NO_SIGNATURE type");
        }
    }
}
Example 9
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Validates a SAML 2 token whose role attribute carries two values against the
 * "ROOT2" context (a configuration with several certificate stores) and
 * expects successful processing.
 */
@org.junit.Test
public void validateSAML2TokenSeveralCertStore() throws Exception {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT2");
    FedizResponse result = new FederationProcessorImpl().processRequest(request, context);

    Assert.assertEquals("Principal name wrong", TEST_USER, result.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, result.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, result.getRoles().size());
}
Example 10
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
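/**
 * Validates a SAML 2 token whose role attribute carries two values against a
 * {@code FedizContext} built programmatically through the configuration API
 * instead of being loaded from a file.
 *
 * @throws Exception on token creation, processing or context close failure
 */
@org.junit.Test
public void validateSAML2TokenWithConfigCreatedWithAPI() throws Exception {
    ContextConfig config = new ContextConfig();
    config.setName("whatever");

    // Configure certificate store
    CertificateStores certStores = new CertificateStores();
    TrustManagersType tm0 = new TrustManagersType();
    KeyStoreType ks0 = new KeyStoreType();
    ks0.setType("JKS");
    ks0.setPassword("storepass");
    ks0.setFile("ststrust.jks");
    tm0.setKeyStore(ks0);
    certStores.getTrustManager().add(tm0);
    config.setCertificateStores(certStores);

    // Configure trusted IDP: chain trust against the store, issuer subject matched by regex
    TrustedIssuers trustedIssuers = new TrustedIssuers();
    TrustedIssuerType ti0 = new TrustedIssuerType();
    ti0.setCertificateValidation(ValidationType.CHAIN_TRUST);
    ti0.setName("FedizSTSIssuer");
    ti0.setSubject(".*CN=www.sts.com.*");
    trustedIssuers.getIssuer().add(ti0);
    config.setTrustedIssuers(trustedIssuers);

    FederationProtocolType protocol = new FederationProtocolType();
    config.setProtocol(protocol);

    AudienceUris audienceUris = new AudienceUris();
    audienceUris.getAudienceItem().add("https://localhost/fedizhelloworld");
    config.setAudienceUris(audienceUris);

    protocol.setRoleURI("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");

    // The context is closed in a finally block so it is released even when an
    // assertion or the processor fails (the original only closed it on success).
    FedizContext fedContext = new FedizContext(config);
    try {
        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
        callbackHandler.setSubjectName(TEST_USER);

        ConditionsBean cp = new ConditionsBean();
        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
        callbackHandler.setConditions(cp);

        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_MSG);

        FedizRequest wfReq = new FedizRequest();
        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
        wfReq.setResponseToken(rstr);

        FedizProcessor wfProc = new FederationProcessorImpl();
        FedizResponse wfRes = wfProc.processRequest(wfReq, fedContext);

        Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
    } finally {
        fedContext.close();
    }
}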
Example 11
Source File: SAMLResponseConformanceTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Builds a SAML Response whose SubjectConfirmationData has no NotOnOrAfter
 * (no NotAfter is set on the bean) and expects the SAML processor to reject
 * it with {@code TYPE.INVALID_REQUEST}.
 */
@org.junit.Test
public void testNotOnOfAfter() throws Exception {
    // Mock up a Request
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
    String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    RequestState requestState = new RequestState(TEST_REQUEST_URL, TEST_IDP_ISSUER, requestId,
        TEST_REQUEST_URL, (String) config.getProtocol().getIssuer(), null, relayState,
        System.currentTimeMillis());

    // Create SAML Response: bearer assertion with attribute and authn statements
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setAlsoAddAuthnStatement(true);
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_IDP_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_REQUEST_URL);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    // Subject Confirmation Data, deliberately without a NotAfter value
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(TEST_CLIENT_ADDRESS);
    confirmationData.setInResponseTo(requestId);
    confirmationData.setRecipient(TEST_REQUEST_URL);
    handler.setSubjectConfirmationData(confirmationData);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    Element response = createSamlResponse(assertion, "mystskey", true, requestId, null);
    String responseStr = encodeResponse(response);

    HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(servletRequest.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
    EasyMock.expect(servletRequest.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
    EasyMock.replay(servletRequest);

    FedizRequest request = new FedizRequest();
    request.setResponseToken(responseStr);
    request.setState(relayState);
    request.setRequest(servletRequest);
    request.setRequestState(requestState);

    FedizProcessor processor = new SAMLProcessorImpl();
    try {
        processor.processRequest(request, config);
        fail("Failure expected");
    } catch (ProcessingException ex) {
        if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
            fail("Expected ProcessingException with INVALID_REQUEST type");
        }
    }
}
Example 12
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Signs an assertion, then alters its IssueInstant attribute after signing and
 * expects the processor to reject the tampered token with a
 * {@code ProcessingException}.
 */
@org.junit.Test
public void testModifiedSignature() throws Exception {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);

    // Sign with the STS key; the key password is obtained from the password callback handler
    WSPasswordCallback[] passwordCallbacks = {
        new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
    };
    cbPasswordHandler.handle(passwordCallbacks);
    assertion.signAssertion("mystskey", passwordCallbacks[0].getPassword(), crypto, false);

    Document doc = STSUtil.toSOAPPart(STSUtil.SAMPLE_RSTR_COLL_MSG);
    Element token = assertion.toDOM(doc);

    // Change IssueInstant attribute after signing; the signed content no longer matches
    DateTime issueInstant = new DateTime(token.getAttributeNS(null, "IssueInstant"), DateTimeZone.UTC);
    token.setAttributeNS(null, "IssueInstant", issueInstant.plusSeconds(1).toString());

    // Embed the tampered token into the RSTR collection (WS-Trust 1.3, else 2005/02)
    Element requestedToken =
        XMLUtils.findElement(doc, "RequestedSecurityToken", FederationConstants.WS_TRUST_13_NS);
    if (requestedToken == null) {
        requestedToken =
            XMLUtils.findElement(doc, "RequestedSecurityToken", FederationConstants.WS_TRUST_2005_02_NS);
    }
    requestedToken.appendChild(token);
    String rstr = DOM2Writer.nodeToString(doc);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT");
    FedizProcessor processor = new FederationProcessorImpl();
    try {
        processor.processRequest(request, context);
        fail("Failure expected on signature validation");
    } catch (ProcessingException ex) {
        // expected: the modified token must not pass signature validation
    }
}
Example 13
Source File: SamlResponseCreator.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Builds the SAML 2 assertion the IdP issues to the requesting service
 * provider, derived from the token received from the STS.
 *
 * @param context       web-flow request context; the SAMLAuthnRequest is read from flow scope
 * @param idp           issuing IdP: supplies issuer name, signing certificate and its password
 * @param receivedToken STS token whose Subject and AttributeStatements are copied over
 * @param requestID     id of the AuthnRequest, echoed in InResponseTo
 * @param requestIssuer issuer of the AuthnRequest, used as the audience restriction
 * @param remoteAddr    client address placed in the SubjectConfirmationData
 * @param racs          recipient URL placed in the SubjectConfirmationData
 * @return the signed SAML 2 assertion
 * @throws ProcessingException with INVALID_REQUEST if the AuthnRequest names a
 *         subject that differs from the NameID of the received token
 * @throws Exception on assertion creation or signing errors
 */
private Assertion createSAML2Assertion(RequestContext context, Idp idp,
                                       SamlAssertionWrapper receivedToken, String requestID,
                                       String requestIssuer, String remoteAddr, String racs)
    throws Exception {
    // Lifetime shared by the subject confirmation and the assertion conditions
    final int lifetimeMinutes = 5;

    // Create an AuthenticationAssertion
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    String issuerName = isUseRealmForIssuer() ? idp.getRealm() : idp.getIdpUrl().toString();
    handler.setIssuer(issuerName);
    handler.setSubject(receivedToken.getSaml2().getSubject());

    // Test Subject against received Subject (if applicable): an AuthnRequest that
    // names a subject must not result in an assertion for a different NameID
    SAMLAuthnRequest authnRequest =
        (SAMLAuthnRequest) WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
    String requestedNameId = authnRequest.getSubjectNameId();
    NameID issuedNameId = receivedToken.getSaml2().getSubject().getNameID();
    if (requestedNameId != null && issuedNameId != null
        && !requestedNameId.equals(issuedNameId.getValue())) {
        LOG.debug("Received NameID value of {} does not match issued value {}",
                  requestedNameId, issuedNameId.getValue());
        throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
    }

    // Subject Confirmation Data: bound to the client address, the AuthnRequest and the recipient
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(remoteAddr);
    confirmationData.setInResponseTo(requestID);
    confirmationData.setNotAfter(new DateTime().plusMinutes(lifetimeMinutes));
    confirmationData.setRecipient(racs);
    handler.setSubjectConfirmationData(confirmationData);

    // Audience Restriction: only the requesting issuer may consume the assertion
    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.setAudienceURIs(Collections.singletonList(requestIssuer));
    ConditionsBean conditionsBean = new ConditionsBean();
    conditionsBean.setTokenPeriodMinutes(lifetimeMinutes);
    conditionsBean.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditionsBean);

    // Attributes: carried over unchanged from the received token
    handler.setAttributeStatements(receivedToken.getSaml2().getAttributeStatements());

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);

    // Sign with the IdP's own certificate
    Crypto issuerCrypto = CertsUtils.getCryptoFromCertificate(idp.getCertificate());
    assertion.signAssertion(issuerCrypto.getDefaultX509Identifier(),
                            idp.getCertificatePassword(), issuerCrypto, false);
    return assertion.getSaml2();
}
Example 14
Source File: SAMLClaimsTest.java From cxf with Apache License 2.0 | 4 votes |
/**
 * Creates a SAML 2 assertion with two attributes (role and givenname) and
 * checks that both surface as claims and that exactly one role is parsed.
 */
@org.junit.Test
public void testSAML2MultipleClaims() throws Exception {
    // Two attributes, both with the unspecified name format
    AttributeBean roleAttribute = new AttributeBean();
    roleAttribute.setQualifiedName(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
    roleAttribute.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
    roleAttribute.addAttributeValue("employee");

    AttributeBean givenNameAttribute = new AttributeBean();
    givenNameAttribute.setQualifiedName(
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
    givenNameAttribute.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
    givenNameAttribute.addAttributeValue("smith");

    SamlCallbackHandler handler = new SamlCallbackHandler();
    List<AttributeBean> attributes = new ArrayList<>();
    attributes.add(roleAttribute);
    attributes.add(givenNameAttribute);
    handler.setAttributes(attributes);

    // Create the SAML Assertion via the CallbackHandler
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(callback);
    samlAssertion.toDOM(DOMUtils.newDocument());

    ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
    assertEquals("http://schemas.xmlsoap.org/ws/2005/05/identity", claims.getDialect().toString());
    assertEquals(2, claims.size());

    // Check roles: only the role attribute contributes a Principal
    Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims,
        SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
    assertEquals(1, roles.size());
    assertEquals("employee", roles.iterator().next().getName());
}
Example 15
Source File: ClaimsProcessorTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Builds a SAML 2 token carrying a single custom claim, runs it through a
 * Fediz context configured with the given claims processor class and returns
 * the processor's response.
 *
 * @param claimType           claim name placed in the attribute statement
 * @param setClaimNameFormat  whether to tag the attribute with the claim-types URI name format
 * @param claimValue          the single attribute value
 * @param claimsProcessorClass claims processor class written into the generated configuration
 * @return the response produced by {@code FederationProcessorImpl}
 */
private FedizResponse performLogin(String claimType, boolean setClaimNameFormat, String claimValue,
                                   String claimsProcessorClass)
    throws WSSecurityException, IOException, UnsupportedCallbackException, JAXBException,
           ProcessingException, SAXException, ParserConfigurationException {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(ISSUER);
    handler.setSubjectName("alice");
    if (setClaimNameFormat) {
        handler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
    }
    handler.setCustomClaimName(claimType);
    handler.setCustomAttributeValues(Collections.singletonList(claimValue));

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(AUDIENCE_URI_1);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    // Marshal the generated configuration to XML and load it back the way a deployment would
    FedizConfig config = createConfiguration(claimsProcessorClass);
    StringWriter writer = new StringWriter();
    JAXBContext.newInstance(FedizConfig.class).createMarshaller().marshal(config, writer);
    FedizConfigurator fedizConfigurator = new FedizConfigurator();
    fedizConfigurator.loadConfig(new StringReader(writer.toString()));
    FedizContext fedizContext = fedizConfigurator.getFedizContext(CONFIG_NAME);

    return new FederationProcessorImpl().processRequest(request, fedizContext);
}
Example 16
Source File: SAMLResponseConformanceTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Builds a SAML Response whose assertion uses sender-vouches instead of bearer
 * subject confirmation and expects the SAML processor to reject it with
 * {@code TYPE.INVALID_REQUEST}.
 */
@org.junit.Test
public void testNoBearerSubjectConfirmation() throws Exception {
    // Mock up a Request
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
    String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    RequestState requestState = new RequestState(TEST_REQUEST_URL, TEST_IDP_ISSUER, requestId,
        TEST_REQUEST_URL, (String) config.getProtocol().getIssuer(), null, relayState,
        System.currentTimeMillis());

    // Create SAML Response with a sender-vouches (non-bearer) confirmation method
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setAlsoAddAuthnStatement(true);
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
    handler.setIssuer(TEST_IDP_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_REQUEST_URL);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    // Subject Confirmation Data
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(TEST_CLIENT_ADDRESS);
    confirmationData.setInResponseTo(requestId);
    confirmationData.setNotAfter(new DateTime().plusMinutes(5));
    confirmationData.setRecipient(TEST_REQUEST_URL);
    handler.setSubjectConfirmationData(confirmationData);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    Element response = createSamlResponse(assertion, "mystskey", true, requestId, null);
    String responseStr = encodeResponse(response);

    HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(servletRequest.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
    EasyMock.expect(servletRequest.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
    EasyMock.replay(servletRequest);

    FedizRequest request = new FedizRequest();
    request.setResponseToken(responseStr);
    request.setState(relayState);
    request.setRequest(servletRequest);
    request.setRequestState(requestState);

    FedizProcessor processor = new SAMLProcessorImpl();
    try {
        processor.processRequest(request, config);
        fail("Failure expected");
    } catch (ProcessingException ex) {
        if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
            fail("Expected ProcessingException with INVALID_REQUEST type");
        }
    }
}
Example 17
Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Processes the same SAML 2 token twice against one context. The first pass
 * must succeed; the second must be rejected with {@code TYPE.TOKEN_REPLAY}.
 * A fresh processor instance is used for the second pass, so the replay
 * detection has to come from state shared through the context.
 */
@org.junit.Test
public void testReplayAttack() throws Exception {
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_RSTR_ISSUER);
    handler.setSubjectName(TEST_USER);

    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_AUDIENCE);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));
    handler.setConditions(conditions);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest request = new FedizRequest();
    request.setAction(FederationConstants.ACTION_SIGNIN);
    request.setResponseToken(rstr);

    configurator = null;
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT");

    // First presentation of the token is accepted
    FedizResponse result = new FederationProcessorImpl().processRequest(request, context);
    Assert.assertEquals("Principal name wrong", TEST_USER, result.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, result.getIssuer());

    // Second presentation of the identical token must be detected as a replay
    FedizProcessor secondProcessor = new FederationProcessorImpl();
    try {
        secondProcessor.processRequest(request, context);
        fail("Failure expected on a replay attack");
    } catch (ProcessingException ex) {
        if (!TYPE.TOKEN_REPLAY.equals(ex.getType())) {
            fail("Expected ProcessingException with TOKEN_REPLAY type");
        }
    }
}
Example 18
Source File: SAMLResponseValidatorTest.java From cxf with Apache License 2.0 | 4 votes |
/**
 * Builds a successful SAML 2.0 Response containing one authentication assertion
 * whose {@code AuthnInstant} is one day in the future, round-trips it through
 * DOM, and checks that {@code SAMLProtocolResponseValidator} rejects it with a
 * {@link WSSecurityException}. An authentication event dated in the future is
 * not plausible and must not be accepted by the validator.
 *
 * @throws Exception on any unexpected failure while building the response
 */
@org.junit.Test
public void testFutureAuthnInstant() throws Exception {
    Document doc = DOMUtils.createDocument();
    Status okStatus = SAML2PResponseComponentBuilder.createStatus(
        SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
    Response samlResponse = SAML2PResponseComponentBuilder.createSAMLResponse(
        "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", okStatus);

    // Authentication assertion whose AuthnInstant lies one day ahead of now.
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
    handler.setIssuer("http://cxf.apache.org/issuer");
    handler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
    handler.setAuthnInstant(new DateTime().plusDays(1));

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    samlResponse.getAssertions().add(new SamlAssertionWrapper(callback).getSaml2());

    // Serialise to DOM and parse back so the validator sees what a consumer would.
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    doc.appendChild(responseElement);
    assertNotNull(responseElement);
    Response parsed = (Response) OpenSAMLUtil.fromDom(responseElement);

    SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
    try {
        validator.validateSamlResponse(parsed, null, null);
        fail("Expected failure on an invalid Assertion AuthnInstant");
    } catch (WSSecurityException expected) {
        // The future AuthnInstant must be rejected; this is the pass path.
    }
}
Source File: SAMLResponseConformanceTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * A SAML Response whose assertion carries an AttributeStatement but no
 * AuthnStatement must be rejected by {@code SAMLProcessorImpl} with
 * {@code TYPE.INVALID_REQUEST}: without an AuthnStatement the response does not
 * describe an authentication event. Issuer, audience, InResponseTo, Recipient,
 * Address, NotOnOrAfter and RelayState are all set up to match the mocked
 * request, so the missing statement is what the processor has to object to.
 *
 * @throws Exception on any unexpected failure while building the response
 */
@org.junit.Test
public void testNoAuthnStatement() throws Exception {
    // State of the outstanding request that the response has to match.
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT");
    String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    RequestState requestState = new RequestState(TEST_REQUEST_URL, TEST_IDP_ISSUER, requestId,
        TEST_REQUEST_URL, (String) context.getProtocol().getIssuer(), null, relayState,
        System.currentTimeMillis());

    // Conditions: audience restricted to the request URL.
    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_REQUEST_URL);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));

    // Bearer SubjectConfirmationData bound to this request and client address.
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(TEST_CLIENT_ADDRESS);
    confirmationData.setInResponseTo(requestId);
    confirmationData.setNotAfter(new DateTime().plusMinutes(5));
    confirmationData.setRecipient(TEST_REQUEST_URL);

    // Attribute statement only -- deliberately no AuthnStatement.
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_IDP_ISSUER);
    handler.setSubjectName(TEST_USER);
    handler.setConditions(conditions);
    handler.setSubjectConfirmationData(confirmationData);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    Element response =
        createSamlResponse(new SamlAssertionWrapper(callback), "mystskey", true, requestId, null);
    String encodedResponse = encodeResponse(response);

    // Servlet request mock reporting the expected URL and client address.
    HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(servletRequest.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
    EasyMock.expect(servletRequest.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
    EasyMock.replay(servletRequest);

    FedizRequest fedizRequest = new FedizRequest();
    fedizRequest.setResponseToken(encodedResponse);
    fedizRequest.setState(relayState);
    fedizRequest.setRequest(servletRequest);
    fedizRequest.setRequestState(requestState);

    FedizProcessor processor = new SAMLProcessorImpl();
    try {
        processor.processRequest(fedizRequest, context);
        fail("Failure expected");
    } catch (ProcessingException ex) {
        if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
            fail("Expected ProcessingException with INVALID_REQUEST type");
        }
    }
}
Source File: SAMLResponseConformanceTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * The assertion's {@code SubjectConfirmationData/@Address} is set to a value
 * that differs from the remote address the servlet request reports, while
 * everything else (statements, issuer, audience, InResponseTo, Recipient,
 * NotOnOrAfter, RelayState) matches the mocked request. {@code SAMLProcessorImpl}
 * must reject the response with {@code TYPE.INVALID_REQUEST}, i.e. a bearer
 * assertion is only honoured when presented from the address it was bound to.
 *
 * @throws Exception on any unexpected failure while building the response
 */
@org.junit.Test
public void testNonMatchingAddress() throws Exception {
    // State of the outstanding request that the response has to match.
    FedizContext context = getFederationConfigurator().getFedizContext("ROOT");
    String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    RequestState requestState = new RequestState(TEST_REQUEST_URL, TEST_IDP_ISSUER, requestId,
        TEST_REQUEST_URL, (String) context.getProtocol().getIssuer(), null, relayState,
        System.currentTimeMillis());

    // Conditions: audience restricted to the request URL.
    AudienceRestrictionBean audience = new AudienceRestrictionBean();
    audience.getAudienceURIs().add(TEST_REQUEST_URL);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setAudienceRestrictions(Collections.singletonList(audience));

    // Bearer SubjectConfirmationData whose Address does NOT match the client.
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(TEST_CLIENT_ADDRESS + "xyz");
    confirmationData.setInResponseTo(requestId);
    confirmationData.setNotAfter(new DateTime().plusMinutes(5));
    confirmationData.setRecipient(TEST_REQUEST_URL);

    // Attribute statement plus an AuthnStatement, so only the address is wrong.
    SAML2CallbackHandler handler = new SAML2CallbackHandler();
    handler.setAlsoAddAuthnStatement(true);
    handler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    handler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    handler.setIssuer(TEST_IDP_ISSUER);
    handler.setSubjectName(TEST_USER);
    handler.setConditions(conditions);
    handler.setSubjectConfirmationData(confirmationData);

    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    Element response =
        createSamlResponse(new SamlAssertionWrapper(callback), "mystskey", true, requestId, null);
    String encodedResponse = encodeResponse(response);

    // Servlet request mock reporting the real client address.
    HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(servletRequest.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
    EasyMock.expect(servletRequest.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
    EasyMock.replay(servletRequest);

    FedizRequest fedizRequest = new FedizRequest();
    fedizRequest.setResponseToken(encodedResponse);
    fedizRequest.setState(relayState);
    fedizRequest.setRequest(servletRequest);
    fedizRequest.setRequestState(requestState);

    FedizProcessor processor = new SAMLProcessorImpl();
    try {
        processor.processRequest(fedizRequest, context);
        fail("Failure expected");
    } catch (ProcessingException ex) {
        if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
            fail("Expected ProcessingException with INVALID_REQUEST type");
        }
    }
}