Java Code Examples for org.apache.wss4j.common.saml.SamlAssertionWrapper#getConfirmationMethods()
The following examples show how to use
org.apache.wss4j.common.saml.SamlAssertionWrapper#getConfirmationMethods() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: STSRESTTest.java From cxf with Apache License 2.0 | 6 votes |
@org.junit.Test public void testIssueBearerSAML1TokenShorKeyType() throws Exception { WebClient client = webClient() .path("saml1.1") .query("keyType", "Bearer") .accept(MediaType.APPLICATION_XML); Document assertionDoc = client.get(Document.class); SamlAssertionWrapper assertion = validateSAMLToken(assertionDoc); assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod.contains("bearer")); }
Example 2
Source File: STSRESTTest.java From cxf with Apache License 2.0 | 6 votes |
@org.junit.Test public void testIssueBearerSAML1Token() throws Exception { WebClient client = webClient() .path("saml1.1") .query("keyType", STSConstants.BEARER_KEY_KEYTYPE) .accept(MediaType.APPLICATION_XML); Document assertionDoc = client.get(Document.class); SamlAssertionWrapper assertion = validateSAMLToken(assertionDoc); assertNotNull(assertion); assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod.contains("bearer")); }
Example 3
Source File: STSRESTTest.java From cxf with Apache License 2.0 | 6 votes |
@org.junit.Test public void testIssueSymmetricKeySaml1() throws Exception { WebClient client = webClient() .path("saml1.1") .query("keyType", STSConstants.SYMMETRIC_KEY_KEYTYPE) .accept(MediaType.APPLICATION_XML); Document assertionDoc = client.get(Document.class); SamlAssertionWrapper assertion = validateSAMLToken(assertionDoc); assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); assertNotNull(subjectKeyInfo.getSecret()); }
Example 4
Source File: SAMLUtil.java From cxf-fediz with Apache License 2.0 | 6 votes |
/** * Check the holder-of-key requirements against the received assertion. The subject * credential of the SAML Assertion must match a client certificate credential when * 2-way TLS is used. * @param assertionWrapper the SAML Assertion wrapper object * @param tlsCerts The client certificates */ public static boolean checkHolderOfKey( SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts ) { List<String> confirmationMethods = assertionWrapper.getConfirmationMethods(); for (String confirmationMethod : confirmationMethods) { if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) { if (tlsCerts == null || tlsCerts.length == 0) { return false; } SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); if (!compareCredentials(subjectKeyInfo, tlsCerts)) { return false; } } } return true; }
Example 5
Source File: STSRESTTest.java From cxf with Apache License 2.0 | 6 votes |
@org.junit.Test public void testIssuePublicKeySAML2Token() throws Exception { WebClient client = webClient() .path("saml2.0") .query("keyType", STSConstants.PUBLIC_KEY_KEYTYPE) .accept(MediaType.APPLICATION_XML); Document assertionDoc = client.get(Document.class); SamlAssertionWrapper assertion = validateSAMLToken(assertionDoc); assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); assertNotNull(subjectKeyInfo.getCerts()); }
Example 6
Source File: STSRESTTest.java From cxf with Apache License 2.0 | 6 votes |
@org.junit.Test public void testIssuePublicKeySAML2TokenShortKeyType() throws Exception { WebClient client = webClient() .path("saml2.0") .query("keyType", "PublicKey") .accept(MediaType.APPLICATION_XML); Document assertionDoc = client.get(Document.class); SamlAssertionWrapper assertion = validateSAMLToken(assertionDoc); assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); assertNotNull(subjectKeyInfo.getCerts()); }
Example 7
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 5 votes |
/** * Test the Symmetric Key SAML1 case */ @org.junit.Test public void testSymmetricKeySaml1() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); // Get a token SecurityToken token = requestSecurityToken(SAML1_TOKEN_TYPE, SYMMETRIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS); assertTrue(token.getSecret() != null && token.getSecret().length > 0); assertEquals(SAML1_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); assertNotNull(subjectKeyInfo.getSecret()); bus.shutdown(true); }
Example 8
Source File: AbstractSamlInHandler.java From cxf with Apache License 2.0 | 5 votes |
protected boolean checkBearer(SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts) { List<String> confirmationMethods = assertionWrapper.getConfirmationMethods(); for (String confirmationMethod : confirmationMethods) { boolean isBearer = isMethodBearer(confirmationMethod); if (isBearer && !assertionWrapper.isSigned() && (tlsCerts == null || tlsCerts.length == 0)) { return false; } // do some more validation - time based, etc } return true; }
Example 9
Source File: AbstractSamlInHandler.java From cxf with Apache License 2.0 | 5 votes |
protected boolean checkHolderOfKey(Message message, SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts) { List<String> confirmationMethods = assertionWrapper.getConfirmationMethods(); for (String confirmationMethod : confirmationMethods) { if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) { SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); if (!compareCredentials(subjectKeyInfo, message, tlsCerts)) { return false; } } } return true; }
Example 10
Source File: AbstractSamlInHandler.java From cxf with Apache License 2.0 | 5 votes |
/** * Check the sender-vouches requirements against the received assertion. The SAML * Assertion and the request body must be signed by the same signature. */ protected boolean checkSenderVouches( Message message, SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts ) { // // If we have a 2-way TLS connection, then we don't have to check that the // assertion + body are signed // If no body is available (ex, with GET) then consider validating that // the base64-encoded token is signed by the same signature // if (tlsCerts != null && tlsCerts.length > 0) { return true; } List<String> confirmationMethods = assertionWrapper.getConfirmationMethods(); for (String confirmationMethod : confirmationMethods) { if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) { Element signedElement = message.getContent(Element.class); Node assertionParent = assertionWrapper.getElement().getParentNode(); // if we have a shared parent signed node then we can assume both // this SAML assertion and the main payload have been signed by the same // signature if (assertionParent != signedElement) { // if not then try to compare if the same cert/key was used to sign SAML token // and the payload SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSignatureKeyInfo(); if (!compareCredentials(subjectKeyInfo, message, tlsCerts)) { return false; } } } } return true; }
Example 11
Source File: HOKDelegationHandler.java From cxf with Apache License 2.0 | 5 votes |
/** * Is Delegation allowed for a particular token */ @Override protected boolean isDelegationAllowed( ReceivedToken receivedToken, String appliesToAddress ) { Element validateTargetElement = (Element)receivedToken.getToken(); try { SamlAssertionWrapper assertion = new SamlAssertionWrapper(validateTargetElement); for (String confirmationMethod : assertion.getConfirmationMethods()) { if (!(SAML1Constants.CONF_BEARER.equals(confirmationMethod) || SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod) || SAML2Constants.CONF_BEARER.equals(confirmationMethod) || SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod))) { return false; } } if (isCheckAudienceRestriction() && appliesToAddress != null) { List<String> addresses = getAudienceRestrictions(assertion); if (!(addresses.isEmpty() || addresses.contains(appliesToAddress))) { return false; } } } catch (WSSecurityException ex) { LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", ex); return false; } return true; }
Example 12
Source File: SAMLDelegationHandler.java From cxf with Apache License 2.0 | 5 votes |
/** * Is Delegation allowed for a particular token */ protected boolean isDelegationAllowed( ReceivedToken receivedToken, String appliesToAddress ) { Element validateTargetElement = (Element)receivedToken.getToken(); try { SamlAssertionWrapper assertion = new SamlAssertionWrapper(validateTargetElement); for (String confirmationMethod : assertion.getConfirmationMethods()) { if (!(SAML1Constants.CONF_BEARER.equals(confirmationMethod) || SAML2Constants.CONF_BEARER.equals(confirmationMethod))) { LOG.fine("An unsupported Confirmation Method was used: " + confirmationMethod); return false; } } if (checkAudienceRestriction && appliesToAddress != null) { List<String> addresses = getAudienceRestrictions(assertion); if (!(addresses.isEmpty() || addresses.contains(appliesToAddress))) { LOG.fine("The AppliesTo address " + appliesToAddress + " is not contained" + " in the Audience Restriction addresses in the assertion"); return false; } } } catch (WSSecurityException ex) { LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", ex); return false; } return true; }
Example 13
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 5 votes |
/** * Test the Bearer SAML1 case with a Lifetime element */ @org.junit.Test public void testBearerSaml1Lifetime() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); // Get a token SecurityToken token = requestSecurityTokenTTL(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS); assertEquals(SAML1_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod != null && confirmMethod.contains("bearer")); bus.shutdown(true); }
Example 14
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 5 votes |
/** * Test the Bearer SAML1 case with a Context Attribute */ @org.junit.Test public void testBearerSaml1Context() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); // Get a token String context = "AuthenticationContext"; SecurityToken token = requestSecurityToken(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS, context); assertEquals(SAML1_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod != null && confirmMethod.contains("bearer")); bus.shutdown(true); }
Example 15
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 5 votes |
/** * Test the Bearer Sender Vouches SAML2 case */ @org.junit.Test public void testBearerSVSaml2() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); // Get a token SecurityToken token = requestSecurityToken( SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null, bus, DEFAULT_ADDRESS, null, null, null, null ); assertEquals(SAML2_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() == null && assertion.getSaml2() != null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertNotNull(confirmMethod); bus.shutdown(true); }
Example 16
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 5 votes |
/** * Test the Bearer SAML1 case */ @org.junit.Test public void testBearerSaml1() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); // Get a token SecurityToken token = requestSecurityToken(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS); assertEquals(SAML1_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod != null && confirmMethod.contains("bearer")); bus.shutdown(true); }
Example 17
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 5 votes |
/** * Test the Public Key SAML2 case */ @org.junit.Test public void testPublicKeySaml2() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); // Get a token SecurityToken token = requestSecurityToken(SAML2_TOKEN_TYPE, PUBLIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS); assertTrue(token.getSecret() == null && token.getX509Certificate() != null); assertEquals(SAML2_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() == null && assertion.getSaml2() != null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)); SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo(); assertNotNull(subjectKeyInfo.getCerts()); bus.shutdown(true); }
Example 18
Source File: STSUnitTest.java From cxf with Apache License 2.0 | 5 votes |
@Test public void testBearerSAML2Token() throws URISyntaxException, Exception { Bus bus = BusFactory.getDefaultBus(); String stsEndpoint = "http://localhost:" + System.getProperty("BasicSTSIntegrationTest.PORT") + "/cxf/X509"; //sts could take a second or two to fully startup, make sure we can get the wsdl waitForWSDL(stsEndpoint); // Get a token SecurityToken token = requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus, stsEndpoint); assertEquals(SAML2_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); // Process the token List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.getSaml1() == null && assertion.getSaml2() != null); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod.contains("bearer")); bus.shutdown(true); }
Example 19
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 4 votes |
@org.junit.Test public void testSAMLinWSSecToOtherRealm() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); Bus bus = bf.createBus(busFile.toString()); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); CallbackHandler callbackHandler = new CommonCallbackHandler(); //Create SAML token Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, null, "alice", "a-issuer"); String id = null; QName elName = DOMUtils.getElementQName(samlToken); if (elName.equals(new QName(WSS4JConstants.SAML_NS, "Assertion")) && samlToken.hasAttributeNS(null, "AssertionID")) { id = samlToken.getAttributeNS(null, "AssertionID"); } else if (elName.equals(new QName(WSS4JConstants.SAML2_NS, "Assertion")) && samlToken.hasAttributeNS(null, "ID")) { id = samlToken.getAttributeNS(null, "ID"); } if (id == null) { id = samlToken.getAttributeNS(WSS4JConstants.WSU_NS, "Id"); } SecurityToken wstoken = new SecurityToken(id, samlToken, null, null); Map<String, Object> properties = new HashMap<>(); properties.put(SecurityConstants.TOKEN, wstoken); properties.put(SecurityConstants.TOKEN_ID, wstoken.getId()); // Get a token SecurityToken token = requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null, bus, DEFAULT_ADDRESS, null, properties, "b-issuer", "Transport_SAML_Port"); /* SecurityToken token = requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null, bus, DEFAULT_ADDRESS, null, properties, "b-issuer", null); */ assertEquals(SAML2_TOKEN_TYPE, token.getTokenType()); assertNotNull(token.getToken()); List<WSSecurityEngineResult> results = processToken(token); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); assertNotNull(assertion); assertTrue(assertion.isSigned()); List<String> methods = assertion.getConfirmationMethods(); String confirmMethod = null; if (methods != null && !methods.isEmpty()) { confirmMethod = methods.get(0); } assertTrue(confirmMethod != null && confirmMethod.contains("bearer")); assertEquals("b-issuer", assertion.getIssuerString()); String subjectName = assertion.getSaml2().getSubject().getNameID().getValue(); assertEquals("Subject must be ALICE instead of " + subjectName, "ALICE", subjectName); }
Example 20
Source File: SamlSSOAssertionValidator.java From cxf with Apache License 2.0 | 4 votes |
/** * Check the Subject Confirmation method requirements */ protected void verifySubjectConfirmationMethod( SamlAssertionWrapper samlAssertion ) throws WSSecurityException { List<String> methods = samlAssertion.getConfirmationMethods(); if (methods == null || methods.isEmpty()) { if (super.getRequiredSubjectConfirmationMethod() != null) { LOG.warning("A required subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } else if (super.isRequireStandardSubjectConfirmationMethod()) { LOG.warning("A standard subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } } boolean signed = samlAssertion.isSigned(); boolean requiredMethodFound = false; boolean standardMethodFound = false; for (String method : methods) { if (OpenSAMLUtil.isMethodHolderOfKey(method)) { if (samlAssertion.getSubjectKeyInfo() == null) { LOG.warning("There is no Subject KeyInfo to match the holder-of-key subject conf method"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken"); } // The assertion must have been signed for HOK if (!signed) { LOG.warning("A holder-of-key assertion must be signed"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } standardMethodFound = true; } if (method != null) { if (method.equals(super.getRequiredSubjectConfirmationMethod())) { requiredMethodFound = true; } if (SAML2Constants.CONF_BEARER.equals(method) || SAML1Constants.CONF_BEARER.equals(method)) { standardMethodFound = true; if (super.isRequireBearerSignature() && !signed && !signedResponse) { LOG.warning("A Bearer Assertion was not signed"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } } else if (SAML2Constants.CONF_SENDER_VOUCHES.equals(method) || SAML1Constants.CONF_SENDER_VOUCHES.equals(method)) { standardMethodFound = true; } } } if (!requiredMethodFound && super.getRequiredSubjectConfirmationMethod() != null) { LOG.warning("A required subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } if (!standardMethodFound && super.isRequireStandardSubjectConfirmationMethod()) { LOG.warning("A standard subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } }