Java Code Examples for org.apache.wss4j.common.saml.SamlAssertionWrapper#getSaml2()
The following examples show how to use
org.apache.wss4j.common.saml.SamlAssertionWrapper#getSaml2() .
Example 1
Source File: OnBehalfOfValidator.java From cxf with Apache License 2.0 | 6 votes |
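/**
 * Validates an OnBehalfOf SAML token. After the base validation it requires a SAML 2.0
 * assertion that carries at least one AttributeStatement and whose Subject NameID is one
 * of the known users ({@code alice} or {@code bob}).
 *
 * @param credential the credential holding the SAML assertion to validate
 * @param data the request data passed to the base validator
 * @return the credential returned by the base validator, if every check passes
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the base validation fails
 *         or any of the custom checks is not met
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    // The base validator runs first (assumed to cover signature/trust checks -- confirm
    // against the superclass); the checks below are purely about the token's content.
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    if (assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // Only SAML 2.0 assertions are accepted here.
    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // A missing Subject or NameID is a validation failure, not an internal error: reject it
    // explicitly instead of letting it surface as a NullPointerException.
    Subject subject = saml2Assertion.getSubject();
    if (subject == null || subject.getNameID() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    String subjectName = subject.getNameID().getValue();
    if ("alice".equals(subjectName) || "bob".equals(subjectName)) {
        return validatedCredential;
    }
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}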
Example 2
Source File: AbstractBindingBuilder.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Stores a SAML assertion in the token store as a {@link SecurityToken} keyed by the
 * assertion's ID, and records that ID on the message under
 * {@code SecurityConstants.TOKEN_ID}.
 * <p>
 * Assertions whose ID cannot be read from the DOM element are skipped without error.
 *
 * @param assertion the assertion to store
 * @throws TokenStoreException if the token store rejects the token
 */
protected void storeAssertionAsSecurityToken(SamlAssertionWrapper assertion) throws TokenStoreException {
    String tokenId = findIDFromSamlToken(assertion.getElement());
    if (tokenId == null) {
        return;
    }
    // The token type tells consumers which SAML version the stored element holds.
    String tokenType = assertion.getSaml2() != null
        ? WSS4JConstants.WSS_SAML2_TOKEN_TYPE
        : WSS4JConstants.WSS_SAML_TOKEN_TYPE;

    SecurityToken storedToken = new SecurityToken(tokenId);
    storedToken.setTokenType(tokenType);
    storedToken.setToken(assertion.getElement());
    getTokenStore().add(storedToken);
    message.put(SecurityConstants.TOKEN_ID, storedToken.getId());
}
Example 3
Source File: SCTTokenValidator.java From cxf with Apache License 2.0 | 6 votes |
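/**
 * Validates a SecurityContextToken credential and extracts the secret key from the
 * transformed SAML 2.0 token it carries.
 * <p>
 * The transformed token must be a SAML 2.0 assertion issued by {@code DoubleItSTSIssuer};
 * its subject KeyInfo is then resolved and the contained secret stored on the credential.
 *
 * @param credential the credential to validate
 * @param data the request data (provides the signature crypto and callback handler used
 *        to resolve the subject key material)
 * @return the validated credential with its secret key set
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the transformed token is
 *         missing, is not SAML 2.0, has an unexpected issuer, or carries no secret
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);

    // The SCT must have been transformed into a SAML 2.0 token from the expected STS.
    SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
    if (transformedToken == null
        || transformedToken.getSaml2() == null
        || !"DoubleItSTSIssuer".equals(transformedToken.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }

    // Resolve the subject's KeyInfo so the secret can be read from it.
    transformedToken.parseSubject(
        new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler()
    );

    // A token without resolvable subject key material cannot establish a secret key;
    // reject it here rather than propagating a NullPointerException or a null key.
    SAMLKeyInfo keyInfo = transformedToken.getSubjectKeyInfo();
    if (keyInfo == null || keyInfo.getSecret() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    validatedCredential.setSecretKey(keyInfo.getSecret());
    return validatedCredential;
}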
Example 4
Source File: ClaimsValidator.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Validates the SAML assertion's claims on top of the base validation, dispatching to the
 * SAML 1.1 or SAML 2.0 claim handler depending on the assertion version.
 *
 * @param credential the credential holding the SAML assertion
 * @param data the request data passed to the base validator
 * @return the validated credential when the claims are accepted
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the base validation fails,
 *         the claims are rejected, or the assertion is neither SAML 1.1 nor SAML 2.0
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();

    boolean claimsAccepted;
    if (assertion.getSaml1() != null) {
        claimsAccepted = handleSAML1Assertion(assertion.getSaml1());
    } else if (assertion.getSaml2() != null) {
        claimsAccepted = handleSAML2Assertion(assertion.getSaml2());
    } else {
        // Neither version present: nothing to check, so the claims cannot be satisfied.
        claimsAccepted = false;
    }

    if (!claimsAccepted) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    return validatedCredential;
}
Example 5
Source File: IssuedTokenPolicyValidator.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Builds a {@link SecurityToken} from a SAML assertion wrapper.
 * <p>
 * The token gets the assertion's ID, whatever subject key material the wrapper exposes
 * (secret, first certificate, public key), a token type matching the SAML version, and
 * the assertion's DOM element.
 *
 * @param assertionWrapper the assertion to convert; must not be null
 * @return the populated security token
 */
private SecurityToken createSecurityToken(SamlAssertionWrapper assertionWrapper) {
    SecurityToken securityToken = new SecurityToken(assertionWrapper.getId());

    // Copy over whichever subject key material is available.
    SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
    if (keyInfo != null) {
        securityToken.setSecret(keyInfo.getSecret());
        X509Certificate[] subjectCerts = keyInfo.getCerts();
        boolean hasCertificate = subjectCerts != null && subjectCerts.length > 0;
        if (hasCertificate) {
            // Only the leaf (first) certificate is attached to the token.
            securityToken.setX509Certificate(subjectCerts[0], null);
        }
        if (keyInfo.getPublicKey() != null) {
            securityToken.setKey(keyInfo.getPublicKey());
        }
    }

    // Token type follows the SAML version; left unset if neither version is present.
    if (assertionWrapper.getSaml1() != null) {
        securityToken.setTokenType(WSS4JConstants.WSS_SAML_TOKEN_TYPE);
    } else if (assertionWrapper.getSaml2() != null) {
        securityToken.setTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    }

    securityToken.setToken(assertionWrapper.getElement());
    return securityToken;
}
Example 6
Source File: SAMLTokenRenewer.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Replaces the issue instant and the Conditions of an assertion being renewed.
 * <p>
 * The new Conditions come from the configured conditions provider; the issue instant is
 * reset to "now". SAML 1.1 and SAML 2.0 assertions are handled through their respective
 * component builders.
 *
 * @param assertion the assertion to update in place
 * @param tokenParameters the renewal parameters used to derive the new conditions
 */
private void createNewConditions(SamlAssertionWrapper assertion, TokenRenewerParameters tokenParameters) {
    ConditionsBean conditionsBean =
        conditionsProvider.getConditions(convertToProviderParameters(tokenParameters));

    org.opensaml.saml.saml1.core.Assertion saml1Assertion = assertion.getSaml1();
    if (saml1Assertion != null) {
        saml1Assertion.setIssueInstant(new DateTime());
        saml1Assertion.setConditions(SAML1ComponentBuilder.createSamlv1Conditions(conditionsBean));
    } else {
        // NOTE(review): a wrapper with neither version would NPE here -- confirm callers
        // only pass SAML 1.1 or SAML 2.0 assertions.
        org.opensaml.saml.saml2.core.Assertion saml2Assertion = assertion.getSaml2();
        saml2Assertion.setIssueInstant(new DateTime());
        saml2Assertion.setConditions(SAML2ComponentBuilder.createConditions(conditionsBean));
    }
}
Example 7
Source File: CustomSaml2Validator.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Custom SAML 2.0 validation: on top of the base validation, the assertion must be issued
 * by {@code sts}, be SAML 2.0, and contain at least one AttributeStatement.
 *
 * @param credential the credential holding the SAML assertion
 * @param data the request data passed to the base validator
 * @return the validated credential when all checks pass
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if any check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();

    boolean issuedBySts = "sts".equals(assertion.getIssuerString());
    if (!issuedBySts) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    Assertion saml2Assertion = assertion.getSaml2();
    List<AttributeStatement> statements =
        saml2Assertion == null ? null : saml2Assertion.getAttributeStatements();
    boolean hasAttributeStatements = statements != null && !statements.isEmpty();
    if (!hasAttributeStatements) {
        // Covers both "not SAML 2.0" and "SAML 2.0 without attributes".
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    return validatedCredential;
}
Example 8
Source File: DefaultClaimsPolicyValidator.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Looks for a claim in a SAML assertion, delegating to the version-specific overload.
 *
 * @param assertion the wrapped assertion (SAML 1.1 or SAML 2.0)
 * @param claimURI the claim to look for
 * @return the result of the version-specific search, or {@code false} if the wrapper holds
 *         neither a SAML 1.1 nor a SAML 2.0 assertion
 */
private boolean findClaimInAssertion(SamlAssertionWrapper assertion, URI claimURI) {
    org.opensaml.saml.saml1.core.Assertion saml1 = assertion.getSaml1();
    if (saml1 != null) {
        return findClaimInAssertion(saml1, claimURI);
    }
    org.opensaml.saml.saml2.core.Assertion saml2 = assertion.getSaml2();
    if (saml2 != null) {
        return findClaimInAssertion(saml2, claimURI);
    }
    return false;
}
Example 9
Source File: SamlResponseCreator.java From cxf-fediz with Apache License 2.0 | 5 votes |
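/**
 * Creates the encoded SAML response returned to the service provider.
 * <p>
 * The RP token must contain exactly one SAML 2.0 Assertion; it is re-issued for the
 * requester via {@code createSAML2Assertion}, wrapped in a Response and encoded.
 *
 * @param context the current web-flow request context (source of the client address)
 * @param idp the IdP configuration
 * @param rpToken the token received for the relying party
 * @param consumerURL the assertion consumer service URL
 * @param requestId the ID of the AuthnRequest being answered
 * @param requestIssuer the issuer of the AuthnRequest
 * @return the encoded SAML response
 * @throws ProcessingException {@code BAD_REQUEST} if the token does not hold exactly one
 *         SAML 2.0 assertion or building the response fails; exceptions already
 *         classified by the called helpers (e.g. {@code INVALID_REQUEST}) are propagated
 *         unchanged
 */
public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
                                 String consumerURL, String requestId, String requestIssuer)
    throws ProcessingException {
    // Exactly one SAML 2.0 Assertion element is expected (size() != 1 already covers empty).
    List<Element> samlTokens =
        DOMUtils.findAllElementsByTagNameNS(rpToken, WSConstants.SAML2_NS, "Assertion");
    if (samlTokens.size() != 1) {
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }

    try {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlTokens.get(0));
        if (wrapper.getSaml2() == null) {
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        String remoteAddr = WebUtils.getHttpServletRequest(context).getRemoteAddr();
        Assertion saml2Assertion = createSAML2Assertion(context, idp, wrapper, requestId,
                                                        requestIssuer, remoteAddr, consumerURL);
        Element response = createResponse(idp, requestId, saml2Assertion);
        return encodeResponse(response);
    } catch (ProcessingException ex) {
        // Already classified (e.g. INVALID_REQUEST on a NameID mismatch): keep the specific
        // type instead of collapsing every failure into BAD_REQUEST.
        throw ex;
    } catch (Exception ex) {
        // Log the exception itself, not just its message, so the root cause is not lost.
        LOG.warn("Error marshalling SAML Token: {}", ex.getMessage(), ex);
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}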
Example 10
Source File: FedizSubjectCreator.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Parses a SAML token element and returns its SAML 2.0 assertion.
 *
 * @param samlToken the DOM element holding the SAML token
 * @return the SAML 2.0 assertion, or {@code null} if the token is not SAML 2.0
 * @throws OAuthServiceException if the element cannot be parsed as a SAML token
 */
private Assertion getSaml2Assertion(Element samlToken) {
    // Should a null assertion lead to the exception ?
    SamlAssertionWrapper wrapper;
    try {
        wrapper = new SamlAssertionWrapper(samlToken);
    } catch (WSSecurityException ex) {
        throw new OAuthServiceException("Error converting SAML token", ex);
    }
    return wrapper.getSaml2();
}
Example 11
Source File: CustomSamlValidator.java From cxf with Apache License 2.0 | 5 votes |
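/**
 * Custom SAML validation on top of the base validation: the assertion must be issued by
 * {@code www.example.com}, match the configured SAML version, and carry a subject
 * confirmation method consistent with the {@code requireSenderVouches} /
 * {@code requireBearer} settings (holder-of-key when neither is required).
 *
 * @param credential the credential holding the SAML assertion
 * @param data the request data passed to the base validator
 * @return the credential returned by the base validator when all checks pass
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if any check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential returnedCredential = super.validate(credential, data);

    //
    // Do some custom validation on the assertion
    //
    SamlAssertionWrapper assertion = credential.getSamlAssertion();
    if (!"www.example.com".equals(assertion.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // The SAML version must match what this validator was configured for.
    if (requireSAML1Assertion && assertion.getSaml1() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireSAML1Assertion && assertion.getSaml2() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // An assertion without any subject confirmation method cannot satisfy the checks
    // below; report it as a validation failure instead of an IndexOutOfBoundsException.
    if (assertion.getConfirmationMethods() == null || assertion.getConfirmationMethods().isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    String confirmationMethod = assertion.getConfirmationMethods().get(0);
    if (confirmationMethod == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // Only the first confirmation method is checked.
    if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (requireBearer
        && !(SAML2Constants.CONF_BEARER.equals(confirmationMethod)
             || SAML1Constants.CONF_BEARER.equals(confirmationMethod))) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireBearer && !requireSenderVouches
        && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    return returnedCredential;
}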
Example 12
Source File: CustomBSTTokenValidator.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Validates a BinarySecurityToken credential whose transformed token must be a SAML 2.0
 * assertion issued by {@code DoubleItSTSIssuer}.
 *
 * @param credential the credential to validate
 * @param data the request data passed to the base validator
 * @return the validated credential
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the transformed token is
 *         absent, not SAML 2.0, or has a different issuer
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);

    SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
    boolean acceptable = transformedToken != null
        && transformedToken.getSaml2() != null
        && "DoubleItSTSIssuer".equals(transformedToken.getIssuerString());
    if (!acceptable) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    return validatedCredential;
}
Example 13
Source File: CrossDomainValidator.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Cross-domain validation: the SAML assertion must be SAML 2.0 and issued by
 * {@code b-issuer}.
 *
 * @param credential the credential holding the SAML assertion
 * @param data the request data passed to the base validator
 * @return the validated credential
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the assertion is absent,
 *         not SAML 2.0, or has a different issuer
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);

    SamlAssertionWrapper samlToken = validatedCredential.getSamlAssertion();
    boolean acceptable = samlToken != null
        && samlToken.getSaml2() != null
        && "b-issuer".equals(samlToken.getIssuerString());
    if (!acceptable) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    return validatedCredential;
}
Example 14
Source File: ActAsValidator.java From cxf with Apache License 2.0 | 5 votes |
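/**
 * Validates an ActAs SAML token. After the base validation the assertion must be SAML 2.0,
 * its Subject NameID must name the technical user ({@code www.client.com}), and one of its
 * {@code ActAs} / {@code CustomActAs} attribute values must name a known user
 * ({@code alice} or {@code bob}).
 * <p>
 * Note that both user checks are substring matches ({@code contains}), not exact
 * comparisons.
 *
 * @param credential the credential holding the SAML assertion
 * @param data the request data passed to the base validator
 * @return the validated credential when all checks pass
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if any check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();

    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // The technical user should be in the Subject. A missing NameID value is a validation
    // failure, not an internal error, so it is guarded rather than allowed to NPE.
    Subject subject = saml2Assertion.getSubject();
    if (subject == null || subject.getNameID() == null || subject.getNameID().getValue() == null
        || !subject.getNameID().getValue().contains("www.client.com")) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    for (AttributeStatement statement : attributeStatements) {
        List<Attribute> attributes = statement.getAttributes();
        for (Attribute attribute : attributes) {
            if (!"CustomActAs".equals(attribute.getName()) && !"ActAs".equals(attribute.getName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                // An attribute value without a backing DOM cannot carry text; skip it
                // instead of dereferencing null.
                Element attributeValueElement = attributeValue.getDOM();
                if (attributeValueElement == null) {
                    continue;
                }
                String text = attributeValueElement.getTextContent();
                if (text != null && (text.contains("alice") || text.contains("bob"))) {
                    return validatedCredential;
                }
            }
        }
    }

    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}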
Example 15
Source File: StaxClaimsValidator.java From cxf with Apache License 2.0 | 4 votes |
/**
 * StAX SAML token validation with claim checks.
 * <p>
 * Runs the standard checks (conditions, OneTimeUse replay cache, schema/profile
 * validation), then the SAML 1.1 or SAML 2.0 claim handler, and finally wraps the
 * assertion in a {@link SamlSecurityTokenImpl}. The signature-verification crypto is only
 * attached when the assertion is signed.
 *
 * @param samlAssertionWrapper the assertion to validate
 * @param subjectSecurityToken the security token of the assertion's subject
 * @param tokenContext the StAX token context (security properties, element path, events)
 * @return the created SAML security token
 * @throws WSSecurityException if any of the standard checks fails or the claims are rejected
 */
@SuppressWarnings("unchecked")
@Override
public <T extends SamlSecurityToken & InboundSecurityToken> T validate(
    final SamlAssertionWrapper samlAssertionWrapper,
    final InboundSecurityToken subjectSecurityToken,
    final TokenContext tokenContext
) throws WSSecurityException {
    // Standard checks, in the same order as the base implementation.
    checkConditions(samlAssertionWrapper);
    checkOneTimeUse(samlAssertionWrapper,
                    tokenContext.getWssSecurityProperties().getSamlOneTimeUseReplayCache());
    validateAssertion(samlAssertionWrapper);

    // Claim checks, dispatched on the SAML version.
    boolean claimsSatisfied = false;
    if (samlAssertionWrapper.getSaml1() != null) {
        claimsSatisfied = handleSAML1Assertion(samlAssertionWrapper.getSaml1());
    } else if (samlAssertionWrapper.getSaml2() != null) {
        claimsSatisfied = handleSAML2Assertion(samlAssertionWrapper.getSaml2());
    }
    if (!claimsSatisfied) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // Only a signed assertion needs the verification crypto.
    Crypto verificationCrypto = samlAssertionWrapper.isSigned()
        ? tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto()
        : null;

    SamlSecurityTokenImpl samlToken = new SamlSecurityTokenImpl(
        samlAssertionWrapper,
        subjectSecurityToken,
        tokenContext.getWsSecurityContext(),
        verificationCrypto,
        WSSecurityTokenConstants.KeyIdentifier_NoKeyInfo,
        tokenContext.getWssSecurityProperties());
    samlToken.setElementPath(tokenContext.getElementPath());
    samlToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
    return (T) samlToken;
}
Example 16
Source File: CustomStaxSamlValidator.java From cxf with Apache License 2.0 | 4 votes |
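/**
 * Custom StAX SAML validation: after the base validation the assertion must be issued by
 * {@code www.example.com}, match the configured SAML version, and carry a subject
 * confirmation method consistent with {@code requireSenderVouches} (holder-of-key
 * otherwise).
 *
 * @param samlAssertionWrapper the assertion to validate
 * @param subjectSecurityToken the security token of the assertion's subject
 * @param tokenContext the StAX token context
 * @return the token produced by the base validation
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if any custom check fails,
 *         or whatever the base validation throws
 */
@SuppressWarnings("unchecked")
@Override
public <T extends SamlSecurityToken & InboundSecurityToken> T validate(
    final SamlAssertionWrapper samlAssertionWrapper,
    final InboundSecurityToken subjectSecurityToken,
    final TokenContext tokenContext
) throws WSSecurityException {
    //jdk 1.6 compiler bug? http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6302954
    //type parameters of <T>T cannot be determined; no unique maximal instance exists for type variable T with
    // upper bounds org.apache.wss4j.stax.securityToken.SamlSecurityToken,
    // org.apache.wss4j.stax.securityToken.SamlSecurityToken,
    // org.apache.xml.security.stax.ext.securityToken.InboundSecurityToken
    //works fine on jdk 1.7
    final SamlSecurityToken token = super.</*fake @see above*/SamlSecurityTokenImpl>
        validate(samlAssertionWrapper, subjectSecurityToken, tokenContext);

    //
    // Do some custom validation on the assertion
    //
    if (!"www.example.com".equals(samlAssertionWrapper.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // The SAML version must match what this validator was configured for.
    if (requireSAML1Assertion && samlAssertionWrapper.getSaml1() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireSAML1Assertion && samlAssertionWrapper.getSaml2() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // An assertion without any subject confirmation method cannot satisfy the checks
    // below; report it as a validation failure instead of an IndexOutOfBoundsException.
    if (samlAssertionWrapper.getConfirmationMethods() == null
        || samlAssertionWrapper.getConfirmationMethods().isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    String confirmationMethod = samlAssertionWrapper.getConfirmationMethods().get(0);
    if (confirmationMethod == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // Only the first confirmation method is checked.
    if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    } else if (!requireSenderVouches && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    return (T) token;
}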
Example 17
Source File: SamlOAuthValidator.java From cxf with Apache License 2.0 | 4 votes |
/**
 * Rejects any assertion that is not SAML 2.0.
 *
 * @param assertionW the wrapped assertion to check
 * @throws javax.ws.rs.NotAuthorizedException (via {@code ExceptionUtils.toNotAuthorizedException})
 *         if the wrapper holds no SAML 2.0 assertion
 */
private void validateSAMLVersion(SamlAssertionWrapper assertionW) {
    boolean isSaml2 = assertionW.getSaml2() != null;
    if (!isSaml2) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}
Example 18
Source File: CustomSAMLPRequestBuilder.java From cxf-fediz with Apache License 2.0 | 4 votes |
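/**
 * Creates a SAML 2.0 LogoutRequest for the given issuer, carrying the NameID and the
 * session indices taken from the authenticated assertion.
 * <p>
 * Only SAML 2.0 assertions contribute a NameID and session indices; for a null wrapper or
 * a non-SAML-2.0 assertion the request is built with no NameID and no session indices.
 *
 * @param issuerId the issuer to put in the LogoutRequest
 * @param reason the logout reason
 * @param authenticatedAssertion the assertion of the session being terminated; may be null
 * @return the LogoutRequest
 * @throws Exception if building the request fails
 */
@Override
public LogoutRequest createLogoutRequest(
    String issuerId, String reason, SamlAssertionWrapper authenticatedAssertion
) throws Exception {
    Issuer issuer = SamlpRequestComponentBuilder.createIssuer(issuerId);
    NameID nameID = null;
    List<String> sessionIndices = new ArrayList<>();

    // Every access to getSaml2() stays inside this guard: a SAML 1.1 assertion (getSaml2()
    // == null) must not be dereferenced when collecting the session indices.
    if (authenticatedAssertion != null && authenticatedAssertion.getSaml2() != null) {
        org.opensaml.saml.saml2.core.Assertion saml2Assertion = authenticatedAssertion.getSaml2();

        org.opensaml.saml.saml2.core.Subject subject = saml2Assertion.getSubject();
        if (subject != null && subject.getNameID() != null) {
            nameID = subject.getNameID();
            // Detach the NameID from the assertion's object tree (presumably so it can be
            // re-used in the LogoutRequest -- confirm against SamlpRequestComponentBuilder).
            nameID.detach();
        }

        List<AuthnStatement> authnStatements = saml2Assertion.getAuthnStatements();
        if (authnStatements != null) {
            for (AuthnStatement authnStatement : authnStatements) {
                if (authnStatement.getSessionIndex() != null) {
                    sessionIndices.add(authnStatement.getSessionIndex());
                }
            }
        }
    }

    //CHECKSTYLE:OFF
    return SamlpRequestComponentBuilder.createLogoutRequest(
        issuer, reason, nameID, sessionIndices
    );
}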
Example 19
Source File: SamlResponseCreator.java From cxf-fediz with Apache License 2.0 | 4 votes |
/**
 * Builds and signs the SAML 2.0 assertion the IdP issues in answer to an AuthnRequest.
 * <p>
 * The issued assertion re-uses the Subject and AttributeStatements of the token received
 * from the STS, adds SubjectConfirmationData bound to the client address, the request ID
 * and the consumer URL, restricts the audience to the requesting issuer, and is valid for
 * five minutes. If the AuthnRequest named a Subject, the received NameID value must equal
 * it.
 *
 * @param context the current web-flow request context
 * @param idp the IdP configuration (realm/URL, signing certificate and password)
 * @param receivedToken the token received from the STS; callers are expected to have
 *        checked that {@code getSaml2()} is non-null
 * @param requestID the ID of the AuthnRequest being answered (InResponseTo)
 * @param requestIssuer the issuer of the AuthnRequest, used as the audience
 * @param remoteAddr the client address placed in the SubjectConfirmationData
 * @param racs the assertion consumer service URL (Recipient)
 * @return the signed SAML 2.0 assertion
 * @throws ProcessingException with {@code INVALID_REQUEST} if the requested NameID does not
 *         match the received one
 * @throws Exception if the SAML callback or the signing fails
 */
private Assertion createSAML2Assertion(RequestContext context, Idp idp, SamlAssertionWrapper receivedToken,
                                       String requestID, String requestIssuer, String remoteAddr,
                                       String racs) throws Exception {
    Assertion received = receivedToken.getSaml2();

    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setIssuer(isUseRealmForIssuer() ? idp.getRealm() : idp.getIdpUrl().toString());
    callbackHandler.setSubject(received.getSubject());

    // Test Subject against received Subject (if applicable)
    SAMLAuthnRequest authnRequest =
        (SAMLAuthnRequest) WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
    // NOTE(review): a received token without a Subject would NPE on the next line --
    // confirm callers guarantee one.
    if (authnRequest.getSubjectNameId() != null && received.getSubject().getNameID() != null) {
        NameID issuedNameId = received.getSubject().getNameID();
        if (!authnRequest.getSubjectNameId().equals(issuedNameId.getValue())) {
            LOG.debug("Received NameID value of {} does not match issued value {}",
                      authnRequest.getSubjectNameId(), issuedNameId.getValue());
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    // Subject Confirmation Data
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setAddress(remoteAddr);
    confirmationData.setInResponseTo(requestID);
    confirmationData.setNotAfter(new DateTime().plusMinutes(5));
    confirmationData.setRecipient(racs);
    callbackHandler.setSubjectConfirmationData(confirmationData);

    // Audience Restriction
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList(requestIssuer));
    ConditionsBean conditions = new ConditionsBean();
    conditions.setTokenPeriodMinutes(5);
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);

    // Attributes
    callbackHandler.setAttributeStatements(received.getAttributeStatements());

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper issuedAssertion = new SamlAssertionWrapper(samlCallback);

    // Sign with the IdP's own certificate.
    Crypto issuerCrypto = CertsUtils.getCryptoFromCertificate(idp.getCertificate());
    issuedAssertion.signAssertion(issuerCrypto.getDefaultX509Identifier(),
                                  idp.getCertificatePassword(), issuerCrypto, false);
    return issuedAssertion.getSaml2();
}
Example 20
Source File: DefaultSAMLPRequestBuilder.java From cxf-fediz with Apache License 2.0 | 4 votes |
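/**
 * Creates a SAML 2.0 LogoutRequest for the given issuer, carrying the NameID and the
 * session indices taken from the authenticated assertion.
 * <p>
 * Only SAML 2.0 assertions contribute a NameID and session indices; for a null wrapper or
 * a non-SAML-2.0 assertion the request is built with no NameID and no session indices.
 *
 * @param issuerId the issuer to put in the LogoutRequest
 * @param reason the logout reason
 * @param authenticatedAssertion the assertion of the session being terminated; may be null
 * @return the LogoutRequest
 * @throws Exception if building the request fails
 */
@Override
public LogoutRequest createLogoutRequest(
    String issuerId, String reason, SamlAssertionWrapper authenticatedAssertion
) throws Exception {
    Issuer issuer = SamlpRequestComponentBuilder.createIssuer(issuerId);
    NameID nameID = null;
    List<String> sessionIndices = new ArrayList<>();

    // Every access to getSaml2() stays inside this guard: a SAML 1.1 assertion (getSaml2()
    // == null) must not be dereferenced when collecting the session indices.
    if (authenticatedAssertion != null && authenticatedAssertion.getSaml2() != null) {
        org.opensaml.saml.saml2.core.Assertion saml2Assertion = authenticatedAssertion.getSaml2();

        org.opensaml.saml.saml2.core.Subject subject = saml2Assertion.getSubject();
        if (subject != null && subject.getNameID() != null) {
            nameID = subject.getNameID();
            // Detach the NameID from the assertion's object tree (presumably so it can be
            // re-used in the LogoutRequest -- confirm against SamlpRequestComponentBuilder).
            nameID.detach();
        }

        List<AuthnStatement> authnStatements = saml2Assertion.getAuthnStatements();
        if (authnStatements != null) {
            for (AuthnStatement authnStatement : authnStatements) {
                if (authnStatement.getSessionIndex() != null) {
                    sessionIndices.add(authnStatement.getSessionIndex());
                }
            }
        }
    }

    //CHECKSTYLE:OFF
    return SamlpRequestComponentBuilder.createLogoutRequest(
        issuer, reason, nameID, sessionIndices
    );
}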