org.openid4java.message.Message Java Examples
The following examples show how to use
org.openid4java.message.Message.
Example #1
Source File: SmartOpenIdController.java From springboot-shiro-cas-mybatis with MIT License | 6 votes |
/**
 * Builds the parameters of an OpenID association response.
 *
 * <p>The {@code openid.mode} value is read from the request. The server manager is
 * asked for an association response only when the mode equals
 * {@code OpenIdConstants.ASSOCIATE}; for any other or missing mode the returned map
 * is empty.
 *
 * @param request the incoming request; every parameter in it is client-supplied
 * @return the response parameters, never {@code null}
 */
public Map<String, String> getAssociationResponse(final HttpServletRequest request) {
    final ParameterList parameters = new ParameterList(request.getParameterMap());

    String mode = null;
    if (parameters.hasParameter(OpenIdConstants.OPENID_MODE)) {
        mode = parameters.getParameterValue(OpenIdConstants.OPENID_MODE);
    }

    final Map<String, String> responseParams = new HashMap<>();
    if (!StringUtils.equals(mode, OpenIdConstants.ASSOCIATE)) {
        // Not an association request: nothing to hand back.
        return responseParams;
    }

    final Message response = serverManager.associationResponse(parameters);
    if (response != null) {
        responseParams.putAll(response.getParameterMap());
    }
    return responseParams;
}
Example #2
Source File: SmartOpenIdController.java From cas4.0.x-server-wechat with Apache License 2.0 | 6 votes |
/**
 * Builds the parameters of an OpenID association response.
 *
 * <p>Only a request whose {@code openid.mode} is {@code associate} is passed to the
 * server manager; any other request yields an empty map.
 *
 * @param request the incoming request; every parameter in it is client-supplied
 * @return the response parameters, never {@code null}
 */
public Map<String, String> getAssociationResponse(final HttpServletRequest request) {
    final ParameterList parameters = new ParameterList(request.getParameterMap());

    String mode = null;
    if (parameters.hasParameter("openid.mode")) {
        mode = parameters.getParameterValue("openid.mode");
    }

    final Map<String, String> responseParams = new HashMap<String, String>();
    if (!"associate".equals(mode)) {
        // Covers both a missing mode and any mode other than "associate".
        return responseParams;
    }

    final Message response = serverManager.associationResponse(parameters);
    if (response != null) {
        responseParams.putAll(response.getParameterMap());
    }
    return responseParams;
}
Example #3
Source File: CustomOpenIdProcessor.java From OpenID-Attacker with GNU General Public License v2.0 | 6 votes |
/**
 * Attaches a Simple Registration (SReg) response to the token when the authentication
 * request carries an SReg request.
 *
 * <p>The response is populated from the valid user's data map. An extension that is
 * already an {@code SRegResponse} is left unhandled; any other extension type is
 * rejected.
 *
 * @param token the message to extend; returned to the caller
 * @param authRequest the authentication request to inspect
 * @return the same {@code token} instance
 * @throws MessageException if the extension cannot be read or added
 * @throws UnsupportedOperationException for an unsupported extension type
 */
private Message processSRegExtension(Message token, final AuthRequest authRequest) throws MessageException {
    final String sregNamespace = detectSRegVersion(authRequest);
    if (sregNamespace == null) {
        return token;
    }

    final MessageExtension ext = authRequest.getExtension(sregNamespace);
    if (ext instanceof SRegRequest) {
        final SRegResponse sregResp =
                SRegResponse.createSRegResponse((SRegRequest) ext, getValidUser().getUserDataMap());
        token.addExtension(sregResp, "sreg");
        return token;
    }
    if (ext instanceof SRegResponse) {
        // Open question carried over from the original author: no handling defined yet.
        return token;
    }

    // NOTE(review): a null extension also ends up here and fails on ext.getClass().
    final String message = String.format("TODO - Support of '%s'", ext.getClass().getCanonicalName());
    throw new UnsupportedOperationException(message);
}
Example #4
Source File: CustomOpenIdProcessor.java From OpenID-Attacker with GNU General Public License v2.0 | 6 votes |
/**
 * Creates the OpenID token for an authentication request.
 *
 * <p>The response is built for the configured valid user, extended with AX and SReg
 * data, and then two signature sets are generated: one for the valid values and one
 * for the attack values. The result is exposed through the parameter keeper.
 *
 * @param authRequest the authentication request to answer
 * @return the keeper holding the generated parameters
 * @throws OpenIdAttackerServerException if no {@code AuthSuccess} could be created or
 *         if extension processing or signing fails
 */
private AttackParameterKeeper processTokenRequest(final AuthRequest authRequest) throws OpenIdAttackerServerException {
    final String userSelId = getValidUser().getIdentifier();
    final String userSelClaimed = getValidUser().getClaimedId();
    final Message token = serverManager.authResponse(authRequest, userSelId, userSelClaimed, true, false);

    if (!(token instanceof AuthSuccess)) {
        throw new OpenIdAttackerServerException("Error while creating auth Response");
    }

    try {
        processAxExtension(token, authRequest);
        processSRegExtension(token, authRequest);
        // Signing comes last so that it runs after the extensions were added.
        generateSignatureForValidValues((AuthSuccess) token);
        generateSignatureForAttackValues();
    } catch (ServerException | MessageException | AssociationException ex) {
        // NOTE(review): only the message is forwarded; the original cause and stack trace are dropped.
        throw new OpenIdAttackerServerException(ex.getMessage());
    }
    return getKeeper();
}
Example #5
Source File: CustomOpenIdProviderHandler.java From OpenID-Attacker with GNU General Public License v2.0 | 6 votes |
/**
 * Answers an OpenID {@code check_authentication} request and records the exchange.
 *
 * <p>When this handler runs as {@code IdpType.ATTACKER}, the positive response is
 * generated without consulting the request. Otherwise the processor produces the
 * response from the request parameters.
 *
 * @param info free-text description of the request, stored with the log entry
 * @param response the servlet response to write the key-value body to
 * @param requestParameter the parameters of the incoming request
 * @throws IOException if the response body cannot be written
 */
private void handleCheckAuthentication(String info, HttpServletResponse response, final ParameterList requestParameter) throws IOException {
    LOG.info("--> BEGIN handleCheckAuthentication");

    final String handle = requestParameter.getParameterValue("openid.assoc_handle");
    final String summary = String.format("Returning check_authentication = true for %s", handle);
    // NOTE(review): the handle is request-supplied and logged as-is; confirm the log layout neutralises line breaks.
    LOG.info(String.format(" --> assoc_handle = %s", handle));

    final Message verdict = idpType.equals(IdpType.ATTACKER)
            ? getOpenIdProcessor().generatePositiveCheckAuthenticationResponse()
            : getOpenIdProcessor().generateCorrectCheckAuthenticationResponse(requestParameter);

    final String body = verdict.keyValueFormEncoding();
    response.getWriter().println(body);
    response.setStatus(HttpServletResponse.SC_OK);

    final String loggedRequest = String.format("%s\n\n%s", info, requestParameter.toString());
    RequestLogger.getInstance().add(RequestType.CHECK_AUTHENTICATION, summary, loggedRequest, body, idpType);

    LOG.info("--> END handleCheckAuthentication");
}
Example #6
Source File: CustomOpenIdProcessorTest.java From OpenID-Attacker with GNU General Public License v2.0 | 5 votes |
/**
 * Verifies that the association handle follows the prefix configured on the custom
 * association store: the bare prefix first, then {@code prefix-1}, {@code prefix-2}, ...
 * for repeated requests, and the bare prefix again after the prefix is replaced.
 */
@Test
public void testOpenidAssociate() throws Exception {
    final String associateQuery = "openid.dh_consumer_public=MTEK&openid.mode=associate&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.session_type=DH-SHA1&openid.assoc_type=HMAC-SHA1";
    final String handleKey = "assoc_handle";
    String prefix = randomAscii(20);
    final ParameterList associateRequest = ParameterList.createFromQueryString(associateQuery);

    // Before the custom store is installed, the handle must differ from the chosen prefix.
    Message response = manager.associationResponse(associateRequest);
    String handle = response.getParameterValue(handleKey);
    assertThat(handle, not(equalTo(prefix)));

    final CustomInMemoryServerAssociationStore store = new CustomInMemoryServerAssociationStore();
    store.setAssociationPrefix(prefix);
    manager.setSharedAssociations(store);
    response = processor.processAssociationRequest(associateRequest);
    handle = response.getParameterValue(handleKey);
    assertThat(handle, equalTo(prefix));

    // Repeated requests with the same prefix receive a numeric suffix.
    for (int attempt = 1; attempt <= 4; attempt++) {
        response = processor.processAssociationRequest(associateRequest);
        handle = response.getParameterValue(handleKey);
        assertThat(handle, equalTo(prefix + "-" + attempt));
    }

    // A new prefix starts again without a suffix.
    prefix = randomNumeric(20);
    store.setAssociationPrefix(prefix);
    response = processor.processAssociationRequest(associateRequest);
    handle = response.getParameterValue(handleKey);
    assertThat(handle, equalTo(prefix));
}
Example #7
Source File: CustomOpenIdProcessor.java From OpenID-Attacker with GNU General Public License v2.0 | 5 votes |
/**
 * Attaches an Attribute Exchange (AX) fetch response to the token when the
 * authentication request carries an AX fetch request.
 *
 * <p>The response is populated from the valid user's data map. Any AX extension other
 * than a fetch request is rejected.
 *
 * @param token the message to extend; returned to the caller
 * @param authRequest the authentication request to inspect
 * @return the same {@code token} instance
 * @throws MessageException if the extension cannot be read or added
 * @throws UnsupportedOperationException for an AX extension that is not a fetch request
 */
private Message processAxExtension(Message token, final AuthRequest authRequest) throws MessageException {
    if (!authRequest.hasExtension(AxMessage.OPENID_NS_AX)) {
        return token;
    }

    final MessageExtension extension = authRequest.getExtension(AxMessage.OPENID_NS_AX);
    if (!(extension instanceof FetchRequest)) {
        throw new UnsupportedOperationException("TODO: if (ext instanceof StoreRequest)");
    }

    final Map userDataMap = getValidUser().getUserDataMap();
    final FetchResponse fetchResponse = FetchResponse.createFetchResponse((FetchRequest) extension, userDataMap);
    token.addExtension(fetchResponse, "ax");
    return token;
}
Example #8
Source File: CustomOpenIdProcessor.java From OpenID-Attacker with GNU General Public License v2.0 | 5 votes |
/**
 * Builds a verification response that always carries {@code is_valid=true}.
 *
 * <p>The method takes no request data, so no signature or association is checked
 * here. It is test-tool behaviour and not a model for a production OpenID provider,
 * which must derive {@code is_valid} from an actual signature verification.
 *
 * @return the positive verification response
 * @throws IllegalStateException if the fixed parameter set is rejected by the library
 */
public Message generatePositiveCheckAuthenticationResponse() {
    // Insertion order is kept so that "ns" precedes "is_valid" in the encoded response.
    final Map<String, String> fields = new LinkedHashMap<>();
    fields.put("ns", "http://specs.openid.net/auth/2.0");
    fields.put("is_valid", "true");

    final ParameterList responseParameters = new ParameterList(fields);
    try {
        return VerifyResponse.createVerifyResponse(responseParameters);
    } catch (MessageException ex) {
        throw new IllegalStateException("This should never happen", ex);
    }
}
Example #9
Source File: CustomOpenIdProcessorTest.java From OpenID-Attacker with GNU General Public License v2.0 | 5 votes |
/**
 * Establishes an association with a fixed handle prefix, then requests a token for a
 * {@code checkid_setup} message that references the handle and checks that the
 * resulting token carries an {@code openid.sig} parameter.
 */
@Test
public void testOpenidGenerateResponse() throws Exception {
    final String expectedHandle = "MY_CUSTOM_ASSOC_VALUE";

    final ParameterList associateRequest = new ParameterList();
    associateRequest.set(new Parameter("openid.dh_consumer_public", "MTEK"));
    associateRequest.set(new Parameter("openid.mode", "associate"));
    associateRequest.set(new Parameter("openid.ns", "http://specs.openid.net/auth/2.0"));
    associateRequest.set(new Parameter("openid.session_type", "DH-SHA1"));
    associateRequest.set(new Parameter("openid.assoc_type", "HMAC-SHA1"));

    store.setAssociationPrefix(expectedHandle);
    final Message associateResponse = processor.processAssociationRequest(associateRequest);
    final String handle = associateResponse.getParameterValue("assoc_handle");
    assertThat(handle, equalTo(expectedHandle));

    // Authentication request bound to the association created above (no openid.realm is set).
    final ParameterList authRequest = new ParameterList();
    authRequest.set(new Parameter("openid.ns", "http://specs.openid.net/auth/2.0"));
    authRequest.set(new Parameter("openid.mode", "checkid_setup"));
    authRequest.set(new Parameter("openid.return_to", "http://return"));
    authRequest.set(new Parameter("openid.claimed_id", "http://claimed"));
    authRequest.set(new Parameter("openid.identity", "http://identity"));
    authRequest.set(new Parameter("openid.assoc_handle", handle));

    final AttackParameterKeeper responseToken = processor.processTokenRequest(authRequest);

    // Only the presence of a signature is asserted, not its validity.
    final boolean hasSignature = responseToken.getParameter("openid.sig") != null;
    assertThat(hasSignature, is(true));
}
Example #10
Source File: CustomOpenIdProviderHandler.java From OpenID-Attacker with GNU General Public License v2.0 | 5 votes |
/**
 * Sends an OpenID direct-error response and records the failed request.
 *
 * <p>NOTE(review): the key-value body is served as {@code text/html}. If
 * {@code errorMessage} can contain request-derived text, a browser may interpret it
 * as markup. OpenID 2.0 direct responses are normally {@code text/plain}; confirm the
 * content type is intended.
 *
 * @param response the servlet response to write to
 * @param request the request that caused the error; method, URL and parameters are logged
 * @param errorMessage the error text placed in the direct-error message and the log entry
 * @param ERROR_CODE the HTTP status code to return
 * @throws IOException if the response body cannot be written
 */
public void handleError(HttpServletResponse response, HttpServletRequest request, final String errorMessage, final int ERROR_CODE) throws IOException {
    LOG.info("--> BEGIN handleError");

    final Message directError = DirectError.createDirectError(errorMessage);
    response.setStatus(ERROR_CODE);
    response.setContentType("text/html;charset=utf-8");
    final String body = directError.keyValueFormEncoding();
    response.getWriter().println(body);

    final String method = request.getMethod();
    final StringBuffer url = request.getRequestURL();
    final ParameterList received = new ParameterList(request.getParameterMap());
    final String requestContent = String.format("%s %s\n\nParameters:\n\n%s", method, url, received);
    // The log entry stores errorMessage (not the encoded body) as the response text.
    RequestLogger.getInstance().add(RequestType.ERROR, errorMessage, requestContent, errorMessage, idpType);

    LOG.info("--> END handleError");
}
Example #11
Source File: CustomOpenIdProviderHandler.java From OpenID-Attacker with GNU General Public License v2.0 | 5 votes |
/**
 * Answers an OpenID association request and records the exchange.
 *
 * @param info free-text description of the request, stored with the log entry
 * @param response the servlet response to write the key-value body to
 * @param requestParameter the parameters of the incoming request
 * @throws IOException if the response body cannot be written
 */
public void handleAssociationRequest(String info, HttpServletResponse response, final ParameterList requestParameter) throws IOException {
    LOG.info("--> BEGIN handleAssociationRequest");

    final Message association = getOpenIdProcessor().processAssociationRequest(requestParameter);
    final String handle = association.getParameterValue("assoc_handle");
    final String summary = String.format("Association established: %s", handle);
    final String loggedRequest = info + "\n\n" + requestParameter.toString();
    LOG.info(String.format(" --> assoc_handle = %s", handle));

    response.setStatus(HttpServletResponse.SC_OK);
    final String body = association.keyValueFormEncoding();
    response.getWriter().println(body);

    // NOTE(review): the full response body is stored in the request log — confirm whether it can contain association key material.
    RequestLogger.getInstance().add(RequestType.ASSOCIATION, summary, loggedRequest, body, idpType);

    LOG.info("--> END handleAssociationRequest");
}
Example #12
Source File: OpenIDToken.java From openid4java with Apache License 2.0 | 5 votes |
/**
 * Generates the XML string representation of the OpenID token: the message's
 * key-value form wrapped in a single {@code openid:OpenIDToken} element.
 *
 * <p>NOTE(review): the key-value form is inserted without XML escaping. Confirm that
 * message values cannot contain {@code <} or {@code &}, or escape them; otherwise the
 * token can be malformed or carry unintended markup.
 *
 * @return the XML token
 */
public String getToken() {
    final StringBuilder xml = new StringBuilder();
    xml.append("<openid:OpenIDToken xmlns:openid=\"")
       .append(Message.OPENID2_NS)
       .append("\">");
    xml.append(_openidMessage.keyValueFormEncoding());
    xml.append("</openid:OpenIDToken>");
    return xml.toString();
}
Example #13
Source File: OpenIDToken.java From openid4java with Apache License 2.0 | 5 votes |
/**
 * Sets the OpenID message to encapsulate into the token and derives the token type.
 *
 * <p>The type is {@code OPENID20_TOKEN} only when the message's {@code openid.ns}
 * value equals that type's string form. Every other value, including a missing
 * namespace, is classified as {@code OPENID11_TOKEN}.
 *
 * @param openidMessage the message to wrap; must not be {@code null}
 */
public void setOpenIDMessage(Message openidMessage) {
    this._openidMessage = openidMessage;

    final String openId20Marker = OpenIDTokenType.OPENID20_TOKEN.toString();
    final String declaredNamespace = openidMessage.getParameterValue("openid.ns");
    final boolean isOpenId20 = openId20Marker.equals(declaredNamespace);

    _tokenType = isOpenId20 ? OpenIDTokenType.OPENID20_TOKEN : OpenIDTokenType.OPENID11_TOKEN;
}
Example #14
Source File: OpenIDServerManager.java From carbon-identity with Apache License 2.0 | 5 votes |
/**
 * Delegates to the parent implementation after logging, at debug level, the
 * association handle carried by the authentication request.
 *
 * @param authReq the authentication request being answered
 * @param userSelId passed through to the parent implementation
 * @param userSelClaimed passed through to the parent implementation
 * @param authenticatedAndApproved passed through to the parent implementation
 * @param opEndpoint passed through to the parent implementation
 * @param signNow passed through to the parent implementation
 * @return the message produced by the parent implementation
 */
@Override
public Message authResponse(AuthRequest authReq, String userSelId, String userSelClaimed,
                            boolean authenticatedAndApproved, String opEndpoint, boolean signNow) {
    if (log.isDebugEnabled()) {
        // The handle comes from the request; it is only read when debug logging is on.
        final String requestedHandle = authReq.getHandle();
        log.debug("Association handle in AuthRequest : " + requestedHandle);
    }
    return super.authResponse(
            authReq, userSelId, userSelClaimed, authenticatedAndApproved, opEndpoint, signNow);
}
Example #15
Source File: OpenIDToken.java From openid4java with Apache License 2.0 | 5 votes |
/**
 * Constructs an OpenID token encapsulating the provided OpenID message.
 * Should be used on the OP/STS side to generate an RSTR.
 *
 * @param openidMessage the OpenID message obtained from
 *                      ServerManager.authResponse()
 */
public OpenIDToken(Message openidMessage) {
    // The setter also derives the token type from the message.
    setOpenIDMessage(openidMessage);

    if (DEBUG) {
        _log.debug("Created " + _tokenType + " token");
    }
}
Example #16
Source File: OpenIDProviderService.java From carbon-identity with Apache License 2.0 | 5 votes |
/**
 * Processes an OpenID association request and returns the response in key-value form.
 *
 * @param params the request parameters as transfer objects
 * @return the key-value form encoding of the association response
 */
public String getOpenIDAssociationResponse(OpenIDParameterDTO[] params) {
    final ParameterList paramList = getParameterList(params);
    final Message associationResponse =
            OpenIDProvider.getInstance().getManager().associationResponse(paramList);
    return associationResponse.keyValueFormEncoding();
}
Example #17
Source File: OpenIDProviderService.java From carbon-identity with Apache License 2.0 | 5 votes |
/**
 * Handles the verification request a relying party sends when it uses OpenID dumb
 * mode.
 *
 * <p>The request is refused outright when the server property
 * {@code OPENID_DISABLE_DUMB_MODE} is set to {@code true} (case-insensitive).
 *
 * @param params the request parameters as transfer objects
 * @return the key-value form encoding of the verification response
 * @throws IdentityProviderException if dumb mode is disabled by configuration
 */
public String verify(OpenIDParameterDTO[] params) throws IdentityProviderException {
    final String disableDumbMode =
            IdentityUtil.getProperty(IdentityConstants.ServerConfig.OPENID_DISABLE_DUMB_MODE);
    final boolean dumbModeDisabled = "true".equalsIgnoreCase(disableDumbMode);
    if (dumbModeDisabled) {
        throw new IdentityProviderException("OpenID relying parties with dumb mode not supported");
    }

    final ParameterList paramList = getParameterList(params);
    final Message verification = OpenIDProvider.getInstance().getManager().verify(paramList);
    return verification.keyValueFormEncoding();
}
Example #18
Source File: OpenIDServerManager.java From carbon-identity with Apache License 2.0 | 4 votes |
/**
 * Processes a verification request against the private association named by its handle.
 *
 * <p>The signature is checked only when a private association is found for the handle.
 * That association is then removed whether or not the signature verified, so a handle
 * can be used for at most one verification attempt. Without an association the response
 * is negative.
 *
 * @param requestParams the parameters of the verification request
 * @return a {@code VerifyResponse} carrying the verification outcome, or a
 *         {@code DirectError} if an {@code OpenIDException} is raised while processing
 */
public Message verify(ParameterList requestParams) {
    if(log.isDebugEnabled()) {
        log.debug("Processing verification request...");
    }

    // Assume version 2 until the request is parsed; used for the error response format.
    boolean isVersion2 = true;

    try {
        // build request message from response params (+ integrity check)
        VerifyRequest vrfyReq = VerifyRequest.createVerifyRequest(requestParams);
        isVersion2 = vrfyReq.isVersion2();
        String handle = vrfyReq.getHandle();

        boolean verified = false;

        Association assoc = getPrivateAssociations().load(handle);
        String sigMod = null;

        if (assoc != null) {
            // verify the signature
            if (log.isDebugEnabled()) {
                log.debug("Loaded private association; handle: " + handle);
            }

            // Every whitespace character in the signature is replaced with '+'
            // (presumably to undo '+' being decoded as a space in transit — confirm).
            sigMod = vrfyReq.getSignature().replaceAll("\\s", "+");
            verified = assoc.verifySignature(vrfyReq.getSignedText(), sigMod);

            // remove the association so that the request
            // cannot be verified more than once
            getPrivateAssociations().remove(handle);
        } else {
            log.error("No association loaded from the database; handle: " + handle);
        }

        VerifyResponse vrfyResp = VerifyResponse.createVerifyResponse(!vrfyReq.isVersion2());

        vrfyResp.setSignatureVerified(verified);

        if (verified) {
            String invalidateHandle = vrfyReq.getInvalidateHandle();
            // Echo invalidate_handle only when no shared association exists for it.
            if (invalidateHandle != null && getSharedAssociations().load(invalidateHandle) == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Shared association invalidated; handle: " + invalidateHandle);
                }
                vrfyResp.setInvalidateHandle(invalidateHandle);
            }
        } else {
            // NOTE(review): handle, signed text and signature are request-supplied and
            // logged as-is; confirm the log layout neutralises line breaks and that
            // recording the signed text is acceptable.
            log.error("Signature verification failed. handle : " + handle +
                      " , signed text : " + vrfyReq.getSignedText() +
                      " , signature : " + sigMod);
        }

        if (log.isDebugEnabled()) {
            log.debug("Responding with " + (verified ? "positive" : "negative") + " verification response");
        }

        return vrfyResp;
    } catch (OpenIDException e) {
        log.error("Error processing verification request; responding with verification error", e);
        return DirectError.createDirectError(e, !isVersion2);
    }
}
Example #19
Source File: OpenIdService.java From springboot-shiro-cas-mybatis with MIT License | 4 votes |
/**
 * Generates an OpenID response.
 * If no ticketId is found, the response is negative.
 * If we have a ticket id, then we check if we have an association.
 * If so, we ask the OpenID server manager to generate the answer according to the existing association.
 * If not, we send back an answer with the ticket id as association handle.
 * This will force the consumer to ask for a verification, which will validate the service ticket.
 *
 * <p>NOTE(review): when no shared association is found, the ticket is not validated in
 * this method and {@code successFullAuthentication} stays {@code true}. The same
 * applies when parsing the auth request fails, because the {@code MessageException}
 * is only logged. Confirm that the consumer's verification request really validates
 * the service ticket.
 *
 * @param ticketId the service ticket to provide to the service.
 * @return the generated authentication answer
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> parameters = new HashMap<>();
    if (ticketId != null) {

        final ServerManager manager = (ServerManager) ApplicationContextProvider.getApplicationContext().getBean("serverManager");
        final CentralAuthenticationService cas = ApplicationContextProvider.getApplicationContext()
                .getBean("centralAuthenticationService", CentralAuthenticationService.class);
        boolean associated = false;
        boolean associationValid = true;
        try {
            final AuthRequest authReq = AuthRequest.createAuthRequest(requestParameters, manager.getRealmVerifier());
            final Map parameterMap = authReq.getParameterMap();
            if (parameterMap != null && parameterMap.size() > 0) {
                // The association handle is supplied by the requesting party.
                final String assocHandle = (String) parameterMap.get(OpenIdConstants.OPENID_ASSOCHANDLE);
                if (assocHandle != null) {
                    final Association association = manager.getSharedAssociations().load(assocHandle);
                    if (association != null) {
                        associated = true;
                        if (association.hasExpired()) {
                            associationValid = false;
                        }
                    }
                }
            }
        } catch (final MessageException me) {
            // Logged only: processing continues as "not associated".
            LOGGER.error("Message exception : {}", me.getMessage(), me);
        }

        boolean successFullAuthentication = true;
        Assertion assertion = null;
        try {
            if (associated) {
                if (associationValid) {
                    assertion = cas.validateServiceTicket(ticketId, this);
                    LOGGER.info("Validated openid ticket");
                } else {
                    // Known but expired association: answer negatively.
                    successFullAuthentication = false;
                }
            }
        } catch (final TicketException te) {
            LOGGER.error("Could not validate ticket : {}", te.getMessage(), te);
            successFullAuthentication = false;
        }

        // With identifier-select and a validated ticket, the id is built from the
        // authenticated principal; otherwise the requested identity is used unchanged.
        final String id;
        if (assertion != null && OpenIdConstants.OPENID_IDENTIFIERSELECT.equals(this.identity)) {
            id = this.openIdPrefixUrl + '/' + assertion.getPrimaryAuthentication().getPrincipal().getId();
        } else {
            id = this.identity;
        }
        // We sign directly (final 'true') because we don't add extensions
        // response message can be either a DirectError or an AuthSuccess here.
        // Anyway, handling is the same : send the response message
        final Message response = manager.authResponse(requestParameters, id, id, successFullAuthentication, true);
        parameters.putAll(response.getParameterMap());
        if (!associated) {
            // The service ticket id travels in the redirect as the association handle.
            parameters.put(OpenIdConstants.OPENID_ASSOCHANDLE, ticketId);
        }
    } else {
        parameters.put(OpenIdConstants.OPENID_MODE, OpenIdConstants.CANCEL);
    }
    return DefaultResponse.getRedirectResponse(getOriginalUrl(), parameters);
}
Example #20
Source File: HttpPostRedirect.java From OpenID-Attacker with GNU General Public License v2.0 | 4 votes |
/**
 * Convenience overload that builds the POST redirect from an OpenID message. It passes
 * the message's destination URL, its parameter map and a new empty map to the
 * three-argument overload.
 *
 * <p>NOTE(review): {@code value} is not declared anywhere in this excerpt; check the
 * original source file for the intended argument.
 *
 * @param openidMessage the message supplying destination URL and parameters
 * @return the result of the three-argument {@code createPostRedirect}
 */
public static String createPostRedirect(Message openidMessage) {
    return createPostRedirect(openidMessage.getDestinationUrl(value), openidMessage.getParameterMap(), new HashMap<String, String>());
}
Example #21
Source File: CustomOpenIdProcessor.java From OpenID-Attacker with GNU General Public License v2.0 | 4 votes |
/**
 * Produces the check_authentication response by handing the request to the server
 * manager's {@code verify}, so the outcome depends on the request content.
 *
 * @param request the parameters of the verification request
 * @return the message returned by the server manager
 */
public Message generateCorrectCheckAuthenticationResponse(final ParameterList request) {
    final Message verification = serverManager.verify(request);
    return verification;
}
Example #22
Source File: OpenIDToken.java From openid4java with Apache License 2.0 | 4 votes |
/**
 * Returns the OpenID message wrapped by this token.
 *
 * @return the stored message reference (not a copy)
 */
public Message getOpenIDMessage() {
    return this._openidMessage;
}
Example #23
Source File: VerificationResult.java From openid4java with Apache License 2.0 | 4 votes |
/**
 * Stores the authentication response message received from the server.
 *
 * @param authResponse the message to keep; the reference is stored as given
 */
public void setAuthResponse(Message authResponse) {
    _authResponse = authResponse;
}
Example #24
Source File: VerificationResult.java From openid4java with Apache License 2.0 | 4 votes |
/**
 * Returns the authentication response message received from the server.
 *
 * @return the stored message reference (not a copy)
 */
public Message getAuthResponse() {
    return this._authResponse;
}
Example #25
Source File: OpenIdService.java From cas4.0.x-server-wechat with Apache License 2.0 | 4 votes |
/**
 * Generates an OpenID response.
 * If no ticketId is found, the response is negative.
 * If we have a ticket id, then we check if we have an association.
 * If so, we ask the OpenID server manager to generate the answer according to the existing association.
 * If not, we send back an answer with the ticket id as association handle.
 * This will force the consumer to ask for a verification, which will validate the service ticket.
 *
 * <p>NOTE(review): when no shared association is found, the ticket is not validated in
 * this method and {@code successFullAuthentication} stays {@code true}. The same
 * applies when parsing the auth request fails, because the {@code MessageException}
 * is only logged. Confirm that the consumer's verification request really validates
 * the service ticket.
 *
 * @param ticketId the service ticket to provide to the service.
 * @return the generated authentication answer
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> parameters = new HashMap<String, String>();
    if (ticketId != null) {

        ServerManager manager = (ServerManager) ApplicationContextProvider.getApplicationContext().getBean("serverManager");
        CentralAuthenticationService cas = (CentralAuthenticationService) ApplicationContextProvider.getApplicationContext()
                .getBean("centralAuthenticationService");
        boolean associated = false;
        boolean associationValid = true;
        try {
            AuthRequest authReq = AuthRequest.createAuthRequest(requestParameters, manager.getRealmVerifier());
            Map parameterMap = authReq.getParameterMap();
            if (parameterMap != null && parameterMap.size() > 0) {
                // The association handle is supplied by the requesting party.
                String assocHandle = (String) parameterMap.get("openid.assoc_handle");
                if (assocHandle != null) {
                    Association association = manager.getSharedAssociations().load(assocHandle);
                    if (association != null) {
                        associated = true;
                        if (association.hasExpired()) {
                            associationValid = false;
                        }
                    }
                }
            }
        } catch (final MessageException me) {
            // Logged only: processing continues as "not associated".
            LOGGER.error("Message exception : {}", me.getMessage(), me);
        }

        boolean successFullAuthentication = true;
        try {
            if (associated) {
                if (associationValid) {
                    cas.validateServiceTicket(ticketId, this);
                    LOGGER.info("Validated openid ticket");
                } else {
                    // Known but expired association: answer negatively.
                    successFullAuthentication = false;
                }
            }
        } catch (final TicketException te) {
            LOGGER.error("Could not validate ticket : {}", te.getMessage(), te);
            successFullAuthentication = false;
        }

        // We sign directly (final 'true') because we don't add extensions
        // response message can be either a DirectError or an AuthSuccess here.
        // Anyway, handling is the same : send the response message
        Message response = manager.authResponse(requestParameters, this.identity, this.identity, successFullAuthentication, true);
        parameters.putAll(response.getParameterMap());
        if (!associated) {
            // The service ticket id travels in the redirect as the association handle.
            parameters.put("openid.assoc_handle", ticketId);
        }
    } else {
        parameters.put("openid.mode", "cancel");
    }
    return Response.getRedirectResponse(getOriginalUrl(), parameters);
}
Example #26
Source File: CustomOpenIdProcessor.java From OpenID-Attacker with GNU General Public License v2.0 | 2 votes |
/**
 * Answers an association request by delegating to the server manager.
 * The original author notes that Diffie-Hellman key exchange (DHKE) is used.
 *
 * @param assoc_parameter the parameters of the association request
 * @return the association response produced by the server manager
 */
public Message processAssociationRequest(final ParameterList assoc_parameter) {
    final Message associationResponse = serverManager.associationResponse(assoc_parameter);
    return associationResponse;
}