Java Code Examples for org.apache.wss4j.common.saml.bean.ConditionsBean#setAudienceRestrictions()
The following examples show how to use
org.apache.wss4j.common.saml.bean.ConditionsBean#setAudienceRestrictions() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: SAMLResponseTest.java From cxf-fediz with Apache License 2.0 | 6 votes |
|
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
String requestId) throws Exception {
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
saml2CallbackHandler.setConditions(cp);
// Subject Confirmation Data
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
subjectConfirmationData.setInResponseTo(requestId);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Element response = createSamlResponse(assertion, "mystskey", true, requestId);
return encodeResponse(response);
}
Example 2
| Source File: SAMLEncryptedResponseTest.java From cxf-fediz with Apache License 2.0 | 6 votes |
|
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
String requestId,
boolean signAssertion) throws Exception {
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
saml2CallbackHandler.setConditions(cp);
// Subject Confirmation Data
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
subjectConfirmationData.setInResponseTo(requestId);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Element response = createEncryptedSamlResponse(assertion, "mystskey", signAssertion, requestId);
return encodeResponse(response);
}
Example 3
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* The configured subject of the trusted issuer doesn't match with
* the issuer of the SAML token
*/
@org.junit.Test
public void validateUnsignedSAML2Token() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", false);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
// Load and update the config to enforce an error
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
try {
wfProc.processRequest(wfReq, config);
Assert.fail("Processing must fail because of missing signature");
} catch (ProcessingException ex) {
if (!TYPE.TOKEN_NO_SIGNATURE.equals(ex.getType())) {
fail("Expected ProcessingException with TOKEN_NO_SIGNATURE type");
}
}
}
Example 4
| Source File: SAMLTokenValidatorOldTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token where role information is provided
* within another SAML attribute
*/
@org.junit.Test
public void validateSAML2TokenDifferentRoleURI() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
callbackHandler.setCountryClaimName("country");
callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example 5
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 1.1 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
*/
@org.junit.Test
public void validateSAML1Token() throws Exception {
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example 6
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 1 token where role information is provided
* within another SAML attribute
*/
@org.junit.Test
public void validateSAML1TokenDifferentRoleURI() throws Exception {
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example 7
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 1.1 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
* Token embedded in RSTR 2005/02 - WS Federation 1.0
*/
@org.junit.Test
public void validateSAML1TokenWSFed10() throws Exception {
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_2005_02_MSG);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
Example 8
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
*/
@org.junit.Test
public void validateSAML2Token() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example 9
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* The configured subject of the trusted issuer doesn't match with
* the issuer of the SAML token
*/
@org.junit.Test
public void validateSAML2TokenSeveralCertStore() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
// Load and update the config to enforce an error
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT2");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
}
Example 10
| Source File: JMSWSSecurityTest.java From cxf with Apache License 2.0 | 5 votes |
|
@Test
public void testUnsignedSAML2AudienceRestrictionTokenBadURI() throws Exception {
QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
HelloWorldService service = new HelloWorldService(wsdl, serviceName);
HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setSignAssertion(true);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setTokenPeriodMinutes(5);
List<String> audiences = new ArrayList<>();
audiences.add("jms:jndi:dynamicQueues/test.jmstransport.text.bad");
AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
audienceRestrictionBean.setAudienceURIs(audiences);
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
callbackHandler.setConditions(conditions);
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
Client client = ClientProxy.getClient(greeter);
client.getOutInterceptors().add(outInterceptor);
try {
greeter.sayHi();
fail("Failure expected on a bad audience restriction");
} catch (SOAPFaultException ex) {
// expected
}
((java.io.Closeable)greeter).close();
}
Example 11
| Source File: SAMLTokenValidatorOldTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token where role information is provided
* within another SAML attribute
*/
@org.junit.Test
public void validateSAML1TokenDifferentRoleURI() throws Exception {
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setUseNameFormatAsNamespace(true);
callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example 12
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
@org.junit.Test
public void testChainTrust() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
// Test successful trust validation (subject cert constraint)
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CHAIN_TRUST");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
// Test unsuccessful trust validation (bad subject cert constraint)
configurator = null;
config = getFederationConfigurator().getFedizContext("CHAIN_TRUST2");
wfProc = new FederationProcessorImpl();
try {
wfRes = wfProc.processRequest(wfReq, config);
Assert.fail("Processing must fail because of invalid subject cert constraint");
} catch (ProcessingException ex) {
// expected
}
}
Example 13
| Source File: AudienceRestrictionTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
@org.junit.Test
public void validateAudienceThatIsRequiredAgainstMultipleAudiences() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("AUD2");
// Mock up the servet request/response
HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null);
EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI);
EasyMock.expect(req.getMethod()).andReturn("POST");
EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr);
EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION))
.andReturn(FederationConstants.ACTION_SIGNIN);
EasyMock.expect(req.getParameter("RelayState")).andReturn(null);
EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null);
EasyMock.expect(req.getQueryString()).andReturn(null);
EasyMock.replay(req);
HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class);
EasyMock.replay(resp);
// Now validate the request
TestSigninHandler signinHandler = new TestSigninHandler(config);
Assert.assertNotNull(signinHandler.handleRequest(req, resp));
}
Example 14
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
@org.junit.Test
public void testModifiedSignature() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
WSPasswordCallback[] cb = {
new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
};
cbPasswordHandler.handle(cb);
String password = cb[0].getPassword();
assertion.signAssertion("mystskey", password, crypto, false);
Document doc = STSUtil.toSOAPPart(STSUtil.SAMPLE_RSTR_COLL_MSG);
Element token = assertion.toDOM(doc);
// Change IssueInstant attribute
String issueInstance = token.getAttributeNS(null, "IssueInstant");
DateTime issueDateTime = new DateTime(issueInstance, DateTimeZone.UTC);
issueDateTime = issueDateTime.plusSeconds(1);
token.setAttributeNS(null, "IssueInstant", issueDateTime.toString());
Element e = XMLUtils.findElement(doc, "RequestedSecurityToken",
FederationConstants.WS_TRUST_13_NS);
if (e == null) {
e = XMLUtils.findElement(doc, "RequestedSecurityToken",
FederationConstants.WS_TRUST_2005_02_NS);
}
e.appendChild(token);
String rstr = DOM2Writer.nodeToString(doc);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
try {
wfProc.processRequest(wfReq, config);
fail("Failure expected on signature validation");
} catch (ProcessingException ex) {
// expected
}
}
Example 15
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
@org.junit.Test
public void testWrappingAttack() throws Exception {
// First assertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion1 = new SamlAssertionWrapper(samlCallback);
// Second assertion
SAML2CallbackHandler callbackHandler2 = new SAML2CallbackHandler();
callbackHandler2.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler2.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler2.setIssuer(TEST_RSTR_ISSUER);
callbackHandler2.setSubjectName("bob");
ConditionsBean cp2 = new ConditionsBean();
AudienceRestrictionBean audienceRestriction2 = new AudienceRestrictionBean();
audienceRestriction2.getAudienceURIs().add(TEST_AUDIENCE);
cp2.setAudienceRestrictions(Collections.singletonList(audienceRestriction2));
callbackHandler2.setConditions(cp2);
SAMLCallback samlCallback2 = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler2, samlCallback2);
SamlAssertionWrapper assertion2 = new SamlAssertionWrapper(samlCallback2);
WSPasswordCallback[] cb = {
new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
};
cbPasswordHandler.handle(cb);
String password = cb[0].getPassword();
assertion1.signAssertion("mystskey", password, crypto, false);
assertion2.signAssertion("mystskey", password, crypto, false);
Document doc = STSUtil.toSOAPPart(SAMPLE_MULTIPLE_RSTR_COLL_MSG);
Element token1 = assertion2.toDOM(doc);
Element token2 = assertion1.toDOM(doc);
// Now modify the first Signature to point to the other Element
Element sig1 = XMLUtils.findElement(token1, "Signature", WSConstants.SIG_NS);
Element sig2 = XMLUtils.findElement(token2, "Signature", WSConstants.SIG_NS);
sig1.getParentNode().replaceChild(sig2.cloneNode(true), sig1);
List<Element> requestedTokenElements =
XMLUtils.findElements(doc, "RequestedSecurityToken", FederationConstants.WS_TRUST_13_NS);
Assert.assertEquals(2, requestedTokenElements.size());
requestedTokenElements.get(0).appendChild(token1);
requestedTokenElements.get(1).appendChild(token2);
Element rstrElement = doc.getDocumentElement();
String rstr = DOM2Writer.nodeToString(rstrElement);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
// Load and update the config to enforce an error
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
try {
wfProc.processRequest(wfReq, config);
Assert.fail("Processing must fail because of bad signature");
} catch (ProcessingException ex) {
// expected
}
}
Example 16
| Source File: SAMLSSOResponseValidatorTest.java From cxf with Apache License 2.0 | 4 votes |
|
private Response createResponse(
SubjectConfirmationDataBean subjectConfirmationData,
List<AudienceRestrictionBean> audienceRestrictions,
String authnClassRef
) throws Exception {
Document doc = DOMUtils.createDocument();
Status status =
SAML2PResponseComponentBuilder.createStatus(
SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
if (audienceRestrictions == null) {
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
} else {
conditions.setAudienceRestrictions(audienceRestrictions);
}
callbackHandler.setConditions(conditions);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
if (authnClassRef != null) {
AuthnStatement authnStatement =
response.getAssertions().get(0).getAuthnStatements().get(0);
authnStatement.getAuthnContext().setAuthnContextClassRef(
SAML2PResponseComponentBuilder.createAuthnContextClassRef(authnClassRef));
}
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
return (Response)OpenSAMLUtil.fromDom(policyElement);
}
Example 17
| Source File: RequestedClaimsTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
@org.junit.Test
public void testRequiredClaimIncluded() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(ISSUER);
callbackHandler.setSubjectName("alice");
callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
callbackHandler.setCountryClaimName("country");
callbackHandler.setRoleAttributeName("role");
callbackHandler.setCustomClaimName(CLAIM_TYPE_1);
callbackHandler.setCustomAttributeValues(Collections.singletonList("xyz"));
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(AUDIENCE_URI_1);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
FedizConfig config = createConfiguration();
StringWriter writer = new StringWriter();
final JAXBContext jaxbContext = JAXBContext.newInstance(FedizConfig.class);
jaxbContext.createMarshaller().marshal(config, writer);
StringReader reader = new StringReader(writer.toString());
FedizConfigurator configurator = new FedizConfigurator();
configurator.loadConfig(reader);
FedizContext context = configurator.getFedizContext(CONFIG_NAME);
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, context);
Object claimValue = null;
for (Claim c : wfRes.getClaims()) {
if (CLAIM_TYPE_1.equals(c.getClaimType().toString())) {
claimValue = c.getValue();
}
}
Assert.assertEquals("xyz", claimValue);
}
Example 18
| Source File: SamlResponseCreator.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
private Assertion createSAML2Assertion(RequestContext context, Idp idp, SamlAssertionWrapper receivedToken,
String requestID, String requestIssuer,
String remoteAddr, String racs) throws Exception {
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
String issuer = isUseRealmForIssuer() ? idp.getRealm() : idp.getIdpUrl().toString();
callbackHandler.setIssuer(issuer);
callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
// Test Subject against received Subject (if applicable)
SAMLAuthnRequest authnRequest =
(SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
if (authnRequest.getSubjectNameId() != null && receivedToken.getSaml2().getSubject().getNameID() != null) {
NameID issuedNameId = receivedToken.getSaml2().getSubject().getNameID();
if (!authnRequest.getSubjectNameId().equals(issuedNameId.getValue())) {
LOG.debug("Received NameID value of {} does not match issued value {}",
authnRequest.getSubjectNameId(), issuedNameId.getValue());
throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
}
}
// Subject Confirmation Data
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress(remoteAddr);
subjectConfirmationData.setInResponseTo(requestID);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient(racs);
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
// Audience Restriction
ConditionsBean conditions = new ConditionsBean();
conditions.setTokenPeriodMinutes(5);
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(requestIssuer));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
// Attributes
callbackHandler.setAttributeStatements(receivedToken.getSaml2().getAttributeStatements());
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Crypto issuerCrypto = CertsUtils.getCryptoFromCertificate(idp.getCertificate());
assertion.signAssertion(issuerCrypto.getDefaultX509Identifier(), idp.getCertificatePassword(),
issuerCrypto, false);
return assertion.getSaml2();
}
Example 19
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
@org.junit.Test
public void testUnsignedAssertionAfterSignedAssertion() throws Exception {
// First assertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion1 = new SamlAssertionWrapper(samlCallback);
// Second assertion
SAML2CallbackHandler callbackHandler2 = new SAML2CallbackHandler();
callbackHandler2.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler2.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler2.setIssuer(TEST_RSTR_ISSUER);
callbackHandler2.setSubjectName("bob");
ConditionsBean cp2 = new ConditionsBean();
AudienceRestrictionBean audienceRestriction2 = new AudienceRestrictionBean();
audienceRestriction2.getAudienceURIs().add(TEST_AUDIENCE);
cp2.setAudienceRestrictions(Collections.singletonList(audienceRestriction2));
callbackHandler2.setConditions(cp2);
SAMLCallback samlCallback2 = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler2, samlCallback2);
SamlAssertionWrapper assertion2 = new SamlAssertionWrapper(samlCallback2);
Element rstrElement =
createResponseWithMultipleAssertions(assertion1, true, assertion2, false, "mystskey");
String rstr = DOM2Writer.nodeToString(rstrElement);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
// Load and update the config to enforce an error
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse fedizResponse = wfProc.processRequest(wfReq, config);
Assert.assertEquals(TEST_USER, fedizResponse.getUsername());
}
Example 20
| Source File: SAMLResponseTest.java From cxf-fediz with Apache License 2.0 | 4 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* The configured subject of the trusted issuer doesn't match with
* the issuer of the SAML token
*/
@org.junit.Test
public void validateUnsignedSAML2Token() throws Exception {
// Mock up a Request
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
RequestState requestState = new RequestState(TEST_REQUEST_URL,
TEST_IDP_ISSUER,
requestId,
TEST_REQUEST_URL,
(String)config.getProtocol().getIssuer(),
null,
relayState,
System.currentTimeMillis());
// Create SAML Response
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setAlsoAddAuthnStatement(true);
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_IDP_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
// Subject Confirmation Data
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
subjectConfirmationData.setInResponseTo(requestId);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Element response = createSamlResponse(assertion, "mystskey", false, requestId);
String responseStr = encodeResponse(response);
HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
EasyMock.replay(req);
FedizRequest wfReq = new FedizRequest();
wfReq.setResponseToken(responseStr);
wfReq.setState(relayState);
wfReq.setRequest(req);
wfReq.setRequestState(requestState);
FedizProcessor wfProc = new SAMLProcessorImpl();
try {
wfProc.processRequest(wfReq, config);
Assert.fail("Processing must fail because of missing signature");
} catch (ProcessingException ex) {
// expected
}
}
