Java Code Examples for org.apache.wss4j.common.saml.bean.ConditionsBean#setAudienceRestrictions()

The following examples show how to use org.apache.wss4j.common.saml.bean.ConditionsBean#setAudienceRestrictions() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: SAMLResponseTest.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
                                     String requestId) throws Exception {
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    saml2CallbackHandler.setConditions(cp);

    // Subject Confirmation Data
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
    subjectConfirmationData.setInResponseTo(requestId);
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
    saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    Element response = createSamlResponse(assertion, "mystskey", true, requestId);
    return encodeResponse(response);
}
 
Example 2
Source File: SAMLEncryptedResponseTest.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
                                     String requestId,
                                     boolean signAssertion) throws Exception {
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    saml2CallbackHandler.setConditions(cp);

    // Subject Confirmation Data
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
    subjectConfirmationData.setInResponseTo(requestId);
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
    saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    Element response = createEncryptedSamlResponse(assertion, "mystskey", signAssertion, requestId);
    return encodeResponse(response);
}
 
Example 3
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 2 token which includes the role attribute with 2 values
 * The configured subject of the trusted issuer doesn't match with
 * the issuer of the SAML token
 */
@org.junit.Test
public void validateUnsignedSAML2Token() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    String rstr = createSamlToken(assertion, "mystskey", false);
    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    try {
        wfProc.processRequest(wfReq, config);
        Assert.fail("Processing must fail because of missing signature");
    } catch (ProcessingException ex) {
        if (!TYPE.TOKEN_NO_SIGNATURE.equals(ex.getType())) {
            fail("Expected ProcessingException with TOKEN_NO_SIGNATURE type");
        }
    }
}
 
Example 4
Source File: SAMLTokenValidatorOldTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 2 token where role information is provided
 * within another SAML attribute
 */
@org.junit.Test
public void validateSAML2TokenDifferentRoleURI() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
    callbackHandler.setCountryClaimName("country");
    callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");

    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
    assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
 
Example 5
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 1.1 token which includes the role attribute with 2 values
 * Roles are encoded as a multi-value saml attribute
 */
@org.junit.Test
public void validateSAML1Token() throws Exception {
    SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
    callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER,
                        wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                        .size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
    assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
 
Example 6
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 1 token where role information is provided
 * within another SAML attribute
 */
@org.junit.Test
public void validateSAML1TokenDifferentRoleURI() throws Exception {
    SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
    callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
    assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
 
Example 7
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 1.1 token which includes the role attribute with 2 values
 * Roles are encoded as a multi-value saml attribute
 * Token embedded in RSTR 2005/02 - WS Federation 1.0
 */
@org.junit.Test
public void validateSAML1TokenWSFed10() throws Exception {
    SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
    callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_2005_02_MSG);
    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER,
                        wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                        .size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
 
Example 8
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 2 token which includes the role attribute with 2 values
 * Roles are encoded as a multi-value saml attribute
 */
@org.junit.Test
public void validateSAML2Token() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER,
                        wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                        .size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
    assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());

}
 
Example 9
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 2 token which includes the role attribute with 2 values
 * The configured subject of the trusted issuer doesn't match with
 * the issuer of the SAML token
 */
@org.junit.Test
public void validateSAML2TokenSeveralCertStore() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    String rstr = createSamlToken(assertion, "mystskey", true);
    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT2");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER,
                        wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                        .size());
}
 
Example 10
Source File: JMSWSSecurityTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
@Test
public void testUnsignedSAML2AudienceRestrictionTokenBadURI() throws Exception {
    QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
    QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
    URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
    HelloWorldService service = new HelloWorldService(wsdl, serviceName);

    HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);

    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setSignAssertion(true);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);

    ConditionsBean conditions = new ConditionsBean();
    conditions.setTokenPeriodMinutes(5);
    List<String> audiences = new ArrayList<>();
    audiences.add("jms:jndi:dynamicQueues/test.jmstransport.text.bad");
    AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
    audienceRestrictionBean.setAudienceURIs(audiences);
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));

    callbackHandler.setConditions(conditions);

    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);

    WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
    Client client = ClientProxy.getClient(greeter);
    client.getOutInterceptors().add(outInterceptor);

    try {
        greeter.sayHi();
        fail("Failure expected on a bad audience restriction");
    } catch (SOAPFaultException ex) {
        // expected
    }

    ((java.io.Closeable)greeter).close();
}
 
Example 11
Source File: SAMLTokenValidatorOldTest.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
/**
 * Validate SAML 2 token where role information is provided
 * within another SAML attribute
 */
@org.junit.Test
public void validateSAML1TokenDifferentRoleURI() throws Exception {
    SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
    callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    callbackHandler.setUseNameFormatAsNamespace(true);
    callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
    callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
    assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
 
Example 12
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
@org.junit.Test
public void testChainTrust() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    // Test successful trust validation (subject cert constraint)
    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("CHAIN_TRUST");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, config);

    Assert.assertEquals("Principal name wrong", TEST_USER,
                        wfRes.getUsername());
    Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
    Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());

    // Test unsuccessful trust validation (bad subject cert constraint)
    configurator = null;
    config = getFederationConfigurator().getFedizContext("CHAIN_TRUST2");

    wfProc = new FederationProcessorImpl();
    try {
        wfRes = wfProc.processRequest(wfReq, config);
        Assert.fail("Processing must fail because of invalid subject cert constraint");
    } catch (ProcessingException ex) {
        // expected
    }
}
 
Example 13
Source File: AudienceRestrictionTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
@org.junit.Test
public void validateAudienceThatIsRequiredAgainstMultipleAudiences() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    String rstr = createSamlToken(assertion, "mystskey", true);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("AUD2");

    // Mock up the servet request/response
    HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null);
    EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
    EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI);
    EasyMock.expect(req.getMethod()).andReturn("POST");
    EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr);
    EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION))
        .andReturn(FederationConstants.ACTION_SIGNIN);
    EasyMock.expect(req.getParameter("RelayState")).andReturn(null);
    EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null);
    EasyMock.expect(req.getQueryString()).andReturn(null);
    EasyMock.replay(req);

    HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class);
    EasyMock.replay(resp);

    // Now validate the request
    TestSigninHandler signinHandler = new TestSigninHandler(config);
    Assert.assertNotNull(signinHandler.handleRequest(req, resp));
}
 
Example 14
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
@org.junit.Test
public void testModifiedSignature() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    WSPasswordCallback[] cb = {
        new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
    };
    cbPasswordHandler.handle(cb);
    String password = cb[0].getPassword();

    assertion.signAssertion("mystskey", password, crypto, false);
    Document doc = STSUtil.toSOAPPart(STSUtil.SAMPLE_RSTR_COLL_MSG);
    Element token = assertion.toDOM(doc);

    // Change IssueInstant attribute
    String issueInstance = token.getAttributeNS(null, "IssueInstant");
    DateTime issueDateTime = new DateTime(issueInstance, DateTimeZone.UTC);
    issueDateTime = issueDateTime.plusSeconds(1);
    token.setAttributeNS(null, "IssueInstant", issueDateTime.toString());

    Element e = XMLUtils.findElement(doc, "RequestedSecurityToken",
                                                   FederationConstants.WS_TRUST_13_NS);
    if (e == null) {
        e = XMLUtils.findElement(doc, "RequestedSecurityToken",
                                               FederationConstants.WS_TRUST_2005_02_NS);
    }
    e.appendChild(token);
    String rstr = DOM2Writer.nodeToString(doc);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    try {
        wfProc.processRequest(wfReq, config);
        fail("Failure expected on signature validation");
    } catch (ProcessingException ex) {
        // expected
    }
}
 
Example 15
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
@org.junit.Test
public void testWrappingAttack() throws Exception {
    // First assertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion1 = new SamlAssertionWrapper(samlCallback);

    // Second assertion
    SAML2CallbackHandler callbackHandler2 = new SAML2CallbackHandler();
    callbackHandler2.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler2.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler2.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler2.setSubjectName("bob");
    ConditionsBean cp2 = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction2 = new AudienceRestrictionBean();
    audienceRestriction2.getAudienceURIs().add(TEST_AUDIENCE);
    cp2.setAudienceRestrictions(Collections.singletonList(audienceRestriction2));
    callbackHandler2.setConditions(cp2);

    SAMLCallback samlCallback2 = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler2, samlCallback2);
    SamlAssertionWrapper assertion2 = new SamlAssertionWrapper(samlCallback2);

    WSPasswordCallback[] cb = {
        new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
    };
    cbPasswordHandler.handle(cb);
    String password = cb[0].getPassword();

    assertion1.signAssertion("mystskey", password, crypto, false);
    assertion2.signAssertion("mystskey", password, crypto, false);

    Document doc = STSUtil.toSOAPPart(SAMPLE_MULTIPLE_RSTR_COLL_MSG);
    Element token1 = assertion2.toDOM(doc);
    Element token2 = assertion1.toDOM(doc);

    // Now modify the first Signature to point to the other Element
    Element sig1 = XMLUtils.findElement(token1, "Signature", WSConstants.SIG_NS);
    Element sig2 = XMLUtils.findElement(token2, "Signature", WSConstants.SIG_NS);
    sig1.getParentNode().replaceChild(sig2.cloneNode(true), sig1);

    List<Element> requestedTokenElements =
        XMLUtils.findElements(doc, "RequestedSecurityToken", FederationConstants.WS_TRUST_13_NS);
    Assert.assertEquals(2, requestedTokenElements.size());
    requestedTokenElements.get(0).appendChild(token1);
    requestedTokenElements.get(1).appendChild(token2);

    Element rstrElement = doc.getDocumentElement();

    String rstr = DOM2Writer.nodeToString(rstrElement);
    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    try {
        wfProc.processRequest(wfReq, config);
        Assert.fail("Processing must fail because of bad signature");
    } catch (ProcessingException ex) {
        // expected
    }
}
 
Example 16
Source File: SAMLSSOResponseValidatorTest.java    From cxf with Apache License 2.0 4 votes vote down vote up
private Response createResponse(
    SubjectConfirmationDataBean subjectConfirmationData,
    List<AudienceRestrictionBean> audienceRestrictions,
    String authnClassRef
) throws Exception {
    Document doc = DOMUtils.createDocument();

    Status status =
        SAML2PResponseComponentBuilder.createStatus(
            SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
        );
    Response response =
        SAML2PResponseComponentBuilder.createSAMLResponse(
            "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
        );

    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
    callbackHandler.setIssuer("http://cxf.apache.org/issuer");
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);

    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);

    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));

    if (audienceRestrictions == null) {
        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
        conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    } else {
        conditions.setAudienceRestrictions(audienceRestrictions);
    }
    callbackHandler.setConditions(conditions);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    response.getAssertions().add(assertion.getSaml2());

    if (authnClassRef != null) {
        AuthnStatement authnStatement =
            response.getAssertions().get(0).getAuthnStatements().get(0);
        authnStatement.getAuthnContext().setAuthnContextClassRef(
            SAML2PResponseComponentBuilder.createAuthnContextClassRef(authnClassRef));
    }

    Element policyElement = OpenSAMLUtil.toDom(response, doc);
    doc.appendChild(policyElement);
    assertNotNull(policyElement);

    return (Response)OpenSAMLUtil.fromDom(policyElement);
}
 
Example 17
Source File: RequestedClaimsTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
@org.junit.Test
public void testRequiredClaimIncluded() throws Exception {
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(ISSUER);
    callbackHandler.setSubjectName("alice");
    callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
    callbackHandler.setCountryClaimName("country");
    callbackHandler.setRoleAttributeName("role");
    callbackHandler.setCustomClaimName(CLAIM_TYPE_1);
    callbackHandler.setCustomAttributeValues(Collections.singletonList("xyz"));

    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(AUDIENCE_URI_1);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    String rstr = createSamlToken(assertion, "mystskey", true);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    FedizConfig config = createConfiguration();
    StringWriter writer = new StringWriter();
    final JAXBContext jaxbContext = JAXBContext.newInstance(FedizConfig.class);
    jaxbContext.createMarshaller().marshal(config, writer);
    StringReader reader = new StringReader(writer.toString());

    FedizConfigurator configurator = new FedizConfigurator();
    configurator.loadConfig(reader);
    FedizContext context = configurator.getFedizContext(CONFIG_NAME);

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse wfRes = wfProc.processRequest(wfReq, context);

    Object claimValue = null;
    for (Claim c : wfRes.getClaims()) {
        if (CLAIM_TYPE_1.equals(c.getClaimType().toString())) {
            claimValue = c.getValue();
        }
    }

    Assert.assertEquals("xyz", claimValue);
}
 
Example 18
Source File: SamlResponseCreator.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
private Assertion createSAML2Assertion(RequestContext context, Idp idp, SamlAssertionWrapper receivedToken,
                                       String requestID, String requestIssuer,
                                       String remoteAddr, String racs) throws Exception {
    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    String issuer = isUseRealmForIssuer() ? idp.getRealm() : idp.getIdpUrl().toString();
    callbackHandler.setIssuer(issuer);
    callbackHandler.setSubject(receivedToken.getSaml2().getSubject());

    // Test Subject against received Subject (if applicable)
    SAMLAuthnRequest authnRequest =
        (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
    if (authnRequest.getSubjectNameId() != null && receivedToken.getSaml2().getSubject().getNameID() != null) {
        NameID issuedNameId = receivedToken.getSaml2().getSubject().getNameID();
        if (!authnRequest.getSubjectNameId().equals(issuedNameId.getValue())) {
            LOG.debug("Received NameID value of {} does not match issued value {}",
                      authnRequest.getSubjectNameId(), issuedNameId.getValue());
            throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
        }
    }

    // Subject Confirmation Data
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress(remoteAddr);
    subjectConfirmationData.setInResponseTo(requestID);
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient(racs);
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);

    // Audience Restriction
    ConditionsBean conditions = new ConditionsBean();
    conditions.setTokenPeriodMinutes(5);

    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList(requestIssuer));
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);

    // Attributes
    callbackHandler.setAttributeStatements(receivedToken.getSaml2().getAttributeStatements());

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

    Crypto issuerCrypto = CertsUtils.getCryptoFromCertificate(idp.getCertificate());
    assertion.signAssertion(issuerCrypto.getDefaultX509Identifier(), idp.getCertificatePassword(),
                            issuerCrypto, false);

    return assertion.getSaml2();
}
 
Example 19
Source File: FederationResponseTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
@org.junit.Test
public void testUnsignedAssertionAfterSignedAssertion() throws Exception {
    // First assertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);
    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion1 = new SamlAssertionWrapper(samlCallback);

    // Second assertion
    SAML2CallbackHandler callbackHandler2 = new SAML2CallbackHandler();
    callbackHandler2.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler2.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler2.setIssuer(TEST_RSTR_ISSUER);
    callbackHandler2.setSubjectName("bob");
    ConditionsBean cp2 = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction2 = new AudienceRestrictionBean();
    audienceRestriction2.getAudienceURIs().add(TEST_AUDIENCE);
    cp2.setAudienceRestrictions(Collections.singletonList(audienceRestriction2));
    callbackHandler2.setConditions(cp2);

    SAMLCallback samlCallback2 = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler2, samlCallback2);
    SamlAssertionWrapper assertion2 = new SamlAssertionWrapper(samlCallback2);

    Element rstrElement =
        createResponseWithMultipleAssertions(assertion1, true, assertion2, false, "mystskey");
    String rstr = DOM2Writer.nodeToString(rstrElement);
    FedizRequest wfReq = new FedizRequest();
    wfReq.setAction(FederationConstants.ACTION_SIGNIN);
    wfReq.setResponseToken(rstr);

    // Load and update the config to enforce an error
    configurator = null;
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    FedizProcessor wfProc = new FederationProcessorImpl();
    FedizResponse fedizResponse = wfProc.processRequest(wfReq, config);
    Assert.assertEquals(TEST_USER, fedizResponse.getUsername());
}
 
Example 20
Source File: SAMLResponseTest.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
/**
 * Validate SAML 2 token which includes the role attribute with 2 values
 * The configured subject of the trusted issuer doesn't match with
 * the issuer of the SAML token
 */
@org.junit.Test
public void validateUnsignedSAML2Token() throws Exception {
    // Mock up a Request
    FedizContext config = getFederationConfigurator().getFedizContext("ROOT");

    String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");

    String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
    RequestState requestState = new RequestState(TEST_REQUEST_URL,
                                                 TEST_IDP_ISSUER,
                                                 requestId,
                                                 TEST_REQUEST_URL,
                                                 (String)config.getProtocol().getIssuer(),
                                                 null,
                                                 relayState,
                                                 System.currentTimeMillis());

    // Create SAML Response
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setAlsoAddAuthnStatement(true);
    callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    callbackHandler.setIssuer(TEST_IDP_ISSUER);
    callbackHandler.setSubjectName(TEST_USER);

    ConditionsBean cp = new ConditionsBean();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
    cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(cp);

    // Subject Confirmation Data
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
    subjectConfirmationData.setInResponseTo(requestId);
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);

    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    Element response = createSamlResponse(assertion, "mystskey", false, requestId);
    String responseStr = encodeResponse(response);

    HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
    EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
    EasyMock.replay(req);

    FedizRequest wfReq = new FedizRequest();
    wfReq.setResponseToken(responseStr);
    wfReq.setState(relayState);
    wfReq.setRequest(req);
    wfReq.setRequestState(requestState);

    FedizProcessor wfProc = new SAMLProcessorImpl();
    try {
        wfProc.processRequest(wfReq, config);
        Assert.fail("Processing must fail because of missing signature");
    } catch (ProcessingException ex) {
        // expected
    }
}