/**
 * Builds a {@link Principal} that wraps the given SAML assertion.
 *
 * As a side effect, when the first subject confirmation method of the assertion is
 * holder-of-key and the assertion carries a signature, the {@code trustedCredential}
 * flag on this instance is set to {@code true}. An unsigned assertion, or one with a
 * different confirmation method, leaves the flag as it was.
 *
 * @param assertion the AssertionWrapper to wrap
 * @return a SAMLTokenPrincipal around the assertion
 */
private Principal createPrincipalFromSAML(AssertionWrapper assertion) {
    SAMLTokenPrincipal principal = new SAMLTokenPrincipal(assertion);

    List<String> confirmationMethods = assertion.getConfirmationMethods();
    String firstMethod =
        (confirmationMethods == null || confirmationMethods.isEmpty())
            ? null
            : confirmationMethods.get(0);

    // Only a *signed* holder-of-key assertion may vouch for the key it carries.
    boolean holderOfKey = OpenSAMLUtil.isMethodHolderOfKey(firstMethod);
    if (holderOfKey && assertion.isSigned()) {
        trustedCredential = true;
    }
    return principal;
}
/**
 * Creates a result entry for a SAML assertion processed by the given action.
 *
 * The assertion is stored under {@code TAG_SAML_ASSERTION} together with its DOM element,
 * and is recorded as not yet validated ({@code TAG_VALIDATED_TOKEN} is {@code Boolean.FALSE}).
 *
 * @param act the WSConstants action code that produced this result
 * @param ass the processed AssertionWrapper (must not be {@code null})
 */
public WSSecurityEngineResult(int act, AssertionWrapper ass) {
    put(TAG_ACTION, act);              // autoboxed, same as Integer.valueOf(act)
    put(TAG_SAML_ASSERTION, ass);
    put(TAG_VALIDATED_TOKEN, Boolean.FALSE);
    put(TAG_TOKEN_ELEMENT, ass.getElement());
}
/**
 * Returns the ID of the wrapped assertion.
 *
 * @return the assertion ID, or {@code null} when no assertion is wrapped
 */
public String getId() {
    return assertion == null ? null : assertion.getId();
}
/**
 * Obtains a SAMLKeyInfo from the Subject of the given assertion, dispatching on the
 * SAML version: the SAML 1.1 object is used when present, otherwise the SAML 2.0 object.
 *
 * @param assertion the wrapped SAML assertion
 * @param data the RequestData used to obtain configuration
 * @param docInfo the WSDocInfo for the enclosing document
 * @param bspCompliant whether to process tokens in compliance with the BSP spec
 * @return the SAMLKeyInfo obtained from the subject
 * @throws WSSecurityException propagated from the version-specific overload
 */
public static SAMLKeyInfo getCredentialFromSubject(
    AssertionWrapper assertion, RequestData data, WSDocInfo docInfo, boolean bspCompliant
) throws WSSecurityException {
    if (assertion.getSaml1() == null) {
        return getCredentialFromSubject(assertion.getSaml2(), data, docInfo, bspCompliant);
    }
    return getCredentialFromSubject(assertion.getSaml1(), data, docInfo, bspCompliant);
}
assertion.validateSignatureAgainstProfile(); if (assertion.getSaml1() != null) { ValidatorSuite schemaValidators = org.opensaml.Configuration.getValidatorSuite("saml1-schema-validator"); org.opensaml.Configuration.getValidatorSuite("saml1-spec-validator"); try { schemaValidators.validate(assertion.getSaml1()); specValidators.validate(assertion.getSaml1()); } catch (ValidationException e) { LOG.debug("Saml Validation error: " + e.getMessage(), e); ); } else if (assertion.getSaml2() != null) { ValidatorSuite schemaValidators = org.opensaml.Configuration.getValidatorSuite("saml2-core-schema-validator"); org.opensaml.Configuration.getValidatorSuite("saml2-core-spec-validator"); try { schemaValidators.validate(assertion.getSaml2()); specValidators.validate(assertion.getSaml2()); } catch (ValidationException e) { LOG.debug("Saml Validation error: " + e.getMessage(), e);
DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && assertion.getSaml2().getConditions() != null) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11) && assertion.getSaml1().getConditions() != null) { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant();
samlToken = (Element) assertion.toDOM(doc); List<String> methods = assertion.getConfirmationMethods(); if (methods != null && methods.size() > 0) { confirmMethod = methods.get(0); if (userCrypto == null || !assertion.isSigned()) { throw new WSSecurityException( WSSecurityException.FAILURE, ref.setURI("#" + assertion.getId()); if (assertion.getSaml1() != null) { ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); } else if (assertion.getSaml2() != null) { secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); Element keyId = doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier"); String valueType = null; if (assertion.getSaml1() != null) { valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE; secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); } else if (assertion.getSaml2() != null) { valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE; secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); null, "ValueType", valueType ); keyId.appendChild(doc.createTextNode(assertion.getId()));
data.getValidator(new QName(elem.getNamespaceURI(), elem.getLocalName())); AssertionWrapper samlAssertion = new AssertionWrapper(elem); XMLSignature xmlSignature = verifySignatureKeysAndAlgorithms(samlAssertion, data, wsDocInfo); samlAssertion = credential.getAssertion(); if (log.isDebugEnabled()) { log.debug("SAML Assertion issuer " + samlAssertion.getIssuerString()); log.debug(DOM2Writer.nodeToString(elem)); String id = samlAssertion.getId(); Element foundElement = wsDocInfo.getTokenElement(id); if (elem.equals(foundElement)) { if (samlAssertion.isSigned()) { result = new WSSecurityEngineResult(WSConstants.ST_SIGNED, samlAssertion); result.put(WSSecurityEngineResult.TAG_DATA_REF_URIS, dataRefs);
AssertionWrapper samlAssertion, RequestData data ) throws WSSecurityException { if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Date rightNow = new Date();
WSDocInfo wsDocInfo ) throws WSSecurityException { if (samlAssertion.isSigned()) { Signature sig = samlAssertion.getSignature(); KeyInfo keyInfo = sig.getKeyInfo(); if (keyInfo == null) { samlAssertion.verifySignature(samlKeyInfo);
) throws WSSecurityException { List<String> methods = samlAssertion.getConfirmationMethods(); if (methods == null || methods.isEmpty()) { if (requiredSubjectConfirmationMethod != null) { boolean signed = samlAssertion.isSigned(); boolean requiredMethodFound = false; boolean standardMethodFound = false; for (String method : methods) { if (OpenSAMLUtil.isMethodHolderOfKey(method)) { if (samlAssertion.getSubjectKeyInfo() == null) { LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method"); throw new WSSecurityException(WSSecurityException.FAILURE, "noKeyInSAMLToken");
); } else { assertion = new AssertionWrapper(processedToken); assertion.parseHOKSubject(data, wsDocInfo); SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo(); X509Certificate[] foundCerts = keyInfo.getCerts(); if (foundCerts != null && foundCerts.length > 0) {
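/**
 * Verifies the enveloped signature of this assertion, if it has one.
 *
 * The verification key is resolved from the signature's KeyInfo via
 * {@code SAMLUtil.getCredentialFromKeyInfo} and then passed to
 * {@code verifySignature(SAMLKeyInfo)}. An assertion without a signature is not an
 * error here: it is logged at debug level and the method returns normally, so callers
 * that require a signed assertion must check {@code isSigned()} themselves.
 *
 * @param data the RequestData providing configuration (BSP compliance flag)
 * @param docInfo the WSDocInfo for the enclosing document
 * @throws WSSecurityException if the signature has no KeyInfo, or if key resolution
 *         or signature verification fails (the original Javadoc named
 *         {@code ValidationException}, which this method does not declare)
 */
public void verifySignature(RequestData data, WSDocInfo docInfo) throws WSSecurityException {
    Signature sig = getSignature();
    if (sig == null) {
        LOG.debug("AssertionWrapper: no signature to validate");
        return;
    }
    KeyInfo keyInfo = sig.getKeyInfo();
    if (keyInfo == null) {
        // No KeyInfo means no key can be resolved for verification: fail closed.
        throw new WSSecurityException(
            WSSecurityException.FAILURE,
            "invalidSAMLsecurity",
            new Object[]{"cannot get certificate or key"}
        );
    }
    SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(
        keyInfo.getDOM(), data, docInfo, data.getWssConfig().isWsiBSPCompliant()
    );
    verifySignature(samlKeyInfo);
}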
samlParms.setCallbackHandler(callbackHandler); AssertionWrapper sa = new AssertionWrapper(samlParms); if (signAssertion) { sa.signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto, sendKeyValue);
/**
 * Checks that the signature on this assertion conforms to the SAML signature profile.
 * This is a structural check only; cryptographic verification of the signature is done
 * by {@code verifySignature}. An assertion without a signature passes trivially.
 *
 * @throws WSSecurityException if the profile validator rejects the signature
 */
public void validateSignatureAgainstProfile() throws WSSecurityException {
    Signature signature = getSignature();
    if (signature == null) {
        return;
    }
    try {
        new SAMLSignatureProfileValidator().validate(signature);
    } catch (ValidationException ex) {
        throw new WSSecurityException("SAML signature validation failed", ex);
    }
}
/**
 * Establishes trust in the key that signed the assertion.
 *
 * The public key and certificates recorded in the assertion's signature KeyInfo are
 * copied into a fresh Credential, which is handed to the superclass {@code validate}
 * so the usual trust checks apply. Protected so that subclasses can replace the
 * trust decision.
 *
 * @param assertion the signed assertion
 * @param data the RequestData context
 * @return the Credential returned by the superclass validation
 * @throws WSSecurityException if the superclass validation rejects the credential
 */
protected Credential verifySignedAssertion(
    AssertionWrapper assertion, RequestData data
) throws WSSecurityException {
    Credential toValidate = new Credential();
    SAMLKeyInfo signingKeyInfo = assertion.getSignatureKeyInfo();
    toValidate.setPublicKey(signingKeyInfo.getPublicKey());
    toValidate.setCertificates(signingKeyInfo.getCerts());
    return super.validate(toValidate, data);
}
/**
 * Resolves the Subject's KeyInfo when the first subject confirmation method is
 * holder-of-key, as the SAML Token Profile requires, and caches the resulting
 * SAMLKeyInfo in {@code subjectKeyInfo} for later use by the SignatureProcessor.
 *
 * Assertions with another confirmation method, or with none, are left untouched.
 *
 * @param data the RequestData providing configuration (BSP compliance flag)
 * @param docInfo the WSDocInfo for the enclosing document
 * @throws WSSecurityException propagated from {@code SAMLUtil.getCredentialFromSubject}
 */
public void parseHOKSubject(RequestData data, WSDocInfo docInfo) throws WSSecurityException {
    List<String> confirmationMethods = getConfirmationMethods();
    String firstMethod = null;
    if (confirmationMethods != null && !confirmationMethods.isEmpty()) {
        firstMethod = confirmationMethods.get(0);
    }
    if (!OpenSAMLUtil.isMethodHolderOfKey(firstMethod)) {
        return;
    }
    if (saml1 != null) {
        subjectKeyInfo = SAMLUtil.getCredentialFromSubject(
            saml1, data, docInfo, data.getWssConfig().isWsiBSPCompliant()
        );
    } else if (saml2 != null) {
        subjectKeyInfo = SAMLUtil.getCredentialFromSubject(
            saml2, data, docInfo, data.getWssConfig().isWsiBSPCompliant()
        );
    }
}
); return new AssertionWrapper(token);
DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && assertion.getSaml2().getConditions() != null) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11) && assertion.getSaml1().getConditions() != null) { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant();
samlToken = (Element) assertion.toDOM(doc); List<String> methods = assertion.getConfirmationMethods(); if (methods != null && methods.size() > 0) { confirmMethod = methods.get(0); if (userCrypto == null || !assertion.isSigned()) { throw new WSSecurityException( WSSecurityException.FAILURE, ref.setURI("#" + assertion.getId()); if (assertion.getSaml1() != null) { ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); } else if (assertion.getSaml2() != null) { secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); Element keyId = doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier"); String valueType = null; if (assertion.getSaml1() != null) { valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE; secRefSaml.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE); } else if (assertion.getSaml2() != null) { valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE; secRefSaml.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); null, "ValueType", valueType ); keyId.appendChild(doc.createTextNode(assertion.getId()));