/**
 * Tells whether an issued token is a SAML 2.0 Assertion carrying the {@code OneTimeUse} condition.
 *
 * @param issuedToken the issued token whose DOM element is inspected
 * @return {@code true} only for a SAML 2.0 {@code Assertion} element whose Conditions contain a
 *         OneTimeUse element; {@code false} for a null element, any other element, or an
 *         assertion without that condition
 * @throws Fault wrapping the WSSecurityException if the element cannot be parsed as an assertion
 */
private static boolean isOneTimeUse(SecurityToken issuedToken) {
    Element tokenElement = issuedToken.getToken();
    if (tokenElement == null) {
        return false;
    }
    boolean isSaml2Assertion = "Assertion".equals(tokenElement.getLocalName())
        && WSS4JConstants.SAML2_NS.equals(tokenElement.getNamespaceURI());
    if (!isSaml2Assertion) {
        return false;
    }
    try {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(tokenElement);
        boolean hasConditions = wrapper.getSaml2().getConditions() != null;
        return hasConditions && wrapper.getSaml2().getConditions().getOneTimeUse() != null;
    } catch (WSSecurityException ex) {
        // Parsing failures surface as a Fault, consistent with the rest of the interceptor
        throw new Fault(ex);
    }
}
/**
 * Checks the time-based Conditions of the wrapped Assertion.
 * <p>
 * NotBefore is compared against the current time advanced by {@code futureTTL} seconds, so a
 * token whose validity starts slightly in the future (clock skew) is still accepted. NotOnOrAfter
 * is compared against the current time with no such allowance. An assertion whose Conditions
 * element is absent passes this check unchanged.
 *
 * @param futureTTL number of seconds of future clock skew tolerated on NotBefore
 * @throws WSSecurityException with code FAILURE ("invalidSAMLsecurity") if either condition fails
 */
public void checkConditions(int futureTTL) throws WSSecurityException {
    DateTime notBefore = null;
    DateTime notOnOrAfter = null;
    SAMLVersion version = getSamlVersion();
    if (version.equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) {
        notBefore = getSaml2().getConditions().getNotBefore();
        notOnOrAfter = getSaml2().getConditions().getNotOnOrAfter();
    } else if (version.equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) {
        notBefore = getSaml1().getConditions().getNotBefore();
        notOnOrAfter = getSaml1().getConditions().getNotOnOrAfter();
    }
    if (notBefore != null) {
        // The skew allowance applies to NotBefore only
        DateTime latestAcceptableStart = new DateTime().plusSeconds(futureTTL);
        if (notBefore.isAfter(latestAcceptableStart)) {
            LOG.debug("SAML Token condition (Not Before) not met");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }
    if (notOnOrAfter != null && notOnOrAfter.isBeforeNow()) {
        LOG.debug("SAML Token condition (Not On Or After) not met");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
}
/**
 * Returns the DOM form of the wrapped assertion, building it on first use.
 * The element is cached in {@code samlElement}; later calls return that same instance.
 *
 * @return the cached or newly built Element, or {@code null} when no assertion is wrapped
 * @throws WSSecurityException if the assertion cannot be marshalled to DOM
 */
public Element getElement() throws WSSecurityException {
    if (samlElement == null && saml != null) {
        // getDocument() is only consulted when the element actually has to be built
        samlElement = saml.toDOM(getDocument());
    }
    return samlElement;
}
/**
 * Applies the bearer confirmation-method constraint to a received assertion.
 * An assertion confirmed by the bearer method is accepted only when it is signed or when
 * {@code tlsCerts} is non-empty (presumably the TLS client certificates of the request — verify
 * against the caller); other confirmation methods pass this check. The original TODO about
 * time-based validation is kept: no such validation happens here.
 *
 * @param assertionWrapper the received assertion
 * @param tlsCerts certificates from the transport, may be null or empty
 * @return {@code false} if an unsigned bearer assertion arrived without certificates, else {@code true}
 */
protected boolean checkBearer(SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts) {
    boolean noTlsCerts = tlsCerts == null || tlsCerts.length == 0;
    for (String method : assertionWrapper.getConfirmationMethods()) {
        if (!isMethodBearer(method)) {
            continue;
        }
        if (!assertionWrapper.isSigned() && noTlsCerts) {
            return false;
        }
        // TODO: do some more validation - time based, etc
    }
    return true;
}
/**
 * Dispatches the claim search to the SAML 1.1 or SAML 2.0 overload, whichever the wrapper holds.
 *
 * @param assertion the wrapped assertion
 * @param claimURI the claim to look for
 * @return the overload's result, or {@code false} if the wrapper holds neither version
 */
private boolean findClaimInAssertion(SamlAssertionWrapper assertion, URI claimURI) {
    boolean found = false;
    if (assertion.getSaml1() != null) {
        found = findClaimInAssertion(assertion.getSaml1(), claimURI);
    } else if (assertion.getSaml2() != null) {
        found = findClaimInAssertion(assertion.getSaml2(), claimURI);
    }
    return found;
}
/**
 * Returns the NotOnOrAfter instant from the assertion's Conditions.
 * {@code getConditions()} is dereferenced without a null check, so an assertion with no
 * Conditions element raises a NullPointerException here rather than returning null.
 *
 * @param assertion the wrapped assertion (SAML 2.0; anything else is read as SAML 1.1)
 * @return the NotOnOrAfter value, which may itself be null
 */
private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
    if (!assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        return assertion.getSaml1().getConditions().getNotOnOrAfter();
    }
    return assertion.getSaml2().getConditions().getNotOnOrAfter();
}
/**
 * Adds the SAML token required by policy to the outbound Security header.
 * When {@code addSamlToken} yields no assertion, every SamlToken assertion in the
 * AssertionInfoMap that is currently asserted is reset to not-asserted and nothing is appended.
 * A WSSecurityException while building or serialising the token is reported through
 * {@code policyNotAsserted} with the exception's message; the exception itself is not propagated.
 *
 * @param message the outbound SOAP message
 */
protected void addToken(SoapMessage message) {
    WSSConfig.init();
    SamlToken samlToken = (SamlToken)assertTokens(message);
    Header securityHeader = findSecurityHeader(message, true);
    try {
        SamlAssertionWrapper assertion = addSamlToken(samlToken, message);
        if (assertion == null) {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            for (AssertionInfo info : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
                if (info.isAsserted()) {
                    info.setAsserted(false);
                }
            }
            return;
        }
        Element headerElement = (Element)DOMUtils.getDomElement((Element)securityHeader.getObject());
        headerElement.appendChild(assertion.toDOM(headerElement.getOwnerDocument()));
    } catch (WSSecurityException ex) {
        policyNotAsserted(samlToken, ex.getMessage(), message);
    }
}
Element child = DOMUtils.getFirstElement(template); while (child != null) { if ("TokenType".equals(child.getLocalName())) { String content = child.getTextContent(); if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(content) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) { return false; } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(content) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false; } else if ("KeyType".equals(child.getLocalName())) { String content = child.getTextContent(); if (content.endsWith("SymmetricKey")) { SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); if (subjectKeyInfo == null || subjectKeyInfo.getSecret() == null) { return false; SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); if (subjectKeyInfo == null || (subjectKeyInfo.getPublicKey() == null && subjectKeyInfo.getCerts() == null)) { child = DOMUtils.getNextElement(child);
SamlAssertionWrapper assertion = SAMLUtils.createAssertion(message); QName rootName = DOMUtils.getElementQName(payloadDoc.getDocumentElement()); if (rootName.equals(envelopeQName)) { docEl.appendChild(assertion.toDOM(payloadDoc)); return payloadDoc; Document newDoc = DOMUtils.createDocument(); newDoc.appendChild(root); Element assertionEl = assertion.toDOM(newDoc); root.appendChild(assertionEl); root.appendChild(docEl);
final WSInboundSecurityContext wsInboundSecurityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext(); final Element samlElement = samlTokenDocument.getDocumentElement(); final SamlAssertionWrapper samlAssertionWrapper = new SamlAssertionWrapper(samlElement); wssSecurityProperties.getValidator(new QName(samlElement.getNamespaceURI(), samlElement.getLocalName())); if (samlTokenValidator == null) { samlTokenValidator = new SamlTokenValidatorImpl(); if (samlAssertionWrapper.isSigned()) { Signature signature = samlAssertionWrapper.getSignature(); if (signature == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "empty", new Object[] {"no signature to validate"}); throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken"); throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken"); List<String> methods = samlAssertionWrapper.getConfirmationMethods(); boolean holderOfKey = false; if (methods != null) { wsInboundSecurityContext.registerSecurityTokenProvider(samlAssertionWrapper.getId(), subjectSecurityTokenProvider); samlTokenSecurityEvent.setCorrelationID(samlAssertionWrapper.getId()); wsInboundSecurityContext.registerSecurityEvent(samlTokenSecurityEvent);
protected void validateToken(Message message, SamlAssertionWrapper assertion) { try { RequestData data = new RequestData(); if (assertion.isSigned()) { WSSConfig cfg = WSSConfig.getNewInstance(); data.setWssConfig(cfg); Signature sig = assertion.getSignature(); WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument()); data.setWsDocInfo(docInfo); KeyInfo keyInfo = sig.getKeyInfo(); data.getSigVerCrypto() ); assertion.verifySignature(samlKeyInfo); assertion.parseSubject( new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler()
if (assertionWrapper != null) { Element envelope = saaj.getSOAPPart().getEnvelope(); envelope = (Element)DOMUtils.getDomElement(envelope); addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion(); if (!"alice".equals(assertion.getIssuerString())) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); String confirmationMethod = assertion.getConfirmationMethods().get(0); if (!OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); Assertion saml2Assertion = assertion.getSaml2(); if (saml2Assertion == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); for (AttributeStatement attributeStatement : saml2Assertion.getAttributeStatements()) { for (Attribute attribute : attributeStatement.getAttributes()) { if (!"attribute-role".equals(attribute.getName())) { String text = attributeValueElement.getTextContent(); if ("authenticated-client".equals(text)) { authenticatedClient = true;
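/**
 * Extracts the role from the first matching "role" attribute of a SAML 2.0 assertion.
 * Only attributes named {@code role} with the WS-Identity claims name format are considered;
 * the text content of that attribute's first AttributeValue element is returned.
 *
 * @param assertion the wrapped assertion
 * @return the role text, or {@code null} when the assertion is not SAML 2.0, has no attribute
 *         statements, has no matching attribute, or the matching attribute carries no usable value
 */
private String getRoleFromAssertion(SamlAssertionWrapper assertion) {
    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        return null;
    }
    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        return null;
    }
    String nameFormat = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
    for (AttributeStatement statement : attributeStatements) {
        for (Attribute attribute : statement.getAttributes()) {
            if (!"role".equals(attribute.getName()) || !nameFormat.equals(attribute.getNameFormat())) {
                continue;
            }
            // A role Attribute without any AttributeValue child (or one whose value has no DOM)
            // would otherwise throw on get(0)/getDOM(); treat it as "no role" instead.
            if (attribute.getAttributeValues() == null
                || attribute.getAttributeValues().isEmpty()
                || attribute.getAttributeValues().get(0).getDOM() == null) {
                return null;
            }
            return attribute.getAttributeValues().get(0).getDOM().getTextContent();
        }
    }
    return null;
}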
requestData.setCallbackHandler(callbackHandler); if (assertion.isSigned()) { if (assertion.getSaml1() != null) { assertion.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true); } else { assertion.getSaml2().getDOM().setIdAttributeNS(null, "ID", true); Signature sig = assertion.getSignature(); WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument()); requestData.setWsDocInfo(docInfo); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); assertion.verifySignature(samlKeyInfo); assertion.parseSubject( new WSSSAMLKeyInfoProcessor(requestData), requestData.getSigVerCrypto(), assertionValidator.validate(credential, requestData); } catch (WSSecurityException ex) { LOG.log(Level.FINE, "Assertion validation failed: " + ex.getMessage(), ex); throw ex;
/**
 * Enforces the SAML 2.0 "OneTimeUse" Condition of the Assertion. When the condition is present
 * and a cache is configured, the assertion ID is recorded in the cache, and an assertion whose ID
 * is already cached is rejected as a replay. The cache entry lives until NotOnOrAfter plus one
 * second when that condition is set, otherwise for the cache's own default lifetime.
 * <p>
 * NOTE(review): the contains/add pair is not atomic in this method, so two concurrent
 * presentations of the same assertion could both pass unless the ReplayCache implementation
 * serialises them — verify against the cache in use. The TTL arithmetic assumes NotOnOrAfter is
 * still in the future; an already-expired assertion is expected to have been rejected by the
 * time-condition check before this runs.
 *
 * @param samlAssertion the received assertion
 * @param replayCache the replay cache, or null to skip the check entirely
 * @throws WSSecurityException INVALID_SECURITY ("badSamlToken") when the ID was seen before
 */
protected void checkOneTimeUse(
    SamlAssertionWrapper samlAssertion, ReplayCache replayCache
) throws WSSecurityException {
    if (replayCache == null
        || !samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
        || samlAssertion.getSaml2().getConditions() == null
        || samlAssertion.getSaml2().getConditions().getOneTimeUse() == null) {
        return;
    }
    String assertionId = samlAssertion.getId();
    if (replayCache.contains(assertionId)) {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.INVALID_SECURITY,
            "badSamlToken",
            new Object[] {"A replay attack has been detected"});
    }
    DateTime notOnOrAfter = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
    if (notOnOrAfter == null) {
        replayCache.add(assertionId);
        return;
    }
    long secondsUntilExpiry =
        Duration.between(Instant.now(), notOnOrAfter.toDate().toInstant()).getSeconds();
    replayCache.add(assertionId, 1L + secondsUntilExpiry);
}
/**
 * Validates the time-based Conditions and the IssueInstant of a received assertion against the
 * current clock, with no skew tolerance: NotBefore in the future, NotOnOrAfter in the past (which
 * also marks {@code validateTarget} as EXPIRED), or IssueInstant in the future each fail.
 * Conditions are dereferenced without a null check for both SAML versions, so an assertion with
 * no Conditions element raises a NullPointerException here rather than failing cleanly.
 *
 * @param assertion the wrapped assertion (SAML 2.0; anything else is read as SAML 1.1)
 * @param validateTarget the token being validated; its state is updated on expiry
 * @return {@code true} if every present condition is met
 */
protected boolean validateConditions(
    SamlAssertionWrapper assertion, ReceivedToken validateTarget
) {
    DateTime notBefore;
    DateTime notOnOrAfter;
    DateTime issueInstant;
    if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        notBefore = assertion.getSaml2().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
        issueInstant = assertion.getSaml2().getIssueInstant();
    } else {
        notBefore = assertion.getSaml1().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
        issueInstant = assertion.getSaml1().getIssueInstant();
    }
    boolean notYetValid = notBefore != null && notBefore.isAfterNow();
    if (notYetValid) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        return false;
    }
    boolean expired = notOnOrAfter != null && notOnOrAfter.isBeforeNow();
    if (expired) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        validateTarget.setState(STATE.EXPIRED);
        return false;
    }
    boolean issuedInFuture = issueInstant != null && issueInstant.isAfterNow();
    if (issuedInFuture) {
        LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
        return false;
    }
    return true;
}
/**
 * Collects every audience URI from the assertion's AudienceRestriction conditions.
 * SAML 1.1 assertions are read via AudienceRestrictionCondition, SAML 2.0 via AudienceRestriction;
 * a wrapper holding neither yields an empty list. {@code getConditions()} is dereferenced without a
 * null check, so an assertion with no Conditions element raises a NullPointerException here.
 *
 * @param assertion the wrapped assertion
 * @return a new, mutable list of audience URIs in document order, possibly empty
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    List<String> audiences = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        List<AudienceRestrictionCondition> restrictions =
            assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
        for (AudienceRestrictionCondition restriction : restrictions) {
            for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) {
                audiences.add(audience.getUri());
            }
        }
        return audiences;
    }
    if (assertion.getSaml2() != null) {
        List<org.opensaml.saml.saml2.core.AudienceRestriction> restrictions =
            assertion.getSaml2().getConditions().getAudienceRestrictions();
        for (org.opensaml.saml.saml2.core.AudienceRestriction restriction : restrictions) {
            for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
                audiences.add(audience.getAudienceURI());
            }
        }
    }
    return audiences;
}
/**
 * Returns the NotBefore condition of the wrapped assertion as a {@link Instant}.
 * {@code getConditions()} is dereferenced without a null check, so an assertion with no
 * Conditions element raises a NullPointerException here.
 *
 * @return the NotBefore instant, or {@code null} when the condition is not set
 */
public Instant getNotBefore() {
    DateTime notBefore;
    if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        notBefore = getSaml2().getConditions().getNotBefore();
    } else {
        notBefore = getSaml1().getConditions().getNotBefore();
    }
    // Joda DateTime -> java.time.Instant, preserving null
    return notBefore == null ? null : notBefore.toDate().toInstant();
}
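/**
 * Creates a SAML assertion via {@code SamlCallbackHandler}, converts it to DOM and stores the
 * resulting element in the message under {@code SAMLConstants.SAML_TOKEN_ELEMENT}.
 *
 * @param message the message being processed
 * @throws Fault wrapping the WSSecurityException if the assertion cannot be created or marshalled
 */
@Override
public void handleMessage(Message message) throws Fault {
    // Create a SAML Token
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(new SamlCallbackHandler(), samlCallback);
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        Document doc = DOMUtils.createDocument();
        Element token = assertion.toDOM(doc);
        message.put(SAMLConstants.SAML_TOKEN_ELEMENT, token);
    } catch (WSSecurityException ex) {
        // Wrap the original exception instead of flattening its stack trace into the fault
        // string: the cause stays available to handlers and logging, and the rendered trace is
        // not placed in a fault message that may be returned to the caller.
        throw new Fault(ex);
    }
}
}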