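/**
 * Validate the credential argument. It must contain a non-null SamlAssertionWrapper.
 * A Crypto and a CallbackHandler implementation is also required to be set.
 *
 * <p>The checks run in a fixed order and each one throws on failure: subject
 * confirmation method, Conditions (including the audience restrictions taken
 * from {@code data}), AuthnStatements, the OneTimeUse condition, schema/profile
 * validation, and finally signature trust. Note that signature trust is verified
 * only when the assertion actually carries a signature: an unsigned assertion is
 * not rejected by this method itself, so any "assertions must be signed" policy
 * has to be enforced by the subject confirmation check (e.g. a bearer-signature
 * requirement) or by a subclass.
 *
 * @param credential the Credential to be validated; must carry a SamlAssertionWrapper
 * @param data the RequestData associated with the request; must not be null
 * @return the validated credential (the same instance that was passed in)
 * @throws WSSecurityException on a failed validation, or when no assertion is present
 * @throws IllegalArgumentException if {@code data} is null
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    if (credential == null || credential.getSamlAssertion() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
    }
    if (data == null) {
        // Fail early with a clear message rather than with an NPE inside the
        // audience-restriction or OneTimeUse checks, which both dereference data.
        throw new IllegalArgumentException("RequestData must not be null");
    }
    SamlAssertionWrapper samlAssertion = credential.getSamlAssertion();

    // Check the Subject Confirmation requirements
    verifySubjectConfirmationMethod(samlAssertion);

    // Check conditions (validity period and audience restriction)
    checkConditions(samlAssertion, data.getAudienceRestrictions());

    // Check the AuthnStatements of the assertion (if any)
    checkAuthnStatements(samlAssertion);

    // Check OneTimeUse Condition (replay protection; needs the request context)
    checkOneTimeUse(samlAssertion, data);

    // Validate the assertion against schemas/profiles
    validateAssertion(samlAssertion);

    // Verify trust on the signature. Deliberately conditional: an unsigned
    // assertion skips this step entirely (see the class-level note above).
    if (samlAssertion.isSigned()) {
        verifySignedAssertion(samlAssertion, data);
    }

    return credential;
}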
/**
 * Validate the credential via the superclass, then additionally require that
 * the assertion is signed.
 *
 * <p>This override only checks for the <em>presence</em> of a signature. Its
 * validity and trust are expected to have been established by the superclass
 * validation that runs first, which presumably verifies a signed assertion's
 * signature and throws on failure — confirm that no intermediate subclass
 * swallows that failure, otherwise a signed-but-untrusted assertion would
 * pass this method.
 *
 * @param credential the Credential to validate; must hold a SamlAssertionWrapper
 * @param data the RequestData associated with the request
 * @return the same credential when it passes all checks
 * @throws WSSecurityException if the superclass rejects the credential, if no
 *         assertion is present, or if the assertion is not signed
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    super.validate(credential, data);
    log.debug("Entering OJB saml assertion validator");

    SamlAssertionWrapper wrapper = credential.getSamlAssertion();
    if (wrapper == null) {
        throw reject("Error: Unable to find assertion.");
    }

    // Presence of a signature only; see the Javadoc for where trust is verified.
    if (!wrapper.isSigned()) {
        throw reject("Error: Assertion is not signed.");
    }

    return credential;
}

/** Logs the given message at error level and builds the generic SAML rejection exception. */
private WSSecurityException reject(String message) {
    log.error(message);
    return new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
if (super.getRequiredSubjectConfirmationMethod() != null) { LOG.fine("A required subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } else if (super.isRequireStandardSubjectConfirmationMethod()) { LOG.fine("A standard subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, if (method.equals(super.getRequiredSubjectConfirmationMethod())) { requiredMethodFound = true; || SAML1Constants.CONF_BEARER.equals(method)) { standardMethodFound = true; if (super.isRequireBearerSignature() && !signed && !signedResponse) { LOG.fine("A Bearer Assertion was not signed"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, if (!requiredMethodFound && super.getRequiredSubjectConfirmationMethod() != null) { LOG.fine("A required subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, if (!standardMethodFound && super.isRequireStandardSubjectConfirmationMethod()) { LOG.fine("A standard subject confirmation method was not present"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
/**
 * Try to verify trust on the assertion's signature, recording the outcome
 * instead of failing.
 *
 * <p>Unlike the superclass, a trust failure here does <em>not</em> abort
 * validation: the WSSecurityException is logged (with its cause) and swallowed,
 * {@code trustVerificationSucceeded} is set to {@code false} and {@code null}
 * is returned. Whatever drives this validator must therefore consult
 * {@code trustVerificationSucceeded} (or the null return) afterwards; a caller
 * that ignores both would treat an assertion whose signature did not verify
 * locally exactly like one that did. The flag is instance state, so sharing one
 * validator instance across concurrent requests would race on it —
 * NOTE(review): confirm the instance is not shared, or the flag is read before
 * another request can overwrite it.
 *
 * @param assertion The signed Assertion
 * @param data The RequestData context
 * @return the Credential produced by the superclass on success, or {@code null}
 *         when local trust verification failed
 * @throws WSSecurityException not thrown by this override (the superclass's
 *         WSSecurityException is caught and recorded in the flag)
 */
@Override
protected Credential verifySignedAssertion(
    SamlAssertionWrapper assertion, RequestData data
) throws WSSecurityException {
    Credential verified;
    boolean trusted;
    try {
        verified = super.verifySignedAssertion(assertion, data);
        trusted = true;
    } catch (WSSecurityException ex) {
        // Keep the full cause in the log; the outcome is surfaced via the flag, not the exception.
        LOG.log(Level.WARNING, "Local trust verification of SAML assertion failed: " + ex.getMessage(), ex);
        verified = null;
        trusted = false;
    }
    trustVerificationSucceeded = trusted;
    return verified;
}
/**
 * Check the Conditions of the Assertion: the general condition checks first,
 * then the AudienceRestriction against the audiences this service accepts.
 *
 * @param samlAssertion the assertion whose Conditions element is checked
 * @param audienceRestrictions the audience values this service accepts; handed
 *        straight to the wrapper's audience check. How a null or empty list is
 *        treated is decided there — presumably "no audience enforcement", which
 *        would let a token minted for a different service be accepted here;
 *        confirm before relying on it.
 * @throws WSSecurityException if either check fails
 */
protected void checkConditions(
    SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions
) throws WSSecurityException {
    // The single-argument overload (defined elsewhere in this class) runs first,
    // so the audience check only sees an otherwise acceptable Conditions element.
    checkConditions(samlAssertion);
    samlAssertion.checkAudienceRestrictions(audienceRestrictions);
}
@Override public Credential validate(Credential credential, RequestData data) throws WSSecurityException { Credential validatedCredential = super.validate(credential, data); SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
/**
 * Try to verify trust on the assertion's signature, recording the outcome
 * instead of failing.
 *
 * <p>Unlike the superclass, a trust failure here does <em>not</em> abort
 * validation: the WSSecurityException is logged (with its cause) and swallowed,
 * {@code trustVerificationSucceeded} is set to {@code false} and {@code null}
 * is returned. Whatever drives this validator must therefore consult
 * {@code trustVerificationSucceeded} (or the null return) afterwards; a caller
 * that ignores both would treat an assertion whose signature did not verify
 * locally exactly like one that did. The flag is instance state, so sharing one
 * validator instance across concurrent requests would race on it —
 * NOTE(review): confirm the instance is not shared, or the flag is read before
 * another request can overwrite it.
 *
 * @param assertion The signed Assertion
 * @param data The RequestData context
 * @return the Credential produced by the superclass on success, or {@code null}
 *         when local trust verification failed
 * @throws WSSecurityException not thrown by this override (the superclass's
 *         WSSecurityException is caught and recorded in the flag)
 */
@Override
protected Credential verifySignedAssertion(
    SamlAssertionWrapper assertion, RequestData data
) throws WSSecurityException {
    Credential verified;
    boolean trusted;
    try {
        verified = super.verifySignedAssertion(assertion, data);
        trusted = true;
    } catch (WSSecurityException ex) {
        // Keep the full cause in the log; the outcome is surfaced via the flag, not the exception.
        LOG.log(Level.WARNING, "Local trust verification of SAML assertion failed: " + ex.getMessage(), ex);
        verified = null;
        trusted = false;
    }
    trustVerificationSucceeded = trusted;
    return verified;
}
/**
 * Validate the credential via the superclass, then apply this validator's
 * additional requirements: the issuer string must be exactly {@code "sts"},
 * the assertion must be SAML 2.0, and it must carry at least one
 * AttributeStatement.
 *
 * <p>Security note: the issuer check is a plain string comparison. It only
 * binds the assertion to a trusted key if the superclass actually verified the
 * signature, which presumably happens only for signed assertions — an unsigned
 * assertion with Issuer "sts" would pass this method unless the superclass (or
 * its subject-confirmation rules) rejects unsigned assertions; confirm that
 * policy. The issuer value is hard-coded; parameterize it if more than one
 * issuer must be accepted.
 *
 * @param credential the Credential to validate
 * @param data the RequestData associated with the request
 * @return the credential returned by the superclass when all checks pass
 * @throws WSSecurityException if the superclass rejects the credential, or if
 *         the issuer, SAML version or AttributeStatement requirement is not met
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validated = super.validate(credential, data);
    SamlAssertionWrapper wrapper = validated.getSamlAssertion();
    if (!meetsLocalRequirements(wrapper)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    return validated;
}

/**
 * Issuer is "sts", assertion is SAML 2.0, and at least one AttributeStatement is present.
 * All three failures map to the same rejection, so they are folded into one predicate.
 */
private static boolean meetsLocalRequirements(SamlAssertionWrapper wrapper) {
    if (!"sts".equals(wrapper.getIssuerString())) {
        return false;
    }
    Assertion saml2 = wrapper.getSaml2();
    if (saml2 == null) {
        return false;
    }
    List<AttributeStatement> statements = saml2.getAttributeStatements();
    return statements != null && !statements.isEmpty();
}