final DateTime now = new DateTime(); final DateTime issueInstant = response.getIssueInstant(); if (issueInstant == null) { throw new SamlException("failed to get IssueInstant attribute"); if (Math.abs(now.getMillis() - issueInstant.getMillis()) > MILLIS_IN_MINUTE) { final Issuer issuer = assertion.getIssuer(); if (issuer == null || issuer.getValue() == null) { throw new SamlException("failed to get an Issuer element from the assertion"); validateSignature(idp.signingCredential(), assertion); final List<AuthnStatement> authnStatements = assertion.getAuthnStatements(); if (authnStatements.isEmpty()) { continue; final Subject subject = assertion.getSubject(); if (subject == null) { continue; conditions.getAudienceRestrictions().stream() .flatMap(r -> r.getAudiences().stream()) .filter(audience -> entityId.equals(audience.getAudienceURI()))
data.setNotOnOrAfter(DateTime.now().plusMinutes(1)); data.setRecipient(recipient); assertion.setSubject(subject); assertion.setIssuer(XMLObjectSupport.cloneXMLObject(issuer)); assertion.setIssueInstant(DateTime.now()); assertion.setID(requestIdManager.newId()); conditions.setNotBefore(DateTime.now().minusMinutes(1)); conditions.setNotOnOrAfter(DateTime.now().plusMinutes(1)); conditions.getAudienceRestrictions().add(audienceRestriction); assertion.setConditions(conditions);
throws IdentitySAML2QueryException { DateTime currentTime = new DateTime(); DateTime notOnOrAfter = new DateTime(currentTime.getMillis() + (long) SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000); Assertion samlAssertion = new AssertionBuilder().buildObject(); samlAssertion.setID(SAMLSSOUtil.createID()); samlAssertion.setVersion(SAMLVersion.VERSION_20); samlAssertion.setIssuer(OpenSAML3Util.getIssuer("carbon.super")); samlAssertion.setIssueInstant(currentTime); Subject subject = new SubjectBuilder().buildObject(); conditions.setNotBefore(currentTime); conditions.setNotOnOrAfter(notOnOrAfter); conditions.getAudienceRestrictions().add(audienceRestriction); samlAssertion.setConditions(conditions);
DateTime currentDate = new DateTime(); if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) { LOG.log(Level.WARNING, "The token expired too long ago to be renewed"); throw new STSException( assertion.parseSubject( new WSSSAMLKeyInfoProcessor(requestData), sigCrypto, callbackHandler ); SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo(); if (keyInfo == null) { keyInfo = new SAMLKeyInfo((byte[])null); if (assertion.getSaml1() != null) { List<AudienceRestrictionCondition> restrConditions = assertion.getSaml1().getConditions().getAudienceRestrictionConditions(); assertion.getSaml2().getConditions().getAudienceRestrictions(); if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) { LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
DateTime newNotBefore = new DateTime(); conditions.setNotBefore(newNotBefore); conditions.setNotOnOrAfter(newNotBefore.plusMinutes(5)); return conditions; conditions.setNotBefore(notBefore); conditions.setNotOnOrAfter(notAfter); } else { DateTime newNotBefore = new DateTime(); conditions.setNotBefore(newNotBefore); if (tokenPeriodSeconds <= 0) { tokenPeriodSeconds = 5L * 60L; new DateTime(newNotBefore.getMillis() + tokenPeriodSeconds * 1000L); conditions.setNotOnOrAfter(notOnOrAfter); AudienceRestriction audienceRestriction = createAudienceRestriction(audienceRestrictionBean); conditions.getAudienceRestrictions().add(audienceRestriction); conditions.getConditions().add(createOneTimeUse()); conditions.getConditions().add(createProxyRestriction(conditionsBean.getProxyRestriction())); DelegationRestrictionType delegationRestriction = createDelegationRestriction(conditionsBean.getDelegates()); conditions.getConditions().add(delegationRestriction);
@Nonnull final ValidationContext context) throws AssertionValidationException { Conditions conditions = assertion.getConditions(); if (conditions == null) { return ValidationResult.VALID; DateTime now = new DateTime(ISOChronology.getInstanceUTC()); long clockSkew = getClockSkew(context); DateTime notBefore = conditions.getNotBefore(); log.debug("Evaluating Conditions NotBefore '{}' against 'skewed now' time '{}'", notBefore, now.plus(clockSkew)); if (notBefore != null && notBefore.isAfter(now.plus(clockSkew))) { context.setValidationFailureMessage(String.format( "Assertion '%s' with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore)); return ValidationResult.INVALID; DateTime notOnOrAfter = conditions.getNotOnOrAfter(); log.debug("Evaluating Conditions NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, now.minus(clockSkew)); if (notOnOrAfter != null && notOnOrAfter.isBefore(now.minus(clockSkew))) { context.setValidationFailureMessage(String.format( "Assertion '%s' with NotOnOrAfter condition of '%s' is no longer valid", assertion.getID(), notOnOrAfter)); return ValidationResult.INVALID;
DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) { validTill = getSaml2().getConditions().getNotOnOrAfter(); issueInstant = getSaml2().getIssueInstant(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) { DateTime currentTime = new DateTime().plusSeconds(futureTTL); if (issueInstant.isAfter(currentTime)) { LOG.debug("SAML Token IssueInstant not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
/**
 * Check the time-based Conditions (NotBefore / NotOnOrAfter) of the wrapped Assertion.
 *
 * <p>NotBefore is compared against local time advanced by {@code futureTTL} seconds, so an
 * assertion issued by a slightly fast clock is still accepted; NotOnOrAfter is compared
 * against plain local time with no allowance.
 *
 * @param futureTTL number of seconds the NotBefore instant may lie in the future
 * @throws WSSecurityException if either condition is present and not met
 */
public void checkConditions(int futureTTL) throws WSSecurityException {
    DateTime notBefore = null;
    DateTime notOnOrAfter = null;
    if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) {
        notBefore = getSaml2().getConditions().getNotBefore();
        notOnOrAfter = getSaml2().getConditions().getNotOnOrAfter();
    } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) {
        notBefore = getSaml1().getConditions().getNotBefore();
        notOnOrAfter = getSaml1().getConditions().getNotOnOrAfter();
    }
    // The local clock is skewed forward by futureTTL seconds before the NotBefore comparison.
    if (notBefore != null && notBefore.isAfter(new DateTime().plusSeconds(futureTTL))) {
        LOG.debug("SAML Token condition (Not Before) not met");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    if (notOnOrAfter != null && notOnOrAfter.isBeforeNow()) {
        LOG.debug("SAML Token condition (Not On Or After) not met");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
}
DateTime now = new DateTime(); confirmationMethod.setNotBefore(now); confirmationMethod.setNotOnOrAfter(now.plusMinutes(2)); DateTime now2 = new DateTime(); authnStatement.setAuthnInstant(now2); authnStatement.setSessionIndex(input.getSessionId()); conditions.getConditions().add(condition);
/**
 * {@inheritDoc}
 *
 * <p>Adds a NotOnOrAfter condition to every Assertion in the outbound SAML 1 or SAML 2
 * Response. The expiration is the assertion's IssueInstant plus the lifetime supplied by
 * {@code assertionLifetimeStrategy}, falling back to {@code defaultAssertionLifetime}
 * when no strategy is configured or it yields {@code null}.
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    Long lifetime = null;
    if (assertionLifetimeStrategy != null) {
        lifetime = assertionLifetimeStrategy.apply(profileRequestContext);
    }
    if (lifetime == null) {
        log.debug("{} No assertion lifetime supplied, using default", getLogPrefix());
    }

    if (response instanceof org.opensaml.saml.saml1.core.Response) {
        final org.opensaml.saml.saml1.core.Response saml1Response =
            (org.opensaml.saml.saml1.core.Response) response;
        for (final org.opensaml.saml.saml1.core.Assertion assertion : saml1Response.getAssertions()) {
            final DateTime issued = new DateTime(assertion.getIssueInstant());
            final DateTime expiration = issued.plus(lifetime != null ? lifetime : defaultAssertionLifetime);
            log.debug("{} Added NotOnOrAfter condition, indicating an expiration of {}, to Assertion {}",
                new Object[] {getLogPrefix(), expiration, assertion.getID()});
            SAML1ActionSupport.addConditionsToAssertion(this, assertion).setNotOnOrAfter(expiration);
        }
    } else if (response instanceof org.opensaml.saml.saml2.core.Response) {
        final org.opensaml.saml.saml2.core.Response saml2Response =
            (org.opensaml.saml.saml2.core.Response) response;
        for (final org.opensaml.saml.saml2.core.Assertion assertion : saml2Response.getAssertions()) {
            final DateTime issued = new DateTime(assertion.getIssueInstant());
            final DateTime expiration = issued.plus(lifetime != null ? lifetime : defaultAssertionLifetime);
            log.debug("{} Added NotOnOrAfter condition, indicating an expiration of {}, to Assertion {}",
                new Object[] {getLogPrefix(), expiration, assertion.getID()});
            SAML2ActionSupport.addConditionsToAssertion(this, assertion).setNotOnOrAfter(expiration);
        }
    }
}
/**
 * {@inheritDoc}
 *
 * <p>Parses the NotBefore and NotOnOrAfter attributes of a Conditions element as UTC
 * instants; an attribute whose value is null or empty is left unset. Any other attribute
 * is delegated to the superclass.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    Conditions conditions = (Conditions) samlObject;
    String name = attribute.getLocalName();
    String value = attribute.getValue();
    boolean hasValue = !Strings.isNullOrEmpty(value);

    if (name.equals(Conditions.NOT_BEFORE_ATTRIB_NAME) && hasValue) {
        // Timestamps are interpreted in the UTC chronology regardless of the JVM default zone.
        conditions.setNotBefore(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else if (name.equals(Conditions.NOT_ON_OR_AFTER_ATTRIB_NAME) && hasValue) {
        conditions.setNotOnOrAfter(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
}
/**
 * Returns the Conditions/NotOnOrAfter instant of the given assertion.
 *
 * <p>Assumes the assertion carries a Conditions element: a missing one surfaces as a
 * NullPointerException here rather than as a {@code null} return.
 *
 * @param assertion the SAML 1.1 or SAML 2.0 assertion wrapper
 * @return the NotOnOrAfter instant, or {@code null} if the attribute is absent
 */
private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
    boolean isSaml2 = assertion.getSamlVersion().equals(SAMLVersion.VERSION_20);
    return isSaml2
        ? assertion.getSaml2().getConditions().getNotOnOrAfter()
        : assertion.getSaml1().getConditions().getNotOnOrAfter();
}
SamlAssertionWrapper assertion = new SamlAssertionWrapper((Element)tokenToRenew.getToken()); byte[] oldSignature = assertion.getSignatureValue(); int hash = Arrays.hashCode(oldSignature); SecurityToken cachedToken = tokenStore.getToken(Integer.toString(hash)); SamlAssertionWrapper renewedAssertion = new SamlAssertionWrapper(assertion.getSamlObject()); String oldId = createNewId(renewedAssertion); DateTime validTill = null; if (renewedAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = renewedAssertion.getSaml2().getConditions().getNotBefore(); validTill = renewedAssertion.getSaml2().getConditions().getNotOnOrAfter(); } else { validFrom = renewedAssertion.getSaml1().getConditions().getNotBefore(); validTill = renewedAssertion.getSaml1().getConditions().getNotOnOrAfter(); response.setCreated(validFrom.toDate().toInstant()); response.setExpires(validTill.toDate().toInstant());
Document doc = DOMUtils.createDocument(); SamlAssertionWrapper assertion = createSamlToken(tokenParameters, secret, doc); Element token = assertion.toDOM(doc); byte[] signatureValue = assertion.getSignatureValue(); if (tokenParameters.getTokenStore() != null && signatureValue != null && signatureValue.length > 0) { CacheUtils.createSecurityTokenForStorage(token, assertion.getId(), assertion.getNotOnOrAfter(), tokenParameters.getPrincipal(), tokenParameters.getRealm(), tokenParameters.getTokenRequirements().getRenewing()); DateTime validTill = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); response.setCreated(validFrom.toDate().toInstant()); response.setExpires(validTill.toDate().toInstant());
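/**
 * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion
 * is cached (if a cache is defined), and must not have been previously cached.
 *
 * <p>The identifier is registered in the replay cache exactly once: with a TTL derived from
 * the assertion's NotOnOrAfter when present, otherwise with the cache's default TTL.
 *
 * @param samlAssertion the assertion to check
 * @param data request data supplying the OneTimeUse replay cache; a null cache disables the check
 * @throws WSSecurityException if the assertion identifier is already present in the replay cache
 */
protected void checkOneTimeUse(
    SamlAssertionWrapper samlAssertion,
    RequestData data
) throws WSSecurityException {
    if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
        && samlAssertion.getSaml2().getConditions() != null
        && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null
        && data.getSamlOneTimeUseReplayCache() != null) {
        String identifier = samlAssertion.getId();
        ReplayCache replayCache = data.getSamlOneTimeUseReplayCache();
        if (replayCache.contains(identifier)) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken",
                new Object[] {"A replay attack has been detected"});
        }

        DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
        if (expires != null) {
            // Keep the identifier for the assertion's remaining validity plus one second,
            // so the replay check covers the whole window in which the token is acceptable.
            Instant currentTime = Instant.now();
            Instant zonedExpires = Instant.ofEpochMilli(expires.getMillis());
            replayCache.add(identifier, 1L + Duration.between(currentTime, zonedExpires).getSeconds());
        } else {
            replayCache.add(identifier);
        }
        // Fix: the original issued a second, unconditional add(identifier) after this
        // if/else. That re-registered the id with the default TTL and, depending on the
        // cache implementation, could replace the NotOnOrAfter-based TTL with a shorter
        // one, reopening a replay window before the assertion itself expires.
    }
}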
NameID nameID = assertion.getSubject().getNameID(); if (nameID == null) { throw new IllegalArgumentException("NameID not found"); if (assertion.getConditions().getNotOnOrAfter() != null) { responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate()); assertion.getAuthnStatements().forEach(authnStmt -> { responseTO.setSessionIndex(authnStmt.getSessionIndex()); responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate()); if (authnStmt.getSessionNotOnOrAfter() != null) { responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
/**
 * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion
 * is cached (if a cache is defined), and must not have been previously cached.
 *
 * @param samlAssertion the assertion whose Conditions are inspected
 * @param replayCache the cache of already-seen assertion ids; {@code null} disables the check
 * @throws WSSecurityException if the assertion id is already present in the replay cache
 */
protected void checkOneTimeUse(
    SamlAssertionWrapper samlAssertion,
    ReplayCache replayCache
) throws WSSecurityException {
    // Only SAML 2.0 assertions carrying a OneTimeUse condition are subject to the check.
    if (replayCache == null
        || !samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)
        || samlAssertion.getSaml2().getConditions() == null
        || samlAssertion.getSaml2().getConditions().getOneTimeUse() == null) {
        return;
    }

    String identifier = samlAssertion.getId();
    if (replayCache.contains(identifier)) {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken",
            new Object[] {"A replay attack has been detected"});
    }

    DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
    if (expires == null) {
        replayCache.add(identifier);
        return;
    }
    // Retain the id one second beyond the assertion's own NotOnOrAfter.
    long secondsUntilExpiry =
        Duration.between(Instant.now(), expires.toDate().toInstant()).getSeconds();
    replayCache.add(identifier, 1L + secondsUntilExpiry);
}
/**
 * Returns the Conditions/NotBefore instant of the wrapped assertion as a {@link Instant}.
 *
 * <p>Assumes a Conditions element is present (a missing one raises a NullPointerException).
 *
 * @return the NotBefore instant, or {@code null} when the attribute is absent
 */
public Instant getNotBefore() {
    DateTime notBefore = getSamlVersion().equals(SAMLVersion.VERSION_20)
        ? getSaml2().getConditions().getNotBefore()
        : getSaml1().getConditions().getNotBefore();
    // Joda DateTime -> java.util.Date -> java.time.Instant
    return notBefore == null ? null : notBefore.toDate().toInstant();
}
/**
 * Validate assertionConditions
 * - notBefore
 * - notOnOrAfter
 *
 * <p>Both instants are checked with {@code acceptedSkew} seconds of tolerance, then the
 * AudienceRestrictions are validated against this SP's entity id.
 *
 * @param conditions the conditions
 * @param context the context
 * @throws SAMLAssertionConditionException if a present NotBefore or NotOnOrAfter is not satisfied
 */
protected final void validateAssertionConditions(final Conditions conditions, final SAML2MessageContext context) {
    if (conditions == null) {
        return;
    }

    // NotBefore minus the accepted skew must not lie in the future.
    final boolean notYetValid = conditions.getNotBefore() != null
        && conditions.getNotBefore().minusSeconds(acceptedSkew).isAfterNow();
    if (notYetValid) {
        throw new SAMLAssertionConditionException("Assertion condition notBefore is not valid");
    }

    // NotOnOrAfter plus the accepted skew must not lie in the past.
    final boolean expired = conditions.getNotOnOrAfter() != null
        && conditions.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow();
    if (expired) {
        throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid");
    }

    final String entityId = context.getSAMLSelfEntityContext().getEntityId();
    validateAudienceRestrictions(conditions.getAudienceRestrictions(), entityId);
}
/**
 * Checks the time-based Conditions (NotBefore, NotOnOrAfter) and the IssueInstant of the
 * assertion against the current local time, with no clock-skew allowance.
 *
 * <p>Assumes the assertion carries a Conditions element.
 *
 * @param assertion the SAML 1.1 or SAML 2.0 assertion wrapper
 * @param validateTarget the token being validated; marked {@code EXPIRED} when NotOnOrAfter has passed
 * @return {@code true} if every present condition is satisfied, {@code false} otherwise
 */
protected boolean validateConditions(
    SamlAssertionWrapper assertion,
    ReceivedToken validateTarget
) {
    final DateTime notBefore;
    final DateTime notOnOrAfter;
    final DateTime issued;
    if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        notBefore = assertion.getSaml2().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
        issued = assertion.getSaml2().getIssueInstant();
    } else {
        notBefore = assertion.getSaml1().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
        issued = assertion.getSaml1().getIssueInstant();
    }

    if (notBefore != null && notBefore.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        return false;
    }
    if (notOnOrAfter != null && notOnOrAfter.isBeforeNow()) {
        // Only the NotOnOrAfter failure is reported to the caller as an expired token.
        LOG.log(Level.WARNING, "SAML Token condition not met");
        validateTarget.setState(STATE.EXPIRED);
        return false;
    }
    if (issued != null && issued.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
        return false;
    }
    return true;
}