if (!"urn:oasis:names:tc:SAML:2.0:cm:bearer".equals(subjectConfirmation.getMethod())) { continue; final SubjectConfirmationData data = subjectConfirmation.getSubjectConfirmationData(); if (data == null) { continue;
data.setRecipient(recipient); subjectConfirmation.setSubjectConfirmationData(data); subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer");
/** {@inheritDoc} */
protected void processChildElement(XMLObject parentObject, XMLObject childObject)
        throws UnmarshallingException {
    // The parent handed to this unmarshaller is always the SubjectConfirmation being built.
    final SubjectConfirmation confirmation = (SubjectConfirmation) parentObject;

    // Each recognised child type has exactly one slot on the parent; the checks are
    // performed in this order and the first match wins. Anything else is delegated
    // to the superclass.
    if (childObject instanceof BaseID) {
        confirmation.setBaseID((BaseID) childObject);
        return;
    }
    if (childObject instanceof NameID) {
        confirmation.setNameID((NameID) childObject);
        return;
    }
    if (childObject instanceof EncryptedID) {
        confirmation.setEncryptedID((EncryptedID) childObject);
        return;
    }
    if (childObject instanceof SubjectConfirmationData) {
        confirmation.setSubjectConfirmationData((SubjectConfirmationData) childObject);
        return;
    }
    super.processChildElement(parentObject, childObject);
}
/**
 * Create an efficient field-wise copy of a {@link SubjectConfirmation}.
 *
 * <p>Only the method attribute and the scalar attributes of the nested
 * {@link SubjectConfirmationData} (Address, InResponseTo, Recipient, NotBefore,
 * NotOnOrAfter) are copied. Child elements of the confirmation data, and any
 * BaseID/NameID/EncryptedID on the confirmation itself, are not carried over.</p>
 *
 * @param confirmation the object to clone
 *
 * @return the copy
 */
@Nonnull private SubjectConfirmation cloneConfirmation(@Nonnull final SubjectConfirmation confirmation) {
    final SubjectConfirmation copy = confirmationBuilder.buildObject();
    copy.setMethod(confirmation.getMethod());

    final SubjectConfirmationData source = confirmation.getSubjectConfirmationData();
    if (source == null) {
        // Nothing further to copy; the clone carries only the method.
        return copy;
    }

    final SubjectConfirmationData target = confirmationDataBuilder.buildObject();
    target.setAddress(source.getAddress());
    target.setInResponseTo(source.getInResponseTo());
    target.setRecipient(source.getRecipient());
    target.setNotBefore(source.getNotBefore());
    target.setNotOnOrAfter(source.getNotOnOrAfter());
    copy.setSubjectConfirmationData(target);
    return copy;
}
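/**
 * Convert OpenSAML {@code SubjectConfirmation} elements into the local
 * {@link SubjectConfirmation} model.
 *
 * <p>The NameID is resolved through {@code getNameID}, which receives both the plain
 * NameID and the EncryptedID together with {@code localKeys}; when it yields null the
 * converted confirmation carries a null name id and format. The
 * {@code SubjectConfirmationData} element is read once per confirmation and, because it
 * is optional in SAML 2.0, a confirmation without one leaves the confirmation data
 * unset instead of failing with a {@link NullPointerException}.</p>
 *
 * @param subjectConfirmations the OpenSAML confirmations to convert
 * @param localKeys keys handed to {@code getNameID} for resolving an EncryptedID
 * @return the converted confirmations in input order; never null
 */
protected List<SubjectConfirmation> getConfirmations(
        List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations,
        List<SimpleKey> localKeys
) {
    List<SubjectConfirmation> result = new LinkedList<>();
    for (org.opensaml.saml.saml2.core.SubjectConfirmation s : subjectConfirmations) {
        NameID nameID = getNameID(s.getNameID(), s.getEncryptedID(), localKeys);
        SubjectConfirmation confirmation = new SubjectConfirmation()
                .setNameId(nameID != null ? nameID.getValue() : null)
                .setFormat(nameID != null ? NameId.fromUrn(nameID.getFormat()) : null)
                .setMethod(SubjectConfirmationMethod.fromUrn(s.getMethod()));

        // SubjectConfirmationData is optional; fetch it once and skip it when absent
        // rather than dereferencing it four times.
        org.opensaml.saml.saml2.core.SubjectConfirmationData data = s.getSubjectConfirmationData();
        if (data != null) {
            confirmation.setConfirmationData(
                    new SubjectConfirmationData()
                            .setRecipient(data.getRecipient())
                            .setNotOnOrAfter(data.getNotOnOrAfter())
                            .setNotBefore(data.getNotBefore())
                            .setInResponseTo(data.getInResponseTo())
            );
        }
        result.add(confirmation);
    }
    return result;
}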
/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    final SubjectConfirmation confirmation = (SubjectConfirmation) samlObject;
    final String method = confirmation.getMethod();
    // Method is the only attribute written by this marshaller; it is emitted without a namespace
    // and omitted entirely when unset.
    if (method == null) {
        return;
    }
    domElement.setAttributeNS(null, SubjectConfirmation.METHOD_ATTRIB_NAME, method);
}
}
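/**
 * Create a SubjectConfirmation object.
 * One of the following subject confirmation methods MUST be used:
 * urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
 * urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
 * urn:oasis:names:tc:SAML:2.0:cm:bearer
 *
 * <p>The method value is not checked against that list here; it is set on the
 * object as given. The builder is looked up lazily from {@code builderFactory} on
 * first use and cached in the static {@code subjectConfirmationBuilder} field without
 * synchronization, so two threads racing on the first call may each perform the
 * lookup; this is presumed harmless as long as the factory hands out equivalent
 * builders.</p>
 *
 * @param method of type String; the confirmation method URN
 * @param subjectConfirmationData of type SubjectConfirmationData; passed through to
 *        {@code setSubjectConfirmationData} unchanged
 * @param subjectConfirmationNameId the NameID to attach to the confirmation; passed
 *        through to {@code setNameID} unchanged
 * @return a SubjectConfirmation object
 */
@SuppressWarnings("unchecked")
public static SubjectConfirmation createSubjectConfirmation(
        String method,
        SubjectConfirmationData subjectConfirmationData,
        NameID subjectConfirmationNameId
) {
    if (subjectConfirmationBuilder == null) {
        // Unchecked cast: the factory returns the builder registered for this element name.
        subjectConfirmationBuilder = (SAMLObjectBuilder<SubjectConfirmation>)
                builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
    }
    SubjectConfirmation subjectConfirmation = subjectConfirmationBuilder.buildObject();
    subjectConfirmation.setMethod(method);
    subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
    subjectConfirmation.setNameID(subjectConfirmationNameId);
    return subjectConfirmation;
}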
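/**
 * Checks to see whether the schema type of the subject confirmation data, if present, is the required
 * {@link KeyInfoConfirmationDataType#TYPE_NAME}.
 *
 * <p>A confirmation that carries no {@code SubjectConfirmationData} element at all is
 * reported as invalid rather than dereferenced: there is no type to check, and failing
 * closed avoids an unhandled {@link NullPointerException} on a malformed assertion.</p>
 *
 * @param confirmation subject confirmation bearing the confirmation data to be checked
 *
 * @return true if the confirmation data's schema type is absent or correct, false otherwise
 *
 * @throws AssertionValidationException thrown if there is a problem validating the confirmation data type
 */
protected boolean isValidConfirmationDataType(@Nonnull final SubjectConfirmation confirmation)
        throws AssertionValidationException {
    final SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    if (confirmationData == null) {
        log.debug("SubjectConfirmationData was absent; cannot validate its xsi:type");
        return false;
    }
    final QName confirmationDataSchemaType = confirmationData.getSchemaType();
    // A missing xsi:type is accepted; only an explicit, different type is rejected.
    if (confirmationDataSchemaType != null
            && !confirmationDataSchemaType.equals(KeyInfoConfirmationDataType.TYPE_NAME)) {
        log.debug("SubjectConfirmationData xsi:type was non-null and did not match {}",
                KeyInfoConfirmationDataType.TYPE_NAME);
        return false;
    }
    log.debug("SubjectConfirmationData xsi:type was either null or matched {}",
            KeyInfoConfirmationDataType.TYPE_NAME);
    return true;
}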
/**
 * Encrypt any {@link NameID}s found in a subject and replace them with the result.
 *
 * <p>Both the subject's own NameID and the NameID of every SubjectConfirmation are
 * considered; each one that {@code shouldEncrypt} accepts is replaced by an
 * {@link EncryptedID} and the plain NameID is cleared.</p>
 *
 * @param subject subject to operate on; a null subject is a no-op
 *
 * @throws EncryptionException if an error occurs
 */
private void processSubject(@Nullable final Subject subject) throws EncryptionException {
    if (subject == null) {
        return;
    }

    if (shouldEncrypt(subject.getNameID())) {
        log.debug("{} Encrypt NameID in Subject", getLogPrefix());
        // Encrypt first; the plain NameID is only cleared once the ciphertext is in place.
        subject.setEncryptedID(getEncrypter().encrypt(subject.getNameID()));
        subject.setNameID(null);
    }

    for (final SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
        if (!shouldEncrypt(confirmation.getNameID())) {
            continue;
        }
        log.debug("{} Encrypt NameID in SubjectConfirmation", getLogPrefix());
        confirmation.setEncryptedID(getEncrypter().encrypt(confirmation.getNameID()));
        confirmation.setNameID(null);
    }
}
if (sc.getEncryptedID() != null) { log.debug("{} Decrypting EncryptedID in SubjectConfirmation", getLogPrefix()); try { final NameID decrypted = processEncryptedID(profileRequestContext, subject.getEncryptedID()); if (decrypted != null) { sc.setNameID(decrypted); sc.setEncryptedID(null);
/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    final SubjectConfirmation confirmation = (SubjectConfirmation) samlObject;
    // Method is the only attribute handled locally; everything else goes to the superclass.
    final boolean isMethodAttribute =
            attribute.getLocalName().equals(SubjectConfirmation.METHOD_ATTRIB_NAME);
    if (!isMethodAttribute) {
        super.processAttribute(samlObject, attribute);
        return;
    }
    confirmation.setMethod(attribute.getValue());
}
}
subject.getSubjectConfirmations().forEach(c -> c.setNameID(null)); subject.getSubjectConfirmations().forEach(c -> c.setEncryptedID(encryptedConfId));
if (SubjectConfirmation.METHOD_BEARER.equals(confirmation.getMethod()) && isValidBearerSubjectConfirmationData(confirmation.getSubjectConfirmationData(), context)) { NameID nameIDFromConfirmation = confirmation.getNameID(); final BaseID baseIDFromConfirmation = confirmation.getBaseID(); final EncryptedID encryptedIDFromConfirmation = confirmation.getEncryptedID();
/** {@inheritDoc} */
@Nonnull protected ValidationResult doValidate(@Nonnull final SubjectConfirmation confirmation,
        @Nonnull final Assertion assertion, @Nonnull final ValidationContext context)
        throws AssertionValidationException {
    // Only the method attribute is inspected here; a null method compares as not matching.
    final boolean isSenderVouches =
            Objects.equals(confirmation.getMethod(), SubjectConfirmation.METHOD_SENDER_VOUCHES);
    return isSenderVouches ? ValidationResult.VALID : ValidationResult.INDETERMINATE;
}
}
sc.setMethod(SubjectConfirmation.METHOD_HOLDER_OF_KEY); sc.setNameID(nameID); sc.setSubjectConfirmationData(scData);
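/**
 * Extracts the {@link KeyInfo}s from the given subject confirmation data.
 *
 * <p>A confirmation without a {@code SubjectConfirmationData} element has no KeyInfo
 * children and yields an empty list; it is no longer dereferenced, so a malformed
 * assertion cannot abort validation with a {@link NullPointerException}.</p>
 *
 * @param confirmation subject confirmation data
 * @param assertion assertion bearing the subject to be confirmed
 * @param context current message processing context
 *
 * @return list of key informations available in the subject confirmation data, never null
 *
 * @throws AssertionValidationException if there is a problem processing the SubjectConfirmation
 *
 */
@Nonnull protected List<KeyInfo> getSubjectConfirmationKeyInformation(
        @Nonnull final SubjectConfirmation confirmation, @Nonnull final Assertion assertion,
        @Nonnull final ValidationContext context) throws AssertionValidationException {
    final List<KeyInfo> keyInfos = new LazyList<>();

    final SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    if (confirmationData == null) {
        log.debug("SubjectConfirmationData was absent; no KeyInfo children to extract");
        return keyInfos;
    }

    // Children are looked up by the KeyInfo element name; null entries are skipped.
    for (final XMLObject object : confirmationData.getUnknownXMLObjects(KeyInfo.DEFAULT_ELEMENT_NAME)) {
        if (object != null) {
            keyInfos.add((KeyInfo) object);
        }
    }

    log.debug("Found '{}' KeyInfo children of SubjectConfirmationData", keyInfos.size());
    return keyInfos;
}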
/**
 * Validate the bearer subject confirmations of an authentication subject.
 *
 * <p>Every confirmation whose method is {@code SAML2Constants.CONF_BEARER} has its
 * SubjectConfirmationData passed to {@code validateSubjectConfirmation}; the return
 * value only reports whether at least one bearer confirmation was found.</p>
 *
 * @param m the current message
 * @param cs the assertion conditions handed on to the confirmation check
 * @param subject the subject whose confirmations are examined
 * @return true if at least one bearer subject confirmation was present, false otherwise
 */
private boolean validateAuthenticationSubject(Message m, Conditions cs,
        org.opensaml.saml.saml2.core.Subject subject) {
    // A subject without any confirmations cannot satisfy the bearer requirement.
    if (subject.getSubjectConfirmations() == null) {
        return false;
    }

    boolean bearerFound = false;
    for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
        if (!SAML2Constants.CONF_BEARER.equals(confirmation.getMethod())) {
            continue;
        }
        // Every bearer confirmation is validated, not just the first one found.
        validateSubjectConfirmation(m, cs, confirmation.getSubjectConfirmationData());
        bearerFound = true;
    }
    return bearerFound;
}
/**
 * New subject element.
 *
 * <p>Builds a Subject holding one NameID and a single bearer SubjectConfirmation whose
 * SubjectConfirmationData carries the given Recipient, NotOnOrAfter and InResponseTo.</p>
 *
 * @param nameIdFormat the name id format
 * @param nameIdValue the name id value
 * @param recipient the recipient
 * @param notOnOrAfter the not on or after
 * @param inResponseTo the in response to
 * @return the subject
 */
public Subject newSubject(final String nameIdFormat, final String nameIdValue, final String recipient,
        final DateTime notOnOrAfter, final String inResponseTo) {
    // Confirmation data first, then the confirmation that wraps it, then the subject.
    final SubjectConfirmationData confirmationData = newSamlObject(SubjectConfirmationData.class);
    confirmationData.setRecipient(recipient);
    confirmationData.setNotOnOrAfter(notOnOrAfter);
    confirmationData.setInResponseTo(inResponseTo);

    final SubjectConfirmation bearerConfirmation = newSamlObject(SubjectConfirmation.class);
    bearerConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
    bearerConfirmation.setSubjectConfirmationData(confirmationData);

    final Subject result = newSamlObject(Subject.class);
    result.setNameID(getNameID(nameIdFormat, nameIdValue));
    result.getSubjectConfirmations().add(bearerConfirmation);
    return result;
}
/** {@inheritDoc} */
@Nonnull protected ValidationResult doValidate(@Nonnull final SubjectConfirmation confirmation,
        @Nonnull final Assertion assertion, @Nonnull final ValidationContext context)
        throws AssertionValidationException {
    // Only the method attribute is inspected here; a null method compares as not matching.
    final boolean isBearer =
            Objects.equals(confirmation.getMethod(), SubjectConfirmation.METHOD_BEARER);
    return isBearer ? ValidationResult.VALID : ValidationResult.INDETERMINATE;
}
}
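/**
 * Validates the <code>NotBefore</code> condition of the {@link SubjectConfirmationData}, if any is present.
 *
 * <p>The current time is shifted forward by the clock skew taken from the context, so a
 * NotBefore that lies within the skew window is accepted. A confirmation with no
 * {@code SubjectConfirmationData} element, or with no NotBefore attribute, has no
 * condition to evaluate and is reported valid instead of dereferencing null.</p>
 *
 * @param confirmation confirmation method, with {@link SubjectConfirmationData}, being validated
 * @param assertion assertion bearing the confirmation method
 * @param context current validation context
 *
 * @return the result of the validation evaluation
 *
 * @throws AssertionValidationException thrown if there is a problem determining the validity of the NotBefore
 */
@Nonnull protected ValidationResult validateNotBefore(@Nonnull final SubjectConfirmation confirmation,
        @Nonnull final Assertion assertion, @Nonnull final ValidationContext context)
        throws AssertionValidationException {
    final SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    if (confirmationData == null) {
        log.debug("SubjectConfirmationData was absent; no NotBefore condition to evaluate");
        return ValidationResult.VALID;
    }

    final DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC())
            .plus(SAML20AssertionValidator.getClockSkew(context));
    final DateTime notBefore = confirmationData.getNotBefore();
    log.debug("Evaluating SubjectConfirmationData NotBefore '{}' against 'skewed now' time '{}'",
            notBefore, skewedNow);

    // Invalid only when NotBefore is strictly later than the skew-adjusted current time.
    if (notBefore != null && notBefore.isAfter(skewedNow)) {
        context.setValidationFailureMessage(String.format(
                "Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid",
                assertion.getID(), notBefore));
        return ValidationResult.INVALID;
    }
    return ValidationResult.VALID;
}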