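/**
 * Builds the {@code <Conditions>} element of {@code assertion}: a validity window of
 * [now, now + assertionTtlSeconds) and a single AudienceRestriction naming {@code audienceURI}.
 * <p>
 * The audience restriction is what lets a relying party reject an assertion that was issued for
 * a different service provider, so {@code audienceURI} should be the relying party's entity ID;
 * this method does not validate it.
 *
 * @param assertion           the assertion whose Conditions are set; any existing Conditions are replaced
 * @param assertionTtlSeconds lifetime of the assertion in seconds, measured from the current instant
 * @param audienceURI         entity ID of the intended audience
 */
private void buildAssertionConditions(Assertion assertion, int assertionTtlSeconds, String audienceURI) {
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Conditions> conditionsBuilder =
            (SAMLObjectBuilder<Conditions>) builderFactory.getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
    Conditions conditions = conditionsBuilder.buildObject();

    // Read the clock once so NotBefore and NotOnOrAfter are derived from the same instant; two
    // separate new DateTime() calls can differ by a few milliseconds and skew the window.
    DateTime now = new DateTime();
    conditions.setNotBefore(now);
    conditions.setNotOnOrAfter(now.plusSeconds(assertionTtlSeconds));

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder =
            (SAMLObjectBuilder<AudienceRestriction>) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject();

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Audience> audienceBuilder =
            (SAMLObjectBuilder<Audience>) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    Audience audience = audienceBuilder.buildObject();
    audience.setAudienceURI(audienceURI);

    audienceRestriction.getAudiences().add(audience);
    conditions.getAudienceRestrictions().add(audienceRestriction);
    assertion.setConditions(conditions);
}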
DateTime until = new DateTime().plusHours(1); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setRecipient(spEndpoint); assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).setAudienceURI(audienceEntityID); assertion.getIssuer().setValue(issuerEntityId); assertion.getSubject().getNameID().setValue(username); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setInResponseTo(null); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setNotOnOrAfter(until); assertion.getConditions().setNotOnOrAfter(until); SamlConfig config = new SamlConfig(); config.addAndActivateKey("active-key", new SamlKey(privateKey, keyPassword, certificate));
/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    Conditions conditions = (Conditions) samlObject;

    // Each timestamp is optional: it is formatted with the SAML date formatter only when present,
    // and an absent value produces no attribute at all.
    String notBefore = conditions.getNotBefore() == null
            ? null
            : Configuration.getSAMLDateFormatter().print(conditions.getNotBefore());
    writeOptionalAttribute(domElement, Conditions.NOT_BEFORE_ATTRIB_NAME, notBefore);

    String notOnOrAfter = conditions.getNotOnOrAfter() == null
            ? null
            : Configuration.getSAMLDateFormatter().print(conditions.getNotOnOrAfter());
    writeOptionalAttribute(domElement, Conditions.NOT_ON_OR_AFTER_ATTRIB_NAME, notOnOrAfter);
}

/**
 * Sets an un-namespaced attribute on {@code domElement}, or does nothing when {@code value} is null.
 *
 * @param domElement    element receiving the attribute
 * @param attributeName local name of the attribute
 * @param value         already formatted attribute value, or null to skip
 */
private static void writeOptionalAttribute(Element domElement, String attributeName, String value) {
    if (value != null) {
        domElement.setAttributeNS(null, attributeName, value);
    }
}
}
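/**
 * Read-only snapshot of the {@code <Conditions>} of the assertion that authenticated the user:
 * NotBefore, NotOnOrAfter and the audience URIs of the first AudienceRestriction.
 * <p>
 * Conditions and its children are optional in SAML 2.0, so a missing Conditions element or an
 * absent AudienceRestriction yields null timestamps / an empty audience list instead of failing.
 *
 * @param authentication authentication whose credentials are a {@link SAMLCredential}
 * @throws ClassCastException if the credentials are not a SAMLCredential
 */
public Conditions(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    org.opensaml.saml2.core.Conditions conditions = assertion.getConditions();

    audienceRestriction = new ArrayList<>();
    if (conditions == null) {
        notBefore = null;
        notOnOrAfter = null;
        return;
    }
    notBefore = conditions.getNotBefore();
    notOnOrAfter = conditions.getNotOnOrAfter();

    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    // Previously get(0) was called unguarded and threw on an assertion without AudienceRestriction.
    if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
        // NOTE(review): only the first AudienceRestriction is mirrored, as before; the spec ANDs
        // several restrictions together, and any beyond the first are not represented here.
        for (Audience audience : audienceRestrictions.get(0).getAudiences()) {
            audienceRestriction.add(audience.getAudienceURI());
        }
    }
}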
conditions.setNotBefore(newNotBefore); conditions.setNotOnOrAfter(newNotBefore.plusMinutes(5)); return conditions; ); conditions.setNotBefore(notBefore); conditions.setNotOnOrAfter(notAfter); } else { DateTime newNotBefore = new DateTime(); conditions.setNotBefore(newNotBefore); if (tokenPeriodMinutes <= 0) { tokenPeriodMinutes = 5; conditions.setNotOnOrAfter(newNotBefore.plusMinutes(tokenPeriodMinutes)); AudienceRestriction audienceRestriction = createAudienceRestriction(conditionsBean.getAudienceURI()); conditions.getAudienceRestrictions().add(audienceRestriction); AudienceRestriction audienceRestriction = createAudienceRestriction(audienceRestrictionBean); conditions.getAudienceRestrictions().add(audienceRestriction); conditions.getConditions().add(createOneTimeUse()); conditions.getConditions().add(createProxyRestriction(conditionsBean.getProxyRestriction()));
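/**
 * Get Audiences of SAML2 Response.
 * <p>
 * Collects the AudienceURI of every Audience in every AudienceRestriction of the response's first
 * assertion. Returns an empty list when the response carries no assertion, the assertion has no
 * Conditions, or no audience restriction is present.
 *
 * @param samlResponse SAML2 Response
 * @return audiences, never null
 */
private List<String> getAudiencesFromSAMLResponse(ResponseImpl samlResponse) {
    List<String> audiences = new ArrayList<>();
    List<Assertion> assertions = samlResponse.getAssertions();
    // get(0) on an empty list throws IndexOutOfBoundsException rather than returning null, so the
    // old "assertion != null" check alone did not protect this path; test the list first.
    if (CollectionUtils.isNotEmpty(assertions)) {
        // NOTE(review): only the first assertion is inspected, as before; audiences of any further
        // assertions in the response are ignored.
        Assertion assertion = assertions.get(0);
        if (assertion != null) {
            Conditions conditions = assertion.getConditions();
            if (conditions != null) {
                List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
                if (CollectionUtils.isNotEmpty(audienceRestrictions)) {
                    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
                        if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
                            for (Audience audience : audienceRestriction.getAudiences()) {
                                audiences.add(audience.getAudienceURI());
                            }
                        }
                    }
                }
            }
        }
    }
    return audiences;
}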
protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext context, boolean audienceRequired) throws SAMLException { if (audienceRequired && (conditions == null || conditions.getAudienceRestrictions().size() == 0)) { throw new SAMLException("Assertion invalidated by missing Audience Restriction"); if (conditions.getNotBefore() != null) { if (conditions.getNotBefore().minusSeconds(getResponseSkew()).isAfterNow()) { throw new SAMLException("Assertion is not yet valid, invalidated by condition notBefore " + conditions.getNotBefore()); if (conditions.getNotOnOrAfter() != null) { if (conditions.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) { throw new SAMLException("Assertion is no longer valid, invalidated by condition notOnOrAfter " + conditions.getNotOnOrAfter()); for (Condition condition : conditions.getConditions()) { verifyAudience(context, conditions.getAudienceRestrictions());
validateTime(now, conditions.getNotBefore(), conditions.getNotOnOrAfter(), maxTimeOffset); if (conditions.getAudienceRestrictions().isEmpty() || conditions.getAudienceRestrictions().size() != 1) { .getAudienceRestrictions().get(0); if (audienceRestriction.getAudiences().isEmpty() || audienceRestriction.getAudiences().size() != 1) { if (null == conditions.getOneTimeUse() && null != requestId) {
tokReqMsgCtx.setValidityPeriod(conditions.getNotOnOrAfter().getMillis() - curTimeInMillis); List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { boolean audienceFound = false; List<String> recipientURLS = new ArrayList<>(); if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) { notOnOrAfterFromConditions = assertion.getConditions().getNotOnOrAfter();
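/**
 * Creates a SAML 2.0 {@code Conditions} element whose validity window is
 * [creationTime, expirationTime).
 *
 * @param creationTime   value written to NotBefore
 * @param expirationTime value written to NotOnOrAfter
 * @return the populated Conditions object
 * @throws TrustException if the underlying XML object cannot be built; the original exception is
 *                        attached as the cause
 */
public static Conditions createConditions(DateTime creationTime, DateTime expirationTime) throws TrustException {
    try {
        Conditions conditions = (Conditions) CommonUtil.buildXMLObject(Conditions.DEFAULT_ELEMENT_NAME);
        conditions.setNotBefore(creationTime);
        conditions.setNotOnOrAfter(expirationTime);
        return conditions;
    } catch (TrustException e) {
        // Keep the cause: the rethrow previously dropped the original message and stack trace.
        throw new TrustException("Unable to create an Conditions object", e);
    }
}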
/**
 * Assembles a Conditions element from the builder's state: the configured NotBefore and
 * NotOnOrAfter timestamps plus every Condition added so far, in insertion order.
 *
 * @return a freshly built Conditions object
 */
@Override
public Conditions build() {
    Conditions result = new ConditionsBuilder().buildObject();
    result.setNotBefore(notBefore);
    result.setNotOnOrAfter(notOnOrAfter);
    result.getConditions().addAll(conditionsList);
    return result;
}
}
/**
 * Returns the NotBefore instant of the assertion's Conditions.
 *
 * @param assertion assertion to read; must carry a {@code <Conditions>} element
 * @return the NotBefore value; may be null when the attribute is absent
 * @throws NullPointerException if the assertion has no Conditions element
 */
private DateTime getNotBefore(Assertion assertion) { return assertion.getConditions().getNotBefore(); }
if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Date rightNow = new Date();
/**
 * Returns the NotOnOrAfter instant of the assertion's Conditions.
 *
 * @param assertion assertion to read; must carry a {@code <Conditions>} element
 * @return the NotOnOrAfter value; may be null when the attribute is absent
 * @throws NullPointerException if the assertion has no Conditions element
 */
private DateTime getNotOnOrAfter(Assertion assertion) { return assertion.getConditions().getNotOnOrAfter(); }
/**
 * Enforces the SAML 2.0 rule that a Conditions element carries at most one ProxyRestriction.
 *
 * @param conditions the Conditions element under validation
 * @throws ValidationException if more than one ProxyRestriction child is present
 */
protected void validateProxyRestrictionCondition(Conditions conditions) throws ValidationException {
    int proxyRestrictions = 0;
    for (Object condition : conditions.getConditions()) {
        if (condition instanceof ProxyRestriction) {
            proxyRestrictions++;
        }
    }
    if (proxyRestrictions > 1) {
        throw new ValidationException("At most one instance of ProxyRestriction allowed");
    }
}
}
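/**
 * Checks the assertion's validity window against the current clock.
 * <p>
 * NotBefore and NotOnOrAfter are each optional in SAML 2.0, so an absent attribute is skipped;
 * a missing Conditions element is rejected explicitly instead of surfacing as a
 * NullPointerException. NotOnOrAfter is exclusive: an assertion whose NotOnOrAfter equals the
 * current instant has already expired. No clock-skew tolerance is applied.
 *
 * @param assertion the assertion to check
 * @throws ValidationException if Conditions is missing, the assertion is not yet valid, or it
 *                             has expired
 */
private void validateDateTime(Assertion assertion) throws ValidationException {
    DateTime now = new DateTime();
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        throw new ValidationException("Conditions element missing, cannot validate validity period");
    }
    DateTime notBefore = conditions.getNotBefore();
    DateTime notAfter = conditions.getNotOnOrAfter();
    if (notBefore != null && now.getMillis() < notBefore.getMillis()) {
        throw new ValidationException("notBefore validation failed!");
    }
    // ">=" rather than ">": the instant named by NotOnOrAfter is itself outside the window.
    if (notAfter != null && now.getMillis() >= notAfter.getMillis()) {
        throw new ValidationException("notOnOrAfter validation failed!");
    }
}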
if (conditions.getNotBefore() != null) { if (conditions.getNotBefore().isAfterNow()) { System.out.println("Assertion is not yet valid, invalidated by condition notBefore"+ conditions.getNotBefore()); throw new SAMLException("SAML response is not valid"); if (conditions.getNotOnOrAfter() != null) { if (conditions.getNotOnOrAfter().isBeforeNow()) { System.out.println("Assertion is no longer valid, invalidated by condition notOnOrAfter"+ conditions.getNotOnOrAfter()); throw new SAMLException("SAML response is not valid"); if (audienceRequired && conditions.getAudienceRestrictions().size() == 0) { System.out.println("Assertion invalidated by missing audience restriction"); throw new SAMLException("SAML response is not valid"); for (AudienceRestriction rest : conditions.getAudienceRestrictions()) { if (rest.getAudiences().size() == 0) { System.out.println("No audit audience specified for the assertion");
conditions.setNotBefore(newNotBefore); conditions.setNotOnOrAfter(newNotBefore.plusMinutes(5)); return conditions; ); conditions.setNotBefore(notBefore); conditions.setNotOnOrAfter(notAfter); } else { DateTime newNotBefore = new DateTime(); conditions.setNotBefore(newNotBefore); if (tokenPeriodMinutes <= 0) { tokenPeriodMinutes = 5; conditions.setNotOnOrAfter(newNotBefore.plusMinutes(tokenPeriodMinutes)); AudienceRestriction audienceRestriction = createAudienceRestriction(conditionsBean.getAudienceURI()); conditions.getAudienceRestrictions().add(audienceRestriction); AudienceRestriction audienceRestriction = createAudienceRestriction(audienceRestrictionBean); conditions.getAudienceRestrictions().add(audienceRestriction); conditions.getConditions().add(createOneTimeUse()); conditions.getConditions().add(createProxyRestriction(conditionsBean.getProxyRestriction()));
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) {
/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    Conditions conditions = (Conditions) samlObject;
    String name = attribute.getLocalName();
    String value = attribute.getValue();
    boolean hasValue = !DatatypeHelper.isEmpty(value);

    if (name.equals(Conditions.NOT_BEFORE_ATTRIB_NAME) && hasValue) {
        // Timestamps are parsed in the UTC ISO chronology regardless of the JVM default zone.
        conditions.setNotBefore(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else if (name.equals(Conditions.NOT_ON_OR_AFTER_ATTRIB_NAME) && hasValue) {
        conditions.setNotOnOrAfter(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else {
        // Anything else (including a known name with an empty value) is left to the superclass.
        super.processAttribute(samlObject, attribute);
    }
}
}