String encodedMessage = transport.getParameterValue("assertion");
/**
 * Checks the binding's support decision step by step: an HTTP transport alone is rejected, a POST
 * without the "assertion" parameter is rejected, and a POST carrying "assertion" is accepted.
 */
@Test
public void supports() throws Exception {
    HTTPInTransport inTransport = mock(HTTPInTransport.class);

    // Neither method nor parameter set: not supported.
    assertFalse(binding.supports(inTransport));

    // POST alone is not enough.
    when(inTransport.getHTTPMethod()).thenReturn("POST");
    assertFalse(binding.supports(inTransport));

    // POST plus the "assertion" parameter: supported.
    when(inTransport.getParameterValue("assertion")).thenReturn("some assertion");
    assertTrue(binding.supports(inTransport));
}
entityId = (String) inTransport.getAttribute(org.springframework.security.saml.SAMLConstants.LOCAL_ENTITY_ID); if (entityId != null) { log.debug("Using protocol specified IdP {}", entityId);
/**
 * Determines which IDP this request is addressed to and records it on the context as the peer entity.
 * <p>
 * Resolution order: the {@code PEER_ENTITY_ID} transport attribute (pre-configured), then the
 * {@code IDP_PARAMETER} request parameter (user selected, flagged via {@code setPeerUserSelected(true)}),
 * then the default IDP from metadata. The peer role is always set to
 * {@link IDPSSODescriptor#DEFAULT_ELEMENT_NAME}.
 * <p>
 * NOTE(review): this method only records the id; it does not itself check that a request-supplied
 * value names an IDP present in our metadata. That check is presumably performed where the peer's
 * metadata is resolved — confirm, since the request parameter is client-controlled input.
 *
 * @param context context to populate ID for
 * @throws MetadataProviderException in case provided IDP value is invalid
 */
protected void populatePeerEntityId(SAMLMessageContext context) throws MetadataProviderException {
    HTTPInTransport inTransport = (HTTPInTransport) context.getInboundMessageTransport();
    String preconfigured = (String) inTransport.getAttribute(org.springframework.security.saml.SAMLConstants.PEER_ENTITY_ID);
    String entityId;
    if (preconfigured != null) {
        // Pre-configured entity Id wins over anything in the request.
        entityId = preconfigured;
        log.debug("Using protocol specified IDP {}", entityId);
    } else {
        String requested = inTransport.getParameterValue(SAMLEntryPoint.IDP_PARAMETER);
        boolean userSelected = requested != null;
        if (userSelected) {
            entityId = requested;
            log.debug("Using user specified IDP {} from request", entityId);
        } else {
            entityId = metadata.getDefaultIDP();
            log.debug("No IDP specified, using default {}", entityId);
        }
        context.setPeerUserSelected(userSelected);
    }
    context.setPeerEntityId(entityId);
    context.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) { throw new MessageDecodingException("This message decoder only supports the HTTP POST method"); Envelope soapMessage = (Envelope) unmarshallMessage(inTransport.getIncomingStream()); samlMsgCtx.setInboundMessage(soapMessage);
/** {@inheritDoc} */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    // The HTTP method check below needs an HTTP transport; reject anything else up front.
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        String msg = "Invalid inbound message transport type, this decoder only support HTTPInTransport";
        log.error(msg);
        throw new MessageDecodingException(msg);
    }
    HTTPInTransport httpTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
    // Only the POST binding is handled here; the base decoder does the actual decoding.
    if (!httpTransport.getHTTPMethod().equalsIgnoreCase("POST")) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }
    super.doDecode(messageContext);
}
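/**
 * Validates the authentication statement of a received assertion against the current request.
 * <p>
 * Checks performed, each failing with an exception:
 * <ul>
 * <li>the AuthnInstant must lie within {@code MAX_AUTHENTICATION_TIME} of now (via
 * {@code isDateTimeSkewValid});</li>
 * <li>if SessionNotOnOrAfter is present, the session must not have expired, i.e. "now" must still be
 * before that instant;</li>
 * <li>if a SubjectLocality address is present, it must equal the peer address reported by the
 * inbound HTTP transport.</li>
 * </ul>
 *
 * @param auth    authentication statement to validate
 * @param context message context holding the inbound transport
 * @throws Exception if the statement is too old, the session has expired, or the peer address does not match
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, BasicSAMLMessageContext context) throws Exception {
    // Validate that user wasn't authenticated too long time ago
    if (!isDateTimeSkewValid(MAX_AUTHENTICATION_TIME, auth.getAuthnInstant())) {
        System.out.println("Authentication statement is too old to be used"+auth.getAuthnInstant());
        throw new Exception("Users authentication data is too old");
    }
    // Validate users session is still valid. SessionNotOnOrAfter is an exclusive upper bound, so the
    // session is expired once "now" is on or after it. (The previous condition, isAfter(now), was
    // inverted: it rejected sessions whose bound was still in the future and accepted expired ones.)
    if (auth.getSessionNotOnOrAfter() != null && !auth.getSessionNotOnOrAfter().isAfter(new Date().getTime())) {
        System.out.println("Authentication session is not valid anymore"+auth.getSessionNotOnOrAfter());
        throw new Exception("Users authentication is expired");
    }
    // Validate the peer address when the assertion pins one. Comparing from the assertion's side avoids a
    // NullPointerException when the transport reports no peer address; that case is simply a mismatch.
    // NOTE(review): getPeerAddress() is whatever the transport reports — behind a reverse proxy confirm
    // it reflects the client and not the proxy, otherwise this check fails for every user.
    if (auth.getSubjectLocality() != null && auth.getSubjectLocality().getAddress() != null) {
        HTTPInTransport httpInTransport = (HTTPInTransport) context.getInboundMessageTransport();
        if (!auth.getSubjectLocality().getAddress().equals(httpInTransport.getPeerAddress())) {
            throw new Exception("User is accessing the service from invalid address");
        }
    }
}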
/**
 * Entry point for the artifact binding: reads the {@code SAMLart} request parameter(s) from the inbound
 * HTTP transport and fails when none is present. Decoding the artifacts, dereferencing them from the
 * artifact source and storing the resulting response in the context is not implemented yet (see TODO).
 *
 * @param samlMsgCtx current message context
 *
 * @throws MessageDecodingException thrown if the {@code SAMLart} parameter is missing or empty
 */
protected void processArtifacts(SAMLMessageContext samlMsgCtx) throws MessageDecodingException {
    HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();
    List<String> artifacts = inTransport.getParameterValues("SAMLart");
    boolean missing = artifacts == null || artifacts.isEmpty();
    if (missing) {
        String msg = "URL SAMLart parameter was missing or did not contain a value.";
        log.error(msg);
        throw new MessageDecodingException(msg);
    }
    // TODO decode artifact(s); resolve issuer resolution endpoint; dereference using
    // Request/AssertionArtifact(s) over synchronous backchannel binding;
    // store response as the inbound SAML message.
}
if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) { throw new MessageDecodingException("This message decoder only supports the HTTP POST method"); Envelope soapMessage = (Envelope) unmarshallMessage(inTransport.getIncomingStream()); samlMsgCtx.setInboundMessage(soapMessage);
if (context.getInboundMessageTransport() != null) { HTTPInTransport transport = (HTTPInTransport) context.getInboundMessageTransport(); sb.append(transport.getPeerAddress());
/**
 * Reports whether this binding applies to the given transport: it must be an HTTP transport that
 * carries a {@code SAMLart} request parameter.
 *
 * @param transport inbound transport to inspect
 * @return true when an artifact parameter is present on an HTTP transport, false otherwise
 */
public boolean supports(InTransport transport) {
    if (!(transport instanceof HTTPInTransport)) {
        return false;
    }
    String artifact = ((HTTPInTransport) transport).getParameterValue("SAMLart");
    return artifact != null;
}
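/**
 * {@inheritDoc}
 * <p>
 * Decodes a bare SAML {@code Assertion} POSTed in base64 form, wraps it into a locally constructed
 * {@code Response} whose issuer is copied from the assertion, and stores that response as the inbound
 * message. A POSTed document that is not an {@code Assertion}, or an assertion without an
 * {@code Issuer}, is reported as a {@link MessageDecodingException} instead of surfacing as a
 * {@code ClassCastException} / {@code NullPointerException}.
 * <p>
 * NOTE(review): the wrapping response is synthesized here, so any integrity check downstream must be
 * applied to the assertion itself (or its signature) — confirm that the consumer does not treat the
 * synthesized response as authenticated by its issuer value.
 *
 * @param messageContext context holding the inbound HTTP transport
 * @throws MessageDecodingException if the context or transport type is wrong, the method is not POST,
 *                                  or the payload is not an assertion with an issuer
 */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Invalid message context type, this decoder only support SAMLMessageContext");
        throw new MessageDecodingException(
                "Invalid message context type, this decoder only support SAMLMessageContext");
    }
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport");
        throw new MessageDecodingException(
                "Invalid inbound message transport type, this decoder only support HTTPInTransport");
    }
    SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
    HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();
    if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }
    String relayState = inTransport.getParameterValue("RelayState");
    samlMsgCtx.setRelayState(relayState);
    log.debug("Decoded SAML relay state of: {}", relayState);
    InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport);
    // The payload must be a bare <Assertion>; anything else that still unmarshalls (e.g. a <Response>)
    // is a decoding failure, not a cast failure.
    Object decoded = unmarshallMessage(base64DecodedMessage);
    if (!(decoded instanceof Assertion)) {
        log.error("Decoded message is not a SAML Assertion, this decoder only supports bare assertions");
        throw new MessageDecodingException(
                "Decoded message is not a SAML Assertion, this decoder only supports bare assertions");
    }
    Assertion inboundMessage = (Assertion) decoded;
    // Issuer is required on a SAML 2.0 Assertion and is needed to build the wrapping Response.
    if (inboundMessage.getIssuer() == null || inboundMessage.getIssuer().getValue() == null) {
        log.error("Decoded SAML Assertion has no Issuer");
        throw new MessageDecodingException("Decoded SAML Assertion has no Issuer");
    }
    Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage, inboundMessage.getIssuer().getValue());
    samlMsgCtx.setInboundMessage(response);
    samlMsgCtx.setInboundSAMLMessage(response);
    log.debug("Decoded SAML message");
    populateMessageContext(samlMsgCtx);
}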
entityId = (String) inTransport.getAttribute(org.springframework.security.saml.SAMLConstants.LOCAL_ENTITY_ID); if (entityId != null) {
/**
 * Tells whether the current request is the response leg of the IDP discovery profile, i.e. whether the
 * {@code DISCOVERY_RESPONSE_PARAMETER} request parameter is present and equals "true" (case-insensitive,
 * surrounding whitespace ignored). Used to avoid re-invoking the discovery service after a failure.
 *
 * @param context context with request and response included
 * @return true if this HttpRequest is a response from IDP discovery profile.
 */
private boolean isDiscoResponse(SAMLMessageContext context) {
    HTTPInTransport inTransport = (HTTPInTransport) context.getInboundMessageTransport();
    String flag = inTransport.getParameterValue(DISCOVERY_RESPONSE_PARAMETER);
    if (flag == null) {
        return false;
    }
    return flag.toLowerCase().trim().equals("true");
}
if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) { throw new MessageDecodingException("This message decoder only supports the HTTP POST method"); String relayState = inTransport.getParameterValue("TARGET"); samlMsgCtx.setRelayState(relayState); log.debug("Decoded SAML relay state (TARGET parameter) of: {}", relayState); String base64Message = inTransport.getParameterValue("SAMLResponse"); byte[] decodedBytes = Base64.decode(base64Message); if (decodedBytes == null) {
entityId = (String) inTransport.getAttribute(org.springframework.security.saml.SAMLConstants.LOCAL_ENTITY_ID); if (entityId != null) { log.debug("Using protocol specified SP {}", entityId);
String encodedMessage = transport.getParameterValue("SAMLRequest"); if (DatatypeHelper.isEmpty(encodedMessage)) { encodedMessage = transport.getParameterValue("SAMLResponse");
/** {@inheritDoc} */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        String msg = "Invalid message context type, this decoder only support SAMLMessageContext";
        log.error(msg);
        throw new MessageDecodingException(msg);
    }
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        String msg = "Invalid inbound message transport type, this decoder only support HTTPInTransport";
        log.error(msg);
        throw new MessageDecodingException(msg);
    }
    SAMLMessageContext samlCtx = (SAMLMessageContext) messageContext;
    HTTPInTransport httpTransport = (HTTPInTransport) samlCtx.getInboundMessageTransport();
    // Only the HTTP POST binding is handled here.
    if (!httpTransport.getHTTPMethod().equalsIgnoreCase("POST")) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }
    // Carry the RelayState parameter (possibly null) through to the context.
    String relayState = httpTransport.getParameterValue("RelayState");
    samlCtx.setRelayState(relayState);
    log.debug("Decoded SAML relay state of: {}", relayState);
    // Unmarshall the base64-decoded POST payload and expose it as both the raw and the SAML inbound message.
    InputStream payload = getBase64DecodedMessage(httpTransport);
    SAMLObject samlMessage = (SAMLObject) unmarshallMessage(payload);
    samlCtx.setInboundMessage(samlMessage);
    samlCtx.setInboundSAMLMessage(samlMessage);
    log.debug("Decoded SAML message");
    populateMessageContext(samlCtx);
}
/** {@inheritDoc} */
protected boolean isMessageSigned(SAMLMessageContext messageContext) {
    HTTPInTransport httpTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
    // A non-empty "Signature" request parameter counts as a signed message; otherwise defer to the
    // superclass check (evaluated only when the parameter is absent or empty).
    boolean hasSignatureParam = !DatatypeHelper.isEmpty(httpTransport.getParameterValue("Signature"));
    return hasSignatureParam || super.isMessageSigned(messageContext);
}
/** {@inheritDoc} */
protected boolean isMessageSigned(SAMLMessageContext messageContext) {
    HTTPInTransport transport = (HTTPInTransport) messageContext.getInboundMessageTransport();
    String signatureParam = transport.getParameterValue("Signature");
    // Presence of a non-empty "Signature" parameter short-circuits the superclass check.
    if (!DatatypeHelper.isEmpty(signatureParam)) {
        return true;
    }
    return super.isMessageSigned(messageContext);
}