/**
 * Collect the {@link AttributeStatementType} statements of this assertion.
 *
 * @return a new, mutable set holding only the attribute statements; empty when
 *         there are no statements at all or none of them is an attribute statement
 */
public Set<AttributeStatementType> getAttributeStatements() {
    Set<AttributeStatementType> result = new HashSet<AttributeStatementType>();
    Set<StatementAbstractType> all = getStatements();
    if (all == null) {
        return result;
    }
    for (StatementAbstractType candidate : all) {
        // instanceof is false for null, exactly like Class.isInstance
        if (candidate instanceof AttributeStatementType) {
            result.add((AttributeStatementType) candidate);
        }
    }
    return result;
}
/**
 * Wrap an assertion as a choice element, keying the wrapper by the assertion's own ID.
 *
 * @param assertion the assertion to wrap; must not be null (its ID is read here)
 */
public RTChoiceType(AssertionType assertion) {
    this.id = assertion.getID();
    this.assertion = assertion;
}
/**
 * Read the NotOnOrAfter instant of an assertion's Conditions element.
 *
 * @param assertion the assertion to inspect; must not be null
 * @return the NotOnOrAfter value, or null when the assertion has no Conditions or the
 *         Conditions carry no NotOnOrAfter. A null result only means "no expiry stated";
 *         callers deciding whether to accept the assertion must choose the policy themselves.
 */
public static XMLGregorianCalendar getExpiration(AssertionType assertion) {
    ConditionsType conditions = assertion.getConditions();
    return conditions == null ? null : conditions.getNotOnOrAfter();
}
AssertionType assertion = new AssertionType(id, issueInstant); assertion.setIssuer(issuerID); if (conditions != null) assertion.setConditions(conditions); if (subject != null) assertion.setSubject(subject); assertion.addStatement(statement);
/**
 * Create a bare SAML assertion carrying only an ID, the current issue instant and an issuer.
 * <p>
 * No Subject, Conditions or Statements are attached, so the result has no validity window
 * until something like {@code createTimedConditions} is applied to it.
 *
 * @param id     value for the assertion's ID attribute (not validated here)
 * @param issuer the issuer NameID
 * @return the new assertion
 * @throws RuntimeException wrapping the {@link ConfigurationException} raised while
 *         obtaining the issue instant
 */
public static AssertionType createAssertion(String id, NameIDType issuer) {
    final XMLGregorianCalendar issueInstant;
    try {
        issueInstant = XMLTimeUtil.getIssueInstant();
    } catch (ConfigurationException configError) {
        // keep the cause; callers see an unchecked failure
        throw new RuntimeException(configError);
    }
    AssertionType result = new AssertionType(id, issueInstant);
    result.setIssuer(issuer);
    return result;
}
StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), assertion.getID()); StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), assertion.getVersion()); StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), assertion.getIssueInstant().toString()); NameIDType issuer = assertion.getIssuer(); if (issuer != null) write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX)); Element sig = assertion.getSignature(); if (sig != null) StaxUtil.writeDOMElement(writer, sig); SubjectType subject = assertion.getSubject(); if (subject != null) ConditionsType conditions = assertion.getConditions(); if (conditions != null) AdviceType advice = assertion.getAdvice(); if (advice != null) throw new RuntimeException(ErrorCodes.NOT_IMPLEMENTED_YET + "Advice"); Set<StatementAbstractType> statements = assertion.getStatements(); if (statements != null)
if (this.revocationRegistry.isRevoked(SAMLUtil.SAML2_TOKEN_TYPE, oldAssertion.getID())) throw logger.samlAssertionRevokedCouldNotRenew(oldAssertion.getID()); ConditionsType conditions = oldAssertion.getConditions(); Lifetime lifetime = adjustLifetimeForClockSkew( context.getRequestSecurityToken().getLifetime() ); conditions.setNotBefore(lifetime.getCreated()); statements.addAll(oldAssertion.getStatements()); AssertionType newAssertion = SAMLAssertionFactory.createAssertion(assertionID, oldAssertion.getIssuer(), context .getRequestSecurityToken().getLifetime().getCreated(), conditions, oldAssertion.getSubject(), statements);
SubjectType samlSubjectType = assertion.getSubject(); String samlSubject = ((NameIDType) samlSubjectType.getSubType().getBaseID()).getValue(); Set<StatementAbstractType> statements = assertion.getStatements(); for (StatementAbstractType statement : statements) { if (statement instanceof AttributeStatementType) {
assertion.setSignature(StaxParserUtil.getDOMElement(xmlEventReader)); continue; issuer.setValue(issuerValue); assertion.setIssuer(issuer); } else if (JBossSAMLConstants.SUBJECT.get().equalsIgnoreCase(tag)) { SAMLSubjectParser subjectParser = new SAMLSubjectParser(); assertion.setSubject((SubjectType) subjectParser.parse(xmlEventReader)); } else if (JBossSAMLConstants.CONDITIONS.get().equalsIgnoreCase(tag)) { SAMLConditionsParser conditionsParser = new SAMLConditionsParser(); ConditionsType conditions = (ConditionsType) conditionsParser.parse(xmlEventReader); assertion.setConditions(conditions); } else if (JBossSAMLConstants.AUTHN_STATEMENT.get().equalsIgnoreCase(tag)) { AuthnStatementType authnStatementType = SAMLParserUtil.parseAuthnStatement(xmlEventReader); assertion.addStatement(authnStatementType); } else if (JBossSAMLConstants.ATTRIBUTE_STATEMENT.get().equalsIgnoreCase(tag)) { AttributeStatementType attributeStatementType = SAMLParserUtil.parseAttributeStatement(xmlEventReader); assertion.addStatement(attributeStatementType); } else if (JBossSAMLConstants.STATEMENT.get().equalsIgnoreCase(tag)) { startElement = StaxParserUtil.getNextStartElement(xmlEventReader); assertion.addStatement(authZStat); } else throw new RuntimeException(ErrorCodes.UNKNOWN_XSI + xsiTypeValue);
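/**
 * Check whether an assertion is outside its validity window.
 * <p>
 * The window is taken from the Conditions element (NotBefore / NotOnOrAfter) and compared
 * against the current instant via {@link XMLTimeUtil#isValid}. No clock-skew tolerance is
 * applied here.
 * <p>
 * Security note: an assertion with no Conditions element is reported as NOT expired - the
 * method returns false without performing any time check. Callers that require a bounded
 * lifetime must enforce the presence of Conditions themselves.
 *
 * @param assertion the assertion to check; must not be null
 * @return true when the assertion's validity window has been left (or not yet entered, as
 *         judged by {@code XMLTimeUtil.isValid}); false when it is currently valid or
 *         carries no Conditions
 * @throws ConfigurationException if the current instant cannot be obtained
 */
public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
    boolean expiry = false;
    //Check for validity of assertion
    ConditionsType conditionsType = assertion.getConditions();
    if (conditionsType != null) {
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
        XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
        if (trace) {
            // NotBefore may be absent; the original dereferenced it unconditionally, so
            // merely enabling trace logging could throw a NullPointerException here.
            log.trace("Now=" + now.toXMLFormat()
                    + " ::notBefore=" + (notBefore == null ? "null" : notBefore.toXMLFormat())
                    + "::notOnOrAfter=" + notOnOrAfter);
        }
        expiry = !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
        if (expiry) {
            log.info("Assertion has expired with id=" + assertion.getID());
        }
    }
    // No Conditions: treated as everlasting (fail-open) - see the security note above.
    return expiry;
}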
/**
 * Attach a validity window to a SAML2 assertion that starts at its IssueInstant.
 * <p>
 * NotBefore is set to the IssueInstant itself and NotOnOrAfter to IssueInstant plus
 * {@code durationInMilis}. No clock skew is applied at either end, so a relying party whose
 * clock lags the issuer's may reject the assertion as not yet valid; use
 * {@link #createTimedConditions(AssertionType, long, long)} when skew must be tolerated.
 * Any Conditions already present on the assertion are replaced.
 *
 * @param assertion       the assertion to stamp; must already carry an IssueInstant
 * @param durationInMilis length of the validity window in milliseconds
 * @throws ConfigurationException       propagated from the time arithmetic
 * @throws IssueInstantMissingException when the assertion has no IssueInstant
 */
public static void createTimedConditions(AssertionType assertion, long durationInMilis)
        throws ConfigurationException, IssueInstantMissingException {
    XMLGregorianCalendar start = assertion.getIssueInstant();
    if (start == null) {
        throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
    }
    ConditionsType window = new ConditionsType();
    window.setNotBefore(start);
    window.setNotOnOrAfter(XMLTimeUtil.add(start, durationInMilis));
    assertion.setConditions(window);
}
String issuer = assertion.getIssuer().getValue(); if (!allowedIssuers.contains(issuer)) { throw new LoginException("Dis-allowed SAML Assertion Issuer: " + issuer + " Allowed: " + allowedIssuers); ConditionsType conditionsType = assertion.getConditions(); if (conditionsType != null) { XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
authContextRef); authnStatement.setSessionIndex(assertion.getID()); assertion.addStatement(authnStatement); assertion.addStatement(attrStatement); assertion.addStatement(attStatement);
boolean validConfirmationFound = false; for (JAXBElement<?> contentElement : assertion.getSubject().getContent())
/**
 * Creates a SAML Assertion that can be used as a bearer token when invoking REST
 * services. The REST service must be configured to accept SAML Assertion bearer
 * tokens.
 *
 * In JBoss this means protecting the REST services with {@link org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule}.
 * In Tomcat7 this means protecting the REST services with {@link org.overlord.commons.auth.tomcat7.SAMLBearerTokenAuthenticator}.
 *
 * The assertion built here carries: a random UUID as ID, the given issuer, a Subject for
 * the principal's name, Conditions spanning {@code timeValidInMillis} from the issue
 * instant (via {@code AssertionUtil.createTimedConditions}, which adds no clock-skew
 * allowance), an AudienceRestriction for {@code forService}, and one "Role" attribute
 * statement.
 *
 * NOTE(review): no signature is attached in this method, so the serialized token is
 * unsigned unless {@code AssertionUtil.asString} or the transport adds protection -
 * confirm how the consuming login module / authenticator establishes trust in it.
 * NOTE(review): a raw UUID may begin with a digit whereas the SAML ID attribute is an
 * xs:ID (NCName); verify that all consumers tolerate such IDs.
 *
 * @param principal         the authenticated user; its name becomes the Subject
 * @param roles             roles to publish in the Role attribute (may be null)
 * @param issuerName        value for the Issuer element
 * @param forService        audience the assertion is restricted to
 * @param timeValidInMillis validity window length in milliseconds
 * @return the assertion serialized to XML
 * @throws RuntimeException wrapping any failure during construction or serialization
 */
public static String createSAMLAssertion(Principal principal, Set<String> roles, String issuerName,
        String forService, int timeValidInMillis) {
    try {
        NameIDType issuerId = SAMLAssertionFactory.createNameID(null, null, issuerName);
        SubjectType who = AssertionUtil.createAssertionSubject(principal.getName());
        AssertionType token = AssertionUtil.createAssertion(UUID.randomUUID().toString(), issuerId);
        token.setSubject(who);
        // window first, so getConditions() below is non-null
        AssertionUtil.createTimedConditions(token, timeValidInMillis);
        token.getConditions().addCondition(SAMLAssertionFactory.createAudienceRestriction(forService));
        addRoleStatements(roles, token, principal);
        return AssertionUtil.asString(token);
    } catch (Exception failure) {
        throw new RuntimeException(failure);
    }
}
/**
 * Add the user's current roles as attribute statement(s) on the SAML Assertion.
 * <p>
 * A single AttributeStatement holding one attribute named "Role" is appended; each role
 * becomes one attribute value. The statement is added even when {@code roles} is null or
 * empty (the Role attribute then simply has no values). Role strings are used exactly as
 * supplied by the caller - no normalization or filtering happens here.
 *
 * @param roles     role names to publish; may be null
 * @param assertion the assertion to extend
 * @param principal not used by this method
 */
private static void addRoleStatements(Set<String> roles, AssertionType assertion, Principal principal) {
    AttributeType roleAttribute = new AttributeType("Role"); //$NON-NLS-1$
    if (roles != null) {
        for (String roleName : roles) {
            roleAttribute.addAttributeValue(roleName);
        }
    }
    AttributeStatementType statement = new AttributeStatementType();
    statement.addAttribute(new ASTChoiceType(roleAttribute));
    assertion.addStatement(statement);
}
/**
 * Read the ID, Version and IssueInstant attributes from the Assertion start element and
 * build the skeleton assertion from them.
 * <p>
 * The Version attribute is checked against SAML 2.0 through {@code StringUtil.match}
 * (presumably rejecting a mismatch - confirm). No other validation is performed here: a
 * missing ID or IssueInstant surfaces as whatever the StAX helpers return or throw for an
 * absent attribute.
 *
 * @param nextElement the {@code <Assertion>} start element
 * @return a new assertion with only ID and IssueInstant populated
 * @throws ParsingException propagated from attribute extraction or time parsing
 */
private AssertionType parseBaseAttributes(StartElement nextElement) throws ParsingException {
    String id = StaxParserUtil.getAttributeValue(
            nextElement.getAttributeByName(new QName(JBossSAMLConstants.ID.get())));
    String version = StaxParserUtil.getAttributeValue(
            nextElement.getAttributeByName(new QName(JBossSAMLConstants.VERSION.get())));
    StringUtil.match(JBossSAMLConstants.VERSION_2_0.get(), version);
    String rawInstant = StaxParserUtil.getAttributeValue(
            nextElement.getAttributeByName(new QName(JBossSAMLConstants.ISSUE_INSTANT.get())));
    return new AssertionType(id, XMLTimeUtil.parse(rawInstant));
}
StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), assertion.getID()); StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), assertion.getVersion()); StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), assertion.getIssueInstant().toString()); NameIDType issuer = assertion.getIssuer(); if (issuer != null) write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX)); Element sig = assertion.getSignature(); if (sig != null) StaxUtil.writeDOMElement(writer, sig); SubjectType subject = assertion.getSubject(); if (subject != null) ConditionsType conditions = assertion.getConditions(); if (conditions != null) AdviceType advice = assertion.getAdvice(); if (advice != null) throw new RuntimeException(ErrorCodes.NOT_IMPLEMENTED_YET + "Advice"); Set<StatementAbstractType> statements = assertion.getStatements(); if (statements != null)
if (this.revocationRegistry.isRevoked(SAMLUtil.SAML2_TOKEN_TYPE, oldAssertion.getID())) throw logger.samlAssertionRevokedCouldNotRenew(oldAssertion.getID()); ConditionsType conditions = oldAssertion.getConditions(); conditions.setNotBefore(context.getRequestSecurityToken().getLifetime().getCreated()); conditions.setNotOnOrAfter(context.getRequestSecurityToken().getLifetime().getExpires()); statements.addAll(oldAssertion.getStatements()); AssertionType newAssertion = SAMLAssertionFactory.createAssertion(assertionID, oldAssertion.getIssuer(), context .getRequestSecurityToken().getLifetime().getCreated(), conditions, oldAssertion.getSubject(), statements);
throw new AssertionExpiredException(ErrorCodes.EXPIRED_ASSERTION); SubjectType subject = assertion.getSubject(); AttributeStatementType attributeStatement = (AttributeStatementType) assertion.getStatements().iterator().next(); List<ASTChoiceType> attList = attributeStatement.getAttributes(); for (ASTChoiceType obj : attList) {