/**
 * Collects the audience values of every {@code AudienceRestriction} condition
 * carried by the assertion's Conditions element.
 *
 * @param assertion the assertion to inspect; may be {@code null}
 * @return the audience URIs rendered as strings; empty when the assertion is
 *         {@code null}, has no Conditions, or the Conditions carry no entries
 */
private Set<String> getAudienceRestrictions(AssertionType assertion) {
    Set<String> audiences = new HashSet<String>();
    if (assertion == null || assertion.getConditions() == null) {
        return audiences;
    }
    List<ConditionAbstractType> conditionList = assertion.getConditions().getConditions();
    if (conditionList == null) {
        return audiences;
    }
    for (ConditionAbstractType condition : conditionList) {
        // Only AudienceRestriction conditions contribute; other condition kinds are ignored.
        if (!(condition instanceof AudienceRestrictionType)) {
            continue;
        }
        AudienceRestrictionType restriction = (AudienceRestrictionType) condition;
        for (URI audience : restriction.getAudience()) {
            audiences.add(audience.toString());
        }
    }
    return audiences;
}
/**
 * Extracts the expiration time (the {@code NotOnOrAfter} bound) from an {@link AssertionType}.
 *
 * @param assertion the assertion to read; must not be {@code null}
 * @return the {@code NotOnOrAfter} value, or {@code null} when the assertion has no
 *         Conditions element or the bound is not set
 */
public static XMLGregorianCalendar getExpiration(AssertionType assertion) {
    ConditionsType conditions = assertion.getConditions();
    // No Conditions element means no expiration is recorded on the assertion.
    return conditions == null ? null : conditions.getNotOnOrAfter();
}
/**
 * <p>
 * Creates a {@code Conditions} instance with the specified values.
 * </p>
 * <p>
 * The bounds are stored as given: no check is made that {@code notBefore}
 * precedes {@code notOnOrAfter}, and either may be {@code null}.
 * </p>
 *
 * @param notBefore a {@code XMLGregorianCalendar} representing the start of the token lifetime period.
 * @param notOnOrAfter a {@code XMLGregorianCalendar} representing the end of the token lifetime period.
 * @param restrictions an array containing the applicable restrictions; {@code null} is treated as empty.
 * @return the constructed {@code Conditions} instance.
 */
public static ConditionsType createConditions(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, ConditionAbstractType... restrictions) {
    ConditionsType result = new ConditionsType();
    result.setNotBefore(notBefore);
    result.setNotOnOrAfter(notOnOrAfter);
    if (restrictions == null) {
        return result;
    }
    for (ConditionAbstractType restriction : restrictions) {
        result.addCondition(restriction);
    }
    return result;
}
/**
 * <p>
 * Adds validity conditions to the SAML2 Assertion: {@code NotBefore} is set to the
 * assertion's {@code IssueInstant} and {@code NotOnOrAfter} to the issue instant plus
 * {@code durationInMilis}.
 * </p>
 * <p>
 * There is no clock skew added, and any Conditions element already present on the
 * assertion is replaced.
 * </p>
 *
 * @see #createTimedConditions(AssertionType, long, long)
 * @param assertion the assertion to update; its {@code IssueInstant} must be set
 * @param durationInMilis validity period in milliseconds counted from the issue instant
 * @throws ConfigurationException as propagated from the time utilities
 * @throws IssueInstantMissingException if the assertion carries no {@code IssueInstant}
 */
public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException {
    XMLGregorianCalendar notBefore = assertion.getIssueInstant();
    if (notBefore == null) {
        throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
    }
    // The window starts at the issue instant itself and ends durationInMilis later.
    XMLGregorianCalendar notOnOrAfter = XMLTimeUtil.add(notBefore, durationInMilis);
    ConditionsType timedConditions = new ConditionsType();
    timedConditions.setNotBefore(notBefore);
    timedConditions.setNotOnOrAfter(notOnOrAfter);
    assertion.setConditions(timedConditions);
}
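/**
 * Checks whether the assertion's validity window has passed.
 * <p>
 * The Conditions element's {@code NotBefore}/{@code NotOnOrAfter} bounds are compared
 * against the current time. An assertion without a Conditions element is reported as
 * not expired (see the TODO below), so a {@code false} result alone does not prove the
 * assertion has a bounded lifetime; callers that require one must check for the
 * Conditions element themselves.
 *
 * @param assertion the assertion to check; must not be {@code null}
 * @return {@code true} if the current time falls outside the assertion's validity window
 * @throws ConfigurationException as propagated from the time utilities
 */
public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
    boolean expiry = false;
    //Check for validity of assertion
    ConditionsType conditionsType = assertion.getConditions();
    if (conditionsType != null) {
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
        XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
        if (trace) {
            // NotBefore is optional, so format it null-safely: a missing bound must not
            // abort the expiry check with a NullPointerException just because tracing is on.
            String notBeforeText = notBefore == null ? "null" : notBefore.toXMLFormat();
            log.trace("Now=" + now.toXMLFormat() + " ::notBefore=" + notBeforeText + "::notOnOrAfter=" + notOnOrAfter);
        }
        expiry = !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
        if (expiry) {
            log.info("Assertion has expired with id=" + assertion.getID());
        }
    }
    //TODO: if conditions do not exist, assume the assertion to be everlasting?
    return expiry;
}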
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.CONDITIONS.get(), ASSERTION_NSURI.get()); if (conditions.getNotBefore() != null) { StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), conditions.getNotBefore().toString()); if (conditions.getNotOnOrAfter() != null) { StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), conditions.getNotOnOrAfter().toString()); List<ConditionAbstractType> typeOfConditions = conditions.getConditions(); if (typeOfConditions != null) { for (ConditionAbstractType typeCondition : typeOfConditions) {
subjectConfirmationData.setNotOnOrAfter(conditions.getNotOnOrAfter()); conditions.addCondition(audience);
conditions.setNotBefore(context.getRequestSecurityToken().getLifetime().getCreated()); conditions.setNotOnOrAfter(context.getRequestSecurityToken().getLifetime().getExpires());
/**
 * Creates a SAML Assertion that can be used as a bearer token when invoking REST
 * services. The REST service must be configured to accept SAML Assertion bearer
 * tokens.
 *
 * In JBoss this means protecting the REST services with {@link org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule}.
 * In Tomcat7 this means protecting the REST services with {@link org.overlord.commons.auth.tomcat7.SAMLBearerTokenAuthenticator}.
 *
 * The assertion gets a random UUID as its ID, the principal's name as its subject,
 * a validity window of {@code timeValidInMillis} starting at the issue instant, and
 * a single audience restriction for {@code forService}.
 *
 * @param principal the authenticated principal whose name becomes the assertion subject
 * @param roles the roles to attach as role statements
 * @param issuerName the issuer name placed in the assertion's {@code Issuer} element
 * @param forService the audience the assertion is restricted to
 * @param timeValidInMillis how long, from the issue instant, the assertion stays valid
 * @return the assertion serialized as a string
 * @throws RuntimeException wrapping any checked exception raised while building the assertion
 */
public static String createSAMLAssertion(Principal principal, Set<String> roles, String issuerName, String forService, int timeValidInMillis) {
    try {
        NameIDType issuer = SAMLAssertionFactory.createNameID(null, null, issuerName);
        SubjectType subject = AssertionUtil.createAssertionSubject(principal.getName());
        String assertionId = UUID.randomUUID().toString();
        AssertionType assertion = AssertionUtil.createAssertion(assertionId, issuer);
        assertion.setSubject(subject);
        // Conditions are created first so that the audience restriction can be added to them.
        AssertionUtil.createTimedConditions(assertion, timeValidInMillis);
        assertion.getConditions().addCondition(SAMLAssertionFactory.createAudienceRestriction(forService));
        addRoleStatements(roles, assertion, principal);
        return AssertionUtil.asString(assertion);
    } catch (Exception e) {
        // Keep the cause so the failing step remains visible to the caller.
        throw new RuntimeException(e);
    }
}
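/**
 * Checks whether the assertion's validity window has passed.
 * <p>
 * The Conditions element's {@code NotBefore}/{@code NotOnOrAfter} bounds are compared
 * against the current time. An assertion without a Conditions element is reported as
 * not expired (see the TODO below), so a {@code false} result alone does not prove the
 * assertion has a bounded lifetime; callers that require one must check for the
 * Conditions element themselves.
 *
 * @param assertion the assertion to check; must not be {@code null}
 * @return {@code true} if the current time falls outside the assertion's validity window
 * @throws ConfigurationException as propagated from the time utilities
 */
public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
    boolean expiry = false;
    //Check for validity of assertion
    ConditionsType conditionsType = assertion.getConditions();
    if (conditionsType != null) {
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
        XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
        if (trace) {
            // NotBefore is optional, so format it null-safely: a missing bound must not
            // abort the expiry check with a NullPointerException just because tracing is on.
            String notBeforeText = notBefore == null ? "null" : notBefore.toXMLFormat();
            log.trace("Now=" + now.toXMLFormat() + " ::notBefore=" + notBeforeText + "::notOnOrAfter=" + notOnOrAfter);
        }
        expiry = !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
        if (expiry) {
            log.info("Assertion has expired with id=" + assertion.getID());
        }
    }
    //TODO: if conditions do not exist, assume the assertion to be everlasting?
    return expiry;
}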
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.CONDITIONS.get(), ASSERTION_NSURI.get()); if (conditions.getNotBefore() != null) { StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), conditions.getNotBefore().toString()); if (conditions.getNotOnOrAfter() != null) { StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), conditions.getNotOnOrAfter().toString()); List<ConditionAbstractType> typeOfConditions = conditions.getConditions(); if (typeOfConditions != null) { for (ConditionAbstractType typeCondition : typeOfConditions) {
/**
 * <p>
 * Adds validity conditions to the SAML2 Assertion: {@code NotBefore} is set to the
 * assertion's {@code IssueInstant} and {@code NotOnOrAfter} to the issue instant plus
 * {@code durationInMilis}.
 * </p>
 * <p>
 * There is no clock skew added, and any Conditions element already present on the
 * assertion is replaced.
 * </p>
 *
 * @see #createTimedConditions(AssertionType, long, long)
 * @param assertion the assertion to update; its {@code IssueInstant} must be set
 * @param durationInMilis validity period in milliseconds counted from the issue instant
 * @throws ConfigurationException as propagated from the time utilities
 * @throws IssueInstantMissingException if the assertion carries no {@code IssueInstant}
 */
public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException {
    XMLGregorianCalendar notBefore = assertion.getIssueInstant();
    if (notBefore == null) {
        throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
    }
    // The window starts at the issue instant itself and ends durationInMilis later.
    XMLGregorianCalendar notOnOrAfter = XMLTimeUtil.add(notBefore, durationInMilis);
    ConditionsType timedConditions = new ConditionsType();
    timedConditions.setNotBefore(notBefore);
    timedConditions.setNotOnOrAfter(notOnOrAfter);
    assertion.setConditions(timedConditions);
}
subjectConfirmationData.setNotOnOrAfter(conditions.getNotOnOrAfter()); conditions.addCondition(audience);
conditions.setNotBefore(lifetime.getCreated()); conditions.setNotOnOrAfter(lifetime.getExpires());
/**
 * <p>
 * Creates a {@code Conditions} instance with the specified values.
 * </p>
 * <p>
 * The bounds are stored as given: no check is made that {@code notBefore}
 * precedes {@code notOnOrAfter}, and either may be {@code null}.
 * </p>
 *
 * @param notBefore a {@code XMLGregorianCalendar} representing the start of the token lifetime period.
 * @param notOnOrAfter a {@code XMLGregorianCalendar} representing the end of the token lifetime period.
 * @param restrictions an array containing the applicable restrictions; {@code null} is treated as empty.
 * @return the constructed {@code Conditions} instance.
 */
public static ConditionsType createConditions(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, ConditionAbstractType... restrictions) {
    ConditionsType result = new ConditionsType();
    result.setNotBefore(notBefore);
    result.setNotOnOrAfter(notOnOrAfter);
    if (restrictions == null) {
        return result;
    }
    for (ConditionAbstractType restriction : restrictions) {
        result.addCondition(restriction);
    }
    return result;
}
if (conditionsType != null) { XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant(); XMLGregorianCalendar notBefore = conditionsType.getNotBefore(); XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter(); if (!XMLTimeUtil.isValid(now, notBefore, notOnOrAfter)) { String msg = "SAML Assertion has expired: " + "Now=" + now.toXMLFormat() + " ::notBefore="
ASSERTION_NSURI.get()); StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), conditions.getNotBefore().toString()); StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), conditions.getNotOnOrAfter() .toString()); List<ConditionAbstractType> typeOfConditions = conditions.getConditions(); if (typeOfConditions != null)
/**
 * <p>
 * Adds validity conditions to the SAML2 Assertion: {@code NotBefore} is set to the
 * assertion's {@code IssueInstant} and {@code NotOnOrAfter} to the issue instant plus
 * {@code durationInMilis}.
 * </p>
 * <p>
 * There is no clock skew added, and any Conditions element already present on the
 * assertion is replaced.
 * </p>
 *
 * @see #createTimedConditions(AssertionType, long, long)
 * @param assertion the assertion to update; its {@code IssueInstant} must be set
 * @param durationInMilis validity period in milliseconds counted from the issue instant
 * @throws ConfigurationException as propagated from the time utilities
 * @throws IssueInstantMissingException if the assertion carries no {@code IssueInstant}
 */
public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException {
    XMLGregorianCalendar notBefore = assertion.getIssueInstant();
    if (notBefore == null) {
        throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
    }
    // The window starts at the issue instant itself and ends durationInMilis later.
    XMLGregorianCalendar notOnOrAfter = XMLTimeUtil.add(notBefore, durationInMilis);
    ConditionsType timedConditions = new ConditionsType();
    timedConditions.setNotBefore(notBefore);
    timedConditions.setNotOnOrAfter(notOnOrAfter);
    assertion.setConditions(timedConditions);
}
subjectConfirmationData.setNotOnOrAfter(conditions.getNotOnOrAfter()); conditions.addCondition(audience);
/**
 * Extracts the expiration time (the {@code NotOnOrAfter} bound) from an {@link AssertionType}.
 *
 * @param assertion the assertion to read; must not be {@code null}
 * @return the {@code NotOnOrAfter} value, or {@code null} when the assertion has no
 *         Conditions element or the bound is not set
 */
public static XMLGregorianCalendar getExpiration(AssertionType assertion) {
    ConditionsType conditions = assertion.getConditions();
    // No Conditions element means no expiration is recorded on the assertion.
    return conditions == null ? null : conditions.getNotOnOrAfter();
}