/**
 * Wraps a DOM assertion element in a {@link SamlAssertionWrapper}.
 *
 * NOTE(review): constructing the wrapper parses the element; whether it also
 * checks the signature or conditions is not visible here — presumably not,
 * despite the fault text "can not be validated". Confirm before relying on it.
 *
 * @param tokenElement the SAML assertion element to wrap
 * @return the wrapper; {@code null} only if {@code throwFault} returns normally
 */
protected SamlAssertionWrapper toWrapper(Element tokenElement) {
    SamlAssertionWrapper wrapper = null;
    try {
        wrapper = new SamlAssertionWrapper(tokenElement);
    } catch (Exception ex) {
        // Any parse failure is surfaced through the sibling throwFault helper
        throwFault("Assertion can not be validated", ex);
    }
    return wrapper;
}
/**
 * Wraps a DOM assertion element in a {@link SamlAssertionWrapper}.
 *
 * NOTE(review): constructing the wrapper parses the element; whether it also
 * checks the signature or conditions is not visible here — presumably not,
 * despite the fault text "can not be validated". Confirm before relying on it.
 *
 * @param tokenElement the SAML assertion element to wrap
 * @return the wrapper; {@code null} only if {@code throwFault} returns normally
 */
protected SamlAssertionWrapper toWrapper(Element tokenElement) {
    SamlAssertionWrapper wrapper = null;
    try {
        wrapper = new SamlAssertionWrapper(tokenElement);
    } catch (Exception ex) {
        // Any parse failure is surfaced through the sibling throwFault helper
        throwFault("Assertion can not be validated", ex);
    }
    return wrapper;
}
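/**
 * Obtains the SAML assertion for the current message.
 *
 * First looks for an assertion element already placed in the message context
 * (for example by an STS client) under WS_SAML_TOKEN_ELEMENT / SAML_TOKEN_ELEMENT.
 * Otherwise it resolves the configured SAML callback handler and delegates to
 * {@code createAssertion(Message, CallbackHandler)} to build one.
 *
 * @param message the current CXF message
 * @return the assertion wrapper
 * @throws Fault if the context element cannot be parsed or assertion creation fails
 */
public static SamlAssertionWrapper createAssertion(Message message) throws Fault {
    try {
        Element samlToken = (Element) MessageUtils.getContextualProperty(
            message, SAMLConstants.WS_SAML_TOKEN_ELEMENT, SAMLConstants.SAML_TOKEN_ELEMENT);
        if (samlToken != null) {
            return new SamlAssertionWrapper(samlToken);
        }
        // No pre-built token: build (and self-sign) one via the callback handler
        CallbackHandler handler = RSSecurityUtils.getCallbackHandler(
            message, SAMLUtils.class, SecurityConstants.SAML_CALLBACK_HANDLER);
        return createAssertion(message, handler);
    } catch (Exception ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        LOG.warning(sw.toString());
        // Fix: pass the original exception as the cause so the chain is preserved;
        // the message text is unchanged for existing callers.
        // NOTE(review): the full stack trace is embedded in the fault message. If
        // this Fault can reach a remote peer, log it only — confirm the fault's path.
        throw new Fault(new RuntimeException(
            ex.getMessage() + ", stacktrace: " + sw.toString(), ex));
    }
}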
/**
 * Decides whether a received SAML token may be used for delegation.
 *
 * Every subject confirmation method on the assertion must be SAML 1.1 or
 * SAML 2.0 bearer. When {@code checkAudienceRestriction} is on and an
 * AppliesTo address is given, the assertion's AudienceRestriction addresses
 * must be empty or contain that address. A token that cannot be parsed is rejected.
 *
 * NOTE(review): an assertion with no confirmation methods passes the first
 * check, and one with no AudienceRestriction passes the second. Signature and
 * validity-period checks are not performed here — presumably by the caller's
 * token validation; confirm.
 *
 * @param receivedToken the token to examine; its payload must be a DOM Element
 * @param appliesToAddress the AppliesTo address of the request, may be null
 * @return true if delegation is allowed
 */
protected boolean isDelegationAllowed(ReceivedToken receivedToken, String appliesToAddress) {
    Element tokenElement = (Element) receivedToken.getToken();
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(tokenElement);
        for (String method : assertion.getConfirmationMethods()) {
            boolean bearer = SAML1Constants.CONF_BEARER.equals(method)
                || SAML2Constants.CONF_BEARER.equals(method);
            if (!bearer) {
                LOG.fine("An unsupported Confirmation Method was used: " + method);
                return false;
            }
        }
        if (checkAudienceRestriction && appliesToAddress != null) {
            List<String> audiences = getAudienceRestrictions(assertion);
            boolean matches = audiences.isEmpty() || audiences.contains(appliesToAddress);
            if (!matches) {
                LOG.fine("The AppliesTo address " + appliesToAddress + " is not contained"
                    + " in the Audience Restriction addresses in the assertion");
                return false;
            }
        }
        return true;
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", ex);
        return false;
    }
}
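/**
 * Obtains the SAML assertion for the current message.
 *
 * First looks for an assertion element already placed in the message context
 * (for example by an STS client) under WS_SAML_TOKEN_ELEMENT / SAML_TOKEN_ELEMENT.
 * Otherwise it resolves the configured SAML callback handler and delegates to
 * {@code createAssertion(Message, CallbackHandler)} to build one.
 *
 * @param message the current CXF message
 * @return the assertion wrapper
 * @throws Fault if the context element cannot be parsed or assertion creation fails
 */
public static SamlAssertionWrapper createAssertion(Message message) throws Fault {
    try {
        Element samlToken = (Element) MessageUtils.getContextualProperty(
            message, SAMLConstants.WS_SAML_TOKEN_ELEMENT, SAMLConstants.SAML_TOKEN_ELEMENT);
        if (samlToken != null) {
            return new SamlAssertionWrapper(samlToken);
        }
        // No pre-built token: build (and self-sign) one via the callback handler
        CallbackHandler handler = RSSecurityUtils.getCallbackHandler(
            message, SAMLUtils.class, SecurityConstants.SAML_CALLBACK_HANDLER);
        return createAssertion(message, handler);
    } catch (Exception ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        LOG.warning(sw.toString());
        // Fix: pass the original exception as the cause so the chain is preserved;
        // the message text is unchanged for existing callers.
        // NOTE(review): the full stack trace is embedded in the fault message. If
        // this Fault can reach a remote peer, log it only — confirm the fault's path.
        throw new Fault(new RuntimeException(
            ex.getMessage() + ", stacktrace: " + sw.toString(), ex));
    }
}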
/**
 * Decides whether a received SAML token may be used for delegation.
 *
 * Every subject confirmation method on the assertion must be bearer or
 * holder-of-key (SAML 1.1 or SAML 2.0). When {@link #isCheckAudienceRestriction()}
 * is true and an AppliesTo address is given, the assertion's AudienceRestriction
 * addresses must be empty or contain that address. An unparseable token is rejected.
 *
 * NOTE(review): accepting holder-of-key here does not itself prove the requester
 * holds the key; proof-of-possession is presumably enforced elsewhere — confirm.
 * An assertion with no confirmation methods, or no AudienceRestriction, passes.
 *
 * @param receivedToken the token to examine; its payload must be a DOM Element
 * @param appliesToAddress the AppliesTo address of the request, may be null
 * @return true if delegation is allowed
 */
@Override
protected boolean isDelegationAllowed(ReceivedToken receivedToken, String appliesToAddress) {
    Element tokenElement = (Element) receivedToken.getToken();
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(tokenElement);
        for (String method : assertion.getConfirmationMethods()) {
            boolean bearerOrHolderOfKey = SAML1Constants.CONF_BEARER.equals(method)
                || SAML1Constants.CONF_HOLDER_KEY.equals(method)
                || SAML2Constants.CONF_BEARER.equals(method)
                || SAML2Constants.CONF_HOLDER_KEY.equals(method);
            if (!bearerOrHolderOfKey) {
                return false;
            }
        }
        if (isCheckAudienceRestriction() && appliesToAddress != null) {
            List<String> audiences = getAudienceRestrictions(assertion);
            if (!audiences.isEmpty() && !audiences.contains(appliesToAddress)) {
                return false;
            }
        }
        return true;
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", ex);
        return false;
    }
}
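/**
 * Builds a SAML assertion via the callback handler and self-signs it with the
 * key described by {@code info}.
 *
 * The callback runs outside the try block, so whatever (unchecked) exception
 * {@code SAMLUtil.doSAMLCallback} raises propagates as-is; only wrapper
 * construction and signing are converted to a Fault. The fourth argument to
 * {@code signAssertion} (sendKeyValue) is fixed to false.
 *
 * @param handler callback handler that populates the SAMLCallback
 * @param info signing user, password and Crypto
 * @return the signed assertion wrapper
 * @throws Fault if construction or signing fails
 */
public static SamlAssertionWrapper createAssertion(CallbackHandler handler, SelfSignInfo info)
    throws Fault {
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, samlCallback);
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        assertion.signAssertion(info.getUser(), info.getPassword(), info.getCrypto(), false);
        return assertion;
    } catch (Exception ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        LOG.warning(sw.toString());
        // Fix: keep the original exception as the cause; message text unchanged.
        // NOTE(review): the stack trace is embedded in the fault message; if this
        // Fault can reach a remote peer, prefer logging it only — confirm.
        throw new Fault(new RuntimeException(
            ex.getMessage() + ", stacktrace: " + sw.toString(), ex));
    }
}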
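/**
 * Builds a SAML assertion via the callback handler and self-signs it with the
 * key described by {@code info}.
 *
 * The callback runs outside the try block, so whatever (unchecked) exception
 * {@code SAMLUtil.doSAMLCallback} raises propagates as-is; only wrapper
 * construction and signing are converted to a Fault. The fourth argument to
 * {@code signAssertion} (sendKeyValue) is fixed to false.
 *
 * @param handler callback handler that populates the SAMLCallback
 * @param info signing user, password and Crypto
 * @return the signed assertion wrapper
 * @throws Fault if construction or signing fails
 */
public static SamlAssertionWrapper createAssertion(CallbackHandler handler, SelfSignInfo info)
    throws Fault {
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, samlCallback);
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        assertion.signAssertion(info.getUser(), info.getPassword(), info.getCrypto(), false);
        return assertion;
    } catch (Exception ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        LOG.warning(sw.toString());
        // Fix: keep the original exception as the cause; message text unchanged.
        // NOTE(review): the stack trace is embedded in the fault message; if this
        // Fault can reach a remote peer, prefer logging it only — confirm.
        throw new Fault(new RuntimeException(
            ex.getMessage() + ", stacktrace: " + sw.toString(), ex));
    }
}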
/**
 * Returns the issuer of the SAML assertion held by the message's security context.
 *
 * @return the issuer string, or {@code null} when the SecurityContext is not a
 *         SAMLSecurityContext or it carries no assertion element
 * @throws WSSecurityException if the assertion element cannot be parsed
 */
public String getIssuer() throws WSSecurityException {
    SecurityContext securityContext = message.get(SecurityContext.class);
    if (!(securityContext instanceof SAMLSecurityContext)) {
        return null;
    }
    Element assertionElement = ((SAMLSecurityContext) securityContext).getAssertionElement();
    if (assertionElement == null) {
        return null;
    }
    // Re-parse the stored element; the wrapper exposes the Issuer value
    return new SamlAssertionWrapper(assertionElement).getIssuerString();
}
}
/**
 * Reports whether an issued token is a SAML 2.0 Assertion whose Conditions
 * element carries OneTimeUse.
 *
 * Only elements with local name "Assertion" in the SAML 2.0 namespace are
 * inspected; any other token (including null) yields false.
 *
 * @param issuedToken the token to inspect
 * @return true iff the assertion has a Conditions element with OneTimeUse
 * @throws Fault if the assertion element cannot be parsed
 */
private static boolean isOneTimeUse(SecurityToken issuedToken) {
    Element tokenElement = issuedToken.getToken();
    boolean saml2Assertion = tokenElement != null
        && "Assertion".equals(tokenElement.getLocalName())
        && WSS4JConstants.SAML2_NS.equals(tokenElement.getNamespaceURI());
    if (!saml2Assertion) {
        return false;
    }
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(tokenElement);
        return assertion.getSaml2().getConditions() != null
            && assertion.getSaml2().getConditions().getOneTimeUse() != null;
    } catch (WSSecurityException ex) {
        throw new Fault(ex);
    }
}
/**
 * Reports whether an issued token is a SAML 2.0 Assertion whose Conditions
 * element carries OneTimeUse.
 *
 * Only elements with local name "Assertion" in the SAML 2.0 namespace are
 * inspected; any other token (including null) yields false.
 *
 * @param issuedToken the token to inspect
 * @return true iff the assertion has a Conditions element with OneTimeUse
 * @throws Fault if the assertion element cannot be parsed
 */
private static boolean isOneTimeUse(SecurityToken issuedToken) {
    Element tokenElement = issuedToken.getToken();
    boolean saml2Assertion = tokenElement != null
        && "Assertion".equals(tokenElement.getLocalName())
        && WSS4JConstants.SAML2_NS.equals(tokenElement.getNamespaceURI());
    if (!saml2Assertion) {
        return false;
    }
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(tokenElement);
        return assertion.getSaml2().getConditions() != null
            && assertion.getSaml2().getConditions().getOneTimeUse() != null;
    } catch (WSSecurityException ex) {
        throw new Fault(ex);
    }
}
/**
 * Turns the relying-party token into an encoded SAML 2.0 Response.
 *
 * Exactly one SAML 2.0 Assertion element must be present anywhere under
 * {@code rpToken}; zero or several is rejected as a bad request, which also
 * refuses tokens carrying extra assertions. The ProcessingException thrown
 * inside the try (non-SAML2 wrapper) is caught by the generic handler and
 * re-thrown as BAD_REQUEST after logging; only the exception message is logged.
 *
 * NOTE(review): getRemoteAddr() is the TCP peer; behind a proxy that is the
 * proxy address — confirm how createSAML2Assertion uses it.
 *
 * @param context the request context
 * @param idp the issuing IdP configuration
 * @param rpToken the token received from the STS/RP
 * @param consumerURL the assertion consumer URL
 * @param requestId the AuthnRequest ID this response answers
 * @param requestIssuer the AuthnRequest issuer
 * @return the encoded Response
 * @throws ProcessingException with BAD_REQUEST on any failure
 */
public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
                                 String consumerURL, String requestId, String requestIssuer)
    throws ProcessingException {
    List<Element> assertions =
        DOMUtils.findAllElementsByTagNameNS(rpToken, WSConstants.SAML2_NS, "Assertion");
    // size() != 1 already covers the empty case
    if (assertions.size() != 1) {
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
    try {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertions.get(0));
        if (wrapper.getSaml2() == null) {
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
        String clientAddress = WebUtils.getHttpServletRequest(context).getRemoteAddr();
        Assertion outbound = createSAML2Assertion(context, idp, wrapper, requestId,
                                                  requestIssuer, clientAddress, consumerURL);
        Element response = createResponse(idp, requestId, outbound);
        return encodeResponse(response);
    } catch (Exception ex) {
        LOG.warn("Error marshalling SAML Token: {}", ex.getMessage());
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}
/**
 * Builds a SAML 2.0 Response object.
 *
 * The ID is a fresh random UUID prefixed with "_" (presumably so it is a valid
 * xs:ID even when the UUID starts with a digit — not stated in the code).
 * When {@code samlAssertion} is non-null it is parsed and its SAML 2 object
 * added to the response's assertion list.
 *
 * @param issuer the response issuer
 * @param status the response status
 * @param requestId the request ID placed in InResponseTo
 * @param samlAssertion DOM assertion to embed, may be null
 * @return the populated Response
 * @throws WSSecurityException if the assertion element cannot be parsed
 */
public static Response createResponse(Issuer issuer, Status status, String requestId,
                                      Element samlAssertion) throws WSSecurityException {
    Response response = responseSAMLObjectBuilder.buildObject();
    response.setID("_" + UUID.randomUUID().toString());
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime());
    response.setIssuer(issuer);
    response.setStatus(status);
    response.setInResponseTo(requestId);
    if (samlAssertion != null) {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlAssertion);
        response.getAssertions().add(wrapper.getSaml2());
    }
    return response;
}
/**
 * Creates a SAML assertion for an STS issue request.
 *
 * Resolves the realm-specific properties (if the realm is known), runs the
 * callback handler to populate the SAMLCallback, builds the wrapper, lets the
 * optional custom handler modify it, and finally signs it when {@code signToken}
 * is set. The custom handler runs before signing, so its changes are covered by
 * the signature.
 *
 * NOTE(review): with {@code signToken} false the assertion is returned unsigned;
 * relying parties must not treat such a token as authoritative — confirm config.
 *
 * @param tokenParameters request parameters (realm, STS properties, key requirements)
 * @param secret symmetric secret to bind into the token, passed to the callback handler
 * @param doc owner document for the generated token
 * @return the (possibly signed) assertion wrapper
 * @throws Exception on any callback, construction or signing failure
 */
private SamlAssertionWrapper createSamlToken(TokenProviderParameters tokenParameters,
                                             byte[] secret, Document doc) throws Exception {
    String realm = tokenParameters.getRealm();
    RealmProperties realmProperties =
        (realm != null && realmMap.containsKey(realm)) ? realmMap.get(realm) : null;
    SamlCallbackHandler callbackHandler =
        createCallbackHandler(tokenParameters, secret, realmProperties, doc);
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    if (samlCustomHandler != null) {
        samlCustomHandler.handle(assertion, tokenParameters);
    }
    if (signToken) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        signToken(assertion, realmProperties, stsProperties, tokenParameters.getKeyRequirements());
    }
    return assertion;
}
/**
 * Creates a SAML assertion for an STS issue request.
 *
 * Resolves the realm-specific properties (if the realm is known), runs the
 * callback handler to populate the SAMLCallback, builds the wrapper, lets the
 * optional custom handler modify it, and finally signs it when {@code signToken}
 * is set. The custom handler runs before signing, so its changes are covered by
 * the signature.
 *
 * NOTE(review): with {@code signToken} false the assertion is returned unsigned;
 * relying parties must not treat such a token as authoritative — confirm config.
 *
 * @param tokenParameters request parameters (realm, STS properties, key requirements)
 * @param secret symmetric secret to bind into the token, passed to the callback handler
 * @param doc owner document for the generated token
 * @return the (possibly signed) assertion wrapper
 * @throws Exception on any callback, construction or signing failure
 */
private SamlAssertionWrapper createSamlToken(TokenProviderParameters tokenParameters,
                                             byte[] secret, Document doc) throws Exception {
    String realm = tokenParameters.getRealm();
    RealmProperties realmProperties =
        (realm != null && realmMap.containsKey(realm)) ? realmMap.get(realm) : null;
    SamlCallbackHandler callbackHandler =
        createCallbackHandler(tokenParameters, secret, realmProperties, doc);
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    if (samlCustomHandler != null) {
        samlCustomHandler.handle(assertion, tokenParameters);
    }
    if (signToken) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        signToken(assertion, realmProperties, stsProperties, tokenParameters.getKeyRequirements());
    }
    return assertion;
}
/**
 * Handles a SAML 2.0 bearer assertion grant and issues an access token.
 *
 * The assertion parameter is decoded, parsed into a DOM element, wrapped,
 * validated against the current message and mapped to a grant subject.
 * Every failure other than an OAuthServiceException is collapsed into
 * INVALID_GRANT (with the cause attached), so no parser detail reaches the client.
 *
 * NOTE(review): {@code readToken} parses attacker-supplied XML; it is assumed to
 * use a hardened parser (no DTD / external entities) — confirm. Signature and
 * audience enforcement are assumed to live in {@code validateToken} — confirm.
 *
 * @param client the authenticated OAuth client
 * @param params the token-endpoint form parameters
 * @return the newly created access token
 * @throws OAuthServiceException INVALID_GRANT if the assertion is missing or rejected
 */
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {
    String encodedAssertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
    if (encodedAssertion == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    try {
        InputStream assertionStream = decodeAssertion(encodedAssertion);
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(readToken(assertionStream));
        Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        validateToken(currentMessage, wrapper);
        UserSubject subject = getGrantSubject(currentMessage, wrapper);
        return doCreateAccessToken(client, subject, Constants.SAML2_BEARER_GRANT,
                                   OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
    } catch (OAuthServiceException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}
/**
 * Handles a SAML 2.0 bearer assertion grant and issues an access token.
 *
 * The assertion parameter is decoded, parsed into a DOM element, wrapped,
 * validated against the current message and mapped to a grant subject.
 * Every failure other than an OAuthServiceException is collapsed into
 * INVALID_GRANT (with the cause attached), so no parser detail reaches the client.
 *
 * NOTE(review): {@code readToken} parses attacker-supplied XML; it is assumed to
 * use a hardened parser (no DTD / external entities) — confirm. Signature and
 * audience enforcement are assumed to live in {@code validateToken} — confirm.
 *
 * @param client the authenticated OAuth client
 * @param params the token-endpoint form parameters
 * @return the newly created access token
 * @throws OAuthServiceException INVALID_GRANT if the assertion is missing or rejected
 */
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {
    String encodedAssertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
    if (encodedAssertion == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    try {
        InputStream assertionStream = decodeAssertion(encodedAssertion);
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(readToken(assertionStream));
        Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        validateToken(currentMessage, wrapper);
        UserSubject subject = getGrantSubject(currentMessage, wrapper);
        return doCreateAccessToken(client, subject, Constants.SAML2_BEARER_GRANT,
                                   OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
    } catch (OAuthServiceException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}
/**
 * Builds a mock SAML assertion element for tests using the local SamlCallbackHandler.
 *
 * The {@code saml2} field is handed to the handler (its meaning — presumably
 * SAML 2.0 vs 1.1 — is defined by that handler, not visible here).
 *
 * @param doc owner document for the returned element
 * @return the assertion as a DOM element
 * @throws Exception if the callback or DOM conversion fails
 */
private Element getSAMLAssertion(Document doc) throws Exception {
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(new SamlCallbackHandler(saml2), callback);
    return new SamlAssertionWrapper(callback).toDOM(doc);
}
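/**
 * Creates a SAML token via SamlCallbackHandler and stores its DOM form on the
 * message under SAML_TOKEN_ELEMENT for downstream interceptors to pick up.
 *
 * The callback runs outside the try block, so its own (unchecked) exception
 * propagates unchanged; only wrapper construction / DOM conversion failures
 * become a Fault.
 *
 * @param message the current message
 * @throws Fault if the assertion cannot be built or serialized
 */
@Override
public void handleMessage(Message message) throws Fault {
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(new SamlCallbackHandler(), callback);
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
        Document doc = DOMUtils.createDocument();
        Element token = assertion.toDOM(doc);
        message.put(SAMLConstants.SAML_TOKEN_ELEMENT, token);
    } catch (WSSecurityException ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        // Fix: keep the original exception as the cause; message text unchanged.
        // NOTE(review): the stack trace is embedded in the fault message; if this
        // Fault can reach a remote peer, prefer logging it only — confirm.
        throw new Fault(new RuntimeException(
            ex.getMessage() + ", stacktrace: " + sw.toString(), ex));
    }
}
}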
/**
 * Builds a serialized SAML assertion for tests.
 *
 * Configures a SamlCallbackHandler with the audience restriction and, for
 * SAML 1.1, the bearer confirmation method; the {@code sign} flag is passed to
 * the handler, and signing actually happens only if the populated callback
 * reports {@code isSignAssertion()}, using the issuer key, crypto and
 * algorithms the callback carries.
 *
 * @param audRestr audience restriction to place in the assertion
 * @param saml2 true for SAML 2.0, false for SAML 1.1 bearer
 * @param sign whether the handler should request signing
 * @return the assertion serialized to a String
 * @throws WSSecurityException on construction or signing failure
 */
public static String createToken(String audRestr, boolean saml2, boolean sign)
    throws WSSecurityException {
    SamlCallbackHandler handler = new SamlCallbackHandler(sign);
    handler.setAudience(audRestr);
    if (!saml2) {
        handler.setSaml2(false);
        handler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
    }
    SAMLCallback callback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(handler, callback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
    if (callback.isSignAssertion()) {
        assertion.signAssertion(
            callback.getIssuerKeyName(),
            callback.getIssuerKeyPassword(),
            callback.getIssuerCrypto(),
            callback.isSendKeyValue(),
            callback.getCanonicalizationAlgorithm(),
            callback.getSignatureAlgorithm());
    }
    return assertion.assertionToString();
}