@Override public WSSecurityTokenConstants.TokenType getTokenType() { if (samlAssertionWrapper != null && samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_10) { return WSSecurityTokenConstants.SAML_10_TOKEN; } else if (samlAssertionWrapper != null && samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11) { return WSSecurityTokenConstants.SAML_11_TOKEN; } return WSSecurityTokenConstants.SAML_20_TOKEN; }
/** * Check the policy version against the received assertion */ private boolean checkVersion( AssertionInfoMap aim, SamlToken samlToken, SamlAssertionWrapper assertionWrapper ) { SamlTokenType tokenType = samlToken.getSamlTokenType(); if ((tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) { return false; } else if (tokenType == SamlTokenType.WssSamlV20Token11 && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false; } PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name())); return true; }
/** * Check the policy version against the received assertion */ private boolean checkVersion( AssertionInfoMap aim, SamlToken samlToken, SamlAssertionWrapper assertionWrapper ) { SamlTokenType tokenType = samlToken.getSamlTokenType(); if ((tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) { return false; } else if (tokenType == SamlTokenType.WssSamlV20Token11 && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false; } PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name())); return true; }
/** * Check the policy version against the received assertion */ private boolean checkVersion( AssertionInfoMap aim, SamlToken samlToken, SamlAssertionWrapper assertionWrapper ) { SamlTokenType samlTokenType = samlToken.getSamlTokenType(); if ((samlTokenType == SamlTokenType.WssSamlV11Token10 || samlTokenType == SamlTokenType.WssSamlV11Token11) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) { return false; } else if (samlTokenType == SamlTokenType.WssSamlV20Token11 && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false; } if (samlTokenType != null) { PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name())); } return true; }
public Instant getNotOnOrAfter() { DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20)) { validTill = getSaml2().getConditions().getNotOnOrAfter(); } else { validTill = getSaml1().getConditions().getNotOnOrAfter(); } // Now convert to a Java Instant Object if (validTill != null) { return validTill.toDate().toInstant(); } return null; }
public Instant getNotBefore() { DateTime validFrom = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = getSaml2().getConditions().getNotBefore(); } else { validFrom = getSaml1().getConditions().getNotBefore(); } // Now convert to a Java Instant Object if (validFrom != null) { return validFrom.toDate().toInstant(); } return null; }
/** * Check the policy version against the received assertion */ private boolean checkVersion( AssertionInfoMap aim, SamlToken samlToken, SamlAssertionWrapper assertionWrapper ) { SamlTokenType samlTokenType = samlToken.getSamlTokenType(); if ((samlTokenType == SamlTokenType.WssSamlV11Token10 || samlTokenType == SamlTokenType.WssSamlV11Token11) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) { return false; } else if (samlTokenType == SamlTokenType.WssSamlV20Token11 && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false; } if (samlTokenType != null) { PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name())); } return true; }
String content = child.getTextContent(); if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(content) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) { return false; } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(content) && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false;
private void outputSecurityTokenReference( OutputProcessorChain outputProcessorChain, SamlAssertionWrapper samlAssertionWrapper, String referenceId, String tokenId) throws XMLStreamException, XMLSecurityException { List<XMLSecAttribute> attributes = new ArrayList<>(2); WSSecurityTokenConstants.TokenType tokenType = WSSecurityTokenConstants.SAML_11_TOKEN; if (samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11) { attributes.add(createAttribute(WSSConstants.ATT_WSSE11_TOKEN_TYPE, WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE)); } else { tokenType = WSSecurityTokenConstants.SAML_20_TOKEN; attributes.add(createAttribute(WSSConstants.ATT_WSSE11_TOKEN_TYPE, WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE)); } attributes.add(createAttribute(WSSConstants.ATT_WSU_ID, referenceId)); createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE, false, attributes); WSSUtils.createSAMLKeyIdentifierStructure(this, outputProcessorChain, tokenType, tokenId); createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE); }
private DateTime getExpiryDate(SamlAssertionWrapper assertion) { if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { return assertion.getSaml2().getConditions().getNotOnOrAfter(); } return assertion.getSaml1().getConditions().getNotOnOrAfter(); }
private DateTime getExpiryDate(SamlAssertionWrapper assertion) { if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { return assertion.getSaml2().getConditions().getNotOnOrAfter(); } return assertion.getSaml1().getConditions().getNotOnOrAfter(); }
/** * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion * is cached (if a cache is defined), and must not have been previously cached */ protected void checkOneTimeUse( SamlAssertionWrapper samlAssertion, ReplayCache replayCache ) throws WSSecurityException { if (replayCache != null && samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null) { String identifier = samlAssertion.getId(); if (replayCache.contains(identifier)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[] {"A replay attack has been detected"}); } DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Instant currentTime = Instant.now(); replayCache.add(identifier, 1L + Duration.between(currentTime, expires.toDate().toInstant()).getSeconds()); } else { replayCache.add(identifier); } } }
DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) { validTill = getSaml2().getConditions().getNotOnOrAfter(); issueInstant = getSaml2().getIssueInstant(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) { validTill = getSaml1().getConditions().getNotOnOrAfter();
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && assertion.getSaml2().getConditions() != null) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11) && assertion.getSaml1().getConditions() != null) { validFrom = assertion.getSaml1().getConditions().getNotBefore();
/** * Check the Conditions of the Assertion. */ public void checkConditions(int futureTTL) throws WSSecurityException { DateTime validFrom = null; DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) { validFrom = getSaml2().getConditions().getNotBefore(); validTill = getSaml2().getConditions().getNotOnOrAfter(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) { validFrom = getSaml1().getConditions().getNotBefore(); validTill = getSaml1().getConditions().getNotOnOrAfter(); } if (validFrom != null) { DateTime currentTime = new DateTime(); currentTime = currentTime.plusSeconds(futureTTL); if (validFrom.isAfter(currentTime)) { LOG.debug("SAML Token condition (Not Before) not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } } if (validTill != null && validTill.isBeforeNow()) { LOG.debug("SAML Token condition (Not On Or After) not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } }
/** * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion * is cached (if a cache is defined), and must not have been previously cached */ protected void checkOneTimeUse( SamlAssertionWrapper samlAssertion, RequestData data ) throws WSSecurityException { if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); ReplayCache replayCache = data.getSamlOneTimeUseReplayCache(); if (replayCache.contains(identifier)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[] {"A replay attack has been detected"}); } DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Instant currentTime = Instant.now(); Instant zonedExpires = Instant.ofEpochMilli(expires.getMillis()); replayCache.add(identifier, 1L + Duration.between(currentTime, zonedExpires).getSeconds()); } else { replayCache.add(identifier); } replayCache.add(identifier); } }
protected boolean validateConditions( SamlAssertionWrapper assertion, ReceivedToken validateTarget ) { DateTime validFrom = null; DateTime validTill = null; DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant(); } if (validFrom != null && validFrom.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); return false; } else if (validTill != null && validTill.isBeforeNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); validateTarget.setState(STATE.EXPIRED); return false; } if (issueInstant != null && issueInstant.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token IssueInstant not met"); return false; } return true; }
protected boolean validateConditions( SamlAssertionWrapper assertion, ReceivedToken validateTarget ) { DateTime validFrom = null; DateTime validTill = null; DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant(); } if (validFrom != null && validFrom.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); return false; } else if (validTill != null && validTill.isBeforeNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); validateTarget.setState(STATE.EXPIRED); return false; } if (issueInstant != null && issueInstant.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token IssueInstant not met"); return false; } return true; }
if (samlAssertion.getSamlVersion() == SAMLVersion.VERSION_20) { tempTok.setTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE); } else {
if (samlAssertion.getSamlVersion() == SAMLVersion.VERSION_20) { tempTok.setTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE); } else {