/**
 * Rejects a bearer-confirmed assertion that is neither signed nor accompanied by a TLS
 * client certificate. Every other combination (non-bearer confirmation methods, a signed
 * assertion, or a non-empty {@code tlsCerts} array) is accepted by this check.
 *
 * NOTE(review): only the <em>presence</em> of a client certificate is tested here; this method
 * does not relate that certificate to the assertion in any way.
 *
 * @param assertionWrapper the received SAML assertion
 * @param tlsCerts client certificates from the TLS session, may be {@code null} or empty
 * @return {@code false} when an unsigned bearer assertion arrived without TLS client
 *         certificates, {@code true} otherwise
 */
protected boolean checkBearer(SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts) {
    boolean hasTlsCerts = tlsCerts != null && tlsCerts.length > 0;
    for (String method : assertionWrapper.getConfirmationMethods()) {
        if (isMethodBearer(method) && !assertionWrapper.isSigned() && !hasTlsCerts) {
            return false;
        }
        // do some more validation - time based, etc (not yet implemented here)
    }
    return true;
}
/**
 * Decides whether the bearer subject-confirmation rules are satisfied.
 *
 * The assertion fails only when some confirmation method is a bearer method, the assertion
 * carries no signature, and the TLS layer supplied no client certificate. Nothing beyond the
 * presence of a client certificate is examined.
 *
 * @param assertionWrapper the received SAML assertion
 * @param tlsCerts TLS client certificates, {@code null} or empty when none were presented
 * @return {@code true} unless an unsigned bearer assertion arrived without client certificates
 */
protected boolean checkBearer(SamlAssertionWrapper assertionWrapper, Certificate[] tlsCerts) {
    boolean noTlsCerts = tlsCerts == null || tlsCerts.length == 0;
    List<String> methods = assertionWrapper.getConfirmationMethods();
    // do some more validation - time based, etc (carried over from the original loop body)
    boolean unboundBearer = methods.stream()
        .anyMatch(m -> isMethodBearer(m) && !assertionWrapper.isSigned() && noTlsCerts);
    return !unboundBearer;
}
/**
 * Runs the superclass validation and then additionally requires that the credential carries
 * a SAML assertion and that this assertion is signed. The original author notes that the
 * signature itself is verified by the framework; this method only checks that one exists.
 *
 * @param credential the credential holding the SAML assertion
 * @param data request data forwarded to the superclass validation
 * @return the same {@code credential} once every check has passed
 * @throws WSSecurityException if the superclass rejects the credential, if no assertion is
 *         present, or if the assertion is unsigned
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    super.validate(credential, data);
    log.debug("Entering OJB saml assertion validator");
    SamlAssertionWrapper assertion = credential.getSamlAssertion();
    if (assertion == null) {
        log.error("Error: Unable to find assertion.");
    } else if (!assertion.isSigned()) {
        log.error("Error: Assertion is not signed.");
    } else {
        return credential;
    }
    // Both failure paths above surface as the same error code to the caller.
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
/**
 * Wraps a SAML assertion in a {@link SAMLTokenPrincipalImpl}. As a side effect, the parser
 * result is flagged as a trusted credential when the assertion's first confirmation method is
 * holder-of-key and the assertion is signed.
 *
 * Only the first confirmation method is consulted; any further methods are ignored here.
 *
 * @param samlAssertion the assertion to build a principal from
 * @param parserResult the parser result whose trusted-credential flag may be set
 * @return a principal wrapping {@code samlAssertion}
 */
private Principal createPrincipalFromSAML(
    SamlAssertionWrapper samlAssertion, STRParserResult parserResult
) {
    SAMLTokenPrincipalImpl principal = new SAMLTokenPrincipalImpl(samlAssertion);
    List<String> methods = samlAssertion.getConfirmationMethods();
    String firstMethod = (methods == null || methods.isEmpty()) ? null : methods.get(0);
    boolean holderOfKey = OpenSAMLUtil.isMethodHolderOfKey(firstMethod);
    if (holderOfKey && samlAssertion.isSigned()) {
        parserResult.setTrustedCredential(true);
    }
    return principal;
}
boolean signed = samlAssertion.isSigned(); boolean requiredMethodFound = false; boolean standardMethodFound = false;
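/**
 * Builds a {@link SecurityContext} for the given SAML assertion.
 *
 * A context is only created when the assertion is signed or the deployment has explicitly
 * opted in to unsigned principals through
 * {@link SecurityConstants#ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL}; otherwise {@code null}
 * is returned and no subject or claims are derived.
 *
 * @param message the current message, used to look up security properties
 * @param wrapper the received SAML assertion
 * @return the security context, or {@code null} when the assertion is not allowed to establish one
 */
public SecurityContext getSecurityContext(Message message, SamlAssertionWrapper wrapper) {
    // First check to see if we are allowed to set up a security context.
    // The SAML Assertion must be signed, or we must explicitly allow unsigned.
    // Using the boolean property accessor (as elsewhere in this code base) avoids the
    // unchecked (String) cast previously applied to the raw property value; the default of
    // false matches Boolean.parseBoolean(null). TODO confirm it accepts Boolean-typed values.
    boolean allowUnsignedSamlPrincipals = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, message, false
    );
    if (!wrapper.isSigned() && !allowUnsignedSamlPrincipals) {
        return null;
    }
    ClaimCollection claims = getClaims(wrapper);
    Subject subject = getSubject(message, wrapper, claims);
    SecurityContext securityContext = doGetSecurityContext(message, subject, claims);
    if (securityContext instanceof SAMLSecurityContext) {
        // Keep the raw assertion element available to downstream consumers of the context.
        Element assertionElement = wrapper.getElement();
        ((SAMLSecurityContext) securityContext).setAssertionElement(assertionElement);
    }
    return securityContext;
}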
/**
 * Derives a {@link SecurityContext} from a SAML assertion, or returns {@code null} when the
 * assertion is unsigned and unsigned principals were not explicitly enabled via the
 * {@link SecurityConstants#ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL} property.
 *
 * @param message the current message, consulted for security properties
 * @param wrapper the received SAML assertion
 * @return the security context, or {@code null} if none may be established
 */
public SecurityContext getSecurityContext(Message message, SamlAssertionWrapper wrapper) {
    // Gate: signed assertion, or an explicit opt-in for unsigned ones.
    Object rawAllowUnsigned = SecurityUtils.getSecurityPropertyValue(
        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, message
    );
    boolean unsignedAllowed = Boolean.parseBoolean((String) rawAllowUnsigned);
    if (!wrapper.isSigned() && !unsignedAllowed) {
        return null;
    }
    ClaimCollection claims = getClaims(wrapper);
    Subject subject = getSubject(message, wrapper, claims);
    SecurityContext context = doGetSecurityContext(message, subject, claims);
    if (context instanceof SAMLSecurityContext) {
        // Expose the raw assertion element on the SAML-specific context.
        ((SAMLSecurityContext) context).setAssertionElement(wrapper.getElement());
    }
    return context;
}
boolean signed = samlAssertion.isSigned(); boolean requiredMethodFound = false; boolean standardMethodFound = false;
/**
 * Tells whether a SAML token security event may be acted upon.
 *
 * The event must be non-null and carry a security token with a SAML assertion; that
 * assertion must be signed unless unsigned principals are enabled through
 * {@link SecurityConstants#ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL} (default: not enabled).
 *
 * @param event the security event, may be {@code null}
 * @param msg the current message, consulted for the opt-in property
 * @return {@code true} when the event carries an acceptable SAML assertion
 */
private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
    if (event == null) {
        return false;
    }
    boolean allowUnsigned = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
    );
    if (event.getSecurityToken() == null
        || event.getSecurityToken().getSamlAssertionWrapper() == null) {
        return false;
    }
    // Signed by default; unsigned only passes with the explicit opt-in.
    return allowUnsigned || event.getSecurityToken().getSamlAssertionWrapper().isSigned();
}
/**
 * Accepts a SAML token event only when it carries an assertion that is signed, or when the
 * deployment explicitly allows unsigned SAML principals.
 *
 * @param event the security event to inspect, may be {@code null}
 * @param msg the current message, used to read the opt-in property (defaults to false)
 * @return {@code true} if the event's assertion may be used, {@code false} otherwise
 */
private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
    if (event == null) {
        return false;
    }
    boolean allowUnsignedSamlPrincipals = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
    );
    if (event.getSecurityToken() == null) {
        return false;
    }
    SamlAssertionWrapper assertion = event.getSecurityToken().getSamlAssertionWrapper();
    if (assertion == null) {
        return false;
    }
    // The SAML Assertion must be signed by default.
    return allowUnsignedSamlPrincipals || assertion.isSigned();
}
if (!OpenSAMLUtil.isMethodHolderOfKey(confirmMethod) && !samlAssertionWrapper.isSigned()) { X509Certificate[] x509Certificates = getX509Certificates(); if (x509Certificates != null && x509Certificates.length > 0) {
/**
 * Validates a SAML credential.
 *
 * The credential must contain a non-null SamlAssertionWrapper; per the original
 * documentation a Crypto and a CallbackHandler implementation are also required to be set.
 * The assertion is checked in this order: subject confirmation method, conditions (including
 * audience restrictions from {@code data}), AuthnStatements, OneTimeUse, schema/profile
 * validation, and finally signature trust. The trust step runs only for signed assertions,
 * so whether an unsigned assertion is acceptable at all must be decided by the earlier
 * checks (presumably the subject-confirmation check) - confirm against those helpers.
 *
 * @param credential the Credential to be validated
 * @param data the RequestData associated with the request
 * @return the validated {@code credential}
 * @throws WSSecurityException on a failed validation
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    if (credential == null || credential.getSamlAssertion() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
    }
    SamlAssertionWrapper assertion = credential.getSamlAssertion();
    // Subject Confirmation requirements
    verifySubjectConfirmationMethod(assertion);
    // Conditions, including any audience restrictions supplied with the request
    checkConditions(assertion, data.getAudienceRestrictions());
    // AuthnStatements of the assertion (if any)
    checkAuthnStatements(assertion);
    // OneTimeUse Condition
    checkOneTimeUse(assertion, data);
    // Schema/profile validation of the assertion itself
    validateAssertion(assertion);
    // Signature trust is only established for signed assertions.
    if (assertion.isSigned()) {
        verifySignedAssertion(assertion, data);
    }
    return credential;
}
requestData.setCallbackHandler(callbackHandler); if (assertion.isSigned()) { if (assertion.getSaml1() != null) { assertion.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true);
protected void validateToken(Message message, SamlAssertionWrapper assertion) { try { RequestData data = new RequestData(); if (assertion.isSigned()) { WSSConfig cfg = WSSConfig.getNewInstance(); data.setWssConfig(cfg);
protected void validateToken(Message message, SamlAssertionWrapper assertion) { try { RequestData data = new RequestData(); if (assertion.isSigned()) { WSSConfig cfg = WSSConfig.getNewInstance(); data.setWssConfig(cfg);
if (assertion.isSigned()) { WSSConfig cfg = WSSConfig.getNewInstance(); data.setWssConfig(cfg);
if (samlAssertionWrapper.isSigned()) { sigVerCrypto = tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto();
if (assertion.isSigned()) { WSSConfig cfg = WSSConfig.getNewInstance(); data.setWssConfig(cfg);
if (samlAssertionWrapper.isSigned()) { sigVerCrypto = tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto();
if (samlAssertionWrapper.isSigned()) { sigVerCrypto = tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto();