/**
 * Attempts to validate the SAML assertion carried by {@code credential} in-process
 * instead of dispatching the credential to the STS.
 *
 * @param credential the credential under validation; only its SAML assertion is considered here
 * @param data request context handed to the local SAML validator
 * @return {@code true} when local validation ran and trust verification succeeded;
 *         {@code false} when local validation was not attempted at all (STS validation is
 *         forced via {@code alwaysValidateToSts}, or the credential has no SAML assertion) —
 *         the caller is expected to fall back to the STS in that case
 * @throws WSSecurityException if the local validator rejects the assertion
 */
protected boolean isValidatedLocally(Credential credential, RequestData data) throws WSSecurityException {
    boolean canValidateHere = !alwaysValidateToSts && credential.getSamlAssertion() != null;
    if (!canValidateHere) {
        return false;
    }
    try {
        samlValidator.validate(credential, data);
        // NOTE(review): the trust result is read back from state kept on the samlValidator
        // instance by the validate() call above; if that instance is shared between threads
        // this read is not guaranteed to belong to this request — confirm.
        return samlValidator.isTrustVerificationSucceeded();
    } catch (RuntimeException unchecked) {
        throw unchecked;
    } catch (Exception checked) {
        // Every checked exception is surfaced as a generic invalidSAMLsecurity failure. If
        // WSSecurityException is itself checked, one thrown by validate() is re-wrapped here
        // and its original error code is lost.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, checked, "invalidSAMLsecurity");
    }
}
/**
 * Runs the base SAML validation and additionally insists that the assertion be signed.
 * <p>
 * The base class is relied on for the cryptographic validity of a signature that is
 * present; it is not assumed to reject an assertion that carries no signature at all,
 * hence the explicit {@code isSigned()} check below.
 *
 * @param credential the credential carrying the SAML assertion
 * @param data request context passed through to the base validator
 * @return the same {@code credential} once all checks have passed
 * @throws WSSecurityException if the base validation fails, the credential carries no
 *         assertion, or the assertion is not signed
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    super.validate(credential, data);
    log.debug("Entering OJB saml assertion validator");

    SamlAssertionWrapper wrapper = credential.getSamlAssertion();
    if (wrapper == null) {
        log.error("Error: Unable to find assertion.");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // Presence of a signature is mandatory here; its validity is the base validator's job.
    if (!wrapper.isSigned()) {
        log.error("Error: Assertion is not signed.");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    return credential;
}
/**
 * Attempts to validate the SAML assertion carried by {@code credential} in-process
 * instead of dispatching the credential to the STS.
 *
 * @param credential the credential under validation; only its SAML assertion is considered here
 * @param data request context handed to the local SAML validator
 * @return {@code true} when local validation ran and trust verification succeeded;
 *         {@code false} when local validation was not attempted at all (STS validation is
 *         forced via {@code alwaysValidateToSts}, or the credential has no SAML assertion) —
 *         the caller is expected to fall back to the STS in that case
 * @throws WSSecurityException if the local validator rejects the assertion
 */
protected boolean isValidatedLocally(Credential credential, RequestData data) throws WSSecurityException {
    boolean canValidateHere = !alwaysValidateToSts && credential.getSamlAssertion() != null;
    if (!canValidateHere) {
        return false;
    }
    try {
        samlValidator.validate(credential, data);
        // NOTE(review): the trust result is read back from state kept on the samlValidator
        // instance by the validate() call above; if that instance is shared between threads
        // this read is not guaranteed to belong to this request — confirm.
        return samlValidator.isTrustVerificationSucceeded();
    } catch (RuntimeException unchecked) {
        throw unchecked;
    } catch (Exception checked) {
        // Every checked exception is surfaced as a generic invalidSAMLsecurity failure. If
        // WSSecurityException is itself checked, one thrown by validate() is re-wrapped here
        // and its original error code is lost.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, checked, "invalidSAMLsecurity");
    }
}
/**
 * Derives the caller's roles from the SAML assertion attached to {@code credential}.
 * A transformed token, when present, takes precedence over the assertion as originally
 * received.
 *
 * @param msg the current message, used to look up the configured role attribute name;
 *            may be {@code null}, in which case the default attribute name is used
 * @param credential the credential whose assertion is inspected
 * @return the roles parsed from the assertion's claims, or an empty set when the
 *         credential carries no SAML assertion at all
 */
private Set<Principal> getRoles(Message msg, Credential credential) {
    SamlAssertionWrapper source = credential.getTransformedToken();
    if (source == null) {
        source = credential.getSamlAssertion();
    }
    if (source == null) {
        return Collections.emptySet();
    }

    String attributeName = msg == null
        ? null
        : (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
    if (attributeName == null || attributeName.isEmpty()) {
        attributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    }

    ClaimCollection claims = SAMLUtils.getClaims(source);
    return SAMLUtils.parseRolesFromClaims(claims, attributeName, null);
}
/**
 * Derives the caller's roles from the SAML assertion attached to {@code credential}.
 * A transformed token, when present, takes precedence over the assertion as originally
 * received.
 *
 * @param msg the current message, used to look up the configured role attribute name;
 *            may be {@code null}, in which case the default attribute name is used
 * @param credential the credential whose assertion is inspected
 * @return the roles parsed from the assertion's claims, or an empty set when the
 *         credential carries no SAML assertion at all
 */
private Set<Principal> getRoles(Message msg, Credential credential) {
    SamlAssertionWrapper source = credential.getTransformedToken();
    if (source == null) {
        source = credential.getSamlAssertion();
    }
    if (source == null) {
        return Collections.emptySet();
    }

    String attributeName = msg == null
        ? null
        : (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
    if (attributeName == null || attributeName.isEmpty()) {
        attributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    }

    ClaimCollection claims = SAMLUtils.getClaims(source);
    return SAMLUtils.parseRolesFromClaims(claims, attributeName, null);
}
/**
 * Validates a credential that carries a SAML assertion.
 * <p>
 * The assertion is checked, in this order, for: an acceptable subject confirmation method,
 * its conditions (including the audience restrictions taken from {@code data}), its
 * AuthnStatements (if any), the OneTimeUse condition, and schema/profile conformance.
 * Trust in the signature is verified last — and only when the assertion is signed at all.
 * An unsigned assertion therefore leaves this method without any signature check, so a
 * deployment that requires signed assertions must enforce {@code isSigned()} itself
 * (typically in a subclass) unless one of the earlier checks already does so.
 * A Crypto and a CallbackHandler implementation are also required to be set.
 *
 * @param credential the credential to validate; must carry a non-null SamlAssertionWrapper
 * @param data the RequestData for the current request (supplies the audience restrictions
 *             and the context for the one-time-use check)
 * @return the validated credential (the same instance that was passed in)
 * @throws WSSecurityException if the credential or its assertion is absent, or any check fails
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    if (credential == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
    }
    SamlAssertionWrapper wrapper = credential.getSamlAssertion();
    if (wrapper == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
    }

    verifySubjectConfirmationMethod(wrapper);
    checkConditions(wrapper, data.getAudienceRestrictions());
    checkAuthnStatements(wrapper);
    checkOneTimeUse(wrapper, data);
    validateAssertion(wrapper);

    // Signature trust is only established for assertions that actually carry a signature.
    if (wrapper.isSigned()) {
        verifySignedAssertion(wrapper, data);
    }
    return credential;
}
@Override public Credential validate(Credential credential, RequestData data) throws WSSecurityException { Credential validatedCredential = super.validate(credential, data); SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
/**
 * Extends the base validation with additional requirements: the assertion must name
 * {@code "sts"} as its issuer, {@code getSaml2()} must be non-null (presumably a
 * SAML 2.0 assertion), and it must carry at least one AttributeStatement.
 * <p>
 * NOTE(review): the issuer comparison checks a value asserted by the token itself, not
 * proof of origin; it is only meaningful together with trust verification of the
 * signature, which the base validator performs solely when the assertion is signed.
 * This override does not itself require {@code isSigned()} — confirm that the base
 * validation rejects unsigned assertions, or add the check.
 *
 * @param credential the credential to validate
 * @param data request context passed through to the base validator
 * @return the credential as returned by the base validator
 * @throws WSSecurityException if the base validation fails or any of the additional
 *         requirements is not met
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validated = super.validate(credential, data);
    SamlAssertionWrapper wrapper = validated.getSamlAssertion();

    boolean issuedByExpectedParty = "sts".equals(wrapper.getIssuerString());
    if (!issuedByExpectedParty) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    Assertion saml2 = wrapper.getSaml2();
    if (saml2 == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    List<AttributeStatement> statements = saml2.getAttributeStatements();
    if (statements == null || statements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    return validated;
}
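/**
 * Builds the SecurityContext for an authenticated message from the SAML assertion attached
 * to {@code credential}. A transformed token, when present, takes precedence over the
 * assertion as originally received. When the credential carries no SAML assertion at all,
 * a plain principal-based context is created instead.
 *
 * @param msg the current message; consulted for the configured role attribute name.
 *            {@code null} is tolerated and falls back to the default attribute name.
 * @param credential the credential supplying the principal and the assertion
 * @return a {@code SAMLSecurityContext} carrying principal, roles, claims, issuer and the
 *         assertion element, or the result of {@code createSecurityContext(Principal)}
 *         when no assertion is available
 */
protected SecurityContext createSecurityContext(Message msg, Credential credential) {
    SamlAssertionWrapper samlAssertion = credential.getTransformedToken();
    if (samlAssertion == null) {
        samlAssertion = credential.getSamlAssertion();
    }
    if (samlAssertion == null) {
        return createSecurityContext(credential.getPrincipal());
    }

    // Guard against a null message before the property lookup; the default attribute
    // name is used in that case instead of risking a NullPointerException in the lookup.
    String roleAttributeName = null;
    if (msg != null) {
        roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
    }
    if (roleAttributeName == null || roleAttributeName.isEmpty()) {
        roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    }

    ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
    Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
    SAMLSecurityContext context = new SAMLSecurityContext(credential.getPrincipal(), roles, claims);
    // NOTE(review): the issuer recorded here is whatever the token claims; it is only as
    // trustworthy as the signature/trust validation that ran before this point — confirm
    // that validation is unconditional on this code path.
    context.setIssuer(SAMLUtils.getIssuer(samlAssertion));
    context.setAssertionElement(SAMLUtils.getAssertionElement(samlAssertion));
    return context;
}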
samlAssertion = credential.getSamlAssertion(); if (LOG.isDebugEnabled()) { LOG.debug("SAML Assertion issuer " + samlAssertion.getIssuerString());
Element tokenElement = null; int hash = 0; if (credential.getSamlAssertion() != null) { SamlAssertionWrapper assertion = credential.getSamlAssertion(); byte[] signatureValue = assertion.getSignatureValue(); if (signatureValue != null && signatureValue.length > 0) { hash = Arrays.hashCode(signatureValue); tokenElement = credential.getSamlAssertion().getElement(); } else if (credential.getUsernametoken() != null) { tokenElement = credential.getUsernametoken().getElement();
Element tokenElement = null; int hash = 0; if (credential.getSamlAssertion() != null) { SamlAssertionWrapper assertion = credential.getSamlAssertion(); byte[] signatureValue = assertion.getSignatureValue(); if (signatureValue != null && signatureValue.length > 0) { hash = Arrays.hashCode(signatureValue); tokenElement = credential.getSamlAssertion().getElement(); } else if (credential.getUsernametoken() != null) { tokenElement = credential.getUsernametoken().getElement();