final Conditions conditions = assertion.getConditions(); if (conditions == null) { throw new SamlException("no condition found from the assertion");
/**
 * Reports whether an issued token is a SAML 2.0 Assertion that carries a
 * {@code OneTimeUse} condition.
 *
 * @param issuedToken the security token returned by the issuer
 * @return {@code true} only when the token element is a SAML 2.0 {@code Assertion}
 *         whose Conditions contain {@code OneTimeUse}; {@code false} for a missing
 *         token element, any other element, or an assertion without that condition
 * @throws Fault if the assertion element cannot be wrapped/parsed
 */
private static boolean isOneTimeUse(SecurityToken issuedToken) {
    Element tokenElement = issuedToken.getToken();
    if (tokenElement == null) {
        return false;
    }
    boolean saml2Assertion = "Assertion".equals(tokenElement.getLocalName())
        && WSS4JConstants.SAML2_NS.equals(tokenElement.getNamespaceURI());
    if (!saml2Assertion) {
        return false;
    }
    try {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(tokenElement);
        // Conditions is optional in SAML, so guard before reading OneTimeUse.
        return wrapper.getSaml2().getConditions() != null
            && wrapper.getSaml2().getConditions().getOneTimeUse() != null;
    } catch (WSSecurityException ex) {
        throw new Fault(ex);
    }
}
/**
 * Get the length of the delegation chain in the presented token.
 *
 * <p>The length is the number of {@code Delegate} entries in the token's
 * DelegationRestriction condition, as located by
 * {@code getDelegationRestrictionCondition}.
 *
 * @param token the token to evaluate
 * @return the token delegation chain length, or {@code null} when the token has no
 *         DelegationRestriction condition or that condition has no delegate list
 */
protected Long getTokenDelegationChainLength(@Nonnull final Assertion token) {
    final DelegationRestrictionType restriction =
        getDelegationRestrictionCondition(token.getConditions());
    if (restriction == null || restriction.getDelegates() == null) {
        return null;
    }
    return Long.valueOf(restriction.getDelegates().size());
}
private static boolean isOneTimeUse(SecurityToken issuedToken) { Element token = issuedToken.getToken(); if (token != null && "Assertion".equals(token.getLocalName()) && WSS4JConstants.SAML2_NS.equals(token.getNamespaceURI())) { try { SamlAssertionWrapper assertion = new SamlAssertionWrapper(token); if (assertion.getSaml2().getConditions() != null && assertion.getSaml2().getConditions().getOneTimeUse() != null) { return true; } } catch (WSSecurityException ex) { throw new Fault(ex); } } return false; }
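/**
 * Returns the {@code NotOnOrAfter} instant of the assertion's Conditions, for
 * either SAML version.
 *
 * <p>Conditions is an optional element in SAML; an assertion without it now yields
 * {@code null} instead of a {@code NullPointerException} from dereferencing
 * {@code getConditions()}.
 *
 * @return the NotOnOrAfter instant, or {@code null} when the assertion has no
 *         Conditions element or the Conditions carry no NotOnOrAfter value
 */
public Instant getNotOnOrAfter() {
    DateTime validTill = null;
    if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        if (getSaml2().getConditions() != null) {
            validTill = getSaml2().getConditions().getNotOnOrAfter();
        }
    } else if (getSaml1().getConditions() != null) {
        validTill = getSaml1().getConditions().getNotOnOrAfter();
    }
    if (validTill == null) {
        return null;
    }
    // Convert the Joda instant to a java.time Instant (same epoch-millis value).
    return Instant.ofEpochMilli(validTill.getMillis());
}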
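/**
 * Returns the {@code NotBefore} instant of the assertion's Conditions, for either
 * SAML version.
 *
 * <p>Conditions is an optional element in SAML; an assertion without it now yields
 * {@code null} instead of a {@code NullPointerException} from dereferencing
 * {@code getConditions()}.
 *
 * @return the NotBefore instant, or {@code null} when the assertion has no
 *         Conditions element or the Conditions carry no NotBefore value
 */
public Instant getNotBefore() {
    DateTime validFrom = null;
    if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        if (getSaml2().getConditions() != null) {
            validFrom = getSaml2().getConditions().getNotBefore();
        }
    } else if (getSaml1().getConditions() != null) {
        validFrom = getSaml1().getConditions().getNotBefore();
    }
    if (validFrom == null) {
        return null;
    }
    // Convert the Joda instant to a java.time Instant (same epoch-millis value).
    return Instant.ofEpochMilli(validFrom.getMillis());
}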
/**
 * Check the "OneTimeUse" Condition of the Assertion. If this is set then the
 * Assertion is cached (if a cache is defined), and must not have been previously
 * cached.
 *
 * <p>Only SAML 2.0 assertions are considered. The cache entry is keyed by the
 * assertion ID and, when the Conditions carry NotOnOrAfter, is given a TTL of one
 * second beyond that expiry; otherwise the cache's default TTL applies. The TTL
 * is computed from the current time, so an already-expired assertion would get a
 * non-positive TTL — presumably the expiry itself is enforced elsewhere (e.g. by a
 * conditions check) before this method runs; confirm against the caller.
 *
 * @param samlAssertion the assertion to check
 * @param replayCache the replay cache, or {@code null} to skip the check
 * @throws WSSecurityException with {@code INVALID_SECURITY} if the assertion ID
 *         is already present in the cache (replay detected)
 */
protected void checkOneTimeUse(
    SamlAssertionWrapper samlAssertion, ReplayCache replayCache
) throws WSSecurityException {
    if (replayCache == null
        || !samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        return;
    }
    if (samlAssertion.getSaml2().getConditions() == null
        || samlAssertion.getSaml2().getConditions().getOneTimeUse() == null) {
        return;
    }
    String assertionId = samlAssertion.getId();
    if (replayCache.contains(assertionId)) {
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.INVALID_SECURITY,
            "badSamlToken",
            new Object[] {"A replay attack has been detected"});
    }
    DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
    if (expires == null) {
        replayCache.add(assertionId);
        return;
    }
    // Keep the entry for the remaining lifetime of the assertion plus one second.
    long secondsUntilExpiry =
        Duration.between(Instant.now(), expires.toDate().toInstant()).getSeconds();
    replayCache.add(assertionId, 1L + secondsUntilExpiry);
}
final List<AudienceRestriction> audienceRestrictions = assertion.getConditions().getAudienceRestrictions(); AudienceRestriction audienceRestriction = null; if (audienceRestrictions.isEmpty()) { audienceRestriction = (AudienceRestriction) XMLObjectSupport.buildXMLObject( AudienceRestriction.DEFAULT_ELEMENT_NAME); assertion.getConditions().getAudienceRestrictions().add(audienceRestriction); } else { audienceRestriction = audienceRestrictions.get(0);
Conditions conditions = assertion.getConditions(); if (conditions == null) { throw new SSOException("SAML 2.0 Response doesn't contain Conditions");
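/**
 * Returns the {@code NotOnOrAfter} value of the assertion's Conditions, for either
 * SAML version.
 *
 * <p>Conditions is optional in SAML; an assertion without it now yields
 * {@code null} (no expiry stated) instead of a {@code NullPointerException} from
 * dereferencing {@code getConditions()}. Callers must already handle {@code null},
 * since NotOnOrAfter itself is optional.
 *
 * @param assertion the assertion to read
 * @return the expiry date, or {@code null} if none is stated
 */
private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
    if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        if (assertion.getSaml2().getConditions() == null) {
            return null;
        }
        return assertion.getSaml2().getConditions().getNotOnOrAfter();
    }
    if (assertion.getSaml1().getConditions() == null) {
        return null;
    }
    return assertion.getSaml1().getConditions().getNotOnOrAfter();
}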
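/**
 * Returns the {@code NotOnOrAfter} value of the assertion's Conditions, for either
 * SAML version.
 *
 * <p>Conditions is optional in SAML; an assertion without it now yields
 * {@code null} (no expiry stated) instead of a {@code NullPointerException} from
 * dereferencing {@code getConditions()}. Callers must already handle {@code null},
 * since NotOnOrAfter itself is optional.
 *
 * @param assertion the assertion to read
 * @return the expiry date, or {@code null} if none is stated
 */
private DateTime getExpiryDate(SamlAssertionWrapper assertion) {
    if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        if (assertion.getSaml2().getConditions() == null) {
            return null;
        }
        return assertion.getSaml2().getConditions().getNotOnOrAfter();
    }
    if (assertion.getSaml1().getConditions() == null) {
        return null;
    }
    return assertion.getSaml1().getConditions().getNotOnOrAfter();
}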
/**
 * Check the Conditions of the Assertion.
 *
 * <p>Validates the NotBefore / NotOnOrAfter window for SAML 2.0 and SAML 1.1
 * assertions. NotBefore is accepted up to {@code futureTTL} seconds in the future
 * (clock-skew allowance); NotOnOrAfter is compared against the current time with
 * no allowance. An assertion without a Conditions element, or of another version,
 * passes without any time check.
 *
 * @param futureTTL number of seconds the NotBefore value may lie in the future
 * @throws WSSecurityException with {@code FAILURE} / {@code invalidSAMLsecurity}
 *         when either condition is not met
 */
public void checkConditions(int futureTTL) throws WSSecurityException {
    DateTime validFrom = null;
    DateTime validTill = null;
    if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        if (getSaml2().getConditions() != null) {
            validFrom = getSaml2().getConditions().getNotBefore();
            validTill = getSaml2().getConditions().getNotOnOrAfter();
        }
    } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)) {
        if (getSaml1().getConditions() != null) {
            validFrom = getSaml1().getConditions().getNotBefore();
            validTill = getSaml1().getConditions().getNotOnOrAfter();
        }
    }
    if (validFrom != null) {
        // Tolerate a NotBefore up to futureTTL seconds ahead of our clock.
        DateTime latestAcceptableNotBefore = DateTime.now().plusSeconds(futureTTL);
        if (validFrom.isAfter(latestAcceptableNotBefore)) {
            LOG.debug("SAML Token condition (Not Before) not met");
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }
    if (validTill != null && validTill.isBeforeNow()) {
        LOG.debug("SAML Token condition (Not On Or After) not met");
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
}
/**
 * Collects every audience URI from the assertion's AudienceRestriction conditions.
 *
 * <p>SAML 1.1 assertions are read first; SAML 2.0 only when no SAML 1.1 object is
 * present. The assertion's Conditions are dereferenced without a null check, so an
 * assertion lacking a Conditions element will raise a {@code NullPointerException}.
 *
 * @param assertion the wrapped assertion to inspect
 * @return the audience URIs in document order; empty when the assertion holds
 *         neither a SAML 1.1 nor a SAML 2.0 object or has no restrictions
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    final List<String> audienceUris = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        final List<AudienceRestrictionCondition> saml1Restrictions =
            assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
        for (final AudienceRestrictionCondition saml1Restriction : saml1Restrictions) {
            for (final org.opensaml.saml.saml1.core.Audience saml1Audience
                    : saml1Restriction.getAudiences()) {
                audienceUris.add(saml1Audience.getUri());
            }
        }
        return audienceUris;
    }
    if (assertion.getSaml2() != null) {
        final List<org.opensaml.saml.saml2.core.AudienceRestriction> saml2Restrictions =
            assertion.getSaml2().getConditions().getAudienceRestrictions();
        for (final org.opensaml.saml.saml2.core.AudienceRestriction saml2Restriction
                : saml2Restrictions) {
            for (final org.opensaml.saml.saml2.core.Audience saml2Audience
                    : saml2Restriction.getAudiences()) {
                audienceUris.add(saml2Audience.getAudienceURI());
            }
        }
    }
    return audienceUris;
}
/**
 * Collects every audience URI from the assertion's AudienceRestriction conditions.
 *
 * <p>SAML 1.1 assertions are read first; SAML 2.0 only when no SAML 1.1 object is
 * present. The assertion's Conditions are dereferenced without a null check, so an
 * assertion lacking a Conditions element will raise a {@code NullPointerException}.
 *
 * @param assertion the wrapped assertion to inspect
 * @return the audience URIs in document order; empty when the assertion holds
 *         neither a SAML 1.1 nor a SAML 2.0 object or has no restrictions
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    final List<String> audienceUris = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        final List<AudienceRestrictionCondition> saml1Restrictions =
            assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
        for (final AudienceRestrictionCondition saml1Restriction : saml1Restrictions) {
            for (final org.opensaml.saml.saml1.core.Audience saml1Audience
                    : saml1Restriction.getAudiences()) {
                audienceUris.add(saml1Audience.getUri());
            }
        }
        return audienceUris;
    }
    if (assertion.getSaml2() != null) {
        final List<org.opensaml.saml.saml2.core.AudienceRestriction> saml2Restrictions =
            assertion.getSaml2().getConditions().getAudienceRestrictions();
        for (final org.opensaml.saml.saml2.core.AudienceRestriction saml2Restriction
                : saml2Restrictions) {
            for (final org.opensaml.saml.saml2.core.Audience saml2Audience
                    : saml2Restriction.getAudiences()) {
                audienceUris.add(saml2Audience.getAudienceURI());
            }
        }
    }
    return audienceUris;
}
/**
 * Process the Subject of an assertion, then encrypt the {@code NameID} of every
 * {@code Delegate} in its DelegationRestriction conditions, replacing each with an
 * {@link EncryptedID} and clearing the plaintext NameID.
 *
 * <p>Only delegates whose NameID passes {@code shouldEncrypt} are touched; an
 * assertion without Conditions is left as-is after the Subject step.
 *
 * @param assertion assertion to operate on
 *
 * @throws EncryptionException if an error occurs
 */
private void processAssertion(@Nonnull final Assertion assertion) throws EncryptionException {
    processSubject(assertion.getSubject());
    if (assertion.getConditions() == null) {
        return;
    }
    for (final Condition condition : assertion.getConditions().getConditions()) {
        if (condition instanceof DelegationRestrictionType) {
            final DelegationRestrictionType restriction = (DelegationRestrictionType) condition;
            for (final Delegate delegate : restriction.getDelegates()) {
                if (!shouldEncrypt(delegate.getNameID())) {
                    continue;
                }
                log.debug("{} Encrypting NameID in Delegate", getLogPrefix());
                delegate.setEncryptedID(getEncrypter().encrypt(delegate.getNameID()));
                // Drop the plaintext identifier now that the encrypted form is set.
                delegate.setNameID(null);
            }
        }
    }
}
/**
 * Validates the time-based Conditions and IssueInstant of a SAML assertion.
 *
 * <p>Rejects the token when NotBefore lies in the future, when NotOnOrAfter lies in
 * the past (additionally marking the target {@code EXPIRED}), or when the
 * IssueInstant lies in the future. All comparisons are against the current clock
 * with no skew allowance. The Conditions object is dereferenced without a null
 * check, so an assertion lacking a Conditions element raises a
 * {@code NullPointerException} rather than returning {@code false}.
 *
 * @param assertion the wrapped assertion to validate
 * @param validateTarget the received token, whose state is set to EXPIRED on expiry
 * @return {@code true} if every present condition is met, {@code false} otherwise
 */
protected boolean validateConditions(
    SamlAssertionWrapper assertion, ReceivedToken validateTarget
) {
    final DateTime notBefore;
    final DateTime notOnOrAfter;
    final DateTime issuedAt;
    if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        notBefore = assertion.getSaml2().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
        issuedAt = assertion.getSaml2().getIssueInstant();
    } else {
        notBefore = assertion.getSaml1().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
        issuedAt = assertion.getSaml1().getIssueInstant();
    }
    if (notBefore != null && notBefore.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        return false;
    }
    if (notOnOrAfter != null && notOnOrAfter.isBeforeNow()) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        validateTarget.setState(STATE.EXPIRED);
        return false;
    }
    if (issuedAt != null && issuedAt.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
        return false;
    }
    return true;
}
/**
 * Validates the time-based Conditions and IssueInstant of a SAML assertion.
 *
 * <p>Rejects the token when NotBefore lies in the future, when NotOnOrAfter lies in
 * the past (additionally marking the target {@code EXPIRED}), or when the
 * IssueInstant lies in the future. All comparisons are against the current clock
 * with no skew allowance. The Conditions object is dereferenced without a null
 * check, so an assertion lacking a Conditions element raises a
 * {@code NullPointerException} rather than returning {@code false}.
 *
 * @param assertion the wrapped assertion to validate
 * @param validateTarget the received token, whose state is set to EXPIRED on expiry
 * @return {@code true} if every present condition is met, {@code false} otherwise
 */
protected boolean validateConditions(
    SamlAssertionWrapper assertion, ReceivedToken validateTarget
) {
    final DateTime notBefore;
    final DateTime notOnOrAfter;
    final DateTime issuedAt;
    if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
        notBefore = assertion.getSaml2().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml2().getConditions().getNotOnOrAfter();
        issuedAt = assertion.getSaml2().getIssueInstant();
    } else {
        notBefore = assertion.getSaml1().getConditions().getNotBefore();
        notOnOrAfter = assertion.getSaml1().getConditions().getNotOnOrAfter();
        issuedAt = assertion.getSaml1().getIssueInstant();
    }
    if (notBefore != null && notBefore.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        return false;
    }
    if (notOnOrAfter != null && notOnOrAfter.isBeforeNow()) {
        LOG.log(Level.WARNING, "SAML Token condition not met");
        validateTarget.setState(STATE.EXPIRED);
        return false;
    }
    if (issuedAt != null && issuedAt.isAfterNow()) {
        LOG.log(Level.WARNING, "SAML Token IssueInstant not met");
        return false;
    }
    return true;
}
/**
 * Validates a SAML 2.0 assertion presented as an OAuth client credential.
 *
 * <p>Checks, in order: the SAML version, the audience (against the assertion's
 * Conditions), the issuer when one is configured (if the configured issuer is the
 * {@code CLIENT_ID} marker, the Subject NameID value is the expected issuer), and
 * finally the authentication subject. The Conditions object is passed to
 * {@code validateAudience} as-is, without a null check here.
 *
 * @param message the current message
 * @param wrapper the wrapped assertion
 * @throws javax.ws.rs.NotAuthorizedException (via {@code ExceptionUtils}) when the
 *         issuer or the authentication subject does not validate
 */
public void validate(Message message, SamlAssertionWrapper wrapper) {
    validateSAMLVersion(wrapper);
    Conditions conditions = wrapper.getSaml2().getConditions();
    validateAudience(message, conditions);
    if (issuer != null) {
        String presentedIssuer = getIssuer(wrapper);
        String requiredIssuer;
        if (OAuthConstants.CLIENT_ID.equals(issuer)) {
            requiredIssuer = wrapper.getSaml2().getSubject().getNameID().getValue();
        } else {
            requiredIssuer = issuer;
        }
        boolean issuerMatches = presentedIssuer != null && presentedIssuer.equals(requiredIssuer);
        if (!issuerMatches) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
    boolean subjectValid =
        validateAuthenticationSubject(message, conditions, wrapper.getSaml2().getSubject());
    if (!subjectValid) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}
/**
 * Validates a SAML 2.0 assertion presented as an OAuth client credential.
 *
 * <p>Checks, in order: the SAML version, the audience (against the assertion's
 * Conditions), the issuer when one is configured (if the configured issuer is the
 * {@code CLIENT_ID} marker, the Subject NameID value is the expected issuer), and
 * finally the authentication subject. The Conditions object is passed to
 * {@code validateAudience} as-is, without a null check here.
 *
 * @param message the current message
 * @param wrapper the wrapped assertion
 * @throws javax.ws.rs.NotAuthorizedException (via {@code ExceptionUtils}) when the
 *         issuer or the authentication subject does not validate
 */
public void validate(Message message, SamlAssertionWrapper wrapper) {
    validateSAMLVersion(wrapper);
    Conditions conditions = wrapper.getSaml2().getConditions();
    validateAudience(message, conditions);
    if (issuer != null) {
        String presentedIssuer = getIssuer(wrapper);
        String requiredIssuer;
        if (OAuthConstants.CLIENT_ID.equals(issuer)) {
            requiredIssuer = wrapper.getSaml2().getSubject().getNameID().getValue();
        } else {
            requiredIssuer = issuer;
        }
        boolean issuerMatches = presentedIssuer != null && presentedIssuer.equals(requiredIssuer);
        if (!issuerMatches) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
    boolean subjectValid =
        validateAuthenticationSubject(message, conditions, wrapper.getSaml2().getSubject());
    if (!subjectValid) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}
/**
 * Converts a parsed OpenSAML assertion into the library's own {@code Assertion}
 * model.
 *
 * <p>The signature is validated against {@code verificationKeys} first; the
 * resulting {@code Signature} is attached to the model. Subject and attributes are
 * resolved with {@code localKeys} (presumably for decryption — confirm against the
 * helpers). Identifier, issue instant, version, issuer, conditions and
 * authentication statements are mapped through the corresponding helpers.
 *
 * @param parsed the OpenSAML assertion
 * @param verificationKeys keys used to verify the assertion signature
 * @param localKeys keys handed to the subject and attribute resolvers
 * @return the populated model assertion
 */
protected Assertion resolveAssertion(
    org.opensaml.saml.saml2.core.Assertion parsed,
    List<SimpleKey> verificationKeys,
    List<SimpleKey> localKeys
) {
    Signature verifiedSignature = validateSignature(parsed, verificationKeys);
    Assertion model = new Assertion();
    model.setSignature(verifiedSignature);
    model.setId(parsed.getID());
    model.setIssueInstant(parsed.getIssueInstant());
    model.setVersion(parsed.getVersion().toString());
    model.setIssuer(getIssuer(parsed.getIssuer()));
    model.setSubject(getSubject(parsed.getSubject(), localKeys));
    model.setConditions(getConditions(parsed.getConditions()));
    model.setAuthenticationStatements(getAuthenticationStatements(parsed.getAuthnStatements()));
    model.setAttributes(getAttributes(parsed.getAttributeStatements(), localKeys));
    return model;
}