org.opensaml.xml.security.criteria.EntityIDCriteria Java Examples

Example #1
Source File: MetadataCredentialResolver.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Verify that the criteria set carries everything this resolver needs: an
 * {@link EntityIDCriteria} with a non-empty entity ID and a
 * {@link MetadataCriteria} with a role.
 *
 * @param criteriaSet the credential criteria set to validate
 * @throws IllegalArgumentException if a required criteria is absent or its value is empty
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria idCriteria = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria metadataCriteria = criteriaSet.get(MetadataCriteria.class);

    if (idCriteria == null) {
        throw new IllegalArgumentException("Entity criteria must be supplied");
    }
    if (metadataCriteria == null) {
        throw new IllegalArgumentException("SAML metadata criteria must be supplied");
    }

    // An entity criteria without an ID value is as useless as none at all.
    boolean entityIdMissing = DatatypeHelper.isEmpty(idCriteria.getEntityID());
    if (entityIdMissing) {
        throw new IllegalArgumentException("Credential owner entity ID criteria value must be supplied");
    }

    // Metadata lookups are keyed on the role descriptor, so the role is mandatory.
    boolean roleMissing = metadataCriteria.getRole() == null;
    if (roleMissing) {
        throw new IllegalArgumentException("Credential metadata role criteria value must be supplied");
    }
}
 
Example #2
Source File: BaseSAMLSimpleSignatureSecurityPolicyRule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Assemble the criteria set handed to the trust engine for simple-signature evaluation.
 *
 * The entity ID criteria is added only when a non-empty issuer is known; the metadata
 * criteria (peer role and inbound protocol) and a SIGNING usage criteria are always added.
 *
 * @param entityID the candidate issuer entity ID under evaluation, possibly empty
 * @param samlContext the SAML message context under evaluation
 * @return a newly constructed criteria set suitable for the configured trust engine
 * @throws SecurityPolicyException thrown if the criteria set can not be constructed
 */
protected CriteriaSet buildCriteriaSet(String entityID, SAMLMessageContext samlContext)
        throws SecurityPolicyException {
    CriteriaSet criteria = new CriteriaSet();

    boolean issuerKnown = !DatatypeHelper.isEmpty(entityID);
    if (issuerKnown) {
        criteria.add(new EntityIDCriteria(entityID));
    }

    criteria.add(new MetadataCriteria(samlContext.getPeerEntityRole(),
            samlContext.getInboundSAMLProtocol()));
    criteria.add(new UsageCriteria(UsageType.SIGNING));

    return criteria;
}
 
Example #3
Source File: BaseSAMLXMLSignatureSecurityPolicyRule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * {@inheritDoc}
 *
 * The message context must be a {@link SAMLMessageContext}, because the metadata criteria
 * (peer entity role and inbound SAML protocol) is read from it. An entity ID criteria is
 * added only for a non-empty entity ID; a SIGNING usage criteria is always added.
 *
 * @throws SecurityPolicyException if the context is not a SAML message context
 */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
    throws SecurityPolicyException {
    boolean isSamlContext = messageContext instanceof SAMLMessageContext;
    if (!isSamlContext) {
        log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
        throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
    }
    SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;

    CriteriaSet criteria = new CriteriaSet();
    boolean issuerKnown = !DatatypeHelper.isEmpty(entityID);
    if (issuerKnown) {
        criteria.add(new EntityIDCriteria(entityID));
    }

    criteria.add(new MetadataCriteria(samlContext.getPeerEntityRole(),
            samlContext.getInboundSAMLProtocol()));
    criteria.add(new UsageCriteria(UsageType.SIGNING));

    return criteria;
}
 
Example #4
Source File: SignatureSecurityPolicyRule.java    From MaxKey with Apache License 2.0 6 votes vote down vote up
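/**
 * Validate the XML signature on an inbound SAML message against the configured trust engine.
 *
 * The signing key is resolved for the message's inbound issuer with SIGNING usage. A message
 * with no issuer, or no signature at all, is rejected before any trust evaluation so the
 * failure surfaces as a {@link SecurityPolicyException} instead of an unchecked error from
 * the criteria constructor or the trust engine.
 *
 * @param messageContext the inbound message context supplying the issuer entity ID
 * @param samlMessage the SAML message whose signature is verified
 * @throws SecurityPolicyException if the issuer or signature is missing, the signature is
 *         invalid or its key is not trusted, or the trust engine fails while evaluating it
 */
private void checkMessageSignature(MessageContext messageContext, SignableSAMLObject samlMessage)
		throws SecurityPolicyException {
	String issuer = messageContext.getInboundMessageIssuer();
	logger.debug("Inbound issuer is {}", issuer);

	// Fail closed: without an issuer the signing key can not be bound to any entity.
	if (issuer == null || issuer.trim().length() == 0) {
		throw new SecurityPolicyException("Inbound message issuer is required to validate the signature");
	}
	if (samlMessage.getSignature() == null) {
		throw new SecurityPolicyException("Message carries no signature to validate");
	}

	CriteriaSet criteriaSet = new CriteriaSet();
	criteriaSet.add(new EntityIDCriteria(issuer));
	criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

	try {
		if (!trustEngine.validate(samlMessage.getSignature(), criteriaSet)) {
			throw new SecurityPolicyException("Signature was either invalid or signing key could not be established as trusted");
		}
	} catch (SecurityException se) {
		// Keep the cause so the trust-engine failure is diagnosable upstream.
		throw new SecurityPolicyException("Error evaluating the signature", se);
	}
}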
 
Example #5
Source File: ConsumerEndpoint.java    From MaxKey with Apache License 2.0 6 votes vote down vote up
/**
 * Initialisation hook: build the request and endpoint generators and resolve this
 * endpoint's signing credential for the configured entity name.
 *
 * @throws Exception if the signing credential can not be resolved
 */
public void afterPropertiesSet() throws Exception {
	authnRequestGenerator = new AuthnRequestGenerator(keyStoreLoader.getEntityName(), timeService, idService);
	endpointGenerator = new EndpointGenerator();

	CriteriaSet criteria = new CriteriaSet();
	criteria.add(new EntityIDCriteria(keyStoreLoader.getEntityName()));
	criteria.add(new UsageCriteria(UsageType.SIGNING));

	try {
		signingCredential = credentialResolver.resolveSingle(criteria);
	} catch (SecurityException e) {
		logger.error("证书解析出错", e);
		throw new Exception(e);
	}

	// Fail at startup rather than at first use if no credential was found.
	Validate.notNull(signingCredential);
}
 
Example #6
Source File: PostBindingAdapter.java    From MaxKey with Apache License 2.0 6 votes vote down vote up
/**
 * Build the SP credential from the key store held in the SAML 2.0 details.
 *
 * The key store bytes are converted using the loader's key store type and password, a
 * KeyStoreCredentialResolver is built over it for the SP entity ID, and the credential for
 * that entity ID is resolved and cached in spSigningCredential.
 *
 * NOTE(review): despite the method name, the usage criteria is ENCRYPTION rather than
 * SIGNING -- confirm which key this is meant to return before relying on it for signing.
 *
 * @return the resolved SP credential, never null
 * @throws Exception if the credential can not be resolved
 */
public Credential buildSPSigningCredential() throws Exception {
	String entityId = getSaml20Details().getEntityId();
	String keystorePassword = getKeyStoreLoader().getKeystorePassword();

	KeyStore spKeyStore = KeyStoreUtil.bytes2KeyStore(getSaml20Details().getKeyStore(),
			getKeyStoreLoader().getKeyStore().getType(),
			keystorePassword);

	TrustResolver resolverFactory = new TrustResolver();
	KeyStoreCredentialResolver resolver = resolverFactory.buildKeyStoreCredentialResolver(
			spKeyStore, entityId, keystorePassword);

	CriteriaSet criteria = new CriteriaSet();
	criteria.add(new EntityIDCriteria(entityId));
	criteria.add(new UsageCriteria(UsageType.ENCRYPTION));

	try {
		spSigningCredential = resolver.resolveSingle(criteria);
	} catch (SecurityException e) {
		logger.error("Credential Resolver error . ", e);
		throw new Exception(e);
	}
	Validate.notNull(spSigningCredential);

	return spSigningCredential;
}
 
Example #7
Source File: CarbonKeyStoreCredentialResolver.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
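/**
 * Resolve credentials from the backing key store.
 *
 * Every alias holding an X.509 certificate is wrapped in an {@link X509CredentialImpl}.
 * When the criteria set carries an {@link EntityIDCriteria}, only the alias equal to that
 * entity ID is returned (at most one credential); otherwise all certificates are returned.
 * Aliases with no certificate or a non-X.509 certificate are skipped.
 *
 * @param criteriaSet the criteria to match against key store aliases
 * @return the matching credentials, possibly empty
 * @throws SecurityException if the key store can not be read
 */
@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    // NOTE(review): the result is still published through the credentialSet field as before;
    // that field is shared across calls, so concurrent resolutions can observe each other.
    HashSet<Credential> resolved = new HashSet<Credential>();
    credentialSet = resolved;

    // Look the criteria up once instead of on every alias. A present criteria with no ID
    // matches nothing (alias.equals(null) is false), which is the safe direction.
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    boolean filterByEntity = entityCriteria != null;
    String wantedAlias = filterByEntity ? entityCriteria.getEntityID() : null;

    try {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (filterByEntity && !alias.equals(wantedAlias)) {
                continue;
            }
            java.security.cert.Certificate cert = keyStore.getCertificate(alias);
            // Secret-key entries have no certificate, and only X.509 certificates can back
            // an X509CredentialImpl; skip those rather than fail the whole resolution.
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            resolved.add(new X509CredentialImpl((X509Certificate) cert));
            if (filterByEntity) {
                break;
            }
        }
        return resolved;
    } catch (KeyStoreException e) {
        log.error(e);
        // Preserve the cause so the underlying key store failure is diagnosable.
        throw new SecurityException("Error reading certificates from key store", e);
    }
}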
 
Example #8
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * {@inheritDoc}
 *
 * Adds an entity ID criteria only when the entity ID is non-empty, and always adds a
 * SIGNING usage criteria; the message context is not consulted.
 */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
        throws SecurityPolicyException {
    CriteriaSet criteria = new CriteriaSet();

    boolean issuerKnown = !DatatypeHelper.isEmpty(entityID);
    if (issuerKnown) {
        criteria.add(new EntityIDCriteria(entityID));
    }
    criteria.add(new UsageCriteria(UsageType.SIGNING));

    return criteria;
}
 
Example #9
Source File: EvaluableEntityIDCredentialCriteria.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor.
 *
 * Captures the entity ID carried by the criteria for later evaluation.
 *
 * @param criteria the criteria which is the basis for evaluation, never null
 * @throws NullPointerException if {@code criteria} is null
 */
public EvaluableEntityIDCredentialCriteria(EntityIDCriteria criteria) {
    if (criteria != null) {
        this.entityID = criteria.getEntityID();
        return;
    }
    throw new NullPointerException("Criteria instance may not be null");
}
 
Example #10
Source File: KeyStoreCredentialResolver.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Check that required credential criteria are available.
 *
 * Key store resolution is keyed on the entity ID, so an {@link EntityIDCriteria} is mandatory.
 *
 * @param criteriaSet the credential criteria set to evaluate
 * @throws IllegalArgumentException if no entity ID criteria is present
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    boolean hasEntityCriteria = criteriaSet.get(EntityIDCriteria.class) != null;
    if (hasEntityCriteria) {
        return;
    }
    log.error("EntityIDCriteria was not specified in the criteria set, resolution can not be attempted");
    throw new IllegalArgumentException("No EntityIDCriteria was available in criteria set");
}
 
Example #11
Source File: MetadataCredentialResolver.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
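/**
 * Resolve credentials from SAML metadata for the entity, role, protocol and usage named
 * in the criteria set, consulting the credential cache first.
 *
 * Entity ID and metadata (role) criteria are mandatory, see {@link #checkCriteriaRequirements};
 * usage defaults to {@link UsageType#UNSPECIFIED} when no usage criteria is present.
 *
 * @param criteriaSet the criteria describing the wanted credentials
 * @return the resolved credentials, from cache or freshly read from metadata
 * @throws SecurityException if resolution from metadata fails
 * @throws IllegalArgumentException if required criteria are missing
 */
protected Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    checkCriteriaRequirements(criteriaSet);

    String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID();
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    QName role = mdCriteria.getRole();
    String protocol = mdCriteria.getProtocol();

    UsageCriteria usageCriteria = criteriaSet.get(UsageCriteria.class);
    UsageType usage = usageCriteria != null ? usageCriteria.getUsage() : UsageType.UNSPECIFIED;

    // See Jira issue SIDP-229: touching the provider triggers an on-demand refresh when due.
    log.debug("Forcing on-demand metadata provider refresh if necessary");
    try {
        metadata.getMetadata();
    } catch (MetadataProviderException e) {
        // A refresh failure is not fatal here; resolution proceeds against whatever the
        // provider currently holds. Record the cause instead of dropping it silently.
        log.debug("Ignoring metadata provider error during on-demand refresh", e);
    }

    MetadataCacheKey cacheKey = new MetadataCacheKey(entityID, role, protocol, usage);
    Collection<Credential> credentials = retrieveFromCache(cacheKey);
    if (credentials == null) {
        credentials = retrieveFromMetadata(entityID, role, protocol, usage);
        cacheCredentials(cacheKey, credentials);
    }

    return credentials;
}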
 
Example #12
Source File: PostBindingAdapter.java    From MaxKey with Apache License 2.0 5 votes vote down vote up
/**
 * Install the credential resolver and resolve the signing credential for the loader's
 * entity name from it.
 *
 * @param credentialResolver the resolver to keep and query for the signing credential
 * @throws Exception if the signing credential can not be resolved
 */
public void buildCredentialResolver(CredentialResolver credentialResolver) throws Exception {
	this.credentialResolver = credentialResolver;

	CriteriaSet criteria = new CriteriaSet();
	criteria.add(new EntityIDCriteria(getKeyStoreLoader().getEntityName()));
	criteria.add(new UsageCriteria(UsageType.SIGNING));

	try {
		signingCredential = credentialResolver.resolveSingle(criteria);
	} catch (SecurityException e) {
		logger.error("Credential Resolver error . ", e);
		throw new Exception(e);
	}

	// A missing credential is a configuration error; surface it immediately.
	Validate.notNull(signingCredential);
}
 
Example #13
Source File: SAML2HTTPRedirectDeflateSignatureValidator.java    From carbon-identity with Apache License 2.0 5 votes vote down vote up
/**
 * Build a criteria set suitable for input to the trust engine.
 *
 * An entity ID criteria is added only when the issuer is non-empty; a SIGNING usage
 * criteria is always added.
 *
 * @param issuer the issuer entity ID, may be null or empty
 * @return a newly constructed criteria set
 */
private static CriteriaSet buildCriteriaSet(String issuer) {
    CriteriaSet criteria = new CriteriaSet();
    boolean issuerKnown = !DatatypeHelper.isEmpty(issuer);
    if (issuerKnown) {
        criteria.add(new EntityIDCriteria(issuer));
    }
    criteria.add(new UsageCriteria(UsageType.SIGNING));
    return criteria;
}
 
Example #14
Source File: ConsumerEndpoint.java    From MaxKey with Apache License 2.0 4 votes vote down vote up
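/**
 * Initialise the SP signing credential and the security policy resolver for the given SP.
 *
 * The SP's key store bytes are loaded from its SAML 2.0 details, the signing credential for
 * this endpoint's entity name is resolved from that key store, and a POST-binding
 * TrustResolver built over the same key store (with issueInstantRule and messageReplayRule)
 * is installed on the binding adapter.
 *
 * @param spId identifier of the SP whose SAML 2.0 details hold the key store
 * @throws Exception if the SP is unknown or has no key store, the key store can not be
 *         loaded, or the signing credential can not be resolved
 */
private void initCredential(String spId) throws Exception {
	// 1. fetch the SP key store
	AppsSAML20Details saml20Details = saml20DetailsService.get(spId);
	if (saml20Details == null) {
		logger.error("spid[" + spId + "] not exists");
		// Carry the reason in the exception instead of a bare Exception().
		throw new Exception("spid[" + spId + "] not exists");
	}
	byte[] keyStoreBytes = saml20Details.getKeyStore();
	if (keyStoreBytes == null) {
		logger.error("spid[" + spId + "] has no key store");
		throw new Exception("spid[" + spId + "] has no key store");
	}
	InputStream keyStoreStream = new ByteArrayInputStream(keyStoreBytes);

	try {
		KeyStore keyStore = KeyStore.getInstance(keyStoreLoader.getKeystoreType());
		keyStore.load(keyStoreStream, keyStoreLoader.getKeystorePassword().toCharArray());

		// Only the alias matching this endpoint's entity name gets a key password (the key
		// store password is reused). NOTE(review): the alias match here is case-insensitive
		// while the EntityIDCriteria below matches exactly -- confirm alias casing in
		// deployed key stores equals getEntityName().
		Map<String, String> passwords = new HashMap<String, String>();
		for (Enumeration<String> en = keyStore.aliases(); en.hasMoreElements();) {
			String alias = en.nextElement();
			if (alias.equalsIgnoreCase(keyStoreLoader.getEntityName())) {
				passwords.put(alias, keyStoreLoader.getKeystorePassword());
			}
		}

		// NOTE(review): this generator is not used by this method; kept only in case its
		// constructor has side effects, otherwise it can be removed.
		AuthnResponseGenerator authnResponseGenerator = new AuthnResponseGenerator(
				keyStoreLoader.getEntityName(), timeService, idService);

		CriteriaSet criteriaSet = new CriteriaSet();
		criteriaSet.add(new EntityIDCriteria(keyStoreLoader.getEntityName()));
		criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

		KeyStoreCredentialResolver credentialResolver = new KeyStoreCredentialResolver(keyStore, passwords);
		signingCredential = credentialResolver.resolveSingle(criteriaSet);
		Validate.notNull(signingCredential);

		// Install the POST-binding security policy resolver on the adapter.
		TrustResolver trustResolver = new TrustResolver(keyStore,
				keyStoreLoader.getEntityName(),
				keyStoreLoader.getKeystorePassword(), issueInstantRule,
				messageReplayRule, "POST");
		extractBindingAdapter.setSecurityPolicyResolver(trustResolver.getStaticSecurityPolicyResolver());
	} catch (Exception e) {
		// Log the cause too; the bare message alone gave no indication of what failed.
		logger.error("初始化sp证书出错", e);
		throw new Exception(e);
	}
}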