org.apache.wss4j.common.saml.SAMLCallback Java Examples
The following examples show how to use
org.apache.wss4j.common.saml.SAMLCallback.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: AbstractTrustedIdpOAuth2ProtocolHandler.java From cxf-fediz with Apache License 2.0 | 6 votes |
|
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks) {
if (callback instanceof SAMLCallback) {
SAMLCallback samlCallback = (SAMLCallback) callback;
// Set the Subject
if (subjectBean != null) {
samlCallback.setSubject(subjectBean);
}
samlCallback.setSamlVersion(Version.SAML_20);
// Set the issuer
samlCallback.setIssuer(issuer);
// Set the conditions
samlCallback.setConditions(conditionsBean);
// Set the attributes
if (attrBean != null) {
samlCallback.setAttributeStatementData(Collections.singletonList(attrBean));
}
}
}
}
Example #2
| Source File: SCTSAMLTokenProvider.java From cxf with Apache License 2.0 | 6 votes |
|
private SamlAssertionWrapper createSamlToken(
TokenProviderParameters tokenParameters, byte[] secret, Document doc
) throws Exception {
SamlCallbackHandler handler = createCallbackHandler(tokenParameters, secret, doc);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(handler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (signToken) {
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
// Get the password
String alias = stsProperties.getSignatureUsername();
WSPasswordCallback[] cb = {new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE)};
LOG.fine("Creating SAML Token");
stsProperties.getCallbackHandler().handle(cb);
String password = cb[0].getPassword();
LOG.fine("Signing SAML Token");
boolean useKeyValue = stsProperties.getSignatureProperties().isUseKeyValue();
assertion.signAssertion(alias, password, stsProperties.getSignatureCrypto(), useKeyValue);
}
return assertion;
}
Example #3
| Source File: SAMLUtils.java From cxf with Apache License 2.0 | 6 votes |
|
public static SamlAssertionWrapper createAssertion(CallbackHandler handler,
SelfSignInfo info) throws Fault {
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(handler, samlCallback);
try {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
assertion.signAssertion(info.getUser(),
info.getPassword(),
info.getCrypto(),
false);
return assertion;
} catch (Exception ex) {
StringWriter sw = new StringWriter();
ex.printStackTrace(new PrintWriter(sw));
LOG.warning(sw.toString());
throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString()));
}
}
Example #4
| Source File: SAMLResponseTest.java From cxf-fediz with Apache License 2.0 | 6 votes |
|
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
String requestId) throws Exception {
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
saml2CallbackHandler.setConditions(cp);
// Subject Confirmation Data
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
subjectConfirmationData.setInResponseTo(requestId);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Element response = createSamlResponse(assertion, "mystskey", true, requestId);
return encodeResponse(response);
}
Example #5
| Source File: OAuth2TestUtils.java From cxf with Apache License 2.0 | 6 votes |
|
public static String createToken(String audRestr, boolean saml2, boolean sign)
throws WSSecurityException {
SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(sign);
samlCallbackHandler.setAudience(audRestr);
if (!saml2) {
samlCallbackHandler.setSaml2(false);
samlCallbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
}
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
if (samlCallback.isSignAssertion()) {
samlAssertion.signAssertion(
samlCallback.getIssuerKeyName(),
samlCallback.getIssuerKeyPassword(),
samlCallback.getIssuerCrypto(),
samlCallback.isSendKeyValue(),
samlCallback.getCanonicalizationAlgorithm(),
samlCallback.getSignatureAlgorithm()
);
}
return samlAssertion.assertionToString();
}
Example #6
| Source File: SAML2CallbackHandler.java From syncope with Apache License 2.0 | 6 votes |
|
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks) {
if (callback instanceof SAMLCallback) {
SAMLCallback samlCallback = (SAMLCallback) callback;
samlCallback.setSamlVersion(Version.SAML_20);
samlCallback.setIssuer(issuer);
if (conditions != null) {
samlCallback.setConditions(conditions);
}
SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, subjectConfirmationMethod);
subjectBean.setSubjectConfirmationData(subjectConfirmationData);
samlCallback.setSubject(subjectBean);
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setAuthenticationMethod("Password");
samlCallback.setAuthenticationStatementData(List.of(authBean));
} else {
throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
}
}
}
Example #7
| Source File: SAMLEncryptedResponseTest.java From cxf-fediz with Apache License 2.0 | 6 votes |
|
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
String requestId,
boolean signAssertion) throws Exception {
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
saml2CallbackHandler.setConditions(cp);
// Subject Confirmation Data
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
subjectConfirmationData.setInResponseTo(requestId);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Element response = createEncryptedSamlResponse(assertion, "mystskey", signAssertion, requestId);
return encodeResponse(response);
}
Example #8
| Source File: SAML2CallbackHandler.java From cxf-fediz with Apache License 2.0 | 6 votes |
|
private void createAndSetStatement(SAMLCallback callback) {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setAuthenticationMethod("Password");
callback.setAuthenticationStatementData(Collections.singletonList(authBean));
// Add roles for certain users
List<Object> roles = new ArrayList<>();
if ("alice".equals(subjectName)) {
roles.add("boss");
roles.add("employee");
roles.add("User");
} else if ("bob".equals(subjectName)) {
roles.add("employee");
}
if (!roles.isEmpty()) {
AttributeStatementBean attrBean = new AttributeStatementBean();
AttributeBean attributeBean = new AttributeBean();
attributeBean.setQualifiedName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
attributeBean.setNameFormat(SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
attributeBean.setAttributeValues(roles);
attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
callback.setAttributeStatementData(Collections.singletonList(attrBean));
}
}
Example #9
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which doesn't include the role SAML attribute
*/
@org.junit.Test
public void validateSAML2TokenWithoutRoles() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setRoles(null);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("No roles must be found", null, wfRes.getRoles());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
Example #10
| Source File: Saml2CallbackHandler.java From cxf with Apache License 2.0 | 5 votes |
|
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
callback.setSamlVersion(Version.SAML_20);
callback.setIssuer("sts");
String subjectName = "uid=alice";
String confirmationMethod = SAML2Constants.CONF_BEARER;
SubjectBean subjectBean =
new SubjectBean(subjectName, null, confirmationMethod);
callback.setSubject(subjectBean);
AttributeStatementBean attrBean = new AttributeStatementBean();
if (subjectBean != null) {
attrBean.setSubject(subjectBean);
}
AttributeBean attributeBean = new AttributeBean();
attributeBean.setQualifiedName("role");
attributeBean.addAttributeValue("user");
attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
callback.setAttributeStatementData(Collections.singletonList(attrBean));
}
}
}
Example #11
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 1.1 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
* Token embedded in RSTR 2005/02 - WS Federation 1.0
*/
@org.junit.Test
public void validateSAML1TokenWSFed10() throws Exception {
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_2005_02_MSG);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
Example #12
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* "Validate" SAML 2 token with a custom token validator
* If a validator is configured it precedes the SAMLTokenValidator as part of Fediz
*/
@org.junit.Test
public void validateSAML2TokenCustomValidator() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CUSTTOK");
Protocol protocol = config.getProtocol();
List<TokenValidator> validators = protocol.getTokenValidators();
Assert.assertEquals("Two validators must be found", 2, validators.size());
Assert.assertEquals("First validator must be custom validator",
CustomValidator.class.getName(), validators.get(0).getClass().getName());
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
}
Example #13
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* Roles are encoded as a multiple saml attributes with the same name
*/
@org.junit.Test
public void validateSAML2TokenRoleMultiAttributes() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setMultiValueType(MultiValue.MULTI_ATTR);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example #14
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* "Validate" SAML 2 token with a custom token validator
* If a validator is configured it precedes the SAMLTokenValidator as part of Fediz
*/
@org.junit.Test
public void validateSAML2TokenMaxClockSkewNotDefined() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("NOCLOCKSKEW");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
Example #15
| Source File: SAMLClaimsTest.java From cxf with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void testSAML1Claims() throws Exception {
AttributeBean attributeBean = new AttributeBean();
attributeBean.setSimpleName("role");
attributeBean.setQualifiedName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims");
attributeBean.addAttributeValue("employee");
SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(false);
samlCallbackHandler.setAttributes(Collections.singletonList(attributeBean));
// Create the SAML Assertion via the CallbackHandler
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
Document doc = DOMUtils.newDocument();
samlAssertion.toDOM(doc);
ClaimCollection claims = SAMLUtils.getClaims(samlAssertion);
assertEquals(claims.getDialect().toString(),
"http://schemas.xmlsoap.org/ws/2005/05/identity");
assertEquals(1, claims.size());
// Check Claim values
Claim claim = claims.get(0);
assertEquals(claim.getClaimType(), SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT);
assertEquals(1, claim.getValues().size());
assertTrue(claim.getValues().contains("employee"));
// Check SAMLClaim values
assertTrue(claim instanceof SAMLClaim);
assertEquals("role", ((SAMLClaim)claim).getName());
// Check roles
Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, "role", null);
assertEquals(1, roles.size());
Principal p = roles.iterator().next();
assertEquals("employee", p.getName());
}
Example #16
| Source File: SAMLUtils.java From cxf with Apache License 2.0 | 5 votes |
|
public static SamlAssertionWrapper createAssertion(Message message,
CallbackHandler handler) throws Fault {
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(handler, samlCallback);
try {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (samlCallback.isSignAssertion()) {
//--- This code will be moved to a common utility class
Crypto crypto = new CryptoLoader().getCrypto(message,
SecurityConstants.SIGNATURE_CRYPTO,
SecurityConstants.SIGNATURE_PROPERTIES);
String user =
RSSecurityUtils.getUserName(message, crypto, SecurityConstants.SIGNATURE_USERNAME);
if (StringUtils.isEmpty(user)) {
return assertion;
}
String password =
RSSecurityUtils.getSignaturePassword(message, user, SAMLUtils.class);
assertion.signAssertion(user, password, crypto, false,
samlCallback.getCanonicalizationAlgorithm(),
samlCallback.getSignatureAlgorithm(),
samlCallback.getSignatureDigestAlgorithm());
}
return assertion;
} catch (Exception ex) {
StringWriter sw = new StringWriter();
ex.printStackTrace(new PrintWriter(sw));
LOG.warning(sw.toString());
throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString()));
}
}
Example #17
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void validateSAML2TokenNoRoleValue() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setAddRoleValue(false);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
Protocol protocol = config.getProtocol();
protocol.setRoleDelimiter(",");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals(null, wfRes.getRoles());
}
Example #18
| Source File: SAMLResponseValidatorTest.java From cxf with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void testCreateAndValidateResponse() throws Exception {
Document doc = DOMUtils.createDocument();
Status status =
SAML2PResponseComponentBuilder.createStatus(
SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
validator.validateSamlResponse(marshalledResponse, null, null);
}
Example #19
| Source File: SAMLResponseValidatorTest.java From cxf with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void testInvalidStatusCode() throws Exception {
Document doc = DOMUtils.createDocument();
Status status =
SAML2PResponseComponentBuilder.createStatus(
SAMLProtocolResponseValidator.SAML1_STATUSCODE_SUCCESS, null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
try {
validator.validateSamlResponse(marshalledResponse, null, null);
fail("Expected failure on an invalid SAML code");
} catch (WSSecurityException ex) {
// expected
}
}
Example #20
| Source File: SAMLResponseValidatorTest.java From cxf with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void testRequestDeniedStatusCode() throws Exception {
Document doc = DOMUtils.createDocument();
Status status =
SAML2PResponseComponentBuilder.createStatus(
"urn:oasis:names:tc:SAML:2.0:status:RequestDenied", null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
try {
validator.validateSamlResponse(marshalledResponse, null, null);
fail("Expected failure on an invalid SAML code");
} catch (WSSecurityException ex) {
// expected
}
}
Example #21
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
@org.junit.Test
public void validateSAML2TokenSubjectWithComment() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
String subject = "alice<!---->o=example.com";
callbackHandler.setSubjectName(subject);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_MSG);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", subject,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
Example #22
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
* Not RequestedSecurityTokenCollection in this test, default in all others
*/
@org.junit.Test
public void validateSAML2TokenRSTR() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_MSG);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
}
Example #23
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate an encrypted SAML 2 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
*/
@org.junit.Test
public void validateEncryptedSAML2Token() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = encryptAndSignToken(assertion);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config =
getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example #24
| Source File: FederationResponseTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
*/
@org.junit.Test
public void validateSAML2Token() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER,
wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
.size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example #25
| Source File: SAMLTokenValidatorOldTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token where role information is provided
* within another SAML attribute
*/
@org.junit.Test
public void validateSAML1TokenDifferentRoleURI() throws Exception {
SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setUseNameFormatAsNamespace(true);
callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example #26
| Source File: SAMLResponseValidatorTest.java From cxf with Apache License 2.0 | 5 votes |
|
private Response createResponse(
SubjectConfirmationDataBean subjectConfirmationData,
SAML2CallbackHandler callbackHandler
) throws Exception {
Document doc = DOMUtils.createDocument();
Status status =
SAML2PResponseComponentBuilder.createStatus(
SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
// Create an AuthenticationAssertion
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
return (Response)OpenSAMLUtil.fromDom(policyElement);
}
Example #27
| Source File: SAMLTokenValidatorOldTest.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
/**
* Validate SAML 2 token where role information is provided
* within another SAML attribute
*/
@org.junit.Test
public void validateSAML2TokenDifferentRoleURI() throws Exception {
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
callbackHandler.setIssuer(TEST_RSTR_ISSUER);
callbackHandler.setSubjectName(TEST_USER);
callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
callbackHandler.setCountryClaimName("country");
callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
ConditionsBean cp = new ConditionsBean();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(cp);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
String rstr = createSamlToken(assertion, "mystskey", true);
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(FederationConstants.ACTION_SIGNIN);
wfReq.setResponseToken(rstr);
configurator = null;
FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
FedizProcessor wfProc = new FederationProcessorImpl();
FedizResponse wfRes = wfProc.processRequest(wfReq, config);
Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
}
Example #28
| Source File: SAML1CallbackHandler.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof SAMLCallback) {
SAMLCallback callback = (SAMLCallback) callbacks[i];
callback.setSamlVersion(Version.SAML_11);
callback.setIssuer(issuer);
if (conditions != null) {
callback.setConditions(conditions);
}
SubjectBean subjectBean =
new SubjectBean(
subjectName, subjectQualifier, confirmationMethod
);
if (subjectNameIDFormat != null) {
subjectBean.setSubjectNameIDFormat(subjectNameIDFormat);
}
if (SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
try {
KeyInfoBean keyInfo = createKeyInfo();
subjectBean.setKeyInfo(keyInfo);
} catch (Exception ex) {
throw new IOException("Problem creating KeyInfo: " + ex.getMessage());
}
}
createAndSetStatement(subjectBean, callback);
} else {
throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
}
}
}
Example #29
| Source File: SAMLSSOResponseValidatorTest.java From cxf with Apache License 2.0 | 5 votes |
|
private Response createResponse(
SubjectConfirmationDataBean subjectConfirmationData,
SAML2CallbackHandler callbackHandler
) throws Exception {
Document doc = DOMUtils.createDocument();
Status status =
SAML2PResponseComponentBuilder.createStatus(
SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(
"http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
);
// Create an AuthenticationAssertion
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
return (Response)OpenSAMLUtil.fromDom(policyElement);
}
Example #30
| Source File: SAML2CallbackHandler.java From cxf-fediz with Apache License 2.0 | 5 votes |
|
private void createAndSetStatement(SAMLCallback callback) {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setAuthenticationMethod("Password");
callback.setAuthenticationStatementData(Collections.singletonList(authBean));
if (attributeStatements != null && !attributeStatements.isEmpty()) {
List<AttributeStatementBean> attrStatementBeans = new ArrayList<>();
for (AttributeStatement attrStatement : attributeStatements) {
AttributeStatementBean attrStatementBean = new AttributeStatementBean();
List<AttributeBean> attrBeans = new ArrayList<>();
for (Attribute attribute : attrStatement.getAttributes()) {
AttributeBean attributeBean = new AttributeBean();
attributeBean.setQualifiedName(attribute.getName());
attributeBean.setNameFormat(attribute.getNameFormat());
List<Object> attributeValues = new ArrayList<>();
for (XMLObject attrVal : attribute.getAttributeValues()) {
attributeValues.add(attrVal.getDOM().getTextContent());
}
attributeBean.setAttributeValues(attributeValues);
attrBeans.add(attributeBean);
}
attrStatementBean.setSamlAttributes(attrBeans);
attrStatementBeans.add(attrStatementBean);
}
callback.setAttributeStatementData(attrStatementBeans);
}
}
