/** * New conditions element. * * @param issuedAt the issued at * @param audienceUri the service id * @param issueLength the issue length * @return the conditions */ public Conditions newConditions(final DateTime issuedAt, final String audienceUri, final long issueLength) { final Conditions conditions = newSamlObject(Conditions.class); conditions.setNotBefore(issuedAt); conditions.setNotOnOrAfter(issuedAt.plus(issueLength)); final AudienceRestrictionCondition audienceRestriction = newSamlObject(AudienceRestrictionCondition.class); final Audience audience = newSamlObject(Audience.class); audience.setUri(audienceUri); audienceRestriction.getAudiences().add(audience); conditions.getAudienceRestrictionConditions().add(audienceRestriction); return conditions; }
/** {@inheritDoc} */ protected void marshallAttributes(XMLObject samlElement, Element domElement) throws MarshallingException { Conditions conditions = (Conditions) samlElement; if (conditions.getNotBefore() != null) { String date = SAMLConfigurationSupport.getSAMLDateFormatter().print(conditions.getNotBefore()); domElement.setAttributeNS(null, Conditions.NOTBEFORE_ATTRIB_NAME, date); } if (conditions.getNotOnOrAfter() != null) { String date = SAMLConfigurationSupport.getSAMLDateFormatter().print(conditions.getNotOnOrAfter()); domElement.setAttributeNS(null, Conditions.NOTONORAFTER_ATTRIB_NAME, date); } } }
/** {@inheritDoc} */ protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException { Conditions conditions = (Conditions) samlObject; if (Conditions.NOTBEFORE_ATTRIB_NAME.equals(attribute.getLocalName()) && !Strings.isNullOrEmpty(attribute.getValue())) { conditions.setNotBefore(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC())); } else if (Conditions.NOTONORAFTER_ATTRIB_NAME.equals(attribute.getLocalName()) && !Strings.isNullOrEmpty(attribute.getValue())) { conditions.setNotOnOrAfter(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC())); } else { processAttribute(samlObject, attribute); } } }
val conditions = assertion.getConditions(); if (conditions != null) { credential.setNotBefore(ZonedDateTime.parse(conditions.getNotBefore().toDateTimeISO().toString())); credential.setNotOnOrAfter(ZonedDateTime.parse(conditions.getNotOnOrAfter().toDateTimeISO().toString())); if (!conditions.getAudienceRestrictionConditions().isEmpty()) { credential.setAudience(conditions.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri());
/** * Get the {@link AudienceRestrictionCondition} to which audiences will be added. * * @param conditions existing set of conditions * * @return the condition to which audiences will be added */ @Nonnull private AudienceRestrictionCondition getAudienceRestrictionCondition( @Nonnull final org.opensaml.saml.saml1.core.Conditions conditions) { final AudienceRestrictionCondition condition; if (!addingAudiencesToExistingRestriction || conditions.getAudienceRestrictionConditions().isEmpty()) { final SAMLObjectBuilder<AudienceRestrictionCondition> conditionBuilder = (SAMLObjectBuilder<AudienceRestrictionCondition>) XMLObjectProviderRegistrySupport .getBuilderFactory().<AudienceRestrictionCondition>getBuilderOrThrow( AudienceRestrictionCondition.DEFAULT_ELEMENT_NAME); log.debug("{} Adding new AudienceRestrictionCondition", getLogPrefix()); condition = conditionBuilder.buildObject(); conditions.getAudienceRestrictionConditions().add(condition); } else { log.debug("{} Conditions already contained an AudienceRestrictionCondition, using it", getLogPrefix()); condition = conditions.getAudienceRestrictionConditions().get(0); } return condition; }
public Instant getNotOnOrAfter() { DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20)) { validTill = getSaml2().getConditions().getNotOnOrAfter(); } else { validTill = getSaml1().getConditions().getNotOnOrAfter(); } // Now convert to a Java Instant Object if (validTill != null) { return validTill.toDate().toInstant(); } return null; }
public Instant getNotBefore() { DateTime validFrom = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = getSaml2().getConditions().getNotBefore(); } else { validFrom = getSaml1().getConditions().getNotBefore(); } // Now convert to a Java Instant Object if (validFrom != null) { return validFrom.toDate().toInstant(); } return null; }
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) { final Long lifetime = assertionLifetimeStrategy != null ? assertionLifetimeStrategy.apply(profileRequestContext) : null; if (lifetime == null) { log.debug("{} No assertion lifetime supplied, using default", getLogPrefix()); } if (response instanceof org.opensaml.saml.saml1.core.Response) { for (final org.opensaml.saml.saml1.core.Assertion assertion : ((org.opensaml.saml.saml1.core.Response) response).getAssertions()) { final DateTime expiration = new DateTime(assertion.getIssueInstant()).plus( lifetime != null ? lifetime : defaultAssertionLifetime); log.debug("{} Added NotOnOrAfter condition, indicating an expiration of {}, to Assertion {}", new Object[] {getLogPrefix(), expiration, assertion.getID()}); SAML1ActionSupport.addConditionsToAssertion(this, assertion).setNotOnOrAfter(expiration); } } else if (response instanceof org.opensaml.saml.saml2.core.Response) { for (final org.opensaml.saml.saml2.core.Assertion assertion : ((org.opensaml.saml.saml2.core.Response) response).getAssertions()) { final DateTime expiration = new DateTime(assertion.getIssueInstant()).plus( lifetime != null ? lifetime : defaultAssertionLifetime); log.debug("{} Added NotOnOrAfter condition, indicating an expiration of {}, to Assertion {}", new Object[] {getLogPrefix(), expiration, assertion.getID()}); SAML2ActionSupport.addConditionsToAssertion(this, assertion).setNotOnOrAfter(expiration); } } }
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) { if (response instanceof org.opensaml.saml.saml1.core.Response) { for (final org.opensaml.saml.saml1.core.Assertion assertion : ((org.opensaml.saml.saml1.core.Response) response).getAssertions()) { log.debug("{} Added NotBefore condition to Assertion {}", getLogPrefix(), assertion.getID()); SAML1ActionSupport.addConditionsToAssertion(this, assertion).setNotBefore( ((org.opensaml.saml.saml1.core.Response) response).getIssueInstant()); } } else if (response instanceof org.opensaml.saml.saml2.core.Response) { for (final org.opensaml.saml.saml2.core.Assertion assertion : ((org.opensaml.saml.saml2.core.Response) response).getAssertions()) { log.debug("{} Added NotBefore condition to Assertion {}", getLogPrefix(), assertion.getID()); SAML2ActionSupport.addConditionsToAssertion(this, assertion).setNotBefore( ((org.opensaml.saml.saml2.core.Response) response).getIssueInstant()); } } }
credential.setNotBefore(conditions.getNotBefore()); credential.setNotOnOrAfter(conditions.getNotOnOrAfter()); credential.setAudience(conditions.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri());
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) { List<String> addresses = new ArrayList<>(); if (assertion.getSaml1() != null) { for (AudienceRestrictionCondition restriction : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) { for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) { addresses.add(audience.getUri()); } } } else if (assertion.getSaml2() != null) { for (org.opensaml.saml.saml2.core.AudienceRestriction restriction : assertion.getSaml2().getConditions().getAudienceRestrictions()) { for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) { addresses.add(audience.getAudienceURI()); } } } return addresses; }
private DateTime getExpiryDate(SamlAssertionWrapper assertion) { if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { return assertion.getSaml2().getConditions().getNotOnOrAfter(); } return assertion.getSaml1().getConditions().getNotOnOrAfter(); }
/** * Check the Conditions of the Assertion. */ public void checkConditions(int futureTTL) throws WSSecurityException { DateTime validFrom = null; DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) { validFrom = getSaml2().getConditions().getNotBefore(); validTill = getSaml2().getConditions().getNotOnOrAfter(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) { validFrom = getSaml1().getConditions().getNotBefore(); validTill = getSaml1().getConditions().getNotOnOrAfter(); } if (validFrom != null) { DateTime currentTime = new DateTime(); currentTime = currentTime.plusSeconds(futureTTL); if (validFrom.isAfter(currentTime)) { LOG.debug("SAML Token condition (Not Before) not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } } if (validTill != null && validTill.isBeforeNow()) { LOG.debug("SAML Token condition (Not On Or After) not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } }
conditions.setNotBefore(newNotBefore); conditions.setNotOnOrAfter(newNotBefore.plusMinutes(5)); return conditions; ); conditions.setNotBefore(notBefore); conditions.setNotOnOrAfter(notAfter); } else { DateTime newNotBefore = new DateTime(); conditions.setNotBefore(newNotBefore); if (tokenPeriodSeconds <= 0) { tokenPeriodSeconds = 5L * 60L; new DateTime(newNotBefore.getMillis() + tokenPeriodSeconds * 1000L); conditions.setNotOnOrAfter(notOnOrAfter); AudienceRestrictionCondition audienceRestriction = createSamlv1AudienceRestriction(audienceRestrictionBean); conditions.getAudienceRestrictionConditions().add(audienceRestriction);
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) { List<String> addresses = new ArrayList<>(); if (assertion.getSaml1() != null) { for (AudienceRestrictionCondition restriction : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) { for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) { addresses.add(audience.getUri()); } } } else if (assertion.getSaml2() != null) { for (org.opensaml.saml.saml2.core.AudienceRestriction restriction : assertion.getSaml2().getConditions().getAudienceRestrictions()) { for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) { addresses.add(audience.getAudienceURI()); } } } return addresses; }
private DateTime getExpiryDate(SamlAssertionWrapper assertion) { if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { return assertion.getSaml2().getConditions().getNotOnOrAfter(); } return assertion.getSaml1().getConditions().getNotOnOrAfter(); }
protected boolean validateConditions( SamlAssertionWrapper assertion, ReceivedToken validateTarget ) { DateTime validFrom = null; DateTime validTill = null; DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant(); } if (validFrom != null && validFrom.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); return false; } else if (validTill != null && validTill.isBeforeNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); validateTarget.setState(STATE.EXPIRED); return false; } if (issueInstant != null && issueInstant.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token IssueInstant not met"); return false; } return true; }
conditions.setNotBefore(now); conditions.setNotOnOrAfter(now.plusSeconds(60)); final AudienceRestrictionCondition audienceRestriction = newSAMLObject( AudienceRestrictionCondition.class, AudienceRestrictionCondition.DEFAULT_ELEMENT_NAME); audience.setUri(request.getService()); audienceRestriction.getAudiences().add(audience); conditions.getAudienceRestrictionConditions().add(audienceRestriction); assertion.setConditions(conditions); assertion.getAuthenticationStatements().add(
if (conditions != null && conditions.getAudienceRestrictionConditions() != null && !conditions.getAudienceRestrictionConditions().isEmpty()) { boolean foundAddress = false; for (org.opensaml.saml.saml1.core.AudienceRestrictionCondition audienceRestriction : conditions.getAudienceRestrictionConditions()) { if (audienceRestriction.getAudiences() != null) { List<org.opensaml.saml.saml1.core.Audience> audiences =
} else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) { validTill = getSaml1().getConditions().getNotOnOrAfter(); issueInstant = getSaml1().getIssueInstant();