/** * Verify whether an {@link org.picketlink.identity.federation.saml.v2.assertion.AssertionType} has expired * @param assertionType * @return * @throws ConfigurationException */ public boolean hasExpired(AssertionType assertionType) throws ConfigurationException { return AssertionUtil.hasExpired(assertionType); } }
/** * Creates a SAML Assertion that can be used as a bearer token when invoking REST * services. The REST service must be configured to accept SAML Assertion bearer * tokens. * * In JBoss this means protecting the REST services with {@link org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule}. * In Tomcat7 this means protecting the REST services with {@link org.overlord.commons.auth.tomcat7.SAMLBearerTokenAuthenticator}. * * @param principal * @param roles * @param issuerName * @param forService * @param timeValidInMillis */ public static String createSAMLAssertion(Principal principal, Set<String> roles, String issuerName, String forService, int timeValidInMillis) { try { NameIDType issuer = SAMLAssertionFactory.createNameID(null, null, issuerName); SubjectType subject = AssertionUtil.createAssertionSubject(principal.getName()); AssertionType assertion = AssertionUtil.createAssertion(UUID.randomUUID().toString(), issuer); assertion.setSubject(subject); AssertionUtil.createTimedConditions(assertion, timeValidInMillis); ConditionAbstractType restriction = SAMLAssertionFactory.createAudienceRestriction(forService); assertion.getConditions().addCondition(restriction); addRoleStatements(roles, assertion, principal); return AssertionUtil.asString(assertion); } catch (Exception e) { throw new RuntimeException(e); } }
/** * This method validates SAML Credential in following steps: <ol> <li>Validate the signing key embedded in SAML token is still * valid, not expired</li> <li>Validate the signing key embedded in SAML token is trusted against a local truststore, such as * certpath validation</li> <li>Validate SAML token is still valid, not expired</li> <li>Validate the SAML signature using the * embedded signing key in SAML token itself as you indicated below</li> </ol> * * If something goes wrong throws LoginException. * * @throws LoginException */ private void validateSAMLCredential() throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException { X509Certificate cert = getX509Certificate(); // public certificate validation validateCertPath(cert); // check time validity of the certificate cert.checkValidity(); boolean sigValid = false; try { sigValid = AssertionUtil.isSignatureValid(credential.getAssertionAsElement(), cert.getPublicKey()); } catch (ProcessingException e) { logger.processingError(e); } if (!sigValid) { throw logger.authSAMLInvalidSignatureError(); } if (AssertionUtil.hasExpired(assertion)) { throw logger.authSAMLAssertionExpiredError(); } }
if(AssertionUtil.hasExpired(assertionType)) throw new RuntimeException(ErrorCodes.EXPIRED_ASSERTION + "Assertion has expired"); log.trace("Inbound::Rolekeys to extract roles from the assertion:" + roleKeys); List<String> roles = AssertionUtil.getRoles(assertionType, roleKeys); if(roles.size() > 0 )
XMLGregorianCalendar expiry = AssertionUtil.getExpiration(assertion); if (expiry != null) roleKeys.addAll(StringUtil.tokenize(roleKey)); List<String> roles = AssertionUtil.getRoles(assertion, roleKeys); if (roles.size() > 0) List<String> roles = AssertionUtil.getRoles(assertion, null); for (String role : roles)
List<String> roles = AssertionUtil.getRoles(assertion, null); Group roleGroup = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER); for(String role: roles)
@Override protected Group[] getRoleSets() throws LoginException { if (this.assertion == null) { try { this.assertion = SAMLUtil.fromElement(this.credential.getAssertionAsElement()); } catch (Exception e) { throw logger.authFailedToParseSAMLAssertion(e); } } if (logger.isTraceEnabled()) { try { logger.trace("Assertion from where roles will be sought = " + AssertionUtil.asString(assertion)); } catch (ProcessingException ignore) { } } List<String> roleKeys = new ArrayList<String>(); if (StringUtil.isNotNull(roleKey)) { roleKeys.addAll(StringUtil.tokenize(roleKey)); } String groupName = SecurityConstants.ROLES_IDENTIFIER; Group rolesGroup = new PicketLinkGroup(groupName); List<String> roles = AssertionUtil.getRoles(assertion, roleKeys); for (String role : roles) { rolesGroup.addMember(new SimplePrincipal(role)); } return new Group[]{rolesGroup}; }
/** * Add validity conditions to the SAML2 Assertion * @param assertion * @param durationInMilis * @throws ConfigurationException * @throws IssueInstantMissingException */ public void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException { AssertionUtil.createTimedConditions(assertion, durationInMilis); }
if (isNotNull(skew)) { long skewMilis = Long.parseLong(skew); expiredAssertion = AssertionUtil.hasExpired(assertion, skewMilis); } else expiredAssertion = AssertionUtil.hasExpired(assertion); } catch (ConfigurationException e) { throw new ProcessingException(e); if (!AssertionUtil.isAudience(assertion, getSPConfiguration())) { throw logger.samlAssertionWrongAudience(getSPConfiguration().getServiceURL());
XMLGregorianCalendar expiry = AssertionUtil.getExpiration(assertion); if (expiry != null) { Date expiryDate = expiry.toGregorianCalendar().getTime();
assertionType.addAllStatements(statements); try { AssertionUtil.createSAML11TimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW); } catch (Exception e) { throw logger.processingError(e);
/** * Create an assertion * @param id * @param issuer * @return */ public AssertionType createAssertion(String id, NameIDType issuer) { return AssertionUtil.createAssertion(id, issuer); }
@POST public Response generateAssertion(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { Principal principal = httpServletRequest.getUserPrincipal(); if (principal == null) { // Send Error Response return Response.status(403).build(); } SAMLProtocolContext samlProtocolContext = getSAMLProtocolContext(principal.getName()); AssertionType assertionType = issueSAMLAssertion(samlProtocolContext); // TODO: sign/encrypt String base64EncodedAssertion = PostBindingUtil.base64Encode(AssertionUtil.asString(assertionType)); return Response.status(200).entity(base64EncodedAssertion).build(); } }
try { assertionType = SAMLUtil.fromElement(assertion); if (AssertionUtil.hasExpired(assertionType)) { throw new RuntimeException(logger.samlAssertionExpiredError()); List<String> roles = AssertionUtil.getRoles(assertionType, roleKeys); if (roles.size() > 0) { logger.trace("Roles in the assertion: " + roles);
TimeCacheExpiry cacheExpiry = JBossAuthCacheInvalidationFactory.getCacheExpiry(); XMLGregorianCalendar expiry = AssertionUtil.getExpiration(assertion); if (expiry != null) { cacheExpiry.register(securityDomain, expiry.toGregorianCalendar().getTime(), principal); roleKeys.addAll(StringUtil.tokenize(roleKey)); List<String> roles = AssertionUtil.getRoles(assertion, roleKeys); if (roles.size() > 0) { SimpleGroup group = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER); List<String> roles = AssertionUtil.getRoles(assertion, null); for (String role : roles) { callerPrincipal.addMember(new SimplePrincipal(role));
/** * This method validates SAML Credential in following steps: <ol> <li>Validate the signing key embedded in SAML token is still * valid, not expired</li> <li>Validate the signing key embedded in SAML token is trusted against a local truststore, such as * certpath validation</li> <li>Validate SAML token is still valid, not expired</li> <li>Validate the SAML signature using the * embedded signing key in SAML token itself as you indicated below</li> </ol> * * If something goes wrong throws LoginException. * * @throws LoginException */ private void validateSAMLCredential() throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException { X509Certificate cert = getX509Certificate(); // public certificate validation validateCertPath(cert); // check time validity of the certificate cert.checkValidity(); boolean sigValid = false; try { sigValid = AssertionUtil.isSignatureValid(credential.getAssertionAsElement(), cert.getPublicKey()); } catch (ProcessingException e) { logger.processingError(e); } if (!sigValid) { throw logger.authSAMLInvalidSignatureError(); } if (AssertionUtil.hasExpired(assertion)) { throw logger.authSAMLAssertionExpiredError(); } }
roles = AssertionUtil.getRoles(assertion, null);
@Override protected Group[] getRoleSets() throws LoginException { if (this.assertion == null) { try { this.assertion = SAMLUtil.fromElement(this.credential.getAssertionAsElement()); } catch (Exception e) { throw logger.authFailedToParseSAMLAssertion(e); } } if (logger.isTraceEnabled()) { try { logger.trace("Assertion from where roles will be sought = " + AssertionUtil.asString(assertion)); } catch (ProcessingException ignore) { } } List<String> roleKeys = new ArrayList<String>(); if (StringUtil.isNotNull(roleKey)) { roleKeys.addAll(StringUtil.tokenize(roleKey)); } String groupName = SecurityConstants.ROLES_IDENTIFIER; Group rolesGroup = new PicketLinkGroup(groupName); List<String> roles = AssertionUtil.getRoles(assertion, roleKeys); for (String role : roles) { rolesGroup.addMember(new SimplePrincipal(role)); } return new Group[]{rolesGroup}; }
/** * Add validity conditions to the SAML2 Assertion * * @param assertion * @param durationInMilis * * @throws ConfigurationException * @throws IssueInstantMissingException */ public void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException { AssertionUtil.createTimedConditions(assertion, durationInMilis); }
if (isNotNull(skew)) { long skewMilis = Long.parseLong(skew); expiredAssertion = AssertionUtil.hasExpired(assertion, skewMilis); } else expiredAssertion = AssertionUtil.hasExpired(assertion); } catch (ConfigurationException e) { throw new ProcessingException(e); if (!AssertionUtil.isAudience(assertion, getSPConfiguration())) { throw logger.samlAssertionWrongAudience(getSPConfiguration().getServiceURL());