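/**
 * Picks the URL the passive requestor is sent back to.
 * <p>
 * The reply address is used when it parses as a {@link URL}; otherwise the realm is
 * used, and it must parse or the request is rejected. Only syntactic well-formedness is
 * checked here (the {@code URL} constructor); the chosen value is not compared against
 * any registered application, so callers needing that check must perform it themselves.
 *
 * @param context      the current request context (not used by this method)
 * @param replyAddress the caller-supplied reply address, may be {@code null}
 * @param realm        the realm to fall back on, may be {@code null}
 * @return {@code replyAddress} if well-formed, else {@code realm}
 * @throws ProcessingException with type {@code INVALID_REQUEST} when neither value is a
 *         well-formed URL (a {@code null} realm also fails the {@code URL} constructor)
 */
protected String guessPassiveRequestorURL(RequestContext context, String replyAddress, String realm) throws ProcessingException {
    if (isWellFormedUrl(replyAddress)) {
        return replyAddress;
    }
    // Fall back to the realm; a malformed (or null) realm is a client error.
    try {
        new URL(realm);
    } catch (java.net.MalformedURLException e) {
        // The URL constructor wraps every parse failure in MalformedURLException,
        // so catching the narrow type loses nothing compared to catching Exception.
        throw new ProcessingException(e.getMessage(), e, ProcessingException.TYPE.INVALID_REQUEST);
    }
    return realm;
}

/**
 * Returns whether {@code candidate} is non-null and accepted by the {@link URL} constructor.
 * This is a syntax check only; it says nothing about whether the URL is trusted.
 */
private static boolean isWellFormedUrl(String candidate) {
    if (candidate == null) {
        return false;
    }
    try {
        new URL(candidate);
        return true;
    } catch (java.net.MalformedURLException e) {
        return false;
    }
}
}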
/**
 * Verifies that the request's {@code Destination} attribute matches the URL this
 * request was received on.
 * <p>
 * NOTE(review): the comparison is {@code startsWith}, not equality, so a Destination
 * that is merely a prefix of the local request URL is accepted; the SAML binding
 * expects the value to match the receiving endpoint — confirm whether an exact
 * comparison is intended before relying on this check.
 *
 * @param context the current request context, used to obtain the local request URL
 * @param request the parsed SAML request carrying the Destination attribute
 * @throws ProcessingException with type {@code BAD_REQUEST} when the Destination is
 *         absent or is not a prefix of the local request URL
 */
private void checkDestination(RequestContext context, RequestAbstractType request) throws ProcessingException {
    final String requestedDestination = request.getDestination();
    LOG.debug("Validating destination: {}", requestedDestination);

    final String receivedAt = WebUtils.getHttpServletRequest(context).getRequestURL().toString();
    final boolean matches = requestedDestination != null && receivedAt.startsWith(requestedDestination);
    if (matches) {
        return;
    }

    LOG.debug("The destination {} does not match the local address {}", requestedDestination, receivedAt);
    throw new ProcessingException(TYPE.BAD_REQUEST);
}
/**
 * Builds a SAML 2.0 LogoutResponse carrying the {@code Success} status and returns it
 * in encoded form.
 *
 * @param context     the current request context (not used by this method)
 * @param idp         the IdP configuration handed to {@code createLogoutResponse}
 * @param destination the destination value handed to {@code createLogoutResponse}
 * @param requestId   the request id handed to {@code createLogoutResponse}
 * @return the encoded response
 * @throws ProcessingException with type {@code BAD_REQUEST} when building or encoding
 *         fails; the failure is logged at WARN level with its message only
 */
public String createSAMLLogoutResponse(RequestContext context, Idp idp, String destination, String requestId) throws ProcessingException {
    final String successStatus = "urn:oasis:names:tc:SAML:2.0:status:Success";
    try {
        return encodeResponse(createLogoutResponse(idp, successStatus, destination, requestId));
    } catch (Exception ex) {
        LOG.warn("Error marshalling SAML Token: {}", ex.getMessage());
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}
/**
 * Fetches the IdP's own security token from the flow-scope attribute {@code "idpToken"}.
 *
 * @param context   the current request context whose flow scope holds the token
 * @param homeRealm the home realm, used only in the debug log message
 * @return the cached token, never {@code null}
 * @throws ProcessingException with type {@code BAD_REQUEST} when the attribute is absent
 */
private SecurityToken getSecurityToken(RequestContext context, String homeRealm) throws ProcessingException {
    final Object cached = WebUtils.getAttributeFromFlowScope(context, "idpToken");
    if (cached == null) {
        LOG.error("IDP_TOKEN not found");
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
    final SecurityToken idpToken = (SecurityToken) cached;
    LOG.debug("[IDP_TOKEN={} successfully retrieved from cache for home realm [{}]", idpToken.getId(), homeRealm);
    return idpToken;
}
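/**
 * Verifies the detached signature of an HTTP-Redirect binding request.
 * <p>
 * The signed string is rebuilt as {@code SAMLRequest=...&RelayState=...&SigAlg=...}
 * with each value URL-encoded, and verified against the realm's validating certificate.
 * The SAML 2.0 HTTP-Redirect binding only includes the RelayState component when a
 * RelayState was sent, so a {@code null} relayState is omitted from the rebuilt string
 * instead of failing with a NullPointerException as before.
 * <p>
 * NOTE(review): a SigAlg that is missing or not in {@code SIG_ALGS} is replaced by
 * RSA-SHA1 before verification, so only a genuine RSA-SHA1 signature can then verify;
 * consider rejecting unknown algorithms outright rather than accepting a SHA-1 signature.
 *
 * @param idp         the IdP configuration used to look up the realm's validating certificate
 * @param sigAlg      the received SigAlg parameter, may be {@code null}
 * @param signature   the received Base64-encoded Signature parameter
 * @param relayState  the received RelayState parameter, may be {@code null}
 * @param samlRequest the received SAMLRequest parameter as it appeared on the wire
 * @param realm       the realm whose certificate validates the signature
 * @throws ProcessingException with type {@code BAD_REQUEST} when the signature does not verify
 * @throws Exception for certificate, encoding or JCE failures from the underlying APIs
 */
private void validateSeparateSignature(Idp idp, String sigAlg, String signature, String relayState, String samlRequest, String realm) throws Exception {
    X509Certificate validatingCert = getValidatingCertificate(idp, realm);

    // Only a known algorithm URI is honoured; anything else falls back to RSA-SHA1.
    final String processedSigAlg;
    if (sigAlg != null && SIG_ALGS.contains(sigAlg)) {
        processedSigAlg = sigAlg;
    } else {
        LOG.debug("Supplied SigAlg parameter is either null or not known, so falling back to use RSA-SHA1");
        processedSigAlg = SSOConstants.RSA_SHA1;
    }

    java.security.Signature sig = java.security.Signature.getInstance(JCEMapper.translateURItoJCEID(processedSigAlg));
    sig.initVerify(validatingCert);

    // Verify over the same octets the sender signed: the re-encoded query string as UTF-8.
    final String requestToSign = buildSignedRedirectString(samlRequest, relayState, processedSigAlg);
    sig.update(requestToSign.getBytes(StandardCharsets.UTF_8));
    if (!sig.verify(Base64.decode(signature))) {
        LOG.debug("Signature validation failed");
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}

/**
 * Rebuilds the query string that was signed: SAMLRequest, then RelayState (only when
 * non-null), then SigAlg, each value URL-encoded as UTF-8.
 *
 * @throws java.io.UnsupportedEncodingException never in practice; UTF-8 is always available
 */
private static String buildSignedRedirectString(String samlRequest, String relayState, String sigAlg) throws java.io.UnsupportedEncodingException {
    final String charset = StandardCharsets.UTF_8.name();
    StringBuilder signedString = new StringBuilder()
        .append(SSOConstants.SAML_REQUEST).append('=').append(URLEncoder.encode(samlRequest, charset));
    if (relayState != null) {
        signedString.append('&').append(SSOConstants.RELAY_STATE).append('=').append(URLEncoder.encode(relayState, charset));
    }
    signedString.append('&').append(SSOConstants.SIG_ALG).append('=').append(URLEncoder.encode(sigAlg, charset));
    return signedString.toString();
}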
throw new ProcessingException( "No signing certs were found to insert into the metadata using name: " + keyAlias);
/**
 * Turns the single SAML 2.0 Assertion found in {@code rpToken} into an IdP-issued
 * assertion and wraps it in an encoded SAML Response.
 *
 * @param context       the current request context, used for the client's remote address
 * @param idp           the IdP configuration
 * @param rpToken       the element expected to contain exactly one SAML 2.0 Assertion
 * @param consumerURL   passed on to {@code createSAML2Assertion}
 * @param requestId     passed on to {@code createSAML2Assertion} and {@code createResponse}
 * @param requestIssuer passed on to {@code createSAML2Assertion}
 * @return the encoded response
 * @throws ProcessingException with type {@code BAD_REQUEST} when there is not exactly one
 *         Assertion, when it is not SAML 2.0, or when building/encoding fails (the latter
 *         two are logged at WARN level with the message only)
 */
public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken, String consumerURL, String requestId, String requestIssuer) throws ProcessingException {
    List<Element> assertions = DOMUtils.findAllElementsByTagNameNS(rpToken, WSConstants.SAML2_NS, "Assertion");
    // Exactly one Assertion is required (an empty list also has size != 1).
    if (assertions.size() != 1) {
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }

    try {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertions.get(0));
        if (wrapper.getSaml2() == null) {
            // Caught by the handler below and re-thrown as BAD_REQUEST after a WARN log.
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
        String clientAddress = WebUtils.getHttpServletRequest(context).getRemoteAddr();
        Assertion issuedAssertion = createSAML2Assertion(context, idp, wrapper, requestId, requestIssuer, clientAddress, consumerURL);
        return encodeResponse(createResponse(idp, requestId, issuedAssertion));
    } catch (Exception ex) {
        LOG.warn("Error marshalling SAML Token: {}", ex.getMessage());
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}
/**
 * Applies the structural checks every incoming AuthnRequest/LogoutRequest must pass:
 * an Issuer is present, its Format (if given) is the entity format, and an AuthnRequest
 * carries no SubjectConfirmation elements.
 *
 * @param parsedRequest the parsed request to check
 * @throws ProcessingException with type {@code BAD_REQUEST} when any check fails
 */
private void validateRequest(RequestAbstractType parsedRequest) throws ProcessingException {
    if (parsedRequest.getIssuer() == null) {
        LOG.debug("No Issuer is present in the AuthnRequest/LogoutRequest");
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }

    final String issuerFormat = parsedRequest.getIssuer().getFormat();
    final boolean formatAcceptable = issuerFormat == null
        || "urn:oasis:names:tc:SAML:2.0:nameid-format:entity".equals(issuerFormat);
    if (!formatAcceptable) {
        LOG.debug("An invalid Format attribute was received: {}", issuerFormat);
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }

    if (!(parsedRequest instanceof AuthnRequest)) {
        return;
    }
    AuthnRequest authnRequest = (AuthnRequest) parsedRequest;
    // No SubjectConfirmation elements are allowed on an AuthnRequest.
    final boolean hasSubjectConfirmation = authnRequest.getSubject() != null
        && authnRequest.getSubject().getSubjectConfirmations() != null
        && !authnRequest.getSubject().getSubjectConfirmations().isEmpty();
    if (hasSubjectConfirmation) {
        LOG.debug("An invalid SubjectConfirmation Element was received");
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}
/**
 * Resolves the certificate configured for validating requests from {@code realm}.
 *
 * @param idp   the IdP configuration holding the applications
 * @param realm the realm whose application is looked up
 * @return the parsed validating certificate
 * @throws ProcessingException with type {@code ISSUER_NOT_TRUSTED} when the realm has no
 *         application or that application has no validating certificate configured
 * @throws Exception when {@code CertsUtils.parseX509Certificate} fails
 */
private X509Certificate getValidatingCertificate(Idp idp, String realm) throws Exception {
    Application application = idp.findApplication(realm);
    if (application != null && application.getValidatingCertificate() != null) {
        return CertsUtils.parseX509Certificate(application.getValidatingCertificate());
    }
    LOG.debug("No validating certificate found for realm {}", realm);
    throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
}
/**
 * Builds an encoded error response: a LogoutResponse when {@code logout} is set,
 * otherwise a plain SAML Response, with status {@code Requester} when {@code requestor}
 * is set and {@code Responder} otherwise.
 *
 * @param context     the current request context (not used by this method)
 * @param logout      whether to build a LogoutResponse instead of a Response
 * @param requestor   whether the fault is attributed to the requester
 * @param idp         the IdP configuration; its realm becomes the Response issuer
 * @param requestID   the request id handed to the response builders
 * @param destination the destination handed to {@code createLogoutResponse}
 * @return the encoded response element
 * @throws ProcessingException with type {@code BAD_REQUEST} when building or encoding
 *         fails; the failure is logged at WARN level with its message only
 */
public String createSAMLResponse(RequestContext context, boolean logout, boolean requestor, Idp idp, String requestID, String destination) throws ProcessingException {
    Document doc = DOMUtils.newDocument();
    final String statusValue = requestor
        ? "urn:oasis:names:tc:SAML:2.0:status:Requester"
        : "urn:oasis:names:tc:SAML:2.0:status:Responder";
    // Built for both branches; only the non-logout Response actually uses it.
    Status status = SAML2PResponseComponentBuilder.createStatus(statusValue, null);

    try {
        Element responseElement;
        if (logout) {
            responseElement = createLogoutResponse(idp, statusValue, destination, requestID);
        } else {
            Response response = SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getRealm(), status);
            responseElement = OpenSAMLUtil.toDom(response, doc);
            doc.appendChild(responseElement);
        }
        return encodeResponse(responseElement);
    } catch (Exception e) {
        LOG.warn("Error marshalling SAML Token: {}", e.getMessage());
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}
throw new ProcessingException(TYPE.BAD_REQUEST); } else { RequestAbstractType parsedRequest = null; } catch (Exception ex) { LOG.warn("Error parsing request: {}", ex.getMessage()); throw new ProcessingException(TYPE.BAD_REQUEST); if (logoutRequest.getNotOnOrAfter() != null && (new Date()).after(logoutRequest.getNotOnOrAfter())) { LOG.debug("The LogoutRequest is expired"); throw new ProcessingException(TYPE.BAD_REQUEST); } else if (requireSignature) { LOG.debug("No signature is present, therefore the request is rejected"); throw new ProcessingException(TYPE.BAD_REQUEST); } else { LOG.debug("No signature is present, but this is allowed by configuration"); throw new ProcessingException(TYPE.BAD_REQUEST);
if (idpToken == null || idpToken.getToken() == null) { LOG.warn("No IdPToken is found"); throw new ProcessingException(TYPE.BAD_REQUEST); if (serviceConfig == null) { LOG.warn("No service config found for " + realm); throw new ProcessingException(TYPE.BAD_REQUEST); throw new ProcessingException(TYPE.BAD_REQUEST); LOG.error("Error in retrieving a token", ex.getMessage()); if (ex.getFaultCode() != null && "RequestFailed".equals(ex.getFaultCode().getLocalPart())) { throw new ProcessingException(TYPE.BAD_REQUEST);
} catch (Exception e) { LOG.error("Error creating service metadata information ", e); throw new ProcessingException("Error creating service metadata information: " + e.getMessage());
} catch (Exception ex) { LOG.error("Failed to parse trusted certificate", ex); throw new ProcessingException("Failed to parse trusted certificate");
LOG.debug("Received NameID value of {} does not match issued value {}", authnRequest.getSubjectNameId(), issuedNameId.getValue()); throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);