conditions.getAudienceRestrictions().stream() .flatMap(r -> r.getAudiences().stream()) .filter(audience -> entityId.equals(audience.getAudienceURI()))
conditions.getAudienceRestrictions().add(audienceRestriction);
/**
 * Locate the {@link AudienceRestriction} that audiences should be appended to.
 *
 * <p>The first existing restriction is reused only when
 * {@code addingAudiencesToExistingRestriction} is set and the conditions already
 * carry one; in every other case a fresh restriction is built and attached to
 * {@code conditions} before being returned.</p>
 *
 * @param conditions existing set of conditions
 *
 * @return the condition to which audiences will be added
 */
@Nonnull private AudienceRestriction getAudienceRestriction(
        @Nonnull final org.opensaml.saml.saml2.core.Conditions conditions) {
    final boolean reuseExisting = addingAudiencesToExistingRestriction
            && !conditions.getAudienceRestrictions().isEmpty();
    if (reuseExisting) {
        log.debug("{} Conditions already contained an AudienceRestriction, using it", getLogPrefix());
        return conditions.getAudienceRestrictions().get(0);
    }

    final SAMLObjectBuilder<AudienceRestriction> restrictionBuilder =
            (SAMLObjectBuilder<AudienceRestriction>) XMLObjectProviderRegistrySupport
                    .getBuilderFactory().<AudienceRestriction>getBuilderOrThrow(
                            AudienceRestriction.DEFAULT_ELEMENT_NAME);
    log.debug("{} Adding new AudienceRestriction", getLogPrefix());
    final AudienceRestriction created = restrictionBuilder.buildObject();
    conditions.getAudienceRestrictions().add(created);
    return created;
}
/**
 * Require the assertion's {@code Conditions} to carry an AudienceRestriction that names
 * this service provider ({@code spIdentifier}); anything else is rejected.
 *
 * @param conditions the SAML 2.0 conditions of the received assertion, may be {@code null}
 * @throws WSSecurityException if no conditions are present or no audience matches
 *         {@code spIdentifier}
 */
private void validateAudienceRestrictionCondition(
    org.opensaml.saml.saml2.core.Conditions conditions
) throws WSSecurityException {
    if (conditions == null) {
        // An assertion without Conditions is not scoped to anyone: fail closed.
        LOG.fine("Conditions are null");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    final List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
    final boolean audienceMatches = matchSaml2AudienceRestriction(spIdentifier, restrictions);
    if (audienceMatches) {
        return;
    }

    LOG.fine("Assertion does not contain unique subject provider identifier " + spIdentifier
        + " in the audience restriction conditions");
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
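/**
 * Check that the assertion's AudienceRestriction conditions name this endpoint.
 *
 * <p>SAML 2.0 Core (section 2.5.1.4) states that each {@code AudienceRestriction} is
 * evaluated independently and the results are ANDed, while the audiences inside one
 * restriction are ORed. The target address must therefore appear in every restriction
 * present; the previous form accepted the assertion as soon as any single restriction
 * matched. An assertion with no restriction at all is rejected (fail closed), as before.</p>
 *
 * @param message the inbound message, used to derive the absolute target address
 * @param cs the assertion conditions to validate
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    // No restriction means the assertion is not scoped to us: reject rather than accept by default.
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        // AND across restrictions: every one of them must list our address.
        if (!restrictionNamesAddress(ar, absoluteAddress)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}

/**
 * Returns {@code true} if {@code ar} lists {@code address} among its audiences (OR within
 * one restriction). A restriction with no audiences never matches.
 */
private static boolean restrictionNamesAddress(AudienceRestriction ar, String address) {
    List<Audience> audiences = ar.getAudiences();
    if (audiences == null) {
        return false;
    }
    for (Audience a : audiences) {
        // address.equals(...) rather than Objects.equals: a null target address must not
        // match a null/absent audience URI.
        if (address.equals(a.getAudienceURI())) {
            return true;
        }
    }
    return false;
}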
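/**
 * Check that the assertion's AudienceRestriction conditions name this endpoint.
 *
 * <p>SAML 2.0 Core (section 2.5.1.4) states that each {@code AudienceRestriction} is
 * evaluated independently and the results are ANDed, while the audiences inside one
 * restriction are ORed. The target address must therefore appear in every restriction
 * present; the previous form accepted the assertion as soon as any single restriction
 * matched. An assertion with no restriction at all is rejected (fail closed), as before.</p>
 *
 * @param message the inbound message, used to derive the absolute target address
 * @param cs the assertion conditions to validate
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    // No restriction means the assertion is not scoped to us: reject rather than accept by default.
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        // AND across restrictions: every one of them must list our address.
        if (!restrictionNamesAddress(ar, absoluteAddress)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}

/**
 * Returns {@code true} if {@code ar} lists {@code address} among its audiences (OR within
 * one restriction). A restriction with no audiences never matches.
 */
private static boolean restrictionNamesAddress(AudienceRestriction ar, String address) {
    List<Audience> audiences = ar.getAudiences();
    if (audiences == null) {
        return false;
    }
    for (Audience a : audiences) {
        // address.equals(...) rather than Objects.equals: a null target address must not
        // match a null/absent audience URI.
        if (address.equals(a.getAudienceURI())) {
            return true;
        }
    }
    return false;
}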
final List<AudienceRestriction> audienceRestrictions = assertion.getConditions().getAudienceRestrictions(); AudienceRestriction audienceRestriction = null; if (audienceRestrictions.isEmpty()) { audienceRestriction = (AudienceRestriction) XMLObjectSupport.buildXMLObject( AudienceRestriction.DEFAULT_ELEMENT_NAME); assertion.getConditions().getAudienceRestrictions().add(audienceRestriction); } else { audienceRestriction = audienceRestrictions.get(0);
List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if ((audienceRestrictions == null) || (audienceRestrictions.isEmpty())) { throw new SSOException("SAML 2.0 Response doesn't contain AudienceRestrictions");
/**
 * Translate one of our {@link AssertionCondition}s into its OpenSAML form and attach it to
 * {@code conditions}. An {@link AudienceRestriction} becomes an OpenSAML
 * {@code AudienceRestriction} holding one {@code Audience} per URI; a {@link OneTimeUse}
 * becomes an OpenSAML {@code OneTimeUse}. Any other condition type is left unmapped.
 *
 * @param conditions the OpenSAML conditions element being populated
 * @param c the condition to convert
 */
protected void addCondition(org.opensaml.saml.saml2.core.Conditions conditions, AssertionCondition c) {
    if (c instanceof AudienceRestriction) {
        conditions.getAudienceRestrictions().add(toSamlAudienceRestriction((AudienceRestriction) c));
    } else if (c instanceof OneTimeUse) {
        org.opensaml.saml.saml2.core.OneTimeUse oneTimeUse =
                buildSAMLObject(org.opensaml.saml.saml2.core.OneTimeUse.class);
        conditions.getConditions().add(oneTimeUse);
    }
}

/** Builds the OpenSAML AudienceRestriction carrying every audience URI of {@code restriction}. */
private org.opensaml.saml.saml2.core.AudienceRestriction toSamlAudienceRestriction(
        AudienceRestriction restriction) {
    org.opensaml.saml.saml2.core.AudienceRestriction samlRestriction =
            buildSAMLObject(org.opensaml.saml.saml2.core.AudienceRestriction.class);
    for (String audienceUri : restriction.getAudiences()) {
        Audience samlAudience = buildSAMLObject(Audience.class);
        samlAudience.setAudienceURI(audienceUri);
        samlRestriction.getAudiences().add(samlAudience);
    }
    return samlRestriction;
}
/**
 * Build a SAML 2.0 {@code Conditions} element carrying a validity window and a single
 * {@code AudienceRestriction} that names exactly one audience.
 *
 * @param notBefore start of the validity window
 * @param notOnOrAfter end of the validity window (exclusive)
 * @param audienceUri the service identifier placed in the {@code Audience} element
 * @return the populated conditions element
 */
public Conditions newConditions(final DateTime notBefore, final DateTime notOnOrAfter, final String audienceUri) {
    final Conditions result = newSamlObject(Conditions.class);
    final AudienceRestriction restriction = newSamlObject(AudienceRestriction.class);
    final Audience audience = newSamlObject(Audience.class);

    audience.setAudienceURI(audienceUri);
    restriction.getAudiences().add(audience);

    result.setNotBefore(notBefore);
    result.setNotOnOrAfter(notOnOrAfter);
    result.getAudienceRestrictions().add(restriction);
    return result;
}
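/**
 * Determine whether a delegation token was requested via the inbound AuthnRequest's
 * Conditions' AudienceRestriction.
 *
 * <p>A missing inbound message context or message is treated as "not requested" instead of
 * failing: the original form dereferenced the message inside the debug log call and threw
 * a {@code NullPointerException} when no message was present. Blank {@code Audience} values
 * (which {@code StringSupport.trimOrNull} reduces to {@code null}) never count as a match.</p>
 *
 * @param requestContext the current request context
 * @return true if the AudienceRestrictions condition contained the local entity Id, false otherwise
 */
private boolean isDelegationRequestedByAudience(@Nonnull final ProfileRequestContext requestContext) {
    final Object inbound = requestContext.getInboundMessageContext() != null
            ? requestContext.getInboundMessageContext().getMessage()
            : null;
    if (inbound == null) {
        log.debug("No inbound SAML message present");
        return false;
    }
    if (!(inbound instanceof AuthnRequest)) {
        log.debug("Inbound SAML message was not an AuthnRequest: {}", inbound.getClass().getName());
        return false;
    }

    final Conditions conditions = ((AuthnRequest) inbound).getConditions();
    if (conditions == null) {
        return false;
    }
    for (final AudienceRestriction ar : conditions.getAudienceRestrictions()) {
        for (final Audience audience : ar.getAudiences()) {
            final String audienceValue = StringSupport.trimOrNull(audience.getAudienceURI());
            // Explicit null check so an empty Audience cannot match a (possibly unset) responderId.
            if (audienceValue != null && audienceValue.equals(responderId)) {
                log.debug("Saw an AuthnRequest/Conditions/AudienceRestriction/Audience with value of '{}'",
                        responderId);
                return true;
            }
        }
    }
    return false;
}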
/**
 * Collect every audience URI named in the assertion's AudienceRestriction conditions,
 * reading the SAML 1.1 form when present and the SAML 2.0 form otherwise.
 *
 * @param assertion the wrapped assertion
 * @return the audience URIs in document order; empty when the assertion carries neither form
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    final List<String> audienceUris = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        collectSaml1AudienceUris(assertion, audienceUris);
    } else if (assertion.getSaml2() != null) {
        collectSaml2AudienceUris(assertion, audienceUris);
    }
    return audienceUris;
}

/** Appends the URIs of every SAML 1.1 AudienceRestrictionCondition to {@code sink}. */
private static void collectSaml1AudienceUris(SamlAssertionWrapper assertion, List<String> sink) {
    for (AudienceRestrictionCondition condition
            : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) {
        for (org.opensaml.saml.saml1.core.Audience audience : condition.getAudiences()) {
            sink.add(audience.getUri());
        }
    }
}

/** Appends the URIs of every SAML 2.0 AudienceRestriction to {@code sink}. */
private static void collectSaml2AudienceUris(SamlAssertionWrapper assertion, List<String> sink) {
    for (org.opensaml.saml.saml2.core.AudienceRestriction restriction
            : assertion.getSaml2().getConditions().getAudienceRestrictions()) {
        for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
            sink.add(audience.getAudienceURI());
        }
    }
}
/**
 * Collect every audience URI named in the assertion's AudienceRestriction conditions,
 * reading the SAML 1.1 form when present and the SAML 2.0 form otherwise.
 *
 * @param assertion the wrapped assertion
 * @return the audience URIs in document order; empty when the assertion carries neither form
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    final List<String> audienceUris = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        collectSaml1AudienceUris(assertion, audienceUris);
    } else if (assertion.getSaml2() != null) {
        collectSaml2AudienceUris(assertion, audienceUris);
    }
    return audienceUris;
}

/** Appends the URIs of every SAML 1.1 AudienceRestrictionCondition to {@code sink}. */
private static void collectSaml1AudienceUris(SamlAssertionWrapper assertion, List<String> sink) {
    for (AudienceRestrictionCondition condition
            : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) {
        for (org.opensaml.saml.saml1.core.Audience audience : condition.getAudiences()) {
            sink.add(audience.getUri());
        }
    }
}

/** Appends the URIs of every SAML 2.0 AudienceRestriction to {@code sink}. */
private static void collectSaml2AudienceUris(SamlAssertionWrapper assertion, List<String> sink) {
    for (org.opensaml.saml.saml2.core.AudienceRestriction restriction
            : assertion.getSaml2().getConditions().getAudienceRestrictions()) {
        for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
            sink.add(audience.getAudienceURI());
        }
    }
}
if (conditions != null && conditions.getAudienceRestrictions() != null && !conditions.getAudienceRestrictions().isEmpty()) { boolean foundAddress = false; for (org.opensaml.saml.saml2.core.AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions()) { if (audienceRestriction.getAudiences() != null) { List<org.opensaml.saml.saml2.core.Audience> audiences =
AudienceRestriction audienceRestriction = createAudienceRestriction(audienceRestrictionBean); conditions.getAudienceRestrictions().add(audienceRestriction);
assertion.getSaml2().getConditions().getAudienceRestrictions(); if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) { LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
assertion.getSaml2().getConditions().getAudienceRestrictions(); if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) { LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
/**
 * Validate assertionConditions
 * - notBefore
 * - notOnOrAfter
 * - audience restrictions (delegated to validateAudienceRestrictions)
 *
 * <p>Both time bounds are widened by {@code acceptedSkew} seconds before comparing against
 * the current time. When the assertion carries no Conditions element at all this method
 * returns without applying any check.</p>
 *
 * @param conditions the conditions
 * @param context the context
 */
protected final void validateAssertionConditions(final Conditions conditions, final SAML2MessageContext context) {
    if (conditions == null) {
        return;
    }

    final boolean notYetValid = conditions.getNotBefore() != null
            && conditions.getNotBefore().minusSeconds(acceptedSkew).isAfterNow();
    if (notYetValid) {
        throw new SAMLAssertionConditionException("Assertion condition notBefore is not valid");
    }

    final boolean expired = conditions.getNotOnOrAfter() != null
            && conditions.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow();
    if (expired) {
        throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid");
    }

    final String selfEntityId = context.getSAMLSelfEntityContext().getEntityId();
    validateAudienceRestrictions(conditions.getAudienceRestrictions(), selfEntityId);
}
conditions.setNotBefore(currentTime); conditions.setNotOnOrAfter(notOnOrAfter); conditions.getAudienceRestrictions().add(audienceRestriction); samlAssertion.setConditions(conditions);
conditions.setNotBefore(currentTime); conditions.setNotOnOrAfter(notOnOrAfter); conditions.getAudienceRestrictions().add(audienceRestriction); samlAssertion.setConditions(conditions);