/** {@inheritDoc} */ protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException { Conditions conditions = (Conditions) samlObject; if (conditions.getNotBefore() != null) { String notBeforeStr = SAMLConfigurationSupport.getSAMLDateFormatter().print(conditions.getNotBefore()); domElement.setAttributeNS(null, Conditions.NOT_BEFORE_ATTRIB_NAME, notBeforeStr); } if (conditions.getNotOnOrAfter() != null) { String notOnOrAfterStr = SAMLConfigurationSupport.getSAMLDateFormatter().print( conditions.getNotOnOrAfter()); domElement.setAttributeNS(null, Conditions.NOT_ON_OR_AFTER_ATTRIB_NAME, notOnOrAfterStr); } } }
public Instant getNotOnOrAfter() { DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20)) { validTill = getSaml2().getConditions().getNotOnOrAfter(); } else { validTill = getSaml1().getConditions().getNotOnOrAfter(); } // Now convert to a Java Instant Object if (validTill != null) { return validTill.toDate().toInstant(); } return null; }
DateTime notOnOrAfter = conditions.getNotOnOrAfter(); log.debug("Evaluating Conditions NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, now.minus(clockSkew));
private DateTime getExpiryDate(SamlAssertionWrapper assertion) { if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { return assertion.getSaml2().getConditions().getNotOnOrAfter(); } return assertion.getSaml1().getConditions().getNotOnOrAfter(); }
private DateTime getExpiryDate(SamlAssertionWrapper assertion) { if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { return assertion.getSaml2().getConditions().getNotOnOrAfter(); } return assertion.getSaml1().getConditions().getNotOnOrAfter(); }
/** * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion * is cached (if a cache is defined), and must not have been previously cached */ protected void checkOneTimeUse( SamlAssertionWrapper samlAssertion, ReplayCache replayCache ) throws WSSecurityException { if (replayCache != null && samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null) { String identifier = samlAssertion.getId(); if (replayCache.contains(identifier)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[] {"A replay attack has been detected"}); } DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Instant currentTime = Instant.now(); replayCache.add(identifier, 1L + Duration.between(currentTime, expires.toDate().toInstant()).getSeconds()); } else { replayCache.add(identifier); } } }
/** * Validate a (Bearer) Subject Confirmation */ private void validateSubjectConfirmation(Message m, Conditions cs, SubjectConfirmationData subjectConfData) { if (subjectConfData == null) { if (!subjectConfirmationDataRequired && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBeforeNow()) { return; } throw ExceptionUtils.toNotAuthorizedException(null, null); } // Recipient must match assertion consumer URL String recipient = subjectConfData.getRecipient(); if (recipient == null || !recipient.equals(getAbsoluteTargetAddress(m))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } // We must have a NotOnOrAfter timestamp if (subjectConfData.getNotOnOrAfter() == null || subjectConfData.getNotOnOrAfter().isBeforeNow()) { throw ExceptionUtils.toNotAuthorizedException(null, null); } //TODO: replay cache, same as with SAML SSO case // Check address if (subjectConfData.getAddress() != null && (clientAddress == null || !subjectConfData.getAddress().equals(clientAddress))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } }
protected Conditions getConditions(org.opensaml.saml.saml2.core.Conditions conditions) { return new Conditions() .setNotBefore(conditions.getNotBefore()) .setNotOnOrAfter(conditions.getNotOnOrAfter()) .setCriteria(getCriteria(conditions.getConditions())); }
/** * Validate a (Bearer) Subject Confirmation */ private void validateSubjectConfirmation(Message m, Conditions cs, SubjectConfirmationData subjectConfData) { if (subjectConfData == null) { if (!subjectConfirmationDataRequired && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBeforeNow()) { return; } throw ExceptionUtils.toNotAuthorizedException(null, null); } // Recipient must match assertion consumer URL String recipient = subjectConfData.getRecipient(); if (recipient == null || !recipient.equals(getAbsoluteTargetAddress(m))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } // We must have a NotOnOrAfter timestamp if (subjectConfData.getNotOnOrAfter() == null || subjectConfData.getNotOnOrAfter().isBeforeNow()) { throw ExceptionUtils.toNotAuthorizedException(null, null); } //TODO: replay cache, same as with SAML SSO case // Check address if (subjectConfData.getAddress() != null && (clientAddress == null || !subjectConfData.getAddress().equals(clientAddress))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } }
/** * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion * is cached (if a cache is defined), and must not have been previously cached */ protected void checkOneTimeUse( SamlAssertionWrapper samlAssertion, RequestData data ) throws WSSecurityException { if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); ReplayCache replayCache = data.getSamlOneTimeUseReplayCache(); if (replayCache.contains(identifier)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[] {"A replay attack has been detected"}); } DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Instant currentTime = Instant.now(); Instant zonedExpires = Instant.ofEpochMilli(expires.getMillis()); replayCache.add(identifier, 1L + Duration.between(currentTime, zonedExpires).getSeconds()); } else { replayCache.add(identifier); } replayCache.add(identifier); } }
validTill = getSaml2().getConditions().getNotOnOrAfter(); issueInstant = getSaml2().getIssueInstant(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
/** * Validate assertionConditions * - notBefore * - notOnOrAfter * * @param conditions the conditions * @param context the context */ protected final void validateAssertionConditions(final Conditions conditions, final SAML2MessageContext context) { if (conditions == null) { return; } if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(acceptedSkew).isAfterNow()) { throw new SAMLAssertionConditionException("Assertion condition notBefore is not valid"); } if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) { throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid"); } final String entityId = context.getSAMLSelfEntityContext().getEntityId(); validateAudienceRestrictions(conditions.getAudienceRestrictions(), entityId); }
/** * Check the Conditions of the Assertion. */ public void checkConditions(int futureTTL) throws WSSecurityException { DateTime validFrom = null; DateTime validTill = null; if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) { validFrom = getSaml2().getConditions().getNotBefore(); validTill = getSaml2().getConditions().getNotOnOrAfter(); } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) { validFrom = getSaml1().getConditions().getNotBefore(); validTill = getSaml1().getConditions().getNotOnOrAfter(); } if (validFrom != null) { DateTime currentTime = new DateTime(); currentTime = currentTime.plusSeconds(futureTTL); if (validFrom.isAfter(currentTime)) { LOG.debug("SAML Token condition (Not Before) not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } } if (validTill != null && validTill.isBeforeNow()) { LOG.debug("SAML Token condition (Not On Or After) not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } }
this.conditions = new SAMLConditions(); this.conditions.setNotBefore(conditions.getNotBefore()); this.conditions.setNotOnOrAfter(conditions.getNotOnOrAfter()); this.authnContexts = authnContexts;
protected boolean validateConditions( SamlAssertionWrapper assertion, ReceivedToken validateTarget ) { DateTime validFrom = null; DateTime validTill = null; DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant(); } if (validFrom != null && validFrom.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); return false; } else if (validTill != null && validTill.isBeforeNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); validateTarget.setState(STATE.EXPIRED); return false; } if (issueInstant != null && issueInstant.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token IssueInstant not met"); return false; } return true; }
protected boolean validateConditions( SamlAssertionWrapper assertion, ReceivedToken validateTarget ) { DateTime validFrom = null; DateTime validTill = null; DateTime issueInstant = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml2().getIssueInstant(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore(); validTill = assertion.getSaml1().getConditions().getNotOnOrAfter(); issueInstant = assertion.getSaml1().getIssueInstant(); } if (validFrom != null && validFrom.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); return false; } else if (validTill != null && validTill.isBeforeNow()) { LOG.log(Level.WARNING, "SAML Token condition not met"); validateTarget.setState(STATE.EXPIRED); return false; } if (issueInstant != null && issueInstant.isAfterNow()) { LOG.log(Level.WARNING, "SAML Token IssueInstant not met"); return false; } return true; }
if (renewedAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = renewedAssertion.getSaml2().getConditions().getNotBefore(); validTill = renewedAssertion.getSaml2().getConditions().getNotOnOrAfter(); } else { validFrom = renewedAssertion.getSaml1().getConditions().getNotBefore();
if (renewedAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = renewedAssertion.getSaml2().getConditions().getNotBefore(); validTill = renewedAssertion.getSaml2().getConditions().getNotOnOrAfter(); } else { validFrom = renewedAssertion.getSaml1().getConditions().getNotBefore();
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore();
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); } else { validFrom = assertion.getSaml1().getConditions().getNotBefore();