/** * Construct SAML response. <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a> * * @param service the service * @return the SAML response */ protected String constructSamlResponse(final GoogleAccountsService service) { final DateTime currentDateTime = DateTime.parse(new ISOStandardDateFormat().getCurrentDateAndTime()); final DateTime notBeforeIssueInstant = DateTime.parse("2003-04-17T00:46:02Z"); /* * Must be looked up directly from the context * because the services manager is not serializable * and cannot be class field. */ final ApplicationContext context = ApplicationContextProvider.getApplicationContext(); final ServicesManager servicesManager = context.getBean("servicesManager", ServicesManager.class); final RegisteredService registeredService = servicesManager.findServiceBy(service); final String userId = registeredService .getUsernameAttributeProvider() .resolveUsername(service.getPrincipal(), service); final org.opensaml.saml.saml2.core.Response response = samlObjectBuilder.newResponse( samlObjectBuilder.generateSecureRandomId(), currentDateTime, service.getId(), service); response.setStatus(samlObjectBuilder.newStatus(StatusCode.SUCCESS, null)); final AuthnStatement authnStatement = samlObjectBuilder.newAuthnStatement(AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime); final Assertion assertion = samlObjectBuilder.newAssertion( authnStatement, "https://www.opensaml.org/IDP", notBeforeIssueInstant, samlObjectBuilder.generateSecureRandomId()); final Conditions conditions = samlObjectBuilder.newConditions(notBeforeIssueInstant, currentDateTime, service.getId()); assertion.setConditions(conditions); final Subject subject = samlObjectBuilder.newSubject( NameID.EMAIL, userId, service.getId(), currentDateTime, service.getRequestId()); assertion.setSubject(subject); response.getAssertions().add(assertion); final StringWriter writer = new StringWriter(); samlObjectBuilder.marshalSamlXmlObject(response, writer); final String result = writer.toString(); logger.debug("Generated Google SAML response: {}", result); return result; }
@Before public void setUp() { final HttpClient client = mock(HttpClient.class); when(client.isValidEndPoint(any(String.class))).thenReturn(true); when(client.isValidEndPoint(any(URL.class))).thenReturn(true); when(client.sendMessageToEndPoint(any(HttpMessage.class))).thenReturn(true); final ServicesManager servicesManager = mock(ServicesManager.class); this.logoutManager = new LogoutManagerImpl(servicesManager, client, new SamlCompliantLogoutMessageCreator()); this.tgt = mock(TicketGrantingTicket.class); this.services = new HashMap<String, Service>(); this.simpleWebApplicationServiceImpl = new SimpleWebApplicationServiceImpl(URL); this.services.put(ID, this.simpleWebApplicationServiceImpl); when(this.tgt.getServices()).thenReturn(this.services); this.registeredService = new RegisteredServiceImpl(); when(servicesManager.findServiceBy(this.simpleWebApplicationServiceImpl)) .thenReturn(this.registeredService); }
public CasShibRegisteredService findService(Service service) throws CasShibServiceRegistrarException { if (!isInitialized) { // this shouldn't happen here, but just in case initialize(); } RegisteredService registeredService = servicesManager.findServiceBy(service); if (registeredService instanceof CasShibRegisteredService) { return (CasShibRegisteredService) registeredService; } return null; }
public CasShibRegisteredService findServiceByAppName(String appName) throws CasShibServiceRegistrarException { if (!isInitialized) { // this shouldn't happen here, but just in case initialize(); } for (RegisteredService entry : servicesManager.getAllServices()) { if (entry instanceof CasShibRegisteredService && entry.getName().equals(appName)) { return ((CasShibRegisteredService) entry); } } return null; }
/** * Gets chaining metadata resolver for all saml services. * * @param servicesManager the services manager * @param entityID the entity id * @param resolver the resolver * @return the chaining metadata resolver for all saml services * @throws Exception the exception */ public static MetadataResolver getMetadataResolverForAllSamlServices( final ServicesManager servicesManager, final String entityID, final SamlRegisteredServiceCachingMetadataResolver resolver) throws Exception { final Predicate p = Predicates.instanceOf(SamlRegisteredService.class); final Collection<RegisteredService> registeredServices = servicesManager.findServiceBy(p); final List<MetadataResolver> resolvers = new ArrayList<>(); final ChainingMetadataResolver chainingMetadataResolver = new ChainingMetadataResolver(); for (final RegisteredService registeredService : registeredServices) { final SamlRegisteredService samlRegisteredService = SamlRegisteredService.class.cast(registeredService); final SamlRegisteredServiceServiceProviderMetadataFacade adaptor = SamlRegisteredServiceServiceProviderMetadataFacade.get( resolver, samlRegisteredService, entityID); resolvers.add(adaptor.getMetadataResolver()); } chainingMetadataResolver.setResolvers(resolvers); chainingMetadataResolver.setId(entityID); chainingMetadataResolver.initialize(); return chainingMetadataResolver; }
public void registerServiceWithCAS(String id, String appName, String passcode) { CasShibRegisteredService rs = new CasShibRegisteredService(); rs.setServiceId(id); rs.setName(appName); rs.setPasscode(passcode); rs.setEnabled(true); rs.setDescription(appName); rs.setSsoEnabled(true); // ? rs.setAnonymousAccess(false); rs.setAllowedToProxy(true); // ? // don't let ServicesManager manage attribute release policy. Shibboleth // is doing this for us. rs.setIgnoreAttributes(true); // other attributes: // allowedAttributes - not relevant because of IgnoreAttributes // id - autogenerated // theme, evaluationOrder- can be left at default servicesManager.save(rs); }
@Audit( action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER") @Timed(name = "GRANT_SERVICE_TICKET_TIMER") @Metered(name = "GRANT_SERVICE_TICKET_METER") @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true) @Transactional(readOnly = false) @Override public ServiceTicket grantServiceTicket( final String ticketGrantingTicketId, final Service service, final Credential... credentials) throws AuthenticationException, TicketException { final TicketGrantingTicket ticketGrantingTicket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class); final RegisteredService registeredService = this.servicesManager.findServiceBy(service); verifyRegisteredServiceProperties(registeredService, service); final Set<Credential> sanitizedCredentials = sanitizeCredentials(credentials); Authentication currentAuthentication = null; if (sanitizedCredentials.size() > 0) { currentAuthentication = this.authenticationManager.authenticate( sanitizedCredentials.toArray(new Credential[] {})); final Authentication original = ticketGrantingTicket.getAuthentication(); if (!currentAuthentication.getPrincipal().equals(original.getPrincipal())) { throw new MixedPrincipalException( currentAuthentication, currentAuthentication.getPrincipal(), original.getPrincipal()); } ticketGrantingTicket.getSupplementalAuthentications().add(currentAuthentication); } if (currentAuthentication == null && !registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) { logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId()); throw new UnauthorizedSsoServiceException(); } final Service proxiedBy = ticketGrantingTicket.getProxiedBy(); if (proxiedBy != null) { logger.debug( "TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId()); final RegisteredService proxyingService = servicesManager.findServiceBy(proxiedBy); if (proxyingService != null) { logger.debug("Located proxying service [{}] in the service registry", proxyingService); if (!proxyingService.getProxyPolicy().isAllowedToProxy()) { logger.warn( "Found proxying service {}, but it is not authorized to fulfill the proxy attempt made by {}", proxyingService.getId(), service.getId()); throw new UnauthorizedProxyingException( "Proxying is not allowed for registered service " + registeredService.getId()); } } else { logger.warn( "No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.", service.getId(), registeredService.getId()); throw new UnauthorizedProxyingException( "Proxying is not allowed for registered service " + registeredService.getId()); } } else { logger.trace("TGT is not proxied by another service"); } // Perform security policy check by getting the authentication that satisfies the configured // policy // This throws if no suitable policy is found getAuthenticationSatisfiedByPolicy( ticketGrantingTicket, new ServiceContext(service, registeredService)); final List<Authentication> authentications = ticketGrantingTicket.getChainedAuthentications(); final Principal principal = authentications.get(authentications.size() - 1).getPrincipal(); final Map<String, Object> principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal); if (!registeredService .getAccessStrategy() .doPrincipalAttributesAllowServiceAccess(principalAttrs)) { logger.warn( "ServiceManagement: Cannot grant service ticket because Service [{}] is not authorized for use by [{}].", service.getId(), principal); throw new UnauthorizedServiceForPrincipalException(); } final String uniqueTicketIdGenKey = service.getClass().getName(); logger.debug("Looking up service ticket id generator for [{}]", uniqueTicketIdGenKey); UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey); if (serviceTicketUniqueTicketIdGenerator == null) { serviceTicketUniqueTicketIdGenerator = this.defaultServiceTicketIdGenerator; logger.debug( "Service ticket id generator not found for [{}]. Using the default generator...", uniqueTicketIdGenKey); } final String ticketPrefix = authentications.size() == 1 ? ServiceTicket.PREFIX : ServiceTicket.PROXY_TICKET_PREFIX; final String ticketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ticketPrefix); final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket( ticketId, service, this.serviceTicketExpirationPolicy, currentAuthentication != null); this.serviceTicketRegistry.addTicket(serviceTicket); logger.info( "Granted ticket [{}] for service [{}] for user [{}]", serviceTicket.getId(), service.getId(), principal.getId()); return serviceTicket; }
/** * Add registered service to services manager. * * @param svc the svc */ protected final void addRegisteredServiceToServicesManager(final RegisteredService svc) { logger.debug("Adding {} to application context services", svc); final ServicesManager manager = getServicesManager(); manager.save(svc); }