コード例 #1
0
  /**
   * Validate the AudienceRestriction of SAML2 Response
   *
   * @param assertion SAML2 Assertion
   * @return validity
   */
  protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {

    if (assertion != null) {
      Conditions conditions = assertion.getConditions();
      if (conditions != null) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
          boolean audienceFound = false;
          for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            if (audienceRestriction.getAudiences() != null
                && !audienceRestriction.getAudiences().isEmpty()) {
              for (Audience audience : audienceRestriction.getAudiences()) {
                if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) {
                  audienceFound = true;
                  break;
                }
              }
            }
            if (audienceFound) {
              break;
            }
          }
          if (!audienceFound) {
            throw new SSOAgentException("SAML2 Assertion Audience Restriction validation failed");
          }
        } else {
          throw new SSOAgentException("SAML2 Response doesn't contain AudienceRestrictions");
        }
      } else {
        throw new SSOAgentException("SAML2 Response doesn't contain Conditions");
      }
    }
  }
コード例 #2
0
  /**
   * Validate the AudienceRestriction of SAML2 Response
   *
   * @param assertion SAML2 Assertion
   * @return validity
   */
  private void validateAudienceRestriction(Assertion assertion) throws SAMLSSOException {

    if (assertion != null) {
      Conditions conditions = assertion.getConditions();
      if (conditions != null) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
          for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
              boolean audienceFound = false;
              for (Audience audience : audienceRestriction.getAudiences()) {
                if (properties
                    .get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID)
                    .equals(audience.getAudienceURI())) {
                  audienceFound = true;
                  break;
                }
              }
              if (!audienceFound) {
                throw new SAMLSSOException("SAML Assertion Audience Restriction validation failed");
              }
            } else {
              throw new SAMLSSOException(
                  "SAML Response's AudienceRestriction doesn't contain Audiences");
            }
          }
        } else {
          throw new SAMLSSOException("SAML Response doesn't contain AudienceRestrictions");
        }
      } else {
        throw new SAMLSSOException("SAML Response doesn't contain Conditions");
      }
    }
  }
コード例 #3
0
  private static List<AttributeStatement> validateAssertion(
      Assertion samlAssertion,
      SignatureTrustEngine sigTrustEngine,
      String myURI,
      MessageReplayRule replayRule,
      VerifySignatureType verifySignature,
      boolean responseSignatureVerified)
      throws SAMLValidationException {
    if (logger.isDebugEnabled()) {
      logger.debug(
          "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType) - start"); //$NON-NLS-1$
    }

    // Check the replay attack
    if (replayRule != null) {
      BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
      // messageContext.setInboundMessage(samlResponse);
      if (samlAssertion.getIssuer() != null)
        messageContext.setInboundMessageIssuer(samlAssertion.getIssuer().getValue());
      messageContext.setInboundSAMLMessageId(samlAssertion.getID());

      try {
        replayRule.evaluate(messageContext);
      } catch (SecurityPolicyException e) {
        logger.error(
            "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
            e); //$NON-NLS-1$

        throw createSAMLValidationException("Possible Replay Attack for Assertion", false, e);
      }
    }

    if (verifySignature != VerifySignatureType.never) {
      Signature signature = samlAssertion.getSignature();
      if (signature == null) {
        if (verifySignature == VerifySignatureType.force && !responseSignatureVerified) {
          throw createSAMLValidationException("Signature does exist in Assertion", true);
        }
      } else {
        verifySignature(signature, samlAssertion.getIssuer().getValue(), sigTrustEngine);
      }
    }
    DateTime dt = new DateTime();

    // get subject (code below only processes first Subject confirmation)
    Subject subject = samlAssertion.getSubject();
    SubjectSchemaValidator subjectSchemaValidator = new SubjectSchemaValidator();
    try {
      subjectSchemaValidator.validate(subject);
    } catch (ValidationException e) {
      logger.error(
          "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
          e); //$NON-NLS-1$

      throw createSAMLValidationException("Subject validation failed: " + e.getMessage(), true, e);
    }
    List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmations();
    for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
      SubjectConfirmationSchemaValidator subjectConfirmationSchemaValidator =
          new SubjectConfirmationSchemaValidator();
      try {
        subjectConfirmationSchemaValidator.validate(subjectConfirmation);
      } catch (ValidationException e) {
        logger.error(
            "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
            e); //$NON-NLS-1$

        throw createSAMLValidationException(
            "Subject Confirmation validation failed: " + e.getMessage(), true, e);
      }
      SubjectConfirmationData subjectConfirmationData =
          subjectConfirmation.getSubjectConfirmationData();
      try {
        subjectConfirmationSchemaValidator.validate(subjectConfirmation);
      } catch (ValidationException e) {
        logger.error(
            "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
            e); //$NON-NLS-1$

        throw createSAMLValidationException(
            "Subject Confirmation validation failed: " + e.getMessage(), true, e);
      }

      // verify the validity of time using clock skew, subjectConfirmationData.getNotBefore() and
      // subjectConfirmationData.getNotOnOrAfter()@
      DateTime notBefore = subjectConfirmationData.getNotBefore();
      DateTime notAfter = subjectConfirmationData.getNotOnOrAfter();

      if (notBefore != null && dt.isBefore(notBefore)) {
        throw createSAMLValidationException("Subject confirmation expired.", true);
      }

      if (notAfter != null && (dt.equals(notAfter) || dt.isAfter(notAfter))) {
        throw createSAMLValidationException("Subject confirmation expired.", true);
      }
    }

    //		 validate conditions
    Conditions conditions = samlAssertion.getConditions();

    // Validate the spec

    ConditionsSpecValidator conditionValidator = new ConditionsSpecValidator();
    try {
      conditionValidator.validate(conditions);
    } catch (ValidationException e) {
      logger.error(
          "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
          e); //$NON-NLS-1$

      throw createSAMLValidationException("Condition Validity Failed.", true, e);
    }

    // verify the validity of time using clock skew, conditions.getNotBefore() and
    // conditions.getNotOnOrAfter()@
    DateTime notBefore = conditions.getNotBefore();
    DateTime notAfter = conditions.getNotOnOrAfter();
    if (notBefore != null && dt.isBefore(notBefore)) {
      throw createSAMLValidationException("Assertion expired.", true);
    }

    if (notAfter != null && (dt.equals(notAfter) || dt.isAfter(notAfter))) {
      throw createSAMLValidationException("Assertion expired.", true);
    }

    for (Condition condition : conditions.getConditions()) {
      if (condition instanceof AudienceRestriction) {
        if (myURI != null && myURI.length() > 0) {
          boolean audiencePresent = false;
          boolean iAmOneOfTheAudience = false;
          AudienceRestriction audienceRestriction = (AudienceRestriction) condition;
          for (Audience audience : audienceRestriction.getAudiences()) {
            audiencePresent = true;
            String audienceURI = audience.getAudienceURI();
            if (myURI.equals(audienceURI)) {
              iAmOneOfTheAudience = true;
              break;
            }
          }
          if (!(audiencePresent && iAmOneOfTheAudience)) {
            throw createSAMLValidationException(
                "None of the audience is intended for me: " + myURI, false);
          }
        }
      }
    }

    List<AttributeStatement> asList = samlAssertion.getAttributeStatements();

    if (logger.isDebugEnabled()) {
      logger.debug(
          "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType) - end"); //$NON-NLS-1$
    }
    return asList;
  }