/**
 * Builds the SAML bearer token assertion presented when authenticating to the S-RAMP Atom API.
 *
 * <p>Issuer and audience (service) are read from configuration. Only when
 * {@code SRAMP_API_SAML_AUTH_SIGN_ASSERTIONS} is exactly the string {@code "true"} is the
 * assertion signed with the key taken from the configured keystore; any other value, including
 * an absent property, yields an <em>unsigned</em> assertion, which the receiving side can only
 * accept if it does not require signatures.
 *
 * @return the assertion as XML text, signed or not according to configuration
 * @throws RuntimeException wrapping any keystore-loading or signing failure
 */
private static String createSAMLBearerTokenAssertion() {
  final String issuer = SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_ISSUER);
  final String service =
      SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_SERVICE);
  final String assertionXml = SAMLAssertionUtil.createSAMLAssertion(issuer, service);

  final String signFlag =
      SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_SIGN_ASSERTIONS);
  if (!"true".equals(signFlag)) { // $NON-NLS-1$
    // Signing disabled: hand back the bare assertion.
    return assertionXml;
  }

  // Keystore material is only needed when signing is switched on.
  final String keystorePath =
      SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_KEYSTORE);
  final String keystorePassword =
      SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_KEYSTORE_PASSWORD);
  final String keyAlias =
      SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_KEY_ALIAS);
  final String keyAliasPassword =
      SrampUIConfig.config.getString(SrampUIConfig.SRAMP_API_SAML_AUTH_KEY_PASSWORD);
  try {
    final KeyStore keystore = SAMLBearerTokenUtil.loadKeystore(keystorePath, keystorePassword);
    final KeyPair signingKey =
        SAMLBearerTokenUtil.getKeyPair(keystore, keyAlias, keyAliasPassword);
    return SAMLBearerTokenUtil.signSAMLAssertion(assertionXml, signingKey);
  } catch (Exception e) {
    // Signing was requested but is impossible: fail loudly rather than send an unsigned token.
    throw new RuntimeException(e);
  }
}
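/**
 * Loads the keystore that holds the key used to verify assertion signatures.
 *
 * <p>Path and password come from this filter's {@code keystorePath} / {@code keystorePassword}
 * fields; the keystore is re-read from disk on every call.
 *
 * @return the opened keystore
 * @throws IOException if the keystore cannot be loaded. The underlying exception is attached as
 *     the cause so that the real reason (missing file, wrong password, unsupported type) is not
 *     lost — the previous version forwarded only {@code getMessage()}.
 */
private KeyStore loadKeystore() throws IOException {
  try {
    return SAMLBearerTokenUtil.loadKeystore(keystorePath, keystorePassword);
  } catch (Exception e) {
    // Kept for parity with the rest of this filter; there is no logger in scope here.
    e.printStackTrace();
    throw new IOException(
        Messages.getString("SamlBearerTokenAuthFilter.ErrorLoadingKeystore") + e.getMessage(), // $NON-NLS-1$
        e);
  }
}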
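/**
 * Gets the key pair used to validate an assertion's signature.
 *
 * <p>The key is looked up by the filter's configured {@code keyAlias} / {@code keyPassword} in
 * the keystore returned by {@link #loadKeystore()}. Note that the {@code assertion} argument is
 * not consulted: the same configured key is used for every assertion, regardless of its issuer,
 * so all allowed issuers must sign with that one key.
 *
 * @param assertion the parsed assertion (currently unused; see above)
 * @return the key pair stored under the configured alias
 * @throws IOException if the keystore cannot be loaded or the alias cannot be resolved. The
 *     underlying exception is attached as the cause so the original failure is not lost.
 */
private KeyPair getKeyPair(AssertionType assertion) throws IOException {
  KeyStore keystore = loadKeystore();
  try {
    return SAMLBearerTokenUtil.getKeyPair(keystore, keyAlias, keyPassword);
  } catch (Exception e) {
    // Kept for parity with the rest of this filter; there is no logger in scope here.
    e.printStackTrace();
    throw new IOException(
        Messages.getString("SamlBearerTokenAuthFilter.FailedToGetKeyPair") + keyAlias, // $NON-NLS-1$
        e);
  }
}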
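/**
 * Handles SAML bearer token authentication. The password supplied by the caller is assumed to be
 * a SAML assertion in XML form.
 *
 * <p>Processing order: the assertion text is parsed, then
 * {@code SAMLBearerTokenUtil.validateAssertion} checks it against the request and
 * {@code allowedIssuers}, and — only when {@code signatureRequired} is set — its XML signature is
 * verified against the key from {@link #getKeyPair(AssertionType)}. With
 * {@code signatureRequired == false} any well-formed assertion naming an allowed issuer is
 * accepted without any proof of origin, so that flag should be {@code true} outside development.
 *
 * <p>The assertion is untrusted input. The StAX factory is therefore configured to reject DTDs
 * and external entities before parsing; the JDK default factory enables both, which exposes the
 * server to XXE / entity-expansion attacks via the password field.
 *
 * @param assertionData the raw SAML assertion XML passed as the password
 * @param request the current request, handed to assertion validation
 * @return the principal produced by {@code consumeAssertion} for the validated assertion
 * @throws IOException if the assertion is rejected (failed validation or invalid signature) or
 *     the verification key cannot be loaded
 * @throws RuntimeException wrapping any parse or cast failure
 */
protected SimplePrincipal doSamlLogin(String assertionData, HttpServletRequest request)
    throws IOException {
  try {
    // NOTE(review): DocumentUtil.getDocument() is project code that parses the same untrusted
    // string into a DOM for signature checking — confirm it also disables DTD/external-entity
    // resolution.
    Document samlAssertion = DocumentUtil.getDocument(assertionData);

    // Harden the StAX parser: the default XMLInputFactory resolves DTDs and external entities.
    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);

    XMLEventReader xmlEventReader =
        xmlInputFactory.createXMLEventReader(new StringReader(assertionData));
    SAMLAssertionParser parser = new SAMLAssertionParser();
    Object parsed = parser.parse(xmlEventReader);
    // A non-Assertion root (e.g. a Response) fails the cast and surfaces as a RuntimeException.
    AssertionType assertion = (AssertionType) parsed;

    // Issuer/time/audience checks run first; signature is checked only if required.
    SAMLBearerTokenUtil.validateAssertion(assertion, request, allowedIssuers);
    if (signatureRequired) {
      KeyPair keyPair = getKeyPair(assertion);
      if (!SAMLBearerTokenUtil.isSAMLAssertionSignatureValid(samlAssertion, keyPair)) {
        throw new IOException(
            Messages.getString("SamlBearerTokenAuthFilter.InvalidSig")); // $NON-NLS-1$
      }
    }
    return consumeAssertion(assertion);
  } catch (IOException e) {
    // Rejections are already IOExceptions; pass them through unchanged.
    throw e;
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
}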
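/**
 * Creates a SAML assertion for the principal of the request bound to the current thread.
 *
 * <p>The request is taken from {@code HttpRequestThreadLocalValve.TL_request}; the assertion's
 * subject and roles are copied from the container-authenticated Tomcat
 * {@code GenericPrincipal}, so the token conveys exactly the roles the container granted.
 *
 * <p>Fix: when the request carries no principal (unauthenticated caller) the original message
 * construction dereferenced {@code principal.getClass()} and threw a NullPointerException,
 * masking the intended "unexpected principal type" diagnostic. The type is now rendered as
 * {@code "null"} in that case.
 *
 * @param issuerName the assertion issuer
 * @param forService the audience / service the assertion is intended for
 * @param timeValidInMillis validity window passed through to the assertion builder
 * @return the assertion as XML text
 * @throws RuntimeException wrapping any failure, including an unexpected or missing principal
 * @see org.overlord.commons.auth.util.SAMLAssertionFactory#createSAMLAssertion(java.lang.String,
 *     java.lang.String, int)
 */
@Override
public String createSAMLAssertion(String issuerName, String forService, int timeValidInMillis) {
  try {
    // NOTE(review): TL_request is null if the valve did not run for this thread; that still
    // surfaces as a wrapped NullPointerException below.
    HttpServletRequest request = HttpRequestThreadLocalValve.TL_request.get();
    Principal principal = request.getUserPrincipal();
    if (principal instanceof GenericPrincipal) {
      GenericPrincipal gp = (GenericPrincipal) principal;
      String[] gpRoles = gp.getRoles();
      Set<String> roles = new HashSet<String>(gpRoles.length);
      for (String role : gpRoles) {
        roles.add(role);
      }
      return SAMLBearerTokenUtil.createSAMLAssertion(
          principal, roles, issuerName, forService, timeValidInMillis);
    }
    // Null-safe: report "null" rather than NPE-ing while building the error message.
    Object principalType = (principal == null) ? null : principal.getClass();
    throw new Exception(
        Messages.getString("TomcatSAMLAssertionFactory.UnexpectedPrincipalType") + principalType); // $NON-NLS-1$
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
}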