/**
* Serializes the specified SAML 2.0 based XML content representation to its corresponding actual
* XML syntax representation.
*
* @param xmlObject the SAML 2.0 based XML content object
* @return a {@link String} representation of the actual XML representation of the SAML 2.0 based
* XML content representation
* @throws SSOException if an error occurs during the marshalling process
*/
public static String marshall(XMLObject xmlObject) throws SSOException {
try {
// Explicitly sets the special XML parser library to be used, in the global variables
System.setProperty(
"javax.xml.parsers.DocumentBuilderFactory",
"org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
Marshaller marshaller = marshallerFactory.getMarshaller(xmlObject);
Element element = marshaller.marshall(xmlObject);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
DOMImplementationRegistry registry = DOMImplementationRegistry.newInstance();
DOMImplementationLS implementation =
(DOMImplementationLS) registry.getDOMImplementation("LS");
LSSerializer writer = implementation.createLSSerializer();
LSOutput output = implementation.createLSOutput();
output.setByteStream(byteArrayOutputStream);
writer.write(element, output);
return new String(byteArrayOutputStream.toByteArray(), Charset.forName("UTF-8"));
} catch (ClassNotFoundException
| InstantiationException
| MarshallingException
| IllegalAccessException e) {
throw new SSOException("Error in marshalling SAML2 Assertion", e);
}
}
private XMLObject unmarshall(String samlString) throws SAMLSSOException {
try {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
documentBuilderFactory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
docBuilder.setEntityResolver(new CarbonEntityResolver());
ByteArrayInputStream is = new ByteArrayInputStream(samlString.getBytes());
Document document = docBuilder.parse(is);
Element element = document.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
return unmarshaller.unmarshall(element);
} catch (ParserConfigurationException e) {
throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
} catch (UnmarshallingException e) {
throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
} catch (SAXException e) {
throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
} catch (IOException e) {
throw new SAMLSSOException("Error in unmarshalling SAML Request from the encoded String", e);
}
}
/**
* Serializes an authentication request into a string.
*
* @param request the request to serialize
* @return the serialized form of the string
* @throws MarshallingException thrown if the request can not be marshalled and serialized
*/
protected String serializeRequest(AuthnRequest request) throws MarshallingException {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(request);
Element requestElem = marshaller.marshall(request);
StringWriter writer = new StringWriter();
XMLHelper.writeNode(requestElem, writer);
return writer.toString();
}
@BeforeClass
public static void initializeOpenSAML() throws Exception {
DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance();
System.out.println(newFactory.getClass().getName());
DefaultBootstrap.bootstrap();
builderFactory = Configuration.getBuilderFactory();
}
/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement)
throws MarshallingException {
RequestAbstractType req = (RequestAbstractType) samlObject;
if (req.getVersion() != null) {
domElement.setAttributeNS(
null, RequestAbstractType.VERSION_ATTRIB_NAME, req.getVersion().toString());
}
if (req.getID() != null) {
domElement.setAttributeNS(null, RequestAbstractType.ID_ATTRIB_NAME, req.getID());
domElement.setIdAttributeNS(null, RequestAbstractType.ID_ATTRIB_NAME, true);
}
if (req.getVersion() != null) {
domElement.setAttributeNS(
null, RequestAbstractType.VERSION_ATTRIB_NAME, req.getVersion().toString());
}
if (req.getIssueInstant() != null) {
String iiStr = Configuration.getSAMLDateFormatter().print(req.getIssueInstant());
domElement.setAttributeNS(null, RequestAbstractType.ISSUE_INSTANT_ATTRIB_NAME, iiStr);
}
if (req.getDestination() != null) {
domElement.setAttributeNS(
null, RequestAbstractType.DESTINATION_ATTRIB_NAME, req.getDestination());
}
if (req.getConsent() != null) {
domElement.setAttributeNS(null, RequestAbstractType.CONSENT_ATTRIB_NAME, req.getConsent());
}
}
/**
* Gets the authentication request object.
*
* @return the authentication request object
* @throws UnmarshallingException thrown if there is a problem unmarshalling the serialized form
* of the request
*/
public synchronized AuthnRequest getAuthenticiationRequestXmlObject()
throws UnmarshallingException {
if (authnRequest == null) {
try {
ParserPool parser = Configuration.getParserPool();
Document requestDoc = parser.parse(new StringReader(serialAuthnRequest));
Unmarshaller requestUnmarshaller =
Configuration.getUnmarshallerFactory().getUnmarshaller(AuthnRequest.TYPE_NAME);
authnRequest =
(AuthnRequest) requestUnmarshaller.unmarshall(requestDoc.getDocumentElement());
} catch (XMLParserException e) {
throw new UnmarshallingException(
"Unable to unmarshall serialized authentication request", e);
}
}
return authnRequest;
}
/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement)
throws MarshallingException {
AuthnStatement authnStatement = (AuthnStatement) samlObject;
if (authnStatement.getAuthnInstant() != null) {
String authnInstantStr =
Configuration.getSAMLDateFormatter().print(authnStatement.getAuthnInstant());
domElement.setAttributeNS(null, AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME, authnInstantStr);
}
if (authnStatement.getSessionIndex() != null) {
domElement.setAttributeNS(
null, AuthnStatement.SESSION_INDEX_ATTRIB_NAME, authnStatement.getSessionIndex());
}
if (authnStatement.getSessionNotOnOrAfter() != null) {
String sessionNotOnOrAfterStr =
Configuration.getSAMLDateFormatter().print(authnStatement.getSessionNotOnOrAfter());
domElement.setAttributeNS(
null, AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME, sessionNotOnOrAfterStr);
}
}
/**
* Constructing the XMLObject Object from a String
*
* @param authReqStr
* @return Corresponding XMLObject which is a SAML2 object
* @throws Exception
*/
public static XMLObject unmarshall(String authReqStr) throws Exception {
try {
doBootstrap();
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = docBuilder.parse(new ByteArrayInputStream(authReqStr.trim().getBytes()));
Element element = document.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
return unmarshaller.unmarshall(element);
} catch (Exception e) {
throw new Exception("Error in constructing AuthRequest from " + "the encoded String ", e);
}
}
/**
* Returns a SAML 2.0 based XML content representation from the {@code String} value representing
* the XML syntax.
*
* @param xmlString the {@link String} representation of the XML content
* @return an XML object from the {@link String} value representing the XML syntax
* @throws SSOException if an error occurs when unmarshalling the XML string representation
*/
public static XMLObject unmarshall(String xmlString) throws SSOException {
doBootstrap();
try {
DocumentBuilder docBuilder =
SSOUtils.getDocumentBuilder(false, true, Optional.of(new XMLEntityResolver()));
ByteArrayInputStream inputStream =
new ByteArrayInputStream(xmlString.getBytes(Charset.forName("UTF-8")));
Document document = docBuilder.parse(inputStream);
Element element = document.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
return unmarshaller.unmarshall(element);
} catch (UnmarshallingException | SAXException | IOException e) {
throw new SSOException("Error in unmarshalling the XML string representation", e);
}
}
/**
* Encodes the SAML 2.0 based request XML object into its corresponding Base64 notation, based on
* the type of SAML 2.0 binding.
*
* @param requestMessage the {@link RequestAbstractType} XML object to be encoded
* @param binding the SAML 2.0 binding type
* @return encoded {@link String} corresponding to the request XML object
* @throws SSOException if an error occurs while encoding SAML2 request
*/
protected static String encodeRequestMessage(RequestAbstractType requestMessage, String binding)
throws SSOException {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(requestMessage);
Element authDOM;
try {
// Marshall this element, and its children, and root them in a newly created Document
authDOM = marshaller.marshall(requestMessage);
} catch (MarshallingException e) {
throw new SSOException(
"Error occurred while encoding SAML2 request, failed to marshall the SAML 2.0. "
+ "Request element XMLObject to its corresponding W3C DOM element",
e);
}
StringWriter writer = new StringWriter();
// Writes the node out to the writer using the DOM
XMLHelper.writeNode(authDOM, writer);
if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(binding)) {
// Compress the message, Base 64 encode and URL encode
Deflater deflater = new Deflater(Deflater.DEFLATED, true);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
try (DeflaterOutputStream deflaterOutputStream =
new DeflaterOutputStream(byteArrayOutputStream, deflater)) {
deflaterOutputStream.write(writer.toString().getBytes(Charset.forName("UTF-8")));
} catch (IOException e) {
throw new SSOException("Error occurred while deflate encoding SAML2 request", e);
}
String encodedRequestMessage =
Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
try {
return URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();
} catch (UnsupportedEncodingException e) {
throw new SSOException("Error occurred while encoding SAML2 request", e);
}
} else if (SAMLConstants.SAML2_POST_BINDING_URI.equals(binding)) {
return Base64.encodeBytes(
writer.toString().getBytes(Charset.forName("UTF-8")), Base64.DONT_BREAK_LINES);
} else {
logger.log(
Level.FINE,
"Unsupported SAML2 HTTP Binding. Defaulting to " + SAMLConstants.SAML2_POST_BINDING_URI);
return Base64.encodeBytes(
writer.toString().getBytes(Charset.forName("UTF-8")), Base64.DONT_BREAK_LINES);
}
}
private String encodeRequestMessage(RequestAbstractType requestMessage) throws SAMLSSOException {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(requestMessage);
Element authDOM = null;
try {
authDOM = marshaller.marshall(requestMessage);
/* Compress the message */
Deflater deflater = new Deflater(Deflater.DEFLATED, true);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
DeflaterOutputStream deflaterOutputStream =
new DeflaterOutputStream(byteArrayOutputStream, deflater);
StringWriter rspWrt = new StringWriter();
XMLHelper.writeNode(authDOM, rspWrt);
deflaterOutputStream.write(rspWrt.toString().getBytes());
deflaterOutputStream.close();
/* Encoding the compressed message */
String encodedRequestMessage =
Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
byteArrayOutputStream.write(byteArrayOutputStream.toByteArray());
byteArrayOutputStream.toString();
// log saml
if (log.isDebugEnabled()) {
log.debug("SAML Request : " + rspWrt.toString());
}
return URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();
} catch (MarshallingException e) {
throw new SAMLSSOException("Error occurred while encoding SAML request", e);
} catch (UnsupportedEncodingException e) {
throw new SAMLSSOException("Error occurred while encoding SAML request", e);
} catch (IOException e) {
throw new SAMLSSOException("Error occurred while encoding SAML request", e);
}
}
private void init(InputStream inputStream) throws SAMLException {
BasicParserPool parsers = new BasicParserPool();
parsers.setNamespaceAware(true);
EntityDescriptor edesc;
try {
Document doc = parsers.parse(inputStream);
Element root = doc.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
edesc = (EntityDescriptor) unmarshallerFactory.getUnmarshaller(root).unmarshall(root);
} catch (org.opensaml.xml.parse.XMLParserException e) {
throw new SAMLException(e);
} catch (org.opensaml.xml.io.UnmarshallingException e) {
throw new SAMLException(e);
}
// fetch sp information
SPSSODescriptor spDesc = edesc.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
if (spDesc == null) throw new SAMLException("No SP SSO descriptor found");
// get first redirect or post binding
String acsUrl = null;
for (AssertionConsumerService svc : spDesc.getAssertionConsumerServices()) {
if (svc.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)
|| svc.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
acsUrl = svc.getLocation();
break;
}
}
if (acsUrl == null) throw new SAMLException("No acceptable Assertion Consumer Service found");
this.setEntityId(edesc.getEntityID());
this.setAcs(acsUrl);
}
private AttributeStatement buildAttributeStatement(Map<String, String> claims) {
AttributeStatement attStmt = null;
if (claims != null) {
attStmt = new AttributeStatementBuilder().buildObject();
Iterator<String> ite = claims.keySet().iterator();
for (int i = 0; i < claims.size(); i++) {
Attribute attrib = new AttributeBuilder().buildObject();
String claimUri = ite.next();
attrib.setName(claimUri);
// look
// https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaAnyTypes
XSStringBuilder stringBuilder =
(XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
XSString stringValue =
stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
stringValue.setValue(claims.get(claimUri));
attrib.getAttributeValues().add(stringValue);
attStmt.getAttributes().add(attrib);
}
}
return attStmt;
}
protected String encodeRequestMessage(RequestAbstractType requestMessage, String binding)
throws SSOAgentException {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(requestMessage);
Element authDOM = null;
try {
authDOM = marshaller.marshall(requestMessage);
StringWriter rspWrt = new StringWriter();
XMLHelper.writeNode(authDOM, rspWrt);
if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(binding)) {
// Compress the message, Base 64 encode and URL encode
Deflater deflater = new Deflater(Deflater.DEFLATED, true);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
DeflaterOutputStream deflaterOutputStream =
new DeflaterOutputStream(byteArrayOutputStream, deflater);
deflaterOutputStream.write(rspWrt.toString().getBytes(Charset.forName("UTF-8")));
deflaterOutputStream.close();
String encodedRequestMessage =
Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
return URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();
} else if (SAMLConstants.SAML2_POST_BINDING_URI.equals(binding)) {
return Base64.encodeBytes(rspWrt.toString().getBytes(), Base64.DONT_BREAK_LINES);
} else {
LOGGER.log(
Level.FINE,
"Unsupported SAML2 HTTP Binding. Defaulting to "
+ SAMLConstants.SAML2_POST_BINDING_URI);
return Base64.encodeBytes(rspWrt.toString().getBytes(), Base64.DONT_BREAK_LINES);
}
} catch (MarshallingException e) {
throw new SSOAgentException("Error occurred while encoding SAML2 request", e);
} catch (UnsupportedEncodingException e) {
throw new SSOAgentException("Error occurred while encoding SAML2 request", e);
} catch (IOException e) {
throw new SSOAgentException("Error occurred while encoding SAML2 request", e);
}
}
@Override
protected void internalInit() {
CommonHelper.assertTrue(
CommonHelper.isNotBlank(this.idpMetadata) || CommonHelper.isNotBlank(this.idpMetadataPath),
"Either idpMetadata or idpMetadataPath must be provided");
CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
if (!this.callbackUrl.startsWith("http")) {
throw new TechnicalException("SAML callbackUrl must be absolute");
}
if (CommonHelper.isNotBlank(this.keystorePath)
|| CommonHelper.isNotBlank(this.keystorePassword)
|| CommonHelper.isNotBlank(this.privateKeyPassword)) {
CommonHelper.assertNotBlank("keystorePath", this.keystorePath);
CommonHelper.assertNotBlank("keystorePassword", this.keystorePassword);
CommonHelper.assertNotBlank("privateKeyPassword", this.privateKeyPassword);
// load private key from the keystore and provide it as OpenSAML credentials
this.credentialProvider =
new CredentialProvider(this.keystorePath, this.keystorePassword, this.privateKeyPassword);
this.decrypter = new EncryptionProvider(this.credentialProvider).buildDecrypter();
}
// Bootsrap OpenSAML
try {
DefaultBootstrap.bootstrap();
NamedKeyInfoGeneratorManager manager =
Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
X509KeyInfoGeneratorFactory generator = new X509KeyInfoGeneratorFactory();
generator.setEmitEntityCertificate(true);
generator.setEmitEntityCertificateChain(true);
manager.registerFactory(Saml2Client.SAML_METADATA_KEY_INFO_GENERATOR, generator);
} catch (ConfigurationException e) {
throw new SamlException("Error bootstrapping OpenSAML", e);
}
// required parserPool for XML processing
final StaticBasicParserPool parserPool = newStaticBasicParserPool();
final AbstractMetadataProvider idpMetadataProvider = idpMetadataProvider(parserPool);
final XMLObject md;
try {
md = idpMetadataProvider.getMetadata();
} catch (MetadataProviderException e) {
throw new SamlException("Error initializing idpMetadataProvider", e);
}
// If no idpEntityId declared, select first EntityDescriptor entityId as our IDP entityId
if (this.idpEntityId == null) {
this.idpEntityId = getIdpEntityId(md);
}
// Generate our Service Provider metadata
Saml2MetadataGenerator metadataGenerator = new Saml2MetadataGenerator();
if (this.credentialProvider != null) {
metadataGenerator.setCredentialProvider(this.credentialProvider);
metadataGenerator.setAuthnRequestSigned(true);
}
// If the spEntityId is blank, use the callback url
if (CommonHelper.isBlank(this.spEntityId)) {
this.spEntityId = getCallbackUrl();
}
metadataGenerator.setEntityId(this.spEntityId);
// Assertion consumer service url is the callback url
metadataGenerator.setAssertionConsumerServiceUrl(getCallbackUrl());
// for now same for logout url
metadataGenerator.setSingleLogoutServiceUrl(getCallbackUrl());
AbstractMetadataProvider spMetadataProvider = metadataGenerator.buildMetadataProvider();
// Initialize metadata provider for our SP and get the XML as a String
try {
spMetadataProvider.initialize();
this.spMetadata = metadataGenerator.printMetadata();
} catch (MetadataProviderException e) {
throw new TechnicalException("Error initializing spMetadataProvider", e);
} catch (MarshallingException e) {
logger.warn("Unable to print SP metadata", e);
}
// Put IDP and SP metadata together
ChainingMetadataProvider metadataManager = new ChainingMetadataProvider();
try {
metadataManager.addMetadataProvider(idpMetadataProvider);
metadataManager.addMetadataProvider(spMetadataProvider);
} catch (MetadataProviderException e) {
throw new TechnicalException("Error adding idp or sp metadatas to manager", e);
}
// Build the contextProvider
this.contextProvider =
new Saml2ContextProvider(metadataManager, this.idpEntityId, this.spEntityId);
// Get an AuthnRequest builder
this.authnRequestBuilder =
new Saml2AuthnRequestBuilder(forceAuth, comparisonType, destinationBindingType);
// Build the WebSSO handler for sending and receiving SAML2 messages
MessageEncoder encoder = null;
if (SAMLConstants.SAML2_POST_BINDING_URI.equals(destinationBindingType)) {
// Get a velocity engine for the HTTP-POST binding (building of an HTML document)
VelocityEngine velocityEngine = VelocityEngineFactory.getEngine();
encoder = new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm");
} else if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(destinationBindingType)) {
encoder = new HTTPRedirectDeflateEncoder();
} else {
throw new UnsupportedOperationException(
"Binding type - " + destinationBindingType + " is not supported");
}
// Do we need binding specific decoder?
MessageDecoder decoder = new Pac4jHTTPPostDecoder(parserPool);
this.handler =
new Saml2WebSSOProfileHandler(
this.credentialProvider, encoder, decoder, parserPool, destinationBindingType);
// Build provider for digital signature validation and encryption
this.signatureTrustEngineProvider = new SignatureTrustEngineProvider(metadataManager);
// Build the SAML response validator
this.responseValidator = new Saml2ResponseValidator();
if (this.maximumAuthenticationLifetime != null) {
this.responseValidator.setMaximumAuthenticationLifetime(this.maximumAuthenticationLifetime);
}
}
/**
* @param SAMLToken - SAML Assertion XML
* @param contextAttributeName - SAML Attribute name containing Context data
* @param verfiySignature
* @return a base64 encoded string containing the context
* @throws SAMLValidationException - if validation fails
*/
public static List<AttributeStatement> validate(byte[] SAMLToken, SAMLConfiguration samlConfig)
throws SAMLValidationException {
if (logger.isDebugEnabled()) {
logger.debug("validate(byte[], SAMLConfiguration) - start"); // $NON-NLS-1$
}
Decrypter samlDecrypter = samlConfig.getSamlDecrypter();
SignatureTrustEngine sigTrustEngine = samlConfig.getTrustEngine();
String myURI = samlConfig.getMyURI();
MessageReplayRule replayRule = samlConfig.getReplayRule();
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);
VerifySignatureType verfiySignature = samlConfig.getVerifySignature();
List<AttributeStatement> attrStatements = null;
if (SAMLToken != null) {
try {
InputStream in = new ByteArrayInputStream(SAMLToken);
Document SAMLDoc;
try {
SAMLDoc = ppMgr.parse(in);
} catch (XMLParserException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Error parsing SAML XML", true, e);
}
Element responseElement = SAMLDoc.getDocumentElement();
SAMLType samlType = SAMLType.Response;
if (responseElement == null) {
throw createSAMLValidationException(
"Missing SAML Encrypted Assertion or Assertion or Assertion Response", true);
}
if (!"Response".equals(responseElement.getLocalName())
|| !SAMLConstants.SAML20P_NS.equals(responseElement.getNamespaceURI())) {
if (!"Assertion".equals(responseElement.getLocalName())
|| !SAMLConstants.SAML20_NS.equals(responseElement.getNamespaceURI())) {
if (!"EncryptedAssertion".equals(responseElement.getLocalName())
|| !SAMLConstants.SAML20_NS.equals(responseElement.getNamespaceURI())) {
throw createSAMLValidationException(
"Missing or invalid SAML Encrypted Assertion or Assertion or Assertion Response",
true);
} else {
samlType = SAMLType.EncryptedAssertion;
}
} else {
samlType = SAMLType.Assertion;
}
} else {
samlType = SAMLType.Response;
}
if (samlType == SAMLType.Response) {
// Unmarshall SAML Assertion Response into an OpenSAML Java object.
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(responseElement);
Response samlResponse;
try {
samlResponse = (Response) unmarshaller.unmarshall(responseElement);
} catch (UnmarshallingException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Error in unmarshalling SAML XML Document", true, e);
}
// Check the replay attack for Response
if (replayRule != null) {
BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
// messageContext.setInboundMessage(samlResponse);
if (samlResponse.getIssuer() != null)
messageContext.setInboundMessageIssuer(samlResponse.getIssuer().getValue());
messageContext.setInboundSAMLMessageId(samlResponse.getID());
try {
replayRule.evaluate(messageContext);
} catch (SecurityPolicyException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Possible Replay Attack for Response", false, e);
}
}
// Validate the status code
if (!StatusCode.SUCCESS_URI.equals(samlResponse.getStatus().getStatusCode().getValue())) {
throw createSAMLValidationException("Invalid Status Code.", true);
}
boolean responseSignatureVerified =
validateResponseSignature(samlResponse, sigTrustEngine, verfiySignature);
// Get first encrypted Assertion, if not present get first unencrypted assertion
int assertCount = samlResponse.getEncryptedAssertions().size();
if (assertCount == 0) {
assertCount = samlResponse.getAssertions().size();
if (assertCount == 0) {
throw createSAMLValidationException(
"No Assertion or EncryptedAssertion found in received response", true);
} else {
for (Assertion samlAssertion : samlResponse.getAssertions()) {
attrStatements =
validateAssertion(
samlAssertion,
sigTrustEngine,
myURI,
replayRule,
verfiySignature,
responseSignatureVerified);
break; // Use the first only
}
}
} else {
for (EncryptedAssertion samlEncryptedAssertion :
samlResponse.getEncryptedAssertions()) {
// Decryption
Assertion samlAssertion = null;
try {
samlAssertion = samlDecrypter.decrypt(samlEncryptedAssertion);
} catch (DecryptionException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Error Decrypting Received Encrypted Assertion", true, e);
}
attrStatements =
validateAssertion(
samlAssertion,
sigTrustEngine,
myURI,
replayRule,
verfiySignature,
responseSignatureVerified);
break; // Use the first only
}
}
} else if (samlType == SAMLType.EncryptedAssertion) {
// Unmarshall SAML Encrypted Assertion into an OpenSAML Java object.
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(responseElement);
EncryptedAssertion encryptedAssertion = null;
try {
encryptedAssertion = (EncryptedAssertion) unmarshaller.unmarshall(responseElement);
} catch (UnmarshallingException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Error in unmarshalling SAML XML Document", true, e);
}
boolean responseSignatureVerified = false;
// Decryption
Assertion samlAssertion = null;
try {
samlAssertion = samlDecrypter.decrypt(encryptedAssertion);
} catch (DecryptionException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Error Decrypting Received Encrypted Assertion", true, e);
}
attrStatements =
validateAssertion(
samlAssertion,
sigTrustEngine,
myURI,
replayRule,
verfiySignature,
responseSignatureVerified);
} else if (samlType == SAMLType.Assertion) {
// Unmarshall SAML Assertion into an OpenSAML Java object.
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(responseElement);
Assertion samlAssertion = null;
try {
samlAssertion = (Assertion) unmarshaller.unmarshall(responseElement);
} catch (UnmarshallingException e) {
logger.error(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Error in unmarshalling SAML XML Document", true, e);
}
boolean responseSignatureVerified = false;
attrStatements =
validateAssertion(
samlAssertion,
sigTrustEngine,
myURI,
replayRule,
verfiySignature,
responseSignatureVerified);
}
} catch (SAMLValidationException e) {
throw e;
}
}
if (logger.isDebugEnabled()) {
logger.debug(
"validate(byte[], String, Decrypter, SignatureTrustEngine, String, MessageReplayRule, ParserPool, VerifySignatureType) - end"); //$NON-NLS-1$
}
return attrStatements;
}
/** Constructor. */
public SAML1ScopedStringAttributeEncoder() {
super();
attributeBuilder =
(SAMLObjectBuilder<Attribute>)
Configuration.getBuilderFactory().getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
}
/** Constructor. */
public SAML1NameIdentifierAttributeDefinition() {
super();
nameIdBuilder =
(SAMLObjectBuilder<NameIdentifier>)
Configuration.getBuilderFactory().getBuilder(NameIdentifier.DEFAULT_ELEMENT_NAME);
}