Commit c48878ea authored by michael.simon's avatar michael.simon

long story

parent a08b1ddf
......@@ -20,31 +20,29 @@ import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.AttributeService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
import org.opensaml.ws.soap.client.http.HttpClientBuilder;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.core.config.Configuration;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.AttributeService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.soap.common.SOAPException;
import org.opensaml.soap.soap11.Body;
import org.opensaml.soap.soap11.Envelope;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity;
......@@ -104,7 +102,7 @@ public class AttributeQueryHelper implements Serializable {
logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage());
}
*/
Signature signature = (Signature) Configuration.getBuilderFactory()
Signature signature = (Signature) samlHelper.getBuilderFactory()
.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
.buildObject(Signature.DEFAULT_ELEMENT_NAME);
X509KeyInfoGeneratorFactory keyInfoFac = (X509KeyInfoGeneratorFactory) Configuration
......
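Review bot: The statement at L66 still obtains the `X509KeyInfoGeneratorFactory` through the static `Configuration` accessor although the line above was moved to `samlHelper.getBuilderFactory()`; with the import at L36 now binding `Configuration` to `org.opensaml.core.config.Configuration`, which as far as I recall exposes no static `getGlobalSecurityConfiguration()`/`getBuilderFactory()` in OpenSAML 3, this line needs the same migration — the statement continues past the hunk, so I cannot see what it chains into. The OpenSAML 3 equivalents are `ConfigurationService.get(SignatureSigningConfiguration.class).getKeyInfoGeneratorManager()` or simply `X509KeyInfoGeneratorFactory keyInfoFac = new X509KeyInfoGeneratorFactory(); keyInfoFac.setEmitEntityCertificate(true);`. Separately, the pre-existing commented-out `CustomSecureProtocolSocketFactory` block at L59-L61 suggests the attribute-query SOAP client carries no explicit TLS trust configuration; worth confirming that the `HttpClientBuilder` imported at L10 is given a trust engine for the attribute authority's endpoint rather than the JVM default trust store.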
......@@ -15,20 +15,18 @@ import java.io.OutputStreamWriter;
import java.io.Serializable;
import java.nio.charset.Charset;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.ByteArrayRequestEntity;
import org.apache.commons.httpclient.methods.RequestEntity;
import org.opensaml.ws.soap.client.SOAPClientException;
import org.opensaml.ws.soap.client.http.HttpSOAPClient;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.http.client.HttpClient;
import org.opensaml.core.config.Configuration;
import org.opensaml.core.xml.io.Marshaller;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.soap.client.SOAPClientException;
import org.opensaml.soap.client.http.HttpSOAPClient;
import org.opensaml.soap.soap11.Envelope;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.Signer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
......
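Review bot: The hunk drops `org.opensaml.xml.util.XMLHelper` (L84) and the commons-httpclient `RequestEntity`/`ByteArrayRequestEntity` imports (L72-L73) but adds no counterpart — `net.shibboleth.utilities.java.support.xml.SerializeSupport` and HttpComponents' `ByteArrayEntity` would be the OpenSAML 3 / HttpClient 4 equivalents; the method bodies are outside the hunk, so please confirm they were migrated rather than left referencing the removed types. With `ParserPool` now coming from java-support (L85), make sure the pool handed to the SOAP client is built with DOCTYPE declarations disallowed before it parses envelopes from remote attribute authorities; recent `BasicParserPool` versions set that feature by default, but pinning it explicitly costs one line, `pool.setBuilderFeatures(Collections.singletonMap("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE));`.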
......@@ -14,10 +14,12 @@ import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.joda.time.Duration;
import org.joda.time.Instant;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
......@@ -32,9 +34,13 @@ import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.DecryptionConfiguration;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity;
......@@ -123,20 +129,31 @@ public class Saml2ResponseValidationService {
throw new SamlAuthenticationException("No Signature on SignableSamlObject");
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.initialize();
try {
mp.initialize();
} catch (ComponentInitializationException e) {
throw new SamlAuthenticationException("ComponentInit Exception", e);
}
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
KeyInfoCredentialResolver keyInfoCredResolver =
ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
DecryptionConfiguration dc = ConfigurationService.get(DecryptionConfiguration.class);
KeyInfoCredentialResolver keyInfoCredResolver = dc.getDataKeyInfoCredentialResolver();
// KeyInfoCredentialResolver keyInfoCredResolver =
// ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
// try {
try {
sigValidator.validate(signableSamlObject.getSignature());
} catch (ValidationException e) {
} catch (SignatureException e) {
throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
}
// } catch (ValidationException e) {
// throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
// }
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(issuer.getValue()));
......@@ -149,7 +166,7 @@ public class Saml2ResponseValidationService {
else {
throw new SamlAuthenticationException("SAMLSignableObject could not be validated.");
}
} catch (SecurityException e) {
} catch (org.opensaml.security.SecurityException e) {
throw new SamlAuthenticationException("SAMLSignableObject could not be validated.");
}
}
......
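Review bot: The `MetadataCredentialResolver` created at L133 is never connected to the `DOMMetadataResolver` built and initialized at L126-L132, and nothing between L133 and L153 wires or initializes it; in OpenSAML 3 the resolver takes its metadata through `setRoleDescriptorResolver(...)` (the OpenSAML 2 constructor argument is gone) and must be `initialize()`d, so the `ExplicitKeySignatureTrustEngine` at L140 will, as far as I can tell, resolve no trusted keys and every signature check will fail closed with "could not be validated". That is safe but breaks SP/IdP signature validation entirely; I believe the wiring below is what is needed (each component also needs an id set before `initialize()`, or java-support refuses to initialize it — please confirm against the library version in use). Two smaller points: `dc.getDataKeyInfoCredentialResolver()` at L136-L137 is the decryption configuration's resolver and an odd choice for verifying signatures, where `DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver()` is the usual source; and the `SignatureException` rethrow at L147 drops the cause, unlike L131 — `throw new SamlAuthenticationException("SAMLSignableObject signature is not valid", e);`. The commented-out `ValidationException` block at L149-L151 should be deleted.
```java
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.setId("sp-" + entityDescriptor.getEntityID());
// … unchanged: mp.initialize() with ComponentInitializationException handling …
// … unchanged: keyInfoCredResolver lookup …
PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(mp);
roleResolver.setId(mp.getId() + "-roles");
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
mdCredResolver.setRoleDescriptorResolver(roleResolver);
mdCredResolver.setKeyInfoCredentialResolver(keyInfoCredResolver);
try {
    roleResolver.initialize();
    mdCredResolver.initialize();
} catch (ComponentInitializationException e) {
    throw new SamlAuthenticationException("ComponentInit Exception", e);
}
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
```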
......@@ -208,4 +208,8 @@ public class SamlHelper implements Serializable {
public BasicParserPool getBasicParserPool() {
return basicParserPool;
}
public XMLObjectBuilderFactory getBuilderFactory() {
return builderFactory;
}
}
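Review bot: The new `getBuilderFactory()` accessor at L168-L170 has no Javadoc, although this commit makes it the replacement for the static `Configuration.getBuilderFactory()` calls in `AttributeQueryHelper` and `Saml2AttributeQueryServlet`; I would add `/** Shared OpenSAML {@link XMLObjectBuilderFactory}; callers use this instead of the static Configuration accessor, which OpenSAML 3 no longer provides. */`. Where `builderFactory` is assigned lies outside the hunk, so I cannot confirm it is populated before the first caller runs; since `SamlHelper` is `Serializable`, also check that the field is not `transient` or otherwise null after a passivation/restore cycle, as every caller dereferences the result immediately.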
......@@ -23,13 +23,13 @@ import javax.faces.bean.ManagedBean;
import javax.faces.event.ComponentSystemEvent;
import javax.inject.Inject;
import org.apache.commons.ssl.Base64;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.apache.commons.codec.binary.Base64;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.X509Certificate;
import org.opensaml.xmlsec.signature.X509Data;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity;
......
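Review bot: The Base64 implementation changes from `org.apache.commons.ssl.Base64` to `org.apache.commons.codec.binary.Base64` (L175 → L182) while every call site is outside the hunk; commons-codec's `decodeBase64` is lenient and silently skips characters outside the alphabet rather than failing, so malformed content in the `X509Certificate` elements this bean reads from IdP metadata (imports at L186-L188) would decode to truncated bytes instead of raising. If the bytes go straight into a `CertificateFactory` that still fails loudly; if they are only rendered or compared, prefer a strict decode — strip whitespace and call `java.util.Base64.getDecoder().decode(...)`, which throws `IllegalArgumentException` on invalid input — or check `Base64.isBase64(value)` first.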
......@@ -20,29 +20,28 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AttributeValue;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.StatusMessage;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.soap.soap11.Body;
import org.opensaml.soap.soap11.Envelope;
import org.slf4j.Logger;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
......@@ -108,7 +107,7 @@ public class Saml2AttributeQueryServlet {
saml2ValidationService.verifyIssuer(spEntity, query);
saml2ValidationService.validateSpSignature(query, issuer, spEntityDescriptor);
Response samlResponse = buildSamlRespone(StatusCode.SUCCESS_URI, null);
Response samlResponse = buildSamlRespone(StatusCode.SUCCESS, null);
samlResponse.setIssuer(buildIssuser(aaConfig.getEntityId()));
samlResponse.setIssueInstant(new DateTime());
......@@ -132,13 +131,16 @@ public class Saml2AttributeQueryServlet {
} catch (MessageDecodingException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED_URI, e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} catch (SecurityException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED_URI, e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} catch (SamlAuthenticationException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED_URI, e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} catch (ComponentInitializationException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
}
}
......@@ -151,7 +153,7 @@ public class Saml2AttributeQueryServlet {
}
private Envelope buildSoapEnvelope(XMLObject xmlObject) {
XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
XMLObjectBuilderFactory bf = samlHelper.getBuilderFactory();
Envelope envelope = (Envelope) bf.getBuilder(
Envelope.DEFAULT_ELEMENT_NAME).buildObject(
Envelope.DEFAULT_ELEMENT_NAME);
......
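Review bot: The `catch (SecurityException e)` at L252 now binds to `java.lang.SecurityException`: the old `org.opensaml.xml.security.SecurityException` import (L218) was dropped and the new import block (L219-L237) adds no `org.opensaml.security.SecurityException`, so this clause catches the JDK's unchecked security-manager exception instead of the OpenSAML one and answers it with a RequestDenied status carrying the exception text. If the OpenSAML type is still thrown inside the try (its start is outside the hunk), import it explicitly, `import org.opensaml.security.SecurityException;`; otherwise drop the clause. Every branch also forwards `e.getMessage()` as the SAML StatusMessage to the requesting SP (L251, L255, L259, L262); for the new `ComponentInitializationException` case in particular that is an internal configuration error, and I would keep the detail in the server log and return a fixed text such as `sendErrorResponse(response, StatusCode.REQUEST_DENIED, "AttributeQuery could not be processed");`. The dropped `XSAny` import (L216) has no replacement in the new list; confirm the attribute-value handling outside the hunk no longer needs it.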
......@@ -22,6 +22,8 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
......@@ -104,7 +106,7 @@ public class Saml2PostHandlerServlet {
persistentId = saml2AssertionService.extractPersistentId(assertion, spConfig);
} catch (Exception e1) {
/*
* Catch Exception here for a probabyl faulty IDP. Register Exception and rethrow.
* Catch Exception here for a probably faulty IDP. Register Exception and rethrow.
*/
idpService.updateIdpStatus(SamlIdpMetadataEntityStatus.FAULTY, idpEntity);
throw e1;
......@@ -170,6 +172,8 @@ public class Saml2PostHandlerServlet {
throw new ServletException("Authentication problem", e);
} catch (SamlAuthenticationException e) {
throw new ServletException("Authentication problem", e);
} catch (ComponentInitializationException e) {
throw new ServletException("Authentication problem", e);
}
}
}
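Review bot: The new `catch (ComponentInitializationException e)` at L294 reports a component-initialization failure as `"Authentication problem"`, the same message the `SamlAuthenticationException` clause at L292 uses; this exception arises from setting up a resolver or decoder, not from anything the IdP sent, so a distinct message, `throw new ServletException("SAML component initialization failed", e);`, keeps the two failure classes apart in server logs and avoids pointing operators at the IdP. The clauses at L292 and L294 have identical bodies and, if the message is kept, could be folded into one multi-catch. The enclosing try starts outside the hunk, so I cannot see which call introduces the new checked exception.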