Commit c48878ea authored by michael.simon's avatar michael.simon

long story

parent a08b1ddf
...@@ -20,31 +20,29 @@ import javax.enterprise.context.ApplicationScoped; ...@@ -20,31 +20,29 @@ import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject; import javax.inject.Inject;
import javax.inject.Named; import javax.inject.Named;
import net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder;
import org.joda.time.DateTime; import org.joda.time.DateTime;
import org.opensaml.Configuration; import org.opensaml.core.config.Configuration;
import org.opensaml.common.SAMLVersion; import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.saml2.core.Issuer; import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml2.core.NameID; import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Response; import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml2.core.Subject; import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml2.metadata.AttributeService; import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext; import org.opensaml.saml.saml2.metadata.AttributeService;
import org.opensaml.ws.soap.client.http.HttpClientBuilder; import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.ws.soap.soap11.Body; import org.opensaml.soap.common.SOAPException;
import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.soap.soap11.Body;
import org.opensaml.xml.XMLObject; import org.opensaml.soap.soap11.Envelope;
import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.SecurityException; import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.security.SecurityHelper; import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.slf4j.Logger; import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity; import edu.kit.scc.webreg.entity.SamlMetadataEntity;
...@@ -104,7 +102,7 @@ public class AttributeQueryHelper implements Serializable { ...@@ -104,7 +102,7 @@ public class AttributeQueryHelper implements Serializable {
logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage()); logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage());
} }
*/ */
Signature signature = (Signature) Configuration.getBuilderFactory() Signature signature = (Signature) samlHelper.getBuilderFactory()
.getBuilder(Signature.DEFAULT_ELEMENT_NAME) .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
.buildObject(Signature.DEFAULT_ELEMENT_NAME); .buildObject(Signature.DEFAULT_ELEMENT_NAME);
X509KeyInfoGeneratorFactory keyInfoFac = (X509KeyInfoGeneratorFactory) Configuration X509KeyInfoGeneratorFactory keyInfoFac = (X509KeyInfoGeneratorFactory) Configuration
......
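Review bot: The second statement of the 104/102 hunk still starts from the static `Configuration` reference (`(X509KeyInfoGeneratorFactory) Configuration` on the hunk's last line) while the `Signature` builder two lines above was moved to `samlHelper.getBuilderFactory()`; the import now resolves to `org.opensaml.core.config.Configuration`, which in OpenSAML 3 is not the static-accessor class that `org.opensaml.xml.Configuration` was, so this chain probably no longer resolves — the method invoked on it is outside the hunk, so I cannot confirm. If the next line asks for the key-info generator manager, OpenSAML 3 exposes that through `ConfigurationService.get(...)` on the signing configuration rather than through `Configuration`, so the lookup needs the same migration the builder factory received. The commented-out socket-factory block above the change is also left in place; deleting it instead of keeping it commented would make the new code easier to read. The enclosing method starts and ends outside the hunk.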
...@@ -15,20 +15,18 @@ import java.io.OutputStreamWriter; ...@@ -15,20 +15,18 @@ import java.io.OutputStreamWriter;
import java.io.Serializable; import java.io.Serializable;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import org.apache.commons.httpclient.HttpClient; import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.httpclient.methods.ByteArrayRequestEntity;
import org.apache.commons.httpclient.methods.RequestEntity; import org.apache.http.client.HttpClient;
import org.opensaml.ws.soap.client.SOAPClientException; import org.opensaml.core.config.Configuration;
import org.opensaml.ws.soap.client.http.HttpSOAPClient; import org.opensaml.core.xml.io.Marshaller;
import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.xml.Configuration; import org.opensaml.soap.client.SOAPClientException;
import org.opensaml.xml.io.Marshaller; import org.opensaml.soap.client.http.HttpSOAPClient;
import org.opensaml.xml.io.MarshallingException; import org.opensaml.soap.soap11.Envelope;
import org.opensaml.xml.parse.ParserPool; import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xml.signature.Signature; import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xml.signature.SignatureException; import org.opensaml.xmlsec.signature.support.Signer;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.w3c.dom.Element; import org.w3c.dom.Element;
......
...@@ -14,10 +14,12 @@ import javax.enterprise.context.ApplicationScoped; ...@@ -14,10 +14,12 @@ import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject; import javax.inject.Inject;
import javax.xml.namespace.QName; import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.joda.time.Duration; import org.joda.time.Duration;
import org.joda.time.Instant; import org.joda.time.Instant;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.common.xml.SAMLConstants;
...@@ -32,9 +34,13 @@ import org.opensaml.saml.saml2.metadata.EntityDescriptor; ...@@ -32,9 +34,13 @@ import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver; import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.UsageType; import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion; import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.DecryptionConfiguration;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver; import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger; import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity; import edu.kit.scc.webreg.entity.SamlMetadataEntity;
...@@ -123,20 +129,31 @@ public class Saml2ResponseValidationService { ...@@ -123,20 +129,31 @@ public class Saml2ResponseValidationService {
throw new SamlAuthenticationException("No Signature on SignableSamlObject"); throw new SamlAuthenticationException("No Signature on SignableSamlObject");
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM()); DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.initialize(); try {
mp.initialize();
} catch (ComponentInitializationException e) {
throw new SamlAuthenticationException("ComponentInit Exception", e);
}
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver(); MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
KeyInfoCredentialResolver keyInfoCredResolver = DecryptionConfiguration dc = ConfigurationService.get(DecryptionConfiguration.class);
ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(); KeyInfoCredentialResolver keyInfoCredResolver = dc.getDataKeyInfoCredentialResolver();
// KeyInfoCredentialResolver keyInfoCredResolver =
// ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver); ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
// try {
try { try {
sigValidator.validate(signableSamlObject.getSignature()); sigValidator.validate(signableSamlObject.getSignature());
} catch (ValidationException e) { } catch (SignatureException e) {
throw new SamlAuthenticationException("SAMLSignableObject signature is not valid"); throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
} }
// } catch (ValidationException e) {
// throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
// }
CriteriaSet criteriaSet = new CriteriaSet(); CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(issuer.getValue())); criteriaSet.add(new EntityIdCriterion(issuer.getValue()));
...@@ -149,7 +166,7 @@ public class Saml2ResponseValidationService { ...@@ -149,7 +166,7 @@ public class Saml2ResponseValidationService {
else { else {
throw new SamlAuthenticationException("SAMLSignableObject could not be validated."); throw new SamlAuthenticationException("SAMLSignableObject could not be validated.");
} }
} catch (SecurityException e) { } catch (org.opensaml.security.SecurityException e) {
throw new SamlAuthenticationException("SAMLSignableObject could not be validated."); throw new SamlAuthenticationException("SAMLSignableObject could not be validated.");
} }
} }
......
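Review bot: The `KeyInfoCredentialResolver` in the 123/129 hunk is now taken from `ConfigurationService.get(DecryptionConfiguration.class).getDataKeyInfoCredentialResolver()`, i.e. the resolver configured for decrypting EncryptedData, and is then fed into the signature trust engine; `ConfigurationService.get` also returns null when no `DecryptionConfiguration` has been registered, so a misconfiguration surfaces as a `NullPointerException` from `dc.getDataKeyInfoCredentialResolver()` instead of a `SamlAuthenticationException`. A resolver built for signature validation, such as `DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver()`, would state the intent, and a null check on `dc` would keep the failure explicit. In the same hunk the initialized `DOMMetadataResolver mp` is never handed to `mdCredResolver`, and `mdCredResolver` is not initialized before the trust engine uses it, so unless that wiring sits on lines not shown, the trust engine has no metadata to validate against. `throw new SamlAuthenticationException("SAMLSignableObject signature is not valid")` drops the `SignatureException` cause, unlike the new ComponentInit catch above it; pass `e` as the second argument there and in the `org.opensaml.security.SecurityException` catch of the 149/166 hunk. The commented-out old resolver lookup and the commented `try`/`catch (ValidationException e)` lines should be removed rather than kept next to their replacement.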
...@@ -208,4 +208,8 @@ public class SamlHelper implements Serializable { ...@@ -208,4 +208,8 @@ public class SamlHelper implements Serializable {
public BasicParserPool getBasicParserPool() { public BasicParserPool getBasicParserPool() {
return basicParserPool; return basicParserPool;
} }
public XMLObjectBuilderFactory getBuilderFactory() {
return builderFactory;
}
} }
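Review bot: The new `getBuilderFactory()` accessor has no Javadoc although it becomes the shared entry point that `AttributeQueryHelper` and `Saml2AttributeQueryServlet` now call; a one-liner such as `/** Returns the OpenSAML {@link XMLObjectBuilderFactory} held by this helper. */` would document it alongside `getBasicParserPool()`. Where `builderFactory` is assigned lies outside the hunk, so whether it can still be null when a caller reaches this getter is not visible here and should be confirmed.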
...@@ -23,13 +23,13 @@ import javax.faces.bean.ManagedBean; ...@@ -23,13 +23,13 @@ import javax.faces.bean.ManagedBean;
import javax.faces.event.ComponentSystemEvent; import javax.faces.event.ComponentSystemEvent;
import javax.inject.Inject; import javax.inject.Inject;
import org.apache.commons.ssl.Base64; import org.apache.commons.codec.binary.Base64;
import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.xml.signature.KeyInfo; import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xml.signature.X509Certificate; import org.opensaml.xmlsec.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data; import org.opensaml.xmlsec.signature.X509Data;
import org.slf4j.Logger; import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity; import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity;
......
...@@ -20,29 +20,28 @@ import javax.servlet.ServletResponse; ...@@ -20,29 +20,28 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.joda.time.DateTime; import org.joda.time.DateTime;
import org.opensaml.Configuration; import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml2.core.Assertion; import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.saml2.core.Attribute; import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml2.core.AttributeValue; import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml2.core.Issuer; import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.NameID; import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Response; import org.opensaml.saml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.Status; import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml2.core.StatusMessage; import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml2.core.Subject; import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.saml.saml2.core.StatusMessage;
import org.opensaml.ws.soap.soap11.Body; import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.XMLObject; import org.opensaml.soap.soap11.Body;
import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.soap.soap11.Envelope;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.security.SecurityException;
import org.slf4j.Logger; import org.slf4j.Logger;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig; import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
...@@ -108,7 +107,7 @@ public class Saml2AttributeQueryServlet { ...@@ -108,7 +107,7 @@ public class Saml2AttributeQueryServlet {
saml2ValidationService.verifyIssuer(spEntity, query); saml2ValidationService.verifyIssuer(spEntity, query);
saml2ValidationService.validateSpSignature(query, issuer, spEntityDescriptor); saml2ValidationService.validateSpSignature(query, issuer, spEntityDescriptor);
Response samlResponse = buildSamlRespone(StatusCode.SUCCESS_URI, null); Response samlResponse = buildSamlRespone(StatusCode.SUCCESS, null);
samlResponse.setIssuer(buildIssuser(aaConfig.getEntityId())); samlResponse.setIssuer(buildIssuser(aaConfig.getEntityId()));
samlResponse.setIssueInstant(new DateTime()); samlResponse.setIssueInstant(new DateTime());
...@@ -132,13 +131,16 @@ public class Saml2AttributeQueryServlet { ...@@ -132,13 +131,16 @@ public class Saml2AttributeQueryServlet {
} catch (MessageDecodingException e) { } catch (MessageDecodingException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage()); logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED_URI, e.getMessage()); sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} catch (SecurityException e) { } catch (SecurityException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage()); logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED_URI, e.getMessage()); sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} catch (SamlAuthenticationException e) { } catch (SamlAuthenticationException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage()); logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED_URI, e.getMessage()); sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} catch (ComponentInitializationException e) {
logger.info("Could not execute AttributeQuery: {}", e.getMessage());
sendErrorResponse(response, StatusCode.REQUEST_DENIED, e.getMessage());
} }
} }
...@@ -151,7 +153,7 @@ public class Saml2AttributeQueryServlet { ...@@ -151,7 +153,7 @@ public class Saml2AttributeQueryServlet {
} }
private Envelope buildSoapEnvelope(XMLObject xmlObject) { private Envelope buildSoapEnvelope(XMLObject xmlObject) {
XMLObjectBuilderFactory bf = Configuration.getBuilderFactory(); XMLObjectBuilderFactory bf = samlHelper.getBuilderFactory();
Envelope envelope = (Envelope) bf.getBuilder( Envelope envelope = (Envelope) bf.getBuilder(
Envelope.DEFAULT_ELEMENT_NAME).buildObject( Envelope.DEFAULT_ELEMENT_NAME).buildObject(
Envelope.DEFAULT_ELEMENT_NAME); Envelope.DEFAULT_ELEMENT_NAME);
......
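Review bot: The `} catch (SecurityException e) {` branch in the 132/131 hunk now binds to `java.lang.SecurityException` unless another import restores it: the old `org.opensaml.xml.security.SecurityException` import was removed and the new-side import list in the first hunk carries no replacement, so the exception type the SAML layer raises is no longer the one this block handles. The new `ComponentInitializationException` branch reports a server-side initialization failure to the requesting SP as `REQUEST_DENIED` with `e.getMessage()` as the status message and logs it only at info without the stack trace; a generic status message plus `logger.error("Could not execute AttributeQuery", e)` fits that case better, and the same exposure of internal messages applies to the three existing branches. All four bodies are identical, so a single `catch (MessageDecodingException | SecurityException | SamlAuthenticationException | ComponentInitializationException e)` would remove the duplication. The enclosing method starts outside the hunk.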
...@@ -22,6 +22,8 @@ import javax.servlet.ServletResponse; ...@@ -22,6 +22,8 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.messaging.decoder.MessageDecodingException; import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.Response;
...@@ -104,7 +106,7 @@ public class Saml2PostHandlerServlet { ...@@ -104,7 +106,7 @@ public class Saml2PostHandlerServlet {
persistentId = saml2AssertionService.extractPersistentId(assertion, spConfig); persistentId = saml2AssertionService.extractPersistentId(assertion, spConfig);
} catch (Exception e1) { } catch (Exception e1) {
/* /*
* Catch Exception here for a probabyl faulty IDP. Register Exception and rethrow. * Catch Exception here for a probably faulty IDP. Register Exception and rethrow.
*/ */
idpService.updateIdpStatus(SamlIdpMetadataEntityStatus.FAULTY, idpEntity); idpService.updateIdpStatus(SamlIdpMetadataEntityStatus.FAULTY, idpEntity);
throw e1; throw e1;
...@@ -170,6 +172,8 @@ public class Saml2PostHandlerServlet { ...@@ -170,6 +172,8 @@ public class Saml2PostHandlerServlet {
throw new ServletException("Authentication problem", e); throw new ServletException("Authentication problem", e);
} catch (SamlAuthenticationException e) { } catch (SamlAuthenticationException e) {
throw new ServletException("Authentication problem", e); throw new ServletException("Authentication problem", e);
} catch (ComponentInitializationException e) {
throw new ServletException("Authentication problem", e);
} }
} }
} }
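Review bot: The new `catch (ComponentInitializationException e)` in the 170/172 hunk has the same body as the `SamlAuthenticationException` branch above it; a multi-catch `catch (SamlAuthenticationException | ComponentInitializationException e) { throw new ServletException("Authentication problem", e); }` avoids the duplicate. The message also labels a component-initialization failure, which is a server-side setup problem, as an authentication problem, which will mislead whoever reads the servlet log; a distinct message for that branch would be clearer. The enclosing method starts outside the hunk.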