Commit c8088bae authored by michael.simon's avatar michael.simon

make some saml auth errors more exact

parent 0635393e
......@@ -25,6 +25,7 @@ import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;
import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
import edu.kit.scc.webreg.service.saml.exc.SamlInvalidPostException;
@ApplicationScoped
public class Saml2DecoderService {
......@@ -42,7 +43,7 @@ public class Saml2DecoderService {
if (obj instanceof Response)
return (Response) obj;
else
throw new SamlAuthenticationException("Not a valid SAML2 Post Response");
throw new SamlInvalidPostException("Not a valid SAML2 Post Response");
}
public AttributeQuery decodeAttributeQuery(HttpServletRequest request)
......
......@@ -20,8 +20,8 @@ import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver;
import org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
......@@ -42,7 +42,12 @@ import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity;
import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
import edu.kit.scc.webreg.service.saml.exc.SamlInvalidIssuerException;
import edu.kit.scc.webreg.service.saml.exc.SamlMissingIssuerException;
import edu.kit.scc.webreg.service.saml.exc.SamlMissingStatusException;
import edu.kit.scc.webreg.service.saml.exc.SamlResponseExpiredException;
import edu.kit.scc.webreg.service.saml.exc.SamlUnknownPrincipalException;
import edu.kit.scc.webreg.service.saml.exc.SamlUnsuccessfulStatusException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
......@@ -69,11 +74,11 @@ public class Saml2ResponseValidationService {
Issuer issuer) throws SamlAuthenticationException {
if (issuer == null)
throw new SamlAuthenticationException("Response issuer is not set");
throw new SamlMissingIssuerException("Response issuer is not set");
String issuerString = issuer.getValue();
if (! issuerString.equals(metadataEntity.getEntityId()))
throw new SamlAuthenticationException("Response issuer " + issuerString +
throw new SamlInvalidIssuerException("Response issuer " + issuerString +
" differs from excpected " + metadataEntity.getEntityId());
}
......@@ -83,14 +88,14 @@ public class Saml2ResponseValidationService {
Duration duration = new Duration(samlResponse.getIssueInstant(), new Instant());
if (duration.isLongerThan(new Duration(expiryMillis)))
throw new SamlAuthenticationException("Response is already expired after " + duration.getStandardSeconds() + " seconds");
throw new SamlResponseExpiredException("Response is already expired after " + duration.getStandardSeconds() + " seconds");
}
public void verifyStatus(Response samlResponse)
throws SamlAuthenticationException {
if (samlResponse.getStatus() == null || samlResponse.getStatus().getStatusCode() == null)
throw new SamlAuthenticationException("SAML Response does not contain a status code");
throw new SamlMissingStatusException("SAML Response does not contain a status code");
Status status = samlResponse.getStatus();
if (status.getStatusCode().getStatusCode() != null &&
......@@ -102,7 +107,7 @@ public class Saml2ResponseValidationService {
else if (! status.getStatusCode().getValue().equals(StatusCode.SUCCESS)) {
String s = samlHelper.prettyPrint(status);
logger.info("SAML Response Status: {}", s);
throw new SamlAuthenticationException("SAML Response: Login was not successful " + status.getStatusCode().getValue());
throw new SamlUnsuccessfulStatusException("SAML Response: Login was not successful " + status.getStatusCode().getValue());
}
}
......@@ -130,7 +135,9 @@ public class Saml2ResponseValidationService {
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.setId(entityDescriptor.getEntityID() + "-resolver");
BasicRoleDescriptorResolver roleResolver = new BasicRoleDescriptorResolver(mp);
PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(mp);
// deprecated
//BasicRoleDescriptorResolver roleResolver = new BasicRoleDescriptorResolver(mp);
KeyInfoCredentialResolver keyInfoCredResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
......@@ -145,23 +152,14 @@ public class Saml2ResponseValidationService {
throw new SamlAuthenticationException("Cannot init MDCredResolver", e);
}
// DecryptionConfiguration dc = ConfigurationService.get(DecryptionConfiguration.class);
// KeyInfoCredentialResolver keyInfoCredResolver = dc.getDataKeyInfoCredentialResolver();
// KeyInfoCredentialResolver keyInfoCredResolver =
// ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
// try {
try {
sigValidator.validate(signableSamlObject.getSignature());
} catch (SignatureException e) {
throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
}
// } catch (ValidationException e) {
// throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
// }
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(issuer.getValue()));
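Review bot: The new SamlMissingIssuerException at the `issuer == null` check does not cover an Issuer element whose value is absent: `issuer.getValue()` on the next line may return null, and `issuerString.equals(...)` then fails with a NullPointerException instead of a SAML authentication error; add `if (issuerString == null) throw new SamlMissingIssuerException("Response issuer value is not set");` before the comparison, or compare as `metadataEntity.getEntityId().equals(issuerString)`. The message on the following line also misspells "expected" as "excpected". Separately, in the signature-profile hunk the new `catch (SignatureException e)` drops `e`; since the (String, Throwable) constructor is already used a few lines earlier for the MDCredResolver failure, `throw new SamlAuthenticationException("SAMLSignableObject signature is not valid", e);` keeps the cause for diagnosis. Both enclosing methods extend beyond their hunks.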
......
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlInvalidIssuerException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlInvalidIssuerException(String msg) {
super(msg);
}
public SamlInvalidIssuerException(String msg, Throwable t) {
super(msg, t);
}
}
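Review bot: `implements Serializable` on SamlInvalidIssuerException is redundant, because the class already inherits Serializable through Throwable via SamlAuthenticationException; the same applies to the other six classes added here (SamlInvalidPostException, SamlMissingIssuerException, SamlMissingStatusException, SamlPersistentIdMissingException, SamlResponseExpiredException, SamlUnsuccessfulStatusException). Keeping the explicit `serialVersionUID` is fine, but the clause can be dropped: `public class SamlInvalidIssuerException extends SamlAuthenticationException {`. A one-line Javadoc stating when each exception is thrown, e.g. `/** Thrown when the Issuer of a SAML response differs from the expected entity ID. */`, would also help callers that catch the more exact types.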
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlInvalidPostException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlInvalidPostException(String msg) {
super(msg);
}
public SamlInvalidPostException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlMissingIssuerException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlMissingIssuerException(String msg) {
super(msg);
}
public SamlMissingIssuerException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlMissingStatusException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlMissingStatusException(String msg) {
super(msg);
}
public SamlMissingStatusException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlPersistentIdMissingException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlPersistentIdMissingException(String msg) {
super(msg);
}
public SamlPersistentIdMissingException(String msg, Throwable t) {
super(msg, t);
}
}
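Review bot: SamlPersistentIdMissingException is added but nothing in this commit throws it; the only "persistent id missing" throw visible, in SamlSpDispatcherServlet.service, is removed rather than converted to this type. If the persistent-ID check lives in a handler outside this diff, that site should be changed to throw this exception so the more exact error is actually reachable; otherwise the class is dead code. A one-line Javadoc such as `/** Thrown when the expected persistent identifier is missing from the SAML response. */` would document its intended use.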
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlResponseExpiredException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlResponseExpiredException(String msg) {
super(msg);
}
public SamlResponseExpiredException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlUnsuccessfulStatusException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlUnsuccessfulStatusException(String msg) {
super(msg);
}
public SamlUnsuccessfulStatusException(String msg, Throwable t) {
super(msg, t);
}
}
......@@ -29,7 +29,6 @@ import edu.kit.scc.webreg.entity.SamlAAConfigurationEntity;
import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
import edu.kit.scc.webreg.service.SamlAAConfigurationService;
import edu.kit.scc.webreg.service.SamlSpConfigurationService;
import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
@Named
@WebServlet(urlPatterns = {"/Shibboleth.sso/*", "/saml/sp/*"})
......@@ -59,36 +58,34 @@ public class SamlSpDispatcherServlet implements Servlet {
public void service(ServletRequest servletRequest, ServletResponse servletResponse)
throws ServletException, IOException {
throw new ServletException(new SamlAuthenticationException("persistent id missing"));
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
String context = request.getServletContext().getContextPath();
String path = request.getRequestURI().substring(
context.length());
logger.debug("Dispatching request context '{}' path '{}'", context, path);
SamlSpConfigurationEntity spConfig = spConfigService.findByHostname(request.getServerName());
// HttpServletRequest request = (HttpServletRequest) servletRequest;
// HttpServletResponse response = (HttpServletResponse) servletResponse;
//
// String context = request.getServletContext().getContextPath();
// String path = request.getRequestURI().substring(
// context.length());
//
// logger.debug("Dispatching request context '{}' path '{}'", context, path);
//
// SamlSpConfigurationEntity spConfig = spConfigService.findByHostname(request.getServerName());
//
// if (spConfig != null && spConfig.getAcs() != null &&
// spConfig.getAcs().endsWith(context + path)) {
// logger.debug("Executing POST Handler for entity {}", spConfig.getEntityId());
// postHandler.service(request, response, spConfig);
// return;
// }
//
// SamlAAConfigurationEntity aaConfig = aaConfigService.findByHostname(request.getServerName());
//
// if (aaConfig != null && aaConfig.getAq() != null &&
// aaConfig.getAq().endsWith(context + path)) {
// logger.debug("Executing AttributeQuery Handler for entity {}", aaConfig.getEntityId());
// attributeQueryServlet.service(request, response, aaConfig);
// return;
// }
//
// logger.info("No matching servlet for context '{}' path '{}'", context, path);
if (spConfig != null && spConfig.getAcs() != null &&
spConfig.getAcs().endsWith(context + path)) {
logger.debug("Executing POST Handler for entity {}", spConfig.getEntityId());
postHandler.service(request, response, spConfig);
return;
}
SamlAAConfigurationEntity aaConfig = aaConfigService.findByHostname(request.getServerName());
if (aaConfig != null && aaConfig.getAq() != null &&
aaConfig.getAq().endsWith(context + path)) {
logger.debug("Executing AttributeQuery Handler for entity {}", aaConfig.getEntityId());
attributeQueryServlet.service(request, response, aaConfig);
return;
}
logger.info("No matching servlet for context '{}' path '{}'", context, path);
}
......