Commit c8088bae authored by michael.simon's avatar michael.simon

make some saml auth errors more specific

parent 0635393e
...@@ -25,6 +25,7 @@ import org.opensaml.saml.saml2.core.AuthnRequest; ...@@ -25,6 +25,7 @@ import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.Response;
import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException; import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
import edu.kit.scc.webreg.service.saml.exc.SamlInvalidPostException;
@ApplicationScoped @ApplicationScoped
public class Saml2DecoderService { public class Saml2DecoderService {
...@@ -42,7 +43,7 @@ public class Saml2DecoderService { ...@@ -42,7 +43,7 @@ public class Saml2DecoderService {
if (obj instanceof Response) if (obj instanceof Response)
return (Response) obj; return (Response) obj;
else else
throw new SamlAuthenticationException("Not a valid SAML2 Post Response"); throw new SamlInvalidPostException("Not a valid SAML2 Post Response");
} }
public AttributeQuery decodeAttributeQuery(HttpServletRequest request) public AttributeQuery decodeAttributeQuery(HttpServletRequest request)
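Review bot: The new SamlInvalidPostException thrown in the `else` branch says only that the decoded object is not a Response, not what was actually decoded, so a failed POST cannot be triaged from the log line alone; `throw new SamlInvalidPostException("Not a valid SAML2 Post Response: " + (obj == null ? "null" : obj.getClass().getName()));` names the element type without putting the payload into the message. The enclosing decode method starts outside the hunk, so obj's declared type is not visible here; if it is an OpenSAML XMLObject, its element QName would be the more readable choice.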
......
...@@ -20,8 +20,8 @@ import org.opensaml.core.criterion.EntityIdCriterion; ...@@ -20,8 +20,8 @@ import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion; import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver;
import org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver; import org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.AttributeQuery; import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.Issuer; import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.Response;
...@@ -42,7 +42,12 @@ import org.slf4j.Logger; ...@@ -42,7 +42,12 @@ import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity; import edu.kit.scc.webreg.entity.SamlMetadataEntity;
import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException; import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
import edu.kit.scc.webreg.service.saml.exc.SamlInvalidIssuerException;
import edu.kit.scc.webreg.service.saml.exc.SamlMissingIssuerException;
import edu.kit.scc.webreg.service.saml.exc.SamlMissingStatusException;
import edu.kit.scc.webreg.service.saml.exc.SamlResponseExpiredException;
import edu.kit.scc.webreg.service.saml.exc.SamlUnknownPrincipalException; import edu.kit.scc.webreg.service.saml.exc.SamlUnknownPrincipalException;
import edu.kit.scc.webreg.service.saml.exc.SamlUnsuccessfulStatusException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
...@@ -69,11 +74,11 @@ public class Saml2ResponseValidationService { ...@@ -69,11 +74,11 @@ public class Saml2ResponseValidationService {
Issuer issuer) throws SamlAuthenticationException { Issuer issuer) throws SamlAuthenticationException {
if (issuer == null) if (issuer == null)
throw new SamlAuthenticationException("Response issuer is not set"); throw new SamlMissingIssuerException("Response issuer is not set");
String issuerString = issuer.getValue(); String issuerString = issuer.getValue();
if (! issuerString.equals(metadataEntity.getEntityId())) if (! issuerString.equals(metadataEntity.getEntityId()))
throw new SamlAuthenticationException("Response issuer " + issuerString + throw new SamlInvalidIssuerException("Response issuer " + issuerString +
" differs from excpected " + metadataEntity.getEntityId()); " differs from excpected " + metadataEntity.getEntityId());
} }
...@@ -83,14 +88,14 @@ public class Saml2ResponseValidationService { ...@@ -83,14 +88,14 @@ public class Saml2ResponseValidationService {
Duration duration = new Duration(samlResponse.getIssueInstant(), new Instant()); Duration duration = new Duration(samlResponse.getIssueInstant(), new Instant());
if (duration.isLongerThan(new Duration(expiryMillis))) if (duration.isLongerThan(new Duration(expiryMillis)))
throw new SamlAuthenticationException("Response is already expired after " + duration.getStandardSeconds() + " seconds"); throw new SamlResponseExpiredException("Response is already expired after " + duration.getStandardSeconds() + " seconds");
} }
public void verifyStatus(Response samlResponse) public void verifyStatus(Response samlResponse)
throws SamlAuthenticationException { throws SamlAuthenticationException {
if (samlResponse.getStatus() == null || samlResponse.getStatus().getStatusCode() == null) if (samlResponse.getStatus() == null || samlResponse.getStatus().getStatusCode() == null)
throw new SamlAuthenticationException("SAML Response does not contain a status code"); throw new SamlMissingStatusException("SAML Response does not contain a status code");
Status status = samlResponse.getStatus(); Status status = samlResponse.getStatus();
if (status.getStatusCode().getStatusCode() != null && if (status.getStatusCode().getStatusCode() != null &&
...@@ -102,7 +107,7 @@ public class Saml2ResponseValidationService { ...@@ -102,7 +107,7 @@ public class Saml2ResponseValidationService {
else if (! status.getStatusCode().getValue().equals(StatusCode.SUCCESS)) { else if (! status.getStatusCode().getValue().equals(StatusCode.SUCCESS)) {
String s = samlHelper.prettyPrint(status); String s = samlHelper.prettyPrint(status);
logger.info("SAML Response Status: {}", s); logger.info("SAML Response Status: {}", s);
throw new SamlAuthenticationException("SAML Response: Login was not successful " + status.getStatusCode().getValue()); throw new SamlUnsuccessfulStatusException("SAML Response: Login was not successful " + status.getStatusCode().getValue());
} }
} }
...@@ -130,7 +135,9 @@ public class Saml2ResponseValidationService { ...@@ -130,7 +135,9 @@ public class Saml2ResponseValidationService {
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM()); DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.setId(entityDescriptor.getEntityID() + "-resolver"); mp.setId(entityDescriptor.getEntityID() + "-resolver");
BasicRoleDescriptorResolver roleResolver = new BasicRoleDescriptorResolver(mp); PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(mp);
// deprecated
//BasicRoleDescriptorResolver roleResolver = new BasicRoleDescriptorResolver(mp);
KeyInfoCredentialResolver keyInfoCredResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver(); KeyInfoCredentialResolver keyInfoCredResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver(); MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
...@@ -145,23 +152,14 @@ public class Saml2ResponseValidationService { ...@@ -145,23 +152,14 @@ public class Saml2ResponseValidationService {
throw new SamlAuthenticationException("Cannot init MDCredResolver", e); throw new SamlAuthenticationException("Cannot init MDCredResolver", e);
} }
// DecryptionConfiguration dc = ConfigurationService.get(DecryptionConfiguration.class);
// KeyInfoCredentialResolver keyInfoCredResolver = dc.getDataKeyInfoCredentialResolver();
// KeyInfoCredentialResolver keyInfoCredResolver =
// ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver); ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
// try {
try { try {
sigValidator.validate(signableSamlObject.getSignature()); sigValidator.validate(signableSamlObject.getSignature());
} catch (SignatureException e) { } catch (SignatureException e) {
throw new SamlAuthenticationException("SAMLSignableObject signature is not valid"); throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
} }
// } catch (ValidationException e) {
// throw new SamlAuthenticationException("SAMLSignableObject signature is not valid");
// }
CriteriaSet criteriaSet = new CriteriaSet(); CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(issuer.getValue())); criteriaSet.add(new EntityIdCriterion(issuer.getValue()));
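Review bot: The `issuerString.equals(metadataEntity.getEntityId())` check right after the new SamlMissingIssuerException throw still dereferences a null `issuer.getValue()` (an Issuer element with no text), so that case surfaces as a NullPointerException instead of one of the new SamlAuthenticationException subtypes; `if (issuerString == null || !issuerString.equals(metadataEntity.getEntityId()))` routes it through SamlInvalidIssuerException. The message on the following line also misspells "excpected". In the expiry hunk, `duration.isLongerThan(new Duration(expiryMillis))` only rejects responses older than expiryMillis; an IssueInstant ahead of the local clock yields a negative Duration and passes, so a lower bound (with a small allowance for clock skew) would close that gap. The catch in the signature-profile hunk drops `e`, whereas the MDCredResolver catch above it keeps the cause; `throw new SamlAuthenticationException("SAMLSignableObject signature is not valid", e);` preserves it. The enclosing methods of these hunks all start outside the hunk.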
......
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlInvalidIssuerException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlInvalidIssuerException(String msg) {
super(msg);
}
public SamlInvalidIssuerException(String msg, Throwable t) {
super(msg, t);
}
}
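Review bot: The `implements Serializable` clause on SamlInvalidIssuerException is redundant: SamlAuthenticationException is passed as a Throwable elsewhere in this commit (`new ServletException(new SamlAuthenticationException(...))`), and Throwable already implements Serializable, so only the serialVersionUID is doing real work. The same applies to SamlInvalidPostException, SamlMissingIssuerException, SamlMissingStatusException, SamlPersistentIdMissingException, SamlResponseExpiredException and SamlUnsuccessfulStatusException. None of the new classes has a Javadoc summary; a one-liner such as `/** Thrown when the Issuer of a SAML response does not match the expected entity ID. */` on each would tell callers which subtype to catch. SamlPersistentIdMissingException has no thrower in the visible hunks, so it may be unused after this commit.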
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlInvalidPostException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlInvalidPostException(String msg) {
super(msg);
}
public SamlInvalidPostException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlMissingIssuerException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlMissingIssuerException(String msg) {
super(msg);
}
public SamlMissingIssuerException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlMissingStatusException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlMissingStatusException(String msg) {
super(msg);
}
public SamlMissingStatusException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlPersistentIdMissingException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlPersistentIdMissingException(String msg) {
super(msg);
}
public SamlPersistentIdMissingException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlResponseExpiredException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlResponseExpiredException(String msg) {
super(msg);
}
public SamlResponseExpiredException(String msg, Throwable t) {
super(msg, t);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.service.saml.exc;
import java.io.Serializable;
public class SamlUnsuccessfulStatusException extends SamlAuthenticationException implements Serializable {
private static final long serialVersionUID = 1L;
public SamlUnsuccessfulStatusException(String msg) {
super(msg);
}
public SamlUnsuccessfulStatusException(String msg, Throwable t) {
super(msg, t);
}
}
...@@ -29,7 +29,6 @@ import edu.kit.scc.webreg.entity.SamlAAConfigurationEntity; ...@@ -29,7 +29,6 @@ import edu.kit.scc.webreg.entity.SamlAAConfigurationEntity;
import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity; import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
import edu.kit.scc.webreg.service.SamlAAConfigurationService; import edu.kit.scc.webreg.service.SamlAAConfigurationService;
import edu.kit.scc.webreg.service.SamlSpConfigurationService; import edu.kit.scc.webreg.service.SamlSpConfigurationService;
import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
@Named @Named
@WebServlet(urlPatterns = {"/Shibboleth.sso/*", "/saml/sp/*"}) @WebServlet(urlPatterns = {"/Shibboleth.sso/*", "/saml/sp/*"})
...@@ -59,36 +58,34 @@ public class SamlSpDispatcherServlet implements Servlet { ...@@ -59,36 +58,34 @@ public class SamlSpDispatcherServlet implements Servlet {
public void service(ServletRequest servletRequest, ServletResponse servletResponse) public void service(ServletRequest servletRequest, ServletResponse servletResponse)
throws ServletException, IOException { throws ServletException, IOException {
throw new ServletException(new SamlAuthenticationException("persistent id missing")); HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
String context = request.getServletContext().getContextPath();
String path = request.getRequestURI().substring(
context.length());
logger.debug("Dispatching request context '{}' path '{}'", context, path);
SamlSpConfigurationEntity spConfig = spConfigService.findByHostname(request.getServerName());
// HttpServletRequest request = (HttpServletRequest) servletRequest; if (spConfig != null && spConfig.getAcs() != null &&
// HttpServletResponse response = (HttpServletResponse) servletResponse; spConfig.getAcs().endsWith(context + path)) {
// logger.debug("Executing POST Handler for entity {}", spConfig.getEntityId());
// String context = request.getServletContext().getContextPath(); postHandler.service(request, response, spConfig);
// String path = request.getRequestURI().substring( return;
// context.length()); }
//
// logger.debug("Dispatching request context '{}' path '{}'", context, path); SamlAAConfigurationEntity aaConfig = aaConfigService.findByHostname(request.getServerName());
//
// SamlSpConfigurationEntity spConfig = spConfigService.findByHostname(request.getServerName()); if (aaConfig != null && aaConfig.getAq() != null &&
// aaConfig.getAq().endsWith(context + path)) {
// if (spConfig != null && spConfig.getAcs() != null && logger.debug("Executing AttributeQuery Handler for entity {}", aaConfig.getEntityId());
// spConfig.getAcs().endsWith(context + path)) { attributeQueryServlet.service(request, response, aaConfig);
// logger.debug("Executing POST Handler for entity {}", spConfig.getEntityId()); return;
// postHandler.service(request, response, spConfig); }
// return;
// } logger.info("No matching servlet for context '{}' path '{}'", context, path);
//
// SamlAAConfigurationEntity aaConfig = aaConfigService.findByHostname(request.getServerName());
//
// if (aaConfig != null && aaConfig.getAq() != null &&
// aaConfig.getAq().endsWith(context + path)) {
// logger.debug("Executing AttributeQuery Handler for entity {}", aaConfig.getEntityId());
// attributeQueryServlet.service(request, response, aaConfig);
// return;
// }
//
// logger.info("No matching servlet for context '{}' path '{}'", context, path);
} }
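Review bot: When neither the ACS nor the AttributeQuery endpoint matches, the new `service` body logs at info and falls off the end without touching `response`, so the container returns an empty success response for an unknown SAML path; `response.sendError(HttpServletResponse.SC_NOT_FOUND);` after the `logger.info(...)` line makes the no-match case explicit to the client and visible in access logs. The `context` and `path` values logged on the debug and info lines come straight from the request URI, which is fine for diagnostics but worth keeping at these levels rather than promoting. The matching itself relies on `request.getServerName()`, so the hostname lookups in spConfigService and aaConfigService presumably need to be exact-match; that cannot be confirmed from this hunk.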
......