Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2019/09/02 09:36:16 UTC

Re: STS incoming SAML validation with custom certificate

I guess you could do something like override verifySignedAssertion, to
retrieve the certs from your DB using the SAML Assertion:

https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205

and then override the verifyTrustInCerts method in the underlying
SignatureTrustValidator:

https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97

Colm.


On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <ig...@domen.hu> wrote:

> Hello!
> The request contains a SAML in the security header.
> This SAML contains a
>   <saml2:Subject>
>     <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>       <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
>                                      NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
>     </saml2:SubjectConfirmation>
>   </saml2:Subject>
> In the request there is an attribute in the claims:
> <ns:Claims Dialect="myDialect">
>   <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
>                     xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>     <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
>   </saml-a:Attribute>
> </ns:Claims>
>
> The certificate with which the incoming SAML is signed is stored in a
> database, and for the query I need the saml2:NameID value (MyUserID) and
> the "urn:oasis:names:tc:xspa:1.0:subject:organization-id" organisationID
> (myOrganizationID).
>
> I can do this query, but only after the SAML validation is done.
>
> Somehow I need to run the SAML signature validation after I can get the
> data (inside the
> org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle() function),
>
> or get the data from the request in
> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
> org.apache.wss4j.dom.validate.SamlAssertionValidator.
>
>
> Thanx
>
> Csaba
>
> the request:
>
> ---------------------------------------
>
>
> <soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
> xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>      <soapenv:Header>
>          <wsse:Security soapenv:mustUnderstand="1"
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>
>              <saml2:Assertion
> ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
> IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:xs="http://www.w3.org/2001/XMLSchema">
>                  <saml2:Issuer>....</saml2:Issuer>
>                  <ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                      <ds:SignedInfo>
>                          <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                          <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                          <ds:Reference
> URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
>                              <ds:Transforms>
>                                  <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                                  <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                      <ec:InclusiveNamespaces
> PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                  </ds:Transform>
>                              </ds:Transforms>
>                              <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>....</ds:DigestValue>
>                          </ds:Reference>
>                      </ds:SignedInfo>
> <ds:SignatureValue>....</ds:SignatureValue>
>                      <ds:KeyInfo>
>                          <ds:X509Data>
> <ds:X509Certificate>......</ds:X509Certificate>
>                          </ds:X509Data>
>                      </ds:KeyInfo>
>                  </ds:Signature>
>                  <saml2:Subject>
>                      <saml2:NameID
>
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>                      <saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                          <saml2:SubjectConfirmationData
> InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
> NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
>                      </saml2:SubjectConfirmation>
>                  </saml2:Subject>
>                  <saml2:Conditions NotBefore="2018-02-06T18:29:56.647Z"
> NotOnOrAfter="2018-02-06T18:39:56.647Z">
>                      <saml2:AudienceRestriction>
> <saml2:Audience>.....</saml2:Audience>
>                      </saml2:AudienceRestriction>
>                  </saml2:Conditions>
>                  <saml2:AuthnStatement
> AuthnInstant="2018-02-06T18:29:56.647Z"
> SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
>                      <saml2:AuthnContext>
>
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>                      </saml2:AuthnContext>
>                  </saml2:AuthnStatement>
>                  <saml2:AttributeStatement>
>                      ....
>                  </saml2:AttributeStatement>
>              </saml2:Assertion>
>          </wsse:Security>
>      </soapenv:Header>
>      <soapenv:Body>
>          <ns:RequestSecurityToken>
> <ns:TokenType>
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
> </ns:TokenType>
> <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
> </ns:RequestType>
>              <ns:Claims Dialect="MyDialect">
>                  <saml-a:Attribute
> Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>                      <saml-a:AttributeValue
> xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
>                  </saml-a:Attribute>
>                  ...
>              </ns:Claims>
>          </ns:RequestSecurityToken>
>      </soapenv:Body>
> </soapenv:Envelope>
>
>
> On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
> > Can you post what the request looks like? Even a redacted version of it?
> >
> > Colm.
> >
> > On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <ig...@domen.hu> wrote:
> >
> >> Hello!
> >>
> >> I studied the WSS4J SAML Validator, but it did not help much; my problem is that I need
> >> to get the certificate based on the content of the request and the header
> >> SAML (get out the subject, do a query, and the query gives back the
> >> certificate), and I need to validate the SAML with this certificate.
> >>
> >> In this case (SamlAssertionValidator) is running before I am able to parse
> >> the request. I can create a dummy validate() function, but after that I need
> >> to somehow call it again.
> >>
> >> Any help will be welcome.
> >>
> >> Thanx
> >>
> >> Csaba
> >>
> >>
> >>> Does the SAML assertion appear in the security header of the request or
> >>> in the body of the request? For the former, you will need to implement your
> >>> own WSS4J SAML Validator, or subclass the existing one in some way:
> >>>
> >>> https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
> >>>
> >>> If the SAML assertion is in the SOAP Body then it's handled by the STS
> >>> code, so you will need to either replace or override this class:
> >>>
> >>> https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
> >>>
> >>> Colm.
> >>>
> >>> On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <ig...@domen.hu> wrote:
> >>>
> >>>> Hello!
> >>>>
> >>>> I have a request with the STS to validate an incoming SAML with a
> >>>> certificate that comes from another source: for example, I need to query it
> >>>> from a database, based on the data in the request.
> >>>>
> >>>> How do I start? I know the SAML validation is deep inside and needs the
> >>>> certificate to be in a truststore. Can I give the certificate directly
> >>>> as an attribute, or do I need to create my own custom truststore manager?
> >>>>
> >>>> Thanx.
> >>>>
> >>>> Csaba
> >>>>
> >>>>
> >>> --
> >>> Colm O hEigeartaigh
> >>>
> >>> Talend Community Coder
> >>> http://coders.talend.com
> >>>
> >>
>
>

Re: STS incoming SAML validation with custom certificate

Posted by Tóth Csaba <ig...@domen.hu>.
Thanx!
You saved my day!

Csaba

On 2020-02-19 12:54, Colm O hEigeartaigh wrote:
> See here:
> https://github.com/apache/cxf/blob/540bb76f6f3d3d23944c566905f9f395c6f86b79/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom/CustomUTValidator.java
>
> SOAPMessage soapMessage = getSOAPMessage((SoapMessage)data.getMsgContext());
> try {
>     Element soapBody = SAAJUtils.getBody(soapMessage);
>
>     if (soapBody != null) {
>         // Find custom Element in the SOAP Body
>         Element realm = XMLUtils.findElement(soapBody, "realm", "http://cxf.apache.org/custom");
> ...
>
> Colm.
>
> On Tue, Feb 18, 2020 at 7:12 PM Tóth Csaba <ig...@domen.hu> wrote:
>
>> Hello!
>> I have a problem with my SAML validation.
>> - I have already made it so that inside the validation I can call an LDAP request,
>> get the given cert from the LDAP, and check it against the cert in the SAML.
>> BUT
>> I need data from the request too, specifically one of the given claims. I
>> need that value to give it to the LDAP query.
>> How can I get the full request, or at least the SOAP body (it
>> can be in any form: stream, string, DOM, object...), from the
>> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.validate()
>> function?
>>
>> Thanx
>> Csaba
>>
>> On 2019-09-02 12:17, Tóth Csaba wrote:
>>> Thanx!
>>> It looks good, it's just that I need data from the request too (a claim)
>>> for the query.
>>>
>>> Csaba
>>>
>>> On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
>>>> I guess you could do something like override verifySignedAssertion, to
>>>> retrieve the certs from your DB using the SAML Assertion:
>>>>
>>>>
>> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205
>>>>
>>>> and then override the verifyTrustInCerts method in the underlying
>>>> SignatureTrustValidator:
>>>>
>>>>
>> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97
>>>>
>>>> Colm.
>>>>
>>>>
>>>> On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <ig...@domen.hu> wrote:
>>>>
>>>>> Hello!
>>>>> The request contains a SAML in the security header.
>>>>> This SAML contains a
>>>>>                    <saml2:Subject>
>>>>>                        <saml2:NameID
>>>>>
>>>>>
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>>
>>>>>                        <saml2:SubjectConfirmation
>>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>>                            <saml2:SubjectConfirmationData
>>>>> InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
>>>>> NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
>>>>>                        </saml2:SubjectConfirmation>
>>>>>                    </saml2:Subject>
>>>>> In the request is an attribute in the claims:
>>>>> <ns:Claims Dialect="myDialect">
>>>>>            <saml-a:Attribute
>>>>> Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
>>>>> xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>>                <saml-a:AttributeValue
>>>>> xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
>>>>>            </saml-a:Attribute>
>>>>>
>>>>> </ns:Claims>
>>>>>
>>>>> the certification with which the incomming SAML signed is stored in a
>>>>> database and for the query I need the saml2:NameID value (MyUserID) and
>>>>> the "urn:oasis:names:tc:xspa:1.0:subject:organization-id"
>>>>> organisationID
>>>>> (myOrganizationID).
>>>>>
>>>>> I can do this query, but only after the SAML validation is done.
>>>>>
>>>>> Somehow i need to run the SAML signature validation after I can get the
>>>>> data (inside the
>>>>> org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle()
>>>>> function)
>>>>>
>>>>> or get the data from the request at the
>>>>> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
>>>>> org.apache.wss4j.dom.validate.SamlAssertionValidator
>>>>>
>>>>>
>>>>> Thanx
>>>>>
>>>>> Csaba
>>>>>
>>>>> the request:
>>>>>
>>>>> ---------------------------------------
>>>>>
>>>>>
>>>>> <soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
>>>>> xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>>>>>        <soapenv:Header>
>>>>>            <wsse:Security soapenv:mustUnderstand="1"
>>>>> xmlns:wsse="
>>>>>
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>
>>>>>
>>>>> xmlns:wsu="
>>>>>
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>
>>>>>
>>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>>
>>>>>                <saml2:Assertion
>>>>> ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
>>>>> IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>> xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>>>> <saml2:Issuer>....</saml2:Issuer>
>>>>>                    <ds:Signature
>>>>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>                        <ds:SignedInfo>
>>>>>                            <ds:CanonicalizationMethod
>>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>                            <ds:SignatureMethod
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>>>                            <ds:Reference
>>>>> URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
>>>>>                                <ds:Transforms>
>>>>>                                    <ds:Transform
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>>                                    <ds:Transform
>>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>>> <ec:InclusiveNamespaces
>>>>> PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>>                                    </ds:Transform>
>>>>>                                </ds:Transforms>
>>>>>                                <ds:DigestMethod
>>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>> <ds:DigestValue>....</ds:DigestValue>
>>>>>                            </ds:Reference>
>>>>>                        </ds:SignedInfo>
>>>>> <ds:SignatureValue>....</ds:SignatureValue>
>>>>>                        <ds:KeyInfo>
>>>>>                            <ds:X509Data>
>>>>> <ds:X509Certificate>......</ds:X509Certificate>
>>>>>                            </ds:X509Data>
>>>>>                        </ds:KeyInfo>
>>>>>                    </ds:Signature>
>>>>>                    <saml2:Subject>
>>>>>                        <saml2:NameID
>>>>>
>>>>>
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>>
>>>>>                        <saml2:SubjectConfirmation
>>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>>                            <saml2:SubjectConfirmationData
>>>>> InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
>>>>> NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
>>>>>                        </saml2:SubjectConfirmation>
>>>>>                    </saml2:Subject>
>>>>>                    <saml2:Conditions
>>>>> NotBefore="2018-02-06T18:29:56.647Z"
>>>>> NotOnOrAfter="2018-02-06T18:39:56.647Z">
>>>>>                        <saml2:AudienceRestriction>
>>>>> <saml2:Audience>.....</saml2:Audience>
>>>>>                        </saml2:AudienceRestriction>
>>>>>                    </saml2:Conditions>
>>>>>                    <saml2:AuthnStatement
>>>>> AuthnInstant="2018-02-06T18:29:56.647Z"
>>>>> SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
>>>>>                        <saml2:AuthnContext>
>>>>>
>>>>>
>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>>
>>>>>                        </saml2:AuthnContext>
>>>>>                    </saml2:AuthnStatement>
>>>>>                    <saml2:AttributeStatement>
>>>>>                        ....
>>>>>                    </saml2:AttributeStatement>
>>>>>                </saml2:Assertion>
>>>>>            </wsse:Security>
>>>>>        </soapenv:Header>
>>>>>        <soapenv:Body>
>>>>>            <ns:RequestSecurityToken>
>>>>> <ns:TokenType>
>>>>>
>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
>>>>> </ns:TokenType>
>>>>> <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
>>>>> </ns:RequestType>
>>>>>                <ns:Claims Dialect="MyDialect">
>>>>>                    <saml-a:Attribute
>>>>> Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
>>>>> xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>>                        <saml-a:AttributeValue
>>>>> xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
>>>>>                    </saml-a:Attribute>
>>>>>                    ...
>>>>>                </ns:Claims>
>>>>>            </ns:RequestSecurityToken>
>>>>>        </soapenv:Body>
>>>>> </soapenv:Envelope>
>>>>>
>>>>>
>>>>> On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
>>>>>> Can you post what the request looks like? Even a redacted version
>>>>>> of it?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <ig...@domen.hu> wrote:
>>>>>>
>>>>>>> Hello!
>>>>>>>
>>>>>>> I study the WSS4J SAML Validator, but not help much, my problem is
>>>>>>> need
>>>>>>> to get the certificate based of the content of the request and header
>>>>>>> SAML (get out the subject, do an query and the query give back the
>>>>>>> certificate), and need to validate the SAML with this certificate.
>>>>>>>
>>>>>>> In this case (SamlAssertionValidator) is running before i able to
>>>>>>> parse
>>>>>>> the request. I can create a dummy validate() function, but after I
>>>>>>> need
>>>>>>> to somehow call it again.
>>>>>>>
>>>>>>> Any help will welcome.
>>>>>>>
>>>>>>> Thanx
>>>>>>>
>>>>>>> Csaba
>>>>>>>
>>>>>>>
>>>>>>>> Does the SAML assertion appear in the security header of the
>>>>>>>> request or
>>>>>>> in
>>>>>>>> the body of the request? For the former, you will need to implement
>>>>> your
>>>>>>>> own WSS4J SAML Validator, or subclass the existing one in some way:
>>>>>>>>
>>>>>>>>
>> https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
>>>>>>>> If the SAML assertion is in the SOAP Body then it's handled by
>>>>>>>> the STS
>>>>>>>> code, so you will need to either replace or override this class:
>>>>>>>>
>>>>>>>>
>> https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <ig...@domen.hu> wrote:
>>>>>>>>
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> I have a request with the STS to validate a incoming SAML with a
>>>>>>>>> certificate what come from another source: example need to query it
>>>>>>> from
>>>>>>>>> a database, based on the data in the request.
>>>>>>>>>
>>>>>>>>> How start it? I know the SAML validation is in the deep and need
>>>>>>>>> the
>>>>>>>>> certificate to be in a truststore. Can I give directly the
>>>>>>>>> certificate
>>>>>>>>> as an attribute or need to create a own, custom truststore manager?
>>>>>>>>>
>>>>>>>>> Thanx.
>>>>>>>>>
>>>>>>>>> Csaba
>>>>>>>>>
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Colm O hEigeartaigh
>>>>>>>>
>>>>>>>> Talend Community Coder
>>>>>>>> http://coders.talend.com
>>>>>>>>
>>


Re: STS incoming SAML validation with custom certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
See here:
https://github.com/apache/cxf/blob/540bb76f6f3d3d23944c566905f9f395c6f86b79/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom/CustomUTValidator.java

SOAPMessage soapMessage = getSOAPMessage((SoapMessage)data.getMsgContext());
try {
    Element soapBody = SAAJUtils.getBody(soapMessage);

    if (soapBody != null) {
        // Find custom Element in the SOAP Body
        Element realm = XMLUtils.findElement(soapBody, "realm", "http://cxf.apache.org/custom");
...

Colm.

On Tue, Feb 18, 2020 at 7:12 PM Tóth Csaba <ig...@domen.hu> wrote:

> Hello!
> I have a problem with my SAML validation.
> - I have already made it so that inside the validation I can call an LDAP request,
> get the given cert from the LDAP, and check it against the cert in the SAML.
> BUT
> I need data from the request too, specifically one of the given claims. I
> need that value to give it to the LDAP query.
> How can I get the full request, or at least the SOAP body (it
> can be in any form: stream, string, DOM, object...), from the
> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.validate()
> function?
>
> Thanx
> Csaba
>
> On 2019-09-02 12:17, Tóth Csaba wrote:
> > Thanx!
> > It looks good, it's just that I need data from the request too (a claim)
> > for the query.
> >
> > Csaba
> >
> > On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
> >> I guess you could do something like override verifySignedAssertion, to
> >> retrieve the certs from your DB using the SAML Assertion:
> >>
> >>
> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205
> >>
> >>
> >> and then override the verifyTrustInCerts method in the underlying
> >> SignatureTrustValidator:
> >>
> >>
> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97
> >>
> >>
> >> Colm.
> >>
> >>
> >> On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <ig...@domen.hu> wrote:
> >>
> >>> Hello!
> >>> The request contains a SAML in the security header.
> >>> This SAML contains a
> >>>                   <saml2:Subject>
> >>>                       <saml2:NameID
> >>>
> >>>
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>
> >>>
> >>>                       <saml2:SubjectConfirmation
> >>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> >>>                           <saml2:SubjectConfirmationData
> >>> InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
> >>> NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
> >>>                       </saml2:SubjectConfirmation>
> >>>                   </saml2:Subject>
> >>> In the request is an attribute in the claims:
> >>> <ns:Claims Dialect="myDialect">
> >>>           <saml-a:Attribute
> >>> Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> >>> xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
> >>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>               <saml-a:AttributeValue
> >>> xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
> >>>           </saml-a:Attribute>
> >>>
> >>> </ns:Claims>
> >>>
> >>> the certification with which the incomming SAML signed is stored in a
> >>> database and for the query I need the saml2:NameID value (MyUserID) and
> >>> the "urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> >>> organisationID
> >>> (myOrganizationID).
> >>>
> >>> I can do this query, but only after the SAML validation is done.
> >>>
> >>> Somehow i need to run the SAML signature validation after I can get the
> >>> data (inside the
> >>> org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle()
> >>> function)
> >>>
> >>> or get the data from the request at the
> >>> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
> >>> org.apache.wss4j.dom.validate.SamlAssertionValidator
> >>>
> >>>
> >>> Thanx
> >>>
> >>> Csaba
> >>>
> >>> the request:
> >>>
> >>> ---------------------------------------
> >>>
> >>>
> >>> <soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
> >>> xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> >>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> >>>       <soapenv:Header>
> >>>           <wsse:Security soapenv:mustUnderstand="1"
> >>> xmlns:wsse="
> >>>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>
> >>>
> >>>
> >>> xmlns:wsu="
> >>>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
> >>>
> >>>
> >>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> >>>
> >>>               <saml2:Assertion
> >>> ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
> >>> IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
> >>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> >>> xmlns:xs="http://www.w3.org/2001/XMLSchema">
> >>> <saml2:Issuer>....</saml2:Issuer>
> >>>                   <ds:Signature
> >>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >>>                       <ds:SignedInfo>
> >>>                           <ds:CanonicalizationMethod
> >>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>>                           <ds:SignatureMethod
> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >>>                           <ds:Reference
> >>> URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
> >>>                               <ds:Transforms>
> >>>                                   <ds:Transform
> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >>>                                   <ds:Transform
> >>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >>> <ec:InclusiveNamespaces
> >>> PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>>                                   </ds:Transform>
> >>>                               </ds:Transforms>
> >>>                               <ds:DigestMethod
> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >>> <ds:DigestValue>....</ds:DigestValue>
> >>>                           </ds:Reference>
> >>>                       </ds:SignedInfo>
> >>> <ds:SignatureValue>....</ds:SignatureValue>
> >>>                       <ds:KeyInfo>
> >>>                           <ds:X509Data>
> >>> <ds:X509Certificate>......</ds:X509Certificate>
> >>>                           </ds:X509Data>
> >>>                       </ds:KeyInfo>
> >>>                   </ds:Signature>
> >>>                   <saml2:Subject>
> >>>                       <saml2:NameID
> >>>
> >>>
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>
> >>>
> >>>                       <saml2:SubjectConfirmation
> >>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> >>>                           <saml2:SubjectConfirmationData
> >>> InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
> >>> NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
> >>>                       </saml2:SubjectConfirmation>
> >>>                   </saml2:Subject>
> >>>                   <saml2:Conditions
> >>> NotBefore="2018-02-06T18:29:56.647Z"
> >>> NotOnOrAfter="2018-02-06T18:39:56.647Z">
> >>>                       <saml2:AudienceRestriction>
> >>> <saml2:Audience>.....</saml2:Audience>
> >>>                       </saml2:AudienceRestriction>
> >>>                   </saml2:Conditions>
> >>>                   <saml2:AuthnStatement
> >>> AuthnInstant="2018-02-06T18:29:56.647Z"
> >>> SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
> >>>                       <saml2:AuthnContext>
> >>>
> >>>
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>
> >>>
> >>>                       </saml2:AuthnContext>
> >>>                   </saml2:AuthnStatement>
> >>>                   <saml2:AttributeStatement>
> >>>                       ....
> >>>                   </saml2:AttributeStatement>
> >>>               </saml2:Assertion>
> >>>           </wsse:Security>
> >>>       </soapenv:Header>
> >>>       <soapenv:Body>
> >>>           <ns:RequestSecurityToken>
> >>> <ns:TokenType>
> >>>
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
> >>>
> >>> </ns:TokenType>
> >>> <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
> >>> </ns:RequestType>
> >>>               <ns:Claims Dialect="MyDialect">
> >>>                   <saml-a:Attribute
> >>> Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> >>> xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
> >>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>                       <saml-a:AttributeValue
> >>> xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
> >>>                   </saml-a:Attribute>
> >>>                   ...
> >>>               </ns:Claims>
> >>>           </ns:RequestSecurityToken>
> >>>       </soapenv:Body>
> >>> </soapenv:Envelope>
> >>>
> >>>
> >>> On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
> >>>> Can you post what the request looks like? Even a redacted version
> >>>> of it?
> >>>>
> >>>> Colm.
> >>>>
> >>>> On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <ig...@domen.hu> wrote:
> >>>>
> >>>>> Hello!
> >>>>>
> >>>>> I study the WSS4J SAML Validator, but not help much, my problem is
> >>>>> need
> >>>>> to get the certificate based of the content of the request and header
> >>>>> SAML (get out the subject, do an query and the query give back the
> >>>>> certificate), and need to validate the SAML with this certificate.
> >>>>>
> >>>>> In this case (SamlAssertionValidator) is running before i able to
> >>>>> parse
> >>>>> the request. I can create a dummy validate() function, but after I
> >>>>> need
> >>>>> to somehow call it again.
> >>>>>
> >>>>> Any help will welcome.
> >>>>>
> >>>>> Thanx
> >>>>>
> >>>>> Csaba
> >>>>>
> >>>>>
> >>>>>> Does the SAML assertion appear in the security header of the
> >>>>>> request or
> >>>>> in
> >>>>>> the body of the request? For the former, you will need to implement
> >>> your
> >>>>>> own WSS4J SAML Validator, or subclass the existing one in some way:
> >>>>>>
> >>>>>>
> >>>
> https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
> >>>
> >>>>>> If the SAML assertion is in the SOAP Body then it's handled by
> >>>>>> the STS
> >>>>>> code, so you will need to either replace or override this class:
> >>>>>>
> >>>>>>
> >>>
> https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
> >>>
> >>>>>> Colm.
> >>>>>>
> >>>>>> On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <ig...@domen.hu> wrote:
> >>>>>>
> >>>>>>> Hello!
> >>>>>>>
> >>>>>>> I have a request for the STS to validate an incoming SAML with a
> >>>>>>> certificate that comes from another source: for example, I need to
> >>>>>>> query it from a database, based on the data in the request.
> >>>>>>>
> >>>>>>> How do I start? I know the SAML validation is deep inside and needs
> >>>>>>> the certificate to be in a truststore. Can I give the certificate
> >>>>>>> directly as an attribute, or do I need to create my own custom
> >>>>>>> truststore manager?
> >>>>>>>
> >>>>>>> Thanx.
> >>>>>>>
> >>>>>>> Csaba
> >>>>>>>
> >>>>>>>
> >>>>>> --
> >>>>>> Colm O hEigeartaigh
> >>>>>>
> >>>>>> Talend Community Coder
> >>>>>> http://coders.talend.com
> >>>>>>
> >>>
> >
>
>

Re: STS incoming SAML validation with custom certificate

Posted by Tóth Csaba <ig...@domen.hu>.
Hello!
I have a problem with my SAML validation.
- I have already done this: inside the validation I can make an LDAP
request, get the given cert from LDAP, and check it against the cert in
the SAML.
BUT
I need data from the request too, specifically one of the given claims. I
need that value to pass into the LDAP query.
How can I get the full request, or at least the SOAP body (it can be in
any form: stream, string, DOM, object...), from the
org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.validate()
function?

Thanx
Csaba

On 2019-09-02 12:17, Tóth Csaba wrote:
> Thanx!
> It looks good, but I also need data from the request (a claim) for the
> query.
>
> Csaba
>
> On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
>> I guess you could do something like override verifySignedAssertion, to
>> retrieve the certs from your DB using the SAML Assertion:
>>
>> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205 
>>
>>
>> and then override the verifyTrustInCerts method in the underlying
>> SignatureTrustValidator:
>>
>> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97 
>>
>>
>> Colm.
>>
>>
>
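A sketch of Colm's suggestion, added here as an example (it is not code from this thread, CXF or WSS4J): a SamlAssertionValidator subclass that keys the certificate lookup on the saml2:NameID plus the organization-id claim read from the RST in the SOAP body, and trusts the assertion's signing certificate only if it matches the one on file. Assumed: WSS4J 2.2.x method signatures, that under CXF's WSS4JInInterceptor RequestData.getMsgContext() holds the CXF SoapMessage, and a hypothetical CertificateLookup interface standing in for the LDAP/DB query.

```java
// Added example for this thread, not code from CXF or WSS4J. Assumed: WSS4J 2.2.x method signatures,
// RequestData.getMsgContext() holds the CXF SoapMessage, CertificateLookup is your own LDAP/DB query.
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class DirectoryCertSamlValidator extends SamlAssertionValidator {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String ORG_CLAIM = "urn:oasis:names:tc:xspa:1.0:subject:organization-id";
    /** Hypothetical LDAP/DB lookup: the certificate on file for this subject, or null if none. */
    public interface CertificateLookup {
        X509Certificate find(String subjectNameId, String organizationId) throws Exception;
    }
    private final CertificateLookup lookup;
    public DirectoryCertSamlValidator(CertificateLookup lookup) { this.lookup = lookup; }
    // Replaces the superclass trust check (SignatureTrustValidator.verifyTrustInCerts against the truststore);
    // WSS4J's SAML processor already verified the XML signature, so only the trust decision changes here.
    @Override
    protected void verifySignedAssertion(SamlAssertionWrapper samlAssertion, RequestData data)
        throws WSSecurityException {
        SAMLKeyInfo keyInfo = samlAssertion.getSignatureKeyInfo();
        X509Certificate[] certs = keyInfo == null ? null : keyInfo.getCerts();
        if (certs == null || certs.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        String subject = samlAssertion.getSubjectName();  // saml2:NameID value, e.g. myUserID
        String orgId = claimFromBody(data, ORG_CLAIM);    // e.g. myOrganizationID; unsigned input
        X509Certificate expected;
        try {
            expected = orgId == null ? null : lookup.find(subject, orgId);
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
        if (expected == null || !expected.equals(certs[0])) {  // equals() = identical DER encoding
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            expected.checkValidity();
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /** AttributeValue of the named saml-a:Attribute under ns:Claims in the SOAP body; the header is not searched. */
    static String claimFromBody(RequestData data, String attributeName) throws WSSecurityException {
        try {
            SoapMessage msg = (SoapMessage) data.getMsgContext();
            Element body = msg.getContent(SOAPMessage.class).getSOAPBody();
            NodeList attrs = body.getElementsByTagNameNS(SAML_NS, "Attribute");
            for (int i = 0; i < attrs.getLength(); i++) {
                Element attr = (Element) attrs.item(i);
                if (!attributeName.equals(attr.getAttribute("Name"))) continue;
                NodeList vals = attr.getElementsByTagNameNS(SAML_NS, "AttributeValue");
                return vals.getLength() == 0 ? null : vals.item(0).getTextContent().trim();
            }
            return null;
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }
}
```

Because the organization-id claim sits in the unsigned RST body, the lookup must treat it as untrusted input; the binding that actually matters is the byte-for-byte match between the KeyInfo certificate and the one on file for that subject.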


Re: STS incoming SAML validation with custom certificate

Posted by Tóth Csaba <ig...@domen.hu>.
Thanx!
It looks good, but I also need data from the request (a claim) for the
query.

Csaba

On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
> I guess you could do something like override verifySignedAssertion, to
> retrieve the certs from your DB using the SAML Assertion:
>
> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205
>
> and then override the verifyTrustInCerts method in the underlying
> SignatureTrustValidator:
>
> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97
>
> Colm.
>
>
>>