Posted to commits@syncope.apache.org by co...@apache.org on 2017/08/11 12:39:54 UTC
[3/5] syncope git commit: Take the valid SAML Assertion from the
validator response instead.
Take the valid SAML Assertion from the validator response instead.
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/fecfc6ff
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/fecfc6ff
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/fecfc6ff
Branch: refs/heads/2_0_X
Commit: fecfc6ff37e71b5eedf7f86be429205d9dd1715e
Parents: 1d8b6c6
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Aug 11 12:51:22 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Aug 11 13:16:36 2017 +0100
----------------------------------------------------------------------
.../apache/syncope/core/logic/SAML2SPLogic.java | 65 ++++++++++----------
.../core/logic/saml2/SAML2ReaderWriter.java | 8 ++-
2 files changed, 39 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/fecfc6ff/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 31ef8c4..03576ab 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -37,6 +37,7 @@ import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.lang3.tuple.Triple;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
import org.apache.syncope.common.lib.AbstractBaseBean;
import org.apache.syncope.common.lib.SyncopeClientException;
import org.apache.syncope.common.lib.to.AttrTO;
@@ -371,8 +372,10 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (idp.getConnObjectKeyItem() == null) {
throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
}
+
+ SSOValidatorResponse validatorResponse = null;
try {
- saml2rw.validate(
+ validatorResponse = saml2rw.validate(
samlResponse,
idp,
getAssertionConsumerURL(response.getSpEntityID(), response.getUrlContext()),
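Review bot: `validatorResponse` is pre-initialised to `null` and only assigned inside the `try`, so whether it can still be null when it is dereferenced after the block depends on the `catch` clause, which lies outside this hunk. If the catch rethrows (as it appears to, since later code uses the value unconditionally), dropping the `= null` and declaring `final SSOValidatorResponse validatorResponse;` lets the compiler enforce definite assignment and flag any future catch branch that falls through; if it does not rethrow, a validation failure surfaces as an NPE further down instead of a clean rejection. The enclosing method starts before this hunk.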
@@ -390,47 +393,45 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
responseTO.setIdp(idp.getId());
responseTO.setSloSupported(idp.getSLOLocation(idp.getBindingType()) != null);
- NameID nameID = null;
+ Assertion assertion = validatorResponse.getOpensamlAssertion();
+ NameID nameID = assertion.getSubject().getNameID();
String keyValue = null;
- for (Assertion assertion : samlResponse.getAssertions()) {
- nameID = assertion.getSubject().getNameID();
- if (StringUtils.isNotBlank(nameID.getValue())
- && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
+ if (StringUtils.isNotBlank(nameID.getValue())
+ && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
- keyValue = nameID.getValue();
- }
+ keyValue = nameID.getValue();
+ }
- if (assertion.getConditions().getNotOnOrAfter() != null) {
- responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
- }
- for (AuthnStatement authnStmt : assertion.getAuthnStatements()) {
- responseTO.setSessionIndex(authnStmt.getSessionIndex());
+ if (assertion.getConditions().getNotOnOrAfter() != null) {
+ responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
+ }
+ for (AuthnStatement authnStmt : assertion.getAuthnStatements()) {
+ responseTO.setSessionIndex(authnStmt.getSessionIndex());
- responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
- if (authnStmt.getSessionNotOnOrAfter() != null) {
- responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
- }
+ responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
+ if (authnStmt.getSessionNotOnOrAfter() != null) {
+ responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
}
+ }
- for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
- for (Attribute attr : attrStmt.getAttributes()) {
- if (!attr.getAttributeValues().isEmpty()) {
- String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
- if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())
- && attr.getAttributeValues().get(0) instanceof XSString) {
+ for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
+ for (Attribute attr : attrStmt.getAttributes()) {
+ if (!attr.getAttributeValues().isEmpty()) {
+ String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
+ if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())
+ && attr.getAttributeValues().get(0) instanceof XSString) {
- keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
- }
+ keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
+ }
- AttrTO attrTO = new AttrTO();
- attrTO.setSchema(attrName);
- for (XMLObject value : attr.getAttributeValues()) {
- if (value.getDOM() != null) {
- attrTO.getValues().add(value.getDOM().getTextContent());
- }
+ AttrTO attrTO = new AttrTO();
+ attrTO.setSchema(attrName);
+ for (XMLObject value : attr.getAttributeValues()) {
+ if (value.getDOM() != null) {
+ attrTO.getValues().add(value.getDOM().getTextContent());
}
- responseTO.getAttrs().add(attrTO);
}
+ responseTO.getAttrs().add(attrTO);
}
}
}
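Review bot: `assertion.getSubject().getNameID()` on the new line is chained without null checks, so a validated Assertion lacking a Subject or NameID fails here with an NPE rather than a clean rejection; unless the CXF validator guarantees both are present (I cannot confirm that from this hunk), guard it in the same style as the mapping check earlier in the method: `if (assertion == null || assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {` / `throw new IllegalArgumentException("No NameID found in the validated SAML Assertion");` / `}`. A comment above the new `Assertion assertion = validatorResponse.getOpensamlAssertion();` line would also tell the next reader why the loop over `samlResponse.getAssertions()` was dropped: `// Only the Assertion that passed the validator's checks is consulted; any other Assertion in the Response is ignored.` The remaining lines (NotOnOrAfter, AuthnStatement and AttributeStatement handling) are the previous loop body re-indented, so I have not re-reviewed their logic.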
http://git-wip-us.apache.org/repos/asf/syncope/blob/fecfc6ff/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index 22b0fd1..dba63cc 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -43,6 +43,7 @@ import javax.xml.transform.stream.StreamResult;
import org.apache.commons.codec.binary.Base64;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator;
+import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.syncope.common.lib.SSOConstants;
import org.apache.syncope.common.lib.types.SAML2BindingType;
@@ -202,7 +203,7 @@ public class SAML2ReaderWriter {
return Base64.encodeBase64String(deflatedBytes);
}
- public void validate(
+ public SSOValidatorResponse validate(
final Response samlResponse,
final SAML2IdPEntity idp,
final String assertionConsumerURL,
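Review bot: The public `validate` method's return type changes from `void` to `SSOValidatorResponse`, but nothing in the hunk documents what the returned object carries or that callers should take the Assertion from it rather than from the Response's own Assertion list; if the method has Javadoc it is outside this hunk, so I cannot tell whether it was updated. I would add `@return the validator response, whose {@code getOpensamlAssertion()} is the Assertion that passed validation` to the method's Javadoc. The parameter list and body continue past the hunk.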
@@ -224,7 +225,8 @@ public class SAML2ReaderWriter {
ssoResponseValidator.setIssuerIDP(idp.getId());
ssoResponseValidator.setRequestId(requestId);
ssoResponseValidator.setSpIdentifier(spEntityID);
- ssoResponseValidator.validateSamlResponse(samlResponse, idp.getBindingType() == SAML2BindingType.POST);
+ SSOValidatorResponse validatorResponse =
+ ssoResponseValidator.validateSamlResponse(samlResponse, idp.getBindingType() == SAML2BindingType.POST);
if (LOG.isDebugEnabled()) {
try {
@@ -237,5 +239,7 @@ public class SAML2ReaderWriter {
LOG.error("Could not log the SAML response with decrypted assertions", e);
}
}
+
+ return validatorResponse;
}
}