Posted to commits@ws.apache.org by co...@apache.org on 2011/01/05 14:39:11 UTC
svn commit: r1055456 [1/3] - in /webservices/wss4j/trunk: ./
src/main/java/org/apache/ws/security/
src/main/java/org/apache/ws/security/action/
src/main/java/org/apache/ws/security/handler/
src/main/java/org/apache/ws/security/message/ src/main/java/or...
Author: coheigea
Date: Wed Jan 5 13:39:09 2011
New Revision: 1055456
URL: http://svn.apache.org/viewvc?rev=1055456&view=rev
Log:
[WSS-146] - Applied SAML2 patch to trunk
- This patch consists of Todd's SAML2 patch with a lot of modifications.
- All HOK tests are failing, and are @Ignore'd for the moment.
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/SAMLCallback.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/SAMLParms.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/ActionBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/AttributeBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/AttributeStatementBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/AuthDecisionStatementBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/AuthenticationStatementBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/ConditionsBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/bean/SubjectBean.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/builder/
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/builder/SAML1ComponentBuilder.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/builder/SAML1Constants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/builder/SAML2ComponentBuilder.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/builder/SAML2Constants.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAMLAuthnHolderOfKeyHandler.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/SAMLAuthnSenderVouchesHandler.java
Modified:
webservices/wss4j/trunk/pom.xml
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngine.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenUnsignedAction.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransformUtil.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignaturePartsTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlReferenceTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SamlTokenTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/SignedSamlTokenTest.java
webservices/wss4j/trunk/src/test/resources/saml.properties
webservices/wss4j/trunk/src/test/resources/saml3.properties
webservices/wss4j/trunk/src/test/resources/saml4.properties
webservices/wss4j/trunk/src/test/resources/saml4sendKeyValue.properties
Modified: webservices/wss4j/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Wed Jan 5 13:39:09 2011
@@ -347,7 +347,7 @@
<properties>
<xmlsec.version>1.4.4</xmlsec.version>
- <opensaml.version>1.1</opensaml.version>
+ <opensaml.version>2.2.3</opensaml.version>
<xml.apis.version>1.3.04</xml.apis.version>
<bcprov.version>1.45</bcprov.version>
<commons.logging.version>1.1.1</commons.logging.version>
@@ -375,6 +375,16 @@
<artifactId>opensaml</artifactId>
<version>${opensaml.version}</version>
<scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>log4j-over-slf4j</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-ext-jdk15</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>junit</groupId>
@@ -383,10 +393,16 @@
<scope>test</scope>
</dependency>
<dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ <version>1.4.3</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
- <scope>provided</scope>
+ <scope>test</scope>
</dependency>
<dependency>
<groupId>xalan</groupId>
@@ -406,12 +422,6 @@
<version>${xml.apis.version}</version>
<scope>provided</scope>
</dependency>
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- <version>1.3</version>
- <scope>provided</scope>
- </dependency>
</dependencies>
<reporting>
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java Wed Jan 5 13:39:09 2011
@@ -58,8 +58,12 @@ public class WSConstants {
public static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
public static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
+ public static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
+ public static final String SAMLP2_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
public static final String WSS_SAML_NS =
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#";
+ public static final String WSS_SAML_NS11 =
+ "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#";
public static final String URI_SOAP11_ENV =
"http://schemas.xmlsoap.org/soap/envelope/";
@@ -123,6 +127,7 @@ public class WSConstants {
public static final String WSSE_LN = "Security";
public static final String THUMBPRINT ="ThumbprintSHA1";
public static final String SAML_ASSERTION_ID = "SAMLAssertionID";
+ public static final String SAML2_ASSERTION_ID = "SAMLID";
public static final String ENC_KEY_VALUE_TYPE = "EncryptedKey";
public static final String ENC_KEY_SHA1_URI = "EncryptedKeySHA1";
public static final String SIG_LN = "Signature";
@@ -142,7 +147,6 @@ public class WSConstants {
public static final String SALT_LN = "Salt";
public static final String ITERATION_LN = "Iteration";
public static final String ASSERTION_LN = "Assertion";
- public static final String WSS_SAML_ASSERTION = "SAMLAssertion-1.1";
public static final String PW_DIGEST = "PasswordDigest";
public static final String PW_TEXT = "PasswordText";
public static final String PW_NONE = "PasswordNone";
@@ -231,6 +235,7 @@ public class WSConstants {
// Misc
//
public static final String WSS_SAML_KI_VALUE_TYPE = WSS_SAML_NS + SAML_ASSERTION_ID;
+ public static final String WSS_SAML2_KI_VALUE_TYPE = WSS_SAML_NS11 + SAML2_ASSERTION_ID;
public static final String PASSWORD_DIGEST = USERNAMETOKEN_NS + "#PasswordDigest";
public static final String PASSWORD_TEXT = USERNAMETOKEN_NS + "#PasswordText";
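Review bot: `WSS_SAML2_KI_VALUE_TYPE` and the other new constants in this file (`SAML2_NS`, `SAMLP2_NS`, `WSS_SAML_NS11`, `SAML2_ASSERTION_ID`) are added without any Javadoc, so a reader has to know the WSS SAML Token Profile 1.1 to understand why the SAML 2.0 value type is built from the 1.1 profile namespace. A one-line comment on the added line would do: `/** KeyIdentifier ValueType for a reference to a SAML 2.0 assertion, as defined by the WSS SAML Token Profile 1.1. */`. As far as I recall, the 1.1 profile also defines a `#SAMLAssertionID` ValueType under `WSS_SAML_NS11` for references to SAML 1.1 assertions; only the 2.0 one is added here, so references built that way would presumably not be matched by the new lookups in `SecurityTokenReference`.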
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java Wed Jan 5 13:39:09 2011
@@ -109,6 +109,10 @@ public class WSSConfig {
org.apache.ws.security.processor.SAMLTokenProcessor.class
);
tmp.put(
+ WSSecurityEngine.SAML2_TOKEN,
+ org.apache.ws.security.processor.SAMLTokenProcessor.class
+ );
+ tmp.put(
WSSecurityEngine.ENCRYPTED_KEY,
org.apache.ws.security.processor.EncryptedKeyProcessor.class
);
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngine.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngine.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngine.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSecurityEngine.java Wed Jan 5 13:39:09 2011
@@ -96,10 +96,16 @@ public class WSSecurityEngine {
public static final QName REFERENCE_LIST =
new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN);
/**
- * <code>saml:Assertion</code> as defined by SAML specification
+ * <code>saml:Assertion</code> as defined by SAML v1.1 specification
*/
public static final QName SAML_TOKEN =
new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN);
+
+ /**
+ * <code>saml:Assertion</code> as defined by SAML v2.0 specification
+ */
+ public static final QName SAML2_TOKEN =
+ new QName(WSConstants.SAML2_NS, WSConstants.ASSERTION_LN);
/**
* <code>wsc:DerivedKeyToken</code> as defined by WS-SecureConversation specification
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenSignedAction.java Wed Jan 5 13:39:09 2011
@@ -21,6 +21,7 @@ package org.apache.ws.security.action;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
@@ -29,7 +30,8 @@ import org.apache.ws.security.handler.WS
import org.apache.ws.security.saml.SAMLIssuer;
import org.apache.ws.security.saml.SAMLIssuerFactory;
import org.apache.ws.security.saml.WSSecSignatureSAML;
-import org.opensaml.SAMLAssertion;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
import org.w3c.dom.Document;
public class SAMLTokenSignedAction implements Action {
@@ -54,11 +56,9 @@ public class SAMLTokenSignedAction imple
}
SAMLIssuer saml = loadSamlIssuer(handler, reqData);
- saml.setUsername(reqData.getUsername());
- saml.setUserCrypto(crypto);
saml.setInstanceDoc(doc);
- SAMLAssertion assertion = saml.newAssertion();
+ AssertionWrapper assertion = saml.newAssertion();
if (assertion == null) {
throw new WSSecurityException("WSHandler: Signed SAML: no SAML token received");
}
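Review bot: With `saml.setUserCrypto(crypto)` removed, the `crypto` instance loaded earlier in this method (outside the hunk) looks like it is no longer consumed on this path; if it is indeed unused now, the load and its property lookup should go with it, otherwise a short comment should say what still needs it. Keeping the null check after `saml.newAssertion()` is right. Since `newAssertion()` now declares `WSSecurityException`, the enclosing `execute` method, whose signature is outside the hunk, must declare it as well.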
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenUnsignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenUnsignedAction.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenUnsignedAction.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/SAMLTokenUnsignedAction.java Wed Jan 5 13:39:09 2011
@@ -24,7 +24,7 @@ import org.apache.ws.security.handler.Re
import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.message.WSSecSAMLToken;
import org.apache.ws.security.saml.SAMLIssuer;
-import org.opensaml.SAMLAssertion;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Document;
public class SAMLTokenUnsignedAction extends SAMLTokenSignedAction {
@@ -35,8 +35,7 @@ public class SAMLTokenUnsignedAction ext
builder.setWsConfig(reqData.getWssConfig());
SAMLIssuer saml = loadSamlIssuer(handler, reqData);
- saml.setUsername(reqData.getUsername());
- SAMLAssertion assertion = saml.newAssertion();
+ AssertionWrapper assertion = saml.newAssertion();
// add the SAMLAssertion Token to the SOAP Envelope
builder.build(doc, assertion, reqData.getSecHeader());
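Review bot: `saml.newAssertion()` can return null here and the result is passed straight into `builder.build(...)`, whereas the sibling `SAMLTokenSignedAction` guards the same call with a null check and throws. For consistency add the same guard before the build call: `if (assertion == null) { throw new WSSecurityException("WSHandler: Unsigned SAML: no SAML token received"); }`. The enclosing `execute` method starts outside the hunk; as `newAssertion()` now declares `WSSecurityException`, check that its signature declares it too.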
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java Wed Jan 5 13:39:09 2011
@@ -139,7 +139,7 @@ public abstract class WSHandler {
decodeSignatureParameter(reqData);
}
/*
- * If we need to handle signed SAML token then we may need the
+ * If we need to handle zsigned SAML token then we may need the
* Signature parameters. The handle procedure loads the signature crypto
* file on demand, thus don't do it here.
*/
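Review bot: The new side of this comment introduces a typo, `zsigned`, where the original read `signed`; this looks like a stray keystroke rather than an intended change. Restore the line as `* If we need to handle signed SAML token then we may need the`.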
@@ -270,7 +270,8 @@ public abstract class WSHandler {
decodeSignatureParameter2(reqData);
}
- if ((doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED) {
+ if (((doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED)
+ || ((doAction & WSConstants.ST_UNSIGNED) == WSConstants.ST_UNSIGNED)) {
decodeSignatureParameter2(reqData);
}
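Review bot: Nothing explains why an unsigned SAML token now requires the signature parameters to be decoded; from the rest of the commit it is presumably because a holder-of-key assertion needs the issuer and user crypto to embed key material even when the message itself is not signed, but a reader of this method cannot tell. A short comment above the condition would help, e.g. `// ST_UNSIGNED also needs the signature crypto: a holder-of-key assertion embeds key material`, marked as an assumption if that is not the reason. The enclosing method starts and ends outside the hunk, so whether `decodeSignatureParameter2` is now called twice for some action combinations (the preceding `if` at the top of the hunk calls it as well) cannot be checked here.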
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java Wed Jan 5 13:39:09 2011
@@ -511,9 +511,12 @@ public class WSSecEncrypt extends WSSecE
keyInfo.addUnknownElement(secToken.getElement());
} else if (keyIdentifierType == WSConstants.EMBEDDED_KEYNAME) {
keyInfo.addKeyName(embeddedKeyName == null ? user : embeddedKeyName);
- } else if (SecurityTokenReference.SAML_ID_URI.equals(customReferenceValue)) {
+ // TODO Support SAML2 here
+ } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(customReferenceValue)) {
SecurityTokenReference secToken = new SecurityTokenReference(document);
- secToken.setSAMLKeyIdentifier((encKeyIdDirectId ? "":"#") + encKeyId);
+ secToken.setKeyIdentifier(
+ WSConstants.WSS_SAML_KI_VALUE_TYPE, (encKeyIdDirectId ? "":"#") + encKeyId
+ );
keyInfo.addUnknownElement(secToken.getElement());
} else if (securityTokenReference != null) {
Element tmpE = securityTokenReference.getElement();
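Review bot: The added `// TODO Support SAML2 here` sits on the last line of the `EMBEDDED_KEYNAME` branch, so it reads as belonging to the key-name case rather than to the SAML branch that follows it. Move it inside the `WSS_SAML_KI_VALUE_TYPE` branch, just above the `new SecurityTokenReference(document)` line, and state what is missing: `// TODO Support SAML 2.0 references (WSS_SAML2_KI_VALUE_TYPE, plus the wsse11:TokenType attribute the 1.1 profile calls for)`. Simply also matching `WSS_SAML2_KI_VALUE_TYPE` in this condition would, as I understand the profile, not be sufficient, so leaving it as a TODO is reasonable. The enclosing method starts and ends outside the hunk.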
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSAMLToken.java Wed Jan 5 13:39:09 2011
@@ -21,9 +21,13 @@ package org.apache.ws.security.message;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLException;
+
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.signature.SignatureException;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -39,7 +43,7 @@ public class WSSecSAMLToken extends WSSe
private Document document = null;
- private SAMLAssertion saml = null;
+ private AssertionWrapper saml = null;
/**
* Creates a SAML token.
@@ -53,7 +57,7 @@ public class WSSecSAMLToken extends WSSe
* @param doc
* The SOAP envelope as W3C document
*/
- public void prepare(Document doc, SAMLAssertion assertion) {
+ public void prepare(Document doc, AssertionWrapper assertion) {
document = doc;
saml = assertion;
}
@@ -73,7 +77,9 @@ public class WSSecSAMLToken extends WSSe
try {
Element element = (Element) saml.toDOM(document);
WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), element);
- } catch (SAMLException ex) {
+ } catch (SignatureException ex) {
+ throw new RuntimeException(ex.toString(), ex);
+ } catch (MarshallingException ex) {
throw new RuntimeException(ex.toString(), ex);
}
}
@@ -103,7 +109,7 @@ public class WSSecSAMLToken extends WSSe
* @param assertion TODO
* @return Document with UsernameToken added
*/
- public Document build(Document doc, SAMLAssertion assertion, WSSecHeader secHeader) {
+ public Document build(Document doc, AssertionWrapper assertion, WSSecHeader secHeader) {
log.debug("Begin add SAMLAssertion token...");
prepare(doc, assertion);
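Review bot: The Javadoc of `build` is still wrong on the new side: `@param assertion TODO` says nothing and `@return Document with UsernameToken added` describes a different token, even though the signature is touched in this hunk. Replace them with `@param assertion the (wrapped) SAML assertion to prepend to the security header` and `@return Document with the SAML Assertion added`. The method body continues outside the hunk.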
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java Wed Jan 5 13:39:09 2011
@@ -56,8 +56,6 @@ public class SecurityTokenReference {
WSConstants.X509TOKEN_NS + "#X509SubjectKeyIdentifier";
public static final String THUMB_URI =
WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.THUMBPRINT;
- public static final String SAML_ID_URI =
- WSConstants.SAMLTOKEN_NS + "#" + WSConstants.SAML_ASSERTION_ID;
public static final String ENC_KEY_SHA1_URI =
WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_SHA1_URI;
private static Log log =
@@ -242,8 +240,8 @@ public class SecurityTokenReference {
//
// Try to find a SAML Assertion by searching the DOM tree
//
- String assertionStr = WSConstants.WSS_SAML_NS + WSConstants.ASSERTION_LN;
- if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type) || assertionStr.equals(type)) {
+ if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)
+ || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type)) {
Element assertion =
WSSecurityUtil.findSAMLAssertionElementById(
doc.getDocumentElement(),
@@ -261,8 +259,9 @@ public class SecurityTokenReference {
//
// Try to find a custom token
//
- if (cb != null && (WSConstants.WSC_SCT.equals(type) ||
- WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type) || assertionStr.equals(type))) {
+ if (cb != null && (WSConstants.WSC_SCT.equals(type))
+ || WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)
+ || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type)) {
//try to find a custom token
WSPasswordCallback pwcb =
new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
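Review bot: The rewritten condition changes the precedence of the original: `cb != null &&` now guards only the `WSC_SCT` case, and for either SAML value type the custom-token branch is entered even when `cb` is null, which would end in a NullPointerException when the callback is invoked on the `WSPasswordCallback` created here (presumably just after the hunk). Restore the grouping so the null check covers all three: `if (cb != null && (WSConstants.WSC_SCT.equals(type)` / `|| WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)` / `|| WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type))) {`. The enclosing method starts and ends outside the hunk.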
@@ -369,17 +368,12 @@ public class SecurityTokenReference {
}
}
-
public void setKeyIdentifierEncKeySHA1(String value) throws WSSecurityException {
Document doc = element.getOwnerDocument();
org.w3c.dom.Text text = doc.createTextNode(value);
createKeyIdentifier(doc, ENC_KEY_SHA1_URI, text, true);
}
- public void setSAMLKeyIdentifier(String keyIdVal) throws WSSecurityException {
- Document doc = element.getOwnerDocument();
- createKeyIdentifier(doc, SAML_ID_URI, doc.createTextNode(keyIdVal), false);
- }
public void setKeyIdentifier(String valueType, String keyIdVal) throws WSSecurityException {
Document doc = element.getOwnerDocument();
createKeyIdentifier(doc, valueType, doc.createTextNode(keyIdVal), false);
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SAMLTokenProcessor.java Wed Jan 5 13:39:09 2011
@@ -27,8 +27,10 @@ import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLException;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+import org.opensaml.xml.io.UnmarshallingException;
+
import org.w3c.dom.Element;
import java.util.List;
@@ -48,7 +50,7 @@ public class SAMLTokenProcessor implemen
if (log.isDebugEnabled()) {
log.debug("Found SAML Assertion element");
}
- SAMLAssertion assertion = handleSAMLToken(elem);
+ AssertionWrapper assertion = handleSAMLToken(elem);
wsDocInfo.addTokenElement(elem);
WSSecurityEngineResult result =
new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion);
@@ -58,16 +60,16 @@ public class SAMLTokenProcessor implemen
return java.util.Collections.singletonList(result);
}
- public SAMLAssertion handleSAMLToken(Element token) throws WSSecurityException {
+ public AssertionWrapper handleSAMLToken(Element token) throws WSSecurityException {
boolean result = false;
- SAMLAssertion assertion = null;
+ AssertionWrapper assertion = null;
try {
- assertion = new SAMLAssertion(token);
+ assertion = new AssertionWrapper(token);
result = true;
if (log.isDebugEnabled()) {
- log.debug("SAML Assertion issuer " + assertion.getIssuer());
+ log.debug("SAML Assertion issuer " + assertion.getIssuerString());
}
- } catch (SAMLException e) {
+ } catch (UnmarshallingException e) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e
);
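Review bot: The local `result` is set to `false` and then to `true` once the `AssertionWrapper` is constructed, but nothing in the hunk reads it; if it is not consumed after the hunk (the method continues outside it), drop it. Separately, the only failure the new code reports is `UnmarshallingException`, i.e. `handleSAMLToken` accepts any well-formed assertion without checking its signature or validity conditions; if that is deliberately left to later processing (the result is tagged `ST_UNSIGNED`), a comment on the method saying where validation happens would stop the next reader from assuming it is done here.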
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuer.java Wed Jan 5 13:39:09 2011
@@ -19,8 +19,9 @@
package org.apache.ws.security.saml;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
-import org.opensaml.SAMLAssertion;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Document;
/**
@@ -33,23 +34,14 @@ import org.w3c.dom.Document;
public interface SAMLIssuer {
/**
- * Creates a new <code>SAMLAssertion</code>.
+ * Creates a new <code>AssertionWrapper</code>.
* <p/>
- * A complete <code>SAMLAssertion</code> is constructed.
+ * A complete <code>AssertionWrapper</code> is constructed.
*
- * @return SAMLAssertion
+ * @return AssertionWrapper
+ * @throws WSSecurityException
*/
- public SAMLAssertion newAssertion();
-
- /**
- * @param userCrypto The userCrypto to set.
- */
- public void setUserCrypto(Crypto userCrypto);
-
- /**
- * @param username The username to set.
- */
- public void setUsername(String username);
+ public AssertionWrapper newAssertion() throws WSSecurityException;
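Review bot: `@throws WSSecurityException` on `newAssertion()` has no description, and the Javadoc does not mention that the issuer is no longer handed the username and user crypto (both setters are removed from the interface, which also breaks existing implementors). Write it as `@throws WSSecurityException if the assertion cannot be created`, and add a sentence to the description noting that subject and key information now appear to be supplied through the SAML callback configured in the issuer properties rather than through this interface.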
/**
* @return Returns the issuerCrypto.
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLIssuerImpl.java Wed Jan 5 13:39:09 2011
@@ -26,16 +26,25 @@ import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAuthenticationStatement;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
+
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.saml.ext.SAMLParms;
+import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
+import org.apache.ws.security.util.Loader;
+
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.KeyInfo;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.security.KeyException;
+import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
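Review bot: The JSR-105 `KeyInfo` and `KeyInfoFactory` imports are replaced by OpenSAML's `KeyInfo`, but `javax.xml.crypto.MarshalException`, `XMLStructure`, `DOMStructure`, `KeyValue` and `X509Data` are still imported; if the code that used them went with the `keyInfoFactory` field (removed further down in this commit), these are now unused and should be removed as well. `java.security.KeyException` and `java.util.Arrays` may be in the same position. The method bodies that would settle this are outside the hunk.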
@@ -43,11 +52,10 @@ import java.util.Collection;
import java.util.Date;
import java.util.Properties;
+import javax.security.auth.callback.CallbackHandler;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
-import javax.xml.crypto.dsig.keyinfo.KeyInfo;
-import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
@@ -61,7 +69,7 @@ public class SAMLIssuerImpl implements S
private static final Log log = LogFactory.getLog(SAMLIssuerImpl.class.getName());
- private SAMLAssertion sa = null;
+ private AssertionWrapper sa = null;
private Document instanceDoc = null;
@@ -74,12 +82,10 @@ public class SAMLIssuerImpl implements S
private boolean senderVouches = true;
private String[] confirmationMethods = new String[1];
- private Crypto userCrypto = null;
- private String username = null;
private WSSConfig wssConfig = WSSConfig.getNewInstance();
- private KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
+ private String samlVersion = null;
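Review bot: The new `samlVersion` field has no comment, and its valid values are only visible where it is compared later in this commit (`"1.1"` / `"2.0"`, read from `org.apache.ws.security.saml.version`). Document it at the declaration: `// SAML version to issue, "1.1" or "2.0", from org.apache.ws.security.saml.version; anything else falls back to 1.1`. The enclosing class continues outside the hunk.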
/**
* Flag indicating what format to put the subject's key material in when
@@ -121,170 +127,134 @@ public class SAMLIssuerImpl implements S
if (sendKeyValueProp != null) {
sendKeyValue = Boolean.valueOf(sendKeyValueProp).booleanValue();
}
+
+ samlVersion = properties.getProperty("org.apache.ws.security.saml.version");
- if ("senderVouches"
- .equals(properties.getProperty("org.apache.ws.security.saml.confirmationMethod"))) {
- confirmationMethods[0] = SAMLSubject.CONF_SENDER_VOUCHES;
- } else if (
- "keyHolder".equals(properties.getProperty("org.apache.ws.security.saml.confirmationMethod"))) {
- confirmationMethods[0] = SAMLSubject.CONF_HOLDER_KEY;
- senderVouches = false;
+ String confMethod = properties.getProperty("org.apache.ws.security.saml.confirmationMethod");
+ if ("senderVouches".equals(confMethod)) {
+ if ("1.1".equalsIgnoreCase(samlVersion)) {
+ confirmationMethods[0] = SAML1Constants.CONF_SENDER_VOUCHES;
+ } else if ("2.0".equalsIgnoreCase(samlVersion)) {
+ confirmationMethods[0] = SAML2Constants.SBJ_CONFIRMATION_SENDER_VOUCHES;
+ } else {
+ // Default to SAML 1.1
+ confirmationMethods[0] = SAML1Constants.CONF_SENDER_VOUCHES;
+ }
+ } else if ("keyHolder".equals(confMethod)) {
+ if ("1.1".equalsIgnoreCase(samlVersion)) {
+ confirmationMethods[0] = SAML1Constants.CONF_HOLDER_KEY;
+ senderVouches = false;
+ } else if ("2.0".equalsIgnoreCase(samlVersion)) {
+ confirmationMethods[0] = SAML2Constants.SBJ_CONFIRMATION_HOLDER_OF_KEY;
+ } else {
+ // Default to SAML 1.1
+ confirmationMethods[0] = SAML1Constants.CONF_HOLDER_KEY;
+ senderVouches = false;
+ }
} else {
// throw something here - this is a mandatory property
+ throw new IllegalStateException(
+ "No value provided in saml configuration for confirmation method"
+ );
}
}
/**
- * Creates a new <code>SAMLAssertion</code>.
- * <p/>
- * <p/>
- * A complete <code>SAMLAssertion</code> is constructed.
+ * Creates a new AssertionWrapper.
*
- * @return SAMLAssertion
+ * @return a new AssertionWrapper.
*/
- public SAMLAssertion newAssertion() { // throws Exception {
- log.debug("Begin add SAMLAssertion token...");
+ public AssertionWrapper newAssertion() throws WSSecurityException {
+
+ log.debug(
+ "Entering AssertionWrapper.newAssertion() ... creating SAML v"
+ + samlVersion + " token"
+ );
+
+ String issuer = properties.getProperty("org.apache.ws.security.saml.issuer");
+ String samlCallbackClassname =
+ properties.getProperty("org.apache.ws.security.saml.callback");
+ Class<?> callbackClass = null;
+ try {
+ callbackClass = Loader.loadClass(samlCallbackClassname);
+ } catch (ClassNotFoundException ex) {
+ throw new WSSecurityException(ex.getMessage(), ex);
+ }
- /*
- * if (senderVouches == false && userCrypto == null) { throw
- * exception("need user crypto data to insert key") }
- */
- // Issuer must enable crypto functions to get the issuer's certificate
- String issuer =
- properties.getProperty("org.apache.ws.security.saml.issuer");
- String name =
- properties.getProperty("org.apache.ws.security.saml.subjectNameId.name");
- String qualifier =
- properties.getProperty("org.apache.ws.security.saml.subjectNameId.qualifier");
+ // Create a new SAMLParms with all of the information from the properties file.
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setIssuer(issuer);
+ samlParms.setSamlVersion(samlVersion);
try {
- SAMLNameIdentifier nameId =
- new SAMLNameIdentifier(name, qualifier, "");
- String subjectIP = null;
- String authMethod = null;
- if ("password"
- .equals(properties.getProperty("org.apache.ws.security.saml.authenticationMethod"))) {
- authMethod =
- SAMLAuthenticationStatement.AuthenticationMethod_Password;
+ samlParms.setCallbackHandler((CallbackHandler)callbackClass.newInstance());
+ } catch (InstantiationException ex) {
+ throw new WSSecurityException(ex.getMessage(), ex);
+ } catch (IllegalAccessException ex) {
+ throw new WSSecurityException(ex.getMessage(), ex);
+ }
+
+ sa = new AssertionWrapper(samlParms);
+
+ if (!senderVouches) {
+ //
+ // Create the signature
+ //
+ Signature signature = OpenSAMLUtil.buildSignature();
+ signature.setCanonicalizationAlgorithm(
+ SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS
+ );
+
+ // prepare to sign the SAML token
+ X509Certificate[] issuerCerts = issuerCrypto.getCertificates(issuerKeyName);
+
+ String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+ String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
+ log.debug("automatic sig algo detection: " + pubKeyAlgo);
+ if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+ sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
+ }
+ PrivateKey privateKey = null;
+ try {
+ privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
+ } catch (Exception ex) {
+ throw new WSSecurityException(ex.getMessage(), ex);
+ }
+
+ signature.setSignatureAlgorithm(sigAlgo);
+
+ BasicX509Credential signingCredential = new BasicX509Credential();
+ if (issuerCerts.length == 1) {
+ signingCredential.setEntityCertificate(issuerCerts[0]);
+ } else {
+ signingCredential.setEntityCertificateChain(Arrays.asList(issuerCerts));
}
- Date authInstant = new Date();
- Collection<?> bindings = null;
+ signingCredential.setPrivateKey(privateKey);
+ signingCredential.setEntityId(issuer);
- SAMLSubject subject =
- new SAMLSubject(nameId,
- Arrays.asList(confirmationMethods),
- null,
- null);
- SAMLStatement[] statements =
- {
- new SAMLAuthenticationStatement(subject,
- authMethod,
- authInstant,
- subjectIP,
- null,
- bindings)};
- sa =
- new SAMLAssertion(issuer,
- null,
- null,
- null,
- null,
- Arrays.asList(statements));
-
- if (!senderVouches) {
- KeyInfo keyInfo = null;
- try {
- X509Certificate[] certs =
- userCrypto.getCertificates(username);
- String keyInfoUri =
- wssConfig.getIdAllocator().createSecureId("KI-", keyInfo);
- if (sendKeyValue) {
- PublicKey key = certs[0].getPublicKey();
- KeyValue keyValue = keyInfoFactory.newKeyValue(key);
- keyInfo =
- keyInfoFactory.newKeyInfo(
- java.util.Collections.singletonList(keyValue), keyInfoUri
- );
- } else {
- X509Data x509Data =
- keyInfoFactory.newX509Data(java.util.Collections.singletonList(certs[0]));
- keyInfo =
- keyInfoFactory.newKeyInfo(
- java.util.Collections.singletonList(x509Data), keyInfoUri
- );
- }
-
- Element keyInfoParent = instanceDoc.createElement("KeyInfoParent");
- XMLStructure structure = new DOMStructure(keyInfoParent);
- keyInfo.marshal(structure, null);
- Element keyInfoElement = (Element)keyInfoParent.getFirstChild();
- subject.setKeyInfo(keyInfoElement);
- } catch (WSSecurityException ex) {
- if (log.isDebugEnabled()) {
- log.debug(ex.getMessage(), ex);
- }
- return null;
- } catch (MarshalException ex) {
- if (log.isDebugEnabled()) {
- log.debug(ex.getMessage(), ex);
- }
- return null;
- } catch (KeyException ex) {
- if (log.isDebugEnabled()) {
- log.debug(ex.getMessage(), ex);
- }
- return null;
- }
- // prepare to sign the SAML token
- try {
- X509Certificate[] issuerCerts =
- issuerCrypto.getCertificates(issuerKeyName);
-
- String sigAlgo = WSConstants.RSA_SHA1;
- String pubKeyAlgo =
- issuerCerts[0].getPublicKey().getAlgorithm();
- log.debug("automatic sig algo detection: " + pubKeyAlgo);
- if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
- sigAlgo = WSConstants.DSA;
- }
- java.security.Key issuerPK =
- issuerCrypto.getPrivateKey(issuerKeyName,
- issuerKeyPassword);
- sa.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts));
- } catch (WSSecurityException ex) {
- if (log.isDebugEnabled()) {
- log.debug(ex.getMessage(), ex);
- }
- return null;
- } catch (Exception ex) {
- if (log.isDebugEnabled()) {
- log.debug(ex.getMessage(), ex);
- }
- return null;
- }
+ signature.setSigningCredential(signingCredential);
+
+ X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
+ if (sendKeyValue) {
+ kiFactory.setEmitPublicKeyValue(true);
+ } else {
+ kiFactory.setEmitEntityCertificate(true);
}
- } catch (SAMLException ex) {
- if (log.isDebugEnabled()) {
- log.debug(ex.getMessage(), ex);
+ try {
+ KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
+ signature.setKeyInfo(keyInfo);
+ } catch (org.opensaml.xml.security.SecurityException ex) {
+ throw new WSSecurityException(
+ "Error generating KeyInfo from signing credential", ex
+ );
}
- throw new RuntimeException(ex.toString(), ex);
- }
- return sa;
- }
- /**
- * @param userCrypto The userCrypto to set.
- */
- public void setUserCrypto(Crypto userCrypto) {
- this.userCrypto = userCrypto;
- }
+ // add the signature to the assertion
+ sa.setSignature(signature);
+ }
- /**
- * @param username The username to set.
- */
- public void setUsername(String username) {
- this.username = username;
+ return sa;
}
-
+
/**
* @return Returns the issuerCrypto.
*/
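Review bot: The SAML 2.0 `keyHolder` branch (`confirmationMethods[0] = SAML2Constants.SBJ_CONFIRMATION_HOLDER_OF_KEY;`) never sets `senderVouches = false`, unlike the 1.1 and default branches on either side of it, so with `org.apache.ws.security.saml.version=2.0` a holder-of-key configuration leaves `senderVouches` true and `newAssertion()` skips the whole `if (!senderVouches)` signing block — the SAML 2.0 HoK assertion is returned unsigned, which may be one reason the HoK tests are ignored. Add `senderVouches = false;` directly after that assignment. Separately, `issuerCerts[0]` in `newAssertion()` is dereferenced without checking that `issuerCrypto.getCertificates(issuerKeyName)` returned a non-empty array, so a wrong issuer alias surfaces as a NullPointerException or ArrayIndexOutOfBoundsException rather than a WSSecurityException naming the alias; a guard such as `if (issuerCerts == null || issuerCerts.length == 0) { throw new WSSecurityException(...); }` before the algorithm detection would be clearer. `Loader.loadClass(samlCallbackClassname)` also receives null when the `org.apache.ws.security.saml.callback` property is absent; whether that is reported as ClassNotFoundException or NullPointerException depends on Loader, which is not visible here.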
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLKeyInfo.java Wed Jan 5 13:39:09 2011
@@ -19,7 +19,7 @@
package org.apache.ws.security.saml;
-import org.opensaml.SAMLAssertion;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -45,23 +45,23 @@ public class SAMLKeyInfo {
private PublicKey publicKey;
/**
- * SAMLAssertion
+ * SAMLAssertion wrapper
*/
- SAMLAssertion assertion;
+ AssertionWrapper assertion;
- public SAMLKeyInfo(SAMLAssertion assertions, X509Certificate[] certs) {
+ public SAMLKeyInfo(AssertionWrapper assertion, X509Certificate[] certs) {
this.certs = certs;
- this.assertion = assertions;
+ this.assertion = assertion;
}
- public SAMLKeyInfo(SAMLAssertion assertions, byte[] secret) {
+ public SAMLKeyInfo(AssertionWrapper assertion, byte[] secret) {
this.secret = secret;
- this.assertion = assertions;
+ this.assertion = assertion;
}
- public SAMLKeyInfo(SAMLAssertion assertions, PublicKey publicKey) {
+ public SAMLKeyInfo(AssertionWrapper assertion, PublicKey publicKey) {
this.publicKey = publicKey;
- this.assertion = assertions;
+ this.assertion = assertion;
}
public X509Certificate[] getCerts() {
@@ -76,7 +76,7 @@ public class SAMLKeyInfo {
return this.publicKey;
}
- public SAMLAssertion getAssertion() {
+ public AssertionWrapper getAssertion() {
return assertion;
}
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/SAMLUtil.java Wed Jan 5 13:39:09 2011
@@ -21,6 +21,7 @@ package org.apache.ws.security.saml;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
@@ -29,16 +30,18 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.processor.EncryptedKeyProcessor;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAuthenticationStatement;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLObject;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.SAMLSubjectStatement;
+
+import org.opensaml.common.SAMLObject;
+import org.opensaml.saml1.core.AttributeStatement;
+import org.opensaml.saml1.core.AuthenticationStatement;
+import org.opensaml.saml1.core.Statement;
+import org.opensaml.saml1.core.Subject;
+import org.opensaml.saml1.core.SubjectStatement;
+import org.opensaml.xml.io.UnmarshallingException;
+
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;
@@ -65,28 +68,26 @@ import java.util.List;
public class SAMLUtil {
private static Log log = LogFactory.getLog(SAMLUtil.class.getName());
-
-
/**
- * Extract certificates or the key available in the SAMLAssertion
+ * Extract certificates or the key available in the AssertionWrapper
* @param elem
* @return the SAML Key Info
* @throws WSSecurityException
*/
public static SAMLKeyInfo getSAMLKeyInfo(Element elem, Crypto crypto,
CallbackHandler cb) throws WSSecurityException {
- SAMLAssertion assertion;
+ AssertionWrapper assertion;
try {
- assertion = new SAMLAssertion(elem);
+ assertion = new AssertionWrapper(elem);
return getSAMLKeyInfo(assertion, crypto, cb);
- } catch (SAMLException e) {
+ } catch (UnmarshallingException e) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLToken", new Object[]{"for Signature (cannot parse)"}, e);
}
}
- public static SAMLKeyInfo getSAMLKeyInfo(SAMLAssertion assertion, Crypto crypto,
+ public static SAMLKeyInfo getSAMLKeyInfo(AssertionWrapper assertion, Crypto crypto,
CallbackHandler cb) throws WSSecurityException {
//First ask the cb whether it can provide the secret
@@ -105,14 +106,16 @@ public class SAMLUtil {
if (key != null) {
return new SAMLKeyInfo(assertion, key);
} else {
- Iterator<?> statements = assertion.getStatements();
+ // WARNING! THIS IS HARD CODED TO SAML v1.1
+ org.opensaml.saml1.core.Assertion saml11Assertion = assertion.getSaml1();
+ Iterator<?> statements = saml11Assertion.getStatements().iterator();
while (statements.hasNext()) {
- SAMLStatement stmt = (SAMLStatement) statements.next();
- if (stmt instanceof SAMLAttributeStatement) {
- SAMLAttributeStatement attrStmt = (SAMLAttributeStatement) stmt;
- SAMLSubject samlSubject = attrStmt.getSubject();
- Element kiElem = samlSubject.getKeyInfo();
-
+ Statement stmt = (Statement) statements.next();
+ if (stmt instanceof AttributeStatement) {
+ AttributeStatement attrStmt = (AttributeStatement) stmt;
+ Subject samlSubject = attrStmt.getSubject();
+ Element kiElem = samlSubject.getSubjectConfirmation().getKeyInfo().getDOM();
+
Node node = kiElem.getFirstChild();
while (node != null) {
if (Node.ELEMENT_NODE == node.getNodeType()) {
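Review bot: `Element kiElem = samlSubject.getSubjectConfirmation().getKeyInfo().getDOM();` chains three calls on a parsed, untrusted token with no null check; SubjectConfirmation and its KeyInfo are both optional under the SAML 1.1 schema, so a token that omits either now fails with a NullPointerException instead of the `invalidSAMLToken` WSSecurityException this method raises for other malformed input. The same chain appears as `Element e = samlSubj.getSubjectConfirmation().getKeyInfo().getDOM();` in the next hunk and again in getCertificatesFromSAML. Likewise `assertion.getSaml1()` returns null for a SAML 2.0 assertion (and for anything the new AssertionWrapper(XMLObject) constructor merely logs as an unexpected type), so `saml11Assertion.getStatements()` also throws NullPointerException; the WARNING comment would be better backed by a guard such as `if (saml11Assertion == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLToken", new Object[]{"for Signature (not a SAML 1.1 assertion)"}); }`. The enclosing getSAMLKeyInfo(AssertionWrapper, ...) method starts in the previous hunk and continues past this one.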
@@ -134,16 +137,15 @@ public class SAMLUtil {
}
node = node.getNextSibling();
}
-
- } else if (stmt instanceof SAMLAuthenticationStatement) {
- SAMLAuthenticationStatement authStmt = (SAMLAuthenticationStatement)stmt;
- SAMLSubject samlSubj = authStmt.getSubject();
+ } else if (stmt instanceof AuthenticationStatement) {
+ AuthenticationStatement authStmt = (AuthenticationStatement) stmt;
+ Subject samlSubj = authStmt.getSubject();
if (samlSubj == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLToken", new Object[]{"for Signature (no Subject)"});
}
- Element e = samlSubj.getKeyInfo();
+ Element e = samlSubj.getSubjectConfirmation().getKeyInfo().getDOM();
X509Certificate[] certs = null;
KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
XMLStructure keyInfoStructure = new DOMStructure(e);
@@ -207,29 +209,32 @@ public class SAMLUtil {
*/
public static X509Certificate[] getCertificatesFromSAML(Element elem)
throws WSSecurityException {
-
/*
* Get some information about the SAML token content. This controls how
* to deal with the whole stuff. First get the Authentication statement
* (includes Subject), then get the _first_ confirmation method only.
*/
- SAMLAssertion assertion;
+ AssertionWrapper assertion;
try {
- assertion = new SAMLAssertion(elem);
- } catch (SAMLException e) {
+ assertion = new AssertionWrapper(elem);
+ } catch (UnmarshallingException e) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"invalidSAMLToken", new Object[]{"for Signature (cannot parse)"}, e);
}
- SAMLSubjectStatement samlSubjS = null;
- Iterator<?> it = assertion.getStatements();
+ SubjectStatement samlSubjS = null;
+
+ // WARNING! THIS IS HARD CODED TO SAML v1.1
+ org.opensaml.saml1.core.Assertion saml11Assertion = assertion.getSaml1();
+
+ Iterator it = saml11Assertion.getStatements().iterator();
while (it.hasNext()) {
SAMLObject so = (SAMLObject) it.next();
- if (so instanceof SAMLSubjectStatement) {
- samlSubjS = (SAMLSubjectStatement) so;
+ if (so instanceof SubjectStatement) {
+ samlSubjS = (SubjectStatement) so;
break;
}
}
- SAMLSubject samlSubj = null;
+ Subject samlSubj = null;
if (samlSubjS != null) {
samlSubj = samlSubjS.getSubject();
}
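Review bot: `Iterator it = saml11Assertion.getStatements().iterator();` drops the `<?>` wildcard the removed line carried, reintroducing a raw type and an unchecked warning; `Iterator<?> it = saml11Assertion.getStatements().iterator();` keeps the cast on the following line unchanged. `assertion.getSaml1()` is dereferenced here without a null check as well, the same issue raised for getSAMLKeyInfo. getCertificatesFromSAML continues past this hunk.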
@@ -247,7 +252,8 @@ public class SAMLUtil {
// if (SAMLSubject.CONF_SENDER_VOUCHES.equals(confirmMethod)) {
// senderVouches = true;
// }
- Element e = samlSubj.getKeyInfo();
+
+ Element e = samlSubj.getSubjectConfirmation().getKeyInfo().getDOM();
X509Certificate[] certs = null;
KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");
XMLStructure keyInfoStructure = new DOMStructure(e);
@@ -279,17 +285,21 @@ public class SAMLUtil {
return certs;
}
-
- public static String getAssertionId(Element envelope, String elemName, String nmSpace) throws WSSecurityException {
+
+ public static String getAssertionId(
+ Element envelope,
+ String elemName,
+ String nmSpace
+ ) throws WSSecurityException {
String id;
// Make the AssertionID the wsu:Id and the signature reference the same
- SAMLAssertion assertion;
+ AssertionWrapper assertion;
- Element assertionElement = (Element) WSSecurityUtil
- .findElement(envelope, elemName, nmSpace);
+ Element assertionElement =
+ (Element)WSSecurityUtil.findElement(envelope, elemName, nmSpace);
try {
- assertion = new SAMLAssertion(assertionElement);
+ assertion = new AssertionWrapper(assertionElement);
id = assertion.getId();
} catch (Exception e1) {
log.error(e1);
@@ -299,5 +309,5 @@ public class SAMLUtil {
}
return id;
}
-
+
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java?rev=1055456&r1=1055455&r2=1055456&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java Wed Jan 5 13:39:09 2011
@@ -32,21 +32,20 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLObject;
-import org.opensaml.SAMLSubject;
-import org.opensaml.SAMLSubjectStatement;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.signature.SignatureException;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.URIDereferencer;
@@ -57,11 +56,7 @@ import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignContext;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
-import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
-import javax.xml.crypto.dsig.keyinfo.KeyValue;
-import javax.xml.crypto.dsig.keyinfo.X509Data;
-import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
@@ -112,7 +107,7 @@ public class WSSecSignatureSAML extends
* @throws org.apache.ws.security.WSSecurityException
*/
public Document build(
- Document doc, Crypto uCrypto, SAMLAssertion assertion,
+ Document doc, Crypto uCrypto, AssertionWrapper assertion,
Crypto iCrypto, String iKeyName, String iKeyPW, WSSecHeader secHeader
) throws WSSecurityException {
@@ -194,7 +189,7 @@ public class WSSecSignatureSAML extends
* @throws WSSecurityException
*/
public void prepare(
- Document doc, Crypto uCrypto, SAMLAssertion assertion, Crypto iCrypto,
+ Document doc, Crypto uCrypto, AssertionWrapper assertion, Crypto iCrypto,
String iKeyName, String iKeyPW, WSSecHeader secHeader
) throws WSSecurityException {
@@ -217,30 +212,12 @@ public class WSSecSignatureSAML extends
// (includes Subject), then get the _first_ confirmation method only
// thats if "senderVouches" is true.
//
- SAMLSubjectStatement samlSubjS = null;
- Iterator<?> it = assertion.getStatements();
- while (it.hasNext()) {
- SAMLObject so = (SAMLObject) it.next();
- if (so instanceof SAMLSubjectStatement) {
- samlSubjS = (SAMLSubjectStatement) so;
- break;
- }
- }
- SAMLSubject samlSubj = null;
- if (samlSubjS != null) {
- samlSubj = samlSubjS.getSubject();
- }
- if (samlSubj == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "invalidSAMLToken", new Object[] { "for Signature" });
- }
-
String confirmMethod = null;
- it = samlSubj.getConfirmationMethods();
- if (it.hasNext()) {
- confirmMethod = (String) it.next();
+ List<String> methods = assertion.getConfirmationMethods();
+ if (methods != null && methods.size() > 0) {
+ confirmMethod = methods.get(0);
}
- if (SAMLSubject.CONF_SENDER_VOUCHES.equals(confirmMethod)) {
+ if (OpenSAMLUtil.isMethodSenderVouches(confirmMethod)) {
senderVouches = true;
}
//
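Review bot: The removed code threw `invalidSAMLToken` when the assertion had no Subject, whereas the new code lets an assertion with no confirmation method at all fall through with `confirmMethod` null and `senderVouches` false, which presumably then takes the holder-of-key path further down. Unless `OpenSAMLUtil.isMethodSenderVouches` is meant to reject null itself, a guard `if (confirmMethod == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLToken", new Object[] { "for Signature (no confirmation method)" }); }` restores the earlier failure mode. prepare() continues outside this hunk.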
@@ -270,47 +247,7 @@ public class WSSecSignatureSAML extends
new Object[] { "for SAML Signature (Key Holder)" }
);
}
- Element e = samlSubj.getKeyInfo();
- try {
- XMLStructure keyInfoStructure = new DOMStructure(e);
- KeyInfo keyInfo = keyInfoFactory.unmarshalKeyInfo(keyInfoStructure);
- List<?> list = keyInfo.getContent();
-
- for (int i = 0; i < list.size(); i++) {
- XMLStructure xmlStructure = (XMLStructure) list.get(i);
- if (xmlStructure instanceof KeyValue) {
- publicKey = ((KeyValue)xmlStructure).getPublicKey();
- break;
- } else if (xmlStructure instanceof X509Data) {
- List<?> x509Data = ((X509Data)xmlStructure).getContent();
- for (int j = 0; j < x509Data.size(); j++) {
- Object x509obj = x509Data.get(j);
- if (x509obj instanceof X509Certificate) {
- certs = new X509Certificate[1];
- certs[0] = (X509Certificate)x509obj;
- break;
- } else if (x509obj instanceof X509IssuerSerial) {
- String alias =
- userCrypto.getAliasForX509Cert(
- ((X509IssuerSerial)x509obj).getIssuerName(),
- ((X509IssuerSerial)x509obj).getSerialNumber()
- );
- certs = userCrypto.getCertificates(alias);
- break;
- }
- }
- }
- }
- // TODO: get alias name for cert, check against username set by
- // caller
- } catch (Exception e3) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "invalidSAMLsecurity",
- new Object[] { "cannot get certificate (key holder)" },
- e3
- );
- }
+ certs = userCrypto.getCertificates(user);
wsDocInfo.setCrypto(userCrypto);
}
if ((certs == null || certs.length == 0 || certs[0] == null)
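Review bot: `certs = userCrypto.getCertificates(user);` replaces the KeyInfo walk with a lookup by the locally configured alias, so the certificate used to sign the message is no longer derived from, or compared against, the key material in the assertion's SubjectConfirmation; the old `TODO: get alias name for cert, check against username set by caller` cross-check is dropped rather than implemented. A holder-of-key assertion signed with a key that does not match its own KeyInfo is either rejected by a conforming recipient or silently accepted by a lax one, and nothing here makes that mismatch visible at signing time. At minimum document the contract on `user`, e.g. `// Holder-of-key: "user" must be the alias of the key referenced by the assertion's SubjectConfirmation/KeyInfo; no cross-check is performed here`, and preferably compare `certs[0]` with the certificate or public key the assertion carries before signing. `user` is presumably a field of the enclosing class; its origin is not visible in this hunk, and prepare() continues past it.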
@@ -389,8 +326,14 @@ public class WSSecSignatureSAML extends
if (WSConstants.X509_KEY_IDENTIFIER == keyIdentifierType) {
Element keyId = doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
+ String valueType = null;
+ if (assertion.getSaml1() != null) {
+ valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE;
+ } else if (assertion.getSaml2() != null) {
+ valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE;
+ }
keyId.setAttributeNS(
- null, "ValueType", WSConstants.WSS_SAML_KI_VALUE_TYPE
+ null, "ValueType", valueType
);
keyId.appendChild(doc.createTextNode(assertion.getId()));
Element elem = secRefSaml.getElement();
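Review bot: `valueType` stays null when neither `assertion.getSaml1()` nor `assertion.getSaml2()` is set — a state the new AssertionWrapper(XMLObject) constructor only logs rather than rejects — and is then written via `keyId.setAttributeNS(null, "ValueType", valueType)`, yielding a KeyIdentifier with a missing or bogus ValueType instead of a failure. The same if/else-if block is repeated three more times in the two hunks below (the Reference and the second KeyIdentifier case), so the version-to-ValueType mapping belongs in one private helper, e.g. `private static String getValueType(AssertionWrapper assertion) throws WSSecurityException`, that throws `invalidSAMLToken` when neither assertion is present and is called from all four places. prepare() continues outside this hunk.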
@@ -398,7 +341,11 @@ public class WSSecSignatureSAML extends
} else {
Reference ref = new Reference(doc);
ref.setURI("#" + assertion.getId());
- ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ if (assertion.getSaml1() != null) {
+ ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ } else if (assertion.getSaml2() != null) {
+ ref.setValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
+ }
secRefSaml.setReference(ref);
}
wsDocInfo.addTokenElement(secRefSaml.getElement());
@@ -434,14 +381,24 @@ public class WSSecSignatureSAML extends
case WSConstants.BST_DIRECT_REFERENCE:
Reference ref = new Reference(doc);
ref.setURI("#" + assertion.getId());
- ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ if (assertion.getSaml1() != null) {
+ ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ } else if (assertion.getSaml2() != null) {
+ ref.setValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
+ }
secRef.setReference(ref);
break;
case WSConstants.X509_KEY_IDENTIFIER :
Element keyId = doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
+ String valueType = null;
+ if (assertion.getSaml1() != null) {
+ valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE;
+ } else if (assertion.getSaml2() != null) {
+ valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE;
+ }
keyId.setAttributeNS(
- null, "ValueType", WSConstants.WSS_SAML_KI_VALUE_TYPE
+ null, "ValueType", valueType
);
keyId.appendChild(doc.createTextNode(assertion.getId()));
Element elem = secRef.getElement();
@@ -462,9 +419,13 @@ public class WSSecSignatureSAML extends
try {
samlToken = (Element) assertion.toDOM(doc);
- } catch (SAMLException e2) {
+ } catch (MarshallingException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noSAMLdoc", null, ex
+ );
+ } catch (SignatureException ex) {
throw new WSSecurityException(
- WSSecurityException.FAILED_SIGNATURE, "noSAMLdoc", null, e2
+ WSSecurityException.FAILED_SIGNATURE, "noSAMLdoc", null, ex
);
}
wsDocInfo.addTokenElement(samlToken);
Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java?rev=1055456&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java Wed Jan 5 13:39:09 2011
@@ -0,0 +1,543 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.saml.ext;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
+import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
+
+import org.apache.ws.security.util.DOM2Writer;
+import org.apache.ws.security.util.UUIDGenerator;
+
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.common.SignableSAMLObject;
+import org.opensaml.saml1.core.AuthenticationStatement;
+import org.opensaml.saml1.core.AuthorizationDecisionStatement;
+import org.opensaml.saml1.core.ConfirmationMethod;
+import org.opensaml.saml1.core.Subject;
+import org.opensaml.saml1.core.SubjectConfirmation;
+import org.opensaml.saml1.core.SubjectStatement;
+import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.AuthzDecisionStatement;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.io.UnmarshallingException;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureException;
+import org.opensaml.xml.validation.ValidationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Class AssertionWrapper can generate, sign, and validate both SAML v1.1
+ * and SAML v2.0 assertions.
+ * <p/>
+ * Created on May 18, 2009
+ */
+public class AssertionWrapper {
+ /**
+ * Field log
+ */
+ private static final Log log = LogFactory.getLog(AssertionWrapper.class);
+
+ /**
+ * Raw SAML assertion data
+ */
+ private XMLObject xmlObject = null;
+
+ /**
+ * Typed SAML v1.1 assertion
+ */
+ private org.opensaml.saml1.core.Assertion saml1 = null;
+
+ /**
+ * Typed SAML v2.0 assertion
+ */
+ private org.opensaml.saml2.core.Assertion saml2 = null;
+
+ /**
+ * Which SAML specification to use (currently, only v1.1 and v2.0 are supported)
+ */
+ private SAMLVersion samlVersion;
+
+ /**
+ * Fully qualified class name of the SAML callback handler implementation to use.
+ * NOTE: Each application should provide a unique implementation of this
+ * <code>Callback</code> that is able to extract any dynamic data from the local
+ * environment that should be included in the generated SAML statements.
+ */
+ private CallbackHandler samlCallbackHandler = null;
+
+ /**
+ * Constructor AssertionWrapper creates a new AssertionWrapper instance.
+ *
+ * @param element of type Element
+ * @throws UnmarshallingException when
+ */
+ public AssertionWrapper(Element element) throws UnmarshallingException {
+ this(OpenSAMLUtil.fromDom(element));
+ }
+
+ /**
+ * Constructor AssertionWrapper creates a new AssertionWrapper instance.
+ *
+ * @param saml2 of type Assertion
+ */
+ public AssertionWrapper(org.opensaml.saml2.core.Assertion saml2) {
+ this((XMLObject) saml2);
+ }
+
+ /**
+ * Constructor AssertionWrapper creates a new AssertionWrapper instance.
+ *
+ * @param saml1 of type Assertion
+ */
+ public AssertionWrapper(org.opensaml.saml1.core.Assertion saml1) {
+ this((XMLObject) saml1);
+ }
+
+ /**
+ * Constructor AssertionWrapper creates a new AssertionWrapper instance.
+ * This is the primary constructor. All other constructor calls should
+ * be routed to this method to ensure that the wrapper is initialized
+ * correctly.
+ *
+ * @param xmlObject of type XMLObject
+ */
+ public AssertionWrapper(XMLObject xmlObject) {
+ this.xmlObject = xmlObject;
+ if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
+ this.saml1 = (org.opensaml.saml1.core.Assertion) xmlObject;
+ samlVersion = SAMLVersion.VERSION_11;
+ } else if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
+ this.saml2 = (org.opensaml.saml2.core.Assertion) xmlObject;
+ samlVersion = SAMLVersion.VERSION_20;
+ } else {
+ log.error(
+ "AssertionWrapper: found unexpected type "
+ + (xmlObject != null ? xmlObject.getClass().getName() : xmlObject)
+ );
+ }
+ }
+
+ /**
+ * Constructor AssertionWrapper creates a new AssertionWrapper instance.
+ * This constructor is primarily called on the client side to initialize
+ * the wrapper from a configuration file. <br>
+ * NOTE: The OpenSaml library MUST be initialized prior to constructing an AssertionWrapper
+ *
+ * @param parms of type SAMLParms
+ */
+ public AssertionWrapper(SAMLParms parms) {
+ OpenSAMLUtil.initSamlEngine();
+ // Set the SAML version
+ if (parms.getSamlVersion().equalsIgnoreCase("1.1")) {
+ samlVersion = SAMLVersion.VERSION_11;
+ } else if (parms.getSamlVersion().equalsIgnoreCase("2.0")) {
+ samlVersion = SAMLVersion.VERSION_20;
+ } else {
+ // Default to SAML v1.1
+ samlVersion = SAMLVersion.VERSION_11;
+ }
+
+ //
+ // Create the SAML callback that the handler will use to get the required data from the
+ // client application.
+ //
+ SAMLCallback[] samlCallbacks = new SAMLCallback[] { new SAMLCallback() };
+
+ try {
+ // Get the SAML source data using the currently configured callback implementation.
+ if (samlCallbackHandler == null) {
+ samlCallbackHandler = parms.getCallbackHandler();
+ }
+
+ samlCallbackHandler.handle(samlCallbacks);
+
+ } catch (IOException e) {
+ throw new IllegalStateException(
+ "IOException while creating SAML assertion wrapper", e
+ );
+ } catch (UnsupportedCallbackException e) {
+ throw new IllegalStateException(
+ "UnsupportedCallbackException while creating SAML assertion wrapper", e
+ );
+ }
+
+ if (samlVersion.equals(SAMLVersion.VERSION_11)) {
+ // Build a SAML v1.1 assertion
+ saml1 = SAML1ComponentBuilder.createSamlv1Assertion(parms.getIssuer());
+
+ // Process the SAML authentication statement(s)
+ List<AuthenticationStatement> authenticationStatements =
+ SAML1ComponentBuilder.createSamlv1AuthenticationStatement(
+ samlCallbacks[0].getAuthenticationStatementData()
+ );
+
+ // Process the SAML attribute statement(s)
+ List<org.opensaml.saml1.core.AttributeStatement> attributeStatements =
+ SAML1ComponentBuilder.createSamlv1AttributeStatement(
+ samlCallbacks[0].getAttributeStatementData()
+ );
+
+ // Process the SAML authorization decision statement(s)
+ List<org.opensaml.saml1.core.AuthorizationDecisionStatement> authDecisionStatements =
+ SAML1ComponentBuilder.createSamlv1AuthorizationDecisionStatement(
+ samlCallbacks[0].getAuthDecisionStatementData()
+ );
+
+ // Build the complete assertion
+ org.opensaml.saml1.core.Conditions conditions =
+ SAML1ComponentBuilder.createSamlv1Conditions(samlCallbacks[0].getConditions());
+ saml1.setConditions(conditions);
+
+ // Add the SAML authentication statement(s) (if any)
+ for (AuthenticationStatement authnStatement : authenticationStatements) {
+ saml1.getAuthenticationStatements().add(authnStatement);
+ }
+
+ // Add the SAML attribute statement(s) (if any)
+ for (org.opensaml.saml1.core.AttributeStatement attrStatement : attributeStatements) {
+ saml1.getAttributeStatements().add(attrStatement);
+ }
+
+ // Add the SAML authorization decision statement(s) (if any)
+ for (AuthorizationDecisionStatement authzStatement : authDecisionStatements) {
+ saml1.getAuthorizationDecisionStatements().add(authzStatement);
+ }
+
+ // Set the OpenSaml2 XMLObject instance
+ xmlObject = saml1;
+
+ } else if (samlVersion.equals(SAMLVersion.VERSION_20)) {
+ // Build a SAML v2.0 assertion
+ saml2 = SAML2ComponentBuilder.createAssertion();
+ Issuer issuer = SAML2ComponentBuilder.createIssuer(parms.getIssuer());
+ NameID nameID = SAML2ComponentBuilder.createNameID(samlCallbacks[0].getSubject());
+
+ // Authn Statement(s)
+ List<AuthnStatement> authnStatements =
+ SAML2ComponentBuilder.createAuthnStatement(
+ samlCallbacks[0].getAuthenticationStatementData()
+ );
+
+ // Attribute statement(s)
+ List<org.opensaml.saml2.core.AttributeStatement> attributeStatements =
+ SAML2ComponentBuilder.createAttributeStatement(
+ samlCallbacks[0].getAttributeStatementData()
+ );
+
+ // AuthzDecisionStatement(s)
+ List<AuthzDecisionStatement> authDecisionStatements =
+ SAML2ComponentBuilder.createAuthorizationDecisionStatement(
+ samlCallbacks[0].getAuthDecisionStatementData()
+ );
+
+ // Build the SAML v2.0 assertion
+ saml2.setIssuer(issuer);
+
+ org.opensaml.saml2.core.SubjectConfirmation subjectConfirmation =
+ SAML2ComponentBuilder.createSubjectConfirmation(
+ SAML2Constants.SBJ_CONFIRMATION_SENDER_VOUCHES
+ );
+ org.opensaml.saml2.core.Subject subject =
+ SAML2ComponentBuilder.createSubject(nameID, subjectConfirmation);
+ saml2.setSubject(subject);
+
+ org.opensaml.saml2.core.Conditions conditions =
+ SAML2ComponentBuilder.createConditions(samlCallbacks[0].getConditions());
+ saml2.setConditions(conditions);
+
+ // Add the SAML authentication statemnt(s) (if any)
+ for (AuthnStatement authnStatement : authnStatements) {
+ saml2.getAuthnStatements().add(authnStatement);
+ }
+
+ // Add the SAML attribute statemnt(s) (if any)
+ for (org.opensaml.saml2.core.AttributeStatement attributeStatement : attributeStatements) {
+ saml2.getAttributeStatements().add(attributeStatement);
+ }
+
+ // Add the SAML authorization decision statemnt(s) (if any)
+ for (AuthzDecisionStatement authorizationDecisionStatement : authDecisionStatements) {
+ saml2.getAuthzDecisionStatements().add(authorizationDecisionStatement);
+ }
+
+ // Set the OpenSaml2 XMLObject instance
+ xmlObject = saml2;
+ }
+ }
+
+ /**
+ * Method getSaml1 returns the saml1 of this AssertionWrapper object.
+ *
+ * @return the saml1 (type Assertion) of this AssertionWrapper object.
+ */
+ public org.opensaml.saml1.core.Assertion getSaml1() {
+ return saml1;
+ }
+
+ /**
+ * Method getSaml2 returns the saml2 of this AssertionWrapper object.
+ *
+ * @return the saml2 (type Assertion) of this AssertionWrapper object.
+ */
+ public org.opensaml.saml2.core.Assertion getSaml2() {
+ return saml2;
+ }
+
+ /**
+ * Method getXmlObject returns the xmlObject of this AssertionWrapper object.
+ *
+ * @return the xmlObject (type XMLObject) of this AssertionWrapper object.
+ */
+ public XMLObject getXmlObject() {
+ return xmlObject;
+ }
+
+ /**
+ * Method isCreated returns the created of this AssertionWrapper object.
+ *
+ * @return the created (type boolean) of this AssertionWrapper object.
+ */
+ public boolean isCreated() {
+ return saml1 != null || saml2 != null;
+ }
+
+
+ /**
+ * Create a DOM from the current XMLObject content. If the user-supplied doc is not null,
+ * reparent the returned Element so that it is compatible with the user-supplied document.
+ *
+ * @param doc of type Document
+ * @return Element
+ * @throws MarshallingException when
+ * @throws SignatureException when
+ */
+ public Element toDOM(Document doc) throws MarshallingException, SignatureException {
+ return OpenSAMLUtil.toDom(xmlObject, doc);
+ }
+
+ /**
+ * Method assertionToString ...
+ *
+ * @return String
+ * @throws MarshallingException when
+ * @throws SignatureException when
+ * @throws IOException when
+ */
+ public String assertionToString() throws MarshallingException, SignatureException {
+ Element element = toDOM(null);
+ return DOM2Writer.nodeToString(element);
+ }
+
+ /**
+ * Method getId returns the id of this AssertionWrapper object.
+ *
+ * @return the id (type String) of this AssertionWrapper object.
+ */
+ public String getId() {
+ String id = null;
+ if (saml2 != null) {
+ id = saml2.getID();
+ } else if (saml1 != null) {
+ id = saml1.getID();
+ } else {
+ log.error("AssertionWrapper: unable to return ID - no saml assertion object");
+ }
+ if (id == null || id.length() == 0) {
+ log.error("AssertionWrapper: ID was null, seeting a new ID value");
+ id = UUIDGenerator.getUUID();
+ if (saml2 != null) {
+ saml2.setID(id);
+ } else if (saml1 != null) {
+ saml1.setID(id);
+ }
+ }
+ return id;
+ }
+
+ /**
+ * Method getIssuerString returns the issuerString of this AssertionWrapper object.
+ *
+ * @return the issuerString (type String) of this AssertionWrapper object.
+ */
+ public String getIssuerString() {
+ if (saml2 != null && saml2.getIssuer() != null) {
+ return saml2.getIssuer().getValue();
+ } else if (saml1 != null) {
+ return saml1.getIssuer();
+ }
+ log.error(
+ "AssertionWrapper: unable to return Issuer string - no saml assertion "
+ + "object or issuer is null"
+ );
+ return null;
+ }
+
+ /**
+ * Method getConfirmationMethods returns the confirmationMethods of this
+ * AssertionWrapper object.
+ *
+ * @return the confirmationMethods of this AssertionWrapper object.
+ */
+ public List<String> getConfirmationMethods() {
+ List<String> methods = new ArrayList<String>();
+ if (saml2 != null) {
+ org.opensaml.saml2.core.Subject subject = saml2.getSubject();
+ List<org.opensaml.saml2.core.SubjectConfirmation> confirmations =
+ subject.getSubjectConfirmations();
+ for (org.opensaml.saml2.core.SubjectConfirmation confirmation : confirmations) {
+ methods.add(confirmation.getMethod());
+ }
+ } else if (saml1 != null) {
+ List<SubjectStatement> subjectStatements = new ArrayList<SubjectStatement>();
+ subjectStatements.addAll(saml1.getSubjectStatements());
+ subjectStatements.addAll(saml1.getAuthenticationStatements());
+ subjectStatements.addAll(saml1.getAttributeStatements());
+ subjectStatements.addAll(saml1.getAuthorizationDecisionStatements());
+ for (SubjectStatement subjectStatement : subjectStatements) {
+ Subject subject = subjectStatement.getSubject();
+ if (subject != null) {
+ SubjectConfirmation confirmation = subject.getSubjectConfirmation();
+ if (confirmation != null) {
+ XMLObject data = confirmation.getSubjectConfirmationData();
+ if (data instanceof ConfirmationMethod) {
+ ConfirmationMethod method = (ConfirmationMethod) data;
+ methods.add(method.getConfirmationMethod());
+ }
+ List<ConfirmationMethod> confirmationMethods =
+ confirmation.getConfirmationMethods();
+ for (ConfirmationMethod confirmationMethod : confirmationMethods) {
+ methods.add(confirmationMethod.getConfirmationMethod());
+ }
+ }
+ }
+ }
+ }
+ return methods;
+ }
+
+ /**
+ * Method isSigned returns the signed of this AssertionWrapper object.
+ *
+ * @return the signed (type boolean) of this AssertionWrapper object.
+ */
+ public boolean isSigned() {
+ if (saml2 != null) {
+ return saml2.isSigned() || saml2.getSignature() != null;
+ } else if (saml1 != null) {
+ return saml1.isSigned() || saml1.getSignature() != null;
+ }
+ return false;
+ }
+
+ /**
+ * Method setSignature sets the signature of this AssertionWrapper object.
+ *
+ * @param signature the signature of this AssertionWrapper object.
+ */
+ public void setSignature(Signature signature) {
+ if (xmlObject instanceof SignableSAMLObject) {
+ SignableSAMLObject signableObject = (SignableSAMLObject) xmlObject;
+ signableObject.setSignature(signature);
+ signableObject.releaseDOM();
+ signableObject.releaseChildrenDOM(true);
+ } else {
+ log.error("Attempt to sign an unsignable object " + xmlObject.getClass().getName());
+ }
+ }
+
+ /**
+ * Verify the signature of this assertion
+ *
+ * @throws ValidationException
+ */
+ public void verify() throws ValidationException {
+ SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
+ Signature sig = null;
+ if (saml2 != null && saml2.getSignature() != null) {
+ sig = saml2.getSignature();
+ } else if (saml1 != null && saml1.getSignature() != null) {
+ sig = saml1.getSignature();
+ }
+ if (sig != null) {
+ validator.validate(sig);
+ } else {
+ log.debug("AssertionWrapper: no signature to validate");
+ }
+ }
+
+ /**
+ * Method getSamlVersion returns the samlVersion of this AssertionWrapper object.
+ *
+ * @return the samlVersion (type SAMLVersion) of this AssertionWrapper object.
+ */
+ public SAMLVersion getSamlVersion() {
+ if (samlVersion == null) {
+ // Try to set the version.
+ log.debug("The SAML version was null in getSamlVersion(). Recomputing SAML version...");
+ if (saml1 != null && saml2 == null) {
+ samlVersion = SAMLVersion.VERSION_11;
+ } else if (saml1 == null && saml2 != null) {
+ samlVersion = SAMLVersion.VERSION_20;
+ } else {
+ // We are only supporting SAML v1.1 or SAML v2.0 at this time.
+ throw new IllegalStateException(
+ "Could not determine the SAML version number. Check your "
+ + "configuration and try again."
+ );
+ }
+ }
+ return samlVersion;
+ }
+
+ /**
+ * Method setSamlVersion sets the samlVersion of this AssertionWrapper object.
+ *
+ * @param samlVersion the samlVersion of this AssertionWrapper object.
+ */
+ public void setSamlVersion(SAMLVersion samlVersion) {
+ this.samlVersion = samlVersion;
+ }
+
+ /**
+ * Method setSamlCallbackHandler sets the samlCallbackHandler of this AssertionWrapper object.
+ *
+ * @param samlCallbackHandler the samlCallbackHandler of this AssertionWrapper object.
+ */
+ public void setSamlCallbackHandler(CallbackHandler samlCallbackHandler) {
+ this.samlCallbackHandler = samlCallbackHandler;
+ }
+
+}