├── .editorconfig ├── .gitignore ├── .travis.yml ├── CONTRIBUTING.md ├── LICENSE.txt ├── README.adoc ├── build.gradle ├── core ├── build.gradle └── src │ ├── main │ ├── java │ │ └── org │ │ │ ├── opensaml │ │ │ ├── PaosBootstrap.java │ │ │ ├── liberty │ │ │ │ ├── binding │ │ │ │ │ ├── decoding │ │ │ │ │ │ └── HTTPPAOS11Decoder.java │ │ │ │ │ └── encoding │ │ │ │ │ │ └── HTTPPAOS11Encoder.java │ │ │ │ └── paos │ │ │ │ │ ├── Request.java │ │ │ │ │ ├── Response.java │ │ │ │ │ └── impl │ │ │ │ │ ├── RequestBuilder.java │ │ │ │ │ ├── RequestImpl.java │ │ │ │ │ ├── RequestMarshaller.java │ │ │ │ │ ├── RequestUnmarshaller.java │ │ │ │ │ ├── ResponseBuilder.java │ │ │ │ │ ├── ResponseImpl.java │ │ │ │ │ ├── ResponseMarshaller.java │ │ │ │ │ └── ResponseUnmarshaller.java │ │ │ ├── saml2 │ │ │ │ └── binding │ │ │ │ │ └── decoding │ │ │ │ │ ├── HTTPArtifactDecoderImpl.java │ │ │ │ │ └── HTTPSOAP11DecoderImpl.java │ │ │ └── ws │ │ │ │ └── transport │ │ │ │ └── http │ │ │ │ ├── HttpClientInTransport.java │ │ │ │ ├── HttpClientOutTransport.java │ │ │ │ ├── LocationAwareInTransport.java │ │ │ │ └── httpclient │ │ │ │ └── OutputStreamRequestEntity.java │ │ │ └── springframework │ │ │ └── security │ │ │ ├── providers │ │ │ └── ExpiringUsernameAuthenticationToken.java │ │ │ └── saml │ │ │ ├── SAMLAuthenticationProvider.java │ │ │ ├── SAMLAuthenticationToken.java │ │ │ ├── SAMLBootstrap.java │ │ │ ├── SAMLConstants.java │ │ │ ├── SAMLCredential.java │ │ │ ├── SAMLDiscovery.java │ │ │ ├── SAMLEntryPoint.java │ │ │ ├── SAMLLogoutFilter.java │ │ │ ├── SAMLLogoutProcessingFilter.java │ │ │ ├── SAMLProcessingFilter.java │ │ │ ├── SAMLRelayStateSuccessHandler.java │ │ │ ├── SAMLStatusException.java │ │ │ ├── SAMLWebSSOHoKProcessingFilter.java │ │ │ ├── context │ │ │ ├── SAMLContextProvider.java │ │ │ ├── SAMLContextProviderImpl.java │ │ │ ├── SAMLContextProviderLB.java │ │ │ └── SAMLMessageContext.java │ │ │ ├── key │ │ │ ├── EmptyKeyManager.java │ │ │ ├── JKSKeyManager.java │ │ │ └── 
KeyManager.java │ │ │ ├── log │ │ │ ├── SAMLDefaultLogger.java │ │ │ ├── SAMLEmptyLogger.java │ │ │ └── SAMLLogger.java │ │ │ ├── metadata │ │ │ ├── AbstractMetadataDelegate.java │ │ │ ├── CachingMetadataManager.java │ │ │ ├── ExtendedMetadata.java │ │ │ ├── ExtendedMetadataDelegate.java │ │ │ ├── ExtendedMetadataProvider.java │ │ │ ├── MetadataDisplayFilter.java │ │ │ ├── MetadataGenerator.java │ │ │ ├── MetadataGeneratorFilter.java │ │ │ ├── MetadataManager.java │ │ │ └── MetadataMemoryProvider.java │ │ │ ├── parser │ │ │ ├── ParserPoolHolder.java │ │ │ ├── SAMLBase.java │ │ │ ├── SAMLCollection.java │ │ │ └── SAMLObject.java │ │ │ ├── processor │ │ │ ├── HTTPArtifactBinding.java │ │ │ ├── HTTPPAOS11Binding.java │ │ │ ├── HTTPPostBinding.java │ │ │ ├── HTTPRedirectDeflateBinding.java │ │ │ ├── HTTPSOAP11Binding.java │ │ │ ├── SAMLBinding.java │ │ │ ├── SAMLBindingImpl.java │ │ │ ├── SAMLProcessor.java │ │ │ └── SAMLProcessorImpl.java │ │ │ ├── storage │ │ │ ├── EmptyStorageFactory.java │ │ │ ├── HttpSessionStorage.java │ │ │ ├── HttpSessionStorageFactory.java │ │ │ ├── SAMLMessageStorage.java │ │ │ └── SAMLMessageStorageFactory.java │ │ │ ├── trust │ │ │ ├── AllowAllSignatureTrustEngine.java │ │ │ ├── CertPathPKIXTrustEvaluator.java │ │ │ ├── MetadataCredentialResolver.java │ │ │ ├── PKIXInformationResolver.java │ │ │ ├── UntrustedCertificateException.java │ │ │ ├── X509KeyManager.java │ │ │ ├── X509TrustManager.java │ │ │ └── httpclient │ │ │ │ ├── TLSProtocolConfigurer.java │ │ │ │ └── TLSProtocolSocketFactory.java │ │ │ ├── userdetails │ │ │ └── SAMLUserDetailsService.java │ │ │ ├── util │ │ │ ├── DefaultURLComparator.java │ │ │ ├── SAMLUtil.java │ │ │ └── VelocityFactory.java │ │ │ └── websso │ │ │ ├── AbstractProfileBase.java │ │ │ ├── ArtifactResolutionProfile.java │ │ │ ├── ArtifactResolutionProfileBase.java │ │ │ ├── ArtifactResolutionProfileImpl.java │ │ │ ├── SingleLogoutProfile.java │ │ │ ├── SingleLogoutProfileImpl.java │ │ │ ├── WebSSOProfile.java │ 
│ │ ├── WebSSOProfileConsumer.java │ │ │ ├── WebSSOProfileConsumerHoKImpl.java │ │ │ ├── WebSSOProfileConsumerImpl.java │ │ │ ├── WebSSOProfileECPImpl.java │ │ │ ├── WebSSOProfileHoKImpl.java │ │ │ ├── WebSSOProfileImpl.java │ │ │ └── WebSSOProfileOptions.java │ └── resources │ │ ├── liberty-paos-config.xml │ │ └── schema │ │ └── liberty-schema-paos-1.1.xsd │ └── test │ ├── java │ └── org │ │ ├── opensaml │ │ ├── common │ │ │ ├── BaseSAMLObjectProviderTestCase.java │ │ │ ├── BaseTestCase.java │ │ │ └── BootstrapHelper.java │ │ └── liberty │ │ │ ├── binding │ │ │ └── decoding │ │ │ │ └── HTTPPAOS11DecoderTest.java │ │ │ └── paos │ │ │ └── impl │ │ │ ├── RequestTest.java │ │ │ └── ResponseTest.java │ │ └── springframework │ │ └── security │ │ ├── providers │ │ └── ExpiringUsernameAuthenticationTokenTest.java │ │ └── saml │ │ ├── SAMLAuthenticationProviderTest.java │ │ ├── SAMLAuthenticationTokenTest.java │ │ ├── SAMLCredentialTest.java │ │ ├── SAMLEntryPointTest.java │ │ ├── SAMLLogoutFilterTest.java │ │ ├── SAMLLogoutProcessingFilterTest.java │ │ ├── SAMLProcessingFilterTest.java │ │ ├── SAMLRelayStateSuccessHandlerTest.java │ │ ├── SAMLTestHelper.java │ │ ├── context │ │ └── SAMLContextProviderImplTest.java │ │ ├── key │ │ └── JKSKeyManagerTest.java │ │ ├── metadata │ │ ├── MetadataGeneratorFilterTest.java │ │ ├── MetadataGeneratorTest.java │ │ ├── MetadataManagerSignaturesTest.java │ │ ├── MetadataManagerTest.java │ │ └── TestingFilesystemMetadataProvider.java │ │ ├── parser │ │ ├── SAMLCollectionTest.java │ │ └── SAMLObjectTest.java │ │ ├── processor │ │ └── SAMLProcessorImplTest.java │ │ ├── storage │ │ ├── HttpSessionStorageTest.java │ │ └── StorageFactoryTestImpl.java │ │ ├── trust │ │ └── UntrustedCertificateExceptionTest.java │ │ ├── util │ │ └── SAMLUtilTest.java │ │ └── websso │ │ ├── ArtifactResolutionProfileImplTest.java │ │ ├── WebSSOProfileConsumerImplTest.java │ │ ├── WebSSOProfileHoKImplTest.java │ │ ├── WebSSOProfileImplTest.java │ │ └── 
WebSSOProfileTestHelper.java │ └── resources │ ├── log4j.properties │ ├── message │ ├── SAMLResponse.xml │ └── SAMLResponseInvalidSignature.xml │ ├── org │ ├── opensaml │ │ └── liberty │ │ │ └── paos │ │ │ └── impl │ │ │ ├── Request.xml │ │ │ ├── RequestOptionalAttributes.xml │ │ │ ├── Response.xml │ │ │ └── ResponseOptionalAttributes.xml │ └── springframework │ │ └── security │ │ └── saml │ │ ├── SAMLEntryPointTest.xml │ │ ├── SAMLProcessingFilterTest.xml │ │ ├── context │ │ └── SAMLContextProviderImplTest.xml │ │ ├── key │ │ ├── JKSKeyManagerTest.xml │ │ └── keystore.jks │ │ ├── metadata │ │ ├── MetadataGeneratorTest.xml │ │ ├── MetadataManagerSignaturesTest.xml │ │ └── MetadataManagerTest.xml │ │ ├── processor │ │ └── SAMLProcessorImplTest.xml │ │ ├── trust │ │ └── UntrustedCertificateExceptionTest.xml │ │ └── websso │ │ ├── WebSSOProfileConsumerImplTest.xml │ │ ├── WebSSOProfileHoKImplTest.xml │ │ └── WebSSOProfileImplTest.xml │ ├── testIDP.xml │ ├── testIDPNoSSOBinding.xml │ ├── testIDPNoSigning.xml │ ├── testIDPnestedMetadata.xml │ ├── testResponse_01.xml │ ├── testSP.xml │ ├── testSP2.xml │ ├── testSPMissingDescriptor.xml │ ├── testSP_signed.xml │ ├── testSP_signed_ca.xml │ ├── testSP_signed_ca2.xml │ ├── testSP_signed_ca2_chain.xml │ └── testSP_signed_invalid.xml ├── docs ├── dist │ └── license.txt └── reference │ └── docbook │ ├── administration-ui.xml │ ├── configuration.xml │ ├── glossary.xml │ ├── idp-guide.xml │ ├── index.xml │ ├── introduction.xml │ ├── quick-start.xml │ ├── troubleshooting.xml │ └── whats-new.xml ├── gradle.properties ├── gradle ├── ide.gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── sample ├── build.gradle └── src │ └── main │ ├── java │ └── org │ │ └── springframework │ │ └── security │ │ └── saml │ │ └── web │ │ ├── MetadataController.java │ │ ├── MetadataForm.java │ │ └── MetadataValidator.java │ ├── resources │ ├── log4j.properties │ ├── metadata │ │ └── idp.xml │ └── 
security │ │ └── samlKeystore.jks │ └── webapp │ ├── WEB-INF │ ├── saml-servlet.xml │ ├── security │ │ ├── adminLogin.jsp │ │ ├── idpSelection.jsp │ │ ├── metadataGenerator.jsp │ │ ├── metadataList.jsp │ │ ├── metadataView.jsp │ │ └── providerView.jsp │ ├── securityContext.xml │ ├── templates │ │ ├── footer.jsp │ │ ├── head.jsp │ │ ├── navigation.jsp │ │ └── sidebar.jsp │ └── web.xml │ ├── css │ └── style.css │ ├── error.jsp │ ├── images │ ├── favicon.png │ ├── logo.png │ ├── main-two-columns-left.gif │ └── main-two-columns.gif │ ├── index.jsp │ └── logout.jsp └── settings.gradle /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig for Spring Security 2 | # see https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.md#mind-the-whitespace 3 | 4 | root = true 5 | 6 | [*] 7 | end_of_line = lf 8 | trim_trailing_whitespace = true 9 | insert_final_newline = true 10 | max_line_length = 120 11 | 12 | [*.java] 13 | indent_style = tab 14 | indent_size = 4 15 | charset = latin1 16 | continuation_indent_size = 4 17 | 18 | [*.xml] 19 | indent_style = tab 20 | indent_size = 4 21 | charset = latin1 22 | continuation_indent_size = 4 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /.idea 2 | /**/*.ipr 3 | /**/*.iws 4 | /**/*.iml 5 | /**/target 6 | build 7 | bin 8 | out 9 | .settings 10 | .classpath 11 | .project 12 | .gradle 13 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: java 2 | dist: trusty 3 | jdk: 4 | - oraclejdk8 5 | 6 | before_cache: 7 | - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock 8 | - rm -fr $HOME/.gradle/caches/*/plugin-resolution/ 9 | 10 | cache: 11 | directories: 12 | - $HOME/.gradle/caches/ 13 | - 
$HOME/.gradle/wrapper/

before_install:

install:

script:
  - ./gradlew test

after_success:

after_failure:
--------------------------------------------------------------------------------
/core/build.gradle:
--------------------------------------------------------------------------------
description = "Spring Security SAML v2 library"

dependencies {
    compile "org.springframework.security:spring-security-core:$springSecurityVersion",
            "org.springframework.security:spring-security-config:$springSecurityVersion",
            "org.slf4j:slf4j-api:$slf4jVersion"

    compile ("org.springframework.security:spring-security-web:$springSecurityVersion") {
        exclude group: "org.springframework", module: "spring-jdbc"
        exclude group: "org.springframework", module: "spring-tx"
    }

    // OpenSAML's transitive crypto / XML-security / SSL dependencies are excluded here and
    // re-declared below at explicitly pinned versions, so the versions named in
    // gradle.properties (not whatever OpenSAML was built against) decide what ends up on
    // the classpath.
    compile(group: "org.opensaml", name: "opensaml", version: "$openSamlVersion") {
        exclude(module: 'bcprov-jdk15on')
        exclude(group: 'org.slf4j', module: 'log4j-over-slf4j')
        exclude(group: 'org.slf4j', module: 'jcl-over-slf4j')
        exclude(group: 'org.slf4j', module: 'jul-to-slf4j')
        exclude(group: 'org.owasp.esapi', module: 'esapi')
        exclude(group: 'ca.juliusdavies', module: 'not-yet-commons-ssl')
        exclude(group: "org.apache.velocity", module: 'velocity')
    }
    // Pinned replacements for the exclusions above. bcprov/bcpkix and xmlsec are the
    // XML-signature and crypto surface of this library: treat their versions as
    // security-sensitive when refreshing dependencies.
    // NOTE(review): velocity-engine-core is a literal version, unlike the placeholders used
    // for the others, so it is easy to miss in a version sweep.
    compile group: 'org.apache.velocity', name: 'velocity-engine-core', version: '2.0'
    compile group:'org.bouncycastle', name:'bcprov-jdk15on', version: "$bcprovVersion"
    compile group:'org.bouncycastle', name:'bcpkix-jdk15on', version: "$bcpkixVersion"
    compile group: 'org.apache.santuario', name: 'xmlsec', version: "$openSamlXmlSec"
    // ESAPI is taken with most of its own transitive tree pruned; xalan is re-added
    // below at a pinned version.
    compile (group:'org.owasp.esapi', name:'esapi', version: "$esapiVersion") {
        exclude(group: 'org.beanshell', module: 'bsh-core')
        exclude(group: 'xalan', module: 'xalan')
        exclude(group: 'xom', module: 'xom')
        exclude(group: 'log4j', module: 'log4j')
        exclude(group: 'commons-configuration', module: 'commons-configuration')
        exclude(group: 'commons-beanutils', module: 'commons-beanutils-core')
        exclude(group: 'commons-fileupload', module: 'commons-fileupload')
        exclude(group: 'org.owasp.antisamy', module: 'antisamy')
        exclude(group: 'org.apache.xmlgraphics', module: 'batik-css')
    }
    compile group: 'xalan', name: 'xalan', version:"$xalanVersion"
    // Replacement for the excluded not-yet-commons-ssl. Also a literal version rather than
    // a gradle.properties placeholder -- see the note on velocity above.
    compile group: "com.narupley", name: "not-going-to-be-commons-ssl", version: "0.3.20"
    compile group: "xml-apis", name: "xml-apis", version: "$xmlApisVersion"

    // `provided`: compiled against, not packaged with the library.
    provided "javax.servlet:javax.servlet-api:3.0.1"

    testCompile "org.slf4j:slf4j-simple:$slf4jVersion",
            "org.easymock:easymock:3.5.1",
            "junit:junit:4.12",
            "commons-logging:commons-logging:1.2",
            "xmlunit:xmlunit:1.6"
    testCompile ("org.springframework:spring-test:$springVersion") {
        exclude group: "commons-logging", module: "commons-logging"
    }
}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/PaosBootstrap.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml;

import org.opensaml.xml.ConfigurationException;

/**
 * OpenSAML bootstrap that additionally registers the Liberty PAOS binding objects.
 * Call {@link #bootstrap()} once before any PAOS message is built or parsed.
 */
public class PaosBootstrap extends DefaultBootstrap {

    /** Classpath location of the XMLTooling configuration describing the PAOS objects. */
    private static final String[] PAOS_XMLTOOLING_CONFIGS = { "/liberty-paos-config.xml" };

    /**
     * Runs the standard OpenSAML bootstrap and then loads the PAOS XMLTooling
     * configuration on top of it. Synchronized on the class, as in the parent.
     *
     * @throws ConfigurationException if either initialisation step fails
     */
    public static synchronized void bootstrap() throws ConfigurationException {
        DefaultBootstrap.bootstrap();
        DefaultBootstrap.initializeXMLTooling(PAOS_XMLTOOLING_CONFIGS);
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/binding/decoding/HTTPPAOS11Decoder.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
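 */

package org.opensaml.liberty.binding.decoding;

import java.util.ArrayList;
import java.util.List;

import javax.xml.namespace.QName;

import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPSOAP11Decoder;
import org.opensaml.saml2.ecp.RelayState;
import org.opensaml.saml2.ecp.impl.RelayStateImpl;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.ParserPool;

/**
 * Decoder for the PAOS (reverse SOAP) binding: the plain SOAP 1.1 decoder plus two
 * PAOS-specific behaviours. The {@code paos:Response} SOAP header is declared as
 * understood, so a {@code mustUnderstand} flag on it does not fail decoding, and an
 * {@code ecp:RelayState} SOAP header, when exactly one is present, is copied into the
 * message context.
 */
public class HTTPPAOS11Decoder extends HTTPSOAP11Decoder {

    /** Creates a decoder using the parent's default parser pool. */
    public HTTPPAOS11Decoder() {
        super();
        initUnderstoodHeaders();
    }

    /**
     * Creates a decoder backed by the given parser pool.
     *
     * @param pool parser pool used to parse the inbound envelope
     */
    public HTTPPAOS11Decoder(ParserPool pool) {
        super(pool);
        initUnderstoodHeaders();
    }

    /** Registers {@code paos:Response} as the one SOAP header this decoder understands. */
    private void initUnderstoodHeaders() {
        QName paosResponse = new QName(SAMLConstants.PAOS_NS, "Response", SAMLConstants.PAOS_PREFIX);

        List<QName> headerNames = new ArrayList<QName>();
        headerNames.add(paosResponse);

        setUnderstoodHeaders(headerNames);
    }

    /**
     * Decodes the inbound SOAP envelope through the parent decoder, then looks for an
     * {@code ecp:RelayState} header and stores its value in the context.
     *
     * Security: the relay state is lifted verbatim from the inbound, client-supplied
     * message. It is untrusted input -- anything that later consumes it (for example
     * as a post-login redirect target) must validate it; nothing here does.
     *
     * Fix: an envelope without a SOAP {@code Header} previously hit a
     * {@code NullPointerException} on {@code getHeader().getUnknownXMLObjects(...)}; such
     * an envelope simply carries no relay state, so it is now left unset.
     *
     * @param messageContext context holding the inbound message; must be a
     *            {@link SAMLMessageContext} whose inbound message is a SOAP {@link Envelope}
     * @throws MessageDecodingException propagated from the parent decoder
     */
    @Override
    protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
        super.doDecode(messageContext);

        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
        Envelope soapMessage = (Envelope) samlMsgCtx.getInboundMessage();

        // No envelope or no Header block: there is nothing to extract, and dereferencing
        // a missing Header is what used to throw.
        if (soapMessage == null || soapMessage.getHeader() == null) {
            return;
        }

        QName relayStateName = new QName(SAMLConstants.SAML20ECP_NS,
                RelayState.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20ECP_PREFIX);
        List<XMLObject> relayStateHeader = soapMessage.getHeader().getUnknownXMLObjects(relayStateName);

        // Exactly one RelayState header is honoured. Zero or several leave the context
        // untouched rather than guessing which of the client's values was meant.
        if (relayStateHeader.size() == 1 && relayStateHeader.get(0) instanceof RelayStateImpl) {
            samlMsgCtx.setRelayState(((RelayStateImpl) relayStateHeader.get(0)).getValue());
        }
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/Request.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos;

import javax.xml.namespace.QName;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.ws.soap.soap11.ActorBearing;
import org.opensaml.ws.soap.soap11.MustUnderstandBearing;

/**
 * Liberty Alliance PAOS Request header ({@code paos:Request}).
 *
 * Carries the three PAOS attributes plus the SOAP 1.1 {@code mustUnderstand} and
 * {@code actor} attributes. {@code responseConsumerURL} names where the client is meant
 * to deliver the eventual response; in the ECP profile the client is expected to compare
 * it against the URL the IdP returns and abort on mismatch. This interface only carries
 * the values -- no validation of the URL, service or message identifier happens here.
 */
public interface Request extends SAMLObject, MustUnderstandBearing,
        ActorBearing {

    /** Element local name. */
    public static final String DEFAULT_ELEMENT_LOCAL_NAME = "Request";

    /** Default element name. */
    public static final QName DEFAULT_ELEMENT_NAME =
            new QName(SAMLConstants.PAOS_NS, DEFAULT_ELEMENT_LOCAL_NAME,
                    SAMLConstants.PAOS_PREFIX);

    /** Local name of the XSI type. */
    public static final String TYPE_LOCAL_NAME = "RequestType";

    /** QName of the XSI type. */
    public static final QName TYPE_NAME =
            new QName(SAMLConstants.PAOS_NS, TYPE_LOCAL_NAME, SAMLConstants.PAOS_PREFIX);

    /** responseConsumerURL attribute name. */
    public static final String RESPONSE_CONSUMER_URL_ATTRIB_NAME = "responseConsumerURL";

    /** service attribute name. */
    public static final String SERVICE_ATTRIB_NAME = "service";

    /** messageID attribute name. */
    public static final String MESSAGE_ID_ATTRIB_NAME = "messageID";

    /**
     * Get the responseConsumerURL attribute value.
     *
     * @return the responseConsumerURL attribute value
     */
    public String getResponseConsumerURL();

    /**
     * Set the responseConsumerURL attribute value.
     *
     * @param newResponseConsumerURL the new responseConsumerURL attribute value
     */
    public void setResponseConsumerURL(String newResponseConsumerURL);

    /**
     * Get the service attribute value.
     *
     * @return the service attribute value
     */
    public String getService();

    /**
     * Set the service attribute value.
     *
     * @param newService the new service attribute value
     */
    public void setService(String newService);

    /**
     * Get the messageID attribute value.
     *
     * @return the messageID attribute value
     */
    public String getMessageID();

    /**
     * Set the messageID attribute value.
     *
     * @param newMessageID the new messageID attribute value
     */
    public void setMessageID(String newMessageID);

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/Response.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2011 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.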
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos;

import javax.xml.namespace.QName;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.ws.soap.soap11.ActorBearing;
import org.opensaml.ws.soap.soap11.MustUnderstandBearing;

/**
 * Liberty Alliance PAOS Response header ({@code paos:Response}).
 *
 * The only PAOS attribute is {@code refToMessageID}, which is intended to echo the
 * {@code messageID} of the {@code paos:Request} it answers. The interface merely carries
 * the value; whoever consumes the header is responsible for checking that it matches a
 * message identifier this side actually issued.
 */
public interface Response extends SAMLObject, MustUnderstandBearing,
        ActorBearing {

    /** Element local name. */
    public static final String DEFAULT_ELEMENT_LOCAL_NAME = "Response";

    /** Default element name. */
    public static final QName DEFAULT_ELEMENT_NAME =
            new QName(SAMLConstants.PAOS_NS, DEFAULT_ELEMENT_LOCAL_NAME,
                    SAMLConstants.PAOS_PREFIX);

    /** Local name of the XSI type. */
    public static final String TYPE_LOCAL_NAME = "ResponseType";

    /** QName of the XSI type. */
    public static final QName TYPE_NAME =
            new QName(SAMLConstants.PAOS_NS, TYPE_LOCAL_NAME, SAMLConstants.PAOS_PREFIX);

    /** refToMessageID attribute name. */
    public static final String REF_TO_MESSAGE_ID_ATTRIB_NAME = "refToMessageID";

    /**
     * Get the refToMessageID attribute value.
     *
     * @return the refToMessageID attribute value, or null when the attribute is absent
     */
    public String getRefToMessageID();

    /**
     * Set the refToMessageID attribute value.
     *
     * @param newRefToMessageID the new refToMessageID attribute value
     */
    public void setRefToMessageID(String newRefToMessageID);

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/RequestBuilder.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import org.opensaml.common.impl.AbstractSAMLObjectBuilder;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.liberty.paos.Request;

/**
 * Builder producing {@link RequestImpl} instances for the {@code paos:Request} header.
 */
public class RequestBuilder extends AbstractSAMLObjectBuilder {

    /** Creates the builder; it holds no state. */
    public RequestBuilder() {
    }

    /**
     * Builds a {@link Request} with the default PAOS element name and prefix.
     *
     * @return a new, empty request header
     */
    @Override
    public Request buildObject() {
        return buildObject(SAMLConstants.PAOS_NS, Request.DEFAULT_ELEMENT_LOCAL_NAME,
                SAMLConstants.PAOS_PREFIX);
    }

    /**
     * Builds a {@link Request} under the given element name.
     *
     * @param namespaceURI namespace of the element
     * @param localName local name of the element
     * @param namespacePrefix prefix to use for the namespace
     * @return a new, empty request header
     */
    @Override
    public Request buildObject(String namespaceURI, String localName, String namespacePrefix) {
        return new RequestImpl(namespaceURI, localName, namespacePrefix);
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/RequestMarshaller.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import org.opensaml.common.impl.AbstractSAMLObjectMarshaller;
import org.opensaml.liberty.paos.Request;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/**
 * Marshaller for instances of {@link Request}.
 */
public class RequestMarshaller extends AbstractSAMLObjectMarshaller {

    /**
     * Writes the attributes of a {@code paos:Request} onto its DOM element.
     * Only attributes with a non-null value are emitted, in this order:
     * responseConsumerURL, service, messageID, soap11:mustUnderstand, soap11:actor.
     * The three PAOS attributes are unqualified; the two SOAP ones are written through
     * {@link XMLHelper#marshallAttribute} with their namespaced names. Values go out
     * exactly as stored -- nothing is validated or escaped beyond what the DOM does.
     *
     * @param xmlObject the {@link Request} being marshalled
     * @param domElement element receiving the attributes
     * @throws MarshallingException declared for the contract; not thrown by this body
     */
    protected void marshallAttributes(XMLObject xmlObject, Element domElement)
            throws MarshallingException {
        Request request = (Request) xmlObject;

        String consumerUrl = request.getResponseConsumerURL();
        if (consumerUrl != null) {
            domElement.setAttributeNS(null, Request.RESPONSE_CONSUMER_URL_ATTRIB_NAME, consumerUrl);
        }

        String service = request.getService();
        if (service != null) {
            domElement.setAttributeNS(null, Request.SERVICE_ATTRIB_NAME, service);
        }

        String messageId = request.getMessageID();
        if (messageId != null) {
            domElement.setAttributeNS(null, Request.MESSAGE_ID_ATTRIB_NAME, messageId);
        }

        if (request.isSOAP11MustUnderstandXSBoolean() != null) {
            String mustUnderstand = request.isSOAP11MustUnderstandXSBoolean().toString();
            XMLHelper.marshallAttribute(Request.SOAP11_MUST_UNDERSTAND_ATTR_NAME,
                    mustUnderstand, domElement, false);
        }

        String actor = request.getSOAP11Actor();
        if (actor != null) {
            XMLHelper.marshallAttribute(Request.SOAP11_ACTOR_ATTR_NAME, actor, domElement, false);
        }
    }
}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/RequestUnmarshaller.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import javax.xml.namespace.QName;

import org.opensaml.common.impl.AbstractSAMLObjectUnmarshaller;
import org.opensaml.liberty.paos.Request;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.schema.XSBooleanValue;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Attr;

/**
 * Unmarshaller for instances of {@link Request}.
 */
public class RequestUnmarshaller extends AbstractSAMLObjectUnmarshaller {

    /**
     * Copies one DOM attribute of a {@code paos:Request} element into the {@link Request}.
     * The two SOAP attributes are matched by full QName; the PAOS attributes
     * (responseConsumerURL, service, messageID) are matched by local name only, so any
     * namespace on them is ignored. Anything else is handed to the parent unmarshaller.
     * Values are stored as-is: the URL and identifiers are not validated here, so
     * consumers must treat them as untrusted input.
     *
     * @param samlObject the {@link Request} being populated
     * @param attribute the DOM attribute to process
     * @throws UnmarshallingException propagated from the parent for unrecognised attributes
     */
    protected void processAttribute(XMLObject samlObject, Attr attribute)
            throws UnmarshallingException {
        Request request = (Request) samlObject;

        QName qualifiedName = XMLHelper.getNodeQName(attribute);
        String localName = attribute.getLocalName();
        String value = attribute.getValue();

        if (Request.SOAP11_MUST_UNDERSTAND_ATTR_NAME.equals(qualifiedName)) {
            request.setSOAP11MustUnderstand(XSBooleanValue.valueOf(value));
            return;
        }
        if (Request.SOAP11_ACTOR_ATTR_NAME.equals(qualifiedName)) {
            request.setSOAP11Actor(value);
            return;
        }

        if (Request.RESPONSE_CONSUMER_URL_ATTRIB_NAME.equals(localName)) {
            request.setResponseConsumerURL(value);
        } else if (Request.SERVICE_ATTRIB_NAME.equals(localName)) {
            request.setService(value);
        } else if (Request.MESSAGE_ID_ATTRIB_NAME.equals(localName)) {
            request.setMessageID(value);
        } else {
            super.processAttribute(samlObject, attribute);
        }
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/ResponseBuilder.java:
--------------------------------------------------------------------------------
/*
 *
Copyright 2011 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import org.opensaml.common.impl.AbstractSAMLObjectBuilder;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.liberty.paos.Response;

/**
 * Builder producing {@link ResponseImpl} instances for the {@code paos:Response} header.
 */
public class ResponseBuilder extends AbstractSAMLObjectBuilder {

    /** Creates the builder; it holds no state. */
    public ResponseBuilder() {
    }

    /**
     * Builds a {@link Response} with the default PAOS element name and prefix.
     *
     * @return a new, empty response header
     */
    @Override
    public Response buildObject() {
        return buildObject(SAMLConstants.PAOS_NS, Response.DEFAULT_ELEMENT_LOCAL_NAME,
                SAMLConstants.PAOS_PREFIX);
    }

    /**
     * Builds a {@link Response} under the given element name.
     *
     * @param namespaceURI namespace of the element
     * @param localName local name of the element
     * @param namespacePrefix prefix to use for the namespace
     * @return a new, empty response header
     */
    @Override
    public Response buildObject(String namespaceURI, String localName,
            String namespacePrefix) {
        return new ResponseImpl(namespaceURI, localName, namespacePrefix);
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/ResponseImpl.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2011 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import java.util.List;

import org.opensaml.common.impl.AbstractSAMLObject;
import org.opensaml.liberty.paos.Response;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.schema.XSBooleanValue;

/**
 * Concrete {@code paos:Response} header: three attribute-backed fields and no child
 * elements. All setters go through {@code prepareForAssignment} so the DOM cache is
 * invalidated when a value changes.
 */
public class ResponseImpl extends AbstractSAMLObject implements Response {

    /** refToMessageID attribute; null when not set. */
    private String refToMessageID;

    /** soap11:actor attribute; null when not set. */
    private String soap11Actor;

    /** soap11:mustUnderstand attribute; null when not set. */
    private XSBooleanValue soap11MustUnderstand;

    /**
     * Constructor.
     *
     * @param namespaceURI the namespace the element is in
     * @param elementLocalName the local name of the XML element this Object represents
     * @param namespacePrefix the prefix for the given namespace
     */
    protected ResponseImpl(String namespaceURI, String elementLocalName,
            String namespacePrefix) {
        super(namespaceURI, elementLocalName, namespacePrefix);
    }

    /** {@inheritDoc} */
    public String getRefToMessageID() {
        return refToMessageID;
    }

    /** {@inheritDoc} */
    public void setRefToMessageID(String newRefToMessageID) {
        refToMessageID = prepareForAssignment(refToMessageID, newRefToMessageID);
    }

    /** {@inheritDoc} -- the header carries attributes only, so there are no children. */
    public List<XMLObject> getOrderedChildren() {
        return null;
    }

    /** {@inheritDoc} -- FALSE when the attribute was never set. */
    public Boolean isSOAP11MustUnderstand() {
        return soap11MustUnderstand == null ? Boolean.FALSE : soap11MustUnderstand.getValue();
    }

    /** {@inheritDoc} */
    public XSBooleanValue isSOAP11MustUnderstandXSBoolean() {
        return soap11MustUnderstand;
    }

    /** {@inheritDoc} -- a null clears the attribute; otherwise it is wrapped in a numeric (1/0) XSBooleanValue. */
    public void setSOAP11MustUnderstand(Boolean newMustUnderstand) {
        XSBooleanValue wrapped = (newMustUnderstand == null)
                ? null
                : new XSBooleanValue(newMustUnderstand, true);
        soap11MustUnderstand = prepareForAssignment(soap11MustUnderstand, wrapped);
    }

    /** {@inheritDoc} */
    public void setSOAP11MustUnderstand(XSBooleanValue newMustUnderstand) {
        soap11MustUnderstand = prepareForAssignment(soap11MustUnderstand, newMustUnderstand);
    }

    /** {@inheritDoc} */
    public String getSOAP11Actor() {
        return soap11Actor;
    }

    /** {@inheritDoc} */
    public void setSOAP11Actor(String newActor) {
        soap11Actor = prepareForAssignment(soap11Actor, newActor);
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/ResponseMarshaller.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2011 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import org.opensaml.common.impl.AbstractSAMLObjectMarshaller;
import org.opensaml.liberty.paos.Response;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/**
 * Marshaller for instances of {@link Response}. Only the three attributes
 * of the element are written; the element has no children.
 */
public class ResponseMarshaller extends AbstractSAMLObjectMarshaller {

    /**
     * Writes refToMessageID, soap11:mustUnderstand and soap11:actor onto the
     * DOM element, each only when it is set on the object.
     *
     * @param xmlObject  the {@link Response} being marshalled
     * @param domElement target element
     * @throws MarshallingException propagated from the helper calls
     */
    protected void marshallAttributes(XMLObject xmlObject, Element domElement)
            throws MarshallingException {
        Response response = (Response) xmlObject;

        // refToMessageID is an unqualified attribute, hence the null namespace.
        String refToMessageID = response.getRefToMessageID();
        if (refToMessageID != null) {
            domElement.setAttributeNS(null, Response.REF_TO_MESSAGE_ID_ATTRIB_NAME, refToMessageID);
        }

        // Both SOAP attributes are namespace-qualified and go through XMLHelper.
        if (response.isSOAP11MustUnderstandXSBoolean() != null) {
            String mustUnderstand = response.isSOAP11MustUnderstandXSBoolean().toString();
            XMLHelper.marshallAttribute(Response.SOAP11_MUST_UNDERSTAND_ATTR_NAME,
                    mustUnderstand, domElement, false);
        }

        String actor = response.getSOAP11Actor();
        if (actor != null) {
            XMLHelper.marshallAttribute(Response.SOAP11_ACTOR_ATTR_NAME, actor, domElement, false);
        }
    }
}

--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/liberty/paos/impl/ResponseUnmarshaller.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2011 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

package org.opensaml.liberty.paos.impl;

import javax.xml.namespace.QName;

import org.opensaml.common.impl.AbstractSAMLObjectUnmarshaller;
import org.opensaml.liberty.paos.Response;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.schema.XSBooleanValue;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Attr;

/**
 * Unmarshaller for instances of {@link Response}. Reads the three attributes
 * the element may carry; anything else is left to the superclass.
 */
public class ResponseUnmarshaller extends AbstractSAMLObjectUnmarshaller {

    /**
     * Maps one DOM attribute onto the {@link Response}.
     *
     * The two SOAP attributes are matched by qualified name; refToMessageID is
     * unqualified and is therefore matched by local name only. Unrecognised
     * attributes are handed to the superclass.
     *
     * @param samlObject the {@link Response} being populated
     * @param attribute  attribute read from the DOM
     * @throws UnmarshallingException propagated from the superclass
     */
    protected void processAttribute(XMLObject samlObject, Attr attribute)
            throws UnmarshallingException {
        Response response = (Response) samlObject;
        QName qualifiedName = XMLHelper.getNodeQName(attribute);
        String value = attribute.getValue();

        if (Response.SOAP11_MUST_UNDERSTAND_ATTR_NAME.equals(qualifiedName)) {
            response.setSOAP11MustUnderstand(XSBooleanValue.valueOf(value));
            return;
        }
        if (Response.SOAP11_ACTOR_ATTR_NAME.equals(qualifiedName)) {
            response.setSOAP11Actor(value);
            return;
        }
        if (Response.REF_TO_MESSAGE_ID_ATTRIB_NAME.equals(attribute.getLocalName())) {
            response.setRefToMessageID(value);
            return;
        }
        super.processAttribute(samlObject, attribute);
    }
}

--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/saml2/binding/decoding/HTTPSOAP11DecoderImpl.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Vladimir Schaefer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.opensaml.saml2.binding.decoding;

import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.http.HttpClientInTransport;
import org.opensaml.ws.transport.http.LocationAwareInTransport;
import org.opensaml.xml.parse.ParserPool;

/**
 * Custom implementation of the decoder which takes into account user HTTPInput method
 * for determining correct expected URI.
 *
 * Two hooks of the parent decoder are adjusted: the receiver endpoint is read from
 * a {@link LocationAwareInTransport} when one is in use, and the Destination
 * comparison is skipped when the message carries no Destination at all.
 */
public class HTTPSOAP11DecoderImpl extends HTTPSOAP11Decoder {

    /**
     * @param pool parser pool handed to the parent decoder
     */
    public HTTPSOAP11DecoderImpl(ParserPool pool) {
        super(pool);
    }

    /**
     * Returns the address the message was received at. Transports that know
     * their own location (e.g. {@link HttpClientInTransport}) report it
     * directly; otherwise the parent's derivation is used.
     *
     * @param messageContext context holding the inbound transport
     * @return receiver endpoint URI
     * @throws MessageDecodingException propagated from the parent
     */
    @Override
    protected String getActualReceiverEndpointURI(SAMLMessageContext messageContext) throws MessageDecodingException {
        InTransport transport = messageContext.getInboundMessageTransport();
        if (!(transport instanceof LocationAwareInTransport)) {
            return super.getActualReceiverEndpointURI(messageContext);
        }
        LocationAwareInTransport located = (LocationAwareInTransport) transport;
        return located.getLocalAddress();
    }

    /**
     * In case message destination is set (was included in the message) check is made against the endpoint. Otherwise
     * always passes.
     *
     * Note that a message without a Destination therefore receives no endpoint
     * check at all from this method; when one is present the parent's comparison
     * decides.
     *
     * @param messageDestination destination from the SAML message
     * @param receiverEndpoint endpoint address
     * @return true if the endpoints are equivalent, false otherwise
     */
    @Override
    protected boolean compareEndpointURIs(String messageDestination, String receiverEndpoint) throws MessageDecodingException {
        // Message destination is not obligatory
        if (messageDestination == null) {
            return true;
        }
        return super.compareEndpointURIs(messageDestination, receiverEndpoint);
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/ws/transport/http/HttpClientInTransport.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Mandus Elfving
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.opensaml.ws.transport.http;

import org.apache.commons.httpclient.methods.PostMethod;
import org.opensaml.xml.security.credential.Credential;

import java.io.IOException;
import java.io.InputStream;
import java.util.List;

/**
 * Implementation of HTTPInTransport delegating to a HTTPClient postMethod object.
*
 * Only the response body, its character set, the HTTP method name and the
 * status code are taken from the PostMethod. Everything else — peer address,
 * headers, parameters, credentials and the authenticated / confidential /
 * integrity-protected flags — is reported as absent or false, regardless of
 * the connection the PostMethod actually used. Policy rules that consult those
 * flags therefore cannot learn anything about the underlying connection from
 * this adapter.
 *
 * @author Mandus Elfving, Vladimir Schafer
 */
public class HttpClientInTransport implements HTTPInTransport, LocationAwareInTransport {

    private final PostMethod postMethod;
    private final String endpointURI;

    /**
     * @param postMethod  executed request whose response is exposed
     * @param endpointURI address the request was sent to, reported as the local address
     */
    public HttpClientInTransport(PostMethod postMethod, String endpointURI) {
        this.postMethod = postMethod;
        this.endpointURI = endpointURI;
    }

    // ---- location ---------------------------------------------------------

    /** @return the endpoint URI given at construction */
    public String getLocalAddress() {
        return endpointURI;
    }

    /** @return always null; the peer address is not tracked */
    public String getPeerAddress() {
        return null;
    }

    /** @return always null; the peer domain name is not tracked */
    public String getPeerDomainName() {
        return null;
    }

    // ---- payload ----------------------------------------------------------

    /**
     * @return the response body stream, or null when HttpClient fails to open
     *         it — the IOException is swallowed, so callers must expect null
     */
    public InputStream getIncomingStream() {
        InputStream body;
        try {
            body = postMethod.getResponseBodyAsStream();
        } catch (IOException ioe) {
            body = null;
        }
        return body;
    }

    /** @return the response character set as reported by HttpClient */
    public String getCharacterEncoding() {
        return postMethod.getResponseCharSet();
    }

    /** @return always null; transport attributes are not supported */
    public Object getAttribute(String s) {
        return null;
    }

    // ---- security properties (none are propagated) ------------------------

    /** @return always null */
    public Credential getLocalCredential() {
        return null;
    }

    /** @return always null */
    public Credential getPeerCredential() {
        return null;
    }

    /** @return always false */
    public boolean isAuthenticated() {
        return false;
    }

    /** No-op; the flag cannot be set. */
    public void setAuthenticated(boolean b) {
        // intentionally empty
    }

    /** @return always false */
    public boolean isConfidential() {
        return false;
    }

    /** No-op; the flag cannot be set. */
    public void setConfidential(boolean b) {
        // intentionally empty
    }

    /** @return always false */
    public boolean isIntegrityProtected() {
        return false;
    }

    /** No-op; the flag cannot be set. */
    public void setIntegrityProtected(boolean b) {
        // intentionally empty
    }

    // ---- HTTP specifics ---------------------------------------------------

    /** @return always null; response headers are not exposed */
    public String getHeaderValue(String s) {
        return null;
    }

    /** @return the method name of the wrapped PostMethod */
    public String getHTTPMethod() {
        return postMethod.getName();
    }

    /** @return the HTTP status code of the response */
    public int getStatusCode() {
        return postMethod.getStatusCode();
    }

    /** @return always null; request parameters are not exposed */
    public String getParameterValue(String s) {
        return null;
    }

    /** @return always null; request parameters are not exposed */
    public List getParameterValues(String s) {
        return null;
    }

    /** @return always null; the HTTP version is not reported */
    public HTTP_VERSION getVersion() {
        return null;
    }
}

--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/ws/transport/http/LocationAwareInTransport.java:
--------------------------------------------------------------------------------
package org.opensaml.ws.transport.http;

/**
 * Interface marks HTTP In Transports which can contain URL at which is the reception of data done.
 */
public interface LocationAwareInTransport {

    public String getLocalAddress();

}

--------------------------------------------------------------------------------
/core/src/main/java/org/opensaml/ws/transport/http/httpclient/OutputStreamRequestEntity.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2010 Mandus Elfving
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/
package org.opensaml.ws.transport.http.httpclient;

import org.apache.commons.httpclient.methods.RequestEntity;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;

/**
 * RequestEntity backed by an in-memory buffer. Because the whole body is held
 * in the buffer it can be replayed, so the entity reports itself as repeatable.
 *
 * @author Mandus Elfving
 */
public class OutputStreamRequestEntity implements RequestEntity {

    /** Buffered request body. */
    private final ByteArrayOutputStream buffer;

    /** Content type reported to HttpClient; may be null. */
    private final String mediaType;

    /**
     * Creates an entity without a content type.
     *
     * @param outputStream buffer holding the body
     */
    public OutputStreamRequestEntity(ByteArrayOutputStream outputStream) {
        this(outputStream, null);
    }

    /**
     * @param outputStream buffer holding the body
     * @param contentType  content type to report, or null
     */
    public OutputStreamRequestEntity(ByteArrayOutputStream outputStream, String contentType) {
        this.buffer = outputStream;
        this.mediaType = contentType;
    }

    /** @return true; the buffered body can be written any number of times */
    public boolean isRepeatable() {
        return true;
    }

    /**
     * Copies the buffered bytes to the request stream.
     *
     * @param outputStream stream of the outgoing request
     * @throws IOException propagated from the copy
     */
    public void writeRequest(OutputStream outputStream) throws IOException {
        buffer.writeTo(outputStream);
    }

    /** @return the current size of the buffer in bytes */
    public long getContentLength() {
        return buffer.size();
    }

    /** @return the content type given at construction, possibly null */
    public String getContentType() {
        return mediaType;
    }
}

--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/providers/ExpiringUsernameAuthenticationToken.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
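* See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.providers;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;

import java.util.Collection;
import java.util.Date;

/**
 * Authentication token with capability to disable itself after specific datetime. In case no expiration date is
 * specified for the token functionality is exactly the same as of {@link UsernamePasswordAuthenticationToken}.
 *
 * Expiry is evaluated against the local wall clock on every call to {@link #isAuthenticated()}; no skew
 * tolerance is applied. Only that method changes on expiry — principal, credentials and authorities
 * remain readable, so callers must consult {@link #isAuthenticated()} rather than the presence of
 * authorities.
 *
 * @author Vladimir Schäfer
 */
public class ExpiringUsernameAuthenticationToken extends UsernamePasswordAuthenticationToken {

    /** Instant after which the token is no longer authenticated; null means "never expires". */
    private final Date tokenExpiration;

    /**
     * Creates a non-expiring, unauthenticated token.
     *
     * @param principal principal
     * @param credentials credential
     *
     * @see UsernamePasswordAuthenticationToken#UsernamePasswordAuthenticationToken(Object, Object)
     */
    public ExpiringUsernameAuthenticationToken(Object principal, Object credentials) {
        super(principal, credentials);
        this.tokenExpiration = null;
    }

    /**
     * Should only be used by authenticationManager as specified in {@link UsernamePasswordAuthenticationToken}. In
     * case the tokenExpiration is not null the calls to the isAuthenticated method will return false after
     * the current time is beyond the tokenExpiration. No functionality is changed when tokenExpiration is null.
     *
     * @param tokenExpiration null or date after which the token is not valid anymore
     * @param principal principal
     * @param credentials credentials
     * @param authorities authorities
     */
    public ExpiringUsernameAuthenticationToken(Date tokenExpiration, Object principal, Object credentials,
                                               Collection<? extends GrantedAuthority> authorities) {
        super(principal, credentials, authorities);
        this.tokenExpiration = tokenExpiration;
    }

    /**
     * @return true in case the token is authenticated (determined by constructor call) and tokenExpiration
     * is either null or the expiration time is after the current time.
     */
    @Override
    public boolean isAuthenticated() {
        // Expired exactly at the expiration instant (compareTo >= 0), not one tick later.
        if (tokenExpiration != null && new Date().compareTo(tokenExpiration) >= 0) {
            return false;
        }
        return super.isAuthenticated();
    }

    /**
     * @return null if no expiration is set, expiration date otherwise
     */
    public Date getTokenExpiration() {
        return tokenExpiration;
    }

    /**
     * SAML credentials can be kept without clearing.
     *
     * Overrides the parent's behaviour: credentials survive for the lifetime of the token, so they
     * remain in any store the token is placed in (e.g. the HTTP session).
     */
    @Override
    public void eraseCredentials() {
        // intentionally retained
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/saml/SAMLAuthenticationToken.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.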
* See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.util.Assert;

/**
 * SAML Token is used to pass SAMLContext object through to the SAML Authentication provider.
 *
 * The token is a carrier only: it is created unauthenticated, has no principal and no authorities,
 * and refuses to be marked authenticated. The context is held in a transient field, so a
 * deserialised copy of this token reports a null context.
 *
 * @author Vladimir Schäfer
 */
public class SAMLAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = 1L;

    /**
     * SAML context with content to verify; transient, hence null after deserialisation.
     */
    private transient SAMLMessageContext credentials;

    /**
     * Default constructor initializing the context
     *
     * @param credentials SAML context object created after decoding
     * @throws IllegalArgumentException when the context is null
     */
    public SAMLAuthenticationToken(SAMLMessageContext credentials) {
        super(null);
        Assert.notNull(credentials, "SAMLAuthenticationToken requires the credentials parameter to be set");
        this.credentials = credentials;
        setAuthenticated(false);
    }

    /**
     * Returns the stored SAML context
     *
     * @return context
     */
    public SAMLMessageContext getCredentials() {
        return credentials;
    }

    /**
     * Always null
     *
     * @return null
     */
    public Object getPrincipal() {
        return null;
    }

    /**
     * This object can never be authenticated, call with true result in exception.
     *
     * @param isAuthenticated only false value allowed
     *
     * @throws IllegalArgumentException if isAuthenticated is true
     */
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (!isAuthenticated) {
            super.setAuthenticated(false);
            return;
        }
        throw new IllegalArgumentException(
                "Cannot set this token to trusted - use constructor containing GrantedAuthority[]s instead");
    }

}

--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/saml/SAMLBootstrap.java:
--------------------------------------------------------------------------------
/* Copyright 2011 Vladimir Schaefer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/
package org.springframework.security.saml;

import org.opensaml.Configuration;
import org.opensaml.PaosBootstrap;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.FatalBeanException;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;

/**
 * Initialization for SAML library. Is automatically called as part of Spring initialization.
 *
 * Runs the OpenSAML/PAOS bootstrap and then registers the KeyInfo generator used when
 * credentials are written into generated metadata. Both steps touch OpenSAML's global
 * configuration, so they affect the whole JVM, not just this bean factory.
 *
 * @author Vladimir Schaefer
 */
public class SAMLBootstrap implements BeanFactoryPostProcessor {

    /**
     * Automatically called to initialize the whole module.
     *
     * @param beanFactory bean factory
     * @throws BeansException errors
     */
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        try {
            PaosBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            throw new FatalBeanException("Error invoking OpenSAML bootstrap", e);
        }
        // Registration only touches the in-memory generator manager; it declares no checked exception.
        setMetadataKeyInfoGenerator();
    }

    /**
     * Method registers extension specific KeyInfoGenerator which emits the entity certificate
     * together with its certificate chain.
     *
     * @see SAMLConstants#SAML_METADATA_KEY_INFO_GENERATOR
     */
    protected void setMetadataKeyInfoGenerator() {
        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitEntityCertificate(true);
        factory.setEmitEntityCertificateChain(true);

        NamedKeyInfoGeneratorManager registry =
                Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
        registry.registerFactory(SAMLConstants.SAML_METADATA_KEY_INFO_GENERATOR, factory);
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/saml/SAMLConstants.java:
--------------------------------------------------------------------------------
/* Copyright 2010 Vladimir Schaefer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

import org.opensaml.saml2.core.AuthnRequest;

import javax.xml.namespace.QName;

/**
 * Constant values for SAML module.
 *
 * @author Vladimir Schaefer
 */
public class SAMLConstants {

    /**
     * Constant identifying special version of the KeyInfoGenerator used to include credentials in generated
     * metadata.
     */
    public static final String SAML_METADATA_KEY_INFO_GENERATOR = "MetadataKeyInfoGenerator";

    /**
     * Identifier of the WebSSO profile.
*/
    public static final String SAML2_WEBSSO_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser";

    /**
     * Identifier of the WebSSO HoK profile.
     */
    public static final String SAML2_HOK_WEBSSO_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser";

    /**
     * Identifier of the ECP profile.
     */
    public static final String SAML2_ECP_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp";

    /**
     * Identifier of the Artifact profile.
     */
    public static final String SAML2_ARTIFACT_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:profiles:artifact";

    /**
     * Identifier of the Single Logout profile.
     */
    public static final String SAML2_SLO_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:logout";

    // Labels for SAML message types; their consumers live outside this file.
    public static final String AUTH_N_REQUEST = "AuthNRequest";
    public static final String AUTH_N_RESPONSE = "AuthNResponse";
    public static final String LOGOUT_REQUEST = "LogoutRequest";
    public static final String LOGOUT_RESPONSE = "LogoutResponse";

    // Outcome labels; their consumers live outside this file.
    public static final String SUCCESS = "SUCCESS";
    public static final String FAILURE = "FAILURE";

    // PAOS (ECP) HTTP negotiation: the Accept media type and the PAOS header name.
    public static final String PAOS_HTTP_ACCEPT_HEADER = "application/vnd.paos+xml";
    public static final String PAOS_HTTP_HEADER = "PAOS";

    /**
     * Used as attribute inside HttpServletRequest to indicate required local entity id to the context provider.
     */
    public static final String LOCAL_ENTITY_ID = "localEntityId";

    /**
     * Used as attribute inside HttpServletRequest to indicate required peer entity id to the context provider.
     */
    public static final String PEER_ENTITY_ID = "peerEntityId";

    /**
     * Used to store context path inside InTransport
     */
    public static final String LOCAL_CONTEXT_PATH = "localContextPath";

    /**
     * Qualified name of the attribute used to convey binding information in the Holder of Key metadata endpoint.
     * The HoK profile URI doubles as the attribute's namespace.
     */
    public static final QName WEBSSO_HOK_METADATA_ATT_NAME =
            new QName(SAML2_HOK_WEBSSO_PROFILE_URI, AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME);

}

--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/saml/SAMLRelayStateSuccessHandler.java:
--------------------------------------------------------------------------------
/* Copyright 2010 Vladimir Schafer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/
package org.springframework.security.saml;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Implementation of a success handler which interprets meaning of the RelayState inside SAMLCredential
 * as an URL to redirect user to.
 *
 * The RelayState arrives with the SAML response and is not validated by this class: the default
 * {@link #getTargetURL(String)} returns it unchanged, so whatever value the peer placed there — including
 * an absolute URL to another host — becomes the redirect target. Deployments that do not fully trust
 * the source of the RelayState should override {@link #getTargetURL(String)} and restrict the accepted
 * values (for example to relative paths, or to an allow-list of destinations), returning null to fall
 * back to the saved-request behaviour.
 *
 * @author Vladimir Schafer
 */
public class SAMLRelayStateSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    /**
     * Class logger.
     */
    protected static final Logger log = LoggerFactory.getLogger(SAMLRelayStateSuccessHandler.class);

    /**
     * Implementation tries to load RelayString from the SAMLCredential authentication object and in case the state
     * is present uses it as the target URL. In case the state is missing behaviour is the same as of the
     * SavedRequestAwareAuthenticationSuccessHandler.
     *
     * @param request        current request
     * @param response       current response
     * @param authentication the successful authentication; its credentials are inspected for a SAMLCredential
     * @throws ServletException propagated from the redirect or the parent handler
     * @throws IOException      propagated from the redirect or the parent handler
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
        Object credentials = authentication.getCredentials();
        if (!(credentials instanceof SAMLCredential)) {
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }

        SAMLCredential samlCredential = (SAMLCredential) credentials;
        String relayStateURL = getTargetURL(samlCredential.getRelayState());
        if (relayStateURL == null) {
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }

        // The logged value is the unmodified RelayState as accepted by getTargetURL.
        log.debug("Redirecting to RelayState Url: " + relayStateURL);
        getRedirectStrategy().sendRedirect(request, response, relayStateURL);
    }

    /**
     * Method is responsible for processing relayState and returning URL the system can redirect to. Method
     * can decide to ignore the relayState and redirect user to default location by returning null.
     *
     * This default performs no validation at all; see the class documentation for why an override is
     * advisable when the RelayState is not trusted.
     *
     * @param relayState relay state to process, can be null
     * @return null to ignore the state, URL to redirect to otherwise
     */
    protected String getTargetURL(String relayState) {
        return relayState;
    }

}
--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/saml/SAMLStatusException.java:
--------------------------------------------------------------------------------
package org.springframework.security.saml;

import org.opensaml.common.SAMLException;

/**
 * SAML exception which contains status code which should be returned to the caller as part of status message.
*/
public class SAMLStatusException extends SAMLException {

    /** Status code to report to the caller. */
    private final String statusCode;

    /** Human-readable message accompanying the status code. */
    private final String statusMessage;

    /**
     * @param statusCode status code to report
     * @param message    status message; also used as the exception message
     */
    public SAMLStatusException(String statusCode, String message) {
        super(message);
        this.statusCode = statusCode;
        this.statusMessage = message;
    }

    /**
     * Wraps another exception; its message becomes the status message.
     *
     * @param statusCode       status code to report
     * @param wrappedException cause; must not be null, its message is read here
     */
    public SAMLStatusException(String statusCode, Exception wrappedException) {
        super(wrappedException);
        this.statusCode = statusCode;
        this.statusMessage = wrappedException.getMessage();
    }

    /**
     * @param statusCode       status code to report
     * @param message          status message; also used as the exception message
     * @param wrappedException cause
     */
    public SAMLStatusException(String statusCode, String message, Exception wrappedException) {
        super(message, wrappedException);
        this.statusCode = statusCode;
        this.statusMessage = message;
    }

    /** @return the status code given at construction */
    public String getStatusCode() {
        return statusCode;
    }

    /** @return the status message given at construction or taken from the wrapped exception */
    public String getStatusMessage() {
        return statusMessage;
    }

}

--------------------------------------------------------------------------------
/core/src/main/java/org/springframework/security/saml/SAMLWebSSOHoKProcessingFilter.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

/**
 * Filter processes messages sent from IDP as part of the WebSSO Holder-of-Key profile.
/**
 * Filter processes messages sent from IDP as part of the WebSSO Holder-of-Key profile. It is the regular
 * SAML processing filter bound to a dedicated URL and reporting the HoK profile name.
 *
 * @author Vladimir Schäfer
 */
public class SAMLWebSSOHoKProcessingFilter extends SAMLProcessingFilter {

    /**
     * URL for Web SSO HoK profile responses or unsolicited requests
     */
    public static final String WEBSSO_HOK_URL = "/saml/HoKSSO";

    /**
     * Creates the filter bound to {@link #WEBSSO_HOK_URL}.
     */
    public SAMLWebSSOHoKProcessingFilter() {
        super(WEBSSO_HOK_URL);
    }

    /**
     * Name of the WebSSO HoK profile this filter processes.
     *
     * @return profile name
     * @see SAMLConstants#SAML2_HOK_WEBSSO_PROFILE_URI
     */
    @Override
    protected String getProfileName() {
        return SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI;
    }

}
/**
 * Implementation is supposed to provide SAMLContext by populating all data about the local entity related
 * to an Request.
 * <p>
 * In both methods the entity IDs are derived from the incoming request, so the request is the input that
 * selects which local (and peer) configuration the rest of the processing uses. Implementations must also
 * store the request and response in the context as the message transports.
 *
 * @author Vladimir Schaefer
 */
public interface SAMLContextProvider {

    /**
     * Creates a SAMLContext with local entity values filled. Also request and response must be stored in the context
     * as message transports. Local entity ID is populated from data in the request object.
     *
     * @param request request the message arrived on; used to determine the local entity
     * @param response response to be used as the outgoing transport
     * @return context with local entity populated
     * @throws MetadataProviderException in case of metadata problems (e.g. the local entity cannot be found)
     */
    SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException;

    /**
     * Creates a SAMLContext with local entity and peer values filled. Also request and response must be stored in the context
     * as message transports. Local and peer entity IDs are populated from data in the request object.
     *
     * @param request request the message arrived on; used to determine both local and peer entity
     * @param response response to be used as the outgoing transport
     * @return context with local and peer entity populated
     * @throws MetadataProviderException in case of metadata problems (e.g. local or peer entity cannot be found)
     */
    SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException;

}
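/**
 * Key manager doesn't provide access to any keys and can be used to skip inclusion of keystore files in the
 * Spring SAML projects. Empty key store can only be used in situations when Spring SAML doesn't perform decryption
 * of incoming messages and doesn't need to create digital signatures.
 * <p>
 * Every lookup reports "no credential": single-valued accessors return null and collection-valued ones return
 * empty collections, so callers that iterate over the result never need a null check.
 *
 * @author Vladimir Schafer
 */
public class EmptyKeyManager implements KeyManager {

    /**
     * @param keyName ignored
     * @return always null, there are no credentials
     */
    @Override
    public Credential getCredential(String keyName) {
        return null;
    }

    /**
     * @return always null, there is no default credential
     */
    @Override
    public Credential getDefaultCredential() {
        return null;
    }

    /**
     * @return always null, there is no default credential name
     */
    @Override
    public String getDefaultCredentialName() {
        return null;
    }

    /**
     * @return empty, unmodifiable set
     */
    @Override
    public Set getAvailableCredentials() {
        return Collections.emptySet();
    }

    /**
     * @param alias ignored
     * @return always null, there are no certificates
     */
    @Override
    public X509Certificate getCertificate(String alias) {
        return null;
    }

    /**
     * Resolves nothing. Returns an empty iterable rather than null so that callers which iterate over the
     * resolver result (the usual way a CredentialResolver is consumed) do not fail with a NullPointerException.
     *
     * @param criteria ignored
     * @return empty iterable, never null
     * @throws SecurityException never thrown by this implementation
     */
    @Override
    public Iterable<Credential> resolve(CriteriaSet criteria) throws SecurityException {
        return Collections.<Credential>emptyList();
    }

    /**
     * @param criteria ignored
     * @return always null, no credential matches
     * @throws SecurityException never thrown by this implementation
     */
    @Override
    public Credential resolveSingle(CriteriaSet criteria) throws SecurityException {
        return null;
    }

}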
/**
 * Interface defines basic service required by the SAML Extension implementation.
 * It combines name-based access to this entity's own credentials (used for signing and decryption) with
 * OpenSAML's CredentialResolver contract, so the same object can be handed to OpenSAML components that
 * resolve credentials by criteria.
 *
 * @author Vladimir Schafer
 */
public interface KeyManager extends CredentialResolver {

    /**
     * Returns Credential object used to sign the messages issued by this entity.
     * Public, X509 and Private keys are set in the credential.
     * <p>
     * Implementations may return null when the named key is unknown or when no keys are configured at all
     * (EmptyKeyManager does); callers must be prepared for a null result.
     *
     * @param keyName name of the key to use, in case of null default key is used
     * @return credential, or null if not available
     */
    public Credential getCredential(String keyName);

    /**
     * Returns Credential object used to sign the messages issued by this entity.
     * Public, X509 and Private keys are set in the credential.
     * <p>
     * May return null when no default credential is configured.
     *
     * @return credential, or null if not available
     */
    public Credential getDefaultCredential();

    /**
     * Method provides name of the credential which should be used by default when no other is specified. It
     * must be possible to call getCredential with the returned name in order to obtain Credential value.
     * <p>
     * May return null when no default credential is configured.
     *
     * @return default credential name, or null if none
     */
    public String getDefaultCredentialName();

    /**
     * Method provides list of all credentials available in the storage.
     *
     * @return available credentials, empty set when there are none
     */
    public Set getAvailableCredentials();

    /**
     * Returns certificate with the given alias from the keystore.
     *
     * @param alias alias of certificate to find
     * @return certificate with the given alias or null if not found
     */
    public X509Certificate getCertificate(String alias);


}
/**
 * Logger implementation which ignores all values. Useful when no SAML audit trail is wanted; every
 * variant of {@code log} is a no-op.
 *
 * @author Vladimir Schäfer
 */
public class SAMLEmptyLogger implements SAMLLogger {

    /** Discards the event. */
    @Override
    public void log(String operation, String result, SAMLMessageContext context) {
        // intentionally empty
    }

    /** Discards the event and the exception. */
    @Override
    public void log(String operation, String result, SAMLMessageContext context, Exception e) {
        // intentionally empty
    }

    /** Discards the event, the authentication and the exception. */
    @Override
    public void log(String operation, String result, SAMLMessageContext context, Authentication a, Exception e) {
        // intentionally empty
    }

}
/**
 * Implementations are supposed to log significant SAML operations.
 * Each variant receives the operation name, its result and the message context; the richer variants also
 * carry the exception behind a failure and the Authentication object the operation produced. This is the
 * extension point for a SAML audit trail, so implementations should be careful about what parts of the
 * context they write out.
 *
 * @author Vladimir Schäfer
 */
public interface SAMLLogger {

    /**
     * Logs an operation without an exception or authentication object.
     *
     * @param operation name of the SAML operation
     * @param result    outcome of the operation
     * @param context   SAML message context of the operation
     */
    void log(String operation, String result, SAMLMessageContext context);

    /**
     * Logs an operation together with the exception that accompanied it.
     *
     * @param operation name of the SAML operation
     * @param result    outcome of the operation
     * @param context   SAML message context of the operation
     * @param e         exception related to the operation, may be null
     */
    void log(String operation, String result, SAMLMessageContext context, Exception e);

    /**
     * Logs an operation together with the resulting authentication and an optional exception.
     *
     * @param operation name of the SAML operation
     * @param result    outcome of the operation
     * @param context   SAML message context of the operation
     * @param a         authentication produced by the operation, may be null
     * @param e         exception related to the operation, may be null
     */
    void log(String operation, String result, SAMLMessageContext context, Authentication a, Exception e);

}
/**
 * Class implements simple metadata provider which retrieves EntityDescriptor from preconfigured object.
 * The provider holds exactly one descriptor, given at construction, and hands back that same object on
 * every call.
 *
 * @author Vladimir Schäfer
 */
public class MetadataMemoryProvider extends AbstractMetadataProvider {

    /**
     * Preconfigured descriptor; the only entity this provider ever returns.
     */
    private EntityDescriptor descriptor;

    /**
     * Constructor settings descriptor in parameter as the only entity available from this provider.
     *
     * @param descriptor descriptor to use; it is stored by reference, no copy is made
     */
    public MetadataMemoryProvider(EntityDescriptor descriptor) {
        this.descriptor = descriptor;
    }

    /**
     * Returns the preconfigured descriptor directly.
     * <p>
     * NOTE(review): this overrides AbstractMetadataProvider.getMetadata(), so whatever the base method does
     * around doGetMetadata() (for instance initialization or validity checks) is bypassed here — confirm that
     * is intended for an in-memory descriptor.
     *
     * @return preconfigured entity descriptor
     */
    public XMLObject getMetadata() {
        return descriptor;
    }

    /**
     * @return preconfigured entity descriptor, the same object as returned by getMetadata()
     * @throws MetadataProviderException never thrown by this implementation
     */
    @Override
    protected XMLObject doGetMetadata() throws MetadataProviderException {
        return descriptor;
    }

}
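    /**
     * Initializes the static parserPool property and makes it available for getPool calls.
     * In case the pool was already previously initialized the last value will be overwritten.
     * A null argument is ignored and leaves the current pool untouched.
     *
     * @param pool pool to initialize the static property with
     */
    @Autowired
    public void setParserPool(ParserPool pool) {
        if (pool != null) {
            setPool(pool);
        }
    }

    /**
     * Stores the pool in the static holder.
     *
     * @param pool pool to store
     */
    private synchronized static void setPool(ParserPool pool) {
        ParserPoolHolder.pool = pool;
    }

    /**
     * @return parserPool or create a default one if none was provided
     */
    public synchronized static ParserPool getPool() {
        if (pool == null) {
            setPool(createDefaultPool());
        }
        return pool;
    }

    /**
     * Builds the fallback pool used only when no pool was injected from the Spring context. The pool is
     * hardened against XML external entity (XXE) processing: DOCTYPE declarations are rejected via the Xerces
     * "disallow-doctype-decl" feature and entity references are not expanded. SAML messages never legitimately
     * carry a DTD, so valid input is unaffected; without this, the safety of the fallback pool would depend on
     * the defaults of the OpenSAML/xmltooling version on the classpath.
     *
     * @return hardened default pool
     */
    private static BasicParserPool createDefaultPool() {
        BasicParserPool defaultPool = new BasicParserPool();
        defaultPool.setExpandEntityReferences(false);
        defaultPool.setBuilderFeatures(java.util.Collections.singletonMap(
                "http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE));
        return defaultPool;
    }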
/**
 * Http artifact binding. Incoming messages are recognised by the presence of the "SAMLart" request
 * parameter; outgoing messages may use any HTTP out-transport. Messages received through this binding are
 * checked with the protocol-message XML signature rule backed by the local trust engine.
 *
 * @author Mandus Elfving, Vladimir Schaefer
 */
public class HTTPArtifactBinding extends SAMLBindingImpl {

    /**
     * Creates default implementation of the binding.
     *
     * @param parserPool      parserPool for message deserialization
     * @param velocityEngine  engine for message formatting
     * @param artifactProfile profile used to retrieve the artifact message
     */
    public HTTPArtifactBinding(ParserPool parserPool, VelocityEngine velocityEngine, ArtifactResolutionProfile artifactProfile) {
        this(new HTTPArtifactDecoderImpl(artifactProfile, parserPool),
                new HTTPArtifactEncoder(velocityEngine, "/templates/saml2-post-artifact-binding.vm", null));
    }

    /**
     * Implementation of the binding with custom encoder and decoder.
     *
     * @param decoder custom decoder implementation
     * @param encoder custom encoder implementation
     */
    public HTTPArtifactBinding(MessageDecoder decoder, MessageEncoder encoder) {
        super(decoder, encoder);
    }

    /**
     * @param transport incoming transport
     * @return true when the transport is an HTTP in-transport carrying a "SAMLart" parameter
     */
    @Override
    public boolean supports(InTransport transport) {
        if (!(transport instanceof HTTPInTransport)) {
            return false;
        }
        HTTPInTransport httpTransport = (HTTPInTransport) transport;
        return httpTransport.getParameterValue("SAMLart") != null;
    }

    /**
     * @param transport outgoing transport
     * @return true for any HTTP out-transport
     */
    @Override
    public boolean supports(OutTransport transport) {
        return transport instanceof HTTPOutTransport;
    }

    @Override
    public String getBindingURI() {
        return SAMLConstants.SAML2_ARTIFACT_BINDING_URI;
    }

    /**
     * Adds the protocol-message XML signature rule, using the local trust engine from the context.
     *
     * @param securityPolicy list the rule is added to
     * @param samlContext    context providing the local trust engine
     */
    @Override
    public void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext) {
        SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
        securityPolicy.add(new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine));
    }

}
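/**
 * PAOS (reverse SOAP) binding used by the ECP profile. It reuses the SOAP 1.1 binding machinery with a PAOS
 * decoder/encoder pair and is selected for HTTP POST requests whose Content-Type starts with the PAOS media
 * type. Security rules are inherited from {@link HTTPSOAP11Binding}.
 */
public class HTTPPAOS11Binding extends HTTPSOAP11Binding {

    /**
     * Creates binding with the default PAOS decoder and encoder.
     *
     * @param parserPool parser pool used by the decoder
     */
    public HTTPPAOS11Binding(ParserPool parserPool) {
        super(new HTTPPAOS11Decoder(parserPool), new HTTPPAOS11Encoder());
    }

    /**
     * Creates binding with customized decoder and encoder.
     *
     * @param decoder decoder
     * @param encoder encoder
     */
    public HTTPPAOS11Binding(MessageDecoder decoder, MessageEncoder encoder) {
        super(decoder, encoder);
    }

    /**
     * @param transport incoming transport
     * @return true for a servlet-backed HTTP POST whose Content-Type begins with the PAOS media type
     */
    @Override
    public boolean supports(InTransport transport) {
        if (!(transport instanceof HttpServletRequestAdapter)) {
            return false;
        }
        HttpServletRequestAdapter adapter = (HttpServletRequestAdapter) transport;
        if (!"POST".equalsIgnoreCase(adapter.getHTTPMethod())) {
            return false;
        }
        String contentType = adapter.getWrappedRequest().getContentType();
        String paosType = org.springframework.security.saml.SAMLConstants.PAOS_HTTP_ACCEPT_HEADER;
        // Media type names are case-insensitive; compare only the type prefix so parameters such as
        // "; charset=UTF-8" following it are accepted as before.
        return contentType != null
                && contentType.regionMatches(true, 0, paosType, 0, paosType.length());
    }

    @Override
    public String getBindingURI() {
        return SAMLConstants.SAML2_PAOS_BINDING_URI;
    }

}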
/**
 * Http redirect binding. Incoming messages are recognised as HTTP GET requests carrying either a
 * "SAMLRequest" or a "SAMLResponse" parameter; outgoing messages may use any HTTP out-transport.
 * Incoming messages are checked with both the redirect-binding signature rule and the protocol-message
 * XML signature rule, each backed by the local trust engine.
 *
 * @author Mandus Elfving
 */
public class HTTPRedirectDeflateBinding extends SAMLBindingImpl {

    /**
     * Creates binding with default encoder and decoder.
     *
     * @param parserPool parser pool
     */
    public HTTPRedirectDeflateBinding(ParserPool parserPool) {
        this(new HTTPRedirectDeflateDecoder(parserPool), new HTTPRedirectDeflateEncoder());
    }

    /**
     * Constructor with customized encoder and decoder
     *
     * @param decoder decoder
     * @param encoder encoder
     */
    public HTTPRedirectDeflateBinding(MessageDecoder decoder, MessageEncoder encoder) {
        super(decoder, encoder);
    }

    /**
     * @param transport incoming transport
     * @return true for an HTTP GET carrying a SAMLRequest or SAMLResponse parameter
     */
    @Override
    public boolean supports(InTransport transport) {
        if (!(transport instanceof HTTPInTransport)) {
            return false;
        }
        HTTPInTransport httpTransport = (HTTPInTransport) transport;
        if (!"GET".equalsIgnoreCase(httpTransport.getHTTPMethod())) {
            return false;
        }
        return httpTransport.getParameterValue("SAMLRequest") != null
                || httpTransport.getParameterValue("SAMLResponse") != null;
    }

    /**
     * @param transport outgoing transport
     * @return true for any HTTP out-transport
     */
    @Override
    public boolean supports(OutTransport transport) {
        return transport instanceof HTTPOutTransport;
    }

    @Override
    public String getBindingURI() {
        return SAMLConstants.SAML2_REDIRECT_BINDING_URI;
    }

    /**
     * Adds the redirect-binding signature rule followed by the protocol-message XML signature rule, both
     * using the local trust engine from the context.
     *
     * @param securityPolicy list the rules are added to
     * @param samlContext    context providing the local trust engine
     */
    @Override
    public void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext) {
        SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
        securityPolicy.add(new SAML2HTTPRedirectDeflateSignatureRule(trustEngine));
        securityPolicy.add(new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine));
    }

}
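/**
 * Http SOAP 1.1 binding. Incoming messages are recognised as servlet-backed HTTP POST requests whose
 * Content-Type begins with "text/xml"; outgoing messages may use any HTTP out-transport. Incoming messages
 * are checked with the protocol-message XML signature rule backed by the local trust engine.
 *
 * @author Mandus Elfving, Vladimir Schaefer
 */
public class HTTPSOAP11Binding extends SAMLBindingImpl {

    /** Media type prefix identifying a SOAP 1.1 request. */
    private static final String TEXT_XML = "text/xml";

    /**
     * Creates binding with default encoder and decoder.
     *
     * @param parserPool parser pool
     */
    public HTTPSOAP11Binding(ParserPool parserPool) {
        this(new HTTPSOAP11DecoderImpl(parserPool), new HTTPSOAP11Encoder());
    }

    /**
     * Constructor with customized encoder and decoder
     *
     * @param decoder decoder
     * @param encoder encoder
     */
    public HTTPSOAP11Binding(MessageDecoder decoder, MessageEncoder encoder) {
        super(decoder, encoder);
    }

    /**
     * @param transport incoming transport
     * @return true for a servlet-backed HTTP POST whose Content-Type begins with "text/xml" (case-insensitive)
     */
    @Override
    public boolean supports(InTransport transport) {
        if (!(transport instanceof HttpServletRequestAdapter)) {
            return false;
        }
        HttpServletRequestAdapter adapter = (HttpServletRequestAdapter) transport;
        if (!"POST".equalsIgnoreCase(adapter.getHTTPMethod())) {
            return false;
        }
        String contentType = adapter.getWrappedRequest().getContentType();
        // Media type names are case-insensitive; compare only the type prefix so parameters such as
        // "; charset=UTF-8" following it are accepted as before.
        return contentType != null
                && contentType.regionMatches(true, 0, TEXT_XML, 0, TEXT_XML.length());
    }

    /**
     * @param transport outgoing transport
     * @return true for any HTTP out-transport
     */
    @Override
    public boolean supports(OutTransport transport) {
        return transport instanceof HTTPOutTransport;
    }

    @Override
    public String getBindingURI() {
        return SAMLConstants.SAML2_SOAP11_BINDING_URI;
    }

    /**
     * Adds the protocol-message XML signature rule, using the local trust engine from the context.
     *
     * @param securityPolicy list the rule is added to
     * @param samlContext    context providing the local trust engine
     */
    @Override
    public void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext) {
        SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
        securityPolicy.add(new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine));
    }

}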
5 | * You may obtain a copy of the License at 6 | * 7 | * https://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | package org.springframework.security.saml.processor; 16 | 17 | import org.opensaml.ws.message.decoder.MessageDecoder; 18 | import org.opensaml.ws.message.encoder.MessageEncoder; 19 | import org.opensaml.ws.security.SecurityPolicyRule; 20 | import org.opensaml.ws.transport.InTransport; 21 | import org.opensaml.ws.transport.OutTransport; 22 | import org.springframework.security.saml.context.SAMLMessageContext; 23 | 24 | import java.util.List; 25 | 26 | /** 27 | * Implementation describes a single binding usable for parsing of a SAML message. 28 | * 29 | * @author Mandus Elfving 30 | */ 31 | public interface SAMLBinding { 32 | 33 | /** 34 | * Checks whether current binding can be used to extract SAML message from the request. 35 | * 36 | * @param transport verify whether this binding supports given transport mechanism 37 | * @return true if this binding can be used to parse SAML message 38 | */ 39 | boolean supports(InTransport transport); 40 | 41 | /** 42 | * Checks whether current binding can be used to send a message using given transport. 
/**
 * Security rules to apply for incoming SAML messages received using the binding.
 * Implementations append SecurityPolicyRule instances to the supplied list (for example the SOAP
 * binding adds an XML signature rule built from the context's local trust engine); a binding that
 * adds nothing leaves incoming messages on that binding without binding-specific checks.
 * NOTE(review): the list is untyped here — callers presumably expect SecurityPolicyRule elements,
 * confirm against the processor that evaluates it.
 *
 * @param securityPolicy storage for created policies
 * @param samlContext processed context
 */
void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext);
/**
 * Base class for bindings: keeps the decoder and encoder handed over by the subclass and returns
 * them unchanged. Subclasses decide through the supports(...) methods when the binding applies.
 * The default security policy is empty, i.e. a binding that does not override getSecurityPolicy
 * contributes no rules for incoming messages.
 *
 * @author Vladimir Schaefer
 */
public abstract class SAMLBindingImpl implements SAMLBinding {

    private final MessageDecoder messageDecoder;
    private final MessageEncoder messageEncoder;

    /**
     * @param decoder decoder handed out by getMessageDecoder
     * @param encoder encoder handed out by getMessageEncoder
     */
    protected SAMLBindingImpl(MessageDecoder decoder, MessageEncoder encoder) {
        messageDecoder = decoder;
        messageEncoder = encoder;
    }

    /** @return the decoder given to the constructor */
    public MessageDecoder getMessageDecoder() {
        return messageDecoder;
    }

    /** @return the encoder given to the constructor */
    public MessageEncoder getMessageEncoder() {
        return messageEncoder;
    }

    /**
     * No-op default: adds no security rules to the list. Override in bindings that need
     * binding-specific checks such as signature validation.
     */
    public void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext) {
        // intentionally empty
    }

}
5 | * You may obtain a copy of the License at 6 | * 7 | * https://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | package org.springframework.security.saml.processor; 16 | 17 | import org.opensaml.common.SAMLException; 18 | import org.opensaml.saml2.metadata.provider.MetadataProviderException; 19 | import org.opensaml.ws.message.decoder.MessageDecodingException; 20 | import org.opensaml.ws.message.encoder.MessageEncodingException; 21 | import org.springframework.security.saml.context.SAMLMessageContext; 22 | 23 | /** 24 | * Implementation is responsible for sending and receiving SAML messages using any of the supported bindings. Processor 25 | * is unaware of the content of the messages or of the profile as part of which they're exchanged. It is the responsibility 26 | * of the caller to properly fill SAMLMessageContext with all required data. 
public interface SAMLProcessor {

    /**
     * Receives a SAML message using the named binding and returns the context populated with it.
     *
     * @param context context pre-populated by the caller with all data the binding needs
     * @param binding URI of the binding used to decode the message
     * @return context populated with the received message
     * @throws SAMLException when the message cannot be processed
     * @throws MetadataProviderException when required metadata cannot be obtained
     * @throws MessageDecodingException when the message cannot be decoded from the transport
     * @throws org.opensaml.xml.security.SecurityException presumably when a security rule of the
     *         binding rejects the message — confirm against the implementation
     */
    SAMLMessageContext retrieveMessage(SAMLMessageContext context, String binding) throws SAMLException, MetadataProviderException, MessageDecodingException, org.opensaml.xml.security.SecurityException;

    /**
     * Same as {@link #retrieveMessage(SAMLMessageContext, String)} but the binding is chosen by the
     * implementation rather than given by the caller.
     *
     * @param context context pre-populated by the caller with all data the binding needs
     * @return context populated with the received message
     */
    SAMLMessageContext retrieveMessage(SAMLMessageContext context) throws SAMLException, MetadataProviderException, MessageDecodingException, org.opensaml.xml.security.SecurityException;

    /**
     * Sends the message held in the context using the named binding.
     *
     * @param context context holding the outbound message and transport
     * @param sign presumably whether the outbound message should be signed — confirm against the implementation
     * @param binding URI of the binding used to encode the message
     * @return the processed context
     * @throws MessageEncodingException when the message cannot be encoded for the transport
     */
    SAMLMessageContext sendMessage(SAMLMessageContext context, boolean sign, String binding) throws SAMLException, MetadataProviderException, MessageEncodingException;

    /**
     * Same as {@link #sendMessage(SAMLMessageContext, boolean, String)} with the binding chosen by
     * the implementation.
     *
     * @param context context holding the outbound message and transport
     * @param sign presumably whether the outbound message should be signed — confirm against the implementation
     * @return the processed context
     */
    SAMLMessageContext sendMessage(SAMLMessageContext context, boolean sign) throws SAMLException, MetadataProviderException, MessageEncodingException;

}
public class EmptyStorageFactory implements SAMLMessageStorageFactory {

    /**
     * Always returns null, which switches message storage off. Without a storage the application
     * cannot pair an incoming response with the request it originally sent (the purpose of the
     * storage described on SAMLMessageStorage), so any check that relies on that pairing is not
     * possible; this factory is only appropriate where unsolicited responses are acceptable.
     *
     * @param request currently processed HTTP request, ignored
     * @return always null
     */
    public SAMLMessageStorage getMessageStorage(HttpServletRequest request) {
        return null;
    }

}
5 | * You may obtain a copy of the License at 6 | * 7 | * https://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | package org.springframework.security.saml.storage; 16 | 17 | import org.opensaml.xml.XMLObject; 18 | 19 | /** 20 | * Implementations serve as data stores for sent/received SAML messages. Potential implementations could 21 | * be using for example central repository common for all users within the application or HttpSession. 22 | *

public interface SAMLMessageStorage {

    /**
     * Stores given message in the data store. The message must already carry the ID it is stored
     * under, since that ID is what a later retrieveMessage call uses to find it again.
     * NOTE(review): the class description allows a store shared by all users; the interface
     * itself does not say how such a store keeps one user's messages from another — confirm
     * in the implementation.
     *
     * @param messageId key under which will the message be stored
     * @param message message to store
     */
    void storeMessage(String messageId, XMLObject message);

    /**
     * Retrieves message stored under given ID.
     *
     * @param messageID message ID to look up
     * @return the stored message or null if not found
     */
    XMLObject retrieveMessage(String messageID);

}
public interface SAMLMessageStorageFactory {

    /**
     * Provides message storage related to the given request. Implementations may return null to
     * disable storage altogether (see EmptyStorageFactory), so callers must handle a null result.
     *
     * @param request currently processed HTTP request
     * @return storage object for this request, or null when storage is disabled
     */
    SAMLMessageStorage getMessageStorage(HttpServletRequest request);

}
/**
 * Trust engine that accepts every signature without checking it. Both validate(...) overloads
 * return true unconditionally, so neither the cryptographic signature nor the trustworthiness of
 * the signing credential is evaluated; the supplied KeyInfoCredentialResolver is only kept and
 * exposed through getKeyInfoResolver(). Suitable for tests and local experiments only.
 */
public class AllowAllSignatureTrustEngine implements SignatureTrustEngine {

    private final KeyInfoCredentialResolver resolver;

    /**
     * @param keyInfoResolver resolver reported by getKeyInfoResolver(); never consulted here
     */
    public AllowAllSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver) {
        resolver = keyInfoResolver;
    }

    /**
     * Accepts the raw signature regardless of content, algorithm, criteria or candidate credential.
     *
     * @return always true
     */
    public boolean validate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential) throws SecurityException {
        return true;
    }

    /**
     * Accepts the XML signature regardless of the trust criteria.
     *
     * @return always true
     */
    public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException {
        return true;
    }

    /** @return the resolver given to the constructor */
    public KeyInfoCredentialResolver getKeyInfoResolver() {
        return resolver;
    }

}
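/**
 * Class can be used to initialize new SSL/TLS connections with client/server authentication. Uses a static credential
 * for determining private key and certificate chain: every alias query yields the single constant alias (or null when
 * no credential was given), so the same key and chain are presented to every peer regardless of the key type,
 * issuers or socket the JSSE passes in. Arrays are copied on the way out so a caller cannot alter the chain or alias
 * list this manager presents.
 */
public class X509KeyManager implements javax.net.ssl.X509KeyManager {

    private static final String ALIAS_NAME = "constantAlias";
    private static final String[] ALIAS = new String[] { ALIAS_NAME };

    private final String[] aliases;
    private final String alias;
    private final PrivateKey privateKey;
    private final X509Certificate[] chain;

    /**
     * Credential used for authentication of the server/client.
     *
     * @param credential credential or null for manager returning always empty values
     */
    public X509KeyManager(X509Credential credential) {
        if (credential != null) {
            this.privateKey = credential.getPrivateKey();
            // toArray(new T[0]) sizes the array itself; avoids calling getEntityCertificateChain() twice.
            this.chain = credential.getEntityCertificateChain().toArray(new X509Certificate[0]);
            this.alias = ALIAS_NAME;
            this.aliases = ALIAS;
        } else {
            this.privateKey = null;
            this.chain = null;
            this.alias = null;
            this.aliases = null;
        }
    }

    /** Copy of an array, or null for null, so internal state is never exposed to callers. */
    private static String[] copyOf(String[] values) {
        return values == null ? null : values.clone();
    }

    /** @return the constant alias list (copy) or null when no credential was configured; arguments are ignored */
    public String[] getClientAliases(String s, Principal[] principals) {
        return copyOf(aliases);
    }

    /** @return the constant alias or null when no credential was configured; arguments are ignored */
    public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
        return alias;
    }

    /** @return the constant alias list (copy) or null when no credential was configured; arguments are ignored */
    public String[] getServerAliases(String s, Principal[] principals) {
        return copyOf(aliases);
    }

    /** @return the constant alias or null when no credential was configured; arguments are ignored */
    public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
        return alias;
    }

    /** @return a copy of the configured chain, or null when no credential was configured; the alias is ignored */
    public X509Certificate[] getCertificateChain(String s) {
        return chain == null ? null : chain.clone();
    }

    /** @return the configured private key, or null when no credential was configured; the alias is ignored */
    public PrivateKey getPrivateKey(String s) {
        return privateKey;
    }

}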
/**
 * Builds the TLS socket factory from the configured key manager, trusted keys and hostname
 * verification mode, then registers it with HTTP Client under protocolName/protocolPort.
 * Protocol.registerProtocol is a static call, so the registration is presumably shared by every
 * HTTP Client in the JVM rather than scoped to this bean — confirm against the HTTP Client version
 * in use. The hostname verification mode is the value given to setSslHostnameVerification.
 *
 * @throws Exception error
 */
@Override
public void afterPropertiesSet() throws Exception {
    ProtocolSocketFactory factory = new TLSProtocolSocketFactory(keyManager, trustedKeys, sslHostnameVerification);
    Protocol.registerProtocol(protocolName, new Protocol(protocolName, factory, protocolPort));
}
/**
 * Default port for protocol, 443 by default. Used as the default port of the Protocol registered in
 * afterPropertiesSet; must be set before the bean is initialized to take effect.
 *
 * @param protocolPort port
 */
public void setProtocolPort(int protocolPort) {
    this.protocolPort = protocolPort;
}
26 | * 27 | * @author Vladimir Schäfer 28 | */ 29 | public interface SAMLUserDetailsService { 30 | 31 | /** 32 | * The method is supposed to identify local account of user referenced by data in the SAML assertion 33 | * and return UserDetails object describing the user. In case the user has no local account, implementation 34 | * may decide to create one or just populate UserDetails object with data from assertion. 35 | *

/**
 * Default implementation of {@link org.opensaml.common.binding.decoding.URIComparator} used in {@link SAMLUtil#getEndpoint(List, String, InTransport)}.
 * Before delegating to BasicURLComparator the query string of the second URI is cut off, so the
 * comparison ignores query parameters on that side; this keeps the behaviour of
 * SAMLUtil.getEndpoint(List, String, InTransport) unchanged.
 */
public class DefaultURLComparator extends BasicURLComparator {

    /**
     * @param uri1 first URI, passed to the superclass as-is
     * @param uri2 second URI, passed without its query string; a null uri2 matches only a null uri1
     * @return result of BasicURLComparator.compare on the (trimmed) values
     */
    @Override
    public boolean compare(String uri1, String uri2) {
        if (uri2 == null) {
            return uri1 == null;
        }
        return super.compare(uri1, withoutQuery(uri2));
    }

    /** Part of the URI before the first '?', or the URI itself when it has no query string. */
    private static String withoutQuery(String uri) {
        int mark = uri.indexOf('?');
        return mark < 0 ? uri : uri.substring(0, mark);
    }
}
"License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * https://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | package org.springframework.security.saml.util; 16 | 17 | import org.apache.velocity.app.VelocityEngine; 18 | import org.apache.velocity.runtime.RuntimeConstants; 19 | 20 | /** 21 | * Factory class for creating VelocityEngine instance. 22 | * 23 | * @author Vladimir Schäfer 24 | */ 25 | public class VelocityFactory { 26 | 27 | public static VelocityEngine getEngine() { 28 | 29 | try { 30 | VelocityEngine velocityEngine = new VelocityEngine(); 31 | velocityEngine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); 32 | velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); 33 | velocityEngine.setProperty("classpath.resource.loader.class", "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); 34 | velocityEngine.init(); 35 | return velocityEngine; 36 | } catch (Exception e) { 37 | throw new RuntimeException("Error configuring velocity", e); 38 | } 39 | 40 | } 41 | 42 | } -------------------------------------------------------------------------------- /core/src/main/java/org/springframework/security/saml/websso/ArtifactResolutionProfile.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2010 Vladimir Schaefer 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
/**
 * Implementations must load referenced artifact using SAML artifact resolution protocol.
 */
public interface ArtifactResolutionProfile {

    /**
     * Implementation must resolve artifact with the given ID, locate endpoint usable for its resolution
     * and load referenced SAML message. The returned message comes from the resolution exchange, not
     * from the client that presented the artifact, so it is the message the caller should validate.
     *
     * @param context saml context with pre-populated local entity
     * @param artifactId artifact to resolve
     * @param endpointURI URI of the endpoint the message was sent to
     * @return message the artifact references
     * @throws MessageDecodingException in case message loading fails
     */
    SAMLObject resolveArtifact(SAMLMessageContext context, String artifactId, String endpointURI) throws MessageDecodingException;

}
/**
 * Entry point of the SP-initiated Web SSO flow: sends an authentication request built from the
 * given context and options.
 *
 * @author Vladimir Schäfer
 */
public interface WebSSOProfile {

    /**
     * Builds and sends an authentication request using the supplied context and options.
     * NOTE(review): the file imports SAMLMessageStorage but this interface does not take one;
     * whether the sent request is stored for later pairing with the response is left to the
     * implementation — confirm there.
     *
     * @param context context pre-populated by the caller
     * @param options options controlling how the request is built (see WebSSOProfileOptions)
     * @throws SAMLException when the request cannot be processed
     * @throws MetadataProviderException when required metadata cannot be obtained
     * @throws MessageEncodingException when the request cannot be encoded for the transport
     */
    void sendAuthenticationRequest(SAMLMessageContext context, WebSSOProfileOptions options) throws SAMLException, MetadataProviderException, MessageEncodingException;

}
/**
 * Consumer side of the Web SSO profile: turns an authentication response held in the context into
 * a SAMLCredential.
 *
 * @author Vladimir Schäfer
 */
public interface WebSSOProfileConsumer {

    /**
     * Processes the authentication response carried by the context and returns the resulting credential.
     * The declared exceptions indicate that implementations are expected to validate the response
     * (ValidationException), decrypt protected content (DecryptionException) and enforce security
     * checks (SecurityException) before returning; exactly which checks run is implementation-defined.
     *
     * @param context context holding the received response
     * @return credential describing the authenticated subject
     * @throws SAMLException when the response cannot be processed
     * @throws org.opensaml.xml.security.SecurityException when a security check rejects the response
     * @throws ValidationException when the response fails validation
     * @throws DecryptionException when encrypted content cannot be decrypted
     */
    SAMLCredential processAuthenticationResponse(SAMLMessageContext context) throws SAMLException, org.opensaml.xml.security.SecurityException, ValidationException, DecryptionException;

}
 */
package org.springframework.security.saml.websso;

import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.util.SAMLUtil;

/**
 * Holder-of-Key (HoK) variant of the Web SSO profile. It differs from the plain profile
 * only in endpoint selection: an endpoint is accepted solely when its binding attribute
 * is the SAML 2.0 HoK Web SSO profile URI, and the transport binding resolved for that
 * endpoint must then be HTTP-POST, HTTP-Artifact or HTTP-Redirect for single sign-on
 * endpoints, and HTTP-POST or HTTP-Artifact for assertion consumer endpoints. Everything
 * else (request construction, response processing) is inherited from the superclass.
 *
 * @author Vladimir Schafer
 */
public class WebSSOProfileHoKImpl extends WebSSOProfileImpl {

    /**
     * @return the HoK Web SSO profile URI, which is also the value an endpoint's binding
     *         attribute must carry to be used by this profile
     */
    @Override
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI;
    }

    /**
     * Accepts a single sign-on endpoint only when it is declared with the HoK profile URI
     * as its binding and its resolved transport binding is POST, Artifact or Redirect.
     *
     * @param endpoint candidate IDP endpoint from metadata
     * @return true when the endpoint can be used by this profile
     * @throws MetadataProviderException propagated from binding resolution
     */
    @Override
    protected boolean isEndpointSupported(SingleSignOnService endpoint) throws MetadataProviderException {

        // Only HoK endpoints are supported
        if (!SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(endpoint.getBinding())) {
            return false;
        }

        // For HoK endpoints the binding attribute names the profile, so the actual transport
        // binding is resolved separately — presumably from the endpoint's protocol binding
        // attribute; see SAMLUtil.getBindingForEndpoint.
        String binding = SAMLUtil.getBindingForEndpoint(endpoint);
        return org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI.equals(binding) ||
                org.opensaml.common.xml.SAMLConstants.SAML2_ARTIFACT_BINDING_URI.equals(binding) ||
                org.opensaml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(binding);

    }

    /**
     * Accepts an assertion consumer endpoint only when it is declared with the HoK profile
     * URI as its binding and its resolved transport binding is POST or Artifact. Note that,
     * unlike the single sign-on case, HTTP-Redirect is deliberately not accepted here.
     *
     * @param endpoint candidate local endpoint from metadata
     * @return true when the endpoint can be used by this profile
     * @throws MetadataProviderException propagated from binding resolution
     */
    @Override
    protected boolean isEndpointSupported(AssertionConsumerService endpoint) throws MetadataProviderException {

        // Only HoK endpoints are supported
        if (!SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(endpoint.getBinding())) {
            return false;
        }

        String binding = SAMLUtil.getBindingForEndpoint(endpoint);
        return org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI.equals(binding) ||
                org.opensaml.common.xml.SAMLConstants.SAML2_ARTIFACT_BINDING_URI.equals(binding);

    }

}
--------------------------------------------------------------------------------
/core/src/main/resources/liberty-paos-config.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/core/src/main/resources/schema/liberty-schema-paos-1.1.xsd:
--------------------------------------------------------------------------------
The source code in this XSD file was excerpted verbatim from:

Liberty Reverse HTTP Binding
Version 1.1
14th December 2004

Copyright (c) 2003-2005 Liberty Alliance participants, see
http://www.projectliberty.org/specs/idws f_1_1_copyrights.php
--------------------------------------------------------------------------------
/core/src/test/java/org/opensaml/common/BootstrapHelper.java:
--------------------------------------------------------------------------------
/*
 * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | package org.opensaml.common; 18 | 19 | import org.opensaml.DefaultBootstrap; 20 | import org.opensaml.PaosBootstrap; 21 | import org.opensaml.xml.ConfigurationException; 22 | 23 | /** 24 | * Extension to the default bootstrap process which sets up configuration for testing 25 | * purposes. 26 | */ 27 | public class BootstrapHelper extends DefaultBootstrap { 28 | 29 | /** List of XMLTooling configuration files with any needed test configuration. */ 30 | private static String[] testConfigs = { }; 31 | 32 | /** {@inheritDoc} */ 33 | public static synchronized void bootstrap() throws ConfigurationException { 34 | PaosBootstrap.bootstrap(); 35 | 36 | initializeXMLTooling(testConfigs); 37 | } 38 | 39 | } 40 | -------------------------------------------------------------------------------- /core/src/test/java/org/opensaml/liberty/binding/decoding/HTTPPAOS11DecoderTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2010 Jonathan Tellier 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /** 18 | * Test case for {@link HTTPPAOS11Decoder}. Note that only the few functionalities added 19 | * on top of {@link HTTPSOAP11Decoder} are tested. 
 */
package org.opensaml.liberty.binding.decoding;

import javax.xml.namespace.QName;

import org.opensaml.common.BaseTestCase;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.SecurityException;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.saml.context.SAMLMessageContext;

/**
 * Tests for the PAOS-specific additions of {@link HTTPPAOS11Decoder}: that the
 * {@code paos:Response} SOAP header is declared as understood, and that the RelayState
 * carried in that header is copied into the message context. (The javadoc block above
 * the package statement is not attached to this class by javadoc.)
 */
public class HTTPPAOS11DecoderTest extends BaseTestCase {

    private HTTPPAOS11Decoder decoder;
    private SAMLMessageContext messageContext;
    private MockHttpServletRequest httpRequest;

    // RelayState value embedded in the SOAP message and expected back from the context.
    private String expectedRelayState;

    /** Builds a POST mock request, wraps it as the inbound transport and creates the decoder under test. */
    protected void setUp() throws Exception {
        super.setUp();

        expectedRelayState = "df558a";

        httpRequest = new MockHttpServletRequest();
        httpRequest.setMethod("POST");

        messageContext = new SAMLMessageContext();
        messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(httpRequest));

        decoder = new HTTPPAOS11Decoder();
    }

    /**
     * The decoder must list paos:Response among its understood headers; otherwise a
     * mustUnderstand="1" header of that name would make the SOAP message undecodable.
     */
    public void testUnderstandsPaosResponseHeader() {
        QName paosResponseHeader = new QName(SAMLConstants.PAOS_NS, "Response",
                SAMLConstants.PAOS_PREFIX);

        assertTrue("The PAOS Decoder does not understand paos:Response header",
                decoder.getUnderstoodHeaders().contains(paosResponseHeader));
    }

    /**
     * Decodes a SOAP envelope whose PAOS header carries the RelayState and checks that the
     * value ends up in the message context.
     *
     * @throws MessageDecodingException decoding failure
     * @throws SecurityException        security policy failure
     */
    public void testRelayState() throws MessageDecodingException, SecurityException {
        // NOTE(review): the XML markup of this literal is not visible in this listing (the
        // tags were stripped on rendering); only the string fragments around the RelayState
        // value survive. The original presumably builds a full SOAP envelope with a
        // paos:Response header containing the RelayState — check against the source file.
        String soapMessage =
                " " +
                " " +
                "" + expectedRelayState +
                "" +
                " " +
                " " +
                " " +
                "" +
                "";

        // NOTE(review): getBytes() uses the platform default charset; a UTF-8 explicit
        // encoding would make the test independent of the JVM's file.encoding.
        httpRequest.setContent(soapMessage.getBytes());

        decoder.decode(messageContext);

        assertEquals("The messageContext does not have the correct RelayState",
                expectedRelayState,
                messageContext.getRelayState());
    }

}
--------------------------------------------------------------------------------
/core/src/test/java/org/opensaml/liberty/paos/impl/ResponseTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2011 Jonathan Tellier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.liberty.paos.impl;

import org.opensaml.common.BaseSAMLObjectProviderTestCase;
import org.opensaml.liberty.paos.Response;

/**
 * Test case for creating, marshalling, and unmarshalling {@link Response}.
 * The expected DOM fixtures are the two classpath resources named in the constructor;
 * the base class loads them into {@code expectedDOM} / {@code expectedOptionalAttributesDOM}.
 */
public class ResponseTest extends BaseSAMLObjectProviderTestCase {

    // Required SOAP header attributes every paos:Response must carry.
    private String expectedSOAP11Actor;
    private Boolean expectedSOAP11MustUnderstand;
    // Optional attribute exercised by the "optional attributes" fixture only.
    private String expectedRefToMessageID;

    /** Points the base class at the single-element and optional-attributes XML fixtures. */
    public ResponseTest() {
        singleElementFile = "/org/opensaml/liberty/paos/impl/Response.xml";
        singleElementOptionalAttributesFile =
                "/org/opensaml/liberty/paos/impl/ResponseOptionalAttributes.xml";
    }

    /** Sets the attribute values that the fixtures are expected to contain. */
    protected void setUp() throws Exception {
        super.setUp();

        expectedSOAP11Actor = "http://schemas.xmlsoap.org/soap/actor/next";
        expectedSOAP11MustUnderstand = true;
        expectedRefToMessageID = "6c3a4f8b9c2d";
    }

    /** Marshalling a Response with only the required attributes must match the single-element fixture. */
    @Override
    public void testSingleElementMarshall() {
        Response response = getResponseWithRequiredAttributes();

        assertEquals(expectedDOM, response);
    }

    /** Marshalling with refToMessageID set as well must match the optional-attributes fixture. */
    @Override
    public void testSingleElementOptionalAttributesMarshall() {
        Response response = getResponseWithRequiredAttributes();

        response.setRefToMessageID(expectedRefToMessageID);

        assertEquals(expectedOptionalAttributesDOM, response);
    }

    /** Builds a Response via the configured builder and sets the two required SOAP attributes. */
    private Response getResponseWithRequiredAttributes() {
        Response response = (Response) buildXMLObject(Response.DEFAULT_ELEMENT_NAME);

        response.setSOAP11Actor(expectedSOAP11Actor);
        response.setSOAP11MustUnderstand(expectedSOAP11MustUnderstand);
        return response;
    }

    /** Unmarshalling the single-element fixture must yield the required attribute values. */
    @Override
    public void testSingleElementUnmarshall() {
        Response response = (Response) unmarshallElement(singleElementFile);

        testResponseRequiredElements(response);
    }

    /** Unmarshalling the optional-attributes fixture must additionally yield refToMessageID. */
    @Override
    public void testSingleElementOptionalAttributesUnmarshall() {
        Response response = (Response) unmarshallElement(singleElementOptionalAttributesFile);

        testResponseRequiredElements(response);

        assertEquals("refToMessageID had unexpected value", expectedRefToMessageID,
                response.getRefToMessageID());
    }

    /** Shared assertions for the attributes that both fixtures must carry. */
    private void testResponseRequiredElements(Response response) {
        assertNotNull(response);

        assertEquals("SOAP mustUnderstand had unexpected value",
                expectedSOAP11MustUnderstand, response.isSOAP11MustUnderstand());
        assertEquals("SOAP actor had unexpected value",
                expectedSOAP11Actor, response.getSOAP11Actor());
    }
}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/providers/ExpiringUsernameAuthenticationTokenTest.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.providers;

import org.joda.time.DateTime;
import org.junit.Test;
import org.springframework.security.core.GrantedAuthority;

import java.util.Date;
import java.util.LinkedList;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

/**
 * Test for the ExpiringUsernameAuthenticationToken.
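 * The token's authenticated state is tied to its expiration instant, so the cases are:
 * no expiration, expiration in the future, expiration crossed while the token is held,
 * and the two-argument constructor which is never authenticated.
 *
 * @author Vladimir Schäfer
 */
public class ExpiringUsernameAuthenticationTokenTest {

    /**
     * Verifies that in case expiration date is not set the token is valid.
     *
     * @throws Exception error
     */
    @Test
    public void testExpirationNull() throws Exception {
        ExpiringUsernameAuthenticationToken t = new ExpiringUsernameAuthenticationToken(null, null, null, new LinkedList());
        assertTrue(t.isAuthenticated());
    }

    /**
     * Verifies that in case expiration date is set to the future the token is valid.
     *
     * @throws Exception error
     */
    @Test
    public void testExpirationFuture() throws Exception {
        Date future = new DateTime().plusHours(2).toDate();
        ExpiringUsernameAuthenticationToken t = new ExpiringUsernameAuthenticationToken(future, null, null, new LinkedList());
        assertTrue(t.isAuthenticated());
    }

    /**
     * Verifies that token changes from valid to invalid when time passes over the change point.
     *
     * @throws Exception error
     */
    @Test
    public void testExpirationFutureChange() throws Exception {
        Date future = new DateTime().plusMillis(1000).toDate();
        ExpiringUsernameAuthenticationToken t = new ExpiringUsernameAuthenticationToken(future, null, null, new LinkedList());
        assertTrue(t.isAuthenticated());
        // A single wait(1000) can return early on a spurious wake-up, and the expiry is
        // compared against the wall clock, so poll until the expiration instant is
        // strictly in the past before asserting.
        while (System.currentTimeMillis() <= future.getTime()) {
            Thread.sleep(50);
        }
        assertFalse(t.isAuthenticated());
    }

    /**
     * Verifies that constructor without expiration is always non authenticated.
     *
     * @throws Exception error
     */
    @Test
    public void testNonAuthenticatedToken() throws Exception {
        ExpiringUsernameAuthenticationToken t = new ExpiringUsernameAuthenticationToken(null, null);
        assertFalse(t.isAuthenticated());
    }
}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/saml/SAMLAuthenticationTokenTest.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.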
14 | */ 15 | package org.springframework.security.saml; 16 | 17 | import org.junit.Before; 18 | import org.junit.Test; 19 | import org.springframework.security.saml.context.SAMLMessageContext; 20 | import org.springframework.security.saml.storage.SAMLMessageStorage; 21 | 22 | import static junit.framework.Assert.assertEquals; 23 | import static org.easymock.EasyMock.createMock; 24 | import static org.junit.Assert.assertNull; 25 | 26 | /** 27 | * @author Vladimir Sch�fer 28 | */ 29 | public class SAMLAuthenticationTokenTest { 30 | 31 | SAMLAuthenticationToken token; 32 | SAMLMessageContext context; 33 | SAMLMessageStorage storage; 34 | 35 | @Before 36 | public void initialize() { 37 | context = new SAMLMessageContext(); 38 | storage = createMock(SAMLMessageStorage.class); 39 | token = new SAMLAuthenticationToken(context); 40 | } 41 | 42 | @Test 43 | public void testInitial() { 44 | assertEquals(context, token.getCredentials()); 45 | assertNull(token.getPrincipal()); 46 | } 47 | 48 | /** 49 | * Verifies that the token can't be set as authenticated. 50 | */ 51 | @Test(expected = IllegalArgumentException.class) 52 | public void testSetAuthenticated() { 53 | token.setAuthenticated(true); 54 | } 55 | 56 | /** 57 | * Verifies that the token can't be created without context. 58 | */ 59 | @Test(expected = IllegalArgumentException.class) 60 | public void testCreateWithoutContext() { 61 | token = new SAMLAuthenticationToken(null); 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /core/src/test/java/org/springframework/security/saml/SAMLLogoutFilterTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2002-2015 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

import static org.junit.Assert.*;

import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

/**
 * Tests for {@link SAMLLogoutFilter}: both constructors leave a non-null filter
 * processing URL, and requiresLogout() is checked against a bare mock request.
 *
 * @author Rob Winch
 */
public class SAMLLogoutFilterTest {
    SAMLLogoutFilter filter;

    MockHttpServletRequest request;
    MockHttpServletResponse response;

    // Same handler array is used for both the local and the global logout handler parameters.
    private LogoutHandler[] handlers;

    @Before
    public void setup() {
        request = new MockHttpServletRequest();
        response = new MockHttpServletResponse();
        handlers = new LogoutHandler[] { new SecurityContextLogoutHandler() };
        filter = new SAMLLogoutFilter("/logout", handlers, handlers);
    }

    /**
     * Without a matching URI the filter must not trigger; with the URI set to the
     * processing URL it still returns false here — presumably because the mock request
     * carries no authenticated security context, so there is nothing to log out.
     * TODO confirm against SAMLLogoutFilter.requiresLogout.
     */
    @Test
    public void requiresLogout() {
        assertEquals(false, filter.requiresLogout(request, response));

        request.setRequestURI("/logout");

        assertEquals(false, filter.requiresLogout(request, response));
    }

    @Test
    public void constructorStringLogoutHandlersLogoutHandlersNotNullFilterProcessUrl() {
        assertNotNull(filter.getFilterProcessesUrl());
    }

    /** The success-handler constructor must fall back to a default processing URL. */
    @Test
    public void constructorLogoutSuccessHandlerLogoutHandlersLogoutHandlersNotNullFilterProcessUrl() {
        filter = new SAMLLogoutFilter(new SimpleUrlLogoutSuccessHandler(), handlers, handlers);
        assertNotNull(filter.getFilterProcessesUrl());
    }
}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/saml/SAMLLogoutProcessingFilterTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | package org.springframework.security.saml; 17 | 18 | import static org.junit.Assert.*; 19 | 20 | import org.junit.Before; 21 | import org.junit.Test; 22 | import org.springframework.security.web.authentication.logout.LogoutHandler; 23 | import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; 24 | import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler; 25 | 26 | /** 27 | * @author Rob Winch 28 | */ 29 | public class SAMLLogoutProcessingFilterTest { 30 | SAMLLogoutProcessingFilter filter; 31 | 32 | LogoutHandler[] logoutHandlers; 33 | 34 | @Before 35 | public void setup() { 36 | logoutHandlers = new LogoutHandler[] { new SecurityContextLogoutHandler() }; 37 | } 38 | 39 | @Test 40 | public void constructorStringLogoutHanldersNotNullFilterProcessUrl() { 41 | filter = new SAMLLogoutProcessingFilter("/", logoutHandlers); 42 | 43 | assertNotNull(filter.getFilterProcessesUrl()); 44 | } 45 | 46 | @Test 47 | public void constructorLogoutSuccessHandlerLogoutHanldersNotNullFilterProcessUrl() { 48 | filter = new SAMLLogoutProcessingFilter(new SimpleUrlLogoutSuccessHandler(), logoutHandlers); 49 | 50 | assertNotNull(filter.getFilterProcessesUrl()); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /core/src/test/java/org/springframework/security/saml/SAMLRelayStateSuccessHandlerTest.java: -------------------------------------------------------------------------------- 1 | /* Copyright 2009 Vladimir Schäfer 2 | * 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

import org.junit.Before;
import org.junit.Test;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.impl.AssertionBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.RedirectStrategy;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Collections;
import java.util.List;

import static org.easymock.EasyMock.*;

/**
 * Tests for {@link SAMLRelayStateSuccessHandler}. The handler is exercised with a
 * credential whose RelayState is a plain string and a mocked RedirectStrategy, so the
 * test only checks that the RelayState is handed to the strategy unchanged; it does not
 * exercise any validation of that value as a redirect target.
 *
 * @author Michael Beauregard
 */
public class SAMLRelayStateSuccessHandlerTest {

    SAMLRelayStateSuccessHandler successHandler;
    Authentication authentication;
    SAMLCredential credential;
    HttpServletRequest request;
    HttpServletResponse response;
    RedirectStrategy redirectStrategy;

    /** Builds mocks for request, response, authentication and redirect strategy, plus a minimal credential. */
    @Before
    public void initialize() throws Exception {
        request = createMock(HttpServletRequest.class);
        response = createMock(HttpServletResponse.class);

        authentication = createMock(Authentication.class);

        // NameID and Assertion are built with placeholder namespace/name/prefix; only the
        // RelayState argument matters for this test.
        NameIDBuilder nameIDBuilder = new NameIDBuilder();
        AssertionBuilder assertionBuilder = new AssertionBuilder();
        List attrs = Collections.emptyList();

        credential = new SAMLCredential(
                nameIDBuilder.buildObject("uri:the-namespace", "localName", "prefix"),
                assertionBuilder.buildObject("uri:the-namespace",
                        "localName", "prefix"),
                "remoteEntityID", "relayState", attrs, "localEntityID");

        redirectStrategy = createMock(RedirectStrategy.class);

        successHandler = new SAMLRelayStateSuccessHandler();
        successHandler.setRedirectStrategy(redirectStrategy);
    }

    /**
     * Verifies that the success handler interprets the RelayState in the SAMLCredential
     * as a redirect URL: the strategy must be invoked exactly once with that value.
     * @throws Exception -
     */
    @Test
    public void testSuccessWithSAMLCredential() throws Exception {
        expect(authentication.getCredentials()).andReturn(credential);
        redirectStrategy.sendRedirect(request, response, credential.getRelayState());
        expectLastCall();

        replayMock();
        successHandler.onAuthenticationSuccess(request, response, authentication);
        verifyMock();
    }

    /** Switches every mock from record to replay state. */
    private void replayMock() {
        replay(request);
        replay(response);
        replay(authentication);
        replay(redirectStrategy);
    }

    /** Verifies that every recorded expectation was met. */
    private void verifyMock() {
        verify(request);
        verify(response);
        verify(authentication);
        verify(redirectStrategy);
    }
}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/saml/SAMLTestHelper.java:
--------------------------------------------------------------------------------
/* Copyright 2013 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
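 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObjectBuilderFactory;

import javax.servlet.http.HttpServletRequest;

import static org.easymock.EasyMock.expect;

/**
 * Helper for SAML tests: records the EasyMock request expectations that context
 * population needs, and lazily bootstraps OpenSAML to obtain a builder factory.
 */
public class SAMLTestHelper {

    // Lazily initialized by getBuilderFactory(); bootstrap runs once per JVM.
    private static XMLObjectBuilderFactory builderFactory;

    /**
     * Helper method for setting of request parameters for local context population.
     * The request must be an EasyMock mock in record state; the recorded values describe
     * a plain (non-TLS, no client certificate) request at the given URI.
     *
     * @param request       mocked request in record state
     * @param requestURI    value to return from getRequestURI()
     * @param localEntityId value to return for the LOCAL_ENTITY_ID request attribute
     */
    public static void setLocalContextParameters(HttpServletRequest request, String requestURI, String localEntityId) {
        expect(request.isSecure()).andReturn(false);
        expect(request.getContextPath()).andReturn("");
        // Void call on a mock in record state: records the expectation that the context
        // provider sets this attribute.
        request.setAttribute(SAMLConstants.LOCAL_CONTEXT_PATH, "");
        expect(request.getRequestURI()).andReturn(requestURI);
        expect(request.getAttribute(SAMLConstants.LOCAL_ENTITY_ID)).andReturn(localEntityId);
        // No client certificate presented.
        expect(request.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null);
    }

    /**
     * Helper method for setting of request parameters for peer context population.
     *
     * @param request      mocked request in record state
     * @param idpParameter value to return for the IDP selection request parameter
     * @param peerEntityId value to return for the PEER_ENTITY_ID request attribute
     */
    public static void setPeerContextParameters(HttpServletRequest request, String idpParameter, String peerEntityId) {
        expect(request.getAttribute(SAMLConstants.PEER_ENTITY_ID)).andReturn(peerEntityId);
        expect(request.getParameter(SAMLEntryPoint.IDP_PARAMETER)).andReturn(idpParameter);
    }

    /**
     * Helper method providing factory for construction of SAML messages. Runs the OpenSAML
     * default bootstrap on first use.
     *
     * @return builder factory
     * @throws RuntimeException when OpenSAML bootstrap fails; the ConfigurationException is
     *                          attached as the cause
     */
    public static XMLObjectBuilderFactory getBuilderFactory() {
        if (builderFactory == null) {
            try {
                DefaultBootstrap.bootstrap();
            } catch (ConfigurationException e) {
                // Keep the original exception as cause so the bootstrap failure is diagnosable.
                throw new RuntimeException("Error creating builder factory", e);
            }
            builderFactory = Configuration.getBuilderFactory();
        }
        return builderFactory;
    }

}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/saml/key/JKSKeyManagerTest.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schafer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml.key;

import org.junit.Before;
import org.junit.Test;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;

import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

/**
 * Verifies that the keyStore class can be initialized and is able to return keys from
 * the keystore which contains one key aliased "apollo".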
 * The key manager is obtained from a Spring XML context named after this test class.
 *
 * @author Vladimir Schafer
 */
public class JKSKeyManagerTest {

    private ApplicationContext context;
    private JKSKeyManager keyManager;

    /**
     * Loads the test context from the classpath resource matching this class's name
     * (e.g. .../key/JKSKeyManagerTest.xml) and fetches the "keyManager" bean.
     * NOTE(review): the ClassPathXmlApplicationContext is never closed after the test.
     */
    @Before
    public void init() {
        String resName = "/" + getClass().getName().replace('.', '/') + ".xml";
        context = new ClassPathXmlApplicationContext(resName);
        keyManager = (JKSKeyManager) context.getBean("keyManager");
    }

    /**
     * Verifies that the keystore can be loaded.
     */
    @Test
    public void testGetKeystore() {
        assertNotNull(keyManager.getKeyStore());
    }

    /**
     * Verifies that the keys can be retrieved from the store.
     */
    @Test
    public void testGetKey() {
        assertNotNull(keyManager.getPublicKey("apollo"));
    }

    /**
     * Verifies that error during initialization leads to runtime exception: a null
     * keystore resource with the given password must fail fast rather than produce an
     * empty key manager.
     */
    @Test(expected = RuntimeException.class)
    public void testInitialize() {
        new JKSKeyManager(null, "xxx", null, null);
    }

    /**
     * Verifies that invalid key names (empty or null) return null instead of throwing.
     */
    @Test
    public void testGetEmptyKey() {
        assertNull(keyManager.getPublicKey(""));
        assertNull(keyManager.getPublicKey(null));
    }

    /**
     * Verifies that non existing keys return null.
     */
    @Test
    public void testGetKeyNonExistent() {
        assertNull(keyManager.getPublicKey("apollo111"));
    }

    /**
     * Verifies that the certificate can be retrieved.
     */
    @Test
    public void testGetCertificate() {
        assertNotNull(keyManager.getCertificate("apollo"));
    }

    /**
     * Verifies that attempt to load nonexistent certificate will return null.
     */
    @Test
    public void testGetCertificateNonExistent() {
        assertNull(keyManager.getCertificate("apollo13"));
    }
}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/saml/metadata/TestingFilesystemMetadataProvider.java:
--------------------------------------------------------------------------------
package org.springframework.security.saml.metadata;

import org.joda.time.DateTime;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;

import java.io.File;
import java.util.Timer;

/**
 * Provider which constantly refreshes itself. It does so by always reporting that no
 * refresh has happened yet (getLastRefresh() returns null) — presumably so the
 * surrounding metadata manager treats it as stale on every check; test use only.
 */
public class TestingFilesystemMetadataProvider extends FilesystemMetadataProvider {

    /**
     * @param metadata metadata file to load
     * @throws MetadataProviderException propagated from the superclass
     */
    public TestingFilesystemMetadataProvider(File metadata) throws MetadataProviderException {
        super(metadata);
    }

    /**
     * @param backgroundTaskTimer timer used by the superclass for background refresh
     * @param metadata            metadata file to load
     * @throws MetadataProviderException propagated from the superclass
     */
    public TestingFilesystemMetadataProvider(Timer backgroundTaskTimer, File metadata) throws MetadataProviderException {
        super(backgroundTaskTimer, metadata);
    }

    /** Always null, i.e. never reports a completed refresh. */
    @Override
    public DateTime getLastRefresh() {
        return null;
    }

}
--------------------------------------------------------------------------------
/core/src/test/java/org/springframework/security/saml/storage/StorageFactoryTestImpl.java:
--------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schafer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
5 | * You may obtain a copy of the License at 6 | * 7 | * https://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */
package org.springframework.security.saml.storage;

import javax.servlet.http.HttpServletRequest;

/**
 * Storage factory used for testing.
 * Hands out one fixed SAMLMessageStorage instance for every request instead of
 * deriving the storage from the request, so a test can inject a storage and
 * inspect it afterwards.
 */
public class StorageFactoryTestImpl implements SAMLMessageStorageFactory {

    // Shared by every caller; the request passed to getMessageStorage is ignored.
    SAMLMessageStorage storage;

    /**
     * @param storage the storage instance returned for every request
     */
    public StorageFactoryTestImpl(SAMLMessageStorage storage) {
        this.storage = storage;
    }

    /**
     * Returns the storage supplied at construction regardless of the request.
     * Test-only behaviour: because nothing is scoped to the caller, all
     * requests see the same messages. A production factory is presumably
     * expected to tie storage to the caller's session — NOTE(review): do not
     * reuse this class outside tests.
     */
    public SAMLMessageStorage getMessageStorage(HttpServletRequest request) {
        return storage;
    }

}
-------------------------------------------------------------------------------- /core/src/test/java/org/springframework/security/saml/trust/UntrustedCertificateExceptionTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012 Vladimir Schaefer 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */
package org.springframework.security.saml.trust;

import org.junit.Before;
import org.junit.Test;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.key.KeyManager;

import java.security.cert.X509Certificate;

import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

/**
 * Test for untrusted certificate exception.
 * Checks that the exception message identifies the offending certificate and
 * that building the message tolerates missing or empty certificate chains.
 */
public class UntrustedCertificateExceptionTest {

    ApplicationContext context;
    KeyManager keyManager;

    /**
     * Builds the Spring context from the XML resource named after this test class
     * (class name with dots replaced by slashes, plus ".xml", on the classpath)
     * and fetches the "keyManager" bean from it.
     */
    @Before
    public void init() {
        String resName = "/" + getClass().getName().replace('.', '/') + ".xml";
        context = new ClassPathXmlApplicationContext(resName);
        keyManager = context.getBean("keyManager", KeyManager.class);
    }

    /**
     * Verifies that exception can produce a message about untrusted certificate.
     * The expected substring is a 20-byte colon-separated hex fingerprint, which
     * looks like the SHA-1 thumbprint of the "apollo" certificate — confirm
     * against UntrustedCertificateException, and expect this value to change if
     * the test keystore is ever regenerated.
     */
    @Test
    public void testExceptionGetMessage() {
        X509Certificate certificate = keyManager.getCertificate("apollo");
        UntrustedCertificateException exception = new UntrustedCertificateException("Error in cert", new X509Certificate[]{certificate});
        String message = exception.getMessage();
        assertTrue(message.contains("cf:f4:0a:3f:fb:4e:32:a0:4e:65:9d:65:78:d7:45:46:a8:6a:92:32"));
    }

    /**
     * Verifies that message can handle null certificates.
     * A null chain must still yield a non-null message rather than an NPE.
     */
    @Test
    public void testExceptionNullCert(){
        UntrustedCertificateException exception = new UntrustedCertificateException("Error in cert", null);
        String message = exception.getMessage();
        assertNotNull(message);
    }

    /**
     * Verifies that message can handle empty certificates.
     * An empty chain must still yield a non-null message.
     */
    @Test
    public void testExceptionEmptyCert(){
        UntrustedCertificateException exception = new UntrustedCertificateException("Error in cert", new X509Certificate[0]);
        String message = exception.getMessage();
        assertNotNull(message);
    }

}
-------------------------------------------------------------------------------- /core/src/test/java/org/springframework/security/saml/util/SAMLUtilTest.java: --------------------------------------------------------------------------------
package org.springframework.security.saml.util;

import org.joda.time.DateTime;
import org.junit.Test;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;

/**
 * Tests for SAMLUtil class.
 */
public class SAMLUtilTest {

    /**
     * Verifies that values are correctly cleaned to conform with NCName type.
     * As exercised below: null passes through, characters that are not valid in
     * an NCName (':', '/', '#', '=', '$', '&', '^', '%') and a leading '-' are
     * each replaced by '_', while '.' and alphanumerics are kept.
     */
    @Test
    public void testNCNameClean() {
        assertNull(SAMLUtil.getNCNameString(null));
        assertEquals("", SAMLUtil.getNCNameString(""));
        assertEquals("_", SAMLUtil.getNCNameString("-"));
        assertEquals("_http___test_8080_context_xyz__3", SAMLUtil.getNCNameString("-http://test:8080/context#xyz=$3"));
        assertEquals("urn_xyz_test", SAMLUtil.getNCNameString("urn:xyz:test"));
        assertEquals("test.user", SAMLUtil.getNCNameString("test.user"));
        assertEquals("test___2", SAMLUtil.getNCNameString("test&^%2"));
    }

    /**
     * A forward interval of Integer.MAX_VALUE is the largest value still accepted.
     * The first argument (60) is presumably the permitted clock skew in seconds —
     * confirm in SAMLUtil.isDateTimeSkewValid.
     */
    @Test
    public void isDateTimeSkewShouldReturnTrueForMaxIntegerForwardInterval() {
        assertTrue(SAMLUtil.isDateTimeSkewValid(60, Integer.MAX_VALUE, new DateTime()));
    }

    /**
     * A forward interval of zero is accepted.
     */
    @Test
    public void isDateTimeSkewShouldReturnTrueForZeroForwardInterval() {
        assertTrue(SAMLUtil.isDateTimeSkewValid(60, 0, new DateTime()));
    }

    /**
     * A forward interval that no longer fits into an int (Integer.MAX_VALUE + 1,
     * forced to long) is rejected with IllegalArgumentException.
     */
    @Test(expected = IllegalArgumentException.class)
    public void isDateTimeSkewShouldThrowErrorForForwardIntervalHigherThanInteger() {
        SAMLUtil.isDateTimeSkewValid(60, Integer.MAX_VALUE+1L, new DateTime());
    }

    /**
     * A negative forward interval is rejected with IllegalArgumentException.
     */
    @Test(expected = IllegalArgumentException.class)
    public void isDateTimeSkewShouldThrowErrorForForwardIntervalLessThanZero() {
        SAMLUtil.isDateTimeSkewValid(60, -1, new DateTime());
    }
}
-------------------------------------------------------------------------------- /core/src/test/java/org/springframework/security/saml/websso/ArtifactResolutionProfileImplTest.java: --------------------------------------------------------------------------------
/* Copyright 2009 Vladimir Schäfer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml.websso;

import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.URI;
import org.junit.Test;

import static org.junit.Assert.*;

/**
 * Tests for the HttpClient host configuration built by ArtifactResolutionProfileImpl.
 *
 * @author Vladimir Schäfer
 */
public class ArtifactResolutionProfileImplTest {

    /**
     * Verifies that hostConfiguration can be loaded when HttpClient has no defaults.
     * The host of the returned configuration must come from the supplied URI.
     */
    @Test
    public void testHostConfigurationNoDefaults() throws Exception {
        HttpClient client = new HttpClient();
        ArtifactResolutionProfileImpl artifactResolutionProfile = new ArtifactResolutionProfileImpl(client);
        URI uri = new URI("http", "test", "/artifact", null);
        HostConfiguration hostConfiguration = artifactResolutionProfile.getHostConfiguration(uri, null);
        assertNotNull(hostConfiguration);
        assertEquals("test", hostConfiguration.getHost());
    }

    /**
     * Verifies that hostConfiguration is correctly cloned when HttpClient contains defaults.
     * Proxy settings and parameters from the client's default configuration must be
     * carried over, and the returned object must not alias the default one.
     */
    @Test
    public void testHostConfigurationWithDefaults() throws Exception {

        // Client object with default settings
        HttpClient client = new HttpClient();
        HostConfiguration defaultConfiguration = new HostConfiguration();
        defaultConfiguration.setProxy("testProxy", 8000);
        defaultConfiguration.getParams().setParameter("testParam", "testValue");
        client.setHostConfiguration(defaultConfiguration);

        ArtifactResolutionProfileImpl artifactResolutionProfile = new ArtifactResolutionProfileImpl(client);
        URI uri = new URI("http", "test", "/artifact", null);
        HostConfiguration hostConfiguration = artifactResolutionProfile.getHostConfiguration(uri, null);

        // Verify that settings were cloned
        assertNotNull(hostConfiguration);
        assertEquals("test", hostConfiguration.getHost());
        assertEquals("testProxy", hostConfiguration.getProxyHost());
        assertEquals(8000, hostConfiguration.getProxyPort());
        assertEquals("testValue", hostConfiguration.getParams().getParameter("testParam"));

        // Make sure default object and newly created configuration are independent
        defaultConfiguration.setProxyHost(null);
        assertEquals("testProxy", hostConfiguration.getProxyHost());
        assertEquals(8000, hostConfiguration.getProxyPort());

    }

    /**
     * Verifies that hostname verification is supported with the supplied libraries.
     * Only the capability flag is asserted; whether verification is actually applied
     * to artifact resolution connections is not covered by this test.
     */
    @Test
    public void testHostnameVerificationSupported() {
        HttpClient client = new HttpClient();
        ArtifactResolutionProfileImpl artifactResolutionProfile = new ArtifactResolutionProfileImpl(client);
        assertTrue(artifactResolutionProfile.isHostnameVerificationSupported());
    }

}
-------------------------------------------------------------------------------- /core/src/test/resources/log4j.properties: -------------------------------------------------------------------------------- 1 | log4j.rootCategory=INFO, CONSOLE 2 | 3 | # CONSOLE is set to be a ConsoleAppender using a PatternLayout. 4 | log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender 5 | log4j.appender.CONSOLE.Threshold=DEBUG 6 | log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout 7 | log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n -------------------------------------------------------------------------------- /core/src/test/resources/org/opensaml/liberty/paos/impl/Request.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /core/src/test/resources/org/opensaml/liberty/paos/impl/RequestOptionalAttributes.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /core/src/test/resources/org/opensaml/liberty/paos/impl/Response.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | -------------------------------------------------------------------------------- /core/src/test/resources/org/opensaml/liberty/paos/impl/ResponseOptionalAttributes.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 
-------------------------------------------------------------------------------- /core/src/test/resources/org/springframework/security/saml/key/JKSKeyManagerTest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /core/src/test/resources/org/springframework/security/saml/key/keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/core/src/test/resources/org/springframework/security/saml/key/keystore.jks -------------------------------------------------------------------------------- /core/src/test/resources/org/springframework/security/saml/metadata/MetadataManagerSignaturesTest.xml: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /core/src/test/resources/org/springframework/security/saml/trust/UntrustedCertificateExceptionTest.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /core/src/test/resources/testIDP.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 12 | urn:oasis:names:tc:SAML:2.0:nameid-format:transient 13 | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 14 | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 15 
| 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /core/src/test/resources/testIDPNoSSOBinding.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh 9 | bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w 10 | ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw 11 | CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK 12 | BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B 13 | AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+ 14 | RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY 15 | Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U 16 | QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA 17 | cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC 18 | /FfwWigmrW0Y0Q== 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 31 | urn:oasis:names:tc:SAML:2.0:nameid-format:transient 32 | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 33 | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /core/src/test/resources/testSP2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly 7 | LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx 8 | FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN 9 | MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu 10 | 
c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV 11 | MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN 12 | BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb 13 | uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1 14 | qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF 15 | AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF 16 | njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH 17 | STdzW1akQ9dX2Et/8TiJe6SHuQ== 18 | 19 | 20 | 21 | 22 | 23 | 24 | MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly 25 | LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx 26 | FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN 27 | MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu 28 | c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV 29 | MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN 30 | BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb 31 | uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1 32 | qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF 33 | AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF 34 | njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH 35 | STdzW1akQ9dX2Et/8TiJe6SHuQ== 36 | 37 | 38 | 39 | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 40 | urn:oasis:names:tc:SAML:2.0:nameid-format:transient 41 | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 42 | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 43 | urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 44 | 45 | 46 | -------------------------------------------------------------------------------- 
/core/src/test/resources/testSPMissingDescriptor.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /docs/reference/docbook/index.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | Spring Security SAML Extension 7 | Reference Documentation 8 | 9 | 10 | Vladimír Schäfer 11 | 12 | 13 | Spring Security SAML Extension 14 | 15 | 2009-2014 16 | Vladimír Schäfer 17 | 18 | ${version} 19 | 20 | 21 | 22 | 23 | Getting Started 24 | 25 | This chapter provides the essential information needed to enable your application to act as 26 | a service provider and interact with identity providers using the SAML 2.0 protocol. Later in this 27 | guide you can find information about detailed configuration options and additional use-cases 28 | enabled by this component. 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | Sample application 44 | 45 | This chapter provides a reference for the sample application and its administration user interface. 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | Integration guide 54 | 55 | This chapter includes step-by-step instructions on the basic steps required for 56 | enabling single sign-on with common identity providers. 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /docs/reference/docbook/troubleshooting.xml: -------------------------------------------------------------------------------- 1 | 2 | 11 | 12 | Troubleshooting common problems 13 | 14 | 15 | Time synchronization 16 | Processing of SAML messages and assertions is often limited to a specific time window, which, among other things, limits the opportunity for replay attacks. 17 | Validation of messages can fail when the internal clocks of the IDP and SP machines are not synchronized. 
Make sure to use a 18 | time synchronization service on all systems in the federation. 19 | 20 | 21 | 22 | Error 'InResponseToField doesn't correspond to sent message' during SSO 23 | Make sure that the application uses the same HttpSession when sending the request and when receiving the response. Typically, this problem arises when the authentication request is initiated 24 | from a localhost address or over the http scheme, while the response is received at a public host name or over the https scheme. E.g., when initializing authentication from URL https://host:port/app/saml/login, the response 25 | must be received at https://host;port/app/saml/SSO, not https://host:port/app/saml/SSO or https://localhost:port/app/saml/SSO. 26 | The InResponseTo check is what ties a response to a request this service provider actually sent; disabling it means responses that do not correspond to any sent request are accepted as well, so prefer fixing the host name or scheme mismatch. If the check nevertheless has to be disabled, re-configure the context provider as follows: 27 | 28 | 29 | 30 | 31 | ]]> 32 | 33 | 34 | 35 | 36 | System is redirecting to e.g. localhost address when public facing URL is different 37 | If you use automatic metadata generation, make sure to set the property entityBaseURL on the MetadataGenerator bean to 38 | e.g. https://server:port/yourapp, or use pre-generated metadata. 39 | 40 | 41 | 42 | System fails during decryption or encryption of fields, e.g. with 'Failed to decrypt EncryptedData' 43 | Make sure the Unlimited Strength Jurisdiction Policy Files are correctly installed in your JDK. See for details. 44 | 45 | 46 | 47 | My system fails during validation of certificates with errors similar to "PKIX path building failed" 48 | This is typically caused by misconfiguration of certificates. Either your metadata or keyStore does not contain the correct leaf certificates or CA certificates, or your certificates are invalid. 49 | You can get additional information by starting your application with the flag -Djavax.net.debug=all. 
50 | 51 | 52 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /gradle.properties: -------------------------------------------------------------------------------- 1 | version=1.0.11.BUILD-SNAPSHOT 2 | maxParallelForks=1 3 | -------------------------------------------------------------------------------- /gradle/ide.gradle: -------------------------------------------------------------------------------- 1 | apply plugin: "propdeps-eclipse" 2 | apply plugin: "propdeps-idea" 3 | apply plugin: 'eclipse-wtp' 4 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | #Fri Apr 17 15:46:37 CDT 2015 2 | distributionBase=GRADLE_USER_HOME 3 | distributionPath=wrapper/dists 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | distributionUrl=https\://services.gradle.org/distributions/gradle-4.10.3-all.zip 7 | -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- 1 | @if "%DEBUG%" == "" @echo off 2 | @rem ########################################################################## 3 | @rem 4 | @rem Gradle startup script for Windows 5 | @rem 6 | @rem ########################################################################## 7 | 8 | @rem Set local scope for the variables with windows NT shell 9 | if "%OS%"=="Windows_NT" setlocal 10 | 11 | @rem Add default JVM options here. 
You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 12 | set GRADLE_OPTS=-Xmx1024m -XX:MaxHeapSize=256m %GRADLE_OPTS% 13 | set DEFAULT_JVM_OPTS= 14 | 15 | set DIRNAME=%~dp0 16 | if "%DIRNAME%" == "" set DIRNAME=. 17 | set APP_BASE_NAME=%~n0 18 | set APP_HOME=%DIRNAME% 19 | 20 | @rem Find java.exe 21 | if defined JAVA_HOME goto findJavaFromJavaHome 22 | 23 | set JAVA_EXE=java.exe 24 | %JAVA_EXE% -version >NUL 2>&1 25 | if "%ERRORLEVEL%" == "0" goto init 26 | 27 | echo. 28 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 29 | echo. 30 | echo Please set the JAVA_HOME variable in your environment to match the 31 | echo location of your Java installation. 32 | 33 | goto fail 34 | 35 | :findJavaFromJavaHome 36 | set JAVA_HOME=%JAVA_HOME:"=% 37 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 38 | 39 | if exist "%JAVA_EXE%" goto init 40 | 41 | echo. 42 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 43 | echo. 44 | echo Please set the JAVA_HOME variable in your environment to match the 45 | echo location of your Java installation. 46 | 47 | goto fail 48 | 49 | :init 50 | @rem Get command-line arguments, handling Windowz variants 51 | 52 | if not "%OS%" == "Windows_NT" goto win9xME_args 53 | if "%@eval[2+2]" == "4" goto 4NT_args 54 | 55 | :win9xME_args 56 | @rem Slurp the command line arguments. 
57 | set CMD_LINE_ARGS= 58 | set _SKIP=2 59 | 60 | :win9xME_args_slurp 61 | if "x%~1" == "x" goto execute 62 | 63 | set CMD_LINE_ARGS=%* 64 | goto execute 65 | 66 | :4NT_args 67 | @rem Get arguments from the 4NT Shell from JP Software 68 | set CMD_LINE_ARGS=%$ 69 | 70 | :execute 71 | @rem Setup the command line 72 | 73 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 74 | 75 | @rem Execute Gradle 76 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% 77 | 78 | :end 79 | @rem End local scope for the variables with windows NT shell 80 | if "%ERRORLEVEL%"=="0" goto mainEnd 81 | 82 | :fail 83 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 84 | rem the _cmd.exe /c_ return code! 85 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 86 | exit /b 1 87 | 88 | :mainEnd 89 | if "%OS%"=="Windows_NT" endlocal 90 | 91 | :omega 92 | -------------------------------------------------------------------------------- /sample/build.gradle: -------------------------------------------------------------------------------- 1 | apply plugin: 'war' 2 | apply plugin: 'com.bmuschko.tomcat' 3 | 4 | // Disable publishing to repository for the sample project 5 | if (tasks.findByPath('artifactoryPublish')) { 6 | artifactoryPublish.enabled = false 7 | } 8 | 9 | war.archiveName = "${project.name}.war" 10 | 11 | description = "Spring Security SAML v2 sample webapp" 12 | 13 | dependencies { 14 | 15 | compile project(":spring-security-saml2-core"), 16 | "org.springframework:spring-core:$springVersion", 17 | "org.springframework:spring-beans:$springVersion", 18 | "org.springframework:spring-context:$springVersion", 19 | "org.springframework:spring-aop:$springVersion", 20 | "org.springframework:spring-web:$springVersion", 21 | "org.springframework:spring-webmvc:$springVersion", 22 | 
"org.springframework.security:spring-security-config:$springSecurityVersion", 23 | "org.slf4j:slf4j-log4j12:$slf4jVersion", 24 | "javax.servlet:jstl:1.2" 25 | 26 | providedCompile "javax.servlet:jsp-api:2.0" 27 | 28 | testCompile "junit:junit:4.4" 29 | 30 | def tomcatVersion = '8.5.63' 31 | tomcat "org.apache.tomcat.embed:tomcat-embed-core:${tomcatVersion}" 32 | tomcat "org.apache.tomcat.embed:tomcat-embed-jasper:${tomcatVersion}" 33 | 34 | } 35 | -------------------------------------------------------------------------------- /sample/src/main/resources/log4j.properties: -------------------------------------------------------------------------------- 1 | log4j.rootCategory=INFO, CONSOLE 2 | 3 | # CONSOLE is set to be a ConsoleAppender using a PatternLayout. 4 | log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender 5 | log4j.appender.CONSOLE.Threshold=DEBUG 6 | log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout 7 | log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n 8 | 9 | # Logging of Spring Security extension 10 | log4j.logger.org.springframework.security.saml=INFO 11 | 12 | # Logging of SAML messages, set to FINEST to enable 13 | log4j.logger.PROTOCOL_MESSAGE=INFO 14 | 15 | # Logging of OpenSAML library 16 | log4j.logger.org.opensaml=INFO -------------------------------------------------------------------------------- /sample/src/main/resources/metadata/idp.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh 9 | bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w 10 | ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw 11 | CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK 12 | BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B 13 | 
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+ 14 | RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY 15 | Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U 16 | QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA 17 | cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC 18 | /FfwWigmrW0Y0Q== 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 31 | urn:oasis:names:tc:SAML:2.0:nameid-format:transient 32 | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 33 | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 34 | 35 | 36 | 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /sample/src/main/resources/security/samlKeystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/sample/src/main/resources/security/samlKeystore.jks -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/saml-servlet.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/security/adminLogin.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="org.springframework.security.web.csrf.CsrfToken" %> 2 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 3 | 4 | 5 | 6 | 7 |

8 | 9 |
10 |
11 |
12 |
13 |
14 |

Login to administration

15 |

Please login to the metadata administration using a local account (by default admin/admin).

16 |
17 | <% String errorString = (String) request.getAttribute("error"); %> 18 | <% if (errorString != null && errorString.trim().equals("true")) { %> 19 |
Incorrect login name or password. Please retry using correct login name and password.
20 | <% } %> 21 |

22 |

23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 39 | 40 |
35 | <% CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName()); %> 36 | 37 | 38 |
41 |
42 |
43 |
44 |
 
45 |
46 |
47 |
 
48 |
49 | 50 |
51 | 52 |
53 | 54 | 55 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/security/idpSelection.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="org.springframework.security.saml.metadata.MetadataManager" %> 2 | <%@ page import="org.springframework.web.context.WebApplicationContext" %> 3 | <%@ page import="org.springframework.web.context.support.WebApplicationContextUtils" %> 4 | <%@ page import="java.util.Set" %> 5 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 6 | 7 | 8 | 9 | 10 |
11 | 12 |
13 |
14 |
15 |
16 |
17 |

IDP Selection

18 |

Please select Identity Provider to authenticate with.

19 |
20 | <% 21 | WebApplicationContext context = WebApplicationContextUtils.getWebApplicationContext(getServletConfig().getServletContext()); 22 | MetadataManager mm = context.getBean("metadata", MetadataManager.class); 23 | Set idps = mm.getIDPEntityNames(); 24 | pageContext.setAttribute("idp", idps); 25 | %> 26 |

27 |

" method="GET"> 28 | 29 | " value=""/> 30 | 31 |
32 |
33 |
34 | 35 |
36 |
37 |
38 |
 
39 |
40 |
41 |
 
42 |
43 | 44 |
45 | 46 |
47 | 48 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/security/providerView.jsp: -------------------------------------------------------------------------------- 1 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 2 | <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %> 3 | 4 | 5 | 6 | 7 |
8 | 9 |
10 |
11 |
12 |
13 |
14 |

Metadata provider detail

15 |

Overview of a metadata provider, which can include multiple SAML entities.

16 |
17 |

"><< Back

18 | Provider: 19 |

20 | 21 | "/> 22 | 23 | 24 |
25 |

"><< Back

26 |
27 |
28 |
 
29 |
30 |
31 |
 
32 |
33 | 34 |
35 | 36 |
37 | 38 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/templates/footer.jsp: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/templates/head.jsp: -------------------------------------------------------------------------------- 1 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 2 | 3 | 4 | 5 | 6 | 7 | "/> 8 | " media="screen" /> 9 | Spring SAML Sample application 10 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/templates/navigation.jsp: -------------------------------------------------------------------------------- 1 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 2 | -------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/templates/sidebar.jsp: -------------------------------------------------------------------------------- 1 | 32 |
 
-------------------------------------------------------------------------------- /sample/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | Spring Security SAML 8 | Sample application demonstrating Spring security SAML integration. 9 | 10 | 11 | contextConfigLocation 12 | 13 | /WEB-INF/securityContext.xml 14 | 15 | 16 | 17 | 18 | saml 19 | org.springframework.web.servlet.DispatcherServlet 20 | 1 21 | 22 | 23 | 24 | saml 25 | /saml/web/* 26 | 27 | 28 | 29 | springSecurityFilterChain 30 | org.springframework.web.filter.DelegatingFilterProxy 31 | 32 | 33 | springSecurityFilterChain 34 | /* 35 | 36 | 37 | 38 | org.springframework.web.context.ContextLoaderListener 39 | 40 | 41 | 42 | index.jsp 43 | 44 | 45 | 46 | java.lang.Exception 47 | /error.jsp 48 | 49 | 50 | -------------------------------------------------------------------------------- /sample/src/main/webapp/error.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.io.StringWriter" %> 2 | <%@ page import="java.io.PrintWriter" %> 3 | <%@ page import="org.springframework.security.web.WebAttributes" %> 4 | <%@ page isErrorPage="true" %> 5 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 6 | 7 | 8 | 9 | 10 |
11 | 12 |
13 |
14 |
15 |
16 |
17 |

Error

18 |

An error occurred.

19 |
20 | <% 21 | // Load exception set from Spring Security unless set from web.xml error handler 22 | if (exception == null) { 23 | exception = (Throwable) request.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION); 24 | } 25 | %> 26 | <% if (exception != null) { %> 27 | Message:
28 | <%= exception.getMessage() %> 29 |

30 | StackTrace:
31 |
<%
32 |                                     StringWriter stringWriter = new StringWriter();
33 |                                     PrintWriter printWriter = new PrintWriter(stringWriter);
34 |                                     exception.printStackTrace(printWriter);
35 |                                     out.println(stringWriter);
36 |                                     printWriter.close();
37 |                                     stringWriter.close();
38 |                                 %>
39 |
40 | This page writes the exception message and the full stack trace into the response unescaped; both can contain internal class names, file paths and attacker-influenced input from the SAML exchange. Escape anything you do show (e.g. with c:out) and make sure to hide error content from your production environments to minimize leakage of useful data to potential 41 | attackers. 42 | <% } %> 43 |
44 |
45 |
 
46 |
47 |
48 |
 
49 |
50 | 51 |
52 | 53 |
54 | 55 | -------------------------------------------------------------------------------- /sample/src/main/webapp/images/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/sample/src/main/webapp/images/favicon.png -------------------------------------------------------------------------------- /sample/src/main/webapp/images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/sample/src/main/webapp/images/logo.png -------------------------------------------------------------------------------- /sample/src/main/webapp/images/main-two-columns-left.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/sample/src/main/webapp/images/main-two-columns-left.gif -------------------------------------------------------------------------------- /sample/src/main/webapp/images/main-two-columns.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spring-attic/spring-security-saml/397da3ef007fef0e01c75ccd705b39639ba98af9/sample/src/main/webapp/images/main-two-columns.gif -------------------------------------------------------------------------------- /sample/src/main/webapp/logout.jsp: -------------------------------------------------------------------------------- 1 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 2 | 3 | 4 | 5 | 6 |
7 | 8 |
9 |
10 |
11 |
12 |
13 |

Logout

14 |

You have been logged out.

15 |
16 |

17 | ">Back to index 18 |

19 |
20 |
21 |
 
22 |
23 |
24 |
 
25 |
26 | 27 |
28 | 29 |
30 | 31 | -------------------------------------------------------------------------------- /settings.gradle: -------------------------------------------------------------------------------- 1 | include "core" 2 | include "sample" 3 | 4 | rootProject.name = "spring-security-saml" 5 | 6 | rootProject.children.each { p -> 7 | p.name = "spring-security-saml2-${p.name}" 8 | } 9 | --------------------------------------------------------------------------------