Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java80
1 files changed, 41 insertions, 39 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index df91ce53..658dfe16 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -24,43 +24,44 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
-import org.apache.commons.lang3.StringUtils;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.common.xml.SAMLSchemaBuilder;
-import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.security.MetadataCriteria;
-import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.security.CriteriaSet;
-import org.opensaml.xml.security.credential.UsageType;
-import org.opensaml.xml.security.criteria.EntityIDCriteria;
-import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.signature.SignatureTrustEngine;
-import org.opensaml.xml.validation.ValidationException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-import org.w3c.dom.Element;
-import org.xml.sax.SAXException;
-
import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-@Service("SAMLVerificationEngine")
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.core.criterion.EntityIdCriterion;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.common.xml.SAMLSchemaBuilder;
+import org.opensaml.saml.common.xml.SAMLSchemaBuilder.SAML1Version;
+import org.opensaml.saml.criterion.EntityRoleCriterion;
+import org.opensaml.saml.criterion.ProtocolCriterion;
+import org.opensaml.saml.saml2.core.RequestAbstractType;
+import org.opensaml.saml.saml2.core.StatusResponseType;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
+import org.opensaml.security.credential.UsageType;
+import org.opensaml.security.criteria.UsageCriterion;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import lombok.extern.slf4j.Slf4j;
+import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
+
+@Slf4j
public class SamlVerificationEngine {
- private static final Logger log = LoggerFactory.getLogger(SamlVerificationEngine.class);
+ private static SAMLSchemaBuilder schemaBuilder = new SAMLSchemaBuilder(SAML1Version.SAML_11);
@Autowired(required = true)
- IPvpMetadataProvider metadataProvider;
+ IPvp2MetadataProvider metadataProvider;
/**
* Verify signature of a signed SAML2 object.
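Review bot: The new static `schemaBuilder` field introduced in this hunk is not `final`, so a shared, class-wide reference that is assigned exactly once here is left reassignable from anywhere in the class; since it replaces the former static `getSAML11Schema()` call, it should be `private static final SAMLSchemaBuilder schemaBuilder = new SAMLSchemaBuilder(SAML1Version.SAML_11);`. The choice of `SAML1Version.SAML_11` is not self-explanatory at this point in the file; a one-line why-comment such as `// SAML 1.1 flavour kept for parity with the previous SAMLSchemaBuilder.getSAML11Schema() call` would tell the next reader it is a migration decision, not a protocol requirement. The import block in this hunk no longer brings any OpenSAML `SecurityException` into scope, which affects the `throws` clause of `verify` further down (raised there).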
@@ -72,7 +73,7 @@ public class SamlVerificationEngine {
* @throws Exception In case of a general error
*/
public void verify(final InboundMessage msg, final SignatureTrustEngine sigTrustEngine)
- throws org.opensaml.xml.security.SecurityException, Exception {
+ throws SecurityException, Exception {
try {
if (msg instanceof PvpSProfileRequest
&& ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
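Review bot: The rewritten `throws SecurityException, Exception` clause no longer refers to the OpenSAML type: with the imports shown in the previous hunk, the simple name `SecurityException` resolves to `java.lang.SecurityException`, while the catch blocks in the later hunks deal with `org.opensaml.security.SecurityException`, so the declared and the handled exception types have silently diverged (this compiles only because `throws Exception` is also present). Either import the OpenSAML type or keep it qualified: `throws org.opensaml.security.SecurityException, Exception {`, and make sure the `@throws` Javadoc above matches. If the OpenSAML type is imported elsewhere in the file outside the shown hunk this is moot, but the visible import block does not contain it. The body of `verify` continues past the end of this hunk.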
@@ -135,7 +136,7 @@ public class SamlVerificationEngine {
profileValidator.validate(samlObj.getSignature());
performSchemaValidation(samlObj.getDOM());
- } catch (final ValidationException e) {
+ } catch (final SignatureException e) {
log.warn("Signature is not conform to SAML signature profile", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
@@ -145,15 +146,16 @@ public class SamlVerificationEngine {
}
final CriteriaSet criteriaSet = new CriteriaSet();
- criteriaSet.add(new EntityIDCriteria(samlObj.getIssuer().getValue()));
- criteriaSet.add(new MetadataCriteria(defaultElementName, SAMLConstants.SAML20P_NS));
- criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+ criteriaSet.add(new EntityIdCriterion(samlObj.getIssuer().getValue()));
+ criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
+ criteriaSet.add(new EntityRoleCriterion(defaultElementName));
+ criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
try {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (final org.opensaml.xml.security.SecurityException e) {
+ } catch (final org.opensaml.security.SecurityException e) {
log.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
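Review bot: The criteria-set construction, trust-engine validation and `org.opensaml.security.SecurityException` handling added here are repeated line-for-line in the hunk at `@@ -176,16 +178,16 @@`, differing only in the role `QName` (`defaultElementName` here, `SPSSODescriptor.DEFAULT_ELEMENT_NAME` there); the four `criteriaSet.add(...)` lines that this migration touches are the kind of security-critical detail that should exist once, so a private helper taking the role name would keep both call sites identical by construction. Independently, `samlObj.getIssuer().getValue()` on the new side dereferences the issuer without a null check; if the underlying OpenSAML accessor returns `null` for a message without an `Issuer` element (to be confirmed against the message type), the result is a `NullPointerException` instead of the `pvp2.21` protocol error the surrounding code raises for every other trust failure. The enclosing methods start and end outside both hunks. A sketch of the helper:
```java
/** Builds the trust criteria for {@code issuerId} in role {@code role} and validates {@code signature} against them. */
private void validateSignatureTrust(final Signature signature, final String issuerId,
    final QName role, final SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException {
  final CriteriaSet criteriaSet = new CriteriaSet();
  criteriaSet.add(new EntityIdCriterion(issuerId));
  criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
  criteriaSet.add(new EntityRoleCriterion(role));
  criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
  try {
    if (!sigTrustEngine.validate(signature, criteriaSet)) {
      throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
    }
  } catch (final org.opensaml.security.SecurityException e) {
    log.warn("PVP2x message signature validation FAILED.", e);
    throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
  }
}
// … unchanged: both call sites then reduce to validateSignatureTrust(samlObj.getSignature(), samlObj.getIssuer().getValue(), <role>, sigTrustEngine) …
```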
@@ -166,7 +168,7 @@ public class SamlVerificationEngine {
profileValidator.validate(samlObj.getSignature());
performSchemaValidation(samlObj.getDOM());
- } catch (final ValidationException e) {
+ } catch (final SignatureException e) {
log.warn("Signature is not conform to SAML signature profile", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
@@ -176,16 +178,16 @@ public class SamlVerificationEngine {
}
final CriteriaSet criteriaSet = new CriteriaSet();
- criteriaSet.add(new EntityIDCriteria(samlObj.getIssuer().getValue()));
- criteriaSet
- .add(new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
- criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+ criteriaSet.add(new EntityIdCriterion(samlObj.getIssuer().getValue()));
+ criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
+ criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
+ criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
try {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (final org.opensaml.xml.security.SecurityException e) {
+ } catch (final org.opensaml.security.SecurityException e) {
log.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
@@ -195,7 +197,7 @@ public class SamlVerificationEngine {
String err = null;
try {
- final Schema test = SAMLSchemaBuilder.getSAML11Schema();
+ final Schema test = schemaBuilder.getSAMLSchema();
final Validator val = test.newValidator();
val.validate(new DOMSource(source));
log.debug("Schema validation check done OK");