
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.wss4j.common.saml.builder;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.bean.ActionBean;
import org.apache.wss4j.common.saml.bean.AttributeBean;
import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
import org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean;
import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.ProxyRestrictionBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Action;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.AuthzDecisionStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.DecisionTypeEnumeration;
import org.opensaml.saml2.core.Evidence;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.KeyInfoConfirmationDataType;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.OneTimeUse;
import org.opensaml.saml2.core.ProxyRestriction;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.SubjectLocality;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.schema.impl.XSStringBuilder;
import org.opensaml.xml.signature.KeyInfo;
import java.util.ArrayList;
import java.util.List;
/**
* Class SAML2ComponentBuilder provides builder methods that can be used
* to construct SAML v2.0 statements using the OpenSaml library.
*/
public final class SAML2ComponentBuilder {
// Per-element OpenSAML builders. Each one is looked up from builderFactory the first time
// the corresponding create*() method runs and cached here for later calls. The fields are
// volatile so that a builder assigned by one thread is visible to the others; the
// check-then-assign in the create*() methods is not atomic, so two threads may race to
// perform the same lookup - presumably harmless, since both ask the factory for the same
// element name (confirm that the factory hands out equivalent builders).
private static volatile SAMLObjectBuilder assertionBuilder;
private static volatile SAMLObjectBuilder issuerBuilder;
private static volatile SAMLObjectBuilder subjectBuilder;
private static volatile SAMLObjectBuilder nameIdBuilder;
private static volatile SAMLObjectBuilder subjectConfirmationBuilder;
private static volatile SAMLObjectBuilder oneTimeUseBuilder;
private static volatile SAMLObjectBuilder proxyRestrictionBuilder;
private static volatile SAMLObjectBuilder conditionsBuilder;
private static volatile SAMLObjectBuilder subjectConfirmationDataBuilder;
private static volatile SAMLObjectBuilder keyInfoConfirmationDataBuilder;
private static volatile SAMLObjectBuilder authnStatementBuilder;
private static volatile SAMLObjectBuilder authnContextBuilder;
private static volatile SAMLObjectBuilder authnContextClassRefBuilder;
private static volatile SAMLObjectBuilder attributeStatementBuilder;
private static volatile SAMLObjectBuilder attributeBuilder;
// Builder for XSString-typed values; presumably used by the attribute builders further
// down the file (not within this excerpt).
private static volatile XSStringBuilder stringBuilder;
private static volatile SAMLObjectBuilder audienceRestrictionBuilder;
private static volatile SAMLObjectBuilder audienceBuilder;
private static volatile SAMLObjectBuilder authorizationDecisionStatementBuilder;
private static volatile SAMLObjectBuilder actionElementBuilder;
// Resolved eagerly when the class is loaded. If OpenSAML has not been bootstrapped by the
// time a builder is requested, the lookup yields null: createAssertion() reports that as an
// IllegalStateException, while the other create*() methods would presumably fail with a
// NullPointerException on buildObject().
private static volatile XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
private static volatile SAMLObjectBuilder subjectLocalityBuilder;
/**
 * Not instantiable: every builder method on this class is static.
 */
private SAML2ComponentBuilder() {
    // Intentionally empty - utility class.
}
/**
* Create a SAML 2 assertion
*
* @return a SAML 2 assertion
*/
@SuppressWarnings("unchecked")
public static Assertion createAssertion() {
    // Resolve the Assertion builder on first use and cache it. A null result means the
    // OpenSAML engine was never bootstrapped, which is reported explicitly here.
    SAMLObjectBuilder builder = assertionBuilder;
    if (builder == null) {
        builder = (SAMLObjectBuilder) builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
        if (builder == null) {
            throw new IllegalStateException(
                "OpenSaml engine not initialized. Please make sure to initialize the OpenSaml engine "
                + "prior using it"
            );
        }
        assertionBuilder = builder;
    }
    Assertion assertion = builder.buildObject(Assertion.DEFAULT_ELEMENT_NAME, Assertion.TYPE_NAME);
    // Fresh identifier per assertion; the "_" prefix presumably keeps the generated value a
    // valid NCName for the xs:ID attribute - confirm against IDGenerator.
    assertion.setID(IDGenerator.generateID("_"));
    assertion.setVersion(SAMLVersion.VERSION_20);
    // IssueInstant is the moment the object is built, not when it is later signed or sent.
    assertion.setIssueInstant(new DateTime());
    return assertion;
}
/**
* Create an Issuer object
*
* @param issuerValue the value to set as the Issuer
* @return an Issuer object
*/
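@SuppressWarnings("unchecked")
public static Issuer createIssuer(String issuerValue) {
    if (issuerBuilder == null) {
        issuerBuilder = (SAMLObjectBuilder)
            builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        // Same failure mode as createAssertion(): a missing builder means OpenSAML was never
        // bootstrapped. Reporting it here is clearer than the NullPointerException that
        // buildObject() would otherwise raise on the next line.
        if (issuerBuilder == null) {
            throw new IllegalStateException(
                "OpenSaml engine not initialized. Please make sure to initialize the OpenSaml engine "
                + "prior using it"
            );
        }
    }
    Issuer issuer = issuerBuilder.buildObject();
    //
    // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD
    // be unambiguous to the intended relying parties. The value is set as given; no
    // normalisation or validation is applied here.
    issuer.setValue(issuerValue);
    return issuer;
}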
/**
* Create a Conditions object
*
* @param conditionsBean A ConditionsBean object
* @return a Conditions object
*/
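@SuppressWarnings("unchecked")
public static Conditions createConditions(ConditionsBean conditionsBean) {
    if (conditionsBuilder == null) {
        conditionsBuilder = (SAMLObjectBuilder)
            builderFactory.getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
        // Same failure mode as createAssertion(): no builder means OpenSAML was never
        // bootstrapped, so say so instead of letting buildObject() throw an NPE.
        if (conditionsBuilder == null) {
            throw new IllegalStateException(
                "OpenSaml engine not initialized. Please make sure to initialize the OpenSaml engine "
                + "prior using it"
            );
        }
    }
    Conditions conditions = conditionsBuilder.buildObject();
    if (conditionsBean == null) {
        // No bean supplied: a default five-minute validity window starting now, with no
        // audience, one-time-use or proxy restrictions.
        DateTime newNotBefore = new DateTime();
        conditions.setNotBefore(newNotBefore);
        conditions.setNotOnOrAfter(newNotBefore.plusMinutes(5));
        return conditions;
    }
    long tokenPeriodSeconds = conditionsBean.getTokenPeriodSeconds();
    DateTime notBefore = conditionsBean.getNotBefore();
    DateTime notAfter = conditionsBean.getNotAfter();
    if (notBefore != null && notAfter != null) {
        // Caller-supplied window. An inverted window can never be satisfied, so reject it
        // rather than emit it; equal bounds are allowed and yield an empty window.
        if (notBefore.isAfter(notAfter)) {
            throw new IllegalStateException(
                "The value of notBefore may not be after the value of notAfter"
            );
        }
        conditions.setNotBefore(notBefore);
        conditions.setNotOnOrAfter(notAfter);
    } else {
        // NOTE: a bean that supplies only one of notBefore/notAfter has that bound ignored;
        // the window is generated from "now" and tokenPeriodSeconds instead. Callers that
        // need a specific bound must set both.
        DateTime newNotBefore = new DateTime();
        conditions.setNotBefore(newNotBefore);
        // A zero or negative period falls back to the same five-minute default as above.
        if (tokenPeriodSeconds <= 0) {
            tokenPeriodSeconds = 5L * 60L;
        }
        DateTime notOnOrAfter =
            new DateTime(newNotBefore.getMillis() + tokenPeriodSeconds * 1000L);
        conditions.setNotOnOrAfter(notOnOrAfter);
    }
    // Optional restrictions, each emitted only when the bean asks for it.
    if (conditionsBean.getAudienceURI() != null) {
        AudienceRestriction audienceRestriction =
            createAudienceRestriction(conditionsBean.getAudienceURI());
        conditions.getAudienceRestrictions().add(audienceRestriction);
    }
    if (conditionsBean.isOneTimeUse()) {
        conditions.getConditions().add(createOneTimeUse());
    }
    if (conditionsBean.getProxyRestriction() != null) {
        conditions.getConditions().add(createProxyRestriction(conditionsBean.getProxyRestriction()));
    }
    return conditions;
}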
/**
* Create an AudienceRestriction object
*
* @param audienceURI the audience URI to include in the restriction
* @return an AudienceRestriction object
*/
@SuppressWarnings("unchecked")
public static AudienceRestriction createAudienceRestriction(String audienceURI) {
    // Both builders are resolved lazily and cached in the class-level fields.
    SAMLObjectBuilder restrictionBuilder = audienceRestrictionBuilder;
    if (restrictionBuilder == null) {
        restrictionBuilder =
            (SAMLObjectBuilder) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
        audienceRestrictionBuilder = restrictionBuilder;
    }
    SAMLObjectBuilder audBuilder = audienceBuilder;
    if (audBuilder == null) {
        audBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
        audienceBuilder = audBuilder;
    }
    // One Audience element carrying the supplied URI, as given, wrapped in a single
    // AudienceRestriction. The caller is responsible for naming the intended relying party.
    Audience audience = audBuilder.buildObject();
    audience.setAudienceURI(audienceURI);
    AudienceRestriction audienceRestriction = restrictionBuilder.buildObject();
    audienceRestriction.getAudiences().add(audience);
    return audienceRestriction;
}
/**
* Create a OneTimeUse object
*
* @return a OneTimeUse object
*/
@SuppressWarnings("unchecked")
public static OneTimeUse createOneTimeUse() {
    SAMLObjectBuilder builder = oneTimeUseBuilder;
    if (builder == null) {
        builder = (SAMLObjectBuilder) builderFactory.getBuilder(OneTimeUse.DEFAULT_ELEMENT_NAME);
        oneTimeUseBuilder = builder;
    }
    // Nothing is set on the element: the bare OneTimeUse condition is the whole content.
    return builder.buildObject();
}
/**
* Create a ProxyRestriction object
*
* @param proxyRestrictionBean A ProxyRestrictionBean object
* @return a ProxyRestriction object
*/
@SuppressWarnings("unchecked")
public static ProxyRestriction createProxyRestriction(ProxyRestrictionBean proxyRestrictionBean) {
    // The bean is expected to be non-null; createConditions() only calls this when it is.
    SAMLObjectBuilder restrictionBuilder = proxyRestrictionBuilder;
    if (restrictionBuilder == null) {
        restrictionBuilder =
            (SAMLObjectBuilder) builderFactory.getBuilder(ProxyRestriction.DEFAULT_ELEMENT_NAME);
        proxyRestrictionBuilder = restrictionBuilder;
    }
    ProxyRestriction proxyRestriction = restrictionBuilder.buildObject();
    // Only a positive count is emitted as the Count attribute. NOTE(review): this means a
    // Count of 0 cannot be expressed through the bean, and an absent Count is presumably
    // not equivalent to Count="0" for relying parties - confirm whether callers need it.
    if (proxyRestrictionBean.getCount() > 0) {
        proxyRestriction.setProxyCount(proxyRestrictionBean.getCount());
    }
    if (!proxyRestrictionBean.getAudienceURIs().isEmpty()) {
        SAMLObjectBuilder audBuilder = audienceBuilder;
        if (audBuilder == null) {
            audBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
            audienceBuilder = audBuilder;
        }
        // One Audience child per URI, in the bean's iteration order.
        for (String audienceURI : proxyRestrictionBean.getAudienceURIs()) {
            Audience audience = audBuilder.buildObject();
            audience.setAudienceURI(audienceURI);
            proxyRestriction.getAudiences().add(audience);
        }
    }
    return proxyRestriction;
}
/**
* Create SAML 2 Authentication Statement(s).
*
* @param authBeans A list of AuthenticationStatementBean instances
* @return SAML 2 Authentication Statement(s).
*/
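@SuppressWarnings("unchecked")
public static List<AuthnStatement> createAuthnStatement(
    List<AuthenticationStatementBean> authBeans
) {
    // Element types match the loop and the result below: each element is read as an
    // AuthenticationStatementBean and each produced statement is an AuthnStatement.
    List<AuthnStatement> authnStatements = new ArrayList<AuthnStatement>();
    if (authnStatementBuilder == null) {
        authnStatementBuilder = (SAMLObjectBuilder)
            builderFactory.getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME);
    }
    if (authnContextBuilder == null) {
        authnContextBuilder = (SAMLObjectBuilder)
            builderFactory.getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME);
    }
    if (authnContextClassRefBuilder == null) {
        authnContextClassRefBuilder = (SAMLObjectBuilder)
            builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
    }
    if (subjectLocalityBuilder == null) {
        subjectLocalityBuilder = (SAMLObjectBuilder)
            builderFactory.getBuilder(SubjectLocality.DEFAULT_ELEMENT_NAME);
    }
    // A null or empty input yields an empty list rather than an error.
    if (authBeans != null && !authBeans.isEmpty()) {
        for (AuthenticationStatementBean statementBean : authBeans) {
            AuthnStatement authnStatement = authnStatementBuilder.buildObject();
            // The statement always carries an AuthnInstant; "now" stands in when the bean
            // does not record when the authentication actually happened.
            DateTime authInstant = statementBean.getAuthenticationInstant();
            if (authInstant == null) {
                authInstant = new DateTime();
            }
            authnStatement.setAuthnInstant(authInstant);
            // SessionNotOnOrAfter and SessionIndex are only emitted when the bean provides them.
            DateTime sessionNotOnOrAfter = statementBean.getSessionNotOnOrAfter();
            if (sessionNotOnOrAfter != null) {
                authnStatement.setSessionNotOnOrAfter(sessionNotOnOrAfter);
            }
            if (statementBean.getSessionIndex() != null) {
                authnStatement.setSessionIndex(statementBean.getSessionIndex());
            }
            // The bean's free-form method name is mapped to a class-ref URI; anything other
            // than "Password" is passed through as supplied (see transformAuthenticationMethod).
            AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject();
            authnContextClassRef.setAuthnContextClassRef(
                transformAuthenticationMethod(statementBean.getAuthenticationMethod())
            );
            AuthnContext authnContext = authnContextBuilder.buildObject();
            authnContext.setAuthnContextClassRef(authnContextClassRef);
            authnStatement.setAuthnContext(authnContext);
            // Optional SubjectLocality: DNSName from the bean's DNS address, Address from its
            // IP address. Both are emitted as given, even if one of them is null.
            SubjectLocalityBean subjectLocalityBean = statementBean.getSubjectLocality();
            if (subjectLocalityBean != null) {
                SubjectLocality subjectLocality = subjectLocalityBuilder.buildObject();
                subjectLocality.setDNSName(subjectLocalityBean.getDnsAddress());
                subjectLocality.setAddress(subjectLocalityBean.getIpAddress());
                authnStatement.setSubjectLocality(subjectLocality);
            }
            authnStatements.add(authnStatement);
        }
    }
    return authnStatements;
}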
/**
* Transform the user-supplied authentication method value into one of the supported
* specification-compliant values.
*
* @param sourceMethod the authentication method name supplied by the caller
* @return the method as a specification-compliant value, or the input unchanged
*/
private static String transformAuthenticationMethod(String sourceMethod) {
    // Only the well-known "Password" name (case-insensitive) is mapped to its class-ref URI.
    if ("Password".equalsIgnoreCase(sourceMethod)) {
        return SAML2Constants.AUTH_CONTEXT_CLASS_REF_PASSWORD;
    }
    // A missing or empty method becomes an empty class-ref value.
    if (sourceMethod == null || sourceMethod.isEmpty()) {
        return "";
    }
    // Any other value is assumed to already be a class-ref URI and is passed through as-is;
    // no validation is applied here.
    return sourceMethod;
}
/**
* Create a SAML2 Attribute
*
* @param friendlyName of type String
* @param name of type String
* @param nameFormat of type String
* @param values of type ArrayList
* @return a SAML2 Attribute
*/
public static Attribute createAttribute(
String friendlyName, String name, String nameFormat, List