Class SAML2TokenIssuer

java.lang.Object
org.apache.rahas.impl.SAML2TokenIssuer
All Implemented Interfaces:
TokenIssuer

public class SAML2TokenIssuer extends Object implements TokenIssuer
WS-Trust based SAML2 token issuer. This issuer will generate request security token responses with SAML2 assertions.
  • Field Details

    • signatureList

      protected List<org.opensaml.xmlsec.signature.Signature> signatureList
  • Constructor Details

    • SAML2TokenIssuer

      public SAML2TokenIssuer()
  • Method Details

    • issue

      public org.apache.axiom.soap.SOAPEnvelope issue(RahasData data) throws TrustException
      This is the main method that issues SAML2 assertions as security token responses. It reads the issuer configuration and the message context properties (essentially the request security token properties) and creates a security token response containing a SAML2 assertion. The attributes are retrieved from a callback class.
      Specified by:
      issue in interface TokenIssuer
      Parameters:
      data - A populated RahasData instance
      Returns:
      A SOAP message with security token response (as per ws-trust spec) with a SAML2 assertion.
      Throws:
      TrustException - If an error occurred while creating the response.
    • createRequestSecurityTokenResponse

      protected org.apache.axiom.soap.SOAPEnvelope createRequestSecurityTokenResponse(RahasData rahasData, org.opensaml.saml.saml2.core.Assertion assertion, org.apache.axiom.soap.SOAPEnvelope soapEnvelope) throws TrustException
      This method prepares the final response. It creates a request security token response as specified in the WS-Trust specification. The equivalent XML takes the following form:
        <wst:RequestSecurityTokenResponse xmlns:wst="...">
             <wst:TokenType>...</wst:TokenType>
             <wst:RequestedSecurityToken>...</wst:RequestedSecurityToken>
             ...
             <wsp:AppliesTo xmlns:wsp="...">...</wsp:AppliesTo>
             <wst:RequestedAttachedReference>
             ...
             </wst:RequestedAttachedReference>
             <wst:RequestedUnattachedReference>
             ...
             </wst:RequestedUnattachedReference>
             <wst:RequestedProofToken>...</wst:RequestedProofToken>
             <wst:Entropy>
             <wst:BinarySecret>...</wst:BinarySecret>
             </wst:Entropy>
             <wst:Lifetime>...</wst:Lifetime>
         </wst:RequestSecurityTokenResponse>
      Thus the RequestedSecurityToken element carries the SAML2 assertion that was passed in.
      Parameters:
      rahasData - The configuration data which comes with RST
      assertion - OpenSAML representation of the SAML2 assertion.
      soapEnvelope - SOAP message envelope
      Returns:
      SOAPEnvelope which includes RequestSecurityTokenResponse
      Throws:
      TrustException - If an error occurred while creating RequestSecurityTokenResponse.
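      The layout above, worked through as an added example that is not Rahas code: it wraps an already-built saml2:Assertion in a WS-Trust 1.3 RequestSecurityTokenResponse and places it in a SOAP 1.2 body, using only the Python standard library. The namespace and ValueType URIs are the published WS-Trust 1.3, WSS and SAML Token Profile 1.1 values; the sample assertion, its ID and the lifetime instants are constructed for the example. Both the attached and the unattached reference point at the assertion by its ID, and a token without an ID is rejected up front, since a relying party could not locate it from the references.

```python
"""Wrap an already-built SAML 2.0 assertion in a WS-Trust 1.3 RequestSecurityTokenResponse
inside a SOAP 1.2 body. Added example, not Rahas code; standard library only."""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Token type and key-identifier ValueType URIs from the WSS SAML Token Profile 1.1
TOKEN_TYPE_SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
KEYID_SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

for prefix, uri in [("wst", WST), ("wsu", WSU), ("wsse", WSSE), ("wsp", WSP),
                    ("wsa", WSA), ("soap", SOAP12), ("saml2", SAML2)]:
    ET.register_namespace(prefix, uri)  # readable prefixes when serialising

# Constructed sample assertion (ID and timestamps are made up for the example)
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer>
</saml2:Assertion>"""


def q(ns, local):
    return "{%s}%s" % (ns, local)


def token_reference(parent, name, assertion_id):
    """wst:Requested(Un)AttachedReference -> wsse:SecurityTokenReference -> wsse:KeyIdentifier."""
    ref = ET.SubElement(ET.SubElement(parent, q(WST, name)), q(WSSE, "SecurityTokenReference"))
    ET.SubElement(ref, q(WSSE, "KeyIdentifier"), ValueType=KEYID_SAMLID).text = assertion_id


def build_rstr(assertion, applies_to, created, expires):
    """Build wst:RequestSecurityTokenResponse around `assertion` (a saml2:Assertion Element).
    created/expires are xs:dateTime strings in UTC, e.g. 2004-12-05T09:22:05Z."""
    if assertion.tag != q(SAML2, "Assertion") or not assertion.get("ID"):
        raise ValueError("expected a saml2:Assertion carrying an ID attribute")
    rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q(WST, "TokenType")).text = TOKEN_TYPE_SAML2
    ET.SubElement(rstr, q(WST, "RequestedSecurityToken")).append(assertion)
    epr = ET.SubElement(ET.SubElement(rstr, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    # Both references identify the token by its ID, so the relying party can find it
    # whether it travels inside the Security header or is handled separately.
    token_reference(rstr, "RequestedAttachedReference", assertion.get("ID"))
    token_reference(rstr, "RequestedUnattachedReference", assertion.get("ID"))
    lifetime = ET.SubElement(rstr, q(WST, "Lifetime"))
    ET.SubElement(lifetime, q(WSU, "Created")).text = created
    ET.SubElement(lifetime, q(WSU, "Expires")).text = expires
    return rstr


def wrap_in_soap12(rstr):
    """Place the RSTR in the body of a SOAP 1.2 envelope."""
    env = ET.Element(q(SOAP12, "Envelope"))
    ET.SubElement(env, q(SOAP12, "Header"))
    ET.SubElement(env, q(SOAP12, "Body")).append(rstr)
    return env


def issue_from_xml(assertion_xml, applies_to, created, expires):
    """Convenience entry point: parse the assertion text, build the RSTR, return the envelope."""
    return wrap_in_soap12(build_rstr(ET.fromstring(assertion_xml), applies_to, created, expires))


def referenced_token_id(envelope):
    """The assertion ID that the RequestedAttachedReference points at (None if absent)."""
    ref = envelope.find(".//" + q(WST, "RequestedAttachedReference"))
    kid = None if ref is None else ref.find(".//" + q(WSSE, "KeyIdentifier"))
    return None if kid is None else kid.text


if __name__ == "__main__":
    env = issue_from_xml(SAMPLE_ASSERTION, "https://sp.example.com/SAML2",
                         "2004-12-05T09:22:05Z", "2004-12-05T09:27:05Z")
    print(ET.tostring(env, encoding="unicode"))
```

      The RequestedProofToken and Entropy elements from the layout are omitted here because they only apply when a symmetric proof key is negotiated; a bearer token carries neither.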
    • buildAssertion

      protected org.opensaml.saml.saml2.core.Assertion buildAssertion(Document doc, org.apache.wss4j.common.crypto.Crypto crypto, RahasData data) throws TrustException
      This method builds the SAML2 assertion. The equivalent XML would look as follows,
      <saml:Assertion
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
            Version="2.0"
            IssueInstant="2004-12-05T09:22:05Z">
            <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
            <ds:Signature
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
            <saml:Subject>
              <saml:NameID
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
                3f7b3dcf-1674-4ecd-92c8-1544f346baf8
              </saml:NameID>
              <saml:SubjectConfirmation
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData
                  InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
                  Recipient="https://sp.example.com/SAML2/SSO/POST"
                  NotOnOrAfter="2004-12-05T09:27:05Z"/>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions
              NotBefore="2004-12-05T09:17:05Z"
              NotOnOrAfter="2004-12-05T09:27:05Z">
              <saml:AudienceRestriction>
                <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
              </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement
              AuthnInstant="2004-12-05T09:22:00Z"
              SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
              <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
               </saml:AuthnContextClassRef>
              </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
              <saml:Attribute
                xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
                x500:Encoding="LDAP"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                FriendlyName="eduPersonAffiliation">
                <saml:AttributeValue
                  xsi:type="xs:string">member</saml:AttributeValue>
                <saml:AttributeValue
                  xsi:type="xs:string">staff</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
      Reference - http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions
      Parameters:
      doc - The Document which comprises SAML 2 assertion.
      crypto - Crypto properties.
      data - The RST data and other configuration information.
      Returns:
      OpenSAML representation of an Assertion.
      Throws:
      TrustException - If an error occurred while creating the Assertion.
    • createSubjectWithHolderOfKeySubjectConfirmation

      protected org.opensaml.saml.saml2.core.Subject createSubjectWithHolderOfKeySubjectConfirmation(Document doc, org.apache.wss4j.common.crypto.Crypto crypto, Instant creationTime, Instant expirationTime, RahasData data) throws TrustException
      This method will create a SAML 2 subject based on Holder of Key confirmation method. The relevant XML would look as follows,
        <saml2:Subject>
             <saml2:NameID>
                 ...
             </saml2:NameID>
             <saml2:SubjectConfirmation
                     Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                 <saml2:SubjectConfirmationData
                         xsi:type="saml2:KeyInfoConfirmationDataType">
                     <ds:KeyInfo>
                         <ds:KeyValue>...</ds:KeyValue>
                     </ds:KeyInfo>
                 </saml2:SubjectConfirmationData>
             </saml2:SubjectConfirmation>
         </saml2:Subject>
      KeyInfo can be created from either a public key or a symmetric key; which one is decided by looking at RahasData.getKeyType(). TODO: make sure this implementation is correct. Theoretically a SAML2 subject may carry many subject confirmation methods. TODO: do we need to support that?
      Parameters:
      doc - The original XML document into which the assertion is to be included.
      crypto - The relevant crypto properties.
      creationTime - The time at which the assertion was created.
      expirationTime - The expiration time.
      data - The configuration data of the relevant request.
      Returns:
      OpenSAML representation of the SAML2 object.
      Throws:
      TrustException - If an error occurred while creating the subject.
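      The assertion built by buildAssertion and the holder-of-key subject above are only useful to a relying party that checks them before trusting them. The following is an added example, not Rahas code, of those relying-party checks on assertions shaped like the ones shown: issuer, version, presence of a ds:Signature child, the Conditions window and audience restriction, and the subject confirmation method, where a bearer confirmation must carry an unexpired NotOnOrAfter (and the expected Recipient, when given) and a holder-of-key confirmation must carry a ds:KeyInfo inside its SubjectConfirmationData. Both sample assertions are constructed from the page's XML with their 2004 timestamps; the "now" instant is passed in so the window checks are reproducible. Actual signature verification is out of scope here because it needs an XML-DSig library and the issuer's certificate.

```python
"""Relying-party checks on a SAML 2.0 assertion. Added example, not Rahas code; standard
library only. Signature verification (XML-DSig plus issuer certificate) is out of scope:
the check only insists that a ds:Signature child is present."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed samples, cut down from the XML shown on this page
BEARER_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="aaf23196"
        Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

HOK_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_hok-constructed" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml2:Subject>
    <saml2:NameID>uid=joe,ou=people,o=example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:KeyValue>...</ds:KeyValue></ds:KeyInfo>
      </saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml2:AudienceRestriction><saml2:Audience>https://sp.example.com/SAML2</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def q(ns, local):
    return "{%s}%s" % (ns, local)


def parse_instant(text):
    # SAML dateTime values are UTC, e.g. 2004-12-05T09:22:05Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, issuer, audience, now, recipient=None):
    """Return the list of problems found; an empty list means every check passed.
    `now` is an xs:dateTime string so that the window checks are reproducible."""
    now = parse_instant(now)
    root = ET.fromstring(xml_text)
    if root.tag != q(SAML2, "Assertion"):
        return ["root element is not saml2:Assertion"]
    problems = []
    if root.get("Version") != "2.0":
        problems.append("Version is not 2.0")
    if (root.findtext(q(SAML2, "Issuer")) or "").strip() != issuer:
        problems.append("unexpected Issuer")
    if root.find(q(DS, "Signature")) is None:
        problems.append("assertion is not signed")
    cond = root.find(q(SAML2, "Conditions"))
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb):
            problems.append("assertion not yet valid")
        if noa and now >= parse_instant(noa):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.iter(q(SAML2, "Audience")) if a.text]
        if audience not in audiences:
            problems.append("audience restriction does not include the relying party")
    subject = root.find(q(SAML2, "Subject"))
    confirmations = [] if subject is None else subject.findall(q(SAML2, "SubjectConfirmation"))
    if not confirmations:
        problems.append("no SubjectConfirmation")
    for sc in confirmations:
        method, data = sc.get("Method"), sc.find(q(SAML2, "SubjectConfirmationData"))
        if method == CM_BEARER:
            noa = None if data is None else data.get("NotOnOrAfter")
            if noa is None or now >= parse_instant(noa):
                problems.append("bearer confirmation missing or past NotOnOrAfter")
            if recipient and (data is None or data.get("Recipient") != recipient):
                problems.append("bearer confirmation Recipient mismatch")
        elif method == CM_HOLDER_OF_KEY:
            if data is None or data.find(q(DS, "KeyInfo")) is None:
                problems.append("holder-of-key confirmation without ds:KeyInfo")
        else:
            problems.append("unsupported confirmation method: %s" % method)
    return problems


if __name__ == "__main__":
    for name, xml in (("bearer", BEARER_ASSERTION), ("holder-of-key", HOK_ASSERTION)):
        print(name, check_assertion(xml, "https://idp.example.org/SAML2",
                                    "https://sp.example.com/SAML2", "2004-12-05T09:23:00Z"))
```

      Run with a "now" inside the five-minute window both samples pass; at 09:30:00Z the bearer assertion reports both the Conditions expiry and the bearer NotOnOrAfter, which is the intended redundancy: the two limits are independent and a consumer should check both.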
    • createSubjectWithBearerSubjectConfirmation

      protected org.opensaml.saml.saml2.core.Subject createSubjectWithBearerSubjectConfirmation(RahasData data) throws TrustException
      This method creates a subject element with the bearer subject confirmation method. The relevant XML would look as follows,
         <saml:Subject>
             <saml:NameIdentifier
                         NameQualifier="www.example.com"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                 uid=joe,ou=people,ou=saml-demo,o=baltimore.com
             </saml:NameIdentifier>
             <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>
                     urn:oasis:names:tc:SAML:1.0:cm:bearer
                 </saml:ConfirmationMethod>
             </saml:SubjectConfirmation>
         </saml:Subject>
      Parameters:
      data - RahasData element
      Returns:
      SAML 2.0 Subject element with Bearer subject confirmation
      Throws:
      TrustException - if an error occurred while creating the subject.
    • signAssertion

      protected org.opensaml.saml.saml2.core.Assertion signAssertion(Document document, org.opensaml.saml.saml2.core.Assertion assertion, org.apache.wss4j.common.crypto.Crypto crypto) throws TrustException
      This method signs the given assertion with the issuer's private key.
      Parameters:
      document - The original RST document.
      assertion - Assertion to be signed.
      crypto - The cryptographic properties.
      Returns:
      The signed assertion.
      Throws:
      TrustException - If an error occurred while signing the assertion.
    • createAttributeStatement

      protected org.opensaml.saml.saml2.core.AttributeStatement createAttributeStatement(RahasData data) throws TrustException
      This method creates an AttributeStatement. The relevant XML would look as follows,
        <saml:AttributeStatement>
          <saml:Attribute
            xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
            x500:Encoding="LDAP"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
            FriendlyName="eduPersonAffiliation">
            <saml:AttributeValue
              xsi:type="xs:string">member</saml:AttributeValue>
            <saml:AttributeValue
              xsi:type="xs:string">staff</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      Reference - http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions
      Parameters:
      data - The RahasData which carry information about RST.
      Returns:
      An AttributeStatement with filled attributes retrieved by calling callback class.
      Throws:
      TrustException - If an error occurred while creating the AttributeStatement.
    • createAuthenticationStatement

      protected org.opensaml.saml.saml2.core.AuthnStatement createAuthenticationStatement(RahasData data) throws TrustException
      This method creates an authentication statement. The equivalent XML would look as follows,
        <saml:AuthnStatement
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
           </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      Parameters:
      data - The RahasData which carry information about RST.
      Returns:
      OpenSAML representation of an AuthnStatement class.
      Throws:
      TrustException - If an error occurred while creating the authentication statement.
    • setSubjectNamedIdentifierData

      protected static void setSubjectNamedIdentifierData(org.opensaml.saml.saml2.core.Subject subject, String subjectNameId, String format) throws TrustException
      This method will set the subject principal details to the given subject.
      Parameters:
      subject - The subject.
      subjectNameId - Subject name id, to identify the principal
      format - Format of the subjectNameId, e.g. email address, X.509 subject name, etc.
      Throws:
      TrustException - If an error occurred while building NameID.
    • createKeyInfo

      protected org.opensaml.xmlsec.signature.KeyInfo createKeyInfo(Document doc, org.apache.wss4j.common.crypto.Crypto crypto, RahasData data) throws TrustException
      This method creates the KeyInfo relevant for the assertion. The KeyInfo can be created in two ways:
      1. Using a symmetric key - KeyInfo is created from a symmetric key.
      2. Using a public key - KeyInfo is created from a public key.
      Which one applies is decided by looking at the RahasData.getKeyType() method.
      Parameters:
      doc - The document which we are processing.
      crypto - Includes crypto properties relevant to issuer.
      data - Includes metadata about the RST.
      Returns:
      OpenSAML representation of KeyInfo.
      Throws:
      TrustException - If an error occurred while creating the KeyInfo object.
    • getResponseAction

      public String getResponseAction(RahasData data) throws TrustException
      Description copied from interface: TokenIssuer
      Returns the wsa:Action of the response.
      Specified by:
      getResponseAction in interface TokenIssuer
      Parameters:
      data - A populated RahasData instance
      Returns:
      Returns the wsa:Action of the response
      Throws:
      TrustException - If an error occurred during the operation.
    • setConfigurationFile

      public void setConfigurationFile(String configFile)
      Description copied from interface: TokenIssuer
      Set the configuration file of this TokenIssuer.

      This is the text value of the <configuration-file> element of the token-dispatcher-configuration.

      Specified by:
      setConfigurationFile in interface TokenIssuer
      Parameters:
      configFile - Sets the token issuer configuration file.
    • setConfigurationElement

      public void setConfigurationElement(org.apache.axiom.om.OMElement configElement)
      Description copied from interface: TokenIssuer
      Set the configuration element of this TokenIssuer.

      This is the <configuration> element of the token-dispatcher-configuration.

      Specified by:
      setConfigurationElement in interface TokenIssuer
      Parameters:
      configElement - OMElement representing the configuration
    • setConfigurationParamName

      public void setConfigurationParamName(String configParamName)
      Description copied from interface: TokenIssuer
      Set the name of the configuration parameter.

      If this is used, then an org.apache.axis2.description.Parameter object must be available via the messageContext when the TokenIssuer is called.

      Specified by:
      setConfigurationParamName in interface TokenIssuer
      Parameters:
      configParamName - The configuration parameter to be set.
      See Also:
      • Parameter