Examples of org.opensaml.ws.security.SecurityPolicyException

org.opensaml.ws.security.SecurityPolicyException
Exception indicating a security policy failure.

        }


        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory()
                .getUnmarshaller(KeyInfo.DEFAULT_ELEMENT_NAME);
        if (unmarshaller == null) {
            throw new SecurityPolicyException("Could not obtain a KeyInfo unmarshaller");
        }


        ByteArrayInputStream is = new ByteArrayInputStream(Base64.decode(kiBase64));
        KeyInfo keyInfo = null;
        try {
            Document doc = parser.parse(is);
            keyInfo = (KeyInfo) unmarshaller.unmarshall(doc.getDocumentElement());
        } catch (XMLParserException e) {
            log.error("Error parsing KeyInfo data", e);
            throw new SecurityPolicyException("Error parsing KeyInfo data", e);
        } catch (UnmarshallingException e) {
            log.error("Error unmarshalling KeyInfo data", e);
            throw new SecurityPolicyException("Error unmarshalling KeyInfo data", e);
        }


        if (keyInfo == null) {
            log.error("Could not successfully extract KeyInfo object from the form control data");
            return null;
        }


        List<Credential> credentials = new ArrayList<Credential>();
        CriteriaSet criteriaSet = new CriteriaSet(new KeyInfoCriteria(keyInfo));
        try {
            for (Credential cred : keyInfoResolver.resolve(criteriaSet)) {
                credentials.add(cred);
            }
        } catch (SecurityException e) {
            log.error("Error resolving credentials from KeyInfo", e);
            throw new SecurityPolicyException("Error resolving credentials from KeyInfo", e);
        }


        return credentials;
    }

View Full Code Here

        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;


        if (samlMsgCtx.getInboundSAMLMessageIssueInstant() == null) {
            if(requiredRule){
                log.error("Inbound SAML message issue instant not present in message context");
                throw new SecurityPolicyException("Inbound SAML message issue instant not present in message context");
            }else{
                return;
            }
        }


        DateTime issueInstant = samlMsgCtx.getInboundSAMLMessageIssueInstant();
        DateTime now = new DateTime();
        DateTime latestValid = now.plusSeconds(clockSkew);
        DateTime expiration = issueInstant.plusSeconds(clockSkew + expires);


        // Check message wasn't issued in the future
        if (issueInstant.isAfter(latestValid)) {
            log.error("Message was not yet valid: message time was {}, latest valid is: {}", issueInstant, latestValid);
            throw new SecurityPolicyException("Message was rejected because was issued in the future");
        }


        // Check message has not expired
        if (expiration.isBefore(now)) {
            log.error("Message was expired: message issue time was '" + issueInstant + "', message expired at: '"
                    + expiration + "', current time: '" + now + "'");
            throw new SecurityPolicyException("Message was rejected due to issue instant expiration");
        }


    }

View Full Code Here

    /** {@inheritDoc} */
    protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
        throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
            throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
        }
        
        SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
        
        CriteriaSet criteriaSet = new CriteriaSet();

View Full Code Here

    protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) 
        throws SecurityPolicyException {
        
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
            throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
        }
        
        SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;


        CriteriaSet criteriaSet = super.buildCriteriaSet(entityID, messageContext);

View Full Code Here

                    samlMsgCtx.setInboundSAMLMessageAuthenticated(true);
                }
                return;
            } else {
                log.error("Validation of request simple signature failed for context issuer: {}", contextIssuer);
                throw new SecurityPolicyException("Validation of request simple signature failed for context issuer");
            }
        }
            
        String derivedIssuer = deriveSignerEntityID(samlMsgCtx);
        if (derivedIssuer != null) {
            log.debug("Attempting to validate SAML protocol message simple signature using derived issuer: {}",
                    derivedIssuer);
            CriteriaSet criteriaSet = buildCriteriaSet(derivedIssuer, samlMsgCtx);
            if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) {
                log.info("Validation of request simple signature succeeded");
                if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) {
                    log.info("Authentication via request simple signature succeeded for derived issuer {}",
                            derivedIssuer);
                    samlMsgCtx.setInboundMessageIssuer(derivedIssuer);
                    samlMsgCtx.setInboundSAMLMessageAuthenticated(true);
                }
                return;
            } else {
                log.error("Validation of request simple signature failed for derived issuer: {}", derivedIssuer);
                throw new SecurityPolicyException("Validation of request simple signature failed for derived issuer");
            }
        }
        
        log.error("Neither context nor derived issuer available, can not attempt SAML simple signature validation");
        throw new SecurityPolicyException("No message issuer available, can not attempt simple signature validation");
    }

View Full Code Here

                log.error("Signature validation using request-derived credentials failed");
                return false;
            }
        } catch (SecurityException e) {
            log.error("There was an error evaluating the request's simple signature using the trust engine", e);
            throw new SecurityPolicyException("Error during trust engine evaluation of the simple signature", e);
        }
    }

View Full Code Here

        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;


        String messageIsuer = DatatypeHelper.safeTrimOrNullString(samlMsgCtx.getInboundMessageIssuer());
        if (messageIsuer == null && requiredRule) {
            log.error("Message contained no Issuer ID, replay check not possible");
            throw new SecurityPolicyException("Message contained no Issuer ID, replay check not possible");
        }


        String messageId = DatatypeHelper.safeTrimOrNullString(samlMsgCtx.getInboundSAMLMessageId());
        if (messageId == null && requiredRule) {
            log.error("Message contained no ID, replay check not possible");
            throw new SecurityPolicyException("SAML message from issuer " + messageIsuer + " did not contain an ID");
        }


        if (replayCache.isReplay(messageIsuer, messageId)) {
            log.error("Replay detected of message '" + messageId + "' from issuer " + messageIsuer);
            throw new SecurityPolicyException("Rejecting replayed message ID '" + messageId + "' from issuer "
                    + messageIsuer);
        }


    }

View Full Code Here

                    samlMsgCtx.setInboundSAMLMessageAuthenticated(true);
                }
            } else {
                log.error("Validation of protocol message signature failed for context issuer '" + contextIssuer
                        + "', message type: " + msgType);
                throw new SecurityPolicyException("Validation of protocol message signature failed");
            }
        } else {
            log.error("Context issuer unavailable, can not attempt SAML protocol message signature validation");
            throw new SecurityPolicyException("Context issuer unavailable, can not validate signature");
        }
    }

View Full Code Here

        if (getSignaturePrevalidator() != null) {
            try {
                getSignaturePrevalidator().validate(signature);
            } catch (ValidationException e) {
                log.error("Protocol message signature failed signature pre-validation", e);
                throw new SecurityPolicyException("Protocol message signature failed signature pre-validation", e);
            }
        }
    }

View Full Code Here

0 1 2 3

TOP

Related Classes of org.opensaml.ws.security.SecurityPolicyException

org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule

org.opensaml.common.binding.security.BaseSAMLXMLSignatureSecurityPolicyRule

org.opensaml.common.binding.security.IssueInstantRule

org.opensaml.common.binding.security.MessageReplayRule

org.opensaml.common.binding.security.SAMLMDClientCertAuthRule

org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule

org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule

org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule

org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule

org.opensaml.ws.security.provider.BaseTrustEngineRule

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.