Examples of org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler

• org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler

  Handles for dealing with SAML2 Authentication

  Configuration Options: @see SAML2Handler#CLOCK_SKEW_MILIS: a milisecond value sets a skew for checking the validity of assertion (SP Setting) @see SAML2Handler#DISABLE_AUTHN_STATEMENT Setting a value will disable the generation of an AuthnStatement (IDP Setting) @see SAML2Handler#DISABLE_SENDING_ROLES Setting any value will disable the generation and return of roles to SP (IDP Setting) @see SAML2Handler#USE_MULTI_VALUED_ROLES Setting any value will have an attribute statement with multiple values (IDP Setting) @see SAML2Handler#DISABLE_ROLE_PICKING Setting to true will disable picking IDP attribute statements (SP Setting) @see SAML2Handler#ROLE_KEY a csv list of strings that represent the roles coming from IDP (SP Setting) @see GeneralConstants#NAMEID_FORMAT Setting to a value will provide the nameid format to be sent to IDP (SP Setting) @see SAML2Handler#ASSERTION_CONSUMER_URL: the url to be used for assertionConsumerURL (SP Setting)

  @author Anil.Saldhana@redhat.com @since Oct 8, 2009

        return handler;
    }

    private SAML2AuthenticationHandler createAuthenticationHandler() throws ConfigurationException {
        SAML2AuthenticationHandler handler = new SAML2AuthenticationHandler();

        handler.initHandlerConfig(new DefaultSAML2HandlerConfig());

        return handler;
    }

        return handlerChain;
    }

    private SAML2EncryptionHandler createEncryptionHandler() throws ConfigurationException {
        SAML2EncryptionHandler handler = new SAML2EncryptionHandler();

        DefaultSAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig();

        handler.initHandlerConfig(handlerConfig);

        return handler;
    }

    public void testResponseIdVerification() throws Exception {
        // 1) CONFIGURATION AND INITIALIZATION OF TEST

        // Create handlers
        SAML2AuthenticationHandler authenticationHandler = new SAML2AuthenticationHandler();
        SAML2InResponseToVerificationHandler verificationHandler = new SAML2InResponseToVerificationHandler();

        // Create configuration for handlers
        SAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig();
        SAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig();
        handlerConfig.addParameter(GeneralConstants.NAMEID_FORMAT, JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
        handlerConfig.addParameter(SAML2Handler.DISABLE_SENDING_ROLES, "true");

        Map<String, Object> chainOptions = new HashMap<String, Object>();
        ProviderType spType = new SPType();
        chainOptions.put(GeneralConstants.CONFIGURATION, spType);
        chainOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "true");
        chainConfig.set(chainOptions);

        // Initialize the handlers
        authenticationHandler.initChainConfig(chainConfig);
        authenticationHandler.initHandlerConfig(handlerConfig);
        verificationHandler.initChainConfig(chainConfig);
        verificationHandler.initHandlerConfig(handlerConfig);

        // Create a Protocol Context
        MockHttpSession session = new MockHttpSession();
        MockServletContext servletContext = new MockServletContext();
        MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, "POST");
        MockHttpServletResponse servletResponse = new MockHttpServletResponse();
        HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext);

        // Create handler request and response
        IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/sales/");
        SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), null,
                SAML2Handler.HANDLER_TYPE.SP);
        request.setTypeOfRequestToBeGenerated(SAML2HandlerRequest.GENERATE_REQUEST_TYPE.AUTH);
        SAML2HandlerResponse response = new DefaultSAML2HandlerResponse();

        // 2) GENERATE SAML AUTHENTICATION REQUEST

        // Generate SAML AuthnRequest with handlers
        authenticationHandler.generateSAMLRequest(request, response);
        verificationHandler.generateSAMLRequest(request, response);

        // Parse document and verify that ID is saved in Http session
        Document samlReqDoc = response.getResultingDocument();
        SAMLParser parser = new SAMLParser();
        AuthnRequestType authnRequest = (AuthnRequestType) parser.parse(DocumentUtil.getNodeAsStream(samlReqDoc));
        assertEquals(authnRequest.getID(), servletRequest.getSession().getAttribute(GeneralConstants.AUTH_REQUEST_ID));

        // 3) SEND SAML AUTHENTICATION REQUEST TO IDP

        // Generate request and response for IDP
        SAML2HandlerResponse handlerResponseFromIdp = sendRequestToIdp(authnRequest, samlReqDoc, httpContext, handlerConfig);

        // Parse SAML response from IDP
        Document doc2response = handlerResponseFromIdp.getResultingDocument();
        assertNotNull(doc2response);
        String responseString = DocumentUtil.asString(doc2response);

        // 4) PROCESS SAML RESPONSE FROM IDP. VERIFICATION OF InResponseId SHOULD BE SUCCESSFUL

        HandlerContext handlerContext = getHandlerRequestAndResponse(httpContext, issuerInfo, responseString);

        // Assert that ID from session is not null
        String inResponseIdFromSession = (String) servletRequest.getSession().getAttribute(GeneralConstants.AUTH_REQUEST_ID);
        assertNotNull(inResponseIdFromSession);

        // Handle response from IDP
        authenticationHandler.handleStatusResponseType(handlerContext.request, handlerContext.response);
        verificationHandler.handleStatusResponseType(handlerContext.request, handlerContext.response);

        // Verify that Id is not in session anymore. Becaue it was removed by SAML2ResponseIdVerificationHandler
        assertNull(servletRequest.getSession().getAttribute(GeneralConstants.AUTH_REQUEST_ID));

        // 5) CHANGE InResponseId IN SAML RESPONSE. VALIDATION MUST FAIL NOW.

        // Change InResponseId
        String responseStringChangedId = responseString.replaceAll("InResponseTo=\"" + inResponseIdFromSession + "\"",
                "InResponseTo=\"ID_101dcb5e-f432-4f45-87cb-47daff92edef\"");
        HandlerContext handlerContextChangedId = getHandlerRequestAndResponse(httpContext, issuerInfo, responseStringChangedId);

        // Set Id to session again as it was removed in previous processing
        servletRequest.getSession().setAttribute(GeneralConstants.AUTH_REQUEST_ID, inResponseIdFromSession);

        // Handle response with changed Id. This time it should fail
        try {
            authenticationHandler.handleStatusResponseType(handlerContextChangedId.request, handlerContextChangedId.response);
            verificationHandler.handleStatusResponseType(handlerContextChangedId.request, handlerContextChangedId.response);

            fail("Verification of InResponseTo should fail.");
        } catch (ProcessingException pe) {
            assertEquals(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED, pe.getMessage());
        }

        // 6) REMOVE InResponseId FROM SAML RESPONSE. VALIDATION MUST FAIL NOW.

        // Remove inResponseId
        String responseStringRemovedId = responseString.replaceAll("InResponseTo=\"" + inResponseIdFromSession + "\"", "");
        HandlerContext handlerContextRemovedId = getHandlerRequestAndResponse(httpContext, issuerInfo, responseStringRemovedId);

        // Set Id to session again as it was removed in previous processing
        servletRequest.getSession().setAttribute(GeneralConstants.AUTH_REQUEST_ID, inResponseIdFromSession);

        // Now handle again response from IDP. This time it should also fail as InResponseTo is null
        try {
            authenticationHandler.handleStatusResponseType(handlerContextRemovedId.request, handlerContextRemovedId.response);
            verificationHandler.handleStatusResponseType(handlerContextRemovedId.request, handlerContextRemovedId.response);

            fail("Verification of InResponseTo should fail.");
        } catch (ProcessingException pe) {
            assertEquals(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED, pe.getMessage());
        }

        chainOptionsIdp.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "true");
        SAML2HandlerChainConfig chainConfigIdp = new DefaultSAML2HandlerChainConfig(chainOptionsIdp);

        // Create and init handlers for IDP
        SAML2AuthenticationHandler authenticationHandlerIdp = new SAML2AuthenticationHandler();
        SAML2InResponseToVerificationHandler verificationHandlerIdp = new SAML2InResponseToVerificationHandler();
        authenticationHandlerIdp.initChainConfig(chainConfigIdp);
        authenticationHandlerIdp.initHandlerConfig(handlerConfig);
        verificationHandlerIdp.initChainConfig(chainConfigIdp);
        verificationHandlerIdp.initHandlerConfig(handlerConfig);

        HttpSession session = BaseSAML2Handler.getHttpSession(idpHandlerRequest);
        session.setAttribute(GeneralConstants.PRINCIPAL_ID, new Principal() {
            public String getName() {
                return "testPrincipal";
            }
        });

        // Init Picketlink Core STS
        PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
        sts.installDefaultConfiguration();

        // Init identityServer
        IdentityServer identityServer = new IdentityServer();
        httpContext.getServletContext().setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer);

        // Handle request by IDP
        authenticationHandlerIdp.handleRequestType(idpHandlerRequest, idpHandlerResponse);
        verificationHandlerIdp.handleRequestType(idpHandlerRequest, idpHandlerResponse);

        return idpHandlerResponse;
    }

 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class SAMLIssuerTrustHandlerUnitTestCase extends TestCase {

    public void testIssuer() throws Exception {
        SAML2IssuerTrustHandler issuerTrustHandler = new SAML2IssuerTrustHandler();

        // Create a Protocol Context
        MockHttpSession session = new MockHttpSession();
        MockServletContext servletContext = new MockServletContext();
        MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, "POST");
        MockHttpServletResponse servletResponse = new MockHttpServletResponse();
        HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext);

        // Create chainConfig for IDP
        TrustType trustType = new TrustType();
        Map<String, Object> chainOptionsIdp = new HashMap<String, Object>();
        IDPType idpType = new IDPType();
        idpType.setTrust(trustType);
        chainOptionsIdp.put(GeneralConstants.CONFIGURATION, idpType);
        SAML2HandlerChainConfig chainConfigIdp = new DefaultSAML2HandlerChainConfig(chainOptionsIdp);
        issuerTrustHandler.initChainConfig(chainConfigIdp);

        // Create documentHolder
        NameIDType issuer = new NameIDType();
        AuthnRequestType authnRequestType = new AuthnRequestType("ID_123456789", null);
        authnRequestType.setIssuer(issuer);
        SAMLDocumentHolder documentHolder = new SAMLDocumentHolder(authnRequestType);

        // Create request and response
        SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, null, documentHolder,
              SAML2Handler.HANDLER_TYPE.IDP);
        SAML2HandlerResponse response = new DefaultSAML2HandlerResponse();

        // Test localhost
        issuer.setValue("http://localhost:8080/sales");
        trustType.setDomains("localhost,google.com,somedomain.com");
        issuerTrustHandler.handleRequestType(request, response);

        // Test somedomain
        issuer.setValue("http://www.somedomain.com:8080/sales/");
        issuerTrustHandler.handleRequestType(request, response);

        // Test non-trusted domain
        try {
            issuer.setValue("http://www.evil.com:8080/sales/");
            issuerTrustHandler.handleRequestType(request, response);

            fail("www.evil.com is non-trusted domain");
        }
        catch (ProcessingException pe) {
            Assert.assertEquals(pe.getCause().getClass(), IssuerNotTrustedException.class);
        }

        // Test google.com
        issuer.setValue("google.com");
        issuerTrustHandler.handleRequestType(request, response);

        issuer.setValue("google.com/a/mposolda1.com");
        issuerTrustHandler.handleRequestType(request, response);
    }

        Document authDoc = saml2Request.convert(authnRequest);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        KeyPair keypair = kpg.genKeyPair();

        SAML2SignatureGenerationHandler handler = new SAML2SignatureGenerationHandler();

        SAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig();
        SAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig();

        Map<String, Object> chainOptions = new HashMap<String, Object>();
        SPType idpType = new SPType();
        chainOptions.put(GeneralConstants.CONFIGURATION, idpType);
        chainOptions.put(GeneralConstants.KEYPAIR, keypair);
        chainConfig.set(chainOptions);

        // Initialize the handler
        handler.initChainConfig(chainConfig);
        handler.initHandlerConfig(handlerConfig);

        // Create a Protocol Context
        MockHttpSession session = new MockHttpSession();
        MockServletContext servletContext = new MockServletContext();
        String httpMethod = isPostBinding ? "POST" : "GET";
        MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, httpMethod);
        MockHttpServletResponse servletResponse = new MockHttpServletResponse();
        HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext);

        SAMLDocumentHolder docHolder = new SAMLDocumentHolder(authnRequest, authDoc);
        IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/idp/");
        SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder,
                SAML2Handler.HANDLER_TYPE.IDP);
        request.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);

        SAML2HandlerResponse response = new DefaultSAML2HandlerResponse();
        response.setPostBindingForResponse(isPostBinding);

        request.addOption(GeneralConstants.SENDER_PUBLIC_KEY, keypair.getPublic());

        SAML2AuthenticationHandler authHandler = new SAML2AuthenticationHandler();
        authHandler.initChainConfig(chainConfig);
        authHandler.initHandlerConfig(handlerConfig);
        authHandler.generateSAMLRequest(request, response);

        handler.generateSAMLRequest(request, response);
        Document signedDoc = response.getResultingDocument();

        assertNotNull("Signed Doc is not null", signedDoc);
        SAMLDocumentHolder signedHolder = new SAMLDocumentHolder(signedDoc);
        request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), signedHolder,

        if (!isPostBinding) {
            servletRequest.setQueryString(response.getDestinationQueryStringWithSignature());
        }

        SAML2SignatureValidationHandler validHandler = new SAML2SignatureValidationHandler();
        validHandler.initChainConfig(chainConfig);
        validHandler.initHandlerConfig(handlerConfig);

        validHandler.handleStatusResponseType(request, response);
    }

        return handler;
    }

    private SAML2SignatureValidationHandler createSignatureValidationHandler() throws ConfigurationException {
        SAML2SignatureValidationHandler handler = new SAML2SignatureValidationHandler();

        handler.initHandlerConfig(new DefaultSAML2HandlerConfig());

        return handler;
    }