SamlSsoClient

最新推荐文章于 2022-11-21 02:48:23 发布
最新推荐文章于 2022-11-21 02:48:23 发布
阅读量1k 收藏 1
点赞数
// Copyright (C) 2009 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.google.enterprise.connector.saml.client;

import com.google.enterprise.connector.common.GettableHttpServlet;
import com.google.enterprise.connector.common.HttpExchange;
import com.google.enterprise.connector.common.PostableHttpServlet;
import com.google.enterprise.connector.common.SecurityManagerUtil;
import com.google.enterprise.connector.saml.common.HttpExchangeToInTransport;
import com.google.enterprise.connector.saml.common.HttpExchangeToOutTransport;
import com.google.enterprise.connector.security.identity.DomainCredentials;
import com.google.enterprise.connector.spi.SecAuthnIdentity;
import com.google.enterprise.connector.spi.VerificationStatus;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.binding.decoding.HTTPSOAP11Decoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
import org.opensaml.saml2.core.ArtifactResolve;
import org.opensaml.saml2.core.ArtifactResponse;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.metadata.ArtifactResolutionService;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;

import java.io.IOException;
import java.net.URL;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import static com.google.enterprise.connector.saml.common.OpenSamlUtil.initializeLocalEntity;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.initializePeerEntity;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.makeArtifactResolve;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.makeAuthnRequest;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.makeIssuer;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.makeSamlMessageContext;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.runDecoder;
import static com.google.enterprise.connector.saml.common.OpenSamlUtil.runEncoder;
import com.google.enterprise.connector.servlet.SecurityManagerServlet;

import static org.opensaml.common.xml.SAMLConstants.SAML20P_NS;
import static org.opensaml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI;
import static org.opensaml.common.xml.SAMLConstants.SAML2_SOAP11_BINDING_URI;

public class SamlSsoClient extends SecurityManagerServlet
    implements GettableHttpServlet, PostableHttpServlet {
  private static final Logger LOGGER = Logger.getLogger(SamlSsoClient.class.getName());
  private static final String CLIENT_ID_NAME = "SamlSsoClient.clientId";

  public static void startSamlRequest(HttpServletRequest request, HttpServletResponse response,
                                      SecAuthnIdentity id)
      throws IOException {
    request.getSession().setAttribute(CLIENT_ID_NAME, id);

    SAMLMessageContext<SAMLObject, AuthnRequest, NameID> context = makeSamlMessageContext();

    EntityDescriptor localEntity = getSmEntity();
    SPSSODescriptor sp = localEntity.getSPSSODescriptor(SAML20P_NS);
    initializeLocalEntity(context, localEntity, sp, Endpoint.DEFAULT_ELEMENT_NAME);
    {
      EntityDescriptor peerEntity = getEntity(id.getAuthority());
      initializePeerEntity(context, peerEntity, peerEntity.getIDPSSODescriptor(SAML20P_NS),
          SingleSignOnService.DEFAULT_ELEMENT_NAME,
          SAML2_REDIRECT_BINDING_URI);
    }

    // Generate the request
    AuthnRequest authnRequest = makeAuthnRequest();
    authnRequest.setProviderName("Google Security Manager");
    authnRequest.setIssuer(makeIssuer(context.getOutboundMessageIssuer()));
    authnRequest.setIsPassive(false);
    authnRequest.setAssertionConsumerServiceIndex(
        sp.getDefaultAssertionConsumerService().getIndex());
    context.setOutboundSAMLMessage(authnRequest);
    //context.setRelayState();

    // Send the request via redirect to the user agent
    initResponse(response);
    context.setOutboundMessageTransport(new HttpServletResponseAdapter(response, true));
    runEncoder(new HTTPRedirectDeflateEncoder(), context);
  }

  // GET implies the assertion is being sent with the artifact binding.
  @Override
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    LOGGER.info("Received assertion via artifact binding");
    consumeAssertion(request, response, decodeArtifactResponse(request));
  }

  // POST implies the assertion is being sent with the POST binding.
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    LOGGER.info("Received assertion via POST binding");
    consumeAssertion(request, response, decodePostResponse(request));
  }

  private void consumeAssertion(
      HttpServletRequest request, HttpServletResponse response, Response samlResponse)
      throws IOException {
    String code = samlResponse.getStatus().getStatusCode().getValue();
    LOGGER.info("status code = " + code);
    SecAuthnIdentity id = getSamlClientId(request.getSession());
    if (code.equals(StatusCode.SUCCESS_URI)) {
      extractResponseInfo(samlResponse, id);
      id.setVerificationStatus(VerificationStatus.VERIFIED);
    } else if (code.equals(StatusCode.AUTHN_FAILED_URI)) {
      id.setVerificationStatus(VerificationStatus.REFUTED);
    } else {
      LOGGER.warning("SAML IdP failed to resolve: " + code);
      id.setVerificationStatus(VerificationStatus.INDETERMINATE);
    }

    getBackEnd().authenticate(request, response);
  }

  private void extractResponseInfo(Response samlResponse, SecAuthnIdentity id) {
    List<Assertion> assertions = samlResponse.getAssertions();
    if (assertions.size() <= 0) {
      return;
    }
    Assertion assertion = assertions.get(0);
    id.setUsername(assertion.getSubject().getNameID().getValue());
    LOGGER.info("Credential verified: " + DomainCredentials.class.cast(id).dumpInfo());
  }

  // The OpenSAML HTTPArtifactDecoder isn't implemented, so we must manually decode the
  // artifact.
  private Response decodeArtifactResponse(HttpServletRequest request)
      throws IOException {
    String artifact = request.getParameter("SAMLart");
    if (artifact == null) {
      throw new IOException("No artifact in message");
    }

    SAMLObject message = resolveArtifact(request, artifact, request.getParameter("RelayState"));
    if (! (message instanceof Response)) {
      throw new IOException("Unable to resolve artifact");
    }
    return (Response) message;
  }

  private SAMLObject resolveArtifact(HttpServletRequest request, String artifact, String relayState)
      throws IOException {
    // Establish the SAML message context.
    SAMLMessageContext<ArtifactResponse, ArtifactResolve, NameID> context =
        makeSamlMessageContext();

    EntityDescriptor localEntity = getSmEntity();
    initializeLocalEntity(context, localEntity, localEntity.getSPSSODescriptor(SAML20P_NS),
                          Endpoint.DEFAULT_ELEMENT_NAME);
    {
      EntityDescriptor peerEntity = getEntity(getSamlClientId(request.getSession()).getAuthority());
      initializePeerEntity(context, peerEntity, peerEntity.getIDPSSODescriptor(SAML20P_NS),
                           ArtifactResolutionService.DEFAULT_ELEMENT_NAME,
                           SAML2_SOAP11_BINDING_URI);
    }

    // Generate the request.
    {
      ArtifactResolve artifactResolve = makeArtifactResolve(artifact);
      artifactResolve.setIssuer(makeIssuer(localEntity.getEntityID()));
      context.setOutboundSAMLMessage(artifactResolve);
    }

    // Encode the request.
    HttpExchange exchange =
        SecurityManagerUtil.getHttpClient()
        .postExchange(new URL(context.getPeerEntityEndpoint().getLocation()), null);
    HttpExchangeToOutTransport out = new HttpExchangeToOutTransport(exchange);
    context.setOutboundMessageTransport(out);
    context.setRelayState(relayState);
    runEncoder(new HTTPSOAP11Encoder(), context);
    out.finish();

    // Do HTTP exchange.
    int status = exchange.exchange();
    if (status != 200) {
      throw new IOException("Incorrect HTTP status: " + status);
    }

    // Decode the response.
    context.setInboundMessageTransport(new HttpExchangeToInTransport(exchange));
    runDecoder(new HTTPSOAP11Decoder(), context);

    // Return the decoded response.
    return context.getInboundSAMLMessage().getMessage();
  }

  private Response decodePostResponse(HttpServletRequest request)
      throws IOException {
    SAMLMessageContext<Response, SAMLObject, NameID> context =
        makeSamlMessageContext();

    EntityDescriptor localEntity = getSmEntity();
    initializeLocalEntity(context, localEntity, localEntity.getSPSSODescriptor(SAML20P_NS),
                          AssertionConsumerService.DEFAULT_ELEMENT_NAME);
    {
      EntityDescriptor peerEntity = getEntity(getSamlClientId(request.getSession()).getAuthority());
      initializePeerEntity(context, peerEntity, peerEntity.getIDPSSODescriptor(SAML20P_NS),
          SingleSignOnService.DEFAULT_ELEMENT_NAME,
          SAML2_REDIRECT_BINDING_URI);
    }

    context.setInboundMessageTransport(new HttpServletRequestAdapter(request));
    HTTPPostDecoder decoder = new HTTPPostDecoder();
    runDecoder(decoder, context);

    Response samlResponse = context.getInboundSAMLMessage();
    if (samlResponse == null) {
      throw new IOException("Decoded SAML response is null");
    }
    return samlResponse;
  }

  private static SecAuthnIdentity getSamlClientId(HttpSession session) {
    return SecAuthnIdentity.class.cast(session.getAttribute(CLIENT_ID_NAME));
  }

  // Public for use by BackEnd.
  public static void eraseSamlClientState(HttpSession session) {
    session.removeAttribute(CLIENT_ID_NAME);
  }
}


ku1989
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
智能客户端(SmartClient
1902的专栏
01-03 1694
智能客户端(SmartClient)    本文主要讨论基于企业环境的客户端应用程序模型,由于本人曾经从事过传统的客户端/服务器两层结构应用程序和基于.net平台的多层结构应用程序的开发,因此本文将着重描述.net平台上的智能客户端应用程序模型,并根据一般的企业应用系统的需求来一步一步构造出一个较为完整的客户端软件框架。简介    智能客户端的概念作为Microsoft.net平台的一个特
java 调用webservice 报 No service named XXXXHttpSoap11Endpoint is availab异常
iteye_15582的博客
10-31 2980
服务能正常使用,但是每次调用后台输出如下异常:   [wasrv] 2015-10-30 20:29:01 :Exception:  org.apache.axis.ConfigurationException: No service named  XXXXHttpSoap11Endpoint is available org.apache.axis.ConfigurationExcep...
saml-client_java_saml_client_
09-29
Example code for a saml client in Java using org.opensaml.
Smart Client 智能客户端介绍
GGP_DWS_DANG的网络日记专栏
12-07 1910
智能客户端应用程序可以将胖客户端应用程序的优点与瘦客户端应用程序的部署和可管理性优点结合起来,然而,要完全实现智能客户端应用程序的优点,需要考虑许多体系结构和设计问题。智能客户端应用程序是瘦客户端应用程序的强大替代产品。它们可以为用户提供内容丰富且响应迅速的用户界面,提供脱机工作的能力,并且提供利用本地硬件和软件资源的方法。智能客户端为用户提供了在强大且直观的客户端环境中访问信息和远程服务的能力,
HTTP以及SOAP协议详解
DREAMER
04-21 3204
引言                                         HTTP是一个属于应用层的面向对象的协议,由于其简捷、快速的方式,适用于分布式超媒体信息系统。它于1990年提出,经过几年的使用与发展,得到不断地完善和扩展。目前在WWW中使用的是HTTP/1.0的第六版,HTTP/1.1的规范化工作正在进行之中,而且HTTP-NG(Next Generation
SAML2.0 笔记(二)
最新发布
CoffeeAndIce的博客
11-21 4298
针对SAML2 的实际操作内容流程讲解
OpenSAML 使用引导 III: Service Provider 的实现之Artifact与断言
weixin_34414650的博客
09-10 865
前文OpenSAML 使用引导 II : Service Provider 的实现之AuthnRequest介绍从Service Provider(SP)角度出发,讲解如何使用OpenSAML如申请身份鉴别请求,并从IDP出得到断言的引用标识——SAML Artifact,本文将继续讨论Artifact的具...
java定向查询_java – SAML HTTP重定向绑定中未保留的查询字符串
weixin_39741459的博客
02-27 109
我们使用Spring SAML Security Extension在我们的应用程序中实现SAML.我们现在有以下问题:我们的一位客户正在为其身份提供商提供包含参数的URL.元数据看起来像这样(为简洁起见,大量缩写):Location="https://idp.example.com/login?parameter=value"/>可以看出,有一个名为“parameter”的参数,其值为“v...
深入浅出SAML协议
日薪灬越亿的博客
03-15 1万+
SAML概述 SAML(Security Assertion Markup Language 安全断言标记语言)是一个基于XML的开源标准数据格式,为在安全域间交换身份认证和授权数据,尤其是在IDP(Identity Provider身份提供方)和SP(Service Provider 服务提供方)之间。SAML是OASIS(Organization for the Advancement of Structured Information Standards 安全服务技术委员会)制定的标准,始于2001
OpenSAML2.X 在SSO系统中的应用
weixin_34389926的博客
08-03 1337
背景 年底的时候有机会开发一个SPA(单页面应用)的项目,那时候须要用到票据的方式能够用Cookie的方式来登录。当是想到了OpenID或者是CAS的方式来做统一认证中心。后来一个安全界的大牛推荐让我用SAML,就走上了一条SAML路。后来因为个人原因离开了那个SPA项目,离开的时候SAML还没有開始做,仅仅是大致上了解一些,后来在工作之余还是把OpenSAML2.X 完好成...
php 解析 saml协议,SAML2.0 协议初识(二)---Service Provider(SP)
weixin_31899235的博客
03-25 975
上一节,我们初步认识了 SAML 协议的概念和工作流程,这一节将介绍 SP 端的一些细节。通常情况下,SP 端是请求发起端,即当用户访问 SP 端的受保护资源时,由 SP 端向认证中心(IDP 端)发起认证请求。最终请求会回到 SP 端并由 SP 端将受保护资源授权给用户。假设,SP 有一受保护静态资源 index.html,通常情况下,为了保护该静态资源,SP 可以选择用过滤器对访问该资源的请求...
SAML2.0 协议初识(二)---Service Provider(SP)
weixin_30723433的博客
01-02 1024
上一节,我们初步认识了 SAML 协议的概念和工作流程,这一节将介绍 SP 端的一些细节。 通常情况下,SP 端是请求发起端,即当用户访问 SP 端的受保护资源时,由 SP 端向认证中心(IDP 端)发起认证请求。最终请求会回到 SP 端并由 SP 端将受保护资源授权给用户。 假设,SP 有一受保护静态资源 index.html,通常情况下,为了保护该静态资源,SP 可以选择用过滤器对访问该资...
SSO里面的SAML和OIDC到底讲了啥
teobler的博客
06-01 1932
本文首发于我的博客 https://teobler.com 转载请注明出处 SSO是什么 在了解SSO是什么之前,我们需要搞清楚两个概念: Authentication & Authorization。 Authentication(又被称为AuthN,身份验证),它指的是 the process of verifying that "you are who you say you are",也就是说这个过程是为了证明你是你。通常来说有这么几个方式: Single-factor - 也就是可以.
opensaml的SOAP消息发送和接收
weixin_34248023的博客
02-04 426
首先是Saml工具类 SamlUtils package xuzs.common; import java.io.IOException; import java.io.InputStream; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilder; import javax....
java saml_如何使用Java Single Sign-On SAML支持实施企业用户管理(并保持活动状态)...
danpu0978的博客
05-23 982
java saml 我们如何添加Single Sign-On SAML支持并在生产中对其进行调试 团队可能会使用数十种服务和应用程序来完成任务。 每个服务都要求他们注册并记住复杂的密码,而最终每个服务的内部所有者必须手动处理登录凭据和帐户设置。 这就是SAML的用武之地,旨在帮助公司和服务拥有更好的身份验证流程,而无需手动注册每个人。 以下文章将介绍如何在公司中实施SAML单一登录,并...
基于SAML2.0单点登录的实现(JAVA)
热门推荐
xuliang1265的博客
11-23 1万+
一、实现流程 二、git中下载sp程序,部署服务,并调试,确保与idp可以通信。 1、下载地址 https://github.com/vdenotaris/spring-boot-security-saml-sample 2、配置证书,修改 \src\main\resources\update-certifcate.sh,并运行,会根据配置生成jks证书。解决SSL peer failed ho...
saml java实现_java-saml
weixin_36295010的博客
02-12 2132
OneLogin's SAML Java Toolkit Add SAML support to your Java applications using this library.Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc.Ve...
SAML2.0协议 - 维基百科版翻译
如果你真的想做一件事,你一定会找到方法; 如果你不想做一件事,你一定会找到借口。
10-26 3053
[url=http://saml.xml.org/saml-specifications]SAML 2.0 Specifications - http://saml.xml.org[/url] Security Assertion Markup Language(SAML)是以XML为基础的,为在安全域间交换认证和授权数据的标准,即在[color=red]身份提供者(断言的产生者)和服务提供...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值