I guess you could do something like override verifySignedAssertion, to
retrieve the certs from your DB using the SAML Assertion:

https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205

and then override the verifyTrustInCerts method in the underlying
SignatureTrustValidator:

https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97

Colm.
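
One way to put those two pointers together, as an added example (not WSS4J or CXF code): subclass `SamlAssertionValidator`, override `verifySignedAssertion`, pull the subject `NameID` (and, if the assertion's `AttributeStatement` carries it, the `organization-id` attribute) out of the assertion, look up the expected signing certificate, and re-verify the XML signature with that certificate instead of trusting the `KeyInfo` certificate through the truststore. The `SigningCertSource` interface and the `DbBackedSamlAssertionValidator` class name are assumptions standing in for the database query; the OpenSAML package names are the OpenSAML 3 ones that WSS4J 2.2 uses.

```java
import java.security.cert.X509Certificate;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;

/**
 * Added example (not WSS4J/CXF code): verifies the assertion's enveloped XML
 * signature with a certificate fetched from an application store keyed by the
 * assertion's own data, instead of trusting whatever X509Certificate the
 * KeyInfo carries via the configured truststore.
 */
public class DbBackedSamlAssertionValidator extends SamlAssertionValidator {

    /** Hypothetical lookup abstraction, e.g. backed by the database query from the thread. */
    public interface SigningCertSource {
        /** Returns the expected signing certificate, or null if the subject is unknown. */
        X509Certificate lookup(String nameId, String organizationId);
    }

    private static final String ORG_ID_ATTR =
        "urn:oasis:names:tc:xspa:1.0:subject:organization-id";

    private final SigningCertSource certSource;

    public DbBackedSamlAssertionValidator(SigningCertSource certSource) {
        this.certSource = certSource;
    }

    @Override
    protected void verifySignedAssertion(SamlAssertionWrapper samlAssertion, RequestData data)
            throws WSSecurityException {
        // Subject NameID ("myUserID" in the thread) and, if present in the
        // assertion's AttributeStatement, the organization-id attribute.
        String nameId = samlAssertion.getSubjectName();
        String orgId = firstAttributeValue(samlAssertion, ORG_ID_ATTR);
        if (nameId == null || nameId.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }

        X509Certificate expected = certSource.lookup(nameId, orgId);
        if (expected == null) {
            // Unknown subject: fail closed rather than falling back to the truststore.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }

        // Re-verify the signature with the stored certificate's key. This
        // deliberately does NOT call super.verifySignedAssertion(...): that path
        // runs verifyTrustInCerts against the Crypto/truststore for the KeyInfo
        // certificate, which is exactly the step being replaced here. A
        // signature made with any other key (including a certificate the sender
        // embedded in KeyInfo themselves) fails this check.
        SAMLKeyInfo keyInfo = new SAMLKeyInfo(new X509Certificate[] { expected });
        keyInfo.setPublicKey(expected.getPublicKey());
        samlAssertion.verifySignature(keyInfo);
    }

    /** Returns the first value of the named SAML 2.0 attribute, or null if absent. */
    static String firstAttributeValue(SamlAssertionWrapper wrapper, String name) {
        if (wrapper.getSaml2() == null) {
            return null;
        }
        for (AttributeStatement statement : wrapper.getSaml2().getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                if (name.equals(attribute.getName()) && !attribute.getAttributeValues().isEmpty()) {
                    XMLObject value = attribute.getAttributeValues().get(0);
                    if (value instanceof XSString) {
                        return ((XSString) value).getValue();
                    }
                    if (value.getDOM() != null) {
                        return value.getDOM().getTextContent();
                    }
                }
            }
        }
        return null;
    }
}
```

The base `validate()` still runs its other checks (conditions, audience restriction, subject confirmation) after this method returns, so only the trust decision changes. Overriding `verifyTrustInCerts` instead, as Colm suggests, works the same way but that method only receives the certificate array, not the assertion, so the lookup key would have to be stashed per request; re-verifying inside `verifySignedAssertion` keeps the validator stateless. Register the subclass with CXF via the `ws-security.saml2.validator` property.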


On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <ig...@domen.hu> wrote:

> Hello!
> The request contains a SAML in the security header.
> This SAML contains a
> <saml2:Subject>
>     <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45" NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
>     </saml2:SubjectConfirmation>
> </saml2:Subject>
> In the request is an attribute in the claims:
> <ns:Claims Dialect="myDialect">
>     <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
>     </saml-a:Attribute>
> </ns:Claims>
>
> The certificate with which the incoming SAML is signed is stored in a
> database, and for the query I need the saml2:NameID value (MyUserID) and
> the "urn:oasis:names:tc:xspa:1.0:subject:organization-id" organisationID
> (myOrganizationID).
>
> I can do this query, but only after the SAML validation is done.
>
> Somehow I need to run the SAML signature validation after I can get the
> data (inside the
> org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle() function),
>
> or get the data from the request at
> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
> org.apache.wss4j.dom.validate.SamlAssertionValidator.
>
>
> Thanx
>
> Csaba
>
> the request:
>
> ---------------------------------------
>
>
> <soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
>     xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>     <soapenv:Header>
>         <wsse:Security soapenv:mustUnderstand="1"
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>             <saml2:Assertion ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
>                 IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
>                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                 xmlns:xs="http://www.w3.org/2001/XMLSchema">
>                 <saml2:Issuer>....</saml2:Issuer>
>                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                     <ds:SignedInfo>
>                         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                         <ds:Reference URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
>                             <ds:Transforms>
>                                 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                     <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                 </ds:Transform>
>                             </ds:Transforms>
>                             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                             <ds:DigestValue>....</ds:DigestValue>
>                         </ds:Reference>
>                     </ds:SignedInfo>
>                     <ds:SignatureValue>....</ds:SignatureValue>
>                     <ds:KeyInfo>
>                         <ds:X509Data>
>                             <ds:X509Certificate>......</ds:X509Certificate>
>                         </ds:X509Data>
>                     </ds:KeyInfo>
>                 </ds:Signature>
>                 <saml2:Subject>
>                     <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
>                     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                         <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45" NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
>                     </saml2:SubjectConfirmation>
>                 </saml2:Subject>
>                 <saml2:Conditions NotBefore="2018-02-06T18:29:56.647Z" NotOnOrAfter="2018-02-06T18:39:56.647Z">
>                     <saml2:AudienceRestriction>
>                         <saml2:Audience>.....</saml2:Audience>
>                     </saml2:AudienceRestriction>
>                 </saml2:Conditions>
>                 <saml2:AuthnStatement AuthnInstant="2018-02-06T18:29:56.647Z" SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
>                     <saml2:AuthnContext>
>                         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>                     </saml2:AuthnContext>
>                 </saml2:AuthnStatement>
>                 <saml2:AttributeStatement>
>                     ....
>                 </saml2:AttributeStatement>
>             </saml2:Assertion>
>         </wsse:Security>
>     </soapenv:Header>
>     <soapenv:Body>
>         <ns:RequestSecurityToken>
>             <ns:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns:TokenType>
>             <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns:RequestType>
>             <ns:Claims Dialect="MyDialect">
>                 <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>                     <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
>                 </saml-a:Attribute>
>                 ...
>             </ns:Claims>
>         </ns:RequestSecurityToken>
>     </soapenv:Body>
> </soapenv:Envelope>
>
>
> On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
> > Can you post what the request looks like? Even a redacted version of it?
> >
> > Colm.
> >
> > On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <ig...@domen.hu> wrote:
> >
> >> Hello!
> >>
> >> I studied the WSS4J SAML Validator, but it did not help much. My problem
> >> is that I need to get the certificate based on the content of the request
> >> and the header SAML (get out the subject, do a query, and the query gives
> >> back the certificate), and I need to validate the SAML with this
> >> certificate.
> >>
> >> In this case (SamlAssertionValidator) is running before I am able to
> >> parse the request. I can create a dummy validate() function, but
> >> afterwards I need to somehow call it again.
> >>
> >> Any help will be welcome.
> >>
> >> Thanx
> >>
> >> Csaba
> >>
> >>
> >>> Does the SAML assertion appear in the security header of the request or
> >>> in the body of the request? For the former, you will need to implement
> >>> your own WSS4J SAML Validator, or subclass the existing one in some way:
> >>>
> >>> https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
> >>>
> >>> If the SAML assertion is in the SOAP Body then it's handled by the STS
> >>> code, so you will need to either replace or override this class:
> >>>
> >>> https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
> >>>
> >>> Colm.
> >>>
> >>> On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <ig...@domen.hu> wrote:
> >>>
> >>>> Hello!
> >>>>
> >>>> I have a request with the STS to validate an incoming SAML with a
> >>>> certificate that comes from another source: for example, I need to
> >>>> query it from a database, based on the data in the request.
> >>>>
> >>>> How do I start? I know the SAML validation is deep inside and needs the
> >>>> certificate to be in a truststore. Can I give the certificate directly
> >>>> as an attribute, or do I need to create my own, custom truststore manager?
> >>>>
> >>>> Thanx.
> >>>>
> >>>> Csaba
> >>>>
> >>>>
> >>> --
> >>> Colm O hEigeartaigh
> >>>
> >>> Talend Community Coder
> >>> http://coders.talend.com
> >>>
> >>
>
>
