See here:
https://github.com/apache/cxf/blob/540bb76f6f3d3d23944c566905f9f395c6f86b79/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/custom/CustomUTValidator.java

// Run SAAJ on demand so the SOAP Body is available as a DOM inside the validator
SOAPMessage soapMessage = getSOAPMessage((SoapMessage)data.getMsgContext());
try {
    Element soapBody = SAAJUtils.getBody(soapMessage);

    if (soapBody != null) {
        // Find custom Element in the SOAP Body
        Element realm = XMLUtils.findElement(soapBody, "realm", "http://cxf.apache.org/custom");
...

Colm.
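The same trick applied to the SAML case in this thread, as an added example (not code from CXF or WSS4J, and not Colm's): a SamlAssertionValidator subclass that overrides verifySignedAssertion, reads the saml2:NameID from the assertion and the organization-id claim from the wst:Claims in the SOAP Body, resolves the expected signing certificate from a directory, and verifies the signature with that certificate. The CertificateLookup interface and the class name are hypothetical stand-ins for the LDAP/DB query; the javax.xml.soap imports assume a pre-Jakarta CXF.

```java
// Added example (not CXF/WSS4J code). Assumed/hypothetical: CertificateLookup, class name.
import java.security.cert.X509Certificate;
import java.util.Objects;

import javax.xml.soap.SOAPException;   // jakarta.xml.soap on Jakarta-based CXF
import javax.xml.soap.SOAPMessage;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class DirectoryBackedSamlValidator extends SamlAssertionValidator {

    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String ORG_ID_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:organization-id";

    /** Hypothetical stand-in for the LDAP/DB query. Both inputs are UNVERIFIED
     *  message data at call time: escape them as LDAP filter values or bind them
     *  as SQL parameters, never concatenate them into the query. */
    public interface CertificateLookup {
        X509Certificate find(String userId, String orgId);
    }

    private final CertificateLookup lookup;

    public DirectoryBackedSamlValidator(CertificateLookup lookup) {
        this.lookup = Objects.requireNonNull(lookup);
    }

    @Override
    protected void verifySignedAssertion(SamlAssertionWrapper samlAssertion, RequestData data)
            throws WSSecurityException {
        // NameID from the assertion (signature not yet checked, so treat it as untrusted input).
        Assertion saml2 = samlAssertion.getSaml2();
        String userId = null;
        if (saml2 != null && saml2.getSubject() != null && saml2.getSubject().getNameID() != null) {
            userId = saml2.getSubject().getNameID().getValue();
        }
        // organization-id from wst:Claims in the SOAP Body of the RequestSecurityToken.
        String orgId = organizationIdFromBody((SoapMessage) data.getMsgContext());
        if (userId == null || orgId == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        X509Certificate expected = lookup.find(userId, orgId);
        if (expected == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        // Verify with the directory certificate only. ds:KeyInfo in the message is
        // attacker-controlled and is deliberately ignored; the base class's truststore
        // check (SignatureTrustValidator) is replaced by the directory lookup above.
        samlAssertion.verifySignature(new SAMLKeyInfo(new X509Certificate[] {expected}));
    }

    /** Same approach as CXF's CustomUTValidator: run SAAJ on demand to get a DOM Body. */
    private static String organizationIdFromBody(SoapMessage msg) throws WSSecurityException {
        SAAJInInterceptor.INSTANCE.handleMessage(msg);
        SOAPMessage soapMessage = msg.getContent(SOAPMessage.class);
        try {
            Element body = SAAJUtils.getBody(soapMessage);
            Element claims = body == null ? null : XMLUtils.findElement(body, "Claims", WST_NS);
            if (claims == null) {
                return null;
            }
            for (Node n = claims.getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n.getNodeType() != Node.ELEMENT_NODE
                    || !SAML2_NS.equals(n.getNamespaceURI())
                    || !"Attribute".equals(n.getLocalName())
                    || !ORG_ID_ATTR.equals(((Element) n).getAttribute("Name"))) {
                    continue;
                }
                Element value = XMLUtils.findElement(n, "AttributeValue", SAML2_NS);
                return value == null ? null : value.getTextContent().trim();
            }
            return null;
        } catch (SOAPException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }
}
```

Register an instance of it on the STS endpoint under the ws-security.saml2-token.validator property (SecurityConstants.SAML2_TOKEN_VALIDATOR); the rest of SamlAssertionValidator.validate() (conditions, subject confirmation and the profile checks) still runs unchanged, only the signature/trust step is replaced. The directory becomes the trust anchor, so the lookup must only ever return a certificate that is bound to that exact (user, organisation) pair, and the lookup inputs must be escaped, since at that point nothing in the message has been authenticated.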

On Tue, Feb 18, 2020 at 7:12 PM Tóth Csaba <[email protected]> wrote:

> Hello!
> I have a problem with my SAML validation.
> - I already did it so that inside the validation I can call an LDAP request,
> get the given cert from the LDAP, and check it against the cert in the SAML.
> BUT
> I need data from the request too, specifically one of the given claims. I
> need that value to give to the LDAP query.
> How can I get the full request, or at least the SOAP body (it
> can be in any form: stream, string, DOM, object...), from the
> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.validate()
> function?
>
> Thanx
> Csaba
>
> On 2019-09-02 12:17, Tóth Csaba wrote:
> > Thanx!
> > It looks good, but I need data from the request too (a claim)
> > for the query.
> >
> > Csaba
> >
> > On 2019-09-02 11:36, Colm O hEigeartaigh wrote:
> >> I guess you could do something like override verifySignedAssertion, to
> >> retrieve the certs from your DB using the SAML Assertion:
> >>
> >>
> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java#L205
> >>
> >>
> >> and then override the verifyTrustInCerts method in the underlying
> >> SignatureTrustValidator:
> >>
> >>
> https://github.com/apache/wss4j/blob/9d09fe641e0d714605c8c70f5ed224901ba97bcc/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java#L97
> >>
> >>
> >> Colm.
> >>
> >>
> >> On Fri, Aug 30, 2019 at 5:20 PM Tóth Csaba <[email protected]> wrote:
> >>
> >>> Hello!
> >>> The request contains a SAML in the security header.
> >>> This SAML contains a
> >>> <saml2:Subject>
> >>>   <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
> >>>   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> >>>     <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
> >>>         NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
> >>>   </saml2:SubjectConfirmation>
> >>> </saml2:Subject>
> >>> In the request there is an attribute in the claims:
> >>> <ns:Claims Dialect="myDialect">
> >>>   <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> >>>       xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
> >>>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>     <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
> >>>   </saml-a:Attribute>
> >>> </ns:Claims>
> >>>
> >>> The certificate with which the incoming SAML is signed is stored in a
> >>> database, and for the query I need the saml2:NameID value (myUserID) and
> >>> the "urn:oasis:names:tc:xspa:1.0:subject:organization-id" organisation ID
> >>> (myOrganizationID).
> >>>
> >>> I can do this query, but only after the SAML validation is done.
> >>>
> >>> Somehow I need to run the SAML signature validation after I can get the
> >>> data (inside the
> >>> org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle()
> >>> function)
> >>>
> >>> or get the data from the request at the
> >>> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator or
> >>> org.apache.wss4j.dom.validate.SamlAssertionValidator
> >>>
> >>>
> >>> Thanx
> >>>
> >>> Csaba
> >>>
> >>> the request:
> >>>
> >>> ---------------------------------------
> >>>
> >>>
> >>> <soapenv:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
> >>>     xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> >>>     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> >>>   <soapenv:Header>
> >>>     <wsse:Security soapenv:mustUnderstand="1"
> >>>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >>>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>>         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> >>>       <saml2:Assertion ID="Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842"
> >>>           IssueInstant="2018-02-06T18:29:56.647Z" Version="2.0"
> >>>           xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> >>>           xmlns:xs="http://www.w3.org/2001/XMLSchema">
> >>>         <saml2:Issuer>....</saml2:Issuer>
> >>>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >>>           <ds:SignedInfo>
> >>>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >>>             <ds:Reference URI="#Assertion_62053dd27ca793af50a2144e85f12ffa9b4ed842">
> >>>               <ds:Transforms>
> >>>                 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >>>                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> >>>                   <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>>                 </ds:Transform>
> >>>               </ds:Transforms>
> >>>               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >>>               <ds:DigestValue>....</ds:DigestValue>
> >>>             </ds:Reference>
> >>>           </ds:SignedInfo>
> >>>           <ds:SignatureValue>....</ds:SignatureValue>
> >>>           <ds:KeyInfo>
> >>>             <ds:X509Data>
> >>>               <ds:X509Certificate>......</ds:X509Certificate>
> >>>             </ds:X509Data>
> >>>           </ds:KeyInfo>
> >>>         </ds:Signature>
> >>>         <saml2:Subject>
> >>>           <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">myUserID</saml2:NameID>
> >>>           <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> >>>             <saml2:SubjectConfirmationData InResponseTo="_81cf1d573493698b6f5daab7fd88c66809ec858f45"
> >>>                 NotOnOrAfter="2018-02-06T18:39:56.655Z"/>
> >>>           </saml2:SubjectConfirmation>
> >>>         </saml2:Subject>
> >>>         <saml2:Conditions NotBefore="2018-02-06T18:29:56.647Z"
> >>>             NotOnOrAfter="2018-02-06T18:39:56.647Z">
> >>>           <saml2:AudienceRestriction>
> >>>             <saml2:Audience>.....</saml2:Audience>
> >>>           </saml2:AudienceRestriction>
> >>>         </saml2:Conditions>
> >>>         <saml2:AuthnStatement AuthnInstant="2018-02-06T18:29:56.647Z"
> >>>             SessionNotOnOrAfter="2018-02-06T18:33:16.647Z">
> >>>           <saml2:AuthnContext>
> >>>             <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
> >>>           </saml2:AuthnContext>
> >>>         </saml2:AuthnStatement>
> >>>         <saml2:AttributeStatement>
> >>>           ....
> >>>         </saml2:AttributeStatement>
> >>>       </saml2:Assertion>
> >>>     </wsse:Security>
> >>>   </soapenv:Header>
> >>>   <soapenv:Body>
> >>>     <ns:RequestSecurityToken>
> >>>       <ns:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns:TokenType>
> >>>       <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns:RequestType>
> >>>       <ns:Claims Dialect="MyDialect">
> >>>         <saml-a:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> >>>             xmlns:saml-a="urn:oasis:names:tc:SAML:2.0:assertion"
> >>>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>           <saml-a:AttributeValue xsi:type="xs:string">myOrganizationID</saml-a:AttributeValue>
> >>>         </saml-a:Attribute>
> >>>         ...
> >>>       </ns:Claims>
> >>>     </ns:RequestSecurityToken>
> >>>   </soapenv:Body>
> >>> </soapenv:Envelope>
> >>>
> >>>
> >>> On 2019-08-30 12:14, Colm O hEigeartaigh wrote:
> >>>> Can you post what the request looks like? Even a redacted version
> >>>> of it?
> >>>>
> >>>> Colm.
> >>>>
> >>>> On Thu, Aug 29, 2019 at 7:48 PM Tóth Csaba <[email protected]> wrote:
> >>>>
> >>>>> Hello!
> >>>>>
> >>>>> I studied the WSS4J SAML Validator, but it did not help much; my problem is
> >>>>> that I need to get the certificate based on the content of the request and
> >>>>> the header SAML (get the subject out, do a query, and the query gives back
> >>>>> the certificate), and I need to validate the SAML with this certificate.
> >>>>>
> >>>>> In this case (SamlAssertionValidator) it is running before I am able to
> >>>>> parse the request. I can create a dummy validate() function, but afterwards
> >>>>> I need to somehow call it again.
> >>>>>
> >>>>> Any help will welcome.
> >>>>>
> >>>>> Thanx
> >>>>>
> >>>>> Csaba
> >>>>>
> >>>>>
> >>>>>> Does the SAML assertion appear in the security header of the
> >>>>>> request or in the body of the request? For the former, you will
> >>>>>> need to implement your own WSS4J SAML Validator, or subclass the
> >>>>>> existing one in some way:
> >>>>>>
> >>>>>> https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
> >>>>>>
> >>>>>> If the SAML assertion is in the SOAP Body then it's handled by
> >>>>>> the STS code, so you will need to either replace or override this class:
> >>>>>>
> >>>>>> https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
> >>>>>>
> >>>>>> Colm.
> >>>>>>
> >>>>>> On Tue, Aug 6, 2019 at 9:03 PM Tóth Csaba <[email protected]> wrote:
> >>>>>>
> >>>>>>> Hello!
> >>>>>>>
> >>>>>>> I have a request for the STS to validate an incoming SAML with a
> >>>>>>> certificate that comes from another source: for example, I need to query it
> >>>>>>> from a database, based on the data in the request.
> >>>>>>>
> >>>>>>> How do I start? I know the SAML validation is deep inside and needs
> >>>>>>> the certificate to be in a truststore. Can I give the certificate
> >>>>>>> directly as an attribute, or do I need to create my own custom truststore manager?
> >>>>>>>
> >>>>>>> Thanx.
> >>>>>>>
> >>>>>>> Csaba
> >>>>>>>
> >>>>>>>
> >>>>>> --
> >>>>>> Colm O hEigeartaigh
> >>>>>>
> >>>>>> Talend Community Coder
> >>>>>> http://coders.talend.com
> >>>>>>
> >>>
> >
>
>
