已经认证的用户,直接向应用发送断言
package com.xxx;
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.*;
import org.opensaml.saml2.core.impl.AssertionBuilder;
import org.opensaml.saml2.core.impl.ResponseBuilder;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import com.xxx.saml.idp.BindingAdapter;
import com.xxx.saml.idp.IdpConfiguration;
import com.xxx.saml.idp.UIASAttributeStatementGenerator;
import com.xxx.saml.util.IDService;
import com.xxx.saml.util.TimeService;
import com.xxx.saml.xml.AttributeStatementGenerator;
import com.xxx.saml.xml.AuthnStatementGenerator;
import com.xxx.saml.xml.EndpointGenerator;
import com.xxx.saml.xml.IssuerGenerator;
import com.xxx.saml.xml.StatusGenerator;
import com.xxx.saml.xml.SubjectGenerator;
import com.xxx.uias.userInfo.pojo.Privilege;
public class TestServlet extends HttpServlet {
private static final long serialVersionUID = 2572744487603163969L;
private final XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
private TimeService timeService = new TimeService();
private IDService idService = new IDService();
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
this.doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
request.setCharacterEncoding("utf-8"); //设置编码
response.setContentType("text/html; charset=utf-8");
String appCode = "demo333";
String issuingEntityName = "UIAS";
String acURL = "http://172.16.15.109:5050/aaa/samlsp/acService";
int validForInSeconds = 300;
String username = "testccc";
String ip = "172.16.15.109";
String inResponseTo = "";
DateTime authnInstant = new DateTime(System.currentTimeMillis());
AuthnStatementGenerator authnStatementGenerator = new AuthnStatementGenerator();
AttributeStatementGenerator attributeStatementGenerator = new AttributeStatementGenerator();
IssuerGenerator issuerGenerator = new IssuerGenerator(issuingEntityName);
SubjectGenerator subjectGenerator = new SubjectGenerator(timeService);
StatusGenerator statusGenerator = new StatusGenerator();
//1.生成authResponse
EndpointGenerator endpointGenerator = new EndpointGenerator();
Endpoint endpoint = endpointGenerator.generateEndpoint(AssertionConsumerService.DEFAULT_ELEMENT_NAME, acURL, null);
//2.
ResponseBuilder responseBuilder = (ResponseBuilder) builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME);
Response authResponse = responseBuilder.buildObject();
Issuer responseIssuer = issuerGenerator.generateIssuer();
AssertionBuilder assertionBuilder = (AssertionBuilder)builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
Assertion assertion = assertionBuilder.buildObject();
Subject subject = subjectGenerator.generateSubject(acURL, validForInSeconds, username, inResponseTo, ip);
Issuer issuer = issuerGenerator.generateIssuer();
AuthnStatement authnStatement = authnStatementGenerator.generateAuthnStatement(authnInstant);
assertion.setIssuer(issuer);
assertion.setSubject(subject);
assertion.setID(idService.generateID());
assertion.setIssueInstant(timeService.getCurrentDateTime());
assertion.getAuthnStatements().add(authnStatement);
//权限
Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();;
for(Privilege p: Privilege.values()){
authorities.add(new SimpleGrantedAuthority("ROLE_" + p.name()));
}
assertion.getAttributeStatements().add(attributeStatementGenerator.generateAttributeStatement(authorities));
//其他属性
UIASAttributeStatementGenerator attrState = new UIASAttributeStatementGenerator();
Map<String, String> attrMap = new HashMap<String, String>();
attrMap.put("appCode", appCode);
attrMap.put("name", "张三");
assertion.getAttributeStatements().add(attrState.generateAttributeStatement(attrMap));
authResponse.getAssertions().add(assertion);
authResponse.setIssuer(responseIssuer);
authResponse.setID(idService.generateID());
authResponse.setIssueInstant(timeService.getCurrentDateTime());
authResponse.setInResponseTo(inResponseTo);
authResponse.setDestination(acURL);
authResponse.setStatus(statusGenerator.generateStatus(StatusCode.SUCCESS_URI));
//JKS
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIDCriteria(issuingEntityName));
criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
CredentialResolver credentialResolver = IdpConfiguration.buildJKSCredentialResolver();
Credential signingCredential = credentialResolver.resolveSingle(criteriaSet);
BindingAdapter adapter = IdpConfiguration.buildBindingAdapter();
adapter.sendSAMLMessage(authResponse, endpoint, signingCredential, response);
} catch (Exception e) {
e.printStackTrace();
}
}
}
该发送类为参考:
import java.io.PrintWriter;
import java.io.IOException;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.List;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.X509EncodedKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
public class ProcessSAML extends HttpServlet {
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
File signatureVerificationPublicKeyFile = new File("C:/IdPSigningCert.cer");
File decryptionPrivateKeyFile = new File("C:/SPEncryptionCert.jks");
String decryptionPrivateKeyName = "test";
String decryptionPrivateKeyPassword = "test";
try
{
//bootstrap the opensaml stuff
org.opensaml.DefaultBootstrap.bootstrap();
// get the message context
MessageContext messageContext = new BasicSAMLMessageContext();
messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
HTTPPostDecoder samlMessageDecoder = new HTTPPostDecoder();
samlMessageDecoder.decode(messageContext);
// get the SAML Response
Response samlResponse = (Response)messageContext.getInboundMessage();
//get the certificate from the file
InputStream inputStream2 = new FileInputStream(signatureVerificationPublicKeyFile);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate)certificateFactory.generateCertificate(inputStream2);
inputStream2.close();
//pull out the public key part of the certificate into a KeySpec
X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(certificate.getPublicKey().getEncoded());
//get KeyFactory object that creates key objects, specifying RSA
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
//generate public key to validate signatures
PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
//create credentials
BasicX509Credential publicCredential = new BasicX509Credential();
//add public key value
publicCredential.setPublicKey(publicKey);
//create SignatureValidator
SignatureValidator signatureValidator = new SignatureValidator(publicCredential);
//get the signature to validate from the response object
Signature signature = samlResponse.getSignature();
//try to validate
try
{
signatureValidator.validate(signature);
}
catch (ValidationException ve)
{
out.println("Signature is not valid.");
out.println(ve.getMessage());
return;
}
//no validation exception was thrown
out.println("Signature is valid.");
//start decryption of assertion
//load up a KeyStore
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(decryptionPrivateKeyFile), decryptionPrivateKeyPassword.toCharArray());
RSAPrivateKey privateKey = (RSAPrivateKey) keyStore.getKey(decryptionPrivateKeyName, decryptionPrivateKeyPassword.toCharArray());
//create the credential
BasicX509Credential decryptionCredential = new BasicX509Credential();
decryptionCredential.setPrivateKey(privateKey);
StaticKeyInfoCredentialResolver skicr = new StaticKeyInfoCredentialResolver(decryptionCredential);
//create a decrypter
Decrypter decrypter = new Decrypter(null, skicr, new InlineEncryptedKeyResolver());
//decrypt the first (and only) assertion
Assertion decryptedAssertion;
try
{
decryptedAssertion = decrypter.decrypt(samlResponse.getEncryptedAssertions().get(0));
}
catch (DecryptionException de)
{
out.println("Assertion decryption failed.");
out.println(de.getMessage());
return;
}
out.println("Assertion decryption succeeded.");
//loop through the nodes to get the Attributes
//this is where you would do something with these elements
//to tie this user with your environment
List attributeStatements = decryptedAssertion.getAttributeStatements();
for (int i = 0; i < attributeStatements.size(); i++)
{
List attributes = attributeStatements.get(i).getAttributes();
for (int x = 0; x < attributes.size(); x++)
{
String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
List attributeValues = attributes.get(x).getAttributeValues();
for (int y = 0; y < attributeValues.size(); y++)
{
String strAttributeValue = attributeValues.get(y).getDOM().getTextContent();
out.println(strAttributeName + ": " + strAttributeValue + " ");
}
}
}
}
catch (Exception ex)
{
ex.printStackTrace();
}
}
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
}
@Override
public String getServletInfo() {
return "This servlet processes a SAML 2.0 Response. It verifies the signature, " +
"decrypts an assertion, and parses out the data in the attribute statements. " +
"If you use this code as a base for your implementation please leave the @author comment intact. " +
"You should add your own name in addition.";
}
}