SAML UPDATE

支持腾讯云和阿里云SAML 单点登录，支持属性扩展

Author: shimingxy

maxkey-core/src/main/java/org/maxkey/domain/ExtraAttr.java

@@ -10,15 +10,23 @@
 public class ExtraAttr {
 
 	String attr;
+	String type;
 	String value;
 
+	public ExtraAttr(String attr, String value) {
+		super();
+		this.attr = attr;
+		this.value = value;
+	}
+	
 	/**
 	 * @param attr
 	 * @param value
 	 */
-	public ExtraAttr(String attr, String value) {
+	public ExtraAttr(String attr, String type,String value) {
 		super();
 		this.attr = attr;
+		this.type=type;
 		this.value = value;
 	}
 	public String getAttr() {
@@ -34,6 +42,12 @@ public void setValue(String value) {
 		this.value = value;
 	}
 
+	public String getType() {
+		return type;
+	}
+	public void setType(String type) {
+		this.type = type;
+	}
 	@Override
 	public String toString() {
 		return "ExtraAttr [attr=" + attr + ", value=" + value + "]";

maxkey-protocols/maxkey-protocol-saml-2.0/.sts4-cache/classpath-data.json

@@ -86,11 +86,11 @@ public ModelAndView  metadata(HttpServletRequest request,
 
 	        IDPSSODescriptor descriptor = metadataGenerator.buildIDPSSODescriptor();
 
-	        descriptor.getSingleSignOnServices().add(metadataGenerator.getSingleSignOnService(WebContext.getHttpContextPath()+"/saml/v20/authorize/"+appId,null));
+	        descriptor.getSingleSignOnServices().add(metadataGenerator.getSingleSignOnService(WebContext.getHttpContextPath()+"/saml/v20/authz/"+appId,null));
 
-	        descriptor.getSingleSignOnServices().add(metadataGenerator.getSingleSignOnService(WebContext.getHttpContextPath()+"/saml/v20/authorize/"+appId,SAMLConstants.SAML2_REDIRECT_BINDING_URI));
+	        descriptor.getSingleSignOnServices().add(metadataGenerator.getSingleSignOnService(WebContext.getHttpContextPath()+"/saml/v20/authz/"+appId,SAMLConstants.SAML2_REDIRECT_BINDING_URI));
 
-	        descriptor.getSingleSignOnServices().add(metadataGenerator.getSingleSignOnService(WebContext.getHttpContextPath()+"/saml/v20/authorize/"+appId,SAMLConstants.SAML2_POST_SIMPLE_SIGN_BINDING_URI));
+	        descriptor.getSingleSignOnServices().add(metadataGenerator.getSingleSignOnService(WebContext.getHttpContextPath()+"/saml/v20/authz/"+appId,SAMLConstants.SAML2_POST_SIMPLE_SIGN_BINDING_URI));
 
 	        descriptor.getSingleLogoutServices().add(metadataGenerator.getSingleLogoutService(WebContext.getHttpContextPath()+"/logout",null));
 

maxkey-protocols/maxkey-protocol-saml-2.0/src/main/java/org/maxkey/authz/saml20/metadata/endpoint/MetadataEndpoint.java

@@ -7,6 +7,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.joda.time.DateTime;
+import org.maxkey.authn.BasicAuthentication;
 import org.maxkey.authz.saml.common.AuthnRequestInfo;
 import org.maxkey.authz.saml.common.EndpointGenerator;
 import org.maxkey.authz.saml20.binding.BindingAdapter;
@@ -48,7 +49,7 @@ public ModelAndView assertion(HttpServletRequest request,HttpServletResponse res
 		bindingAdapter = (BindingAdapter) request.getSession().getAttribute("samlv20Adapter");
 		logger.debug("saml20 assertion get session samlv20Adapter "+bindingAdapter);
 		AppsSAML20Details saml20Details = bindingAdapter.getSaml20Details();
-
+		logger.debug("saml20Details "+saml20Details.getExtendAttr());
 		AuthnRequestInfo authnRequestInfo = bindingAdapter.getAuthnRequestInfo();
 
 		if (authnRequestInfo == null) {
@@ -67,7 +68,10 @@ public ModelAndView assertion(HttpServletRequest request,HttpServletResponse res
 			grantedAuthority.add(anthGrantedAuthority);
 		}
 		//TODO:
-		String userName =authToken.getPrincipal().toString();
+		//String userName ="shimingxy@qq.com";
+		String userName =((BasicAuthentication )authToken.getPrincipal()).getJ_username();
+		//aly
+		//String userName ="admin@1729982683323703.onaliyun.com";
 		DateTime authnInstant = new DateTime(request.getSession().getCreationTime());
 
 		String remoteAddress=WebContext.getRequestIpAddress(request);

maxkey-protocols/maxkey-protocol-saml-2.0/src/main/java/org/maxkey/authz/saml20/provider/endpoint/AssertionEndpoint.java

@@ -75,7 +75,6 @@ public Assertion generateAssertion(
 
 		AttributeStatement attributeStatement =attributeStatementGenerator.generateAttributeStatement(authorities, attributeMap);
 		assertion.getAttributeStatements().add(attributeStatement);
-
 		assertion.setID(idService.generateID());
 		assertion.setIssueInstant(timeService.getCurrentDateTime());
 

maxkey-protocols/maxkey-protocol-saml-2.0/src/main/java/org/maxkey/authz/saml20/provider/xml/AssertionGenerator.java

@@ -5,6 +5,12 @@
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Map.Entry;
+
+import org.maxkey.authz.saml20.binding.BindingAdapter;
+import org.maxkey.domain.ExtraAttr;
+import org.maxkey.domain.ExtraAttrs;
+import org.maxkey.domain.apps.AppsSAML20Details;
+import org.maxkey.web.WebContext;
 import org.opensaml.Configuration;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeStatement;
@@ -14,10 +20,13 @@
 import org.opensaml.xml.XMLObjectBuilderFactory;
 import org.opensaml.xml.schema.XSString;
 import org.opensaml.xml.schema.impl.XSStringBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.core.GrantedAuthority;
 
 public class AttributeStatementGenerator {
-
+	private final static Logger logger = LoggerFactory.getLogger(AttributeStatementGenerator.class);
+	
 	private final XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
 
 	public AttributeStatement generateAttributeStatement(Collection<GrantedAuthority> authorities) {
@@ -44,22 +53,38 @@ public AttributeStatement generateAttributeStatement(
 				String key = entry.getKey();
 				String value = entry.getValue();
 
-				Attribute attribute=builderAttribute(key,value);
+				Attribute attribute=builderAttribute(key,value,Attribute.BASIC);
 
 				attributeStatement.getAttributes().add(attribute);
 
 			}
 		}
+		 BindingAdapter bindingAdapter = (BindingAdapter) WebContext.getSession().getAttribute("samlv20Adapter");
+		AppsSAML20Details saml20Details = bindingAdapter.getSaml20Details();
+		logger.debug("ExtendAttr "+saml20Details.getExtendAttr());
+		ExtraAttrs extraAttrs=new ExtraAttrs(saml20Details.getExtendAttr());
+		for(ExtraAttr extraAttr : extraAttrs.getExtraAttrs()) {
+			logger.debug("Attribute : "+extraAttr.getAttr()+" , Vale : "+extraAttr.getValue()+" , Type : "+extraAttr.getType());
+			attributeStatement.getAttributes().add(builderAttribute(extraAttr.getAttr(),extraAttr.getValue(),extraAttr.getType()));
+		}
+		//tencent
+		//attributeStatement.getAttributes().add(builderAttribute("https://cloud.tencent.com/SAML/Attributes/Role","qcs::cam::uin/100013138092:roleName/cloud.tencent_maxkey,qcs::cam::uin/100013138092:saml-provider/maxkey",Attribute.UNSPECIFIED));
+		//attributeStatement.getAttributes().add(builderAttribute("https://cloud.tencent.com/SAML/Attributes/RoleSessionName","maxkey",Attribute.UNSPECIFIED));
+		//aliyun
+		//attributeStatement.getAttributes().add(builderAttribute("https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName","2037230828547234327",Attribute.UNSPECIFIED));
+		//attributeStatement.getAttributes().add(builderAttribute("https://www.aliyun.com/SAML-Role/Attributes/Role","acs:ram::1729982683323703:role/maxkey,acs:ram::1729982683323703:saml-provider/maxkey",Attribute.UNSPECIFIED));
+		//attributeStatement.getAttributes().add(builderAttribute("https://www.aliyun.com/SAML-Role/Attributes/SessionDuration","1800",Attribute.UNSPECIFIED));
+		
 		return attributeStatement;
 	}
 
-	public Attribute builderAttribute(String attributeName,String value ){
+	public Attribute builderAttribute(String attributeName,String value ,String nameFormat){
 		AttributeBuilder attributeBuilder = (AttributeBuilder) builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
 		Attribute attribute = attributeBuilder.buildObject();
 		attribute.setName(attributeName);
 
 		// urn:oasis:names:tc:SAML:2.0:attrname-format:basic
-		attribute.setNameFormat(Attribute.DEFAULT_ELEMENT_LOCAL_NAME);
+		attribute.setNameFormat(nameFormat);
 
 		// Response/Assertion/AttributeStatement/Attribute/AttributeValue
 		XSStringBuilder stringBuilder = (XSStringBuilder) builderFactory.getBuilder(XSString.TYPE_NAME);
@@ -75,7 +100,7 @@ public Attribute   builderGrantedAuthority(Collection<GrantedAuthority> authorit
 		// Response/Assertion/AttributeStatement/Attribute
 		AttributeBuilder attributeBuilder = (AttributeBuilder) builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
 		Attribute attribute = attributeBuilder.buildObject();
-		attribute.setName(GrantedAuthority.class.getName());
+		attribute.setName("GrantedAuthority");
 
 		// urn:oasis:names:tc:SAML:2.0:attrname-format:basic
 		attribute.setNameFormat(Attribute.BASIC);

maxkey-protocols/maxkey-protocol-saml-2.0/src/main/java/org/maxkey/authz/saml20/provider/xml/AttributeStatementGenerator.java

@@ -26,8 +26,18 @@
 import org.opensaml.xml.encryption.EncryptionException;
 import org.opensaml.xml.encryption.EncryptionParameters;
 import org.opensaml.xml.encryption.KeyEncryptionParameters;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallerFactory;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.security.credential.BasicCredential;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.SignatureException;
+import org.opensaml.xml.signature.Signer;
+import org.opensaml.xml.signature.impl.SignatureBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.GrantedAuthority;
@@ -87,6 +97,10 @@ public Response generateAuthnResponse(  AppsSAML20Details saml20Details,
 											authnInstant);
 
 		try{
+			
+			logger.debug("authResponse.isSigned "+authResponse.isSigned());
+			
+			//assertion.setSignature(newSignature);
 			if(BOOLEAN.isTrue(saml20Details.getEncrypted())) {
 				// Assume this contains a recipient's RSA public
 				logger.info("begin to encrypt assertion");
@@ -107,20 +121,48 @@ public Response generateAuthnResponse(  AppsSAML20Details saml20Details,
 				encrypter.setKeyPlacement(KeyPlacement.PEER);
 				EncryptedAssertion encryptedAssertion = encrypter.encrypt(assertion);
 				authResponse.getEncryptedAssertions().add(encryptedAssertion);
-			} else {
-				authResponse.getAssertions().add(assertion);
-			}
+			} 
+			
+			SignatureBuilder signatureBuilder = (SignatureBuilder) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME);
+	        BasicCredential basicCredential = new BasicCredential();
+	        basicCredential.setPrivateKey(signingCredential.getPrivateKey());
+	        
+	        Signature signature = signatureBuilder.buildObject();
+	        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+	        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+	        
+	        signature.setSigningCredential(basicCredential);
+	        KeyInfoGeneratorFactory keyInfoGeneratorFactory = Configuration
+					.getGlobalSecurityConfiguration()
+					.getKeyInfoGeneratorManager().getDefaultManager()
+					.getFactory(signingCredential);
+	        
+	        signature.setKeyInfo(keyInfoGeneratorFactory.newInstance().generate(signingCredential));
+	        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+	        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+	        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+			assertion.setSignature(signature);
+
+			Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
+            Signer.signObject(signature);
+            
+			logger.debug("assertion.isSigned "+assertion.isSigned());;
+			authResponse.getAssertions().add(assertion);
+			
 		}
 		catch (EncryptionException e) {
 			logger.info("Unable to encrypt assertion .");
 			e.printStackTrace();
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
 		}
 
 		authResponse.setIssuer(responseIssuer);
 		authResponse.setID(idService.generateID());
 		authResponse.setIssueInstant(timeService.getCurrentDateTime());
 		authResponse.setInResponseTo(inResponseTo);
-		authResponse.getAssertions().add(assertion);
+		//authResponse.getAssertions().add(assertion);
 		authResponse.setDestination(assertionConsumerURL);
 		authResponse.setStatus(statusGenerator.generateStatus(StatusCode.SUCCESS_URI));
 		return authResponse;

maxkey-protocols/maxkey-protocol-saml-2.0/src/main/java/org/maxkey/authz/saml20/provider/xml/AuthnResponseGenerator.java

@@ -3,7 +3,6 @@
 
 
 import org.maxkey.authz.saml.service.TimeService;
-import org.opensaml.Configuration;
 import org.opensaml.saml2.core.NameID;
 import org.opensaml.saml2.core.NameIDType;
 import org.opensaml.saml2.core.Subject;
@@ -13,11 +12,10 @@
 import org.opensaml.saml2.core.impl.SubjectBuilder;
 import org.opensaml.saml2.core.impl.SubjectConfirmationBuilder;
 import org.opensaml.saml2.core.impl.SubjectConfirmationDataBuilder;
-import org.opensaml.xml.XMLObjectBuilderFactory;
 
 public class SubjectGenerator {
 
-	private final XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+	//private final XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
 	private final TimeService timeService;
 
 	public SubjectGenerator(TimeService timeService) {
@@ -47,31 +45,30 @@ public Subject generateSubject(
 	}
 
 	public NameID builderNameID(String value,String strSPNameQualifier){
-		//Response/Assertion/Subject/NameID
-		NameIDBuilder nameIDBuilder = (NameIDBuilder) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
-		NameID nameID = nameIDBuilder.buildObject();
+		//Response/Assertion/Subject/NameID	
+		NameID nameID = new NameIDBuilder().buildObject();
 		nameID.setValue(value);
-		nameID.setFormat(NameIDType.PERSISTENT);
-		nameID.setSPNameQualifier(strSPNameQualifier);
+		//nameID.setFormat(NameIDType.PERSISTENT);
+		nameID.setFormat(NameIDType.UNSPECIFIED);
+		//nameID.setSPNameQualifier(strSPNameQualifier);
 
 		return nameID;
 	}
 
 	public Subject builderSubject (NameID nameID){
 		//Response/Assertion/Subject
-		SubjectBuilder subjectBuilder =  (SubjectBuilder)builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME);
-		Subject subject = subjectBuilder.buildObject();
+		Subject subject = new SubjectBuilder().buildObject();
 		subject.setNameID(nameID);
 		return subject;
 	}
 
 	public SubjectConfirmation builderSubjectConfirmation(String recipient,String inResponseTo,int validInSeconds,String clientAddress){
-		SubjectConfirmationBuilder subjectConfirmationBuilder = (SubjectConfirmationBuilder)builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
-		SubjectConfirmation subjectConfirmation = subjectConfirmationBuilder.buildObject();
+		//SubjectConfirmationBuilder subjectConfirmationBuilder = (SubjectConfirmationBuilder)builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
+		SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
 		subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
 
-		SubjectConfirmationDataBuilder subjectConfirmationDataBuilder = (SubjectConfirmationDataBuilder)builderFactory.getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
-		SubjectConfirmationData subjectConfirmationData = subjectConfirmationDataBuilder.buildObject();
+		//SubjectConfirmationDataBuilder subjectConfirmationDataBuilder = (SubjectConfirmationDataBuilder)builderFactory.getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
+		SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationDataBuilder().buildObject();
 
 		subjectConfirmationData.setRecipient(recipient);
 		//if idp-init not need inResponseTo

maxkey-protocols/maxkey-protocol-saml-2.0/src/main/java/org/maxkey/authz/saml20/provider/xml/SubjectGenerator.java

@@ -46,6 +46,9 @@ public class SAML20DetailsController   extends BaseAppContorller {
 	@Autowired
 	AppsSaml20DetailsService saml20DetailsService;
 
+	@Autowired
+	String maxKeyURI;
+	
 	@RequestMapping(value = { "/forwardAdd" })
 	public ModelAndView forwardAdd() {
 		ModelAndView modelAndView=new ModelAndView("apps/saml20/appAdd");
@@ -84,6 +87,7 @@ public ModelAndView forwardUpdate(@PathVariable("id") String id) {
 		decoderSecret(saml20Details);
 		WebContext.setAttribute(saml20Details.getId(), saml20Details.getIcon());
 		modelAndView.addObject("model",saml20Details);
+		modelAndView.addObject("maxKeyURI",maxKeyURI);
 		return modelAndView;
 	}
 	/**