/**
 * Signs the first {@code <saml:Assertion>} child of the given SAML document.
 *
 * The assertion is deep-cloned into a fresh, empty document, signed there via
 * {@link #signDocument(Document)}, and the signed clone is then adopted back into
 * {@code samlDocument} in place of the unsigned original. Signing in a scratch
 * document means {@code signDocument} only ever sees the assertion subtree, so the
 * signature cannot accidentally cover (or be placed in) the surrounding Response.
 * If no assertion child is present the document is left untouched.
 *
 * @param samlDocument the SAML document to modify in place
 * @throws ProcessingException if the scratch document cannot be created
 */
public void signAssertion(Document samlDocument) throws ProcessingException {
    QName assertionName = new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get());
    Element unsignedAssertion = org.keycloak.saml.common.util.DocumentUtil.getChildElement(samlDocument.getDocumentElement(), assertionName);
    if (unsignedAssertion == null) {
        return;
    }

    Document scratch;
    try {
        scratch = org.keycloak.saml.common.util.DocumentUtil.createDocument();
    } catch (ConfigurationException e) {
        throw new ProcessingException(e);
    }

    // Deep clone so the signature is computed over the complete assertion subtree.
    Node signedAssertion = unsignedAssertion.cloneNode(true);
    scratch.adoptNode(signedAssertion);
    scratch.appendChild(signedAssertion);
    signDocument(scratch);

    // Bring the signed clone back and swap it in for the unsigned original.
    samlDocument.adoptNode(signedAssertion);
    Element owner = (Element) unsignedAssertion.getParentNode();
    owner.replaceChild(signedAssertion, unsignedAssertion);
}
/**
 * Imports {@code element} (deep) into {@code document}.
 *
 * {@link Document#importNode} is tried first; if the DOM implementation rejects
 * it with a {@link DOMException}, the element is deep-cloned and the clone is
 * adopted into the target document instead. Either way {@code element} itself is
 * left where it is, and the returned node is the copy now owned by
 * {@code document} (or whatever {@code adoptNode} returns in the fallback path).
 *
 * @param document target document
 * @param element  element to copy into {@code document}
 * @return the imported node, or the adopted clone
 */
protected Node importElement(Document document, Element element) {
    Node copy;
    try {
        copy = document.importNode(element, true);
    } catch (DOMException rejected) {
        // Fallback: adopt a fresh deep clone rather than the original element.
        copy = document.adoptNode(element.cloneNode(true));
    }
    return copy;
}
/**
 * XSW (signature wrapping) test vector #2, applied to a SAML Response in place.
 *
 * The live {@code <samlp:Response>} is deep-cloned, the clone's {@code <ds:Signature>}
 * is removed (the clone keeps the original {@code ID}, so a signature Reference that
 * points at that ID presumably still resolves to the clone), and the clone is inserted
 * into the live Response immediately before the live Signature. The live Response then
 * gets an {@code ID} the signature does not cover. A consumer that verifies the
 * signature by following the Reference but acts on the outer element is the target.
 *
 * Note: {@code getElementsByTagNameNS} returns the first Signature in document order
 * anywhere under the Response; for a Response that is itself unsigned that would be an
 * Assertion's signature, and {@code removeChild}/{@code insertBefore} would then fail
 * with a {@link org.w3c.dom.DOMException} because it is not a direct child. When no
 * Signature exists at all the test is skipped through {@code Assume}.
 *
 * @param document parsed SAML Response document, modified in place
 */
public static void applyXSW2(Document document) {
    Element liveResponse = (Element) document.getElementsByTagNameNS(PROTOCOL_NSURI.get(), "Response").item(0);

    Element unsignedCopy = (Element) liveResponse.cloneNode(true);
    Element copySignature = (Element) unsignedCopy.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    Assume.assumeThat("Response needs to be signed", copySignature, notNullValue());
    unsignedCopy.removeChild(copySignature);

    Element liveSignature = (Element) liveResponse.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    liveResponse.insertBefore(unsignedCopy, liveSignature);
    liveResponse.setAttribute("ID", "_evil_response_ID");
}
/**
 * Builds a new namespace-aware document whose root is a shallow copy of
 * {@code mathElement} (attributes only, no children) holding a deep copy of
 * {@code descendant} as its sole child. Both copies are adopted into the new
 * document; the source document is not modified.
 *
 * @param mathElement element whose attributes become the new root
 * @param descendant  subtree to isolate under that root
 * @return the newly created document
 */
private static Document isolateDescendant(final Element mathElement, final Element descendant) {
    Document isolated = XMLUtilities.createNSAwareDocumentBuilder().newDocument();

    Element root = (Element) mathElement.cloneNode(false);
    Element subtree = (Element) descendant.cloneNode(true);
    isolated.adoptNode(root);
    isolated.adoptNode(subtree);

    isolated.appendChild(root);
    root.appendChild(subtree);
    return isolated;
}
/**
 * XSW (signature wrapping) test vector #1, applied to a SAML Response in place.
 *
 * The live {@code <samlp:Response>} is deep-cloned, the clone's {@code <ds:Signature>}
 * is removed (the clone keeps the original {@code ID}), and the clone is appended as a
 * child of the live Signature element. The live Response keeps its Signature but is
 * given an {@code ID} that signature does not reference, so a Reference lookup by ID
 * presumably lands on the copy hidden inside the Signature while the outer element
 * carries attacker-controlled content.
 *
 * Note: {@code getElementsByTagNameNS} returns the first Signature in document order
 * anywhere under the Response; for a Response that is itself unsigned that would be an
 * Assertion's signature, and {@code removeChild} would then fail with a
 * {@link org.w3c.dom.DOMException}. When no Signature exists at all the test is
 * skipped through {@code Assume}.
 *
 * @param document parsed SAML Response document, modified in place
 */
public static void applyXSW1(Document document) {
    Element liveResponse = (Element) document.getElementsByTagNameNS(PROTOCOL_NSURI.get(), "Response").item(0);

    Element unsignedCopy = (Element) liveResponse.cloneNode(true);
    Element copySignature = (Element) unsignedCopy.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    Assume.assumeThat("Response needs to be signed", copySignature, notNullValue());
    unsignedCopy.removeChild(copySignature);

    Element liveSignature = (Element) liveResponse.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    liveSignature.appendChild(unsignedCopy);
    liveResponse.setAttribute("ID", "_evil_response_ID");
}
/**
 * Returns a deep copy of the body element located by
 * {@link #getBodyElement(Document, TransformerContext)}, or {@code null} when
 * there is none. The copy is owned by the same document as the original but is
 * not attached to the tree.
 *
 * @param document document to search
 * @param context  transformer context passed through to {@code getBodyElement}
 * @return detached deep copy of the body element, or {@code null}
 */
private static Element copyBodyElement(Document document, TransformerContext context) {
    Element body = getBodyElement(document, context);
    return body == null ? null : (Element) body.cloneNode(true);
}
/**
 * XSW (signature wrapping) test vector #4, applied in place.
 *
 * The first {@code Assertion} (any namespace) is deep-cloned; the clone is given a
 * new {@code ID} and stripped of its {@code Signature}, appended to the document
 * element, and the genuine signed assertion is then moved inside the clone as its
 * last child. The signature's Reference presumably still resolves to the genuine
 * assertion by its untouched ID, while the outermost assertion is the forged one.
 *
 * Unlike the namespace-qualified variant, this helper performs no check that a
 * Signature was found: with an unsigned assertion {@code removeChild(null)} fails
 * with a DOM exception rather than skipping the test.
 *
 * @param document parsed SAML document, modified in place
 */
public void applyXSW4(Document document) {
    Element genuine = (Element) document.getElementsByTagNameNS("*", "Assertion").item(0);

    Element forged = (Element) genuine.cloneNode(true);
    Element forgedSignature = (Element) forged.getElementsByTagNameNS("*", "Signature").item(0);
    forged.setAttribute("ID", "_evil_assertion_ID");
    forged.removeChild(forgedSignature);

    // Forged copy becomes a top-level child; the genuine assertion is nested under it.
    Element root = document.getDocumentElement();
    root.appendChild(forged);
    forged.appendChild(genuine);
}
/**
 * XSW (signature wrapping) test vector #7, applied in place.
 *
 * An {@code Extensions} element (created with {@code createElement}, i.e. in no
 * namespace) is inserted before the first {@code <saml:Assertion>}; a deep clone of
 * that assertion with its {@code <ds:Signature>} removed is placed inside it. The
 * clone keeps the original {@code ID}, so the document now contains two elements
 * with the same ID, the unsigned forged copy coming first in document order. A
 * consumer whose ID lookup and signature validation disagree on which one to use
 * is the target. When the assertion carries no Signature the test is skipped
 * through {@code Assume}.
 *
 * @param document parsed SAML document, modified in place
 */
public static void applyXSW7(Document document) {
    Element genuine = (Element) document.getElementsByTagNameNS(ASSERTION_NSURI.get(), "Assertion").item(0);
    Element root = document.getDocumentElement();

    Element extensions = document.createElement("Extensions");
    root.insertBefore(extensions, genuine);

    Element forged = (Element) genuine.cloneNode(true);
    Element forgedSignature = (Element) forged.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    Assume.assumeThat("Assertion needs to be signed", forgedSignature, notNullValue());
    forged.removeChild(forgedSignature);
    extensions.appendChild(forged);
}
/**
 * XSW (signature wrapping) test vector #4, applied in place.
 *
 * The first {@code <saml:Assertion>} is deep-cloned; the clone is given a new
 * {@code ID} and stripped of its {@code <ds:Signature>}, appended to the document
 * element, and the genuine signed assertion is then moved inside the clone as its
 * last child. The signature's Reference presumably still resolves to the genuine
 * assertion by its untouched ID, while the outermost assertion is the forged one.
 * When the assertion carries no Signature the test is skipped through {@code Assume}.
 *
 * @param document parsed SAML document, modified in place
 */
public static void applyXSW4(Document document) {
    Element genuine = (Element) document.getElementsByTagNameNS(ASSERTION_NSURI.get(), "Assertion").item(0);

    Element forged = (Element) genuine.cloneNode(true);
    Element forgedSignature = (Element) forged.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    Assume.assumeThat("Assertion needs to be signed", forgedSignature, notNullValue());
    forged.removeChild(forgedSignature);
    forged.setAttribute("ID", "_evil_assertion_ID");

    // Forged copy becomes a top-level child; the genuine assertion is nested under it.
    Element root = document.getDocumentElement();
    root.appendChild(forged);
    forged.appendChild(genuine);
}
/**
 * XSW (signature wrapping) test vector #7, applied in place.
 *
 * An {@code Extensions} element (created with {@code createElement}, i.e. in no
 * namespace) is inserted before the first {@code Assertion} (any namespace); a deep
 * clone of that assertion with its {@code Signature} removed is placed inside it.
 * The clone keeps the original {@code ID}, so the document now contains two elements
 * with the same ID, the unsigned forged copy coming first in document order.
 *
 * Unlike the namespace-qualified variant, this helper performs no check that a
 * Signature was found: with an unsigned assertion {@code removeChild(null)} fails
 * with a DOM exception rather than skipping the test.
 *
 * @param document parsed SAML document, modified in place
 */
public void applyXSW7(Document document) {
    Element genuine = (Element) document.getElementsByTagNameNS("*", "Assertion").item(0);
    Element root = document.getDocumentElement();

    Element extensions = document.createElement("Extensions");
    root.insertBefore(extensions, genuine);

    Element forged = (Element) genuine.cloneNode(true);
    Element forgedSignature = (Element) forged.getElementsByTagNameNS("*", "Signature").item(0);
    forged.removeChild(forgedSignature);
    extensions.appendChild(forged);
}
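/**
 * Creates the data-source wizard sub-page.
 *
 * Locates the {@code <view>} element of the page being edited and stores a shallow
 * clone of it in {@code clonedXPageViewElement}; a fresh {@link PanelExtraData}
 * pointing at that clone (and carrying over the designer project and workbench
 * references of the incoming panel data) is stored in {@code extraData}. When the
 * current node has no owner document, only {@code dsType} is set.
 *
 * @param pd wizard data shared across sub-pages
 * @param t  data-source type code, stored in {@code dsType}
 */
public WizardSubPageDataSource(WizardDataSub pd, int t) {
    super(pd);
    dsType = t;

    Node currentNode = wizardData.panelData.getNode();
    Document doc = currentNode == null ? null : currentNode.getOwnerDocument();
    if (doc == null) {
        return;
    }

    // Shallow clone: the wizard works on the <view> element itself, not its children.
    Element originalXPageViewNode = XPagesDOMUtil.getViewNode(doc);
    if (originalXPageViewNode != null) {
        clonedXPageViewElement = originalXPageViewNode.cloneNode(false);
    }

    extraData = new PanelExtraData();
    extraData.setDesignerProject(wizardData.panelData.getDesignerProject());
    extraData.setNode(clonedXPageViewElement);
    // A clone is owned by the same document as its source, so `doc` is the clone's
    // owner document; using it directly also avoids an NPE when no <view> element
    // was found and clonedXPageViewElement is null.
    extraData.setDocument(doc);
    extraData.setHostWorkbenchPart(wizardData.panelData.getHostWorkbenchPart());
    extraData.setWorkbenchPart(wizardData.panelData.getWorkbenchPart());
}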
/**
 * Resolves the {@code type} reference of a WADL {@code <resource>} to the element
 * that actually describes it.
 *
 * <ul>
 *   <li>empty {@code type}: {@code resElement} is returned unchanged;</li>
 *   <li>{@code "#id"}: a {@code resource_type} with that id is looked up in
 *       {@code app}; if found, a deep clone of it carrying {@code resElement}'s
 *       {@code id} and {@code path} attributes is returned, otherwise
 *       {@code resElement};</li>
 *   <li>anything else: parsed as a URI to another WADL document, whose path is
 *       prefixed with {@code app}'s base WADL path when {@code app} has one. That
 *       document is read, its grammar info is merged into {@code gInfo}, and the
 *       lookup recurses into it with the URI fragment as a local {@code "#id"}
 *       reference.</li>
 * </ul>
 *
 * NOTE(review): the external-reference branch reads whatever location the
 * {@code type} attribute names; when the input WADL is not trusted, that location
 * is document-controlled. Consider confining it to the base WADL directory.
 *
 * @param app            application the resource belongs to
 * @param resElement     the {@code <resource>} element being resolved
 * @param gInfo          grammar info accumulated so far; updated in place when an
 *                       external WADL is loaded
 * @param typeClassNames generated type class names, passed through to schema generation
 * @param type           the {@code type} attribute value ({@code "#id"} or a WADL URI)
 * @param srcDir         output directory for generated sources
 * @return the resolved element, or {@code resElement} when nothing better was found
 */
private Element getResourceElement(Application app, Element resElement,
                                   GrammarInfo gInfo, Set<String> typeClassNames,
                                   String type, File srcDir) {
    if (type.isEmpty()) {
        return resElement;
    }

    if (type.startsWith("#")) {
        Element resourceType = resolveLocalReference(app.getAppElement(), "resource_type", type);
        if (resourceType == null) {
            return resElement;
        }
        // Clone so the id/path set below do not modify the shared resource_type definition.
        Element resolved = (Element) resourceType.cloneNode(true);
        DOMUtils.setAttribute(resolved, "id", resElement.getAttribute("id"));
        DOMUtils.setAttribute(resolved, "path", resElement.getAttribute("path"));
        return resolved;
    }

    URI ref = URI.create(type);
    String refPath = ref.getPath();
    if (app.getWadlPath() != null) {
        refPath = getBaseWadlPath(app.getWadlPath()) + refPath;
    }
    Application referenced = new Application(readDocument(refPath), refPath);

    GrammarInfo referencedInfo = generateSchemaCodeAndInfo(referenced, typeClassNames, srcDir);
    if (referencedInfo != null) {
        gInfo.getElementTypeMap().putAll(referencedInfo.getElementTypeMap());
        gInfo.getNsMap().putAll(referencedInfo.getNsMap());
    }
    return getResourceElement(referenced, resElement, gInfo, typeClassNames,
                              "#" + ref.getFragment(), srcDir);
}
/**
 * XSW (signature wrapping) test vector #3, applied in place.
 *
 * The first {@code <saml:Assertion>} is deep-cloned; the clone is given a new
 * {@code ID}, stripped of its {@code <ds:Signature>}, and inserted as a sibling
 * immediately before the genuine assertion. The genuine, still-signed assertion is
 * left untouched, so a consumer that validates "the" signed assertion but then reads
 * the first assertion in the document is the target. When the assertion carries no
 * Signature the test is skipped through {@code Assume}.
 *
 * @param document parsed SAML document, modified in place
 */
public static void applyXSW3(Document document) {
    Element genuine = (Element) document.getElementsByTagNameNS(ASSERTION_NSURI.get(), "Assertion").item(0);

    Element forged = (Element) genuine.cloneNode(true);
    Element forgedSignature = (Element) forged.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    Assume.assumeThat("Assertion needs to be signed", forgedSignature, notNullValue());
    forged.removeChild(forgedSignature);
    forged.setAttribute("ID", "_evil_assertion_ID");

    document.getDocumentElement().insertBefore(forged, genuine);
}
/**
 * XSW (signature wrapping) test vector #6, applied in place.
 *
 * The first {@code <saml:Assertion>} is deep-cloned and the clone's
 * {@code <ds:Signature>} removed; the unsigned clone, still carrying the original
 * {@code ID}, is then appended inside the genuine assertion's Signature element,
 * and the genuine assertion (which keeps that Signature) is given a new {@code ID}.
 * A signature Reference by ID presumably now resolves to the copy hidden inside the
 * Signature, while the outer, attacker-editable assertion is what a naive consumer
 * reads. When the assertion carries no Signature the test is skipped through
 * {@code Assume}.
 *
 * @param document parsed SAML document, modified in place
 */
public static void applyXSW6(Document document) {
    Element forged = (Element) document.getElementsByTagNameNS(ASSERTION_NSURI.get(), "Assertion").item(0);
    Element liveSignature = (Element) forged.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);

    Element genuineCopy = (Element) forged.cloneNode(true);
    Element copySignature = (Element) genuineCopy.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    Assume.assumeThat("Assertion needs to be signed", copySignature, notNullValue());
    genuineCopy.removeChild(copySignature);

    // Hide the unsigned copy (original ID) inside the live Signature, then re-ID the outer one.
    liveSignature.appendChild(genuineCopy);
    forged.setAttribute("ID", "_evil_assertion_ID");
}
/**
 * Validate a SAML 2 Protocol Response
 *
 * Checks, in order: the Response Issuer; that at least one Assertion is present;
 * the Destination (only when the Response is signed); the Response-must-be-signed
 * policy; then, per Assertion, the Issuer, the presence of a signature (when
 * required and the Response itself is unsigned), and — for assertions carrying
 * AuthnStatements — the Subject confirmation and AudienceRestriction. The last
 * assertion whose subject confirmation succeeds is the one returned, together
 * with its SessionNotOnOrAfter (or the SubjectConfirmationData NotOnOrAfter as a
 * fallback) and a deep clone of its DOM.
 *
 * NOTE(review): the signature checks in this method are presence checks only;
 * cryptographic verification of the Response/Assertion signatures is assumed to
 * have happened before this method is called — confirm with the caller.
 *
 * @param samlResponse
 * @param postBinding
 * @return a SSOValidatorResponse object
 * @throws WSSecurityException
 */
public SSOValidatorResponse validateSamlResponse(
org.opensaml.saml.saml2.core.Response samlResponse,
boolean postBinding
) throws WSSecurityException {
// Check the Issuer (validateIssuer is defined elsewhere in this class)
validateIssuer(samlResponse.getIssuer());
// The Response must contain at least one Assertion.
if (samlResponse.getAssertions() == null || samlResponse.getAssertions().isEmpty()) {
LOG.warning("The Response must contain at least one Assertion");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// The Response must contain a Destination that matches the assertionConsumerURL if it is
// signed. NOTE(review): an unsigned Response (permitted when enforceResponseSigned is
// false) is not checked against assertionConsumerURL at all.
String destination = samlResponse.getDestination();
if (samlResponse.isSigned()
&& (destination == null || !destination.equals(assertionConsumerURL))) {
LOG.warning("The Response must contain a destination that matches the assertion consumer URL");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
if (enforceResponseSigned && !samlResponse.isSigned()) {
LOG.warning("The Response must be signed!");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// Validate Assertions
org.opensaml.saml.saml2.core.Assertion validAssertion = null;
Instant sessionNotOnOrAfter = null;
for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
// Check the Issuer
if (assertion.getIssuer() == null) {
LOG.warning("Assertion Issuer must not be null");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
validateIssuer(assertion.getIssuer());
// An unsigned assertion is accepted when the Response is signed — presumably
// because the Response signature is expected to cover the enclosed assertions.
if (!samlResponse.isSigned() && enforceAssertionsSigned && assertion.getSignature() == null) {
LOG.warning("The enclosed assertions in the SAML Response must be signed");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// Check for AuthnStatements and validate the Subject accordingly
if (assertion.getAuthnStatements() != null
&& !assertion.getAuthnStatements().isEmpty()) {
org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
// validateAuthenticationSubject is defined elsewhere; a null result means this
// assertion's subject confirmation did not match and it is silently skipped.
org.opensaml.saml.saml2.core.SubjectConfirmation subjectConf =
validateAuthenticationSubject(subject, assertion.getID(), postBinding);
if (subjectConf != null) {
validateAudienceRestrictionCondition(assertion.getConditions());
// Last matching assertion wins; reset so no value from an earlier one leaks through.
validAssertion = assertion;
sessionNotOnOrAfter = null;
// Store Session NotOnOrAfter (the last AuthnStatement that has one wins)
for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
if (authnStatment.getSessionNotOnOrAfter() != null) {
sessionNotOnOrAfter =
Instant.ofEpochMilli(authnStatment.getSessionNotOnOrAfter().toDate().getTime());
}
}
// Fall back to the SubjectConfirmationData NotOnOrAfter if we have no session NotOnOrAfter.
// NOTE(review): getSubjectConfirmationData() and getNotOnOrAfter() are dereferenced
// without null checks; safe only if validateAuthenticationSubject guarantees both — confirm.
if (sessionNotOnOrAfter == null) {
sessionNotOnOrAfter =
Instant.ofEpochMilli(subjectConf.getSubjectConfirmationData()
.getNotOnOrAfter().toDate().getTime());
}
}
}
}
if (validAssertion == null) {
LOG.warning("The Response did not contain any Authentication Statement that matched "
+ "the Subject Confirmation criteria");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
validatorResponse.setResponseId(samlResponse.getID());
validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
if (samlResponse.getIssueInstant() != null) {
validatorResponse.setCreated(Instant.ofEpochMilli(samlResponse.getIssueInstant().toDate().getTime()));
}
// Hand out a deep clone so callers cannot mutate the parsed (signed) message tree;
// the serialized form is taken from that clone as well.
Element assertionElement = validAssertion.getDOM();
Element clonedAssertionElement = (Element)assertionElement.cloneNode(true);
validatorResponse.setAssertionElement(clonedAssertionElement);
validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement));
validatorResponse.setOpensamlAssertion(validAssertion);
return validatorResponse;
}
/**
 * Splits the source element referenced by {@code d} at the current mouse position.
 *
 * The source element is found through the {@code ref} attribute of {@code d.element};
 * a shallow clone of it becomes the second half. For a vertical split the original
 * keeps the upper part (its {@code height} is reduced) and the clone receives
 * {@code y}/{@code height} for the lower part; otherwise the same is done horizontally
 * with {@code width}/{@code x}. The geometry ({@code x}, {@code y}, {@code w},
 * {@code h}) is read from {@code d.element}; if any value is not an integer the stack
 * trace is printed and nothing is changed. The mouse position is divided by the
 * context scale before use (and the context's Point is updated in place), the clone
 * is appended to the original's parent, and {@code context.retransform()} is called.
 *
 * @param context browser context supplying the source element, mouse position and scale
 * @param d       displayable whose {@code ref} names the element to split
 */
void split(BrowserContext context, Displayable d) {
    Element shown = d.element;
    Element source = context.getSourceElementByReference(shown.getAttribute("ref"));
    if (source == null) {
        return;
    }
    Element secondHalf = (Element) source.cloneNode(false);

    int left;
    int top;
    int width;
    int height;
    try {
        left = Integer.parseInt(shown.getAttribute("x"));
        top = Integer.parseInt(shown.getAttribute("y"));
        width = Integer.parseInt(shown.getAttribute("w"));
        height = Integer.parseInt(shown.getAttribute("h"));
    } catch (NumberFormatException malformed) {
        malformed.printStackTrace();
        return;
    }

    // Mouse coordinates are in screen space; map them back through the current scale.
    Point mouse = context.getMousePosition();
    mouse.x = (int) ((double) mouse.x / context.getScale());
    mouse.y = (int) ((double) mouse.y / context.getScale());

    if (splitDirection == DIR_VERTICAL) {
        source.setAttribute("height", String.valueOf(mouse.y - top - 1));
        secondHalf.setAttribute("y", String.valueOf(mouse.y));
        secondHalf.setAttribute("height", String.valueOf(top + height - mouse.y));
    } else {
        source.setAttribute("width", String.valueOf(mouse.x - left - 1));
        secondHalf.setAttribute("x", String.valueOf(mouse.x));
        secondHalf.setAttribute("width", String.valueOf(left + width - mouse.x));
    }

    source.getParentNode().appendChild(secondHalf);
    context.retransform();
}
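/**
 * Validate a SAML 2 Protocol Response
 *
 * Checks, in order: the Response Issuer; that at least one Assertion is present;
 * the Destination (only when the Response is signed); the Response-must-be-signed
 * policy; then, per Assertion, the Issuer, the presence of a signature (when
 * required and the Response itself is unsigned), and — for assertions carrying
 * AuthnStatements — the Subject confirmation and AudienceRestriction. The last
 * assertion whose subject confirmation succeeds is the one returned, together
 * with its SessionNotOnOrAfter (if any) and a deep clone of its DOM.
 *
 * NOTE(review): the signature checks in this method are presence checks only;
 * cryptographic verification of the Response/Assertion signatures is assumed to
 * have happened before this method is called — confirm with the caller.
 *
 * @param samlResponse
 * @param postBinding
 * @return a SSOValidatorResponse object
 * @throws WSSecurityException
 */
public SSOValidatorResponse validateSamlResponse(
    org.opensaml.saml.saml2.core.Response samlResponse,
    boolean postBinding
) throws WSSecurityException {
    // Check the Issuer (validateIssuer is defined elsewhere in this class)
    validateIssuer(samlResponse.getIssuer());
    // The Response must contain at least one Assertion.
    if (samlResponse.getAssertions() == null || samlResponse.getAssertions().isEmpty()) {
        LOG.debug("The Response must contain at least one Assertion");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // The Response must contain a Destination that matches the assertionConsumerURL if it is
    // signed. NOTE(review): an unsigned Response (permitted when enforceResponseSigned is
    // false) is not checked against assertionConsumerURL at all.
    String destination = samlResponse.getDestination();
    if (samlResponse.isSigned()
        && (destination == null || !destination.equals(assertionConsumerURL))) {
        LOG.debug("The Response must contain a destination that matches the assertion consumer URL");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    if (enforceResponseSigned && !samlResponse.isSigned()) {
        LOG.debug("The Response must be signed!");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // Validate Assertions
    org.opensaml.saml.saml2.core.Assertion validAssertion = null;
    Instant sessionNotOnOrAfter = null;
    for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
        // Check the Issuer
        if (assertion.getIssuer() == null) {
            LOG.debug("Assertion Issuer must not be null");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        validateIssuer(assertion.getIssuer());
        // An unsigned assertion is accepted when the Response is signed — presumably
        // because the Response signature is expected to cover the enclosed assertions.
        if (!samlResponse.isSigned() && enforceAssertionsSigned && assertion.getSignature() == null) {
            LOG.debug("The enclosed assertions in the SAML Response must be signed");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        // Check for AuthnStatements and validate the Subject accordingly
        if (assertion.getAuthnStatements() != null
            && !assertion.getAuthnStatements().isEmpty()) {
            org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
            // validateAuthenticationSubject is defined elsewhere; a false result means this
            // assertion's subject confirmation did not match and it is silently skipped.
            if (validateAuthenticationSubject(subject, assertion.getID(), postBinding)) {
                validateAudienceRestrictionCondition(assertion.getConditions());
                // Last matching assertion wins. Reset the session expiry here so a value
                // taken from an earlier matching assertion is never attributed to this one
                // when it carries no SessionNotOnOrAfter of its own.
                validAssertion = assertion;
                sessionNotOnOrAfter = null;
                // Store Session NotOnOrAfter (the last AuthnStatement that has one wins)
                for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
                    if (authnStatment.getSessionNotOnOrAfter() != null) {
                        sessionNotOnOrAfter = authnStatment.getSessionNotOnOrAfter().toDate().toInstant();
                    }
                }
            }
        }
    }
    if (validAssertion == null) {
        LOG.debug("The Response did not contain any Authentication Statement that matched "
            + "the Subject Confirmation criteria");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    SSOValidatorResponse validatorResponse = new SSOValidatorResponse();
    validatorResponse.setResponseId(samlResponse.getID());
    validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
    // Hand out a deep clone so callers cannot mutate the parsed (signed) message tree;
    // the serialized form is taken from that clone as well.
    Element assertionElement = validAssertion.getDOM();
    Element clonedAssertionElement = (Element) assertionElement.cloneNode(true);
    validatorResponse.setAssertionElement(clonedAssertionElement);
    validatorResponse.setAssertion(DOM2Writer.nodeToString(clonedAssertionElement));
    return validatorResponse;
}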
/**
 * Returns a detached deep copy of {@code value}, including attributes and the
 * whole subtree, owned by the same document. Callers must pass a non-null element;
 * no null check is performed here.
 *
 * @param value element to copy
 * @return the deep clone
 */
public Element deepCopyNotNull(Element value) {
    Node clone = value.cloneNode(true);
    return (Element) clone;
}
/**
 * Gets a clone of the configuration element for a qualified element. Note that this configuration reflects the
 * state of things as they were when the configuration was loaded, applications may have programmatically removed
 * builder, marshallers, and unmarshallers during runtime.
 *
 * A deep clone is returned so callers cannot alter the stored configuration.
 *
 * @param qualifedName the namespace qualifed element name of the schema type of the object provider
 *
 * @return the object provider configuration element or null if no object provider is configured with that name
 *
 * @deprecated this method is deprecated with no replacement
 */
public static Element getObjectProviderConfiguration(QName qualifedName) {
    Element stored = configuredObjectProviders.get(qualifedName);
    return stored == null ? null : (Element) stored.cloneNode(true);
}
/**
 * Gets a clone of the ValidatorSuite configuration element for the ID. Note that this configuration reflects the
 * state of things as they were when the configuration was loaded, applications may have programmatically removed
 * altered the suite during runtime.
 *
 * A deep clone is returned so callers cannot alter the stored configuration.
 *
 * @param suiteId the ID of the ValidatorSuite whose configuration is to be retrieved
 *
 * @return the validator suite configuration element or null if no suite is configured with that ID
 *
 * @deprecated this method is deprecated with no replacement
 */
public static Element getValidatorSuiteConfiguration(String suiteId) {
    Element stored = validatorSuiteConfigurations.get(suiteId);
    return stored == null ? null : (Element) stored.cloneNode(true);
}