Search in sources :

Example 16 with BaseConfigType

use of com.sun.identity.federation.jaxb.entityconfig.BaseConfigType in project OpenAM by OpenRock.

the class FSIDPFinderService method getCommonDomainIDP.

/**
     * Gets a preferred IDP from the common domain cookie.
     * @param request HttpServletRequest
     * @param response HttpServletResponse
     * @param realm The realm under which the entity resides.
     * @param entityID Hosted entity ID.
     * @param requestID Original Authentication Request ID.
     * @exception FSRedirectException for the redirection.
     *            IOException for any redirection failure.
     */
private String getCommonDomainIDP(HttpServletRequest request, HttpServletResponse response, String realm, String entityID, String requestID) throws FSRedirectException, IOException {
    String idpID = FSUtils.findPreferredIDP(realm, request);
    if (idpID != null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSIDPFinderService.getCommonDomainIDP:" + "Preferred IDP found from the common domain." + idpID);
        }
        if (requestCotSetMap.containsKey(requestID)) {
            requestCotSetMap.remove(requestID);
        }
        return idpID;
    }
    Set tmpCotSet = (Set) requestCotSetMap.get(requestID);
    if (tmpCotSet == null) {
        try {
            IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
            List cotList = null;
            if (metaManager != null) {
                BaseConfigType spConfig = metaManager.getSPDescriptorConfig(realm, entityID);
                cotList = IDFFMetaUtils.getAttributeValueFromConfig(spConfig, IFSConstants.COT_LIST);
            }
            if (cotList != null) {
                tmpCotSet = new HashSet();
                tmpCotSet.addAll(cotList);
            }
        } catch (IDFFMetaException ie) {
            FSUtils.debug.error("FSIDPFinderService.getCommonDomainIDP:cannot get meta:", ie);
            return null;
        }
    }
    if (tmpCotSet == null || tmpCotSet.isEmpty()) {
        FSUtils.debug.message("FSIDPFinderService.getCommonDomainIDP::No more Cots.");
        if (requestCotSetMap.containsKey(requestID)) {
            requestCotSetMap.remove(requestID);
        }
        return null;
    }
    Iterator iter = tmpCotSet.iterator();
    while (iter.hasNext()) {
        String cotName = (String) iter.next();
        iter.remove();
        requestCotSetMap.put(requestID, tmpCotSet);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSIDPFinderService.getCommonDomainIDP: Trying Cot: " + cotName);
        }
        String readerServiceURL = null;
        try {
            CircleOfTrustManager cotManager = new CircleOfTrustManager();
            CircleOfTrustDescriptor cotDesc = cotManager.getCircleOfTrust(realm, cotName);
            if (cotDesc != null && (cotDesc.getCircleOfTrustStatus()).equalsIgnoreCase(IFSConstants.ACTIVE)) {
                readerServiceURL = cotDesc.getIDFFReaderServiceURL();
            }
        } catch (COTException fe) {
            FSUtils.debug.error("FSIDPFinderService.getCommonDomainIDP:" + "Unable to retrieve reader service url.", fe);
        }
        if (readerServiceURL != null) {
            String baseURL = FSServiceUtils.getBaseURL(request);
            StringBuffer returnURL = new StringBuffer(300);
            returnURL.append(baseURL).append(IFSConstants.IDP_FINDER_URL).append("?").append("RequestID").append("=").append(URLEncDec.encode(requestID)).append("&").append("Realm=").append(URLEncDec.encode(realm)).append("&").append("ProviderID=").append(URLEncDec.encode(entityID));
            StringBuffer redirectURL = new StringBuffer(300);
            redirectURL.append(readerServiceURL).append("?").append(IFSConstants.LRURL).append("=").append(URLEncDec.encode(returnURL.toString()));
            String url = redirectURL.toString();
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSIDPFinderService.getCommonDomainIDP:Redirection URL:" + url);
            }
            response.setHeader("Location", url);
            response.sendRedirect(url);
            throw new FSRedirectException(FSUtils.bundle.getString("Redirection_Happened"));
        }
    }
    return null;
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) CircleOfTrustManager(com.sun.identity.cot.CircleOfTrustManager) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSRedirectException(com.sun.identity.federation.common.FSRedirectException) CircleOfTrustDescriptor(com.sun.identity.cot.CircleOfTrustDescriptor) COTException(com.sun.identity.cot.COTException) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) HashSet(java.util.HashSet)

Example 17 with BaseConfigType

use of com.sun.identity.federation.jaxb.entityconfig.BaseConfigType in project OpenAM by OpenRock.

the class FSServiceManager method getSSOAndFedHandler.

/**
     * Returns handler at <code>IDP</code> side that handles single sign on and
     * federation requests.
     * @param request http request object
     * @param response http response object
     * @param authnRequest authentication request sent by service provider
     * @param realm The realm under which the entity resides.
     * @return <code>FSSSOAndFedHandler</code> object
     */
public FSSSOAndFedHandler getSSOAndFedHandler(HttpServletRequest request, HttpServletResponse response, FSAuthnRequest authnRequest, String realm) {
    FSUtils.debug.message("FSServiceManager.getSSOAndFedHandler: Called ");
    if ((request == null) || (response == null) || (authnRequest == null)) {
        FSUtils.debug.error("FSServiceManager.getSSOAndFedHandler: " + FSUtils.bundle.getString("nullInputParameter"));
        return null;
    }
    try {
        FSSSOAndFedHandler returnHandler = null;
        String profile = authnRequest.getProtocolProfile();
        IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
        String spEntityId = authnRequest.getProviderId();
        SPDescriptorType spDescriptor = metaManager.getSPDescriptor(realm, spEntityId);
        BaseConfigType spConfig = metaManager.getSPDescriptorConfig(realm, spEntityId);
        String relayState = authnRequest.getRelayState();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSServiceManager.getSSOAndFedHandler: requested profile:" + profile);
        }
        if (profile != null) {
            if (profile.equals(IFSConstants.SSO_PROF_BROWSER_ART)) {
                returnHandler = new FSSSOBrowserArtifactProfileHandler(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
            } else if (profile.equals(IFSConstants.SSO_PROF_BROWSER_POST)) {
                returnHandler = new FSSSOBrowserPostProfileHandler(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
            } else if (profile.equals(IFSConstants.SSO_PROF_WML_POST)) {
                returnHandler = new FSSSOWMLPostProfileHandler(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
            } else if (profile.equals(IFSConstants.SSO_PROF_LECP)) {
                returnHandler = new FSSSOLECPProfileHandler(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
            } else {
                FSUtils.debug.error("FSServiceManager.getSSOAndFedHandler: " + "Unknown Protocol profile request");
                returnHandler = new FSSSOBrowserArtifactProfileHandler(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
            }
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSServiceManager.getSSOAndFedHandler: " + "No protocol profile in the Request");
            }
            returnHandler = new FSSSOBrowserArtifactProfileHandler(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
        }
        return returnHandler;
    } catch (IDFFMetaException ex) {
        FSUtils.debug.error("FSServiceManager.getSSOAndFedHandler: ", ex);
        return null;
    }
}
Also used : BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) FSSSOWMLPostProfileHandler(com.sun.identity.federation.services.fednsso.FSSSOWMLPostProfileHandler) FSSSOBrowserArtifactProfileHandler(com.sun.identity.federation.services.fednsso.FSSSOBrowserArtifactProfileHandler) FSSSOBrowserPostProfileHandler(com.sun.identity.federation.services.fednsso.FSSSOBrowserPostProfileHandler) FSSSOLECPProfileHandler(com.sun.identity.federation.services.fednsso.FSSSOLECPProfileHandler) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) SPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType) FSSSOAndFedHandler(com.sun.identity.federation.services.fednsso.FSSSOAndFedHandler)

Example 18 with BaseConfigType

use of com.sun.identity.federation.jaxb.entityconfig.BaseConfigType in project OpenAM by OpenRock.

the class FSAssertionConsumerService method doPost.

/**
     * Handles post profile.
     * @param request <code>HttpServletRequest</code> object
     * @param response <code>HttpServletResponse</code> object
     * @exception ServletException, IOException if error occurs.
     */
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    FSUtils.debug.message("FSAssertionConsumerService.doPost : called");
    Document doc = null;
    if ((request == null) || (response == null)) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, FSUtils.bundle.getString("nullInputParameter"));
        return;
    }
    String metaAlias = FSServiceUtils.getMetaAlias(request);
    String realm = IDFFMetaUtils.getRealmByMetaAlias(metaAlias);
    String baseURL = FSServiceUtils.getBaseURL(request);
    String framedPageURL = FSServiceUtils.getCommonLoginPageURL(metaAlias, null, null, request, baseURL);
    String hostEntityId = null;
    SPDescriptorType hostDesc = null;
    BaseConfigType hostConfig = null;
    try {
        hostEntityId = metaManager.getEntityIDByMetaAlias(metaAlias);
        hostDesc = metaManager.getSPDescriptor(realm, hostEntityId);
        hostConfig = metaManager.getSPDescriptorConfig(realm, hostEntityId);
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Exception when obtain host meta data:", e);
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    }
    // obtain AuthnResponse message
    String encodedAuthnResponse = request.getParameter(IFSConstants.POST_AUTHN_RESPONSE_PARAM);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionConsumerService.doPost: " + "Base64 encoded AuthnResponse: " + encodedAuthnResponse);
    }
    if (encodedAuthnResponse == null) {
        String[] data = { FSUtils.bundle.getString("missingAuthnResponse") };
        LogUtil.error(Level.INFO, LogUtil.MISSING_AUTHN_RESPONSE, data);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("missingAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    }
    encodedAuthnResponse = encodedAuthnResponse.replace(' ', '\n');
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionConsumerService.doPost: " + "Base64 encoded AuthnResponse2: " + encodedAuthnResponse);
    }
    FSAuthnResponse authnResponse = null;
    try {
        String decodedAuthnResponse = new String(Base64.decode(encodedAuthnResponse));
        FSUtils.debug.message("Decoded authnResponse" + decodedAuthnResponse);
        doc = XMLUtils.toDOMDocument(decodedAuthnResponse, FSUtils.debug);
        if (doc == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionConsumerService.doPost:Error " + "while parsing input xml string");
            }
            throw new FSMsgException("parseError", null);
        }
        authnResponse = new FSAuthnResponse(doc.getDocumentElement());
        if (authnResponse == null) {
            FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. " + "Can't parse Base64 encoded AuthnResponse");
            String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
            LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
            FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
    } catch (FSException e) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. FSException" + " occured while parsing Base64 encoded AuthnResponse: ", e);
        String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
        LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    } catch (SAMLException e) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. SAMLException" + " occurred while parsing Base64 encoded AuthnResponse: ", e);
        String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
        LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    }
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionConsumerService.doPost: " + "AuthnResponse received is valid: " + authnResponse.toXMLString());
        }
    } catch (FSException e) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. FSException" + " occurred while calling AuthnResponse.toXMLString(): ", e);
        String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
        LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    }
    FSAuthnRequest authnRequest = null;
    String requestID = authnResponse.getInResponseTo();
    if (requestID == null) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. AuthnResponse " + "received does not have inResponseTo attribute");
        String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
        LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionConsumerService.doPost: " + "AuthnResponse received is against requestID: " + requestID);
    }
    authnRequest = getInResponseToRequest(requestID, metaAlias);
    if (authnRequest == null) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. AuthnResponse" + " received does not have an associated AuthnRequest");
        String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
        LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedPageURL);
        return;
    }
    String framedLoginPageURL = FSServiceUtils.getCommonLoginPageURL(metaAlias, authnRequest.getRelayState(), null, request, baseURL);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionConsumerService.doPost: " + "inResponseTo validation is successful");
    }
    try {
        String idpEntityId = null;
        IDPDescriptorType idpDescriptor = null;
        if (!authnRequest.getProtocolProfile().equals(IFSConstants.SSO_PROF_LECP)) {
            idpEntityId = getProvider(authnResponse.getInResponseTo(), metaAlias);
            idpDescriptor = metaManager.getIDPDescriptor(realm, idpEntityId);
            if (idpEntityId == null || idpDescriptor == null) {
                FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Invalid AuthnResponse. Sender information " + "not found for the received AuthnResponse");
                String[] data = { FSUtils.bundle.getString("invalidAuthnResponse") };
                LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data);
                FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("invalidAuthnResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
                FSUtils.forwardRequest(request, response, framedLoginPageURL);
                return;
            }
            if ((FSServiceUtils.isSigningOn() || (FSServiceUtils.isSigningOptional() && authnRequest.getProtocolProfile().equals(IFSConstants.SSO_PROF_BROWSER_POST))) && !verifyAuthnResponseSignature(doc, idpDescriptor, idpEntityId)) {
                FSUtils.debug.error("FSAssertionConsumerService.doPost: Signature " + "verification failed");
                FSUtils.forwardRequest(request, response, framedLoginPageURL);
                return;
            }
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionConsumerService.doPost: " + "LECP Profile identified. IDP info is unknown so far" + "Get providerId from the response");
            }
            idpEntityId = authnResponse.getProviderId();
            idpDescriptor = metaManager.getIDPDescriptor(realm, idpEntityId);
        }
        // handle sso
        FSServiceManager sm = FSServiceManager.getInstance();
        FSAssertionArtifactHandler handler = sm.getAssertionArtifactHandler(request, response, authnRequest, authnResponse, idpDescriptor, idpEntityId);
        if (handler == null) {
            FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "could not create AssertionArtifactHandler");
            String[] data = { FSUtils.bundle.getString("requestProcessingFailed") };
            LogUtil.error(Level.INFO, LogUtil.AUTHN_REQUEST_PROCESSING_FAILED, data);
            FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("requestProcessingFailed") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
            FSUtils.forwardRequest(request, response, framedLoginPageURL);
            return;
        }
        handler.setHostEntityId(hostEntityId);
        handler.setHostDescriptor(hostDesc);
        handler.setHostDescriptorConfig(hostConfig);
        handler.setMetaAlias(metaAlias);
        handler.setRealm(realm);
        handler.processAuthnResponse(authnResponse);
        return;
    } catch (Exception se) {
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + "Exception: ", se);
        FSUtils.debug.error("FSAssertionConsumerService.doPost: " + FSUtils.bundle.getString("requestProcessingFailed") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
        FSUtils.forwardRequest(request, response, framedLoginPageURL);
        return;
    }
}
Also used : FSMsgException(com.sun.identity.federation.message.common.FSMsgException) FSAuthnRequest(com.sun.identity.federation.message.FSAuthnRequest) Document(org.w3c.dom.Document) SPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType) SAMLException(com.sun.identity.saml.common.SAMLException) ServletException(javax.servlet.ServletException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) FSMsgException(com.sun.identity.federation.message.common.FSMsgException) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) IDPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType) FSServiceManager(com.sun.identity.federation.services.FSServiceManager) FSAuthnResponse(com.sun.identity.federation.message.FSAuthnResponse) FSException(com.sun.identity.federation.common.FSException)

Example 19 with BaseConfigType

use of com.sun.identity.federation.jaxb.entityconfig.BaseConfigType in project OpenAM by OpenRock.

the class IDFFProviderManager method isNameIDEncryptionEnabled.

/**
     * Returns whether the specified provider requires name ID encryption
     * or not.
     * @param providerID provider ID.
     * @return true if the specified provider requires name ID encryption,
     *     false if it doesn't.
     */
public boolean isNameIDEncryptionEnabled(String providerID) {
    EntityConfigElement entityConfig = null;
    try {
        entityConfig = idffMetaManager.getEntityConfig(ROOT_REALM, providerID);
    } catch (IDFFMetaException imex) {
        ProviderUtil.debug.error("IDFFProviderManager.isNameIDEncryptionEnabled:", imex);
    }
    if (entityConfig == null) {
        return false;
    }
    BaseConfigType baseConfig = IDFFMetaUtils.getSPDescriptorConfig(entityConfig);
    if (baseConfig == null) {
        baseConfig = IDFFMetaUtils.getIDPDescriptorConfig(entityConfig);
        if (baseConfig == null) {
            return false;
        }
    }
    Map attrMap = IDFFMetaUtils.getAttributes(baseConfig);
    if ((attrMap == null) || (attrMap.isEmpty())) {
        return false;
    }
    List values = (List) attrMap.get(IFSConstants.ENABLE_NAMEID_ENCRYPTION);
    if ((values == null) || values.isEmpty()) {
        return false;
    }
    return ((String) values.get(0)).equalsIgnoreCase("true");
}
Also used : BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) List(java.util.List) Map(java.util.Map) EntityConfigElement(com.sun.identity.federation.jaxb.entityconfig.EntityConfigElement)

Example 20 with BaseConfigType

use of com.sun.identity.federation.jaxb.entityconfig.BaseConfigType in project OpenAM by OpenRock.

the class FSAssertionManager method createFSAssertion.

/**
     * Creates an assertion artifact.
     * @param id session ID
     * @param artifact assertion artifact
     * @param realm the realm under which the entity resides.
     * @param spEntityID service provider's entity ID
     * @param spHandle service provider issued <code>NameIdentifier</code>
     * @param idpHandle identity provider issued <code>NameIdentifier</code>
     * @param inResponseTo value to InResponseTo attribute. It's the request ID.
     * @param assertionMinorVersion minor version the assertion should use
     * @exception FSException,SAMLException if error occurrs
     */
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
    FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
    // check input
    if ((id == null) || (spEntityID == null)) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
        }
        throw new FSException("nullInput", null);
    }
    String destID = spEntityID;
    String authMethod = null;
    String authnContextStatementRef = null;
    String authnContextClassRef = null;
    Date authInstant = null;
    String securityDomain = null;
    Object token = null;
    String univId = null;
    SubjectLocality authLocality = null;
    FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
    IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
    Map attributes = new HashMap();
    if (metaManager != null) {
        BaseConfigType idpConfig = null;
        try {
            idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
        } catch (IDFFMetaException e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
            }
            idpConfig = null;
        }
        if (idpConfig != null) {
            attributes = IDFFMetaUtils.getAttributes(idpConfig);
        }
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        token = sessionProvider.getSession(id);
        String[] strAuthInst = null;
        try {
            strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
            try {
                authInstant = DateUtils.stringToDate(strAuthInst[0]);
            } catch (ParseException ex) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
                }
            }
        } else {
            authInstant = new java.util.Date();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
        }
        try {
            String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
            if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
                authMethod = strAuthMethod[0];
            }
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
        if (assertionIssuer == null) {
            assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
        }
        try {
            String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
            authLocality = new SubjectLocality(ipAddress, assertionIssuer);
        } catch (UnknownHostException uhe) {
            FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
        }
        try {
            FSSession session = sessionManager.getSession(token);
            authnContextClassRef = session.getAuthnContext();
            authnContextStatementRef = authnContextClassRef;
        } catch (Exception ex) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
            }
            authnContextStatementRef = null;
        }
        if (authnContextStatementRef != null) {
            if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                authMethod = IFSConstants.AC_XML_NS;
            } else {
                authMethod = IFSConstants.AC_12_XML_NS;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
        }
        univId = sessionProvider.getPrincipalName(token);
        securityDomain = hostEntityId;
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
        throw new FSException("alliance_manager_no_local_descriptor", null, e);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
    }
    SubjectConfirmation subConfirmation = null;
    String artString = null;
    if (artifact != null) {
        artString = artifact.getAssertionArtifact();
        if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
        }
        subConfirmation.setSubjectConfirmationData(artString);
    } else {
        // set to bearer for POST profile
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
    }
    IDPProvidedNameIdentifier idpNi = null;
    if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
        idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
    } else {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    }
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
    authnContext.setMinorVersion(assertionMinorVersion);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
    FSSession session = sessionManager.getSession(univId, id);
    if (session == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
        }
        return null;
    }
    String sessionIndex = session.getSessionIndex();
    if (sessionIndex == null) {
        sessionIndex = SAMLUtils.generateID();
        session.setSessionIndex(sessionIndex);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
    }
    statement.setSessionIndex(sessionIndex);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    FSUtils.debug.message("here before date");
    Date notAfter;
    if (artifact != null) {
        notAfter = new Date(issueInstant.getTime() + artifactTimeout);
    } else {
        notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    }
    FSUtils.debug.message("here after date");
    statement.setReauthenticateOnOrAfter(notAfter);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(null, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList();
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    /**
         * This is added to create an attribute statement for the bootstrap
         * information.
         */
    AttributeStatement attribStatement = null;
    Advice advice = null;
    String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
    if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
        AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
        authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        try {
            FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
            attribStatement = bootStrap.getBootStrapStatement();
            if (bootStrap.hasCredentials()) {
                advice = bootStrap.getCredentials();
            }
        } catch (Exception e) {
            FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
        }
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet();
    statements.add(statement);
    if (attribStatement != null) {
        statements.add(attribStatement);
    }
    String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
    if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
        try {
            Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
            List attribStatements = null;
            if (pluginClass instanceof FSRealmAttributePlugin) {
                FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
            } else if (pluginClass instanceof FSAttributePlugin) {
                FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
            }
            if ((attribStatements != null) && (attribStatements.size() != 0)) {
                Iterator iter = attribStatements.iterator();
                while (iter.hasNext()) {
                    statements.add((AttributeStatement) iter.next());
                }
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
        }
    }
    if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
        AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
        statements.add(autoFedStatement);
    }
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
    assertion.setMinorVersion(assertionMinorVersion);
    assertion.setID(aID.getAssertionIDReference());
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
    }
    String aIDString = assertion.getAssertionID();
    Entry entry = new Entry(assertion, destID, artString, token);
    Integer maxNumber = null;
    try {
        int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
        maxNumber = new Integer(temp);
    } catch (Exception ex) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
        }
        maxNumber = null;
    }
    if (maxNumber == null) {
        maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
    }
    int maxValue = maxNumber.intValue();
    if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
        FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
        throw new FSException("errorCreateAssertion", null);
    }
    Object oldEntry = null;
    try {
        synchronized (idEntryMap) {
            oldEntry = idEntryMap.put(aIDString, entry);
        }
        if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
            idffSvc.setAssertions((long) idEntryMap.size());
        }
    } catch (Exception e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
        }
        throw new FSException("errorCreateAssertion", null);
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { assertion.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
    } else {
        String[] data = { assertion.getAssertionID() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
    }
    if (artString != null) {
        try {
            synchronized (artIdMap) {
                oldEntry = artIdMap.put(artString, aIDString);
            }
            if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
                idffSvc.setArtifacts((long) artIdMap.size());
            }
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
            }
            throw new FSException("errorCreateArtifact", null);
        }
        if (oldEntry != null) {
            artifactTimeoutRunnable.removeElement(aIDString);
        }
        artifactTimeoutRunnable.addElement(aIDString);
    } else {
        if (oldEntry != null) {
            assertionTimeoutRunnable.removeElement(aIDString);
        }
        assertionTimeoutRunnable.addElement(aIDString);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) FSSubject(com.sun.identity.federation.message.FSSubject) Date(java.util.Date) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) SessionProvider(com.sun.identity.plugin.session.SessionProvider) HashSet(java.util.HashSet) UnknownHostException(java.net.UnknownHostException) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ParseException(java.text.ParseException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) UnknownHostException(java.net.UnknownHostException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) ParseException(java.text.ParseException) Advice(com.sun.identity.saml.assertion.Advice) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) Map(java.util.Map) HashMap(java.util.HashMap)

Aggregations

BaseConfigType (com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)54 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)33 IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)18 List (java.util.List)18 FSException (com.sun.identity.federation.common.FSException)17 SessionException (com.sun.identity.plugin.session.SessionException)14 IOException (java.io.IOException)14 ArrayList (java.util.ArrayList)14 Iterator (java.util.Iterator)14 IDPDescriptorType (com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType)13 SAMLException (com.sun.identity.saml.common.SAMLException)13 FSMsgException (com.sun.identity.federation.message.common.FSMsgException)12 ProviderDescriptorType (com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType)12 FSSessionManager (com.sun.identity.federation.services.FSSessionManager)10 HashMap (java.util.HashMap)10 Map (java.util.Map)10 ServletException (javax.servlet.ServletException)10 FSAuthnRequest (com.sun.identity.federation.message.FSAuthnRequest)9 Set (java.util.Set)9 FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)8