
Example 11 with FSAssertion

use of com.sun.identity.federation.message.FSAssertion in project OpenAM by OpenRock.

From the class FSAssertionArtifactHandler, method validateAssertions.

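/**
 * Validates every assertion of an authentication response and returns the
 * subject of the authentication statement found in it.
 *
 * <p>For each assertion the following checks are applied, in order, and the
 * first failure makes the whole response invalid ({@code null} is returned):
 * the assertion answers this handler's AuthnRequest (InResponseTo), its
 * signature verifies when signing is on, its ID has not been seen before
 * (replay), its issuer is the expected IDP (or a trusted IDP from the
 * metadata when no IDP was fixed in advance), it is time-valid, it is
 * addressed to this site, and it carries an AuthenticationStatement whose
 * subject uses exactly one accepted confirmation method.
 *
 * <p>As a side effect the method records each accepted assertion ID in
 * {@code idTimeMap} (plus {@code cGoThrough}/{@code cPeriodic} for cleanup),
 * stores {@code reAuthnOnOrAfterDate}, {@code idpSessionIndex},
 * {@code authnContextStmt}, collects attribute statements into
 * {@code attrStatements} and keeps the last assertion's discovery credential
 * in {@code securityAssertions}.
 *
 * @param assertions the {@code FSAssertion}s of the response
 * @return the subject of the (last) valid AuthenticationStatement, or
 *         {@code null} if any assertion fails validation
 */
protected Subject validateAssertions(List assertions) {
    FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
    FSSubject subject = null;
    for (Object element : assertions) {
        FSAssertion assertion = (FSAssertion) element;
        // The assertion must answer the request this handler sent.
        if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion does not correspond to any valid request");
            return null;
        }
        if (FSServiceUtils.isSigningOn() && !verifyAssertionSignature(assertion)) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion signature verification failed");
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Assertion signature verified");
        }
        String aIDString = assertion.getAssertionID();
        // Replay check: an assertion ID that is already recorded is rejected.
        // NOTE(review): this is a check-then-put on idTimeMap with no lock in
        // this method; whether concurrent responses can race depends on the
        // map type and the caller's synchronization - confirm.
        if (idTimeMap.containsKey(aIDString)) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
            return null;
        }
        if (!isAssertionIssuerTrusted(assertion.getIssuer())) {
            return null;
        }
        // must be valid (timewise)
        if (!assertion.isTimeValid()) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " Assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // if present, target of the assertions must == local server IP
        Conditions conds = assertion.getConditions();
        if (!forThisServer(conds)) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "assertion is not issued for this site.");
            return null;
        }
        // Walk the statements: exactly the authentication statement(s) decide
        // the subject; attribute statements are collected for later use.
        boolean authnStatementFound = false;
        if (assertion.getStatement() != null) {
            for (Iterator stmtIter = assertion.getStatement().iterator(); stmtIter.hasNext();) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    authnStatementFound = true;
                    FSSubject confirmed = extractConfirmedSubject((FSAuthenticationStatement) statement);
                    if (confirmed == null) {
                        return null;
                    }
                    subject = confirmed;
                } else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
                    AttributeStatement attrStatement = (AttributeStatement) statement;
                    if (!checkForAttributeStatement(attrStatement)) {
                        attrStatements.add(attrStatement);
                    }
                }
            }
        }
        if (!authnStatementFound) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "No Authentication statement found in the Assertion. " + "User is not authenticated by the IDP");
            }
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Adding " + aIDString + " to idTimeMap.");
        }
        // Record the assertion ID for the replay check. Assertions with a
        // NotOnOrAfter are kept until that time (cGoThrough); the others are
        // swept periodically (cPeriodic), so the stored value does not matter.
        // NOTE(review): conds is dereferenced here; if getConditions() can
        // return null for an assertion that passes forThisServer(), this
        // throws - confirm forThisServer's contract.
        Date notOnOrAfter = conds.getNotOnorAfter();
        if (notOnOrAfter != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, Long.valueOf(notOnOrAfter.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            idTimeMap.put(aIDString, aIDString);
        }
        securityAssertions = assertion.getDiscoveryCredential();
    }
    if (subject == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " couldn't find Subject.");
        return null;
    }
    return subject;
}

/**
 * Checks that an assertion issuer is acceptable.
 *
 * <p>When {@code idpEntityId} is already known (the IDP the AuthnRequest
 * was sent to) the issuer must equal it. Otherwise the issuer must have an
 * IDP descriptor in the IDFF metadata for {@code realm}; in that case the
 * descriptor and entity ID are stored on this handler via
 * {@link #setProviderDescriptor} and {@link #setProviderEntityId}.
 *
 * @param issuer the assertion's Issuer value
 * @return {@code true} if the issuer is accepted; {@code false} otherwise
 *         (including any exception from the metadata lookup)
 */
private boolean isAssertionIssuerTrusted(String issuer) {
    try {
        if (idpEntityId != null) {
            if (!idpEntityId.equals(issuer)) {
                FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not the entity where " + "AuthnRequest was sent originally.");
                return false;
            }
            return true;
        }
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is: " + issuer);
        IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
        IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
        if (idpDesc == null) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " Assertion issuer is not on the trust list");
            return false;
        }
        setProviderDescriptor(idpDesc);
        setProviderEntityId(issuer);
        return true;
    } catch (Exception ex) {
        // Any metadata failure is treated as "not trusted".
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not on the trust list");
        return false;
    }
}

/**
 * Validates one AuthenticationStatement and returns its subject.
 *
 * <p>Stores the statement's ReauthenticateOnOrAfter, SessionIndex and
 * AuthnContext on this handler, then requires the subject to carry exactly
 * one SubjectConfirmation method that is bearer, artifact or the deprecated
 * artifact URI. A subject that cannot be serialized for logging is treated
 * as invalid and rejected, so the confirmation-method check can never be
 * skipped.
 *
 * @param authStatement the statement to validate
 * @return the confirmed {@code FSSubject}, or {@code null} if the statement
 *         or its subject is invalid
 */
private FSSubject extractConfirmedSubject(FSAuthenticationStatement authStatement) {
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "validating AuthenticationStatement:" + authStatement.toXMLString());
        }
    } catch (FSException e) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Exception. " + "Invalid AuthenticationStatement: ", e);
        return null;
    }
    //check ReauthenticateOnOrAfter
    reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
    //process SessionIndex
    idpSessionIndex = authStatement.getSessionIndex();
    authnContextStmt = authStatement.getAuthnContext();
    FSSubject subject = (FSSubject) authStatement.getSubject();
    if (subject == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Subject is null");
        return null;
    }
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "found Authentication Statement. " + "Subject = " + subject.toXMLString());
        }
    } catch (FSException e) {
        // Previously this 'continue'd past the confirmation-method check
        // below, so a subject that failed to serialize was accepted unchecked
        // whenever message logging was on. Reject it instead.
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + " Exception. Invalid subject: ", e);
        return null;
    }
    // Exactly one confirmation method is required (bearer / artifact).
    SubjectConfirmation subConf = subject.getSubjectConfirmation();
    Set confMethods = (subConf == null) ? null : subConf.getConfirmationMethod();
    if (confMethods == null || confMethods.size() != 1) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "missing or extra ConfirmationMethod.");
        return null;
    }
    String confMethod = (String) confMethods.iterator().next();
    boolean accepted = confMethod != null
            && (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)
                || confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)
                || confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT));
    if (!accepted) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: wrong " + "ConfirmationMethod");
        return null;
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Confirmation method: " + confMethod);
    }
    return subject;
}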

Example 12 with FSAssertion

use of com.sun.identity.federation.message.FSAssertion in project OpenAM by OpenRock.

From the class FSSSOWMLPostProfileHandler, method sendAuthnResponse.

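/**
 * Sends an AuthnResponse to the service provider's assertion consumer
 * service as a WML card that auto-posts the Base64-encoded response.
 *
 * <p>When signing is enabled every assertion in the response is signed in
 * the DOM before serialization; if the hosted site's signing certificate
 * alias is not configured, nothing is sent. Failures are logged at error
 * level with the causing exception and are not propagated.
 *
 * @param authnResponse the response to send; its ProviderID is set to
 *        {@code hostedEntityId} before serialization
 */
protected void sendAuthnResponse(FSAuthnResponse authnResponse) {
    FSUtils.debug.message("FSSSOWMLPostProfileHandler.sendAuthnResponse: Called");
    try {
        authnResponse.setProviderId(hostedEntityId);
        Document doc = XMLUtils.toDOMDocument(authnResponse.toXMLString(true, true), FSUtils.debug);
        //sign assertions
        if (FSServiceUtils.isSigningOn()) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: start signing assertions");
            }
            List assList = authnResponse.getAssertion();
            if (assList != null && !assList.isEmpty()) {
                // The alias, signature manager and algorithm are the same for
                // every assertion, so resolve them once.
                String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
                if (certAlias == null) {
                    // Signing is required: never fall through and send an unsigned response.
                    FSUtils.debug.error("FSSSOWMLPostProfileHandler.sendAuthnResponse: " + "couldn't obtain this site's cert alias.");
                    return;
                }
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: Site's certAlias is " + certAlias);
                }
                XMLSignatureManager manager = XMLSignatureManager.getInstance();
                String sigAlgorithm = SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM);
                for (Iterator iter = assList.iterator(); iter.hasNext();) {
                    FSAssertion assertion = (FSAssertion) iter.next();
                    String id = assertion.getID();
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: id attr is" + id);
                    }
                    // The attribute that identifies the signed element differs
                    // between the 1.1 and 1.2 assertion formats.
                    int minorVersion = assertion.getMinorVersion();
                    if (minorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                        manager.signXML(doc, certAlias, sigAlgorithm, IFSConstants.ID, id, false);
                    } else if (minorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || minorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
                        manager.signXML(doc, certAlias, sigAlgorithm, IFSConstants.ASSERTION_ID, assertion.getAssertionID(), false);
                    } else {
                        // NOTE(review): an assertion with an unrecognized minor
                        // version is left unsigned but still sent; logged at
                        // error level so it is visible.
                        FSUtils.debug.error("invalid minor version.");
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: SignatureManager" + " finished signing ");
                    }
                }
            }
        }
        String respStr = FSServiceUtils.printDocument(doc);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: Signed AuthnResponse: " + respStr);
        }
        // Encode explicitly as UTF-8; getBytes() would depend on the JVM's default charset.
        String b64Resp = Base64.encode(respStr.getBytes("UTF-8"));
        String acsUrl = FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID());
        response.setContentType("text/vnd.wap.wml");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Cache-Control", "no-cache");
        PrintWriter out = response.getWriter();
        try {
            out.println("<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.1//EN\" " + "\"http://www.wapforum.org/DTD/wml_1.1.xml\">");
            out.println("<wml>");
            out.println("<card id=\"response\" title=\"IDP Response\">");
            out.println("<onevent type=\"onenterforward\">");
            // The URL lands inside an attribute value: XML-special characters
            // (notably '&' in a query string) must be escaped to keep the WML
            // well-formed. The Base64 value needs no escaping.
            out.println("<go method=\"post\" href=\"" + XMLUtils.escapeSpecialCharacters(acsUrl) + "\">");
            out.println("<postfield name=\"" + IFSConstants.POST_AUTHN_RESPONSE_PARAM + "\" " + "value=\"" + b64Resp + "\"/>");
            out.println("</go>");
            out.println("</onevent>");
            out.println("<onevent type=\"onenterbackward\">");
            out.println("<prev/>");
            out.println("</onevent>");
            out.println("</card>");
            out.println("</wml>");
        } finally {
            // Close on every path, not only on success.
            out.close();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOWMLPostProfileHandler:sendAuthnResponse: " + "AuthnResponse sent successfully to: " + acsUrl);
        }
    } catch (Exception ex) {
        // Keep the cause: previously the exception was dropped and the failure
        // was only logged at message level.
        FSUtils.debug.error("FSSSOWMLPostProfileHandler:sendAuthnResponse: " + "Failed to send AuthnResponse", ex);
    }
}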
