Search in sources :

Example 6 with FSSubject

use of com.sun.identity.federation.message.FSSubject in project OpenAM by OpenRock.

the class FSAssertionArtifactHandler method processAuthnResponse.

/**
     * Processes <code>FSAuthnResponse</code>.
     * @param authnResponse <code>FSAuthnResponse</code> objec to be processed
     */
public void processAuthnResponse(FSAuthnResponse authnResponse) {
    FSUtils.debug.message("FSAssertionArtifactHandler.ProcessAuthnResponse: Called");
    this.authnResponse = authnResponse;
    // Call SP adapter SPI
    FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostEntityId, hostConfig);
    if (spAdapter != null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler, POST" + " Invokde spAdapter.preSSOFederationProcess");
        }
        try {
            spAdapter.preSSOFederationProcess(hostEntityId, request, response, authnRequest, authnResponse, null);
        } catch (Exception e) {
            // log run time exception in Adapter
            // implementation, continue
            FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.preSSOFederationSuccess", e);
        }
    }
    String baseURL = FSServiceUtils.getBaseURL(request);
    String framedLoginPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, authnRequest.getRelayState(), null, request, baseURL);
    this.relayState = authnRequest.getRelayState();
    if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
        this.relayState = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.PROVIDER_HOME_PAGE_URL);
        if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
            this.relayState = baseURL + IFSConstants.SP_DEFAULT_RELAY_STATE;
        }
    }
    try {
        if (authnResponse == null) {
            String[] data = { FSUtils.bundle.getString("missingAuthnResponse") };
            LogUtil.error(Level.INFO, LogUtil.MISSING_AUTHN_RESPONSE, data, ssoToken);
            FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("missingAuthnResponse") + " AuthnRequest Processing Failed at the IDP " + "Redirecting to the Framed Login Page");
            response.sendRedirect(framedLoginPageURL);
            return;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler.doPost:Received " + authnResponse.toXMLString());
        }
        boolean valid = verifyResponseStatus(authnResponse);
        if (!valid) {
            FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
            // clean request map
            String inResponseTo = authnResponse.getInResponseTo();
            sessionManager.removeAuthnRequest(inResponseTo);
            String[] data = { authnResponse.toXMLString() };
            LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data, ssoToken);
            FSUtils.debug.warning("FSAssertionArtifactHandler." + " processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
            if ((spAdapter == null) || !(spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, null, FederationSPAdapter.INVALID_AUTHN_RESPONSE))) {
                response.sendRedirect(framedLoginPageURL);
            }
            return;
        }
        // check Assertion
        List assertions = authnResponse.getAssertion();
        FSSubject validSubject = (FSSubject) validateAssertions(assertions);
        if (validSubject == null) {
            String[] data = { FSUtils.bundle.getString("invalidAssertion") };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ASSERTION, data, ssoToken);
            FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("InvalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
            response.sendRedirect(framedLoginPageURL);
            return;
        }
        FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
        if (doFederate) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Initiate Account Federation");
            }
            NameIdentifier ni = validSubject.getIDPProvidedNameIdentifier();
            if (ni == null) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionArtifactHandler.processAuthnResponse:" + " IDPProvided NameIdentifier is null");
                }
                ni = validSubject.getNameIdentifier();
            }
            if (ni != null) {
                int returnCode = doAccountFederation(ni);
                if (returnCode == FederationSPAdapter.SUCCESS) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Account federation" + " successful");
                    }
                    String inResponseTo = authnResponse.getInResponseTo();
                    sessionManager.removeAuthnRequest(inResponseTo);
                    sessionManager.removeLocalSessionToken(inResponseTo);
                    return;
                } else {
                    String[] data = { FSUtils.bundle.getString("AccountFederationFailed") };
                    LogUtil.error(Level.INFO, LogUtil.ACCOUNT_FEDERATION_FAILED, data, ssoToken);
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("AccountFederationFailed") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
                    if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, (FSResponse) samlResponse, returnCode)) {
                        response.sendRedirect(framedLoginPageURL);
                    }
                }
            } else {
                throw new FSException("missingNIofSubject", null);
            }
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Initiate SingleSign-On");
            }
            //check for SPProvidedNameIdentifier
            NameIdentifier niIdp = validSubject.getIDPProvidedNameIdentifier();
            NameIdentifier ni = validSubject.getNameIdentifier();
            if (niIdp == null) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionArtifactHandler.processAuthnResponse:" + " IDPProvided NameIdentifier is null");
                }
                niIdp = ni;
            }
            if ((niIdp == null) || (ni == null)) {
                String[] data = { FSUtils.bundle.getString("invalidResponse") };
                LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data, ssoToken);
                FSUtils.debug.error("FSAssertionArtifactHandler." + " processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
                response.sendRedirect(framedLoginPageURL);
                return;
            }
            String idpHandle = niIdp.getName();
            String spHandle = ni.getName();
            int handleType;
            if ((idpHandle == null) || (spHandle == null)) {
                String[] data = { FSUtils.bundle.getString("invalidResponse") };
                LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data, ssoToken);
                FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
                response.sendRedirect(framedLoginPageURL);
                return;
            }
            if (idpHandle.equals(spHandle)) {
                ni = niIdp;
                handleType = IFSConstants.REMOTE_OPAQUE_HANDLE;
            } else {
                handleType = IFSConstants.LOCAL_OPAQUE_HANDLE;
            }
            Map env = new HashMap();
            env.put(IFSConstants.FS_USER_PROVIDER_ENV_AUTHNRESPONSE_KEY, authnResponse);
            int returnCode = doSingleSignOn(ni, handleType, niIdp, env);
            if (returnCode == FederationSPAdapter.SUCCESS) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Accountfederation successful");
                }
                String requestID = authnResponse.getInResponseTo();
                sessionManager.removeAuthnRequest(requestID);
                if (isIDPProxyEnabled(requestID)) {
                    sendProxyResponse(requestID);
                    return;
                }
                String[] data = { this.relayState };
                LogUtil.access(Level.INFO, LogUtil.ACCESS_GRANTED_REDIRECT_TO, data, ssoToken);
                FSUtils.debug.message("ArtifactHandler.notfederated, postSSO");
                if (spAdapter != null) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAssertionArtifactHandler," + " Invoke spAdapter.postSSOFederationSuccess");
                    }
                    try {
                        if (spAdapter.postSSOFederationSuccess(hostEntityId, request, response, ssoToken, authnRequest, authnResponse, null)) {
                            // return if the SP spi redirection happened
                            return;
                        }
                    } catch (Exception e) {
                        // log run time exception in Adapter
                        // implementation, continue
                        FSUtils.debug.error("FSAssertionArtifadctHandler" + " SPAdapter.postSSOFederationSuccess:", e);
                    }
                }
                redirectToResource(this.relayState);
                return;
            } else {
                String[] data = { FSUtils.bundle.getString("SSOfailed") };
                LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data, ssoToken);
                FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
                if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, null, returnCode)) {
                    response.sendRedirect(framedLoginPageURL);
                }
                return;
            }
        }
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: Exception Occured: ", e);
        try {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
            response.sendRedirect(framedLoginPageURL);
        } catch (IOException ioe) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: IOException Occured: ", ioe);
            return;
        }
        return;
    }
}
Also used : FSSubject(com.sun.identity.federation.message.FSSubject) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) HashMap(java.util.HashMap) IOException(java.io.IOException) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) FSException(com.sun.identity.federation.common.FSException) List(java.util.List) ArrayList(java.util.ArrayList) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) FederationSPAdapter(com.sun.identity.federation.plugins.FederationSPAdapter) Map(java.util.Map) HashMap(java.util.HashMap)

Aggregations

FSSubject (com.sun.identity.federation.message.FSSubject)6 FSException (com.sun.identity.federation.common.FSException)5 FSAssertion (com.sun.identity.federation.message.FSAssertion)5 List (java.util.List)5 FSAuthenticationStatement (com.sun.identity.federation.message.FSAuthenticationStatement)4 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)4 NameIdentifier (com.sun.identity.saml.assertion.NameIdentifier)4 SAMLException (com.sun.identity.saml.common.SAMLException)4 HashMap (java.util.HashMap)4 HashSet (java.util.HashSet)4 Iterator (java.util.Iterator)4 Map (java.util.Map)4 Set (java.util.Set)4 FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)3 IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)3 SessionException (com.sun.identity.plugin.session.SessionException)3 Conditions (com.sun.identity.saml.assertion.Conditions)3 SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)3 ArrayList (java.util.ArrayList)3 Date (java.util.Date)3