Search in sources :

Example 1 with FSAuthnDecisionHandler

use of com.sun.identity.federation.services.FSAuthnDecisionHandler in project OpenAM by OpenRock.

the class FSSSOAndFedHandler method processPreAuthnSSO.

/**
     * Handles authentication request.
     * @param authnRequest <code>FSAuthnRequest</code> object
     * @return <code>true</code> if the request is handled successfully;
     *  <code>false</code> otherwise.
     */
public boolean processPreAuthnSSO(FSAuthnRequest authnRequest) {
    FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: Called");
    String loginURL = null;
    List authenticationContextClassRef = null;
    String currentAuthnContextRef = null;
    String authType = null;
    FSAuthContextResult authnResult = null;
    FSSessionManager sessionMgr = FSSessionManager.getInstance(metaAlias);
    if (authnRequest.getAuthnContext() != null) {
        authenticationContextClassRef = authnRequest.getAuthnContext().getAuthnContextClassRefList();
        if (authenticationContextClassRef == null) {
            String authCtxRefDefault = IFSConstants.DEFAULT_AUTHNCONTEXT_PASSWORD;
            authenticationContextClassRef = new ArrayList();
            authenticationContextClassRef.add(authCtxRefDefault);
        }
        authType = authnRequest.getAuthContextCompType();
        currentAuthnContextRef = null;
    }
    boolean authenticated = true;
    Object ssoToken = null;
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        ssoToken = sessionProvider.getSession(request);
        if (ssoToken == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "session is null. User is not authenticated.");
            }
            authenticated = false;
        } else if (!sessionProvider.isValid(ssoToken)) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "session is not valid. User is not authenticated.");
            }
            authenticated = false;
        } else {
            FSSession ssoSession = sessionMgr.getSession(ssoToken);
            if (ssoSession != null) {
                currentAuthnContextRef = ssoSession.getAuthnContext();
                if (currentAuthnContextRef != null) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User has an existing " + "valid session with authnContext: " + currentAuthnContextRef);
                    }
                } else {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's authentication" + " context information not found using " + "default authentication context");
                    }
                    currentAuthnContextRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
                }
            } else {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSSOAndFedHandler.process" + "PreAuthnSSO: User's authenticated session " + "information is not present in FSSessionManager. " + "using default authentication context");
                }
                currentAuthnContextRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
            }
            authenticated = true;
        }
        if (authenticated) {
            // added in case of multiple SPs
            try {
                sessionProvider.addListener(ssoToken, new FSTokenListener(metaAlias));
            } catch (Exception e) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "Couldn't add listener to session:", e);
                }
            }
        }
    } catch (SessionException se) {
        FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "SSOException Occured: User does not have session " + se.getMessage());
        authenticated = false;
    }
    //Initiate proxying
    if (!authenticated) {
        try {
            boolean isProxy = isIDPProxyEnabled(authnRequest);
            if (isProxy && !authnRequest.getFederate()) {
                String preferredIDP = getPreferredIDP(authnRequest);
                if (preferredIDP != null) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOAndFedHandler.process" + "PreAuthnSSO:IDP to be proxied" + preferredIDP);
                    }
                    sendProxyAuthnRequest(authnRequest, preferredIDP);
                    return true;
                }
            //else continue for the local authentication.
            }
        } catch (FSRedirectException re) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOAndFedHandle.processPreAuthnSSO:" + "Redirecting for the proxy handling.");
            }
            return true;
        } catch (Exception ex) {
            FSUtils.debug.error("FSSSOAndFedHandler.processPreAuthnSSO:" + "Exception occured while processing for the proxy.", ex);
            return false;
        }
    }
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "User's authentication status: " + authenticated);
        }
        FSAuthnDecisionHandler authnDecisionHandler = new FSAuthnDecisionHandler(realm, hostedEntityId, request);
        List defAuthnCxtList = new ArrayList();
        defAuthnCxtList.add(IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.DEFAULT_AUTHNCONTEXT));
        if (authnRequest.getIsPassive()) {
            if (authnRequest.getForceAuthn()) {
                if (FSUtils.debug.warningEnabled()) {
                    FSUtils.debug.warning("FSSSOAndFedHandler.PreAuthnSSO: " + "IDP is passive can't force authentication.");
                }
                return false;
            } else {
                if (authenticated) {
                    if (authenticationContextClassRef != null) {
                        authnResult = authnDecisionHandler.decideAuthnContext(authenticationContextClassRef, currentAuthnContextRef, authType);
                    } else {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication context is default");
                        }
                        authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList, authType);
                    }
                    if (authnResult == null) {
                        return false;
                    }
                    if (authnResult.getLoginURL() != null) {
                        // When it's not null.,
                        // we should show the login page
                        // may be it'asking for higher auth context.
                        loginURL = authnResult.getLoginURL();
                        loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
                        FSUtils.forwardRequest(request, response, loginURL);
                        return true;
                    } else {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is evaluated to be valid");
                        }
                        return processPostAuthnSSO(authnRequest);
                    }
                } else {
                    if (FSUtils.debug.warningEnabled()) {
                        FSUtils.debug.warning("FSSSOAndFedHandler.processPreAuthnSSO: " + "IDP is passive and user is not authenticated");
                    }
                    noFedStatus = new Status(new StatusCode("samlp:Responder", new StatusCode("lib:NoPassive", null)), FSUtils.bundle.getString("AuthnRequestProcessingFailed"), null);
                    return false;
                }
            }
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: AuthnRequest is active");
            }
            if (authnRequest.getForceAuthn()) {
                if (authenticationContextClassRef != null) {
                    authnResult = authnDecisionHandler.getURLForAuthnContext(authenticationContextClassRef, authType);
                } else {
                    authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList);
                }
                if (authnResult == null || authnResult.getLoginURL() == null || authnResult.getLoginURL().length() == 0) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO:" + "AuthnDecision engine failed to take a " + "authn decision");
                    }
                    return false;
                } else {
                    if (ssoToken != null) {
                        try {
                            SessionManager.getProvider().invalidateSession(ssoToken, request, response);
                        } catch (SessionException ssoe) {
                            FSUtils.debug.error("FSSSOAndFedHandler.processPreAuthnSSO:" + "Unable to invalidate the sso session.");
                        }
                        ssoToken = null;
                    }
                    loginURL = authnResult.getLoginURL();
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "AuthnDecision engine returned: " + loginURL);
                    }
                }
                loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
                FSUtils.forwardRequest(request, response, loginURL);
                response.flushBuffer();
                return true;
            } else {
                if (authenticated) {
                    if (authenticationContextClassRef != null) {
                        authnResult = authnDecisionHandler.decideAuthnContext(authenticationContextClassRef, currentAuthnContextRef, authType);
                    } else {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is default");
                        }
                        authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList, authType);
                    }
                    if (authnResult == null) {
                        return false;
                    } else if (authnResult.getLoginURL() == null) {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is evaluated to be valid");
                        }
                        return processPostAuthnSSO(authnRequest);
                    } else if (authnResult.getLoginURL().length() == 0) {
                        return false;
                    } else {
                        loginURL = authnResult.getLoginURL();
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO" + ": AuthnDecision engine returned: " + loginURL);
                        }
                    }
                    loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
                    FSUtils.forwardRequest(request, response, loginURL);
                    return true;
                } else {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: AuthnRequest is active");
                    }
                    //redirect for authentication authnContextRef
                    if (authenticationContextClassRef != null) {
                        authnResult = authnDecisionHandler.getURLForAuthnContext(authenticationContextClassRef, authType);
                    } else {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is default");
                        }
                        authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList, authType);
                    }
                    if (authnResult == null || authnResult.getLoginURL() == null || authnResult.getLoginURL().length() == 0) {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler. processPreAuthnSSO: " + " AuthnDecision engine" + " failed to take a decision");
                        }
                        noFedStatus = new Status(new StatusCode("samlp:Responder", new StatusCode("lib:NoAuthnContext", null)), FSUtils.bundle.getString("AuthnRequestProcessingFailed"), null);
                        return false;
                    } else {
                        loginURL = authnResult.getLoginURL();
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "AuthnDecision engine returned: " + loginURL);
                        }
                    }
                    loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
                    FSUtils.forwardRequest(request, response, loginURL);
                    return true;
                }
            }
        }
    } catch (Exception e) {
        FSUtils.debug.error("FSSSOAndFedHandler.processPreAuthnSSO: " + "Exception occured");
        return processPostAuthnSSO(authnRequest);
    }
}
Also used : Status(com.sun.identity.saml.protocol.Status) ArrayList(java.util.ArrayList) FSSession(com.sun.identity.federation.services.FSSession) SessionException(com.sun.identity.plugin.session.SessionException) FSRedirectException(com.sun.identity.federation.common.FSRedirectException) StatusCode(com.sun.identity.saml.protocol.StatusCode) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) FSRedirectException(com.sun.identity.federation.common.FSRedirectException) FSAuthContextResult(com.sun.identity.federation.services.FSAuthContextResult) FSAuthnDecisionHandler(com.sun.identity.federation.services.FSAuthnDecisionHandler) List(java.util.List) ArrayList(java.util.ArrayList) FSTokenListener(com.sun.identity.federation.services.logout.FSTokenListener) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 2 with FSAuthnDecisionHandler

use of com.sun.identity.federation.services.FSAuthnDecisionHandler in project OpenAM by OpenRock.

the class FSIDPFinderService method getLoginURL.

private String getLoginURL(FSAuthnRequest authnRequest, String realm, String hostProviderID, HttpServletRequest httpRequest) {
    if (authnRequest == null) {
        FSUtils.debug.error("FSIDPFinderServer.getLoginURL: null authnrequest");
        return null;
    }
    if (hostProviderID == null) {
        FSUtils.debug.error("FSIDPFinderServer.getLoginURL: null hostProviderID");
        return null;
    }
    IDPDescriptorType idpDescriptor = null;
    BaseConfigType idpConfig = null;
    try {
        IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
        idpDescriptor = metaManager.getIDPDescriptor(realm, hostProviderID);
        idpConfig = metaManager.getIDPDescriptorConfig(realm, hostProviderID);
    } catch (Exception e) {
        FSUtils.debug.error("FSIDPFinderServer.getLoginURL : exception " + "while retrieving meta config", e);
        return null;
    }
    String authType = authnRequest.getAuthContextCompType();
    FSAuthnDecisionHandler authnDecisionHandler = new FSAuthnDecisionHandler(realm, hostProviderID, httpRequest);
    List defAuthnCtxList = IDFFMetaUtils.getAttributeValueFromConfig(idpConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
    FSAuthContextResult authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCtxList, authType);
    return formatLoginURL(authnResult.getLoginURL(), authnResult.getAuthContextRef(), realm, hostProviderID, idpDescriptor, idpConfig, authnRequest, httpRequest);
}
Also used : IDPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) FSAuthnDecisionHandler(com.sun.identity.federation.services.FSAuthnDecisionHandler) FSAuthContextResult(com.sun.identity.federation.services.FSAuthContextResult) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) ArrayList(java.util.ArrayList) List(java.util.List) ServletException(javax.servlet.ServletException) COTException(com.sun.identity.cot.COTException) FSException(com.sun.identity.federation.common.FSException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) IOException(java.io.IOException) FSRedirectException(com.sun.identity.federation.common.FSRedirectException)

Aggregations

FSException (com.sun.identity.federation.common.FSException)2 FSRedirectException (com.sun.identity.federation.common.FSRedirectException)2 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)2 FSAuthContextResult (com.sun.identity.federation.services.FSAuthContextResult)2 FSAuthnDecisionHandler (com.sun.identity.federation.services.FSAuthnDecisionHandler)2 IOException (java.io.IOException)2 ArrayList (java.util.ArrayList)2 List (java.util.List)2 COTException (com.sun.identity.cot.COTException)1 FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)1 BaseConfigType (com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)1 IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)1 FSSession (com.sun.identity.federation.services.FSSession)1 FSSessionManager (com.sun.identity.federation.services.FSSessionManager)1 FSTokenListener (com.sun.identity.federation.services.logout.FSTokenListener)1 IDPDescriptorType (com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType)1 SessionException (com.sun.identity.plugin.session.SessionException)1 SessionProvider (com.sun.identity.plugin.session.SessionProvider)1 SAMLException (com.sun.identity.saml.common.SAMLException)1 Status (com.sun.identity.saml.protocol.Status)1