Use of com.sun.identity.federation.services.FSSessionManager in project OpenAM by OpenRock.
Class FSLogoutUtil, method liveConnectionsExist.
/**
* Finds out the role of the provider in live connection list
* (provider that received/issued assertion for user).
* @param userID principal who needs to be logged out
* @param entityId to whom logout notification needs to be sent
* @param metaAlias the hostedProvider performing logout
* @return <code>true</code> if provider has IDP role;
* <code>false</code> otherwise.
*/
/*
public static boolean getCurrentProviderRole(
String userID,
String entityId,
String metaAlias)
{
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Entered getCurrentProviderRole" +
" for user : " + userID);
}
FSSessionManager sessionMgr = FSSessionManager.getInstance(
metaAlias);
synchronized(sessionMgr) {
List sessionList = sessionMgr.getSessionList(userID);
if (sessionList != null) {
FSUtils.debug.message("sessionList is not null");
Iterator iSessionIter = sessionList.iterator();
FSSession currentSession;
while (iSessionIter.hasNext()) {
currentSession = (FSSession)iSessionIter.next();
List providerList = currentSession.getSessionPartners();
Iterator iProviderIter = providerList.iterator();
while (iProviderIter.hasNext()) {
FSSessionPartner sessionPartner =
(FSSessionPartner)iProviderIter.next();
if (sessionPartner.isEquals(entityId)) {
return sessionPartner.getIsRoleIDP();
}
}
}
} else {
FSUtils.debug.message("sessionList is null");
return false;
}
}
return false;
}
*/
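/**
 * Finds out if there is at least one more partner who should be notified
 * of logout.
 * @param userID principal who needs to be logged out
 * @param metaAlias the provider performing logout
 * @return <code>true</code> if any session of the user still has a session
 * partner; <code>false</code> otherwise (including when the user has no
 * session list at all).
 */
public static boolean liveConnectionsExist(String userID, String metaAlias) {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("Entered liveConnectionsExist for user : " + userID);
    }
    FSSessionManager sessionMgr = FSSessionManager.getInstance(metaAlias);
    // The manager's monitor is held while the list is walked; this assumes the
    // FSSessionManager mutators synchronize on the same instance — confirm.
    synchronized (sessionMgr) {
        FSUtils.debug.message("About to call getSessionList");
        List sessionList = sessionMgr.getSessionList(userID);
        if (sessionList == null || sessionList.isEmpty()) {
            FSUtils.debug.message("List is empty");
            return false;
        }
        FSUtils.debug.message("List is not empty");
        // One session with at least one partner is enough to answer true.
        for (Iterator iSessionIter = sessionList.iterator(); iSessionIter.hasNext();) {
            FSSession sessionObj = (FSSession) iSessionIter.next();
            List partners = sessionObj.getSessionPartners();
            // A missing partner list is treated like an empty one instead of
            // failing with an NPE part-way through the logout flow.
            if (partners != null && !partners.isEmpty()) {
                return true;
            }
        }
        return false;
    }
}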
Use of com.sun.identity.federation.services.FSSessionManager in project OpenAM by OpenRock.
Class FSSingleLogoutHandler, method processHttpSingleLogoutRequest.
/**
 * Processes the logout request received through http.
 * Records the source provider in the return-session list, removes the
 * current partner from the user's session, and then notifies that partner
 * using whichever HTTP logout profile its metadata advertises.
 * @param response the HttpServletResponse object
 * @param request the HttpServletRequest object carrying the logout request
 * @param reqLogout the logout request
 * @param currentSessionProvider initial provider with whom to broadcast
 * @param userID who is presently logging out
 * @param ssoToken user session
 * @param sourceEntityId source provider's entity id
 * @param sessionIndex to be sent as part of logout message
 * @param isWMLAgent determines if response to be sent to WML agent
 * @param relayState received with the logout request
 * @param isSourceIDP whether source provider is an IDP or not
 * @return logout status: SAML_SUCCESS when nothing more had to be notified,
 * SAML_REQUESTER for a missing request, SAML_RESPONDER when the partner
 * supports no HTTP profile, otherwise the status of the first-round notification
 */
public FSLogoutStatus processHttpSingleLogoutRequest(HttpServletResponse response, HttpServletRequest request, FSLogoutNotification reqLogout, FSSessionPartner currentSessionProvider, String userID, Object ssoToken, String sourceEntityId, String sessionIndex, boolean isWMLAgent, String relayState, String isSourceIDP) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Entered FSSingleLogoutHandler::" + " processHttpSingleLogoutRequest - HTTP");
}
this.response = response;
this.request = request;
this.requestLogout = reqLogout;
locale = FSServiceUtils.getLocale(request);
setLogoutURL();
if (currentSessionProvider != null) {
isCurrentProviderIDPRole = currentSessionProvider.getIsRoleIDP();
remoteEntityId = currentSessionProvider.getPartner();
// NOTE(review): getRemoteDescriptor's result is stored unchecked; the
// profile lookup further down dereferences remoteDescriptor — confirm it
// can never be null for a partner that appears in the session list.
setRemoteDescriptor(getRemoteDescriptor(remoteEntityId));
}
this.userID = userID;
this.ssoToken = ssoToken;
this.sessionIndex = sessionIndex;
this.isWMLAgent = isWMLAgent;
if (reqLogout != null) {
FSUtils.debug.message("FSLogoutNotification formed really well");
// Remember who sent this logout so the final response can presumably be
// returned to it once the notification chain completes (returnAfterCompletion).
FSReturnSessionManager localManager = FSReturnSessionManager.getInstance(metaAlias);
if (localManager != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Added " + sourceEntityId + " top return list");
}
// NOTE(review): relayState is stored exactly as received from the peer;
// confirm it is validated (e.g. against the provider's configured URLs)
// before it is ever used as a redirect target.
localManager.setUserProviderInfo(userID, sourceEntityId, isSourceIDP, relayState, reqLogout.getRequestID());
} else {
FSUtils.debug.message("Cannot get FSReturnSessionManager");
}
FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
// Looks the session up by the sessionIndex parameter; the local-session
// destroy below uses reqLogout.getSessionIndex() instead — presumably the
// same value, but the two sources are not reconciled here.
// NOTE(review): getSession may return null; cleanSessionMapPartnerList
// receives it unchecked — confirm it tolerates null.
FSSession session = sessionManager.getSession(sessionManager.getSessionList(userID), sessionIndex);
if (currentSessionProvider == null) {
// No partner left to notify: tear down the local session and finish.
FSUtils.debug.message("currentSessionProvider is null. destroy and return");
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, reqLogout.getSessionIndex(), request, response);
returnAfterCompletion();
return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
} else {
String currentEntityId = currentSessionProvider.getPartner();
isCurrentProviderIDPRole = currentSessionProvider.getIsRoleIDP();
FSUtils.debug.message("FSSLOHandler, in case 3");
// Drop the partner from the session first so it is not notified twice.
FSLogoutUtil.cleanSessionMapPartnerList(userID, currentEntityId, metaAlias, session);
FSLogoutStatus bLogoutStatus = null;
List profiles = remoteDescriptor.getSingleLogoutProtocolProfile();
// Redirect profile is preferred; the GET profile is only used when the
// current provider is not acting as IDP; anything else is unsupported.
if (profiles != null && (profiles.contains(IFSConstants.LOGOUT_SP_REDIRECT_PROFILE) || profiles.contains(IFSConstants.LOGOUT_IDP_REDIRECT_PROFILE))) {
FSUtils.debug.message("In redirect profile");
bLogoutStatus = doHttpRedirect(currentEntityId);
} else if (profiles != null && profiles.contains(IFSConstants.LOGOUT_IDP_GET_PROFILE) && !isCurrentProviderIDPRole) {
FSUtils.debug.message("In GET profile");
bLogoutStatus = doHttpGet(currentEntityId);
} else {
FSUtils.debug.error("Provider " + currentEntityId + "doesn't support HTTP profile.");
returnAfterCompletion();
bLogoutStatus = new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Logout completed first round" + " with status : " + bLogoutStatus);
}
return bLogoutStatus;
}
} else {
// Malformed/missing request: audit-log it and report a requester error.
String[] data = { userID };
LogUtil.error(Level.INFO, LogUtil.LOGOUT_FAILED_REQUEST_IMPROPER, data, ssoToken);
FSUtils.debug.message("Request not proper. Cannot proceed with single logout");
returnAfterCompletion();
return new FSLogoutStatus(IFSConstants.SAML_REQUESTER);
}
}
Use of com.sun.identity.federation.services.FSSessionManager in project OpenAM by OpenRock.
Class FSAssertionArtifactHandler, method sendProxyResponse.
/**
 * Sends the proxy authentication response to the proxying service
 * provider which has originally requested for the authentication.
 * Retrieves the original request and proxy SP descriptor stored under
 * <code>requestID</code>, records the proxying SP as a partner of the
 * user's session, and hands the original request to an
 * <code>FSProxyHandler</code> configured with the local IDP metadata.
 * @param requestID authnRequest id that is sent to the authenticating
 * Identity Provider.
 */
protected void sendProxyResponse(String requestID) {
FSUtils.debug.message("FSAssertionArtifactHandler.sendProxyResponse::");
FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
// NOTE(review): if no request is stored for requestID this is null; the
// toXMLString() call below is inside a catch, but getProviderId() is not
// and would throw an NPE — confirm callers only reach here for known ids.
FSAuthnRequest origRequest = sessionManager.getProxySPAuthnRequest(requestID);
if (FSUtils.debug.messageEnabled()) {
try {
FSUtils.debug.message("FSAssertionHandler.sendProxyResponse:" + origRequest.toXMLString());
} catch (Exception ex) {
FSUtils.debug.error("FSAssertionHandler.sendProxyResponse:" + "toString(): Failed.", ex);
}
}
SPDescriptorType proxyDescriptor = sessionManager.getProxySPDescriptor(requestID);
String proxySPEntityId = origRequest.getProviderId();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler.sendProxyResponse" + ":Original requesting service provider id:" + proxySPEntityId);
}
// NOTE(review): session is dereferenced below without a null check —
// confirm getSession(ssoToken) cannot return null at this point.
FSSession session = sessionManager.getSession(ssoToken);
if (authnContextStmt != null) {
// Propagate the authentication context from the upstream IDP's statement.
String authnContext = authnContextStmt.getAuthnContextClassRef();
session.setAuthnContext(authnContext);
}
// Register the proxying SP as a logout partner; the second constructor
// argument presumably is the IDP-role flag (false = partner acts as SP).
session.addSessionPartner(new FSSessionPartner(proxySPEntityId, false));
if (FSUtils.debug.messageEnabled()) {
Iterator partners = session.getSessionPartners().iterator();
while (partners.hasNext()) {
FSSessionPartner part = (FSSessionPartner) partners.next();
// The inner messageEnabled() check is redundant with the outer one.
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("PARTNERS" + part.getPartner());
}
}
}
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
BaseConfigType proxySPConfig = null;
// Failure to load the proxy SP config is logged only; the handler below
// is then built with a null config.
try {
proxySPConfig = metaManager.getSPDescriptorConfig(realm, proxySPEntityId);
} catch (Exception e) {
FSUtils.debug.error("FSAssertionArtifactHandler.sendProxyResponse:" + "Couldn't obtain proxy sp meta:", e);
}
FSProxyHandler handler = new FSProxyHandler(request, response, origRequest, proxyDescriptor, proxySPConfig, proxySPEntityId, origRequest.getRelayState(), ssoToken);
IDPDescriptorType localIDPDesc = null;
BaseConfigType localIDPConfig = null;
String localIDPMetaAlias = null;
// Same pattern for the local IDP metadata: any failure (including an NPE
// from a null localIDPConfig on the getMetaAlias() line) is swallowed by
// the catch and the handler proceeds with null descriptor/config/alias.
try {
localIDPDesc = metaManager.getIDPDescriptor(realm, hostEntityId);
localIDPConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
localIDPMetaAlias = localIDPConfig.getMetaAlias();
} catch (Exception e) {
FSUtils.debug.error("FSAssertionartifactHandler.sendProxyResponse:" + "Exception when obtaining local idp meta:", e);
}
handler.setRealm(realm);
handler.setHostedEntityId(hostEntityId);
handler.setHostedDescriptor(localIDPDesc);
handler.setHostedDescriptorConfig(localIDPConfig);
handler.setMetaAlias(localIDPMetaAlias);
// Second argument is a flag whose meaning is not visible here — presumably
// marks this as a proxied (re-processed) request; verify in FSProxyHandler.
handler.processAuthnRequest(origRequest, true);
}
Use of com.sun.identity.federation.services.FSSessionManager in project OpenAM by OpenRock.
Class FSAssertionArtifactHandler, method getProvider.
/**
 * Returns the entity id of the IDP recorded for the given authn request.
 * @param requestID id of the authn request whose IDP is wanted
 * @return the IDP entity id looked up in this host's session manager
 */
protected String getProvider(String requestID) {
    FSUtils.debug.message("FSAssertionArtifactHandler.getProvider: Called");
    return FSSessionManager.getInstance(hostMetaAlias).getIDPEntityID(requestID);
}
Use of com.sun.identity.federation.services.FSSessionManager in project OpenAM by OpenRock.
Class FSAssertionArtifactHandler, method processAuthnResponse.
/**
 * Processes <code>FSAuthnResponse</code> received at the service provider:
 * invokes the SP adapter hooks, validates the response status and its
 * assertions, then either federates the account or performs single sign-on.
 * On success the user is redirected to the relay state (or handed to the IDP
 * proxy flow); on any failure the user is redirected to the framed login page.
 * @param authnResponse <code>FSAuthnResponse</code> object to be processed
 */
public void processAuthnResponse(FSAuthnResponse authnResponse) {
FSUtils.debug.message("FSAssertionArtifactHandler.ProcessAuthnResponse: Called");
this.authnResponse = authnResponse;
// Call SP adapter SPI
FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostEntityId, hostConfig);
if (spAdapter != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler, POST" + " Invokde spAdapter.preSSOFederationProcess");
}
try {
spAdapter.preSSOFederationProcess(hostEntityId, request, response, authnRequest, authnResponse, null);
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.preSSOFederationSuccess", e);
}
}
String baseURL = FSServiceUtils.getBaseURL(request);
// Destination used for every failure path below.
String framedLoginPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, authnRequest.getRelayState(), null, request, baseURL);
// Relay state resolution: the request's RelayState, else the provider's
// configured home page URL, else the SP default relative to baseURL.
// NOTE(review): this value becomes the final redirect target; confirm the
// RelayState stored on authnRequest was validated when the request was built.
this.relayState = authnRequest.getRelayState();
if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
this.relayState = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.PROVIDER_HOME_PAGE_URL);
if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
this.relayState = baseURL + IFSConstants.SP_DEFAULT_RELAY_STATE;
}
}
try {
if (authnResponse == null) {
String[] data = { FSUtils.bundle.getString("missingAuthnResponse") };
LogUtil.error(Level.INFO, LogUtil.MISSING_AUTHN_RESPONSE, data, ssoToken);
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("missingAuthnResponse") + " AuthnRequest Processing Failed at the IDP " + "Redirecting to the Framed Login Page");
response.sendRedirect(framedLoginPageURL);
return;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler.doPost:Received " + authnResponse.toXMLString());
}
// Status check first; on failure the pending request is discarded so the
// same InResponseTo cannot be replayed, then the adapter gets a chance to
// handle the failure before the default redirect.
boolean valid = verifyResponseStatus(authnResponse);
if (!valid) {
FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
// clean request map
String inResponseTo = authnResponse.getInResponseTo();
sessionManager.removeAuthnRequest(inResponseTo);
String[] data = { authnResponse.toXMLString() };
LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data, ssoToken);
FSUtils.debug.warning("FSAssertionArtifactHandler." + " processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
if ((spAdapter == null) || !(spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, null, FederationSPAdapter.INVALID_AUTHN_RESPONSE))) {
response.sendRedirect(framedLoginPageURL);
}
return;
}
// check Assertion
// validateAssertions is defined elsewhere; a null subject means the
// assertions were rejected. Unlike the status failure above, this path
// does not remove the pending authn request — possibly intentional.
List assertions = authnResponse.getAssertion();
FSSubject validSubject = (FSSubject) validateAssertions(assertions);
if (validSubject == null) {
String[] data = { FSUtils.bundle.getString("invalidAssertion") };
LogUtil.error(Level.INFO, LogUtil.INVALID_ASSERTION, data, ssoToken);
// NOTE(review): bundle key "InvalidResponse" differs in case from the
// "invalidResponse" key used elsewhere in this method — verify against
// the resource bundle; a missing key would only affect the log text.
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("InvalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
response.sendRedirect(framedLoginPageURL);
return;
}
FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
if (doFederate) {
// Account federation path: prefer the IDP-provided NameIdentifier and
// fall back to the subject's own NameIdentifier.
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Initiate Account Federation");
}
NameIdentifier ni = validSubject.getIDPProvidedNameIdentifier();
if (ni == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler.processAuthnResponse:" + " IDPProvided NameIdentifier is null");
}
ni = validSubject.getNameIdentifier();
}
if (ni != null) {
int returnCode = doAccountFederation(ni);
if (returnCode == FederationSPAdapter.SUCCESS) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Account federation" + " successful");
}
// Federation succeeded: drop the pending request and its local token.
// The redirect is presumably done inside doAccountFederation.
String inResponseTo = authnResponse.getInResponseTo();
sessionManager.removeAuthnRequest(inResponseTo);
sessionManager.removeLocalSessionToken(inResponseTo);
return;
} else {
String[] data = { FSUtils.bundle.getString("AccountFederationFailed") };
LogUtil.error(Level.INFO, LogUtil.ACCOUNT_FEDERATION_FAILED, data, ssoToken);
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("AccountFederationFailed") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, (FSResponse) samlResponse, returnCode)) {
response.sendRedirect(framedLoginPageURL);
}
}
} else {
// Lands in the catch-all below, which redirects to the login page.
throw new FSException("missingNIofSubject", null);
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Initiate SingleSign-On");
}
//check for SPProvidedNameIdentifier
NameIdentifier niIdp = validSubject.getIDPProvidedNameIdentifier();
NameIdentifier ni = validSubject.getNameIdentifier();
if (niIdp == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler.processAuthnResponse:" + " IDPProvided NameIdentifier is null");
}
niIdp = ni;
}
// Both identifiers and both handle names are required for SSO.
if ((niIdp == null) || (ni == null)) {
String[] data = { FSUtils.bundle.getString("invalidResponse") };
LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data, ssoToken);
FSUtils.debug.error("FSAssertionArtifactHandler." + " processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
response.sendRedirect(framedLoginPageURL);
return;
}
String idpHandle = niIdp.getName();
String spHandle = ni.getName();
int handleType;
if ((idpHandle == null) || (spHandle == null)) {
String[] data = { FSUtils.bundle.getString("invalidResponse") };
LogUtil.error(Level.INFO, LogUtil.INVALID_AUTHN_RESPONSE, data, ssoToken);
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
response.sendRedirect(framedLoginPageURL);
return;
}
// When the IDP and SP handles are the same name the IDP's identifier is
// used as a remote opaque handle; otherwise the SP's is a local one.
if (idpHandle.equals(spHandle)) {
ni = niIdp;
handleType = IFSConstants.REMOTE_OPAQUE_HANDLE;
} else {
handleType = IFSConstants.LOCAL_OPAQUE_HANDLE;
}
// The response is passed to doSingleSignOn through the env map.
Map env = new HashMap();
env.put(IFSConstants.FS_USER_PROVIDER_ENV_AUTHNRESPONSE_KEY, authnResponse);
int returnCode = doSingleSignOn(ni, handleType, niIdp, env);
if (returnCode == FederationSPAdapter.SUCCESS) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "processAuthnResponse: Accountfederation successful");
}
// Pending request is consumed here; an IDP-proxied request is answered
// via sendProxyResponse instead of the redirect below.
String requestID = authnResponse.getInResponseTo();
sessionManager.removeAuthnRequest(requestID);
if (isIDPProxyEnabled(requestID)) {
sendProxyResponse(requestID);
return;
}
String[] data = { this.relayState };
LogUtil.access(Level.INFO, LogUtil.ACCESS_GRANTED_REDIRECT_TO, data, ssoToken);
FSUtils.debug.message("ArtifactHandler.notfederated, postSSO");
if (spAdapter != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler," + " Invoke spAdapter.postSSOFederationSuccess");
}
try {
if (spAdapter.postSSOFederationSuccess(hostEntityId, request, response, ssoToken, authnRequest, authnResponse, null)) {
// return if the SP spi redirection happened
return;
}
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
FSUtils.debug.error("FSAssertionArtifadctHandler" + " SPAdapter.postSSOFederationSuccess:", e);
}
}
redirectToResource(this.relayState);
return;
} else {
String[] data = { FSUtils.bundle.getString("SSOfailed") };
LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data, ssoToken);
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, null, returnCode)) {
response.sendRedirect(framedLoginPageURL);
}
return;
}
}
} catch (Exception e) {
// Catch-all for anything thrown above (including the FSException for a
// missing NameIdentifier): log it and send the user to the login page.
// A failure of that redirect itself is only logged.
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: Exception Occured: ", e);
try {
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: " + FSUtils.bundle.getString("invalidResponse") + " AuthnRequest Processing Failed at the IDP" + " Redirecting to the Framed Login Page");
response.sendRedirect(framedLoginPageURL);
} catch (IOException ioe) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "processAuthnResponse: IOException Occured: ", ioe);
return;
}
return;
}
}