
Use of com.sun.identity.liberty.ws.disco.plugins.NameIdentifierMapper in the OpenAM project (OpenRock).

From the class DiscoUtils, method generateCredential.

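/**
 * Generates a SAML security assertion for the requesting web service consumer
 * (WSC) and appends it to {@code credentials}.
 *
 * <p>Two token shapes are produced:
 * <ul>
 *   <li>a <em>bearer</em> token when the {@code BEARER} directive is set together
 *       with at least one of {@code AUTHN}, {@code AUTHO} or {@code SESSION};</li>
 *   <li>an <em>authorization</em> token in every other case. That token is bound
 *       to the WSC's signing key alias when a provider ID is known, otherwise to
 *       the client certificate carried by the inbound message.</li>
 * </ul>
 *
 * <p>Before the token is issued the invocation session's subject is reworked for
 * the target provider: a name identifier in the
 * {@code urn:liberty:iff:nameid:encrypted} format is decrypted with the discovery
 * service's key, optionally remapped through the configured
 * {@link NameIdentifierMapper}, and re-encrypted for the target provider when
 * name-ID encryption is enabled for it.
 *
 * @param dirs        directive flags ({@code BEARER}, {@code AUTHN}, {@code AUTHO},
 *                    {@code SESSION}) selected by the caller
 * @param current     the resource offering the credential is generated for; its
 *                    service instance supplies the target provider ID
 * @param message     the inbound SOAP message; supplies the provider header, the
 *                    invoker's assertion and the client certificate
 * @param userDN      DN of the resource owner; becomes the sender identity when no
 *                    WSC provider ID is available
 * @param credentials list the generated assertion is appended to
 * @param invoSession invocation session context, or {@code null} to derive it from
 *                    the message's assertion
 * @param wscID       provider ID of the requesting WSC; may be {@code null} or empty,
 *                    in which case the SOAP provider header is consulted
 * @param token       session token handed to {@link SecurityTokenManager}
 * @return the assertion ID of the generated credential, or {@code null} when no
 *         credential could be generated (every failure is logged, none propagates)
 */
private static String generateCredential(BitSet dirs, ResourceOffering current, Message message, String userDN, List credentials, SessionContext invoSession, String wscID, Object token) {
    SecurityAssertion assertion = null;
    try {
        SecurityTokenManager secuMgr = new SecurityTokenManager(token);
        String providerID = resolveProviderID(wscID, message);
        SessionContext invocatorSession = invoSession;
        if (invocatorSession == null) {
            invocatorSession = getSessionContext(message.getAssertion());
        }
        String tproviderID = current.getServiceInstance().getProviderID();
        if (invocatorSession != null) {
            try {
                mapSessionNameIdentifier(invocatorSession, tproviderID, userDN);
            } catch (Exception ex) {
                // A failed decrypt/map/encrypt must not fall through to token
                // generation with a half-updated session subject.
                debug.error("DiscoUtils.generateCredential: En/Decryption" + " Exception:", ex);
                return null;
            }
        }
        Object resourceID = resolveResourceID(current);
        if (dirs.get(BEARER)) {
            // A bearer token without AUTHN/AUTHO/SESSION carries nothing usable;
            // assertion stays null and the caller gets null.
            if (dirs.get(AUTHN) || dirs.get(AUTHO) || dirs.get(SESSION)) {
                NameIdentifier senderIdentity = senderIdentityFor(providerID, userDN);
                if (resourceID instanceof String) {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                } else {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                }
            }
        } else {
            NameIdentifier senderIdentity = senderIdentityFor(providerID, userDN);
            // Same emptiness test as for the sender identity: an empty provider ID
            // must not be used to look up a signing key alias; fall back to the
            // WSC's certificate instead so the token is bound to the actual caller.
            if (hasText(providerID)) {
                secuMgr.setCertAlias(ProviderUtil.getProviderManager().getSigningKeyAlias(providerID));
            } else {
                X509Certificate wscCert = resolveWscCertificate(message);
                if (wscCert == null) {
                    if (debug.messageEnabled()) {
                        debug.message("DiscoUtils.generateCredential:" + "client cert is null. Cannot generate " + "credential.");
                    }
                    return null;
                }
                secuMgr.setCertificate(wscCert);
            }
            if (resourceID instanceof String) {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            } else {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            }
        }
    } catch (Exception ex) {
        debug.error("DiscoUtils.generateCredential:" + "cannot generate credential: ", ex);
    }
    if (assertion == null) {
        debug.error("DiscoUtils.generateCredential: " + "cannot generate credential.");
        return null;
    } else {
        credentials.add(assertion);
        return assertion.getAssertionID();
    }
}

/**
 * Returns {@code true} when {@code s} is neither {@code null} nor empty.
 */
private static boolean hasText(String s) {
    return (s != null) && (s.length() != 0);
}

/**
 * Resolves the WSC provider ID: {@code wscID} when non-empty, otherwise the
 * provider ID of the message's {@link ProviderHeader}. May still return
 * {@code null} or an empty string when neither source carries one.
 */
private static String resolveProviderID(String wscID, Message message) {
    if (hasText(wscID)) {
        return wscID;
    }
    ProviderHeader ph = message.getProviderHeader();
    return (ph != null) ? ph.getProviderID() : wscID;
}

/**
 * Resolves the resource identifier to embed in the token: the offering's
 * {@link EncryptedResourceID} when present, otherwise its plain resource ID
 * string, otherwise {@link DiscoConstants#IMPLIED_RESOURCE}.
 *
 * @return either a {@code String} or an {@code EncryptedResourceID}; callers
 *         dispatch on {@code instanceof String}
 */
private static Object resolveResourceID(ResourceOffering current) {
    Object resourceID = current.getEncryptedResourceID();
    if (resourceID != null) {
        return resourceID;
    }
    Object plain = current.getResourceID();
    if (plain == null) {
        return (String) DiscoConstants.IMPLIED_RESOURCE;
    }
    return ((ResourceID) plain).getResourceID();
}

/**
 * Builds the sender identity for the token: the WSC provider ID in
 * {@link DiscoConstants#PROVIDER_ID_FORMAT} when one is known, otherwise the
 * resource owner's DN.
 */
private static NameIdentifier senderIdentityFor(String providerID, String userDN) throws Exception {
    if (hasText(providerID)) {
        return new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT);
    }
    return new NameIdentifier(userDN);
}

/**
 * Picks the certificate that binds an authorization token to the WSC: the
 * transport peer certificate first, then the message-level certificate.
 *
 * @return the certificate, or {@code null} when the message carries neither
 */
private static X509Certificate resolveWscCertificate(Message message) {
    X509Certificate wscCert = message.getPeerCertificate();
    return (wscCert != null) ? wscCert : message.getMessageCertificate();
}

/**
 * Rewrites the session subject's name identifier for the target provider.
 *
 * <p>Steps, in order: decrypt the identifier if it is in the
 * {@code urn:liberty:iff:nameid:encrypted} format (using the discovery
 * service's own decryption key); ask the configured
 * {@link NameIdentifierMapper}, if any, for a provider-specific identifier;
 * when the mapper produced a different identifier, install it and mirror it
 * into the IDP-provided name identifier; otherwise encrypt the (decrypted)
 * identifier for the target provider when it has name-ID encryption enabled,
 * or store it as-is. The updated subject is written back to the session.
 *
 * @throws Exception whatever the decrypt, map or encrypt steps raise; the
 *         caller treats any failure as "no credential"
 */
private static void mapSessionNameIdentifier(SessionContext invocatorSession, String tproviderID, String userDN) throws Exception {
    ProviderManager pm = ProviderUtil.getProviderManager();
    SessionSubject sub = invocatorSession.getSessionSubject();
    NameIdentifier ni = sub.getNameIdentifier();
    if ((ni.getFormat() != null) && (ni.getFormat().equals("urn:liberty:iff:nameid:encrypted"))) {
        ni = EncryptedNameIdentifier.getDecryptedNameIdentifier(ni, pm.getDecryptionKey(DiscoServiceManager.getDiscoProviderID()));
    }
    NameIdentifier newNi = null;
    NameIdentifierMapper niMapper = DiscoServiceManager.getNameIdentifierMapper();
    if (niMapper != null) {
        String discoEntityID = DiscoServiceManager.getDiscoProviderID();
        newNi = niMapper.getNameIdentifier(tproviderID, discoEntityID, ni, userDN);
    }
    if ((newNi != null) && !newNi.equals(ni)) {
        // NOTE(review): a mapper-supplied identifier is stored in clear even when
        // the target provider has name-ID encryption enabled; only the unmapped
        // path below encrypts. Confirm this is intended before relying on it.
        sub.setNameIdentifier(newNi);
        // Mirror the mapped value into IDPProvidedNameIdentifier. This should be
        // an EncryptedIDPProvidedNameIdentifier, but the specification does not
        // define one; alternatively set it to null once it becomes optional in
        // the SessionSubject implementation.
        IDPProvidedNameIdentifier idpNi = sub.getIDPProvidedNameIdentifier();
        if (idpNi != null) {
            IDPProvidedNameIdentifier newIdpNi = new IDPProvidedNameIdentifier(newNi.getName(), newNi.getNameQualifier(), newNi.getFormat());
            sub.setIDPProvidedNameIdentifier(newIdpNi);
        }
    } else if (pm.isNameIDEncryptionEnabled(tproviderID)) {
        sub.setNameIdentifier(EncryptedNameIdentifier.getEncryptedNameIdentifier(ni, tproviderID, pm.getEncryptionKey(tproviderID), pm.getEncryptionKeyAlgorithm(tproviderID), pm.getEncryptionKeyStrength(tproviderID)));
    } else {
        sub.setNameIdentifier(ni);
    }
    invocatorSession.setSessionSubject(sub);
}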