Use of com.sun.identity.liberty.ws.disco.plugins.NameIdentifierMapper in project OpenAM by OpenRock.
Class DiscoUtils, method generateCredential.
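/**
 * Generates the security credential (a SAML assertion) that a WSC must present
 * to the service described by {@code current}, according to the directive bits
 * in {@code dirs}.
 *
 * <p>Before the assertion is issued, the invocator's session subject may be
 * rewritten: an encrypted NameIdentifier is decrypted with the discovery
 * service's key; the configured {@link NameIdentifierMapper} (if any) may
 * substitute an identifier mapped for the target provider; and the resulting
 * identifier is re-encrypted when the target provider has NameID encryption
 * enabled. A failure in that step is logged and aborts credential generation.
 *
 * <p>Sender identity: the WSC provider ID (from {@code wscID}, or failing that
 * the message's ProviderHeader) is used when non-empty, otherwise the user's
 * DN. With {@code BEARER} set, a bearer token is issued only when at least one
 * of {@code AUTHN}, {@code AUTHO} or {@code SESSION} is also set. Without
 * {@code BEARER}, an authorization token is issued and bound either to the
 * WSC's configured signing key (non-empty provider ID) or to the certificate
 * carried by the incoming message (peer certificate first, then message
 * certificate).
 *
 * @param dirs        directive bits; positions {@code BEARER}, {@code AUTHN},
 *                    {@code AUTHO} and {@code SESSION} are consulted
 * @param current     the resource offering the credential is issued for
 * @param message     incoming message; supplies the ProviderHeader, the
 *                    assertion used to derive a session context, and the WSC
 *                    certificate
 * @param userDN      DN of the user on whose behalf the credential is issued
 * @param credentials output list; the generated assertion is appended on success
 * @param invoSession invocator session context, or {@code null} to derive it
 *                    from {@code message.getAssertion()}
 * @param wscID       provider ID of the WSC; may be {@code null} or empty
 * @param token       token handed to {@link SecurityTokenManager}
 * @return the generated assertion's ID, or {@code null} when no credential
 *         could be generated (the reason is logged)
 */
private static String generateCredential(BitSet dirs, ResourceOffering current, Message message, String userDN, List credentials, SessionContext invoSession, String wscID, Object token) {
    SecurityAssertion assertion = null;
    try {
        SecurityTokenManager secuMgr = new SecurityTokenManager(token);
        String providerID = resolveProviderID(wscID, message);

        SessionContext invocatorSession = invoSession;
        if (invocatorSession == null) {
            invocatorSession = getSessionContext(message.getAssertion());
        }

        // Provider ID of the service the credential is targeted at.
        String tproviderID = current.getServiceInstance().getProviderID();

        if (invocatorSession != null && !mapSessionSubject(invocatorSession, tproviderID, userDN)) {
            // Failure already logged by the helper; nothing is issued.
            return null;
        }

        Object resourceID = resolveResourceID(current);

        if (dirs.get(BEARER)) {
            // A bearer token is only meaningful together with one of the
            // authentication / authorization / session directives.
            if (dirs.get(AUTHN) || dirs.get(AUTHO) || dirs.get(SESSION)) {
                NameIdentifier senderIdentity = senderIdentity(providerID, userDN);
                if (resourceID instanceof String) {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                } else {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                }
            }
        } else {
            NameIdentifier senderIdentity = senderIdentity(providerID, userDN);
            // Bind the token to the WSC's key: by configured signing key alias
            // when the WSC is known by a (non-empty) provider ID, otherwise by
            // the certificate presented on the message. The empty-string case
            // is treated as "no provider ID", consistent with senderIdentity().
            if (isNonEmptyProviderID(providerID)) {
                secuMgr.setCertAlias(ProviderUtil.getProviderManager().getSigningKeyAlias(providerID));
            } else {
                X509Certificate wscCert = message.getPeerCertificate();
                if (wscCert == null) {
                    wscCert = message.getMessageCertificate();
                    if (wscCert == null) {
                        if (debug.messageEnabled()) {
                            debug.message("DiscoUtils.generateCredential:" + "client cert is null. Cannot generate " + "credential.");
                        }
                        return null;
                    }
                }
                secuMgr.setCertificate(wscCert);
            }
            if (resourceID instanceof String) {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            } else {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            }
        }
    } catch (Exception ex) {
        debug.error("DiscoUtils.generateCredential:" + "cannot generate credential: ", ex);
    }

    if (assertion == null) {
        debug.error("DiscoUtils.generateCredential: " + "cannot generate credential.");
        return null;
    }
    credentials.add(assertion);
    return assertion.getAssertionID();
}

/** True when {@code providerID} is neither {@code null} nor empty. */
private static boolean isNonEmptyProviderID(String providerID) {
    return (providerID != null) && (providerID.length() != 0);
}

/**
 * Determines the WSC provider ID: {@code wscID} when non-empty, otherwise the
 * ProviderID from the message's ProviderHeader (may still be {@code null}).
 */
private static String resolveProviderID(String wscID, Message message) {
    if (isNonEmptyProviderID(wscID)) {
        return wscID;
    }
    ProviderHeader ph = message.getProviderHeader();
    return (ph != null) ? ph.getProviderID() : wscID;
}

/**
 * Builds the sender identity: a provider-ID-format NameIdentifier when a
 * non-empty provider ID is available, otherwise one built from the user DN.
 */
private static NameIdentifier senderIdentity(String providerID, String userDN) throws Exception {
    if (isNonEmptyProviderID(providerID)) {
        return new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT);
    }
    return new NameIdentifier(userDN);
}

/**
 * Resolves the resource identifier of {@code current}: the encrypted resource
 * ID if present, else the plain resource ID string, else the implied resource.
 *
 * @return an {@link EncryptedResourceID} or a {@link String}
 */
private static Object resolveResourceID(ResourceOffering current) {
    Object resourceID = current.getEncryptedResourceID();
    if (resourceID != null) {
        return resourceID;
    }
    ResourceID plain = current.getResourceID();
    if (plain == null) {
        return (String) DiscoConstants.IMPLIED_RESOURCE;
    }
    return plain.getResourceID();
}

/**
 * Rewrites the session subject's NameIdentifier for the target provider:
 * decrypts an encrypted identifier, applies the configured
 * {@link NameIdentifierMapper} (if any), and re-encrypts when the target
 * provider has NameID encryption enabled. The updated subject is stored back
 * into {@code invocatorSession}.
 *
 * @return {@code true} on success; {@code false} after logging any failure
 */
private static boolean mapSessionSubject(SessionContext invocatorSession, String tproviderID, String userDN) {
    try {
        ProviderManager pm = ProviderUtil.getProviderManager();
        SessionSubject sub = invocatorSession.getSessionSubject();
        NameIdentifier ni = sub.getNameIdentifier();
        if ((ni.getFormat() != null) && (ni.getFormat().equals("urn:liberty:iff:nameid:encrypted"))) {
            ni = EncryptedNameIdentifier.getDecryptedNameIdentifier(ni, pm.getDecryptionKey(DiscoServiceManager.getDiscoProviderID()));
        }
        NameIdentifier newNi = null;
        NameIdentifierMapper niMapper = DiscoServiceManager.getNameIdentifierMapper();
        if (niMapper != null) {
            String discoEntityID = DiscoServiceManager.getDiscoProviderID();
            newNi = niMapper.getNameIdentifier(tproviderID, discoEntityID, ni, userDN);
        }
        if ((newNi != null) && !newNi.equals(ni)) {
            sub.setNameIdentifier(newNi);
            // Also update IDPProvidedNameIdentifier. This should really be an
            // EncryptedIDPProvidedNameIdentifier, but the specification does
            // not define one; alternatively set it to null once it becomes
            // optional in the SessionSubject implementation.
            IDPProvidedNameIdentifier idpNi = sub.getIDPProvidedNameIdentifier();
            if (idpNi != null) {
                IDPProvidedNameIdentifier newIdpNi = new IDPProvidedNameIdentifier(newNi.getName(), newNi.getNameQualifier(), newNi.getFormat());
                sub.setIDPProvidedNameIdentifier(newIdpNi);
            }
        } else if (pm.isNameIDEncryptionEnabled(tproviderID)) {
            sub.setNameIdentifier(EncryptedNameIdentifier.getEncryptedNameIdentifier(ni, tproviderID, pm.getEncryptionKey(tproviderID), pm.getEncryptionKeyAlgorithm(tproviderID), pm.getEncryptionKeyStrength(tproviderID)));
        } else {
            sub.setNameIdentifier(ni);
        }
        invocatorSession.setSessionSubject(sub);
        return true;
    } catch (Exception ex) {
        // Log label fixed: this code runs in generateCredential, not handleDirective.
        debug.error("DiscoUtils.generateCredential: En/Decryption" + " Exception:", ex);
        return false;
    }
}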