Search in sources :

Example 51 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class AssertionManager method getAuthorizationDecisionAssertion.

/**
     * @param addListener A listener to the single sign on token is added only
     *        when both store and addListener are true.
     */
private Assertion getAuthorizationDecisionAssertion(AuthorizationDecisionQuery query, String destID, boolean store, Object token, boolean addListener, Map actionMap) throws SAMLException {
    if (actionMap == null) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: " + "actionMap from ActionMapper is null.");
        }
        throw new SAMLException(SAMLUtils.bundle.getString("nullAuthZDecision"));
    }
    validateNumberOfAssertions(idEntryMap);
    int decision;
    List newActions = null;
    if ((newActions = (List) actionMap.get(ActionMapper.PERMIT)) != null) {
        decision = AuthorizationDecisionStatement.DecisionType.PERMIT;
    } else if ((newActions = (List) actionMap.get(ActionMapper.DENY)) != null) {
        decision = AuthorizationDecisionStatement.DecisionType.DENY;
    } else {
        newActions = (List) actionMap.get(ActionMapper.INDETERMINATE);
        if (newActions == null) {
            // try not to be too restrictive
            newActions = query.getAction();
        }
        decision = AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
    }
    //create statement
    AuthorizationDecisionStatement statement = new AuthorizationDecisionStatement(query.getSubject(), query.getResource(), decision, newActions, query.getEvidence());
    Date issueInstant = new Date();
    Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
    Conditions cond = new Conditions(notBefore, notAfter);
    String issuer = (String) SAMLServiceManager.getAttribute(SAMLConstants.ISSUER_NAME);
    Set statements = new HashSet();
    statements.add(statement);
    Assertion assertion = new Assertion(null, issuer, issueInstant, cond, statements);
    if (((Boolean) SAMLServiceManager.getAttribute(SAMLConstants.SIGN_ASSERTION)).booleanValue()) {
        assertion.signXML();
    }
    String aIDString = assertion.getAssertionID();
    if (store) {
        Entry entry = null;
        if (addListener) {
            // create a listener and add the listener to the token
            AssertionSSOTokenListener listener = new AssertionSSOTokenListener(aIDString);
            try {
                if (sessionProvider == null) {
                    throw new SAMLException(SAMLUtils.bundle.getString("nullSessionProvider"));
                }
                sessionProvider.addListener(token, listener);
            } catch (SessionException e) {
                SAMLUtils.debug.error("AssertionManager.getAuthNAssertion:" + " Couldn't get listener to token:", e);
            // don't need to throw an exception
            }
        }
        entry = new Entry(assertion, destID, null, null);
        // put assertion in idEntryMap
        try {
            Object oldEntry = null;
            synchronized (idEntryMap) {
                oldEntry = idEntryMap.put(aIDString, entry);
            }
            if (oldEntry != null) {
                assertionTimeoutRunnable.removeElement(aIDString);
            }
            assertionTimeoutRunnable.addElement(aIDString);
            if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
                saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS, FedMonSAML1Svc.CWRITE);
            }
        } catch (Exception e) {
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("AssertionManager.getAuthZAssertion" + ": couldn't add assertion to the idAssertionMap.", e);
            }
            throw new SAMLResponderException(SAMLUtils.bundle.getString("errorCreateAssertion"));
        }
        if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
            String[] data = { SAMLUtils.bundle.getString("assertionCreated"), assertion.toString(true, true) };
            LogUtils.access(java.util.logging.Level.FINER, LogUtils.ASSERTION_CREATED, data);
        } else {
            String[] data = { SAMLUtils.bundle.getString("assertionCreated"), aIDString };
            LogUtils.access(java.util.logging.Level.INFO, LogUtils.ASSERTION_CREATED, data);
        }
    }
    return assertion;
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) SessionException(com.sun.identity.plugin.session.SessionException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) ArrayList(java.util.ArrayList) List(java.util.List) HashSet(java.util.HashSet)

Example 52 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class AssertionManager method getAuthenticationAssertion.

/**
     * Gets assertion created from an AuthenticationQuery.
     * @param query An AuthenticationQuery.
     * @param destID to whom the assertion will be created for.
     * @return The Assertion that is created from the query.
     * @throws SAMLException If the Assertion cannot be created.
     */
private Assertion getAuthenticationAssertion(AuthenticationQuery query, String destID) throws SAMLException {
    if (query == null) {
        // no need to log the error again
        return null;
    }
    validateNumberOfAssertions(idEntryMap);
    // get the subject of the query
    Subject subject = query.getSubject();
    // get SubjectConfirmation
    SubjectConfirmation sc = subject.getSubjectConfirmation();
    if (sc == null) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " missing SubjectConfirmation.");
        }
        // we don't know if the subject is authenticated to OpenAM.
        throw new SAMLException(SAMLUtils.bundle.getString("missingSubjectConfirmation"));
    }
    // check ConfirmationMethod
    if (!SAMLUtils.isCorrectConfirmationMethod(sc)) {
        // don't need to log again
        throw new SAMLException(SAMLUtils.bundle.getString("wrongConfirmationMethodValue"));
    }
    // get SubjectConfirmationData
    Element scData = sc.getSubjectConfirmationData();
    if (scData == null) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " missing SubjectConfirmationData in the Subject.");
        }
        throw new SAMLException(SAMLUtils.bundle.getString("missingSubjectConfirmationData"));
    }
    // SSOTokenID == scData
    String authMethod = null;
    Date authInstant = null;
    String nameQualifier = null;
    String name = null;
    Object token = null;
    String clientIP = null;
    try {
        if (sessionProvider == null) {
            throw new SAMLException(SAMLUtils.bundle.getString("nullSessionProvider"));
        }
        token = sessionProvider.getSession(XMLUtils.getElementString(scData));
        authMethod = SAMLServiceManager.getAuthMethodURI(sessionProvider.getProperty(token, "AuthType")[0]);
        // get authenticationInstant
        authInstant = DateUtils.stringToDate(sessionProvider.getProperty(token, "authInstant")[0]);
        // get the nameQualifier of the NameIdentifier
        nameQualifier = XMLUtils.escapeSpecialCharacters(sessionProvider.getProperty(token, "Organization")[0]);
        // get the name of the NameIdentifier
        name = XMLUtils.escapeSpecialCharacters(sessionProvider.getPrincipalName(token));
        try {
            InetAddress clientIPAddress = InetAddress.getByName(sessionProvider.getProperty(token, "ipaddress")[0]);
            clientIP = clientIPAddress.getHostAddress();
        } catch (Exception e) {
            // catching exception here since clientIP is optional
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("AssertionManager." + "getAuthNAssertion: exception when getting " + "client ip.");
            }
        }
    } catch (Exception e) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " exception retrieving info from the SSOToken:", e);
        }
        throw new SAMLException(SAMLUtils.bundle.getString("wrongSubjectConfirmationData"));
    }
    // get and check NameIdentifier
    NameIdentifier ni = subject.getNameIdentifier();
    if (ni != null) {
        String niName = ni.getName();
        String niNameQualifier = ni.getNameQualifier();
        if (((niName != null) && (!niName.equalsIgnoreCase(name))) || ((niNameQualifier != null) && (!niNameQualifier.equalsIgnoreCase(nameQualifier)))) {
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("AssertionManager.getAuthNAssertion" + ": NameIdentifier is different from info in " + "SubjectConfirmation");
            }
            throw new SAMLException(SAMLUtils.bundle.getString("wrongNameIdentifier"));
        }
    }
    // get and check AuthenticationMethod in the query
    String am = query.getAuthenticationMethod();
    // check it against authMethod
    if ((am != null) && (am.length() != 0) && (!am.equalsIgnoreCase(authMethod))) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " couldn't form an assertion matching the " + "AuthenticationMethod in the query.");
        }
        throw new SAMLException(SAMLUtils.bundle.getString("authenticationMethodInQueryNotMatch"));
    }
    SubjectLocality subjLocality = null;
    if ((clientIP != null) && (clientIP.length() != 0)) {
        subjLocality = new SubjectLocality(clientIP, null);
    }
    AuthenticationStatement statement = new AuthenticationStatement(authMethod, authInstant, subject, subjLocality, null);
    Date issueInstant = new Date();
    // get this period from the config
    Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
    Conditions cond = new Conditions(notBefore, notAfter);
    String issuer = (String) SAMLServiceManager.getAttribute(SAMLConstants.ISSUER_NAME);
    Set statements = new HashSet();
    statements.add(statement);
    Assertion assertion = new Assertion(null, issuer, issueInstant, cond, statements);
    if (((Boolean) SAMLServiceManager.getAttribute(SAMLConstants.SIGN_ASSERTION)).booleanValue()) {
        assertion.signXML();
    }
    String aIDString = assertion.getAssertionID();
    Entry entry = new Entry(assertion, destID, null, token);
    // add entry to idEntryMap
    try {
        Object oldEntry = null;
        synchronized (idEntryMap) {
            oldEntry = idEntryMap.put(aIDString, entry);
        }
        if (oldEntry != null) {
            assertionTimeoutRunnable.removeElement(aIDString);
        }
        assertionTimeoutRunnable.addElement(aIDString);
        if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
            saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS, FedMonSAML1Svc.CWRITE);
        }
    } catch (Exception e) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " couldn't add assertion to the idEntryMap.", e);
        }
        throw new SAMLResponderException(SAMLUtils.bundle.getString("errorCreateAssertion"));
    }
    if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
        String[] data = { SAMLUtils.bundle.getString("assertionCreated"), assertion.toString(true, true) };
        LogUtils.access(java.util.logging.Level.FINER, LogUtils.ASSERTION_CREATED, data);
    } else {
        String[] data = { SAMLUtils.bundle.getString("assertionCreated"), aIDString };
        LogUtils.access(java.util.logging.Level.INFO, LogUtils.ASSERTION_CREATED, data);
    }
    // create a listener and add the listener to the token
    AssertionSSOTokenListener listener = new AssertionSSOTokenListener(aIDString);
    try {
        sessionProvider.addListener(token, listener);
    } catch (SessionException e) {
        SAMLUtils.debug.error("AssertionManager.getAuthNAssertion:" + " Couldn't add listener to token:", e);
    // don't need to throw an exception
    }
    return assertion;
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) Element(org.w3c.dom.Element) SessionException(com.sun.identity.plugin.session.SessionException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) InetAddress(java.net.InetAddress) HashSet(java.util.HashSet)

Example 53 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class MultiProtocolUtils method usedInProtocol.

/**
     * Returns true if the session is used in the specified federation protocol.
     * @param request HttpServlet object
     * @param protocol Protocol of the caller. Value is one of the following:
     *   <code>SingleLogoutManager.IDFF</code>
     *   <code>SingleLogoutManager.SAML2</code> 
     *   <code>SingleLogoutManager.WS_FED</code>
     * @return true if the session is used in this federation protocol, 
     *  false otherwise.
     */
public static boolean usedInProtocol(HttpServletRequest request, String protocol) {
    try {
        SessionProvider provider = SessionManager.getProvider();
        Object session = provider.getSession(request);
        return usedInProtocol(session, protocol);
    } catch (SessionException ex) {
        SingleLogoutManager.debug.message("MPUtils.usedInProtocol?", ex);
        return false;
    }
}
Also used : SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 54 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class MultiProtocolUtils method usedInProtocol.

/**
     * Returns true if the session is used in the specified federation protocol.
     * @param session Session object
     * @param protocol Protocol of the caller. Value is one of the following:
     *   <code>SingleLogoutManager.IDFF</code>
     *   <code>SingleLogoutManager.SAML2</code> 
     *   <code>SingleLogoutManager.WS_FED</code>
     * @return true if the session is used in this federation protocol, 
     *  false otherwise.
     */
public static boolean usedInProtocol(Object session, String protocol) {
    SingleLogoutManager.debug.message("MultiProtocolUtils.usedInProtocol");
    if ((session == null) || (protocol == null)) {
        return false;
    }
    if (SingleLogoutManager.debug.messageEnabled()) {
        SingleLogoutManager.debug.message("MultiProtocolUtils.usedInProto:" + " protocol=" + protocol + ", session=" + session);
    }
    try {
        SessionProvider provider = SessionManager.getProvider();
        String[] vals = provider.getProperty(session, SingleLogoutManager.FEDERATION_PROTOCOLS);
        if (SingleLogoutManager.debug.messageEnabled()) {
            SingleLogoutManager.debug.message("MultiProtocolUtils.usedInProtocol: protocols=" + vals);
        }
        if ((vals != null) && (vals.length != 0)) {
            for (int i = 0; i < vals.length; i++) {
                if (protocol.equals(vals[i])) {
                    return true;
                }
            }
        }
        return false;
    } catch (SessionException ex) {
        SingleLogoutManager.debug.message("MPUtils.usedInProtocol", ex);
    } catch (UnsupportedOperationException ex) {
        SingleLogoutManager.debug.message("MPUtils.usedInProtocol", ex);
    }
    return false;
}
Also used : SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 55 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class LibSecurityTokenProvider method initialize.

/**
     * Initializes the <code>LibSecurityTokenProvider</code>.
     *
     * @param credential  The credential of the caller used to see if
     *                    access to this security token provider is allowed
     * @param sigManager XMLSignatureManager  instance of XML digital
     *        signature manager class, used for accessing the certificate
     *        datastore and digital signing of the assertion.
     * @throws SecurityTokenException if the caller does not have
     *         privilege to access the security authority manager
     */
public void initialize(Object credential, XMLSignatureManager sigManager) throws SecurityTokenException {
    // check null for signature manager
    debug.message("LibSecurityTokenProvider.initialize");
    if (sigManager == null) {
        debug.error("AMP: nulll signature manager");
        throw new SecurityTokenException(bundle.getString("nullXMLSigManager"));
    }
    keystore = sigManager.getKeyProvider();
    // check valid Session 
    try {
        ssoToken = credential;
        SessionProvider provider = SessionManager.getProvider();
        if (!provider.isValid(ssoToken)) {
            throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
        }
        String[] tmp = provider.getProperty(ssoToken, SessionProvider.AUTH_METHOD);
        if ((tmp != null) && (tmp.length != 0)) {
            authType = tmp[0];
        }
        tmp = provider.getProperty(ssoToken, SessionProvider.AUTH_INSTANT);
        if ((tmp != null) && (tmp.length != 0)) {
            authTime = tmp[0];
        }
    } catch (SessionException e) {
        debug.error("AMP: invalid SSO Token", e);
        throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
    }
    //
    // TODO : privilege checking for the ssoToken, how??
    // maybe a relation between the principal of the SSO and the
    // certificate? super admin shall be allowed without checking
    // still TBD
    //
    this.sigManager = sigManager;
}
Also used : SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Aggregations

SessionException (com.sun.identity.plugin.session.SessionException)121 SessionProvider (com.sun.identity.plugin.session.SessionProvider)55 List (java.util.List)40 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)35 IOException (java.io.IOException)28 ArrayList (java.util.ArrayList)28 Set (java.util.Set)24 SAMLException (com.sun.identity.saml.common.SAMLException)23 Iterator (java.util.Iterator)20 HashMap (java.util.HashMap)18 HashSet (java.util.HashSet)18 Map (java.util.Map)18 FSSession (com.sun.identity.federation.services.FSSession)17 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)17 FSSessionManager (com.sun.identity.federation.services.FSSessionManager)15 FSException (com.sun.identity.federation.common.FSException)13 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)12 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)11 ServletException (javax.servlet.ServletException)10 DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)9