Class AssertionManager, method getAuthorizationDecisionAssertion.
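/**
 * Creates an {@code Assertion} holding one {@code AuthorizationDecisionStatement}
 * that answers the given query.
 *
 * <p>The decision is derived from {@code actionMap}: a {@code PERMIT} entry
 * takes precedence, then {@code DENY}; otherwise the decision is
 * {@code INDETERMINATE}, using the {@code INDETERMINATE} actions or, if
 * absent, the actions of the query itself. The assertion is signed when
 * {@code SAMLConstants.SIGN_ASSERTION} is configured.
 *
 * @param query The AuthorizationDecisionQuery being answered.
 * @param destID to whom the assertion will be created for.
 * @param store Whether to keep the assertion in {@code idEntryMap} (and
 * schedule its timeout) so that it can be retrieved later.
 * @param token The single sign on token the listener is attached to; only
 * used when both store and addListener are true.
 * @param addListener A listener to the single sign on token is added only
 * when both store and addListener are true.
 * @param actionMap Action lists keyed by {@code ActionMapper.PERMIT},
 * {@code ActionMapper.DENY} or {@code ActionMapper.INDETERMINATE}.
 * @return The Assertion that is created from the query.
 * @throws SAMLException If actionMap is null, if no session provider is
 * available when a listener is requested, or if the assertion cannot be
 * stored (as a {@code SAMLResponderException}).
 */
private Assertion getAuthorizationDecisionAssertion(AuthorizationDecisionQuery query, String destID, boolean store, Object token, boolean addListener, Map actionMap) throws SAMLException {
    if (actionMap == null) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: " + "actionMap from ActionMapper is null.");
        }
        throw new SAMLException(SAMLUtils.bundle.getString("nullAuthZDecision"));
    }
    validateNumberOfAssertions(idEntryMap);
    // decision precedence: PERMIT, then DENY, then INDETERMINATE
    int decision;
    List newActions = (List) actionMap.get(ActionMapper.PERMIT);
    if (newActions != null) {
        decision = AuthorizationDecisionStatement.DecisionType.PERMIT;
    } else if ((newActions = (List) actionMap.get(ActionMapper.DENY)) != null) {
        decision = AuthorizationDecisionStatement.DecisionType.DENY;
    } else {
        newActions = (List) actionMap.get(ActionMapper.INDETERMINATE);
        if (newActions == null) {
            // try not to be too restrictive
            newActions = query.getAction();
        }
        decision = AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
    }
    //create statement
    AuthorizationDecisionStatement statement = new AuthorizationDecisionStatement(query.getSubject(), query.getResource(), decision, newActions, query.getEvidence());
    // validity window: [now - notBeforeSkew, now + assertionTimeout]
    Date issueInstant = new Date();
    Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
    Conditions cond = new Conditions(notBefore, notAfter);
    String issuer = (String) SAMLServiceManager.getAttribute(SAMLConstants.ISSUER_NAME);
    Set statements = new HashSet();
    statements.add(statement);
    Assertion assertion = new Assertion(null, issuer, issueInstant, cond, statements);
    if (((Boolean) SAMLServiceManager.getAttribute(SAMLConstants.SIGN_ASSERTION)).booleanValue()) {
        assertion.signXML();
    }
    String aIDString = assertion.getAssertionID();
    if (store) {
        if (addListener) {
            // create a listener and add the listener to the token
            AssertionSSOTokenListener listener = new AssertionSSOTokenListener(aIDString);
            try {
                if (sessionProvider == null) {
                    throw new SAMLException(SAMLUtils.bundle.getString("nullSessionProvider"));
                }
                sessionProvider.addListener(token, listener);
            } catch (SessionException e) {
                // log prefix names this method (was copied from getAuthNAssertion)
                SAMLUtils.debug.error("AssertionManager.getAuthZAssertion:" + " Couldn't get listener to token:", e);
                // don't need to throw an exception
            }
        }
        // the token is not recorded in the entry on the authz path
        Entry entry = new Entry(assertion, destID, null, null);
        // put assertion in idEntryMap
        try {
            Object oldEntry;
            synchronized (idEntryMap) {
                oldEntry = idEntryMap.put(aIDString, entry);
            }
            // re-register the timeout so a replaced entry is not timed out twice
            if (oldEntry != null) {
                assertionTimeoutRunnable.removeElement(aIDString);
            }
            assertionTimeoutRunnable.addElement(aIDString);
            if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
                saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS, FedMonSAML1Svc.CWRITE);
            }
        } catch (Exception e) {
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("AssertionManager.getAuthZAssertion" + ": couldn't add assertion to the idEntryMap.", e);
            }
            throw new SAMLResponderException(SAMLUtils.bundle.getString("errorCreateAssertion"));
        }
        // the full assertion text is only logged at FINER; otherwise just its id
        if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
            String[] data = { SAMLUtils.bundle.getString("assertionCreated"), assertion.toString(true, true) };
            LogUtils.access(java.util.logging.Level.FINER, LogUtils.ASSERTION_CREATED, data);
        } else {
            String[] data = { SAMLUtils.bundle.getString("assertionCreated"), aIDString };
            LogUtils.access(java.util.logging.Level.INFO, LogUtils.ASSERTION_CREATED, data);
        }
    }
    return assertion;
}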
Class AssertionManager, method getAuthenticationAssertion.
/**
 * Gets assertion created from an AuthenticationQuery.
 *
 * <p>The query's Subject must carry a SubjectConfirmation whose
 * SubjectConfirmationData is the session (SSO token) identifier; the
 * authentication method, instant, organization and principal name used
 * in the statement are all read from that session through
 * {@code sessionProvider}, and the query's NameIdentifier and
 * AuthenticationMethod (when given) must agree with them.
 *
 * @param query An AuthenticationQuery.
 * @param destID to whom the assertion will be created for.
 * @return The Assertion that is created from the query, or null if
 * query is null.
 * @throws SAMLException If the Assertion cannot be created: missing or
 * wrong SubjectConfirmation, unusable session data, NameIdentifier or
 * AuthenticationMethod mismatch, or (as a SAMLResponderException)
 * failure to store the assertion.
 */
private Assertion getAuthenticationAssertion(AuthenticationQuery query, String destID) throws SAMLException {
if (query == null) {
// no need to log the error again
return null;
}
validateNumberOfAssertions(idEntryMap);
// get the subject of the query
Subject subject = query.getSubject();
// get SubjectConfirmation
SubjectConfirmation sc = subject.getSubjectConfirmation();
if (sc == null) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " missing SubjectConfirmation.");
}
// we don't know if the subject is authenticated to OpenAM.
throw new SAMLException(SAMLUtils.bundle.getString("missingSubjectConfirmation"));
}
// check ConfirmationMethod
if (!SAMLUtils.isCorrectConfirmationMethod(sc)) {
// don't need to log again
throw new SAMLException(SAMLUtils.bundle.getString("wrongConfirmationMethodValue"));
}
// get SubjectConfirmationData
Element scData = sc.getSubjectConfirmationData();
if (scData == null) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " missing SubjectConfirmationData in the Subject.");
}
throw new SAMLException(SAMLUtils.bundle.getString("missingSubjectConfirmationData"));
}
// SSOTokenID == scData: the element text is looked up as a session below
String authMethod = null;
Date authInstant = null;
String nameQualifier = null;
String name = null;
Object token = null;
String clientIP = null;
try {
if (sessionProvider == null) {
throw new SAMLException(SAMLUtils.bundle.getString("nullSessionProvider"));
}
token = sessionProvider.getSession(XMLUtils.getElementString(scData));
authMethod = SAMLServiceManager.getAuthMethodURI(sessionProvider.getProperty(token, "AuthType")[0]);
// get authenticationInstant
authInstant = DateUtils.stringToDate(sessionProvider.getProperty(token, "authInstant")[0]);
// get the nameQualifier of the NameIdentifier (escaped for XML output)
nameQualifier = XMLUtils.escapeSpecialCharacters(sessionProvider.getProperty(token, "Organization")[0]);
// get the name of the NameIdentifier (escaped for XML output)
name = XMLUtils.escapeSpecialCharacters(sessionProvider.getPrincipalName(token));
try {
// NOTE(review): getByName() also resolves host names; if the "ipaddress"
// property were ever not an IP literal this would trigger a DNS lookup -
// confirm the property is always a literal address
InetAddress clientIPAddress = InetAddress.getByName(sessionProvider.getProperty(token, "ipaddress")[0]);
clientIP = clientIPAddress.getHostAddress();
} catch (Exception e) {
// catching exception here since clientIP is optional
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager." + "getAuthNAssertion: exception when getting " + "client ip.");
}
}
} catch (Exception e) {
// any failure above (invalid session, missing property, bad date) is
// reported to the requester as bad SubjectConfirmationData
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " exception retrieving info from the SSOToken:", e);
}
throw new SAMLException(SAMLUtils.bundle.getString("wrongSubjectConfirmationData"));
}
// get and check NameIdentifier: when the query names a subject, it must
// match (case-insensitively) the principal and organization of the session
NameIdentifier ni = subject.getNameIdentifier();
if (ni != null) {
String niName = ni.getName();
String niNameQualifier = ni.getNameQualifier();
if (((niName != null) && (!niName.equalsIgnoreCase(name))) || ((niNameQualifier != null) && (!niNameQualifier.equalsIgnoreCase(nameQualifier)))) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager.getAuthNAssertion" + ": NameIdentifier is different from info in " + "SubjectConfirmation");
}
throw new SAMLException(SAMLUtils.bundle.getString("wrongNameIdentifier"));
}
}
// get and check AuthenticationMethod in the query
String am = query.getAuthenticationMethod();
// check it against authMethod; an empty method in the query matches anything
if ((am != null) && (am.length() != 0) && (!am.equalsIgnoreCase(authMethod))) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " couldn't form an assertion matching the " + "AuthenticationMethod in the query.");
}
throw new SAMLException(SAMLUtils.bundle.getString("authenticationMethodInQueryNotMatch"));
}
// SubjectLocality is only included when a client IP was obtained
SubjectLocality subjLocality = null;
if ((clientIP != null) && (clientIP.length() != 0)) {
subjLocality = new SubjectLocality(clientIP, null);
}
AuthenticationStatement statement = new AuthenticationStatement(authMethod, authInstant, subject, subjLocality, null);
Date issueInstant = new Date();
// get this period from the config: validity is [now - notBeforeSkew, now + assertionTimeout]
Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
Conditions cond = new Conditions(notBefore, notAfter);
String issuer = (String) SAMLServiceManager.getAttribute(SAMLConstants.ISSUER_NAME);
Set statements = new HashSet();
statements.add(statement);
Assertion assertion = new Assertion(null, issuer, issueInstant, cond, statements);
if (((Boolean) SAMLServiceManager.getAttribute(SAMLConstants.SIGN_ASSERTION)).booleanValue()) {
assertion.signXML();
}
String aIDString = assertion.getAssertionID();
// the session token is kept with the entry so the assertion follows the session
Entry entry = new Entry(assertion, destID, null, token);
// add entry to idEntryMap
try {
Object oldEntry = null;
synchronized (idEntryMap) {
oldEntry = idEntryMap.put(aIDString, entry);
}
// re-register the timeout so a replaced entry is not timed out twice
if (oldEntry != null) {
assertionTimeoutRunnable.removeElement(aIDString);
}
assertionTimeoutRunnable.addElement(aIDString);
if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS, FedMonSAML1Svc.CWRITE);
}
} catch (Exception e) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:" + " couldn't add assertion to the idEntryMap.", e);
}
throw new SAMLResponderException(SAMLUtils.bundle.getString("errorCreateAssertion"));
}
// the full assertion text is only logged at FINER; otherwise just its id
if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
String[] data = { SAMLUtils.bundle.getString("assertionCreated"), assertion.toString(true, true) };
LogUtils.access(java.util.logging.Level.FINER, LogUtils.ASSERTION_CREATED, data);
} else {
String[] data = { SAMLUtils.bundle.getString("assertionCreated"), aIDString };
LogUtils.access(java.util.logging.Level.INFO, LogUtils.ASSERTION_CREATED, data);
}
// create a listener and add the listener to the token (sessionProvider was
// already checked for null above)
AssertionSSOTokenListener listener = new AssertionSSOTokenListener(aIDString);
try {
sessionProvider.addListener(token, listener);
} catch (SessionException e) {
SAMLUtils.debug.error("AssertionManager.getAuthNAssertion:" + " Couldn't add listener to token:", e);
// don't need to throw an exception
}
return assertion;
}
Class MultiProtocolUtils, method usedInProtocol (HttpServletRequest overload).
/**
 * Returns true if the session is used in the specified federation protocol.
 *
 * <p>Resolves the session from the request through the configured
 * {@code SessionProvider} and delegates to
 * {@link #usedInProtocol(Object, String)}.
 *
 * @param request HttpServlet object
 * @param protocol Protocol of the caller. Value is one of the following:
 * <code>SingleLogoutManager.IDFF</code>
 * <code>SingleLogoutManager.SAML2</code>
 * <code>SingleLogoutManager.WS_FED</code>
 * @return true if the session is used in this federation protocol,
 * false otherwise (including when no session can be obtained from the request).
 */
public static boolean usedInProtocol(HttpServletRequest request, String protocol) {
    Object session;
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        session = sessionProvider.getSession(request);
    } catch (SessionException ex) {
        // no usable session on this request: treat as "not used"
        SingleLogoutManager.debug.message("MPUtils.usedInProtocol?", ex);
        return false;
    }
    return usedInProtocol(session, protocol);
}
Class MultiProtocolUtils, method usedInProtocol (session object overload).
/**
 * Returns true if the session is used in the specified federation protocol.
 *
 * <p>Reads the {@code SingleLogoutManager.FEDERATION_PROTOCOLS} property of
 * the session and looks for an exact match of {@code protocol} in it.
 * Failures to read the property are logged and reported as false.
 *
 * @param session Session object
 * @param protocol Protocol of the caller. Value is one of the following:
 * <code>SingleLogoutManager.IDFF</code>
 * <code>SingleLogoutManager.SAML2</code>
 * <code>SingleLogoutManager.WS_FED</code>
 * @return true if the session is used in this federation protocol,
 * false otherwise.
 */
public static boolean usedInProtocol(Object session, String protocol) {
    SingleLogoutManager.debug.message("MultiProtocolUtils.usedInProtocol");
    if (session == null || protocol == null) {
        return false;
    }
    if (SingleLogoutManager.debug.messageEnabled()) {
        // NOTE(review): the session object is logged via toString() here -
        // confirm it does not expose the session identifier
        SingleLogoutManager.debug.message("MultiProtocolUtils.usedInProto:" + " protocol=" + protocol + ", session=" + session);
    }
    boolean found = false;
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        String[] protocols = sessionProvider.getProperty(session, SingleLogoutManager.FEDERATION_PROTOCOLS);
        if (SingleLogoutManager.debug.messageEnabled()) {
            SingleLogoutManager.debug.message("MultiProtocolUtils.usedInProtocol: protocols=" + protocols);
        }
        int idx = 0;
        while (!found && protocols != null && idx < protocols.length) {
            found = protocol.equals(protocols[idx]);
            idx++;
        }
    } catch (SessionException ex) {
        SingleLogoutManager.debug.message("MPUtils.usedInProtocol", ex);
    } catch (UnsupportedOperationException ex) {
        // the provider may not support property lookup; treat as "not used"
        SingleLogoutManager.debug.message("MPUtils.usedInProtocol", ex);
    }
    return found;
}
Class LibSecurityTokenProvider, method initialize.
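/**
 * Initializes the <code>LibSecurityTokenProvider</code>.
 *
 * <p>The signature manager is checked first, then the credential is
 * validated through the configured {@code SessionProvider}. Instance state
 * ({@code ssoToken}, {@code keystore}, {@code sigManager}) is only assigned
 * once the credential has been accepted, so a rejected credential does not
 * leave a half-initialized provider behind.
 *
 * @param credential The credential of the caller used to see if
 * access to this security token provider is allowed
 * @param sigManager XMLSignatureManager instance of XML digital
 * signature manager class, used for accessing the certificate
 * datastore and digital signing of the assertion.
 * @throws SecurityTokenException if sigManager is null, or if the caller
 * does not have privilege to access the security authority manager
 * (credential invalid or its session cannot be read)
 */
public void initialize(Object credential, XMLSignatureManager sigManager) throws SecurityTokenException {
    debug.message("LibSecurityTokenProvider.initialize");
    // check null for signature manager
    if (sigManager == null) {
        debug.error("AMP: null signature manager");
        throw new SecurityTokenException(bundle.getString("nullXMLSigManager"));
    }
    // check valid Session before touching any instance state
    try {
        SessionProvider provider = SessionManager.getProvider();
        if (!provider.isValid(credential)) {
            throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
        }
        // the credential is accepted; record it and the auth details
        ssoToken = credential;
        String[] tmp = provider.getProperty(ssoToken, SessionProvider.AUTH_METHOD);
        if ((tmp != null) && (tmp.length != 0)) {
            authType = tmp[0];
        }
        tmp = provider.getProperty(ssoToken, SessionProvider.AUTH_INSTANT);
        if ((tmp != null) && (tmp.length != 0)) {
            authTime = tmp[0];
        }
    } catch (SessionException e) {
        debug.error("AMP: invalid SSO Token", e);
        throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
    }
    keystore = sigManager.getKeyProvider();
    //
    // TODO : privilege checking for the ssoToken, how??
    // maybe a relation between the principal of the SSO and the
    // certificate? super admin shall be allowed without checking
    // still TBD
    //
    this.sigManager = sigManager;
}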