use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class SAMLAwareServlet method createArtifact.
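/**
 * Creates a list of AssertionArtifact's id.
 *
 * @param sso the user Session object
 * @param target A String representing the target host
 * @param request the current HTTP request, handed through to the assertion manager
 * @param response the current HTTP response, handed through to the assertion manager
 * @param targetUrl A URL String representing the target site
 * @param version The relying party preferred Assertion version number
 * @return a List representing a list of AssertionArtifact's id
 * @throws SAMLException if there is an error.
 */
private List createArtifact(Object sso, String target, HttpServletRequest request, HttpServletResponse response,
        String targetUrl, String version) throws SAMLException {
    // Reject inputs the assertion manager cannot work with before touching the session layer.
    if (sso == null || target == null || target.length() == 0 || version == null || version.length() == 0) {
        throw new SAMLException(SAMLUtils.bundle.getString("createArtifactError"));
    }
    List<String> artifactList = new ArrayList<String>();
    AssertionManager assertManager = AssertionManager.getInstance();
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        AssertionArtifact artifact = assertManager.createAssertionArtifact(
                sessionProvider.getSessionID(sso), target, request, response, targetUrl, version);
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionArtifact id = " + artifact.toString());
        }
        artifactList.add(artifact.getAssertionArtifact());
    } catch (SessionException se) {
        // getSessionID(sso) is inside the same try as getProvider(); keep the cause in the log so the
        // two failure modes can be told apart when diagnosing.
        SAMLUtils.debug.error("Couldn't get SessionProvider.", se);
        throw new SAMLException(SAMLUtils.bundle.getString("nullSessionProvider"));
    }
    return artifactList;
}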
the class SAMLUtils method generateSession.
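/**
 * Creates a Session for the principal described by the attribute map.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param attrMap Attribute Map; the realm is read from {@code SessionProvider.REALM} (defaulting to
 *        {@code "/"} when absent or empty) and the principal from {@code SessionProvider.PRINCIPAL_NAME},
 *        falling back to {@code SAMLConstants.USER_NAME}
 * @return the session object created by the configured {@code SessionProvider}
 * @throws SAMLException if failed to create Session
 */
public static Object generateSession(HttpServletRequest request, HttpServletResponse response, Map attrMap)
        throws SAMLException {
    String realm = (String) attrMap.get(SessionProvider.REALM);
    if (realm == null || realm.length() == 0) {
        realm = "/";
    }
    String principalName = (String) attrMap.get(SessionProvider.PRINCIPAL_NAME);
    if (principalName == null) {
        principalName = (String) attrMap.get(SAMLConstants.USER_NAME);
    }
    // Only realm and principal are handed to the provider; the remaining attributes are copied onto
    // the session afterwards by setAttrMapInSession.
    Map sessionInfoMap = new HashMap();
    sessionInfoMap.put(SessionProvider.REALM, realm);
    sessionInfoMap.put(SessionProvider.PRINCIPAL_NAME, principalName);
    //TODO: sessionInfoMap.put(SessionProvider.AUTH_LEVEL, "0");
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        Object session = sessionProvider.createSession(sessionInfoMap, request, response, null);
        setAttrMapInSession(sessionProvider, attrMap, session);
        return session;
    } catch (SessionException se) {
        if (debug.messageEnabled()) {
            debug.message("SAMLUtils.generateSession:", se);
        }
        throw new SAMLException(se);
    }
}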
the class DefaultLibraryIDPAttributeMapper method getAttributes.
/**
 * Returns list of SAML <code>Attribute</code> objects for the
 * IDP framework to insert into the generated <code>Assertion</code>.
 *
 * <p>The attribute map is taken from the remote SP's configuration first and from the hosted IDP's
 * configuration when the SP has none. Each mapped value is resolved in this order: a static value
 * carried in the mapping itself, a binary or string attribute read from the data store (skipped for
 * dynamic/ignored profiles), and finally a property of the user's session stored under the configured
 * local attribute name.
 *
 * @param session Single sign-on session.
 * @param hostEntityID <code>EntityID</code> of the hosted entity.
 * @param remoteEntityID <code>EntityID</code> of the remote entity.
 * @param realm name of the realm.
 * @return the resolved attributes; {@code null} when the session is not valid or when neither the
 *         remote SP nor the hosted IDP has an attribute map configured.
 * @exception SAML2Exception if any failure.
 */
public List getAttributes(Object session, String hostEntityID, String remoteEntityID, String realm) throws SAML2Exception {
    if (hostEntityID == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        // NOTE(review): reuses the "nullHostEntityID" message for a null realm, so the reported
        // error names the wrong parameter.
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (session == null) {
        throw new SAML2Exception(bundle.getString("nullSSOToken"));
    }
    try {
        if (!SessionManager.getProvider().isValid(session)) {
            if (debug.warningEnabled()) {
                debug.warning("DefaultLibraryIDPAttributeMapper." + "getAttributes: Invalid session");
            }
            return null;
        }
        // Remote SP mapping wins; hosted IDP mapping is the fallback.
        Map<String, String> configMap = getConfigAttributeMap(realm, remoteEntityID, SP);
        if (debug.messageEnabled()) {
            debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: remote SP attribute map = " + configMap);
        }
        if (configMap == null || configMap.isEmpty()) {
            configMap = getConfigAttributeMap(realm, hostEntityID, IDP);
            if (configMap == null || configMap.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: Configuration map is not defined.");
                }
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: hosted IDP attribute map=" + configMap);
            }
        }
        List<Attribute> attributes = new ArrayList<Attribute>();
        // Bulk data-store lookups, keyed by local attribute name; both stay null when the profile is
        // dynamic/ignored or the lookup fails, in which case only the session fallback below applies.
        Map<String, Set<String>> stringValueMap = null;
        Map<String, byte[][]> binaryValueMap = null;
        if (!isDynamicalOrIgnoredProfile(realm)) {
            try {
                // Resolve attributes to be read from the datastore.
                Set<String> stringAttributes = new HashSet<String>(configMap.size());
                Set<String> binaryAttributes = new HashSet<String>(configMap.size());
                for (String localAttribute : configMap.values()) {
                    if (isStaticAttributeValue(localAttribute)) {
                        // skip over, handled directly in next step
                    } else if (isBinaryAttributeValue(localAttribute)) {
                        // add it to the list of attributes to treat as being binary
                        binaryAttributes.add(removeBinaryFlag(localAttribute));
                    } else {
                        stringAttributes.add(localAttribute);
                    }
                }
                if (!stringAttributes.isEmpty()) {
                    stringValueMap = dsProvider.getAttributes(SessionManager.getProvider().getPrincipalName(session), stringAttributes);
                }
                if (!binaryAttributes.isEmpty()) {
                    binaryValueMap = dsProvider.getBinaryAttributes(SessionManager.getProvider().getPrincipalName(session), binaryAttributes);
                }
            } catch (DataStoreProviderException dse) {
                if (debug.warningEnabled()) {
                    debug.warning("DefaultLibraryIDPAttributeMapper." + "getAttributes:", dse);
                }
                //continue to check in ssotoken.
            }
        }
        for (Map.Entry<String, String> entry : configMap.entrySet()) {
            String samlAttribute = entry.getKey();
            String localAttribute = entry.getValue();
            String nameFormat = null;
            // check if samlAttribute has format nameFormat|samlAttribute
            StringTokenizer tokenizer = new StringTokenizer(samlAttribute, "|");
            if (tokenizer.countTokens() > 1) {
                nameFormat = tokenizer.nextToken();
                samlAttribute = tokenizer.nextToken();
            }
            Set<String> attributeValues = null;
            if (isStaticAttributeValue(localAttribute)) {
                localAttribute = removeStaticFlag(localAttribute);
                // Remove the static flag before using it as the static value
                attributeValues = CollectionUtils.asSet(localAttribute);
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: adding static " + "value " + localAttribute + " for attribute named " + samlAttribute);
                }
            } else {
                if (isBinaryAttributeValue(localAttribute)) {
                    // Remove the flag as not used for lookup
                    localAttribute = removeBinaryFlag(localAttribute);
                    attributeValues = getBinaryAttributeValues(samlAttribute, localAttribute, binaryValueMap);
                } else {
                    if (stringValueMap != null && !stringValueMap.isEmpty()) {
                        attributeValues = stringValueMap.get(localAttribute);
                    } else {
                        if (debug.messageEnabled()) {
                            debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: " + localAttribute + " string value map was empty or null");
                        }
                    }
                }
                // If all else fails, try to get the value from the users ssoToken
                // The configured local attribute name doubles as the session property name here, so
                // whatever that property holds is what ends up asserted to the SP.
                if (attributeValues == null || attributeValues.isEmpty()) {
                    if (debug.messageEnabled()) {
                        debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: user profile does not have " + "value for " + localAttribute + ", checking SSOToken");
                    }
                    attributeValues = CollectionUtils.asSet(SessionManager.getProvider().getProperty(session, localAttribute));
                }
            }
            if (attributeValues == null || attributeValues.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper.getAttribute: " + "user profile does not have a value for " + localAttribute);
                }
            } else {
                attributes.add(getSAMLAttribute(samlAttribute, nameFormat, attributeValues, hostEntityID, remoteEntityID, realm));
            }
        }
        return attributes;
    } catch (SessionException se) {
        debug.error("DefaultLibraryIDPAttribute.getAttributes: ", se);
        throw new SAML2Exception(se);
    }
}
the class IDPSingleLogout method sendLastResponse.
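/**
 * Sends the final LogoutResponse of an IDP single logout, or completes the IDP initiated variant when
 * there is no originating request to answer.
 *
 * <p>With no originating request ID the logout was started at the IDP: either all tokens of the user are
 * destroyed, or this session is evicted from the caches and invalidated (or handed to the
 * multi-federation {@code SingleLogoutManager} when other protocols share it). Otherwise the SP's
 * response endpoint is resolved, the session token is destroyed, a LogoutResponse is generated and,
 * unless the multi-federation manager has already redirected, sent back over the originating binding.
 *
 * @param idpSession the IDP side session being logged out
 * @param logoutRes the response so far; replaced by the freshly generated response in the SP initiated case
 * @param request the current HTTP request
 * @param response the current HTTP response
 * @param idpSessionIndex index of the IDP session in the caches
 * @param session the user's session object, used when delegating to the multi-federation logout manager
 * @param realm realm of the hosted IDP
 * @param idpEntityID entity ID of the hosted IDP
 * @param relayState relay state to echo back to the SP
 * @return {@code true} when a response has been written or a redirect issued to the client,
 *         {@code false} when nothing was sent and the caller may respond itself
 * @throws SAML2Exception on failure to build or deliver the response
 * @throws SessionException on session provider failures outside the guarded multi-federation block
 * @throws SAML2MetaException on metadata lookup failures
 */
private static boolean sendLastResponse(IDPSession idpSession, LogoutResponse logoutRes, HttpServletRequest request,
        HttpServletResponse response, String idpSessionIndex, Object session, String realm, String idpEntityID,
        String relayState) throws SAML2Exception, SessionException, SAML2MetaException {
    // Reset the binding to the original value so the response is sent back with the correct binding.
    String binding = idpSession.getOriginatingLogoutRequestBinding();
    String originatingRequestID = idpSession.getOriginatingLogoutRequestID();
    String originatingLogoutSPEntityID = idpSession.getOriginatingLogoutSPEntityID();

    if (originatingRequestID == null) {
        // No request to answer: this is IDP initiated SLO.
        if (idpSession.getLogoutAll()) {
            String userID = sessionProvider.getPrincipalName(idpSession.getSession());
            destroyAllTokenForUser(userID, request, response);
        } else {
            evictIdpSessionFromCaches(idpSessionIndex);
            if (!MultiProtocolUtils.isMultipleProtocolSession(idpSession.getSession(), SingleLogoutManager.SAML2)) {
                sessionProvider.invalidateSession(idpSession.getSession(), request, response);
            } else {
                MultiProtocolUtils.removeFederationProtocol(idpSession.getSession(), SingleLogoutManager.SAML2);
                // call Multi-Federation protocol SingleLogoutManager
                SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
                Set<Object> set = new HashSet<Object>(1);
                set.add(session);
                SessionProvider provider = SessionManager.getProvider();
                String uid = provider.getPrincipalName(session);
                debug.message("IDPSingleLogout.sendLastResponse: MP/Http");
                int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
                try {
                    retStatus = sloManager.doIDPSingleLogout(set, uid, request, response, false, true,
                            SingleLogoutManager.SAML2, realm, idpEntityID, originatingLogoutSPEntityID, relayState,
                            null, null, getLogoutStatus(logoutRes));
                } catch (SAML2Exception ex) {
                    throw ex;
                } catch (Exception ex) {
                    debug.error("IDPSIngleLogout.sendLastResponse: MP/IDP initiated HTTP", ex);
                    // Wrap rather than copy the message so the original cause stays attached.
                    throw new SAML2Exception(ex);
                }
                if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                    return true;
                }
            }
        }
        debug.message("IDP initiated SLO Success");
        return false;
    }

    List<SingleLogoutServiceElement> slosList = getSPSLOServiceEndpoints(realm, originatingLogoutSPEntityID);
    String location = LogoutUtil.getSLOResponseServiceLocation(slosList, binding);
    if (location == null || location.isEmpty()) {
        // No dedicated response location published by the SP: fall back to its SLO service location.
        location = LogoutUtil.getSLOServiceLocation(slosList, binding);
        if (location == null || location.length() == 0) {
            debug.error("Unable to find the IDP's single logout response service with the HTTP-Redirect binding");
            throw new SAML2Exception(SAML2Utils.bundle.getString("sloResponseServiceLocationNotfound"));
        }
        if (debug.messageEnabled()) {
            debug.message("SP's single logout response service location = " + location);
        }
    } else if (debug.messageEnabled()) {
        debug.message("IDP's single logout response service location = " + location);
    }

    Status status = destroyTokenAndGenerateStatus(idpSessionIndex, idpSession.getSession(), request, response, true);
    // Remote entity is passed as null because generateResponse does not use that argument.
    logoutRes = LogoutUtil.generateResponse(status, originatingRequestID, SAML2Utils.createIssuer(idpEntityID),
            realm, SAML2Constants.IDP_ROLE, null);
    if (logoutRes != null) {
        logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
        evictIdpSessionFromCaches(idpSessionIndex);
        // Multi-federation protocol processing for the SP initiated HTTP binding case.
        boolean isMultiProtocolSession = false;
        int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
        try {
            SessionProvider provider = SessionManager.getProvider();
            session = idpSession.getSession();
            if (session != null && provider.isValid(session)
                    && MultiProtocolUtils.isMultipleProtocolSession(session, SingleLogoutManager.SAML2)) {
                isMultiProtocolSession = true;
                // call Multi-Federation protocol SingleLogoutManager
                SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
                Set<Object> set = new HashSet<Object>(1);
                set.add(session);
                String uid = provider.getPrincipalName(session);
                debug.message("IDPSingleLogout.sendLastResponse: MP/Http");
                retStatus = sloManager.doIDPSingleLogout(set, uid, request, response, false, true,
                        SingleLogoutManager.SAML2, realm, idpEntityID, originatingLogoutSPEntityID, relayState,
                        null, logoutRes.toXMLString(), getLogoutStatus(logoutRes));
            }
        } catch (SessionException e) {
            // ignore as session might not be valid
            debug.message("IDPSingleLogout.sendLastResponse: session", e);
        } catch (Exception e) {
            debug.message("IDPSingleLogout.sendLastResponse: MP2", e);
            retStatus = SingleLogoutManager.LOGOUT_FAILED_STATUS;
        }
        if (!isMultiProtocolSession || retStatus != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
            logoutRes = updateLogoutResponse(logoutRes, retStatus);
            LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, idpEntityID,
                    SAML2Constants.IDP_ROLE, originatingLogoutSPEntityID, binding);
            return true;
        }
        return false;
    }

    evictIdpSessionFromCaches(idpSessionIndex);
    return false;
}

/**
 * Removes every cache entry held for {@code idpSessionIndex} and, when SAML2 failover is enabled, the
 * matching token in the SAML2 token repository.
 *
 * <p>Token repository failures are logged and otherwise ignored so that logout processing can
 * continue; the in-memory caches have already been cleared at that point.
 *
 * @param idpSessionIndex the IDP session index whose cached state is to be dropped
 */
private static void evictIdpSessionFromCaches(String idpSessionIndex) {
    IDPCache.idpSessionsByIndices.remove(idpSessionIndex);
    if (agent != null && agent.isRunning() && saml2Svc != null) {
        saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
    }
    try {
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            SAML2FailoverUtils.deleteSAML2Token(idpSessionIndex);
        }
    } catch (SAML2TokenRepositoryException se) {
        debug.error("IDPSingleLogout.sendLastResponse: Error while deleting token from "
                + "SAML2 Token Repository for idpSessionIndex:" + idpSessionIndex, se);
    }
    IDPCache.authnContextCache.remove(idpSessionIndex);
}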
the class IDPSessionListener method sessionInvalidated.
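/**
 * Callback for SessionListener.
 * It is used for cleaning up the IDP session cache.
 *
 * <p>When the session still has a cached IDP session, each paired SP is sent a SOAP single logout if the
 * hosted IDP has session synchronization enabled, and transient NameID mappings for the session are
 * dropped. In every case the session index is then removed from the index, authn-context, session-ID
 * and SP-partner caches, and from the failover token store when failover is enabled. Failures are
 * logged; nothing is propagated to the session framework.
 *
 * @param session The session object
 */
public void sessionInvalidated(Object session) {
    String classMethod = "IDPSessionListener.sessionInvalidated: ";
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Entering ...");
    }
    if (session == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Session is null.");
        }
        return;
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        String[] values = sessionProvider.getProperty(session, SAML2Constants.IDP_SESSION_INDEX);
        // A missing property and an empty first value are treated the same way: nothing to clean up.
        String sessionIndex = (values == null || values.length == 0) ? null : values[0];
        if (sessionIndex == null || sessionIndex.length() == 0) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "No sessionIndex stored in session.");
            }
            return;
        }
        IDPSession idpSession = (IDPSession) IDPCache.idpSessionsByIndices.get(sessionIndex);
        if (idpSession != null) {
            HashMap paramsMap = new HashMap();
            paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
            String metaAlias = idpSession.getMetaAlias();
            String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
            String idpEntityID = sm.getEntityByMetaAlias(metaAlias);
            try {
                initiateSessionSyncLogouts(idpSession, sessionIndex, metaAlias, realm, idpEntityID, paramsMap);
            } catch (SAML2MetaException sme) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", sme);
            } catch (SAML2Exception se) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", se);
            } catch (SessionException s) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", s);
            }
            // Runs even if the SP logouts above failed: the local cache must not keep stale mappings.
            removeTransientNameIDs(idpSession);
        } else if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "IDP Session with session index " + sessionIndex
                    + " already removed.");
        }
        IDPCache.idpSessionsByIndices.remove(sessionIndex);
        IDPCache.authnContextCache.remove(sessionIndex);
        String sessID = sessionProvider.getSessionID(session);
        if (IDPCache.idpSessionsBySessionID.get(sessID) != null) {
            IDPCache.idpSessionsBySessionID.remove(sessID);
            if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
                saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsBySessionID.size());
            }
        }
        if (IDPCache.spSessionPartnerBySessionID.get(sessID) != null) {
            IDPCache.spSessionPartnerBySessionID.remove(sessID);
        }
        // This failing should not cause the whole process to fail
        try {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
            }
        } catch (SAML2TokenRepositoryException se) {
            SAML2Utils.debug.error(classMethod + "SAML2 Token Repository error, sessionIndex:" + sessionIndex, se);
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod
                    + "cleaned up the IDP session cache for a session expiring or being destroyed: sessionIndex="
                    + sessionIndex);
        }
    } catch (SessionException e) {
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "invalid or expired session.", e);
        }
    } catch (SAML2MetaException samlme) {
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "unable to retrieve idp entity id.", samlme);
        }
    }
}

/**
 * Initiates a SOAP single logout towards every SP paired with the IDP session whose hosted IDP
 * configuration has session synchronization enabled.
 *
 * @param idpSession the cached IDP session whose NameID/SP pairs are walked
 * @param sessionIndex index of the IDP session, passed on to the logout
 * @param metaAlias meta alias of the hosted IDP
 * @param realm realm resolved from the meta alias
 * @param idpEntityID entity ID of the hosted IDP; a null value disables the logout for every pair
 * @param paramsMap parameters handed to {@code initiateIDPSingleLogout}
 * @throws SAML2MetaException on metadata lookup failures
 * @throws SAML2Exception on logout failures
 * @throws SessionException on session provider failures
 */
private void initiateSessionSyncLogouts(IDPSession idpSession, String sessionIndex, String metaAlias,
        String realm, String idpEntityID, HashMap paramsMap)
        throws SAML2MetaException, SAML2Exception, SessionException {
    String classMethod = "IDPSessionListener.sessionInvalidated: ";
    List list = (List) idpSession.getNameIDandSPpairs();
    for (Iterator iter = list.iterator(); iter.hasNext(); ) {
        NameIDandSPpair pair = (NameIDandSPpair) iter.next();
        String spEntityID = pair.getSPEntityID();
        NameID nameID = pair.getNameID();
        BaseConfigType idpConfig = sm.getIDPSSOConfig(realm, idpEntityID);
        if (idpConfig == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Unable to retrieve the IDP " + "config data, idpConfig is null");
            }
            continue;
        }
        List idpSessionSyncList = (List) SAML2MetaUtils.getAttributes(idpConfig)
                .get(SAML2Constants.IDP_SESSION_SYNC_ENABLED);
        if (idpEntityID == null || spEntityID == null || idpSessionSyncList == null
                || idpSessionSyncList.size() == 0) {
            continue;
        }
        // Only the first configured value decides; a null element counts as disabled.
        if (SAML2Constants.TRUE.equals(idpSessionSyncList.get(0))) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "IDP Session Synchronization flag "
                        + "is enabled, initiating SLO to SP");
            }
            initiateIDPSingleLogout(sessionIndex, metaAlias, realm, SAML2Constants.SOAP, nameID, spEntityID, paramsMap);
        }
    }
}

/**
 * Removes the user-ID lookup entries of every transient NameID paired with the IDP session.
 *
 * <p>Held under the {@code IDPCache.idpSessionsByIndices} monitor, as the original cleanup was.
 *
 * @param idpSession the cached IDP session whose NameID/SP pairs are walked
 */
private void removeTransientNameIDs(IDPSession idpSession) {
    synchronized (IDPCache.idpSessionsByIndices) {
        List list = (List) idpSession.getNameIDandSPpairs();
        for (Iterator iter = list.iterator(); iter.hasNext(); ) {
            NameIDandSPpair pair = (NameIDandSPpair) iter.next();
            NameID nameID = pair.getNameID();
            if (SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameID.getFormat())) {
                IDPCache.userIDByTransientNameIDValue.remove(nameID.getValue());
            }
        }
    }
}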