
Example 91 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

Class DoManageNameID, method processManageNameIDResponse.

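/**
 * Processes a ManageNameID (MNI) response received over the HTTP-Redirect
 * binding by the hosted entity whose meta alias is encoded in the request URI.
 *
 * <p>The method resolves meta alias, realm and hosted entity ID, checks that
 * the HTTP-Redirect MNI binding is enabled for the host role, decodes the
 * {@code SAMLResponse} parameter, validates {@code RelayState}, verifies the
 * response issuer and, when the hosted entity's metadata requires it, the
 * query-string signature. The decoded response is then handed to
 * {@code checkMNIResponse}; for an SP host a successful termination also
 * notifies the SP adapter via {@code postTerminationSuccess}.
 *
 * @param request the HttpServletRequest carrying the {@code SAMLResponse}
 *        and {@code RelayState} query parameters.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters; the host role is taken from it.
 * @return true if {@code checkMNIResponse} reports success, false otherwise.
 * @throws SAML2Exception if the meta alias cannot be resolved, the binding is
 *         not supported, the response cannot be decoded, the signature is
 *         invalid, or a SessionException occurs while processing.
 */
public static boolean processManageNameIDResponse(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception {
    String method = "processManageNameIDResponse: ";
    boolean success = false;
    String requestURL = request.getRequestURI();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
    // The host role selects whose metadata is consulted for binding support;
    // anything other than IDP_ROLE is treated as the SP side.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: Redirect is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_REDIRECT };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
    String mniResStr = SAML2Utils.decodeFromRedirect(mniRes);
    if (mniResStr == null) {
        logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Host role is : " + hostRole);
        debug.message(method + "Relay state is : " + relayState);
        debug.message(method + "MNI Response : " + mniResStr);
    }
    // Validate the RelayState URL before it can influence any later redirect.
    SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
    ManageNameIDResponse mniResponse = null;
    try {
        mniResponse = pf.createManageNameIDResponse(mniResStr);
        Issuer resIssuer = mniResponse.getIssuer();
        String remoteEntityID = resIssuer.getValue();
        String requestId = mniResponse.getInResponseTo();
        SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
        // With the redirect binding the signature is on the query string, not
        // inside the XML. It is only checked when the hosted entity's metadata
        // says MNI responses must be signed; otherwise the response is accepted
        // on issuer verification alone.
        boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
        if (needToVerify) {
            String queryString = request.getQueryString();
            boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
            if (!valid) {
                logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
            }
        }
        // checkMNIResponse reports the affected user ID back through this buffer.
        StringBuffer mniUserId = new StringBuffer();
        success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, mniUserId);
        if (success && SAML2Constants.SP_ROLE.equals(hostRole)) {
            // invoke SPAdapter for termination success
            postTerminationSuccess(hostEntityID, realm, request, response, mniUserId.toString(), null, mniResponse, SAML2Constants.HTTP_REDIRECT);
        }
    } catch (SessionException e) {
        // Keep the underlying exception in the debug log; the SAML2Exception
        // handed to the caller carries only the localized message.
        debug.error(method + "session error while processing MNI response", e);
        logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Request success : " + success);
    }
    return success;
}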

Example 92 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

Class SPSingleLogout, method initiateLogoutRequest.

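/**
 * Parses the request parameters and initiates the Logout Request to be sent
 * to the IDP.
 *
 * <p>The SP meta alias is taken from {@code paramsMap}, falling back to the
 * session's SP meta alias property (or, for a fedlet, the first hosted SP
 * meta alias). The session's NameID info key string is split on
 * {@code SAML2Constants.SECOND_DELIM} and, for every entry that belongs to
 * this SP, a logout request is prepared through {@code prepareForLogout}.
 * When the session carries no info key only a local logout is performed and
 * the user is sent to the (validated) RelayState or to the default SLO
 * success page.
 *
 * <p>Side effect: {@code SAML2Constants.METAALIAS} is written into the
 * caller's {@code paramsMap}.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param out The print writer for writing out presentation.
 * @param binding binding used for this request.
 * @param paramsMap Map of all other parameters.
 *       Following parameters names with their respective
 *       String values are allowed in this paramsMap.
 *       "RelayState" - the target URL on successful Single Logout
 *       "Destination" - A URI Reference indicating the address to
 *                       which the request has been sent.
 *       "Consent" - Specifies a URI a SAML defined identifier
 *                   known as Consent Identifiers.
 *       "Extension" - Specifies a list of Extensions as list of
 *                   String objects.
 * @param origLogoutRequest original LogoutRequest
 * @param msg SOAPMessage
 * @param newSession Session object for IDP Proxy; when non-null it replaces
 *        the session looked up from the request.
 * @param audit the auditor for logging SAML2 Events - may be null
 * @throws SAML2Exception if the session or the SP meta alias is missing, the
 *         SP entity or metadata cannot be read, or a SessionException occurs.
 */
public static void initiateLogoutRequest(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String binding, Map paramsMap, LogoutRequest origLogoutRequest, SOAPMessage msg, Object newSession, SAML2EventLogger audit) throws SAML2Exception {
    if (debug.messageEnabled()) {
        debug.message("SPSingleLogout:initiateLogoutRequest");
        debug.message("binding : " + binding);
        debug.message("paramsMap : " + paramsMap);
    }
    String metaAlias = (String) paramsMap.get(SAML2Constants.SP_METAALIAS);
    try {
        // A session supplied by the IDP proxy takes precedence over the
        // one attached to the request.
        Object session = (newSession != null) ? newSession : sessionProvider.getSession(request);
        if (null != audit) {
            audit.setSSOTokenId(session);
        }
        // A fedlet may run without a session; any other SP needs one.
        if (!SPCache.isFedlet && session == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSSOToken"));
        }
        if (metaAlias == null) {
            if (!SPCache.isFedlet) {
                String[] values = sessionProvider.getProperty(session, SAML2Constants.SP_METAALIAS);
                if (values != null && values.length > 0) {
                    metaAlias = values[0];
                }
            } else {
                List spMetaAliases = sm.getAllHostedServiceProviderMetaAliases("/");
                if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
                    // get first one
                    metaAlias = (String) spMetaAliases.get(0);
                }
            }
        }
        if (metaAlias == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPMetaAlias"));
        }
        // Exposed to later processing through the caller's map.
        paramsMap.put(SAML2Constants.METAALIAS, metaAlias);
        String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
        debug.message("realm : " + realm);
        String spEntityID = sm.getEntityByMetaAlias(metaAlias);
        if (spEntityID == null) {
            debug.error("Service Provider ID is missing");
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_SP, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
        }
        debug.message("spEntityID : " + spEntityID);
        // clean up session index
        String tokenID = sessionProvider.getSessionID(session);
        String infoKeyString = null;
        if (SPCache.isFedlet) {
            infoKeyString = SAML2Utils.getParameter(paramsMap, SAML2Constants.INFO_KEY);
        } else {
            try {
                String[] values = sessionProvider.getProperty(session, AccountUtils.getNameIDInfoKeyAttribute());
                if (values != null && values.length > 0) {
                    infoKeyString = values[0];
                }
            } catch (SessionException se) {
                debug.error("Unable to get infoKeyString from " + "session.", se);
                throw new SAML2Exception(SAML2Utils.bundle.getString("errorInfoKeyString"));
            }
        }
        if (debug.messageEnabled()) {
            debug.message("tokenID : " + tokenID);
            debug.message("infoKeyString : " + infoKeyString);
        }
        // get SPSSODescriptor
        SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
        if (spsso == null) {
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        List extensionsList = LogoutUtil.getExtensionsList(paramsMap);
        String relayState = SAML2Utils.getParameter(paramsMap, SAML2Constants.RELAY_STATE);
        if (relayState == null || relayState.isEmpty()) {
            relayState = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.DEFAULT_RELAY_STATE);
        }
        // Validate the RelayState URL. This must stay ahead of the
        // sendRedirect(relayState) below: it is the only check between a
        // caller-supplied RelayState and the redirect target.
        SAML2Utils.validateRelayStateURL(realm, spEntityID, relayState, SAML2Constants.SP_ROLE);
        if (infoKeyString == null) {
            // termination case, do local logout only and send to
            // relay state if any
            debug.warning("SPSingleLogout.initiateLogoutRequest : Unable to get infoKeyString from session.");
            sessionProvider.invalidateSession(session, request, response);
            if ((relayState != null) && !relayState.isEmpty()) {
                try {
                    response.sendRedirect(relayState);
                } catch (IOException e) {
                    debug.error("SPSingleLogout.initiateLogoutRequest: " + "Error in send redirect to " + relayState, e);
                }
            } else {
                RequestDispatcher dispatcher = request.getRequestDispatcher("saml2/jsp/default.jsp?message=spSloSuccess");
                try {
                    dispatcher.forward(request, response);
                } catch (IOException e) {
                    debug.error("SPSingleLogout.initiateLogoutRequest: " + "Error in forwarding to default.jsp", e);
                } catch (ServletException e) {
                    debug.error("SPSingleLogout.initiateLogoutRequest: " + "Error in forwarding to default.jsp", e);
                }
            }
            return;
        }
        StringTokenizer st = new StringTokenizer(infoKeyString, SAML2Constants.SECOND_DELIM);
        String requestID = null;
        while (st.hasMoreTokens()) {
            String tmpInfoKeyString = st.nextToken();
            NameIDInfoKey nameIdInfoKey = NameIDInfoKey.parse(tmpInfoKeyString);
            //logout request to the other SP instance, invalidating the session for both SPs.
            if (nameIdInfoKey.getHostEntityID().equals(spEntityID)) {
                requestID = prepareForLogout(realm, tokenID, metaAlias, extensionsList, binding, relayState, request, response, paramsMap, tmpInfoKeyString, origLogoutRequest, msg);
            }
        }
        // IDP Proxy: only the request ID of the last matching entry is kept.
        SOAPMessage soapMsg = (SOAPMessage) IDPCache.SOAPMessageByLogoutRequestID.get(requestID);
        if (soapMsg != null) {
            IDPProxyUtil.sendProxyLogoutResponseBySOAP(soapMsg, response, out);
        }
        // when SAML Response reached the SP side.
        // Constant-first equals keeps a null binding from throwing here.
        if (SAML2Constants.SOAP.equals(binding) || (requestID == null)) {
            sessionProvider.invalidateSession(session, request, response);
        }
    } catch (SAML2MetaException sme) {
        debug.error("Error retreiving metadata", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    } catch (SessionException ssoe) {
        // Reported to the caller under the metaDataError message; the real
        // cause is in the debug log.
        debug.error("Session exception: ", ssoe);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}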

Example 93 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

Class IPRPSignoutRequest, method process.

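/**
 * Processes the sign-out request, returning a response via the
 * HttpServletResponse passed to the constructor.
 *
 * <p>The hosted entity is resolved from the meta alias in the request URI.
 * When a session exists, the IDP recorded in it and every SP recorded in its
 * SP list are turned into {@code wsignout1.0} URLs (keyed to each entity's
 * display name), the SP list property is blanked, and the session is
 * invalidated through {@code MultiProtocolUtils}. The provider list, display
 * name, wreply, realm and entity ID are exposed as request attributes and the
 * request is forwarded to {@code /wsfederation/jsp/logout.jsp}, which drives
 * the per-provider sign-outs.
 *
 * <p>Reads the {@code request}, {@code response} and {@code wreply} fields of
 * the enclosing instance (not shown here).
 *
 * @throws IOException if forwarding to the logout page fails with an I/O error.
 * @throws WSFederationException if the meta alias, realm or entity ID cannot be
 *         resolved, or a ServletException or SessionException occurs while
 *         building the logout page.
 */
public void process() throws IOException, WSFederationException {
    String classMethod = "IPRPSignoutRequest.process: ";
    String metaAlias = WSFederationMetaUtils.getMetaAliasByUri(request.getRequestURI());
    if ((metaAlias == null) || metaAlias.trim().isEmpty()) {
        debug.error(classMethod + "Unable to get meta alias from request");
        throw new WSFederationException(WSFederationUtils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
    if ((realm == null) || realm.trim().isEmpty()) {
        debug.error(classMethod + "Unable to get realm from request");
        throw new WSFederationException(WSFederationUtils.bundle.getString("nullRealm"));
    }
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    // retrieve entity id from meta alias
    String entityId = metaManager.getEntityByMetaAlias(metaAlias);
    if ((entityId == null) || entityId.trim().isEmpty()) {
        debug.error(classMethod + "Unable to get Entity ID from metaAlias" + metaAlias);
        throw new WSFederationException(WSFederationUtils.bundle.getString("nullEntityID"));
    }
    Object session = null;
    try {
        session = WSFederationUtils.sessionProvider.getSession(request);
    } catch (SessionException se) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Session exception" + se.getLocalizedMessage());
        }
        // Don't care too much about session exceptions here - usual cause
        // is trying to log out after the session has expired
    }
    try {
        // Strategy here is to do logouts in parallel via iframes, provide a
        // link to wreply, if any
        BaseConfigType config = metaManager.getBaseConfig(realm, entityId);
        String displayName = WSFederationMetaUtils.getAttribute(config, WSFederationConstants.DISPLAY_NAME);
        if (displayName == null || displayName.isEmpty()) {
            displayName = entityId;
        }
        request.setAttribute(WSFederationConstants.LOGOUT_DISPLAY_NAME, displayName);
        // NOTE(review): wreply is handed to logout.jsp unchanged here; confirm
        // it is validated against the relying party's metadata before this
        // point, since the JSP presumably renders it as a link.
        request.setAttribute(WSFederationConstants.LOGOUT_WREPLY, wreply);
        request.setAttribute(WSFederationConstants.REALM_PARAM, realm);
        request.setAttribute(WSFederationConstants.ENTITYID_PARAM, entityId);
        // Sign-out URL -> display name, in the order the providers were found.
        LinkedHashMap<String, String> providerList = new LinkedHashMap<String, String>();
        if (session != null) {
            String[] idpList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_IDP);
            if (idpList != null && idpList.length > 0 && idpList[0] != null && !idpList[0].isEmpty()) {
                FederationElement fed = metaManager.getEntityDescriptor(realm, idpList[0]);
                String endpoint = metaManager.getTokenIssuerEndpoint(fed);
                String url = endpoint + "?wa=" + WSFederationConstants.WSIGNOUT10;
                config = metaManager.getBaseConfig(realm, idpList[0]);
                displayName = WSFederationMetaUtils.getAttribute(config, WSFederationConstants.DISPLAY_NAME);
                if (displayName == null) {
                    displayName = idpList[0];
                }
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "sending signout to " + url);
                }
                providerList.put(url, displayName);
            }
            String[] spList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_SP_LIST);
            if (spList != null && spList.length > 0 && spList[0] != null && !spList[0].isEmpty()) {
                for (String spEntityId : spList) {
                    // Apply the same guard to every entry as to entry 0: the
                    // list is blanked to { "" } below, so empty values are a
                    // known shape and must not reach the metadata lookup.
                    if (spEntityId == null || spEntityId.isEmpty()) {
                        continue;
                    }
                    config = metaManager.getBaseConfig(realm, spEntityId);
                    displayName = WSFederationMetaUtils.getAttribute(config, WSFederationConstants.DISPLAY_NAME);
                    if (displayName == null) {
                        displayName = spEntityId;
                    }
                    FederationElement fed = metaManager.getEntityDescriptor(realm, spEntityId);
                    String endpoint = metaManager.getTokenIssuerEndpoint(fed);
                    String url = endpoint + "?wa=" + WSFederationConstants.WSIGNOUT10;
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "sending signout to " + url);
                    }
                    providerList.put(url, displayName);
                }
                // Can't remove a session property, so just set it to
                // an empty string
                String[] empty = { "" };
                WSFederationUtils.sessionProvider.setProperty(session, WSFederationConstants.SESSION_SP_LIST, empty);
            }
            if (debug.messageEnabled()) {
                debug.message(classMethod + "destroying session " + session);
            }
            MultiProtocolUtils.invalidateSession(session, request, response, SingleLogoutManager.WS_FED);
        }
        request.setAttribute(WSFederationConstants.LOGOUT_PROVIDER_LIST, providerList);
        request.getRequestDispatcher("/wsfederation/jsp/logout.jsp").forward(request, response);
    } catch (ServletException se) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Servlet exception" + se.getLocalizedMessage());
        }
        throw new WSFederationException(se);
    } catch (SessionException se) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Session exception" + se.getLocalizedMessage());
        }
        throw new WSFederationException(se);
    }
    // Can't pass session, since we just invalidated it!
    String[] data = { wreply };
    LogUtil.access(Level.INFO, LogUtil.SLO_SUCCESSFUL, data, null);
}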

Example 94 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

Class IPSigninRequest, method sendResponse.

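/**
 * Sends <code>RequestSecurityTokenResponse</code> containing an
 * <code>Assertion</code> back to the requesting service provider.
 *
 * <p>Resolves the SP's assertion consumer URL from {@code wreply}, loads the
 * IdP and SP SSO configs, reads the authentication method and instant from
 * the session, maps attributes and NameID through the configured IDP mappers,
 * applies the NotBefore-skew and effective-time overrides from the IdP config,
 * builds a SAML 1.1 token (signed with the IdP's signing cert unless the SP
 * config opts out), records the SP in the session's SP list so single logout
 * can reach it later, and POSTs the response to the ACS URL.
 *
 * <p>Reads the {@code wreply} and {@code wtrealm} fields of the enclosing
 * instance (not shown here).
 *
 * @param session the authenticated user's session object.
 * @param idpEntityId hosted IdP entity ID.
 * @param spEntityId requesting SP entity ID.
 * @param idpMetaAlias hosted IdP meta alias.
 * @param realm realm of the hosted IdP.
 * @throws WSFederationException if no ACS URL, IdP config or SP config is
 *         found, a session property cannot be read, the auth instant or a
 *         numeric config value cannot be parsed, the SP requires a signed
 *         assertion but no signing cert alias is configured, or posting to
 *         the target fails with a ServletException.
 * @throws IOException if posting the response to the ACS URL fails.
 */
private void sendResponse(Object session, String idpEntityId, String spEntityId, String idpMetaAlias, String realm) throws WSFederationException, IOException {
    String classMethod = "IDPSSOFederate.sendResponse: ";
    String acsURL = IDPSSOUtil.getACSurl(spEntityId, realm, wreply);
    if ((acsURL == null) || acsURL.trim().isEmpty()) {
        debug.error(classMethod + "no ACS URL found.");
        String[] data = { realm, spEntityId, wreply };
        LogUtil.error(Level.INFO, LogUtil.NO_ACS_URL, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableTofindACSURL"));
    }
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, idpEntityId);
    if (idpConfig == null) {
        debug.error(classMethod + "cannot find configuration for IdP " + idpEntityId);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, spEntityId);
    if (spConfig == null) {
        debug.error(classMethod + "cannot find configuration for SP " + spEntityId);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindSPConfiguration"));
    }
    String authMethod = null;
    String authSSOInstant = null;
    try {
        // Both properties are expected to carry at least one value; a
        // missing property surfaces as an unchecked exception here.
        authMethod = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_METHOD)[0];
        authSSOInstant = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
    } catch (SessionException se) {
        throw new WSFederationException(se);
    }
    IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
    IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));
    List attributes = attrMapper.getAttributes(session, idpEntityId, spEntityId, realm);
    // Fall back to "now" only when the session carries no auth instant.
    Date authInstant = null;
    if (authSSOInstant == null || authSSOInstant.isEmpty()) {
        authInstant = new Date();
    } else {
        try {
            authInstant = DateUtils.stringToDate(authSSOInstant);
        } catch (ParseException pe) {
            throw new WSFederationException(pe);
        }
    }
    NameIdentifier ni = accountMapper.getNameID(session, realm, idpEntityId, spEntityId);
    int notBeforeSkew = SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT;
    String notBeforeSkewStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE);
    if (notBeforeSkewStr != null) {
        try {
            notBeforeSkew = Integer.parseInt(notBeforeSkewStr);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got not before skew from config:" + notBeforeSkew);
            }
        } catch (NumberFormatException nfe) {
            debug.error(classMethod + "Failed to get not before skew from IDP SSO config: ", nfe);
            throw new WSFederationException(nfe);
        }
    }
    int effectiveTime = SAML2Constants.ASSERTION_EFFECTIVE_TIME;
    String effectiveTimeStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE);
    if (effectiveTimeStr != null) {
        try {
            effectiveTime = Integer.parseInt(effectiveTimeStr);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got effective time from config:" + effectiveTime);
            }
        } catch (NumberFormatException nfe) {
            debug.error(classMethod + "Failed to get assertion effective time from " + "IDP SSO config: ", nfe);
            throw new WSFederationException(nfe);
        }
    }
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions; only an explicit SP setting
    // that does not parse as "true" turns signing off.
    boolean wantAssertionSigned = (strWantAssertionSigned != null) ? Boolean.parseBoolean(strWantAssertionSigned) : true;
    String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
    if (wantAssertionSigned && certAlias == null) {
        // SP wants us to sign the assertion, but we don't have a signing
        // cert
        debug.error(classMethod + "SP wants signed assertion, but no signing cert is " + "configured");
        throw new WSFederationException(WSFederationUtils.bundle.getString("noIdPCertAlias"));
    }
    if (!wantAssertionSigned) {
        // SP doesn't want us to sign the assertion, so pass null certAlias
        // to indicate no assertion signature required
        certAlias = null;
    }
    // generate a response for the authn request
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(new SAML11RequestedSecurityToken(realm, spEntityId, idpEntityId, notBeforeSkew, effectiveTime, certAlias, authMethod, authInstant, ni, attributes), wtrealm);
    try {
        // Add SP to SP list in session so sign-out can reach it later.
        String[] spList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_SP_LIST);
        List<String> newSpList = (spList != null) ? new ArrayList<String>(Arrays.asList(spList)) : new ArrayList<String>();
        if (!newSpList.contains(spEntityId)) {
            newSpList.add(spEntityId);
            WSFederationUtils.sessionProvider.setProperty(session, WSFederationConstants.SESSION_SP_LIST, newSpList.toArray(new String[0]));
        }
    } catch (SessionException e) {
        // Best effort: a failure here only affects later single logout,
        // the response is still sent.
        debug.error(classMethod + "error setting idpMetaAlias into the session: ", e);
    }
    try {
        postToTarget(rstr, acsURL);
    } catch (ServletException se) {
        throw new WSFederationException(se);
    }
}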

Example 95 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

Class UtilProxySAMLAuthenticatorLookup, method retrieveAuthenticationFromCache.

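/**
 * Second visit of the IdP-proxy SSO flow: the user has already authenticated,
 * so the cached AuthnRequest, relay state and matching AuthnContext are
 * pulled out of {@code IDPCache}, the IDP adapter is given a chance to
 * intercept, session-upgrade bookkeeping is done, and the response is sent
 * to the SP's ACS.
 *
 * <p>Ordering matters: the cached request and relay state are first read
 * (without removal) so that {@code preSendResponse} sees them, and only
 * removed from the caches once the adapter lets the flow continue. All
 * state is carried in the {@code data} field of the enclosing instance
 * (together with {@code request}, {@code response} and {@code out}), none of
 * which is shown here.
 *
 * @throws SessionException declared by the interface; not thrown by the
 *         visible body, which handles the session lookup failure itself.
 * @throws ServerFaultException if sending the response to the ACS fails.
 * @throws ClientFaultException declared by the interface; may be raised by
 *         {@code authNotAvailable} or {@code preSendResponse}.
 */
@Override
public void retrieveAuthenticationFromCache() throws SessionException, ServerFaultException, ClientFaultException {
    final String classMethod = "UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: ";
    // the second visit, the user has already authenticated
    // retrieve the cache authn request and relay state
    // We need the session to pass it to the IDP Adapter preSendResponse
    SessionProvider sessionProvider = SessionManager.getProvider();
    try {
        data.setSession(sessionProvider.getSession(request));
        data.getEventAuditor().setSSOTokenId(data.getSession());
    } catch (SessionException se) {
        // Not fatal here: isSessionValid() below decides what a missing
        // session means. Log the exception itself, not only its message.
        SAML2Utils.debug.error("An error occurred while retrieving the session: " + se.getMessage(), se);
        data.setSession(null);
    }
    // Get the cached Authentication Request and Relay State before
    // invoking the IDP Adapter
    CacheObject cacheObj;
    synchronized (IDPCache.authnRequestCache) {
        cacheObj = (CacheObject) IDPCache.authnRequestCache.get(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
    }
    data.setRelayState((String) IDPCache.relayStateCache.get(data.getRequestID()));
    if (!isSessionValid(sessionProvider)) {
        return;
    }
    // Invoke the IDP Adapter after the user has been authenticated
    if (preSendResponse(request, response, data)) {
        return;
    }
    // The adapter let us through: now consume the cache entries for good.
    synchronized (IDPCache.authnRequestCache) {
        cacheObj = (CacheObject) IDPCache.authnRequestCache.remove(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
    }
    synchronized (IDPCache.idpAuthnContextCache) {
        cacheObj = (CacheObject) IDPCache.idpAuthnContextCache.remove(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setMatchingAuthnContext((AuthnContext) cacheObj.getObject());
    }
    data.setRelayState((String) IDPCache.relayStateCache.remove(data.getRequestID()));
    if (data.getAuthnRequest() == null) {
        authNotAvailable();
        return;
    }
    SAML2Utils.debug.message("{} RequestID= {}", classMethod, data.getRequestID());
    boolean isSessionUpgrade = false;
    if (CollectionUtils.isNotEmpty(IDPCache.isSessionUpgradeCache)) {
        isSessionUpgrade = IDPCache.isSessionUpgradeCache.contains(data.getRequestID());
    }
    if (isSessionUpgrade) {
        // Re-key the previous IDP session under the upgraded session's index.
        // NOTE(review): oldSess may be null if the cache entry is gone;
        // whether idpSessionsByIndices tolerates a null value is not visible here.
        IDPSession oldSess = (IDPSession) IDPCache.oldIDPSessionCache.remove(data.getRequestID());
        String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
        if (StringUtils.isNotEmpty(sessionIndex)) {
            IDPCache.idpSessionsByIndices.put(sessionIndex, oldSess);
            final FedMonAgent agent = MonitorManager.getAgent();
            if (agent != null && agent.isRunning()) {
                final FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
                if (saml2Svc != null) {
                    saml2Svc.setIdpSessionCount(IDPCache.idpSessionsByIndices.size());
                }
            }
        }
    }
    if (data.getSession() != null) {
        // call multi-federation protocol to set the protocol
        MultiProtocolUtils.addFederationProtocol(data.getSession(), SingleLogoutManager.SAML2);
    }
    // generate assertion response
    data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
    NameIDPolicy policy = data.getAuthnRequest().getNameIDPolicy();
    String nameIDFormat = (policy == null) ? null : policy.getFormat();
    try {
        IDPSSOUtil.sendResponseToACS(request, response, out, data.getSession(), data.getAuthnRequest(), data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), nameIDFormat, data.getRelayState(), data.getMatchingAuthnContext());
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error(classMethod + "Unable to do sso or federation.", se);
        throw new ServerFaultException(data.getIdpAdapter(), SSO_OR_FEDERATION_ERROR, se.getMessage());
    }
}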
