use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class FSServiceUtils method getLocale.
/**
* Retrieves locale of a http request.
* @param request <code>HttpServletRequest</code> object
* @return locale of the request; or <code>null</code> if locale cannot
* be retrieved.
*/
public static String getLocale(HttpServletRequest request) {
if (request == null) {
FSUtils.debug.error("FSServiceUtil.getLocale: Request param is " + "null, returning null");
return null;
}
try {
SessionProvider sessionProvider = SessionManager.getProvider();
Object ISSSOToken = sessionProvider.getSession(request);
String[] returnStr = sessionProvider.getProperty(ISSSOToken, "Locale");
if ((returnStr != null) && (returnStr.length > 0)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSServiceUtil.getLocale returning locale from token " + returnStr[0]);
}
return returnStr[0];
}
} catch (SessionException ssoe) {
FSUtils.debug.error("FSServiceUtil::getLocale():SessionException:", ssoe);
} catch (UnsupportedOperationException ex) {
FSUtils.debug.error("FSServiceUtil::getLocale():Exception:", ex);
}
Locale locale = request.getLocale();
if (locale != null) {
String returnStr = locale.toString();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSServiceUtil.getLocale returning :locale from request:" + returnStr);
}
return returnStr;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSServiceUtil.getLocale Not able to get " + "locale from request either from token or header. returning " + "null ");
}
return null;
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class FSRegistrationInitiationServlet method getValidToken.
/**
* Retrieves the session from HTTPRequest object.
* @param request HTTP request object
* @return valid session from the request object;
* <code>null</code> otherwise.
*/
private Object getValidToken(HttpServletRequest request) {
FSUtils.debug.message("Entered FSRegistrationInitiationServlet::getValidToken");
try {
SessionProvider sessionProvider = SessionManager.getProvider();
Object ssoToken = sessionProvider.getSession(request);
if ((ssoToken == null) || (!sessionProvider.isValid(ssoToken))) {
FSUtils.debug.error("Session is not valid redirecting for authentication");
return null;
}
return ssoToken;
} catch (SessionException e) {
FSUtils.debug.error("SessionException caught: ", e);
return null;
}
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class DefaultIDPAccountMapper method getNameID.
@Override
public NameID getNameID(Object session, String hostEntityID, String remoteEntityID, String realm, String nameIDFormat) throws SAML2Exception {
String userID;
try {
SessionProvider sessionProv = SessionManager.getProvider();
userID = sessionProv.getPrincipalName(session);
} catch (SessionException se) {
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
String nameIDValue = null;
if (nameIDFormat.equals(SAML2Constants.NAMEID_TRANSIENT_FORMAT)) {
String sessionIndex = IDPSSOUtil.getSessionIndex(session);
if (sessionIndex != null) {
IDPSession idpSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
if (idpSession != null) {
List<NameIDandSPpair> list = idpSession.getNameIDandSPpairs();
if (list != null) {
for (NameIDandSPpair pair : list) {
if (pair.getSPEntityID().equals(remoteEntityID)) {
nameIDValue = pair.getNameID().getValue();
break;
}
}
}
}
}
if (nameIDValue == null) {
nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
if (nameIDValue == null) {
nameIDValue = SAML2Utils.createNameIdentifier();
}
}
} else {
nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
if (nameIDValue == null) {
if (nameIDFormat.equals(SAML2Constants.PERSISTENT)) {
nameIDValue = SAML2Utils.createNameIdentifier();
} else {
throw new SAML2Exception(bundle.getString("unableToGenerateNameIDValue"));
}
}
}
NameID nameID = AssertionFactory.getInstance().createNameID();
nameID.setValue(nameIDValue);
nameID.setFormat(nameIDFormat);
nameID.setNameQualifier(hostEntityID);
nameID.setSPNameQualifier(remoteEntityID);
nameID.setSPProvidedID(null);
return nameID;
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class LibertyManager method getMappedNameIdentifier.
/**
* Returns <code>NameIdentifier</code> between the IDP and
* the other SP for the same principal. This method should
* be used by the code on the hosted SP, where the user
* has logged in, and has an account linking with the IDP.
* Futhermore, the same principal has an account linking
* between his/her other (remote) SP account and the IDP
* account.
*
* @param hostedSPMetaAlias The <code>metaAlias</code> of
* the local service provider.
* @param ssoToken The session token of the logged-
* in user on the local service provider.
* @param remoteSPEntityID The entity ID of the remote
* service provider. In other words, it is the targeted
* name space for the returned name identifier.
* @return <code>NameIdentifier</code> of the same principal
* but original established between the remote SP and
* the IDP
*/
public static NameIdentifier getMappedNameIdentifier(String hostedSPMetaAlias, Object ssoToken, String remoteSPEntityID) {
String classMethod = "LibertyManager.getMappedNameIdentifier: ";
String hostedEntityID = getEntityID(hostedSPMetaAlias);
String realm = IDFFMetaUtils.getRealmByMetaAlias(hostedSPMetaAlias);
if (debug.messageEnabled()) {
debug.message("NameMappingRequester: hostedEntityID=" + hostedEntityID);
}
SPDescriptorType hostedDescriptor = null;
BaseConfigType hostedConfig = null;
try {
hostedDescriptor = metaManager.getSPDescriptor(realm, hostedEntityID);
hostedConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
} catch (IDFFMetaException ie) {
debug.error(classMethod + "couldn't obtain hosted meta:", ie);
return null;
}
String userID = null;
try {
userID = SessionManager.getProvider().getPrincipalName(ssoToken);
} catch (SessionException ssoe) {
debug.error("SessionException caught when trying to " + "get user DN from session token:", ssoe);
return null;
}
if (debug.messageEnabled()) {
debug.message(classMethod + "userID=" + userID);
}
FSNameMappingHandler handler = new FSNameMappingHandler(hostedEntityID, hostedDescriptor, hostedConfig, hostedSPMetaAlias);
NameIdentifier ni = null;
if (debug.messageEnabled()) {
debug.message(classMethod + "targetNamespace (remoteSPEntityID)=" + remoteSPEntityID);
}
FSSessionManager sMgr = FSSessionManager.getInstance(hostedSPMetaAlias);
FSSession sess = null;
if (sMgr != null) {
sess = sMgr.getSession(ssoToken);
}
FSSessionPartner partner = null;
if (sess != null) {
partner = sess.getCurrentSessionPartner();
} else {
debug.error(classMethod + "session is null");
return null;
}
String remoteIDPEntityID = null;
if (partner != null) {
remoteIDPEntityID = partner.getPartner();
}
if (debug.messageEnabled()) {
debug.message(classMethod + "Remote IDP EntityID = " + remoteIDPEntityID);
}
try {
ni = handler.getNameIdentifier(userID, remoteIDPEntityID, true);
} catch (Exception e) {
debug.error(classMethod + "Exception caught when trying to get Name " + "Identifier between local SP and remote IDP: ", e);
return null;
}
if (debug.messageEnabled()) {
debug.message(classMethod + "Name Identifier between local SP and " + " remote IDP: " + ni.toString());
}
FSNameIdentifierMappingRequest mappingRequest = null;
try {
mappingRequest = new FSNameIdentifierMappingRequest(hostedEntityID, ni, remoteSPEntityID);
} catch (com.sun.identity.federation.message.common.FSMsgException fe) {
debug.error(classMethod, fe);
return null;
}
if (FSServiceUtils.isSigningOn()) {
try {
mappingRequest.signXML(IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS));
} catch (SAMLException se) {
debug.error(classMethod, se);
return null;
}
}
IDPDescriptorType remoteProviderDesc = null;
try {
remoteProviderDesc = metaManager.getIDPDescriptor(realm, remoteIDPEntityID);
} catch (IDFFMetaException fme1) {
debug.error(classMethod, fme1);
return null;
}
String remoteSOAPEndPoint = remoteProviderDesc.getSoapEndpoint();
if (debug.messageEnabled()) {
debug.message(classMethod + "IDP's soap end point=" + remoteSOAPEndPoint);
}
FSSOAPService soapService = FSSOAPService.getInstance();
SOAPMessage returnMsg = null;
try {
SOAPMessage msg = soapService.bind(mappingRequest.toXMLString(true, true));
returnMsg = soapService.sendMessage(msg, remoteSOAPEndPoint);
} catch (FSMsgException mex) {
debug.error(classMethod, mex);
return null;
} catch (java.io.IOException ioe) {
debug.error(classMethod, ioe);
return null;
} catch (javax.xml.soap.SOAPException soape) {
debug.error(classMethod, soape);
return null;
}
Element elt = soapService.parseSOAPMessage(returnMsg);
FSNameIdentifierMappingResponse mappingResponse = null;
try {
mappingResponse = new FSNameIdentifierMappingResponse(elt);
} catch (FSMsgException fme2) {
debug.error(classMethod, fme2);
return null;
}
if (debug.messageEnabled()) {
String resStr = null;
try {
resStr = mappingResponse.toXMLString();
} catch (FSMsgException fme3) {
debug.error(classMethod, fme3);
return null;
}
debug.message(classMethod + "NameIdentifierMappingResponse: " + resStr);
}
if (FSServiceUtils.isSigningOn()) {
if (FSNameMappingHandler.verifyNameIdMappingResponseSignature(elt, returnMsg, realm)) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Success in verifying Name Identifier Mapping" + " Response Signature");
}
} else {
debug.error(classMethod + "Failed verifying Name Identifier Mapping " + "Response");
return null;
}
}
return mappingResponse.getNameIdentifier();
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class UtilProxySAMLAuthenticator method authenticate.
@Override
public void authenticate() throws FederatedSSOException, IOException {
final String classMethod = "UtilProxySAMLAuthenticator.authenticate: ";
SPSSODescriptorElement spSSODescriptor = null;
String preferredIDP;
// There is no reqID, this is the first time that we pass here.
String binding = SAML2Constants.HTTP_REDIRECT;
if (request.getMethod().equals("POST")) {
binding = SAML2Constants.HTTP_POST;
}
data.setAuthnRequest(getAuthnRequest(request, isFromECP, binding));
if (data.getAuthnRequest() == null) {
throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
}
data.getEventAuditor().setRequestId(data.getRequestID());
data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
try {
logAccess(isFromECP ? LogUtil.RECEIVED_AUTHN_REQUEST_ECP : LogUtil.RECEIVED_AUTHN_REQUEST, Level.INFO, data.getSpEntityID(), data.getIdpMetaAlias(), data.getAuthnRequest().toXMLString());
} catch (SAML2Exception saml2ex) {
SAML2Utils.debug.error(classMethod, saml2ex);
throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST, saml2ex.getMessage());
}
if (!SAML2Utils.isSourceSiteValid(data.getAuthnRequest().getIssuer(), data.getRealm(), data.getIdpEntityID())) {
SAML2Utils.debug.warning("{} Issuer in Request is not valid.", classMethod);
throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
}
// verify the signature of the query string if applicable
IDPSSODescriptorElement idpSSODescriptor;
try {
idpSSODescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(data.getRealm(), data.getIdpEntityID());
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
}
try {
spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(data.getRealm(), data.getSpEntityID());
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
SAML2Utils.debug.error(classMethod, sme);
}
if (isFromECP || idpSSODescriptor.isWantAuthnRequestsSigned() || (spSSODescriptor != null && spSSODescriptor.isAuthnRequestsSigned())) {
// need to verify the query string containing authnRequest
if (StringUtils.isBlank(data.getSpEntityID())) {
throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
}
if (spSSODescriptor == null) {
SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
}
Set<X509Certificate> certificates = KeyUtil.getVerificationCerts(spSSODescriptor, data.getSpEntityID(), SAML2Constants.SP_ROLE);
try {
boolean isSignatureOK;
if (isFromECP) {
isSignatureOK = data.getAuthnRequest().isSignatureValid(certificates);
} else {
if ("POST".equals(request.getMethod())) {
isSignatureOK = data.getAuthnRequest().isSignatureValid(certificates);
} else {
isSignatureOK = QuerySignatureUtil.verify(request.getQueryString(), certificates);
}
}
if (!isSignatureOK) {
SAML2Utils.debug.error(classMethod + "authn request verification failed.");
throw new ClientFaultException(data.getIdpAdapter(), "invalidSignInRequest");
}
// In ECP profile, sp doesn't know idp.
if (!isFromECP) {
// verify Destination
List ssoServiceList = idpSSODescriptor.getSingleSignOnService();
String ssoURL = SPSSOFederate.getSSOURL(ssoServiceList, binding);
if (!SAML2Utils.verifyDestination(data.getAuthnRequest().getDestination(), ssoURL)) {
SAML2Utils.debug.error(classMethod + "authn request destination verification failed.");
throw new ClientFaultException(data.getIdpAdapter(), "invalidDestination");
}
}
} catch (SAML2Exception se) {
SAML2Utils.debug.error(classMethod + "authn request verification failed.", se);
throw new ClientFaultException(data.getIdpAdapter(), "invalidSignInRequest");
}
SAML2Utils.debug.message("{} authn request signature verification is successful.", classMethod);
}
SAML2Utils.debug.message("{} request id= {}", classMethod, data.getRequestID());
if (data.getRequestID() == null) {
SAML2Utils.debug.error(classMethod + "Request id is null");
throw new ClientFaultException(data.getIdpAdapter(), "InvalidSAMLRequestID");
}
if (isFromECP) {
try {
IDPECPSessionMapper idpECPSessonMapper = IDPSSOUtil.getIDPECPSessionMapper(data.getRealm(), data.getIdpEntityID());
data.setSession(idpECPSessonMapper.getSession(request, response));
} catch (SAML2Exception se) {
SAML2Utils.debug.message("Unable to retrieve user session.", classMethod);
}
} else {
// get the user sso session from the request
try {
data.setSession(SessionManager.getProvider().getSession(request));
} catch (SessionException se) {
SAML2Utils.debug.message("{} Unable to retrieve user session.", classMethod);
}
}
if (null != data.getSession()) {
data.getEventAuditor().setAuthTokenId(data.getSession());
}
// will not trigger this adapter call
if (preSingleSignOn(request, response, data)) {
return;
}
// End of adapter invocation
IDPAuthnContextMapper idpAuthnContextMapper = null;
try {
idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(data.getRealm(), data.getIdpEntityID());
} catch (SAML2Exception sme) {
SAML2Utils.debug.error(classMethod, sme);
}
if (idpAuthnContextMapper == null) {
SAML2Utils.debug.error(classMethod + "Unable to get IDPAuthnContextMapper from meta.");
throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
}
IDPAuthnContextInfo idpAuthnContextInfo = null;
try {
idpAuthnContextInfo = idpAuthnContextMapper.getIDPAuthnContextInfo(data.getAuthnRequest(), data.getIdpEntityID(), data.getRealm());
} catch (SAML2Exception sme) {
SAML2Utils.debug.error(classMethod, sme);
}
if (idpAuthnContextInfo == null) {
SAML2Utils.debug.message("{} Unable to find valid AuthnContext. Sending error Response.", classMethod);
try {
Response res = SAML2Utils.getErrorResponse(data.getAuthnRequest(), SAML2Constants.REQUESTER, SAML2Constants.NO_AUTHN_CONTEXT, null, data.getIdpEntityID());
StringBuffer returnedBinding = new StringBuffer();
String acsURL = IDPSSOUtil.getACSurl(data.getSpEntityID(), data.getRealm(), data.getAuthnRequest(), request, returnedBinding);
String acsBinding = returnedBinding.toString();
IDPSSOUtil.sendResponse(request, response, out, acsBinding, data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), data.getRelayState(), acsURL, res, data.getSession());
} catch (SAML2Exception sme) {
SAML2Utils.debug.error(classMethod, sme);
throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
}
return;
}
// get the relay state query parameter from the request
data.setRelayState(request.getParameter(SAML2Constants.RELAY_STATE));
data.setMatchingAuthnContext(idpAuthnContextInfo.getAuthnContext());
if (data.getSession() == null) {
// the user has not logged in yet, redirect to auth
redirectToAuth(spSSODescriptor, binding, idpAuthnContextInfo, data);
} else {
SAML2Utils.debug.message("{} There is an existing session", classMethod);
// Let's verify that the realm is the same for the user and the IdP
boolean isValidSessionInRealm = IDPSSOUtil.isValidSessionInRealm(data.getRealm(), data.getSession());
String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
boolean sessionUpgrade = false;
if (isValidSessionInRealm) {
sessionUpgrade = isSessionUpgrade(idpAuthnContextInfo, data.getSession());
SAML2Utils.debug.message("{} IDP Session Upgrade is : {}", classMethod, sessionUpgrade);
}
// Holder for any exception encountered while redirecting for authentication:
FederatedSSOException redirectException = null;
if (sessionUpgrade || !isValidSessionInRealm || ((Boolean.TRUE.equals(data.getAuthnRequest().isForceAuthn())) && (!Boolean.TRUE.equals(data.getAuthnRequest().isPassive())))) {
// sessionIndex
if (sessionIndex != null && sessionIndex.length() != 0) {
// Save the original IDP Session
IDPSession oldIDPSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
if (oldIDPSession != null) {
IDPCache.oldIDPSessionCache.put(data.getRequestID(), oldIDPSession);
} else {
SAML2Utils.debug.error(classMethod + "The old SAML2 session was not found in the idp session " + "by indices cache");
}
}
// Save the new requestId and AuthnRequest
IDPCache.authnRequestCache.put(data.getRequestID(), new CacheObject(data.getAuthnRequest()));
// Save the new requestId and AuthnContext
IDPCache.idpAuthnContextCache.put(data.getRequestID(), new CacheObject(data.getMatchingAuthnContext()));
// save if the request was an Session Upgrade case.
IDPCache.isSessionUpgradeCache.add(data.getRequestID());
// authenticates
if (StringUtils.isNotBlank(data.getRelayState())) {
IDPCache.relayStateCache.put(data.getRequestID(), data.getRelayState());
}
// Session upgrade could be requested by asking a greater AuthnContext
if (isValidSessionInRealm) {
try {
boolean isProxy = IDPProxyUtil.isIDPProxyEnabled(data.getAuthnRequest(), data.getRealm());
if (isProxy) {
preferredIDP = IDPProxyUtil.getPreferredIDP(data.getAuthnRequest(), data.getIdpEntityID(), data.getRealm(), request, response);
if (preferredIDP != null) {
if ((SPCache.reqParamHash != null) && (!(SPCache.reqParamHash.containsKey(preferredIDP)))) {
// IDP Proxy with configured proxy list
SAML2Utils.debug.message("{} IDP to be proxied {}", classMethod, preferredIDP);
IDPProxyUtil.sendProxyAuthnRequest(data.getAuthnRequest(), preferredIDP, spSSODescriptor, data.getIdpEntityID(), request, response, data.getRealm(), data.getRelayState(), binding);
return;
} else {
// IDP proxy with introduction cookie
Map paramsMap = (Map) SPCache.reqParamHash.get(preferredIDP);
paramsMap.put("authnReq", data.getAuthnRequest());
paramsMap.put("spSSODescriptor", spSSODescriptor);
paramsMap.put("idpEntityID", data.getIdpEntityID());
paramsMap.put("realm", data.getRealm());
paramsMap.put("relayState", data.getRelayState());
paramsMap.put("binding", binding);
SPCache.reqParamHash.put(preferredIDP, paramsMap);
return;
}
}
}
//else continue for the local authentication.
} catch (SAML2Exception re) {
SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", classMethod, re.getMessage());
redirectException = new ServerFaultException(data.getIdpAdapter(), "UnableToRedirectToPreferredIDP", re.getMessage());
}
// End of IDP Proxy: Initiate proxying when session upgrade is requested
}
// Invoke the IDP Adapter before redirecting to authn
if (preAuthenticationAdapter(request, response, data)) {
return;
}
//we don't have a session
try {
//and they want to authenticate
if (!Boolean.TRUE.equals(data.getAuthnRequest().isPassive())) {
redirectAuthentication(request, response, idpAuthnContextInfo, data, true);
return;
} else {
try {
//and they want to get into the system with passive auth - response no passive
IDPSSOUtil.sendNoPassiveResponse(request, response, out, data.getIdpMetaAlias(), data.getIdpEntityID(), data.getRealm(), data.getAuthnRequest(), data.getRelayState(), data.getSpEntityID());
} catch (SAML2Exception sme) {
SAML2Utils.debug.error(classMethod, sme);
redirectException = new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
}
}
} catch (IOException | SAML2Exception e) {
SAML2Utils.debug.error(classMethod + "Unable to redirect to authentication.", e);
sessionUpgrade = false;
cleanUpCache(data.getRequestID());
redirectException = new ServerFaultException(data.getIdpAdapter(), "UnableToRedirectToAuth", e.getMessage());
}
}
// generate assertion response
if (!sessionUpgrade && isValidSessionInRealm) {
generateAssertionResponse(data);
}
if (redirectException != null) {
throw redirectException;
}
}
}
Aggregations