Search in sources :

Example 61 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

the class SAMLAwareServlet method createArtifact.

/**
     * Creates a list of AssertionArtifact's id.
     *
     * @param sso the user Session object
     * @param target A String representing the target host
     * @param targetUrl A URL String representing the target site
     * @param version The relying party preferred Assertion version number
     * @return a List representing a list of AssertionArtifact's id
     * @throws SAMLException if there is an error.
     */
private List createArtifact(Object sso, String target, HttpServletRequest request, HttpServletResponse response, String targetUrl, String version) throws SAMLException {
    if (sso == null || target == null || target.length() == 0 || version == null || version.length() == 0) {
        throw new SAMLException(SAMLUtils.bundle.getString("createArtifactError"));
    }
    List artifactList = new ArrayList();
    AssertionManager assertManager = AssertionManager.getInstance();
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        AssertionArtifact artifact = assertManager.createAssertionArtifact(sessionProvider.getSessionID(sso), target, request, response, targetUrl, version);
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("AssertionArtifact id = " + artifact.toString());
        }
        String artid = artifact.getAssertionArtifact();
        artifactList.add(artid);
    } catch (SessionException se) {
        SAMLUtils.debug.error("Couldn't get SessionProvider.");
        throw new SAMLException(SAMLUtils.bundle.getString("nullSessionProvider"));
    }
    return artifactList;
}
Also used : AssertionManager(com.sun.identity.saml.AssertionManager) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) ArrayList(java.util.ArrayList) List(java.util.List) SAMLException(com.sun.identity.saml.common.SAMLException) AssertionArtifact(com.sun.identity.saml.protocol.AssertionArtifact) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 62 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

the class SAMLUtils method generateSession.

/**
     * Creates Session 
     * @param request HttpServletRequest
     * @param response HttpServletResponse
     * @param attrMap Attribute Map 
     * @exception if failed to create Session
     */
public static Object generateSession(HttpServletRequest request, HttpServletResponse response, Map attrMap) throws SAMLException {
    Map sessionInfoMap = new HashMap();
    String realm = (String) attrMap.get(SessionProvider.REALM);
    if ((realm == null) || (realm.length() == 0)) {
        realm = "/";
    }
    sessionInfoMap.put(SessionProvider.REALM, realm);
    String principalName = (String) attrMap.get(SessionProvider.PRINCIPAL_NAME);
    if (principalName == null) {
        principalName = (String) attrMap.get(SAMLConstants.USER_NAME);
    }
    sessionInfoMap.put(SessionProvider.PRINCIPAL_NAME, principalName);
    //TODO: sessionInfoMap.put(SessionProvider.AUTH_LEVEL, "0");
    Object session = null;
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        session = sessionProvider.createSession(sessionInfoMap, request, response, null);
        setAttrMapInSession(sessionProvider, attrMap, session);
    } catch (SessionException se) {
        if (debug.messageEnabled()) {
            debug.message("SAMLUtils.generateSession:", se);
        }
        throw new SAMLException(se);
    }
    return session;
}
Also used : HashMap(java.util.HashMap) SessionException(com.sun.identity.plugin.session.SessionException) Map(java.util.Map) HashMap(java.util.HashMap) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 63 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

the class IDPSingleLogout method sendLastResponse.

private static boolean sendLastResponse(IDPSession idpSession, LogoutResponse logoutRes, HttpServletRequest request, HttpServletResponse response, String idpSessionIndex, Object session, String realm, String idpEntityID, String relayState) throws SAML2Exception, SessionException, SAML2MetaException {
    String binding;
    //resetting the binding to the original value so the response is sent back with the correct binding
    binding = idpSession.getOriginatingLogoutRequestBinding();
    String originatingRequestID = idpSession.getOriginatingLogoutRequestID();
    String originatingLogoutSPEntityID = idpSession.getOriginatingLogoutSPEntityID();
    if (originatingRequestID == null) {
        // this is IDP initiated SLO
        if (idpSession.getLogoutAll()) {
            String userID = sessionProvider.getPrincipalName(idpSession.getSession());
            destroyAllTokenForUser(userID, request, response);
        } else {
            IDPCache.idpSessionsByIndices.remove(idpSessionIndex);
            if (agent != null && agent.isRunning() && saml2Svc != null) {
                saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
            }
            try {
                if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                    SAML2FailoverUtils.deleteSAML2Token(idpSessionIndex);
                }
            } catch (SAML2TokenRepositoryException se) {
                debug.error("IDPSingleLogout.sendLastResponse: Error while deleting token from " + "SAML2 Token Repository for idpSessionIndex:" + idpSessionIndex, se);
            }
            IDPCache.authnContextCache.remove(idpSessionIndex);
            if (!MultiProtocolUtils.isMultipleProtocolSession(idpSession.getSession(), SingleLogoutManager.SAML2)) {
                sessionProvider.invalidateSession(idpSession.getSession(), request, response);
            } else {
                MultiProtocolUtils.removeFederationProtocol(idpSession.getSession(), SingleLogoutManager.SAML2);
                // call Multi-Federation protocol SingleLogoutManager
                SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
                Set<Object> set = new HashSet<Object>(1);
                set.add(session);
                SessionProvider provider = SessionManager.getProvider();
                String uid = provider.getPrincipalName(session);
                debug.message("IDPSingleLogout.sendLastResponse: MP/Http");
                int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
                try {
                    retStatus = sloManager.doIDPSingleLogout(set, uid, request, response, false, true, SingleLogoutManager.SAML2, realm, idpEntityID, originatingLogoutSPEntityID, relayState, null, null, getLogoutStatus(logoutRes));
                } catch (SAML2Exception ex) {
                    throw ex;
                } catch (Exception ex) {
                    debug.error("IDPSIngleLogout.sendLastResponse: MP/IDP initiated HTTP", ex);
                    throw new SAML2Exception(ex.getMessage());
                }
                if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                    return true;
                }
            }
        }
        debug.message("IDP initiated SLO Success");
        return false;
    }
    List<SingleLogoutServiceElement> slosList = getSPSLOServiceEndpoints(realm, originatingLogoutSPEntityID);
    String location = LogoutUtil.getSLOResponseServiceLocation(slosList, binding);
    if (location == null || location.isEmpty()) {
        location = LogoutUtil.getSLOServiceLocation(slosList, binding);
        if (location == null || location.length() == 0) {
            debug.error("Unable to find the IDP's single logout response service with the HTTP-Redirect binding");
            throw new SAML2Exception(SAML2Utils.bundle.getString("sloResponseServiceLocationNotfound"));
        } else {
            if (debug.messageEnabled()) {
                debug.message("SP's single logout response service location = " + location);
            }
        }
    } else {
        if (debug.messageEnabled()) {
            debug.message("IDP's single logout response service location = " + location);
        }
    }
    Status status = destroyTokenAndGenerateStatus(idpSessionIndex, idpSession.getSession(), request, response, true);
    //here we are providing null for remote entity, because it's an unused variable in the method...
    logoutRes = LogoutUtil.generateResponse(status, originatingRequestID, SAML2Utils.createIssuer(idpEntityID), realm, SAML2Constants.IDP_ROLE, null);
    if (logoutRes != null) {
        logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
        IDPCache.idpSessionsByIndices.remove(idpSessionIndex);
        if (agent != null && agent.isRunning() && saml2Svc != null) {
            saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
        }
        try {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                SAML2FailoverUtils.deleteSAML2Token(idpSessionIndex);
            }
        } catch (SAML2TokenRepositoryException se) {
            debug.error("IDPSingleLogout.sendLastResponse: Error while deleting token from " + "SAML2 Token Repository for idpSessionIndex:" + idpSessionIndex, se);
        }
        IDPCache.authnContextCache.remove(idpSessionIndex);
        // call multi-federation protocol processing
        // this is the SP initiated HTTP binding case
        boolean isMultiProtocolSession = false;
        int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
        try {
            SessionProvider provider = SessionManager.getProvider();
            session = idpSession.getSession();
            if (session != null && provider.isValid(session) && MultiProtocolUtils.isMultipleProtocolSession(session, SingleLogoutManager.SAML2)) {
                isMultiProtocolSession = true;
                // call Multi-Federation protocol SingleLogoutManager
                SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
                Set set = new HashSet();
                set.add(session);
                String uid = provider.getPrincipalName(session);
                debug.message("IDPSingleLogout.sendLastResponse: MP/Http");
                retStatus = sloManager.doIDPSingleLogout(set, uid, request, response, false, true, SingleLogoutManager.SAML2, realm, idpEntityID, originatingLogoutSPEntityID, relayState, null, logoutRes.toXMLString(), getLogoutStatus(logoutRes));
            }
        } catch (SessionException e) {
            // ignore as session might not be valid
            debug.message("IDPSingleLogout.sendLastResponse: session", e);
        } catch (Exception e) {
            debug.message("IDPSingleLogout.sendLastResponse: MP2", e);
            retStatus = SingleLogoutManager.LOGOUT_FAILED_STATUS;
        }
        if (!isMultiProtocolSession || (retStatus != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS)) {
            logoutRes = updateLogoutResponse(logoutRes, retStatus);
            LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, idpEntityID, SAML2Constants.IDP_ROLE, originatingLogoutSPEntityID, binding);
            return true;
        } else {
            return false;
        }
    }
    IDPCache.idpSessionsByIndices.remove(idpSessionIndex);
    if (agent != null && agent.isRunning() && saml2Svc != null) {
        saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
    }
    try {
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            SAML2FailoverUtils.deleteSAML2Token(idpSessionIndex);
        }
    } catch (SAML2TokenRepositoryException se) {
        debug.error("IDPSingleLogout.sendLastResponse: Error while deleting token from " + "SAML2 Token Repository for idpSessionIndex:" + idpSessionIndex, se);
    }
    IDPCache.authnContextCache.remove(idpSessionIndex);
    return false;
}
Also used : Status(com.sun.identity.saml2.protocol.Status) HashSet(java.util.HashSet) Set(java.util.Set) SessionException(com.sun.identity.plugin.session.SessionException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SingleLogoutManager(com.sun.identity.multiprotocol.SingleLogoutManager) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SingleLogoutServiceElement(com.sun.identity.saml2.jaxb.metadata.SingleLogoutServiceElement) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) HashSet(java.util.HashSet) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 64 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

the class IDPSessionListener method sessionInvalidated.

/**
     *  Callback for SessionListener.
     *  It is used for cleaning up the IDP session cache.
     *  
     *  @param session The session object
     */
public void sessionInvalidated(Object session) {
    String classMethod = "IDPSessionListener.sessionInvalidated: ";
    HashMap paramsMap = new HashMap();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Entering ...");
    }
    if (session == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Session is null.");
        }
        return;
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        String[] values = sessionProvider.getProperty(session, SAML2Constants.IDP_SESSION_INDEX);
        if (values == null || values.length == 0) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "No sessionIndex stored in session.");
            }
            return;
        }
        String sessionIndex = values[0];
        if (sessionIndex == null || sessionIndex.length() == 0) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "No sessionIndex stored in session.");
            }
            return;
        }
        IDPSession idpSession = (IDPSession) IDPCache.idpSessionsByIndices.get(sessionIndex);
        if (idpSession != null) {
            paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
            String metaAlias = idpSession.getMetaAlias();
            String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
            String idpEntityID = sm.getEntityByMetaAlias(metaAlias);
            try {
                List list = (List) idpSession.getNameIDandSPpairs();
                for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                    NameIDandSPpair pair = (NameIDandSPpair) iter.next();
                    String spEntityID = pair.getSPEntityID();
                    NameID nameID = pair.getNameID();
                    BaseConfigType idpConfig = sm.getIDPSSOConfig(realm, idpEntityID);
                    if (idpConfig != null) {
                        List idpSessionSyncList = (List) SAML2MetaUtils.getAttributes(idpConfig).get(SAML2Constants.IDP_SESSION_SYNC_ENABLED);
                        if ((idpEntityID != null && spEntityID != null && idpSessionSyncList != null && idpSessionSyncList.size() != 0)) {
                            boolean idpSessionSyncEnabled = ((String) idpSessionSyncList.get(0)).equals(SAML2Constants.TRUE) ? true : false;
                            // Sync flag is enabled
                            if (idpSessionSyncEnabled) {
                                if (SAML2Utils.debug.messageEnabled()) {
                                    SAML2Utils.debug.message(classMethod + "IDP Session Synchronization flag " + "is enabled, initiating SLO to SP");
                                }
                                initiateIDPSingleLogout(sessionIndex, metaAlias, realm, SAML2Constants.SOAP, nameID, spEntityID, paramsMap);
                            }
                        }
                    } else {
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message(classMethod + "Unable to retrieve the IDP " + "config data, idpConfig is null");
                        }
                    }
                }
            } catch (SAML2MetaException sme) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", sme);
            } catch (SAML2Exception se) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", se);
            } catch (SessionException s) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", s);
            }
            synchronized (IDPCache.idpSessionsByIndices) {
                List list = (List) idpSession.getNameIDandSPpairs();
                for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                    NameIDandSPpair pair = (NameIDandSPpair) iter.next();
                    NameID nameID = pair.getNameID();
                    if (SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameID.getFormat())) {
                        IDPCache.userIDByTransientNameIDValue.remove(nameID.getValue());
                    }
                }
            }
        } else {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "IDP Session with session index " + sessionIndex + " already removed.");
            }
        }
        IDPCache.idpSessionsByIndices.remove(sessionIndex);
        IDPCache.authnContextCache.remove(sessionIndex);
        String sessID = sessionProvider.getSessionID(session);
        if (IDPCache.idpSessionsBySessionID.get(sessID) != null) {
            IDPCache.idpSessionsBySessionID.remove(sessID);
            if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
                saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsBySessionID.size());
            }
        }
        if (IDPCache.spSessionPartnerBySessionID.get(sessID) != null) {
            IDPCache.spSessionPartnerBySessionID.remove(sessID);
        }
        // This failing should not cause the whole process to fail
        try {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
            }
        } catch (SAML2TokenRepositoryException se) {
            SAML2Utils.debug.error(classMethod + "SAML2 Token Repository error, sessionIndex:" + sessionIndex, se);
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "cleaned up the IDP session cache for a session expiring or being destroyed: sessionIndex=" + sessionIndex);
        }
    } catch (SessionException e) {
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "invalid or expired session.", e);
        }
    } catch (SAML2MetaException samlme) {
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "unable to retrieve idp entity id.", samlme);
        }
    }
}
Also used : HashMap(java.util.HashMap) NameID(com.sun.identity.saml2.assertion.NameID) SessionException(com.sun.identity.plugin.session.SessionException) BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Iterator(java.util.Iterator) List(java.util.List) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 65 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

the class WSFederationService method getAssertion.

/**
     * Returns the cached SAML Assertion for a given user session. The user's
     * SAML Assertion here is retrieved through respective SP or the IDP Cache.
     * Currently only the SP stores the Assertion in the cache.
     * @param token the user's session.
     * @param entityID the entityID
     * @param entityRole the entity role for e.g. RP or IP
     * @return the SAML Assertion xml string
     * @return null if there is a failure.
     */
@GET
@Produces("application/xml")
public String getAssertion(@QueryParam("token") String token, @QueryParam("entityID") String entityID, @QueryParam("entityRole") String entityRole) {
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        Object session = sessionProvider.getSession(token);
        if (!sessionProvider.isValid(session)) {
            if (WSFederationUtils.debug.warningEnabled()) {
                WSFederationUtils.debug.warning("WSFederationService." + "getAssertion: invalid session");
            }
            return null;
        }
        String[] assertionID = sessionProvider.getProperty(session, "AssertionID");
        if (assertionID.length == 0) {
            if (WSFederationUtils.debug.warningEnabled()) {
                WSFederationUtils.debug.warning("WSFederationService." + "getAssertion: assertionID is null");
            }
        }
        if (entityRole == null || entityRole.equals(RP)) {
            return (String) SPCache.assertionByIDCache.get(assertionID[0]);
        } else {
            // TODO: handle IP case later depending on the use case.
            return null;
        }
    } catch (SessionException se) {
        WSFederationUtils.debug.warning("WSFederationService." + "getAssertion: session exception", se);
        return null;
    }
}
Also used : SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET)

Aggregations

SessionProvider (com.sun.identity.plugin.session.SessionProvider)66 SessionException (com.sun.identity.plugin.session.SessionException)61 SAMLException (com.sun.identity.saml.common.SAMLException)22 List (java.util.List)15 IOException (java.io.IOException)14 FSException (com.sun.identity.federation.common.FSException)13 HashMap (java.util.HashMap)12 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)11 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)10 Set (java.util.Set)10 FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)9 FSSession (com.sun.identity.federation.services.FSSession)9 FSSessionManager (com.sun.identity.federation.services.FSSessionManager)9 ArrayList (java.util.ArrayList)9 Iterator (java.util.Iterator)8 Map (java.util.Map)8 FSAccountFedInfo (com.sun.identity.federation.accountmgmt.FSAccountFedInfo)6 Assertion (com.sun.identity.saml.assertion.Assertion)6 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)6 HashSet (java.util.HashSet)6