use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.
the class LibSecurityTokenProvider method initialize.
/**
* Initializes the <code>LibSecurityTokenProvider</code>.
*
* @param credential The credential of the caller used to see if
* access to this security token provider is allowed
* @param sigManager XMLSignatureManager instance of XML digital
* signature manager class, used for accessing the certificate
* datastore and digital signing of the assertion.
* @throws SecurityTokenException if the caller does not have
* privilege to access the security authority manager
*/
public void initialize(Object credential, XMLSignatureManager sigManager) throws SecurityTokenException {
// check null for signature manager
debug.message("LibSecurityTokenProvider.initialize");
if (sigManager == null) {
debug.error("AMP: nulll signature manager");
throw new SecurityTokenException(bundle.getString("nullXMLSigManager"));
}
keystore = sigManager.getKeyProvider();
// check valid Session
try {
ssoToken = credential;
SessionProvider provider = SessionManager.getProvider();
if (!provider.isValid(ssoToken)) {
throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
}
String[] tmp = provider.getProperty(ssoToken, SessionProvider.AUTH_METHOD);
if ((tmp != null) && (tmp.length != 0)) {
authType = tmp[0];
}
tmp = provider.getProperty(ssoToken, SessionProvider.AUTH_INSTANT);
if ((tmp != null) && (tmp.length != 0)) {
authTime = tmp[0];
}
} catch (SessionException e) {
debug.error("AMP: invalid SSO Token", e);
throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
}
//
// TODO : privilege checking for the ssoToken, how??
// maybe a relation between the principal of the SSO and the
// certificate? super admin shall be allowed without checking
// still TBD
//
this.sigManager = sigManager;
}
use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.
the class IDPSingleLogout method processLogoutRequest.
/**
* Gets and processes the Single <code>LogoutRequest</code> from SP
* and return <code>LogoutResponse</code>.
*
* @param logoutReq <code>LogoutRequest</code> from SP
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param binding name of binding will be used for request processing.
* @param relayState the relay state.
* @param idpEntityID name of host entity ID.
* @param realm name of host entity.
* @param isVerified true if the request is verified already.
* @return LogoutResponse the target URL on successful
* <code>LogoutRequest</code>.
* @throws SAML2Exception if error processing
* <code>LogoutRequest</code>.
*/
public static LogoutResponse processLogoutRequest(LogoutRequest logoutReq, HttpServletRequest request, HttpServletResponse response, String binding, String relayState, String idpEntityID, String realm, boolean isVerified) throws SAML2Exception {
Status status = null;
String spEntity = logoutReq.getIssuer().getValue();
Object session = null;
String tmpStr = request.getParameter("isLBReq");
boolean isLBReq = (tmpStr == null || !tmpStr.equals("false"));
try {
do {
String requestId = logoutReq.getID();
SAML2Utils.verifyRequestIssuer(realm, idpEntityID, logoutReq.getIssuer(), requestId);
List siList = logoutReq.getSessionIndex();
if (siList == null) {
debug.error("IDPSingleLogout.processLogoutRequest: " + "session index are null in logout request");
status = SAML2Utils.generateStatus(SAML2Constants.REQUESTER, "");
break;
}
int numSI = siList.size();
// TODO : handle list of session index
Iterator siIter = siList.iterator();
String sessionIndex = null;
if (siIter.hasNext()) {
sessionIndex = (String) siIter.next();
}
if (debug.messageEnabled()) {
debug.message("IDPLogoutUtil.processLogoutRequest: " + "idpEntityID=" + idpEntityID + ", sessionIndex=" + sessionIndex);
}
if (sessionIndex == null) {
// this case won't happen
// according to the spec: SP has to send at least
// one sessionIndex, could be multiple (TODO: need
// to handle that above; but when IDP sends out
// logout request, it could omit sessionIndex list,
// which means all sessions on SP side, so SP side
// needs to care about this case
debug.error("IDPLogoutUtil.processLogoutRequest: " + "No session index in logout request");
status = SAML2Utils.generateStatus(SAML2Constants.REQUESTER, "");
break;
}
String remoteServiceURL = null;
if (isLBReq) {
// server id is the last two digit of the session index
String serverId = sessionIndex.substring(sessionIndex.length() - 2);
if (debug.messageEnabled()) {
debug.message("IDPSingleLogout.processLogoutRequest: " + "sessionIndex=" + sessionIndex + ", id=" + serverId);
}
// find out remote serice URL based on server id
remoteServiceURL = SAML2Utils.getRemoteServiceURL(serverId);
}
IDPSession idpSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
if (idpSession == null && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// Read from SAML2 Token Repository
IDPSessionCopy idpSessionCopy = null;
try {
idpSessionCopy = (IDPSessionCopy) SAML2FailoverUtils.retrieveSAML2Token(sessionIndex);
} catch (SAML2TokenRepositoryException se) {
debug.error("IDPSingleLogout.processLogoutRequest: Error while deleting token from " + "SAML2 Token Repository for sessionIndex:" + sessionIndex, se);
}
// Copy back to IDPSession
if (idpSessionCopy != null) {
idpSession = new IDPSession(idpSessionCopy);
} else {
SAML2Utils.debug.error("IDPSessionCopy is NULL!!!");
}
}
if (idpSession == null) {
// peer then we have to route the request.
if (remoteServiceURL != null) {
boolean peerError = false;
String remoteLogoutURL = remoteServiceURL + SAML2Utils.removeDeployUri(request.getRequestURI());
String queryString = request.getQueryString();
if (queryString == null) {
remoteLogoutURL = remoteLogoutURL + "?isLBReq=false";
} else {
remoteLogoutURL = remoteLogoutURL + "?" + queryString + "&isLBReq=false";
}
LogoutResponse logoutRes = LogoutUtil.forwardToRemoteServer(logoutReq, remoteLogoutURL);
if ((logoutRes != null) && !isNameNotFound(logoutRes)) {
if ((isSuccess(logoutRes)) && (numSI > 0)) {
siList = LogoutUtil.getSessionIndex(logoutRes);
if (siList == null || siList.isEmpty()) {
peerError = false;
break;
}
}
} else {
peerError = true;
}
if (peerError || (siList != null && siList.size() > 0)) {
status = PARTIAL_LOGOUT_STATUS;
break;
} else {
status = SUCCESS_STATUS;
break;
}
} else {
debug.error("IDPLogoutUtil.processLogoutRequest: " + "IDP no longer has this session index " + sessionIndex);
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, SAML2Utils.bundle.getString("invalidSessionIndex"));
break;
}
} else {
// signature.
if (!isVerified && !LogoutUtil.verifySLORequest(logoutReq, realm, logoutReq.getIssuer().getValue(), idpEntityID, SAML2Constants.IDP_ROLE)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
}
}
session = idpSession.getSession();
// handle external application logout if configured
BaseConfigType idpConfig = SAML2Utils.getSAML2MetaManager().getIDPSSOConfig(realm, idpEntityID);
List appLogoutURL = (List) SAML2MetaUtils.getAttributes(idpConfig).get(SAML2Constants.APP_LOGOUT_URL);
if (debug.messageEnabled()) {
debug.message("IDPLogoutUtil.processLogoutRequest: " + "external app logout URL= " + appLogoutURL);
}
if ((appLogoutURL != null) && (appLogoutURL.size() != 0)) {
SAML2Utils.postToAppLogout(request, (String) appLogoutURL.get(0), session);
}
List<NameIDandSPpair> list = idpSession.getNameIDandSPpairs();
int n = list.size();
if (debug.messageEnabled()) {
debug.message("IDPLogoutUtil.processLogoutRequest: " + "NameIDandSPpair for " + sessionIndex + " is " + list + ", size=" + n);
}
NameIDandSPpair pair = null;
// remove sending SP from the list
String spIssuer = logoutReq.getIssuer().getValue();
for (int i = 0; i < n; i++) {
pair = list.get(i);
if (pair.getSPEntityID().equals(spIssuer)) {
list.remove(i);
removeTransientNameIDFromCache(pair.getNameID());
break;
}
}
List partners = idpSession.getSessionPartners();
boolean cleanUp = true;
if (partners != null && !partners.isEmpty()) {
cleanUp = false;
}
n = list.size();
if (n == 0) {
// this is the case where there is no other
// session participant
status = destroyTokenAndGenerateStatus(sessionIndex, idpSession.getSession(), request, response, cleanUp);
if (cleanUp) {
IDPCache.idpSessionsByIndices.remove(sessionIndex);
if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
} catch (SAML2TokenRepositoryException se) {
debug.error("IDPSingleLogout.processLogoutRequest: Error while deleting token from " + "SAML2 Token Repository for sessionIndex:" + sessionIndex, se);
}
}
IDPCache.authnContextCache.remove(sessionIndex);
}
break;
}
//We should save the originally used request binding to make sure the response is sent back using the
//correct binding.
idpSession.setOriginatingLogoutRequestBinding(binding);
// there are other SPs to be logged out
if (binding.equals(SAML2Constants.HTTP_REDIRECT) || binding.equals(SAML2Constants.HTTP_POST)) {
idpSession.setOriginatingLogoutRequestID(logoutReq.getID());
idpSession.setOriginatingLogoutSPEntityID(logoutReq.getIssuer().getValue());
}
int soapFailCount = 0;
for (int i = 0; i < n; i++) {
pair = list.remove(0);
removeTransientNameIDFromCache(pair.getNameID());
String spEntityID = pair.getSPEntityID();
if (debug.messageEnabled()) {
debug.message("IDPSingleLogout.processLogoutRequest: SP for " + sessionIndex + " is " + spEntityID);
}
List<SingleLogoutServiceElement> slosList = getSPSLOServiceEndpoints(realm, spEntityID);
// get IDP entity config in case of SOAP,for basic auth info
SPSSOConfigElement spConfig = null;
spConfig = SAML2Utils.getSAML2MetaManager().getSPSSOConfig(realm, spEntityID);
String uri = request.getRequestURI();
String metaAlias = SAML2MetaUtils.getMetaAliasByUri(uri);
HashMap paramsMap = new HashMap();
paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
StringBuffer requestID = null;
SingleLogoutServiceElement logoutEndpoint = LogoutUtil.getMostAppropriateSLOServiceLocation(slosList, idpSession.getOriginatingLogoutRequestBinding());
if (logoutEndpoint == null) {
continue;
}
try {
requestID = LogoutUtil.doLogout(metaAlias, spEntityID, null, logoutEndpoint, relayState, sessionIndex, pair.getNameID(), request, response, paramsMap, spConfig);
} catch (SAML2Exception ex) {
if (logoutEndpoint.getBinding().equals(SAML2Constants.SOAP)) {
debug.error("IDPSingleLogout.initiateLogoutRequest:", ex);
soapFailCount++;
continue;
} else {
throw ex;
}
}
String bindingUsed = logoutEndpoint.getBinding();
if (bindingUsed.equals(SAML2Constants.HTTP_REDIRECT) || bindingUsed.equals(SAML2Constants.HTTP_POST)) {
String requestIDStr = requestID.toString();
if (requestIDStr != null && requestIDStr.length() != 0) {
idpSession.setPendingLogoutRequestID(requestIDStr);
}
return null;
}
}
if (soapFailCount == n) {
throw new SAML2Exception(SAML2Utils.bundle.getString("sloFailed"));
} else if (soapFailCount > 0) {
throw new SAML2Exception(SAML2Utils.bundle.getString("partialLogout"));
}
spEntity = idpSession.getOriginatingLogoutSPEntityID();
if (binding.equals(SAML2Constants.HTTP_REDIRECT) || binding.equals(SAML2Constants.HTTP_POST)) {
sendLastResponse(idpSession, null, request, response, sessionIndex, session, realm, idpEntityID, relayState);
return null;
} else {
// binding is SOAP, generate logout response
// and send to initiating SP
status = destroyTokenAndGenerateStatus(sessionIndex, idpSession.getSession(), request, response, true);
if (cleanUp) {
IDPCache.idpSessionsByIndices.remove(sessionIndex);
if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
} catch (SAML2TokenRepositoryException se) {
debug.error("IDPSingleLogout.processLogoutRequest: Error while deleting token from " + "SAML2 Token Repository for sessionIndex:" + sessionIndex, se);
}
}
IDPCache.authnContextCache.remove(sessionIndex);
}
}
} while (false);
} catch (SessionException ssoe) {
debug.error("IDPSingleLogout.processLogoutRequest: unable to get meta for ", ssoe);
status = SAML2Utils.generateStatus(idpEntityID, ssoe.toString());
} catch (SAML2Exception e) {
// show throw exception
e.printStackTrace();
SAML2Utils.debug.error("DB ERROR!!!");
}
// process multi-federation protocol
boolean isMultiProtocol = false;
try {
SessionProvider provider = SessionManager.getProvider();
if ((session != null) && (provider.isValid(session)) && MultiProtocolUtils.isMultipleProtocolSession(session, SingleLogoutManager.SAML2)) {
isMultiProtocol = true;
}
} catch (SessionException ex) {
//ignore
}
//here we are providing null for remote entity, because it's an unused variable in the method...
LogoutResponse logRes = LogoutUtil.generateResponse(status, logoutReq.getID(), SAML2Utils.createIssuer(idpEntityID), realm, SAML2Constants.IDP_ROLE, null);
if (!isMultiProtocol) {
return logRes;
} else {
try {
Set set = new HashSet();
set.add(session);
String sessUser = SessionManager.getProvider().getPrincipalName(session);
boolean isSOAPInitiated = binding.equals(SAML2Constants.SOAP);
SingleLogoutServiceElement endpoint = getLogoutResponseEndpoint(realm, spEntity, binding);
String location = getResponseLocation(endpoint);
logRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
debug.message("IDPSingleLogout.processLogReq : call MP");
int retStat = SingleLogoutManager.getInstance().doIDPSingleLogout(set, sessUser, request, response, isSOAPInitiated, false, SingleLogoutManager.SAML2, realm, idpEntityID, spEntity, relayState, logoutReq.toXMLString(true, true), logRes.toXMLString(true, true), SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS);
if (retStat != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
logRes = updateLogoutResponse(logRes, retStat);
return logRes;
} else {
return null;
}
} catch (SessionException ex) {
debug.error("IDPSingleLogout.ProcessLogoutRequest: SP " + "initiated SOAP logout", ex);
throw new SAML2Exception(ex.getMessage());
} catch (Exception ex) {
debug.error("IDPSingleLogout.ProcessLogoutRequest: SP " + "initiated SOAP logout (MP)", ex);
throw new SAML2Exception(ex.getMessage());
}
}
}
use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.
the class FSPostLogin method setTokenListenerAndSessionInfo.
/**
* Sets the Session Listener and session information.
*
* @param request the <code>HttpServletRequest</code> object.
* @param metaAlias the provider alias string.
*/
private void setTokenListenerAndSessionInfo(HttpServletRequest request, String metaAlias) {
Object ssoToken = null;
String sessionID = null;
String userID = null;
try {
SessionProvider sessionProvider = SessionManager.getProvider();
ssoToken = sessionProvider.getSession(request);
sessionID = sessionProvider.getSessionID(ssoToken);
userID = sessionProvider.getPrincipalName(ssoToken);
sessionProvider.addListener(ssoToken, new FSTokenListener(metaAlias));
} catch (SessionException ssoExp) {
FSUtils.debug.error("FSPostLogin::setTokenListenerAndSessionInfo " + "Failed during trying to add token Listener:", ssoExp);
return;
}
FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
FSSession session = sessionManager.getSession(userID, sessionID);
if (session == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSPostLogin::setTokenListenerAndSessionInfo. " + "No existing session found for user " + userID + " And SessionID: " + sessionID + " Creating a new Session");
}
FSSession newSession = new FSSession(sessionID);
sessionManager.addSession(userID, newSession);
}
}
use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.
the class FSUtils method forwardRequest.
/**
* Forwards or redirects to a new URL. This method will do forwarding
* if the target url is in the same web deployment URI as current web
* apps. Otherwise will do redirecting.
* @param request HttpServletRequest
* @param response HttpServletResponse
* @param url the target URL to be forwarded to redirected.
*/
public static void forwardRequest(HttpServletRequest request, HttpServletResponse response, String url) {
FSUtils.debug.message("FSUtils.forwardRequest: called");
String newUrl = null;
try {
SessionProvider sessionProvider = SessionManager.getProvider();
Object token = sessionProvider.getSession(request);
if ((token != null) && (sessionProvider.isValid(token))) {
newUrl = sessionProvider.rewriteURL(token, url);
}
} catch (Exception se) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSUtils.forwardReqeust: couldn't rewrite url: " + se.getMessage());
}
newUrl = null;
}
if (newUrl == null) {
newUrl = url;
}
try {
//get source host and port
String sourceHost = request.getServerName();
int sourcePort = request.getServerPort();
FSUtils.debug.message("FSUtils.forwardRequest: " + "SourceHost=" + sourceHost + " SourcePort=" + sourcePort);
//get target host and port
URL target = new URL(newUrl);
String targetHost = target.getHost();
int targetPort = target.getPort();
FSUtils.debug.message("FSUtils.forwardRequest: targetHost=" + targetHost + " targetPort=" + targetPort);
/**
* IBM websphere is not able to handle forwards with long urls.
*/
boolean isWebSphere = false;
String container = SystemConfigurationUtil.getProperty(Constants.IDENTITY_WEB_CONTAINER);
if (container != null && (container.indexOf("IBM") != -1)) {
isWebSphere = true;
}
int index = newUrl.indexOf(deploymentURI + "/");
if (!(sourceHost.equals(targetHost)) || !(sourcePort == targetPort) || !(index > 0) || isWebSphere) {
FSUtils.debug.message("FSUtils.forwardRequest: Source and " + "Target are not on the same container." + "Redirecting to target");
response.sendRedirect(newUrl);
return;
} else {
String resource = newUrl.substring(index + deploymentURI.length());
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSUtils.forwardRequest: Forwarding to :" + resource);
}
RequestDispatcher dispatcher = request.getRequestDispatcher(resource);
try {
dispatcher.forward(request, response);
} catch (Exception e) {
FSUtils.debug.error("FSUtils.forwardRequest: Exception " + "occured while trying to forward to resource:" + resource, e);
}
}
} catch (Exception ex) {
FSUtils.debug.error("FSUtils.forwardRequest: Exception occured", ex);
}
}
use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.
the class SAML2SDKUtils method getDiscoveryBootStrapCredentials.
/**
* Gets the Discovery bootstrap credentials.
* After a single sign-on with an Identity Provider, a service
* provider may get Discovery bootstrap resource offerings and credentials
* through a SAML assertion. This APIs helps in retrieving the credentials
* if the user has been authenticated through the SAML2 SSO. It will
* need to have a valid single sign on token (generated through the
* SAML2 SSO).
*
* @param request <code>HttpServletRequest</code> associated with a user
* session.
* @return <code>List</code> of <code>SecurityAssertions</code>,
* null if there is any failure or if there is not one
*/
public static List getDiscoveryBootStrapCredentials(HttpServletRequest request) {
if (request == null) {
if (debug.messageEnabled()) {
debug.message("SAML2Utils.getDiscoveryBootStrapCredentials: " + " null Input params");
}
return null;
}
try {
SessionProvider sessionProvider = SessionManager.getProvider();
Object session = sessionProvider.getSession(request);
String[] credentials = sessionProvider.getProperty(session, SAML2Constants.DISCOVERY_BOOTSTRAP_CREDENTIALS);
if ((credentials == null) || (credentials.length == 0)) {
return null;
}
List securityAssertions = new ArrayList();
for (int i = 0; i < credentials.length; i++) {
SecurityAssertion securityAssertion = new SecurityAssertion(XMLUtils.toDOMDocument(credentials[i], debug).getDocumentElement());
securityAssertions.add(securityAssertion);
}
return securityAssertions;
} catch (Exception ex) {
debug.error("SAML2Utils.getDiscoveryBootStrapCredentials: ", ex);
return null;
}
}
Aggregations