use of com.sun.identity.saml.assertion.AssertionIDReference in project OpenAM by OpenRock.
the class FSAssertionManager method createFSAssertion.
/**
* Creates an assertion artifact.
* @param id session ID
* @param artifact assertion artifact
* @param realm the realm under which the entity resides.
* @param spEntityID service provider's entity ID
* @param spHandle service provider issued <code>NameIdentifier</code>
* @param idpHandle identity provider issued <code>NameIdentifier</code>
* @param inResponseTo value to InResponseTo attribute. It's the request ID.
* @param assertionMinorVersion minor version the assertion should use
* @exception FSException,SAMLException if error occurrs
*/
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
// check input
if ((id == null) || (spEntityID == null)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
}
throw new FSException("nullInput", null);
}
String destID = spEntityID;
String authMethod = null;
String authnContextStatementRef = null;
String authnContextClassRef = null;
Date authInstant = null;
String securityDomain = null;
Object token = null;
String univId = null;
SubjectLocality authLocality = null;
FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
Map attributes = new HashMap();
if (metaManager != null) {
BaseConfigType idpConfig = null;
try {
idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
} catch (IDFFMetaException e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
}
idpConfig = null;
}
if (idpConfig != null) {
attributes = IDFFMetaUtils.getAttributes(idpConfig);
}
}
try {
SessionProvider sessionProvider = SessionManager.getProvider();
token = sessionProvider.getSession(id);
String[] strAuthInst = null;
try {
strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
} catch (UnsupportedOperationException ue) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
}
} catch (SessionException se) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
}
}
if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
try {
authInstant = DateUtils.stringToDate(strAuthInst[0]);
} catch (ParseException ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
}
}
} else {
authInstant = new java.util.Date();
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
}
try {
String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
authMethod = strAuthMethod[0];
}
} catch (UnsupportedOperationException ue) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
}
} catch (SessionException se) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
}
}
String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
if (assertionIssuer == null) {
assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
}
try {
String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
authLocality = new SubjectLocality(ipAddress, assertionIssuer);
} catch (UnknownHostException uhe) {
FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
}
try {
FSSession session = sessionManager.getSession(token);
authnContextClassRef = session.getAuthnContext();
authnContextStatementRef = authnContextClassRef;
} catch (Exception ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
}
authnContextStatementRef = null;
}
if (authnContextStatementRef != null) {
if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
authMethod = IFSConstants.AC_XML_NS;
} else {
authMethod = IFSConstants.AC_12_XML_NS;
}
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
}
univId = sessionProvider.getPrincipalName(token);
securityDomain = hostEntityId;
} catch (Exception e) {
FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
throw new FSException("alliance_manager_no_local_descriptor", null, e);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
}
SubjectConfirmation subConfirmation = null;
String artString = null;
if (artifact != null) {
artString = artifact.getAssertionArtifact();
if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
} else {
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
}
subConfirmation.setSubjectConfirmationData(artString);
} else {
// set to bearer for POST profile
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
}
IDPProvidedNameIdentifier idpNi = null;
if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
} else {
idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
}
FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
authnContext.setMinorVersion(assertionMinorVersion);
FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
FSSession session = sessionManager.getSession(univId, id);
if (session == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
}
return null;
}
String sessionIndex = session.getSessionIndex();
if (sessionIndex == null) {
sessionIndex = SAMLUtils.generateID();
session.setSessionIndex(sessionIndex);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
}
statement.setSessionIndex(sessionIndex);
//setReauthenticateOnOrAfter date
Date issueInstant = new Date();
// get this period from the config
FSUtils.debug.message("here before date");
Date notAfter;
if (artifact != null) {
notAfter = new Date(issueInstant.getTime() + artifactTimeout);
} else {
notAfter = new Date(issueInstant.getTime() + assertionTimeout);
}
FSUtils.debug.message("here after date");
statement.setReauthenticateOnOrAfter(notAfter);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
}
Conditions cond = new Conditions(null, notAfter);
if ((destID != null) && (destID.length() != 0)) {
List targets = new ArrayList();
targets.add(destID);
cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
}
/**
* This is added to create an attribute statement for the bootstrap
* information.
*/
AttributeStatement attribStatement = null;
Advice advice = null;
String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
try {
FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
attribStatement = bootStrap.getBootStrapStatement();
if (bootStrap.hasCredentials()) {
advice = bootStrap.getCredentials();
}
} catch (Exception e) {
FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
}
}
AssertionIDReference aID = new AssertionIDReference();
Set statements = new HashSet();
statements.add(statement);
if (attribStatement != null) {
statements.add(attribStatement);
}
String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
try {
Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
List attribStatements = null;
if (pluginClass instanceof FSRealmAttributePlugin) {
FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
} else if (pluginClass instanceof FSAttributePlugin) {
FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
}
if ((attribStatements != null) && (attribStatements.size() != 0)) {
Iterator iter = attribStatements.iterator();
while (iter.hasNext()) {
statements.add((AttributeStatement) iter.next());
}
}
} catch (Exception ex) {
FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
}
}
if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
statements.add(autoFedStatement);
}
FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
assertion.setMinorVersion(assertionMinorVersion);
assertion.setID(aID.getAssertionIDReference());
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
}
String aIDString = assertion.getAssertionID();
Entry entry = new Entry(assertion, destID, artString, token);
Integer maxNumber = null;
try {
int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
maxNumber = new Integer(temp);
} catch (Exception ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
}
maxNumber = null;
}
if (maxNumber == null) {
maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
}
int maxValue = maxNumber.intValue();
if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
throw new FSException("errorCreateAssertion", null);
}
Object oldEntry = null;
try {
synchronized (idEntryMap) {
oldEntry = idEntryMap.put(aIDString, entry);
}
if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
idffSvc.setAssertions((long) idEntryMap.size());
}
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
}
throw new FSException("errorCreateAssertion", null);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { assertion.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
} else {
String[] data = { assertion.getAssertionID() };
LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
}
if (artString != null) {
try {
synchronized (artIdMap) {
oldEntry = artIdMap.put(artString, aIDString);
}
if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
idffSvc.setArtifacts((long) artIdMap.size());
}
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
}
throw new FSException("errorCreateArtifact", null);
}
if (oldEntry != null) {
artifactTimeoutRunnable.removeElement(aIDString);
}
artifactTimeoutRunnable.addElement(aIDString);
} else {
if (oldEntry != null) {
assertionTimeoutRunnable.removeElement(aIDString);
}
assertionTimeoutRunnable.addElement(aIDString);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
}
return assertion;
}
use of com.sun.identity.saml.assertion.AssertionIDReference in project OpenAM by OpenRock.
the class CDCServlet method createAssertion.
private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
debug.message("Entering CDCServlet.createAssertion Method");
if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
debug.message("CDCServlet,createAssertion: null input");
throw new FSException(FSUtils.bundle.getString("nullInput"));
}
String securityDomain = sourceID;
NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
NameIdentifier spHandle = idpHandle;
String authMethod = authType;
Date authInstant = convertAuthInstanceToDate(strAuthInst);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
}
SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
AuthnContext authnContextStmt = new AuthnContext(null, null);
FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContextStmt);
//setReauthenticateOnOrAfter date
Date issueInstant = new Date();
// get this period from the config
Integer assertionTimeout = new Integer(IFSConstants.ASSERTION_TIMEOUT_DEFAULT);
long period = (assertionTimeout.intValue()) * 1000;
if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
}
Date notAfter = new Date(issueInstant.getTime() + period);
statement.setReauthenticateOnOrAfter(notAfter);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
}
Conditions cond = new Conditions(issueInstant, notAfter);
if ((destID != null) && (destID.length() != 0)) {
List targets = new ArrayList(1);
targets.add(destID);
cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
}
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
}
AssertionIDReference aID = new AssertionIDReference();
Set statements = new HashSet(2);
statements.add(statement);
FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
assertion.setID(aID.getAssertionIDReference());
String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
}
return assertion;
}
use of com.sun.identity.saml.assertion.AssertionIDReference in project OpenAM by OpenRock.
the class Request method parseContents.
/**
* Checks the contents of the Request and set the class members accordingly.
*
* Used by this class only.
* @param contents A List that contains the contents of the request.
* it could be a query, 1 or more <code>AssertionIDReference</code>,
* or 1 or more <code>AssertionArtifact</code>.
* @exception SAMLException when an error occurs during the process.
*/
private void parseContents(List contents) throws SAMLException {
// check contents and set the contentType appropriately
int length = 0;
int i = 0;
if ((contents == null) || ((length = contents.size()) == 0)) {
SAMLUtils.debug.message("Request: empty content.");
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
for (i = 0; i < length; i++) {
Object temp = contents.get(i);
if (temp instanceof AuthenticationQuery) {
// make sure this is the first one on the list
if ((contentType != NOT_SUPPORTED) || // and make sure there is no other elements on the list
(i != (length - 1))) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request: should contain only" + " one AuthenticationQuery.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = AUTHENTICATION_QUERY;
query = (AuthenticationQuery) temp;
} else if (temp instanceof AuthorizationDecisionQuery) {
// make sure this is the first one on the list
if ((contentType != NOT_SUPPORTED) || // and make sure there is no other elements on the list
(i != (length - 1))) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request: should contain only" + " one AuthorizationDecisionQuery.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = AUTHORIZATION_DECISION_QUERY;
query = (AuthorizationDecisionQuery) temp;
} else if (temp instanceof AttributeQuery) {
// make sure this is the first one on the list
if ((contentType != NOT_SUPPORTED) || // and make sure there is no other elements on the list
(i != (length - 1))) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request: should contain only" + " one AttributeQuery.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = ATTRIBUTE_QUERY;
query = (AttributeQuery) temp;
} else if (temp instanceof AssertionIDReference) {
// the previously assigned elements are not AssertionIDReference
if ((contentType != NOT_SUPPORTED) && (contentType != ASSERTION_ID_REFERENCE)) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request: should contain" + " one or more AssertionIDReference.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = ASSERTION_ID_REFERENCE;
if (assertionIDRefs == Collections.EMPTY_LIST) {
assertionIDRefs = new ArrayList();
}
assertionIDRefs.add((AssertionIDReference) temp);
} else if (temp instanceof AssertionArtifact) {
// previously assigned elements are not AssertionArtifact:
if ((contentType != NOT_SUPPORTED) && (contentType != ASSERTION_ARTIFACT)) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request: should contain " + " one or more AssertionArtifact.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = ASSERTION_ARTIFACT;
if (artifacts == Collections.EMPTY_LIST) {
artifacts = new ArrayList();
}
artifacts.add((AssertionArtifact) temp);
} else {
// everything else
SAMLUtils.debug.message("Request: wrong input.");
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
}
}
use of com.sun.identity.saml.assertion.AssertionIDReference in project OpenAM by OpenRock.
the class AssertionManagerImpl method getAssertionByIdRefToken.
public String getAssertionByIdRefToken(String idref, String ssoToken) throws SAMLException {
checkInitialization();
Object token = null;
try {
SessionProvider sessionProvider = SessionManager.getProvider();
token = sessionProvider.getSession(ssoToken);
} catch (SessionException ssoe) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("AssertionManagerImpl:getAssertionByIdRefToken: " + ssoe);
}
throw (new SAMLException(ssoe.getMessage()));
}
Assertion a = assertionManager.getAssertion(new AssertionIDReference(idref), token);
return (a.toString(true, true));
}
use of com.sun.identity.saml.assertion.AssertionIDReference in project OpenAM by OpenRock.
the class AssertionManagerImpl method getAssertionByIdRef2.
public String getAssertionByIdRef2(String idref, String destID) throws SAMLException {
checkInitialization();
Assertion a = assertionManager.getAssertion(new AssertionIDReference(idref), SAMLUtils.byteArrayToString(Base64.decode(destID)));
return (a.toString(true, true));
}
Aggregations