Example 6 with AttributeStatement
use of com.sun.identity.saml.assertion.AttributeStatement in project OpenAM by OpenRock.
the class SAML11RequestedSecurityToken method getAttributes.
/**
* @return a list of attributes of type
* <code>com.sun.identity.saml.assertion.Attribute</code>
*/
public List getAttributes() {
AttributeStatement attributeStatement = null;
Iterator stmtIter = assertion.getStatement().iterator();
while (stmtIter.hasNext()) {
Statement statement = (Statement) stmtIter.next();
if (statement.getStatementType() == Statement.ATTRIBUTE_STATEMENT) {
attributeStatement = (AttributeStatement) statement;
break;
}
}
if (attributeStatement == null) {
return null;
}
return attributeStatement.getAttribute();
}
Also used :
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
SubjectStatement(com.sun.identity.saml.assertion.SubjectStatement)
Statement(com.sun.identity.saml.assertion.Statement)
AuthenticationStatement(com.sun.identity.saml.assertion.AuthenticationStatement)
Iterator(java.util.Iterator)
Example 7 with AttributeStatement
use of com.sun.identity.saml.assertion.AttributeStatement in project OpenAM by OpenRock.
the class FSAttributeStatementHelper method getAutoFedAttributeStatement.
/**
* Gets a SAML <code>AttributeStatement</code> by using an
* <code>AutoFederate</code> attribute that is configured in Local Provider.
* @param realm The realm under which the entity resides.
* @param entityID Host Provider's entity ID.
* @param sub Liberty Subject.
* @param ssoToken session of the user
* @return Generated Auto Federate Attribute Statement.
* @exception FSException if an error occurred
*/
public static AttributeStatement getAutoFedAttributeStatement(String realm, String entityID, FSSubject sub, Object ssoToken) throws FSException {
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
BaseConfigType hostConfig = null;
try {
if (metaManager != null) {
hostConfig = metaManager.getIDPDescriptorConfig(realm, entityID);
}
} catch (IDFFMetaException fae) {
FSUtils.debug.error("FSAttributeStatementHelper.getAutoFed" + "AttributeStatement: IDFFMetaException ", fae);
throw new FSException(fae);
}
String autoFedAttr = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.AUTO_FEDERATION_ATTRIBUTE);
if (autoFedAttr == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAttributeStatementHelper.getAutoFed:" + "AttributeStatement: AutoFederate Attribute is null");
}
return null;
}
List values = new ArrayList();
try {
String userID = SessionManager.getProvider().getPrincipalName(ssoToken);
DataStoreProvider provider = DataStoreProviderManager.getInstance().getDataStoreProvider(IFSConstants.IDFF);
Set vals = provider.getAttribute(userID, autoFedAttr);
Iterator iter = vals.iterator();
while (iter.hasNext()) {
values.add(getAttributeValue((String) iter.next()));
}
} catch (SessionException se) {
FSUtils.debug.error("FSAttributeStatementHelper.getAutoFed" + "AttributeStatement: SessionException ", se);
throw new FSException(se);
} catch (DataStoreProviderException ie) {
FSUtils.debug.error("FSAttributeStatementHelper.getAutoFed" + "AttributeStatement: DataStoreProviderException ", ie);
throw new FSException(ie);
}
if (values == null || values.size() == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAtributeStatementHelper.getAuto:" + "FedAttributeStatement. No values for autofed attribute");
}
return null;
}
try {
Attribute attribute = new Attribute(IFSConstants.AUTO_FED_ATTR, IFSConstants.assertionSAMLNameSpaceURI, values);
List attributeList = new ArrayList();
attributeList.add(attribute);
return new AttributeStatement(sub, attributeList);
} catch (SAMLException ex) {
FSUtils.debug.error("FSAttributeStatementHelper.getAutoFed" + "AttributeStatement: SAMLException ", ex);
throw new FSException(ex);
}
}
Also used :
DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException)
Set(java.util.Set)
Attribute(com.sun.identity.saml.assertion.Attribute)
IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException)
DataStoreProvider(com.sun.identity.plugin.datastore.DataStoreProvider)
ArrayList(java.util.ArrayList)
SessionException(com.sun.identity.plugin.session.SessionException)
SAMLException(com.sun.identity.saml.common.SAMLException)
BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)
IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
FSException(com.sun.identity.federation.common.FSException)
Iterator(java.util.Iterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
Example 8 with AttributeStatement
use of com.sun.identity.saml.assertion.AttributeStatement in project OpenAM by OpenRock.
the class FSAssertionArtifactHandler method validateAssertions.
protected Subject validateAssertions(List assertions) {
FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
// loop to check assertions
FSSubject subject = null;
Iterator iter = assertions.iterator();
FSAssertion assertion = null;
String aIDString = null;
String issuer = null;
Iterator stmtIter = null;
Statement statement = null;
int stmtType = Statement.NOT_SUPPORTED;
SubjectConfirmation subConf = null;
Set confMethods = null;
String confMethod = null;
Date date = null;
long time = System.currentTimeMillis() + 180000;
while (iter.hasNext()) {
assertion = (FSAssertion) iter.next();
if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion does not correspond to any valid request");
return null;
}
if (FSServiceUtils.isSigningOn()) {
if (!verifyAssertionSignature(assertion)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion signature verification failed");
return null;
}
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Assertion signature verified");
}
aIDString = assertion.getAssertionID();
// make sure it's not being used
if (idTimeMap.containsKey(aIDString)) {
FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
return null;
}
// check issuer of the assertions
issuer = assertion.getIssuer();
try {
if (idpEntityId != null) {
if (!idpEntityId.equals(issuer)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not the entity where " + "AuthnRequest was sent originally.");
return null;
}
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is: " + issuer);
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
if (idpDesc == null) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " Assertion issuer is not on the trust list");
return null;
}
setProviderDescriptor(idpDesc);
setProviderEntityId(issuer);
}
} catch (Exception ex) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not on the trust list");
return null;
}
// must be valid(timewise)
if (!assertion.isTimeValid()) {
FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " Assertion's time is not valid.");
return null;
}
// TODO: IssuerInstant of the assertion is within a few minutes
// This is a MAY in spec. Which number to use for the few minutes?
// if present, target of the assertions must == local server IP
Conditions conds = assertion.getConditions();
if (!forThisServer(conds)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "assertion is not issued for this site.");
return null;
}
//for each assertion, loop to check each statement
boolean authnStatementFound = false;
if (assertion.getStatement() != null) {
stmtIter = assertion.getStatement().iterator();
while (stmtIter.hasNext()) {
statement = (Statement) stmtIter.next();
stmtType = statement.getStatementType();
if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
authnStatementFound = true;
try {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "validating AuthenticationStatement:" + authStatement.toXMLString());
}
} catch (FSException e) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Exception. " + "Invalid AuthenticationStatement: ", e);
return null;
}
//check ReauthenticateOnOrAfter
reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
//process SessionIndex
idpSessionIndex = authStatement.getSessionIndex();
authnContextStmt = authStatement.getAuthnContext();
subject = (FSSubject) authStatement.getSubject();
if (subject == null) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Subject is null");
return null;
} else {
try {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "found Authentication Statement. " + "Subject = " + subject.toXMLString());
}
} catch (FSException e) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + " Exception. Invalid subject: ", e);
continue;
}
}
//bearer
if (((subConf = subject.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "missing or extra ConfirmationMethod.");
return null;
}
if (((confMethod = (String) confMethods.iterator().next()) == null) || !((confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)) || (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) || (confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)))) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: wrong " + "ConfirmationMethod");
return null;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Confirmation method: " + confMethod);
}
} else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
AttributeStatement attrStatement = (AttributeStatement) statement;
if (!checkForAttributeStatement(attrStatement)) {
attrStatements.add(attrStatement);
}
}
}
}
if (!authnStatementFound) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "No Authentication statement found in the Assertion. " + "User is not authenticated by the IDP");
}
return null;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Adding " + aIDString + " to idTimeMap.");
}
// add the assertion to idTimeMap
if ((date = conds.getNotOnorAfter()) != null) {
cGoThrough.addElement(aIDString);
idTimeMap.put(aIDString, new Long(date.getTime()));
} else {
cPeriodic.addElement(aIDString);
// it doesn't matter what we store for the value.
idTimeMap.put(aIDString, aIDString);
}
securityAssertions = assertion.getDiscoveryCredential();
}
if (subject == null) {
FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " couldn't find Subject.");
return null;
}
return subject;
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
FSSubject(com.sun.identity.federation.message.FSSubject)
FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement)
Statement(com.sun.identity.saml.assertion.Statement)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement)
Date(java.util.Date)
SessionException(com.sun.identity.plugin.session.SessionException)
IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException)
FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
SAMLException(com.sun.identity.saml.common.SAMLException)
FSException(com.sun.identity.federation.common.FSException)
IOException(java.io.IOException)
Conditions(com.sun.identity.saml.assertion.Conditions)
IDPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType)
SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation)
IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
FSAssertion(com.sun.identity.federation.message.FSAssertion)
Iterator(java.util.Iterator)
FSException(com.sun.identity.federation.common.FSException)
Example 9 with AttributeStatement
use of com.sun.identity.saml.assertion.AttributeStatement in project OpenAM by OpenRock.
the class SAMLUtils method addEnvParamsFromAssertion.
/**
* Returns attributes included in <code>AttributeStatement</code> of the
* assertion.
* @param envParameters return map which includes name value pairs of
* attributes included in <code>AttributeStatement</code> of the assertion
* @param assertion an <code>Assertion</code> object which contains
* <code>AttributeStatement</code>
* @param subject the <code>Subject</code> instance from
* <code>AuthenticationStatement</code>. The <code>Subject</code>
* included in <code>AttributeStatement</code> must match this
* <code>Subject</code> instance.
*/
public static void addEnvParamsFromAssertion(Map envParameters, Assertion assertion, com.sun.identity.saml.assertion.Subject subject) {
Set statements = assertion.getStatement();
Statement statement = null;
Iterator stmtIter = null;
List attrs = null;
Iterator attrIter = null;
Attribute attribute = null;
Element attrValue = null;
List attrValues = null;
String attrName = null;
String attrValueString = null;
if ((statements != null) && (!statements.isEmpty())) {
stmtIter = statements.iterator();
while (stmtIter.hasNext()) {
statement = (Statement) stmtIter.next();
if (statement.getStatementType() == Statement.ATTRIBUTE_STATEMENT) {
// check for subject
if (!subject.equals(((AttributeStatement) statement).getSubject())) {
continue;
}
attrs = ((AttributeStatement) statement).getAttribute();
attrIter = attrs.iterator();
while (attrIter.hasNext()) {
attribute = (Attribute) attrIter.next();
try {
attrValues = attribute.getAttributeValue();
} catch (Exception e) {
debug.error("SAMLUtils.addEnvParamsFromAssertion:" + " cannot obtain attribute value:", e);
continue;
}
attrName = attribute.getAttributeName();
List attrValueList = null;
for (Iterator avIter = attrValues.iterator(); avIter.hasNext(); ) {
attrValue = (Element) avIter.next();
if (!XMLUtils.hasElementChild(attrValue)) {
attrValueString = XMLUtils.getElementValue(attrValue);
if (attrValueList == null) {
attrValueList = new ArrayList();
}
attrValueList.add(attrValueString);
}
}
if (attrValueList != null) {
if (debug.messageEnabled()) {
debug.message("SAMLUtils.addEnvParamsFromAssertion:" + " attrName = " + attrName + " attrValue = " + attrValueList);
}
String[] attrValueStrs = (String[]) attrValueList.toArray(new String[attrValueList.size()]);
try {
envParameters.put(attrName, attrValueStrs);
} catch (Exception ex) {
if (debug.messageEnabled()) {
debug.message("SAMLUtils.addEnvParamsFromAssertion:", ex);
}
}
} else if (debug.messageEnabled()) {
if (debug.messageEnabled()) {
debug.message("SAMLUtils.addEnvParamsFromAssertion:" + " attrName = " + attrName + " has no value");
}
}
}
}
// if it's an attribute statement
}
}
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
Attribute(com.sun.identity.saml.assertion.Attribute)
Statement(com.sun.identity.saml.assertion.Statement)
AuthenticationStatement(com.sun.identity.saml.assertion.AuthenticationStatement)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
SubjectStatement(com.sun.identity.saml.assertion.SubjectStatement)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
CharacterIterator(java.text.CharacterIterator)
Iterator(java.util.Iterator)
StringCharacterIterator(java.text.StringCharacterIterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
ArrayList(java.util.ArrayList)
ServletException(javax.servlet.ServletException)
SystemConfigurationException(com.sun.identity.common.SystemConfigurationException)
SessionException(com.sun.identity.plugin.session.SessionException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
MalformedURLException(java.net.MalformedURLException)
IOException(java.io.IOException)
Example 10 with AttributeStatement
use of com.sun.identity.saml.assertion.AttributeStatement in project OpenAM by OpenRock.
the class FSAssertion method toXMLString.
/**
* Returns a <code>XML</code> String representation of this object.
*
* @param includeNS determines whether or not the namespace qualifier is
* prepended to the Element when converted
* @param declareNS determines whether or not the namespace is declared
* within the Element.
* @return a string containing the valid <code>XML</code> for this object.
* @throws FSMsgException if there is an error creating
* the <code>XML</code> string.
*/
public java.lang.String toXMLString(boolean includeNS, boolean declareNS) throws FSMsgException {
StringBuffer xml = new StringBuffer(3000);
String NS = "";
String appendNS = "";
String libNS = "";
String libAppendNS = "";
String uriXSI = "";
if (declareNS) {
NS = sc.assertionDeclareStr;
if (minorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || minorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
libNS = IFSConstants.LIB_12_NAMESPACE_STRING;
} else {
libNS = IFSConstants.LIB_NAMESPACE_STRING;
}
uriXSI = IFSConstants.XSI_NAMESPACE_STRING;
}
if (includeNS) {
appendNS = SAMLConstants.ASSERTION_PREFIX;
libAppendNS = IFSConstants.LIB_PREFIX;
}
String dateStr = null;
if (getIssueInstant() != null) {
dateStr = DateUtils.toUTCDateFormat(getIssueInstant());
}
xml.append(IFSConstants.LEFT_ANGLE).append(appendNS).append(IFSConstants.ASSERTION).append(IFSConstants.SPACE).append(NS).append(IFSConstants.SPACE).append(uriXSI).append(IFSConstants.SPACE).append(libNS).append(IFSConstants.SPACE);
if (minorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION && id != null && !(id.length() == 0)) {
xml.append(IFSConstants.SPACE).append(IFSConstants.ID).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(id).append(IFSConstants.QUOTE).append(IFSConstants.SPACE);
}
xml.append(IFSConstants.MAJOR_VERSION).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(getMajorVersion()).append(IFSConstants.QUOTE).append(IFSConstants.SPACE).append(IFSConstants.MINOR_VERSION).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(minorVersion).append(IFSConstants.QUOTE).append(IFSConstants.SPACE).append(IFSConstants.ASSERTION_ID).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(getAssertionID()).append(IFSConstants.QUOTE).append(IFSConstants.SPACE).append(IFSConstants.ISSUER).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(getIssuer()).append(IFSConstants.QUOTE).append(IFSConstants.SPACE).append(IFSConstants.ISSUE_INSTANT).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(dateStr).append(IFSConstants.QUOTE).append(IFSConstants.SPACE).append(IFSConstants.IN_RESPONSE_TO).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(inResponseTo).append(IFSConstants.QUOTE).append(IFSConstants.SPACE).append(IFSConstants.XSI_TYPE).append(IFSConstants.EQUAL_TO).append(IFSConstants.QUOTE).append(libAppendNS).append(IFSConstants.ASSERTION_TYPE).append(IFSConstants.QUOTE).append(IFSConstants.RIGHT_ANGLE).append(sc.NL);
if (getConditions() != null) {
xml.append(getConditions().toString(includeNS, false));
}
if (getAdvice() != null) {
xml.append(getAdvice().toString(includeNS, false));
}
Iterator i = getStatement().iterator();
while (i.hasNext()) {
Statement st = (Statement) i.next();
if (st instanceof FSAuthenticationStatement) {
xml.append(((FSAuthenticationStatement) st).toXMLString(includeNS, false));
} else if (st instanceof AttributeStatement) {
xml.append(((AttributeStatement) st).toString(includeNS, false));
}
}
if (signed) {
if (signatureString != null) {
xml.append(signatureString);
} else if (signature != null) {
signatureString = XMLUtils.print(signature);
xml.append(signatureString);
}
}
xml.append(IFSConstants.START_END_ELEMENT).append(appendNS).append(IFSConstants.ASSERTION).append(IFSConstants.RIGHT_ANGLE).append(IFSConstants.NL);
return xml.toString();
}
Also used :
AuthorizationDecisionStatement(com.sun.identity.saml.assertion.AuthorizationDecisionStatement)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
Statement(com.sun.identity.saml.assertion.Statement)
AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement)
Iterator(java.util.Iterator)
Aggregations
AttributeStatement (com.sun.identity.saml.assertion.AttributeStatement)12
Iterator (java.util.Iterator)10
SAMLException (com.sun.identity.saml.common.SAMLException)9
List (java.util.List)8
IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)7
IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)7
SessionException (com.sun.identity.plugin.session.SessionException)6
Attribute (com.sun.identity.saml.assertion.Attribute)6
ArrayList (java.util.ArrayList)6
Map (java.util.Map)5
Set (java.util.Set)5
Statement (com.sun.identity.saml.assertion.Statement)4
HashSet (java.util.HashSet)4
FSException (com.sun.identity.federation.common.FSException)3
AuthenticationStatement (com.sun.identity.saml.assertion.AuthenticationStatement)3
Conditions (com.sun.identity.saml.assertion.Conditions)3
SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)3
Date (java.util.Date)3
HashMap (java.util.HashMap)3
BaseConfigType (com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)2
