use of com.sun.identity.saml.assertion.AudienceRestrictionCondition in project OpenAM by OpenRock.
the class FSAssertionManager method createFSAssertion.
* Creates an assertion artifact.
* @param id session ID
* @param artifact assertion artifact
* @param realm the realm under which the entity resides.
* @param spEntityID service provider's entity ID
* @param spHandle service provider issued <code>NameIdentifier</code>
* @param idpHandle identity provider issued <code>NameIdentifier</code>
* @param inResponseTo value to InResponseTo attribute. It's the request ID.
* @param assertionMinorVersion minor version the assertion should use
* @exception FSException,SAMLException if error occurrs
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
// check input
if ((id == null) || (spEntityID == null)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
throw new FSException("nullInput", null);
String destID = spEntityID;
String authMethod = null;
String authnContextStatementRef = null;
String authnContextClassRef = null;
Date authInstant = null;
String securityDomain = null;
Object token = null;
String univId = null;
SubjectLocality authLocality = null;
FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
Map attributes = new HashMap();
if (metaManager != null) {
BaseConfigType idpConfig = null;
try {
idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
} catch (IDFFMetaException e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
idpConfig = null;
if (idpConfig != null) {
attributes = IDFFMetaUtils.getAttributes(idpConfig);
try {
SessionProvider sessionProvider = SessionManager.getProvider();
token = sessionProvider.getSession(id);
String[] strAuthInst = null;
try {
strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
} catch (UnsupportedOperationException ue) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
} catch (SessionException se) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
try {
authInstant = DateUtils.stringToDate(strAuthInst[0]);
} catch (ParseException ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
} else {
authInstant = new java.util.Date();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
try {
String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
authMethod = strAuthMethod[0];
} catch (UnsupportedOperationException ue) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
} catch (SessionException se) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
if (assertionIssuer == null) {
assertionIssuer = SystemConfigurationUtil.getProperty("");
try {
String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
authLocality = new SubjectLocality(ipAddress, assertionIssuer);
} catch (UnknownHostException uhe) {
FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
try {
FSSession session = sessionManager.getSession(token);
authnContextClassRef = session.getAuthnContext();
authnContextStatementRef = authnContextClassRef;
} catch (Exception ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
authnContextStatementRef = null;
if (authnContextStatementRef != null) {
if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
authMethod = IFSConstants.AC_XML_NS;
} else {
authMethod = IFSConstants.AC_12_XML_NS;
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
univId = sessionProvider.getPrincipalName(token);
securityDomain = hostEntityId;
} catch (Exception e) {
FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
throw new FSException("alliance_manager_no_local_descriptor", null, e);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
SubjectConfirmation subConfirmation = null;
String artString = null;
if (artifact != null) {
artString = artifact.getAssertionArtifact();
if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
} else {
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
} else {
// set to bearer for POST profile
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
IDPProvidedNameIdentifier idpNi = null;
if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
} else {
idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
FSSession session = sessionManager.getSession(univId, id);
if (session == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
return null;
String sessionIndex = session.getSessionIndex();
if (sessionIndex == null) {
sessionIndex = SAMLUtils.generateID();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
//setReauthenticateOnOrAfter date
Date issueInstant = new Date();
// get this period from the config
FSUtils.debug.message("here before date");
Date notAfter;
if (artifact != null) {
notAfter = new Date(issueInstant.getTime() + artifactTimeout);
} else {
notAfter = new Date(issueInstant.getTime() + assertionTimeout);
FSUtils.debug.message("here after date");
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
Conditions cond = new Conditions(null, notAfter);
if ((destID != null) && (destID.length() != 0)) {
List targets = new ArrayList();
cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
* This is added to create an attribute statement for the bootstrap
* information.
AttributeStatement attribStatement = null;
Advice advice = null;
String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
try {
FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
attribStatement = bootStrap.getBootStrapStatement();
if (bootStrap.hasCredentials()) {
advice = bootStrap.getCredentials();
} catch (Exception e) {
FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
AssertionIDReference aID = new AssertionIDReference();
Set statements = new HashSet();
if (attribStatement != null) {
String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
try {
Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
List attribStatements = null;
if (pluginClass instanceof FSRealmAttributePlugin) {
FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
} else if (pluginClass instanceof FSAttributePlugin) {
FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
if ((attribStatements != null) && (attribStatements.size() != 0)) {
Iterator iter = attribStatements.iterator();
while (iter.hasNext()) {
} catch (Exception ex) {
FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
String aIDString = assertion.getAssertionID();
Entry entry = new Entry(assertion, destID, artString, token);
Integer maxNumber = null;
try {
int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
maxNumber = new Integer(temp);
} catch (Exception ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
maxNumber = null;
if (maxNumber == null) {
maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
int maxValue = maxNumber.intValue();
if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
throw new FSException("errorCreateAssertion", null);
Object oldEntry = null;
try {
synchronized (idEntryMap) {
oldEntry = idEntryMap.put(aIDString, entry);
if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
idffSvc.setAssertions((long) idEntryMap.size());
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
throw new FSException("errorCreateAssertion", null);
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { assertion.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
} else {
String[] data = { assertion.getAssertionID() };
LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
if (artString != null) {
try {
synchronized (artIdMap) {
oldEntry = artIdMap.put(artString, aIDString);
if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
idffSvc.setArtifacts((long) artIdMap.size());
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
throw new FSException("errorCreateArtifact", null);
if (oldEntry != null) {
} else {
if (oldEntry != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
return assertion;
use of com.sun.identity.saml.assertion.AudienceRestrictionCondition in project OpenAM by OpenRock.
the class FSAssertionArtifactHandler method forThisServer.
protected boolean forThisServer(Conditions conds) {
FSUtils.debug.message("FSAssertionArtifactHandler.forThisServer: Called");
if ((conds == null) || (hostEntityId == null) || (hostEntityId.length() == 0)) {
return true;
Set targetConds = conds.getAudienceRestrictionCondition();
if ((targetConds == null) || (targetConds.isEmpty())) {
return true;
boolean forThis = false;
Iterator tcIter = targetConds.iterator();
AudienceRestrictionCondition targetCond = null;
while (tcIter.hasNext()) {
targetCond = (AudienceRestrictionCondition);
if (targetCond.containsAudience(hostEntityId)) {
forThis = true;
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "forThisServer: Assertion is validated to be" + "for this server");
return forThis;
use of com.sun.identity.saml.assertion.AudienceRestrictionCondition in project OpenAM by OpenRock.
the class CDCServlet method createAssertion.
private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
debug.message("Entering CDCServlet.createAssertion Method");
if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
debug.message("CDCServlet,createAssertion: null input");
throw new FSException(FSUtils.bundle.getString("nullInput"));
String securityDomain = sourceID;
NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
NameIdentifier spHandle = idpHandle;
String authMethod = authType;
Date authInstant = convertAuthInstanceToDate(strAuthInst);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
AuthnContext authnContextStmt = new AuthnContext(null, null);
FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContextStmt);
//setReauthenticateOnOrAfter date
Date issueInstant = new Date();
// get this period from the config
Integer assertionTimeout = new Integer(IFSConstants.ASSERTION_TIMEOUT_DEFAULT);
long period = (assertionTimeout.intValue()) * 1000;
Date notAfter = new Date(issueInstant.getTime() + period);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
Conditions cond = new Conditions(issueInstant, notAfter);
if ((destID != null) && (destID.length() != 0)) {
List targets = new ArrayList(1);
cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
AssertionIDReference aID = new AssertionIDReference();
Set statements = new HashSet(2);
FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
return assertion;
use of com.sun.identity.saml.assertion.AudienceRestrictionCondition in project OpenAM by OpenRock.
the class SAMLUtils method checkCondition.
* Checks if the Assertion is time valid and
* if the Assertion is allowed by AudienceRestrictionCondition.
* @param assertion an Assertion object
* @return true if the operation is successful otherwise, return false
* @exception IOException IOException
private static boolean checkCondition(Assertion assertion) throws IOException {
if (assertion == null) {
return false;
if (!assertion.isSignatureValid()) {
return false;
// check if the Assertion is time valid
if (!(assertion.isTimeValid())) {
return false;
// check the Assertion is allowed by AudienceRestrictionCondition
Conditions cnds = assertion.getConditions();
Set audienceCnd = new HashSet();
audienceCnd = cnds.getAudienceRestrictionCondition();
Iterator it = null;
if (audienceCnd != null) {
if (!audienceCnd.isEmpty()) {
it = audienceCnd.iterator();
while (it.hasNext()) {
if ((((AudienceRestrictionCondition) == Condition.INDETERMINATE) {
if (debug.messageEnabled()) {
debug.message("Audience " + "RestrictionConditions is indeterminate.");
} else {
debug.error("Failed AudienceRestrictionCondition");
return false;
return true;
use of com.sun.identity.saml.assertion.AudienceRestrictionCondition in project OpenAM by OpenRock.
the class LibSecurityTokenProvider method getSAMLToken.
* Returns the Security Assertion.
private SecurityAssertion getSAMLToken(NameIdentifier senderIdentity, SessionContext invocatorSession, Object resourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID, boolean isBear) throws SecurityTokenException {
if (debug.messageEnabled()) {
debug.message("getSAMLToken: isBear = " + isBear);
if (senderIdentity == null) {
debug.error("LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
throw new SecurityTokenException(bundle.getString("nullSenderIdentity"));
boolean statementNotFound = true;
SecurityAssertion assertion = null;
Set statements = new HashSet();
if (includeAuthN) {
AuthenticationStatement authStatement = createAuthenticationStatement(senderIdentity, isBear);
statementNotFound = false;
if (includeResourceAccessStatement) {
ResourceAccessStatement ras = createResourceAccessStatement(senderIdentity, invocatorSession, resourceID, isBear);
statementNotFound = false;
} else {
if (invocatorSession != null) {
SessionContextStatement scs = createSessionContextStatement(senderIdentity, invocatorSession, isBear);
statementNotFound = false;
// make sure the statements is not empty
if (statementNotFound) {
debug.error("getSAMLAuthorizationToken: SAML statement should " + "not be null.");
throw new SecurityTokenException(bundle.getString("nullStatement"));
String issuer = DiscoServiceManager.getDiscoProviderID();
//Check for the attribute statements.
attributePlugin = getAttributePlugin();
if (attributePlugin != null) {
List attributes = attributePlugin.getAttributes(senderIdentity, resourceID, issuer);
if (attributes != null && attributes.size() != 0) {
AttributeStatement attributeStatement = createAttributeStatement(senderIdentity, attributes, isBear);
if (attributeStatement != null) {
Date issueInstant = new Date();
try {
if (recipientProviderID != null) {
List audience = new ArrayList();
AudienceRestrictionCondition arc = new AudienceRestrictionCondition(audience);
Conditions conditions = new Conditions();
assertion = new SecurityAssertion("", issuer, issueInstant, conditions, statements);
} else {
assertion = new SecurityAssertion("", issuer, issueInstant, statements);
} catch (Exception e) {
debug.error("getSAMLToken.signXML", e);
throw new SecurityTokenException(bundle.getString("nullAssertion"));
return assertion;