use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.
From the class FSAssertionArtifactHandler, the method validateAssertions:
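/**
 * Validates every assertion in an IDFF response and returns the subject of
 * the authentication statement that passed all checks, or {@code null} if
 * any assertion fails.
 *
 * Each assertion must: answer the AuthnRequest this handler sent; carry a
 * valid signature when signing is enabled; not have been seen before
 * (replay check against {@code idTimeMap}); be issued by the IDP the request
 * was sent to (or, when {@code idpEntityId} is unset, by an IDP listed in the
 * realm's IDFF metadata); be time-valid; be addressed to this server
 * ({@code forThisServer}); and contain at least one authentication statement
 * whose subject carries exactly one bearer or artifact ConfirmationMethod.
 * Accepted assertion IDs are recorded in {@code idTimeMap} so they cannot be
 * replayed.
 *
 * Side effects on success: sets {@code reAuthnOnOrAfterDate},
 * {@code idpSessionIndex}, {@code authnContextStmt} and
 * {@code securityAssertions}, appends attribute statements to
 * {@code attrStatements}, and may set the provider descriptor and entity id
 * from metadata when {@code idpEntityId} was not known.
 *
 * @param assertions list of {@code FSAssertion} objects from the response
 * @return the validated {@code FSSubject}, or {@code null} on any failure
 */
protected Subject validateAssertions(List assertions) {
    FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
    FSSubject subject = null;
    String aIDString = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        FSAssertion assertion = (FSAssertion) iter.next();
        // The assertion must be a response to the request this handler issued.
        if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: assertion does not correspond to any valid request");
            return null;
        }
        // Signature verification is only enforced when signing is configured
        // on; the "verified" message is therefore logged only on that path so
        // the log never claims a verification that did not take place.
        if (FSServiceUtils.isSigningOn()) {
            if (!verifyAssertionSignature(assertion)) {
                FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: assertion signature verification failed");
                return null;
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertion: Assertion signature verified");
            }
        }
        aIDString = assertion.getAssertionID();
        // Replay check. NOTE(review): the ID is only written to idTimeMap at
        // the end of this iteration; if idTimeMap is a plain map shared across
        // request threads, two concurrent responses carrying the same
        // assertion ID could both pass this check - confirm the map type and
        // its synchronization.
        if (idTimeMap.containsKey(aIDString)) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
            return null;
        }
        // Issuer check: pin to the IDP the request went to, or fall back to the
        // realm's IDFF metadata when that entity id is not known.
        String issuer = assertion.getIssuer();
        try {
            if (idpEntityId != null) {
                if (!idpEntityId.equals(issuer)) {
                    FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion issuer is not the entity where AuthnRequest was sent originally.");
                    return null;
                }
            } else {
                FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion issuer is: " + issuer);
                IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
                IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
                if (idpDesc == null) {
                    FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion issuer is not on the trust list");
                    return null;
                }
                setProviderDescriptor(idpDesc);
                setProviderEntityId(issuer);
            }
        } catch (Exception ex) {
            // Any failure while resolving the issuer is treated as untrusted.
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion issuer is not on the trust list");
            return null;
        }
        // NotBefore / NotOnOrAfter window.
        if (!assertion.isTimeValid()) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion's time is not valid.");
            return null;
        }
        // TODO: IssueInstant within a few minutes of now is a MAY in the spec;
        // the tolerance to use has not been decided.
        // Audience / target check: the assertion must be meant for this site.
        Conditions conds = assertion.getConditions();
        if (!forThisServer(conds)) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: assertion is not issued for this site.");
            return null;
        }
        // Walk the statements; at least one authentication statement is
        // required, attribute statements are collected as a side effect.
        boolean authnStatementFound = false;
        List statements = assertion.getStatement();
        if (statements != null) {
            Iterator stmtIter = statements.iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    authnStatementFound = true;
                    try {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertion: validating AuthenticationStatement:" + authStatement.toXMLString());
                        }
                    } catch (FSException e) {
                        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Exception. Invalid AuthenticationStatement: ", e);
                        return null;
                    }
                    reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
                    idpSessionIndex = authStatement.getSessionIndex();
                    authnContextStmt = authStatement.getAuthnContext();
                    subject = (FSSubject) authStatement.getSubject();
                    if (subject == null) {
                        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Subject is null");
                        return null;
                    }
                    try {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertion: found Authentication Statement. Subject = " + subject.toXMLString());
                        }
                    } catch (FSException e) {
                        // A subject that cannot even be serialised is rejected
                        // outright. Continuing with the next statement here
                        // would leave `subject` set while skipping the
                        // ConfirmationMethod check below.
                        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:  Exception. Invalid subject: ", e);
                        return null;
                    }
                    // Exactly one ConfirmationMethod, and it must be bearer or
                    // artifact (current or deprecated URI).
                    SubjectConfirmation subConf = subject.getSubjectConfirmation();
                    Set confMethods = (subConf == null) ? null : subConf.getConfirmationMethod();
                    if (confMethods == null || confMethods.size() != 1) {
                        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: missing or extra ConfirmationMethod.");
                        return null;
                    }
                    String confMethod = (String) confMethods.iterator().next();
                    boolean accepted = confMethod != null
                        && (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)
                            || confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)
                            || confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT));
                    if (!accepted) {
                        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: wrong ConfirmationMethod");
                        return null;
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertion: Confirmation method: " + confMethod);
                    }
                } else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
                    AttributeStatement attrStatement = (AttributeStatement) statement;
                    if (!checkForAttributeStatement(attrStatement)) {
                        attrStatements.add(attrStatement);
                    }
                }
            }
        }
        if (!authnStatementFound) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertion: No Authentication statement found in the Assertion. User is not authenticated by the IDP");
            }
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertion: Adding " + aIDString + " to idTimeMap.");
        }
        // Record the accepted ID for replay detection. IDs with an expiry go
        // to the timed list, the rest to the periodically-cleaned list.
        // conds is null-checked here because forThisServer() is opaque from
        // this method and may accept an assertion without Conditions.
        Date notOnOrAfter = (conds == null) ? null : conds.getNotOnorAfter();
        if (notOnOrAfter != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, new Long(notOnOrAfter.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
        securityAssertions = assertion.getDiscoveryCredential();
    }
    if (subject == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: couldn't find Subject.");
        return null;
    }
    return subject;
}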
use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.
From the class SAMLUtils, the method verifyAssertionAndGetSSMap:
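/**
 * Checks every assertion in a SAML 1.x response and returns a map of the
 * data a relying party needs: the authenticated Subject, the SOAPEntry of
 * the issuing partner site, and the list of assertions.
 *
 * Each assertion must: not have been seen before (replay check against
 * {@code idTimeMap}); be issued by a site on the partner list; carry a
 * valid signature; be time-valid; and every subject statement in it must
 * carry exactly one ConfirmationMethod equal to bearer. The subject of the
 * first authentication statement found becomes the returned Subject.
 * Accepted assertion IDs are recorded in {@code idTimeMap}.
 *
 * Not enforced here: AudienceRestrictionCondition. An assertion from a
 * trusted partner that is addressed to a different audience is still
 * accepted (see the TODO in the body).
 *
 * @param response <code>Response</code> object
 * @return Map keyed by {@code SAMLConstants.SUBJECT},
 *         {@code SAMLConstants.SOURCE_SITE_SOAP_ENTRY} and
 *         {@code SAMLConstants.POST_ASSERTION}, or {@code null} if any
 *         assertion fails a check or no authentication statement is found.
 */
public static Map verifyAssertionAndGetSSMap(Response response) {
    com.sun.identity.saml.assertion.Subject subject = null;
    SAMLServiceManager.SOAPEntry srcSite = null;
    List assertions = response.getAssertion();
    if (assertions == null) {
        // A response without an assertion list cannot authenticate anyone;
        // fail closed rather than dereference it.
        debug.error("verifyAssertionAndGetSSMap: response carries no assertions.");
        return null;
    }
    String aIDString = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        Assertion assertion = (Assertion) iter.next();
        aIDString = assertion.getAssertionID();
        // Replay check. NOTE(review): the ID is only written to idTimeMap at
        // the end of this iteration; if idTimeMap is shared across request
        // threads without synchronization, two concurrent responses carrying
        // the same assertion ID could both pass here - confirm the map type.
        if (idTimeMap.containsKey(aIDString)) {
            debug.error("verifyAssertion " + "AndGetSSMap: Assertion: " + aIDString + " is used.");
            return null;
        }
        // The issuer must be a configured partner site.
        String issuer = assertion.getIssuer();
        if ((srcSite = SAMLUtils.getSourceSite(issuer)) == null) {
            debug.error("verifyAsserti " + "onAndGetSSMap: issuer is not on the Partner list.");
            return null;
        }
        // Signature and validity window.
        if (!assertion.isSignatureValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's signature is not valid.");
            return null;
        }
        if (!assertion.isTimeValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's time is not valid.");
            return null;
        }
        // TODO: IssueInstant within a few minutes of now is a MAY in the spec;
        // the tolerance to use has not been decided.
        // TODO: check AudienceRestrictionCondition. Until this is done an
        // assertion issued by a trusted partner for another audience is
        // accepted; the expected audience value is not available here.
        List statements = assertion.getStatement();
        if (statements != null) {
            Iterator stmtIter = statements.iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                boolean isSubjectStatement = (stmtType == Statement.AUTHENTICATION_STATEMENT)
                    || (stmtType == Statement.ATTRIBUTE_STATEMENT)
                    || (stmtType == Statement.AUTHORIZATION_DECISION_STATEMENT);
                if (!isSubjectStatement) {
                    continue;
                }
                com.sun.identity.saml.assertion.Subject sub = ((SubjectStatement) statement).getSubject();
                // Every subject must carry exactly one ConfirmationMethod,
                // and for this profile it must be bearer.
                SubjectConfirmation subConf = sub.getSubjectConfirmation();
                Set confMethods = (subConf == null) ? null : subConf.getConfirmationMethod();
                if (confMethods == null || confMethods.size() != 1) {
                    debug.error("verify " + "AssertionAndGetSSMap: missing or extra " + "ConfirmationMethod.");
                    return null;
                }
                String confMethod = (String) confMethods.iterator().next();
                if (confMethod == null || !confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)) {
                    debug.error("verify " + "AssertionAndGetSSMap:wrong ConfirmationMethod.");
                    return null;
                }
                // The first authentication statement supplies the SSO subject.
                // (Matching the browser IP is a MAY in the spec and not done.)
                if (stmtType == Statement.AUTHENTICATION_STATEMENT && subject == null) {
                    subject = sub;
                }
            }
        }
        if (debug.messageEnabled()) {
            debug.message("Adding " + aIDString + " to idTimeMap.");
        }
        // Record the accepted ID for replay detection: IDs with an expiry go
        // to the timed list, the rest to the periodically-cleaned list.
        Conditions conds = assertion.getConditions();
        Date notOnOrAfter = (conds == null) ? null : conds.getNotOnorAfter();
        if (notOnOrAfter != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, new Long(notOnOrAfter.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
    }
    // At least one SSO (authentication) assertion is required.
    if ((subject == null) || (srcSite == null)) {
        debug.error("verifyAssertion AndGetSSMap: couldn't find Subject.");
        return null;
    }
    Map ssMap = new HashMap();
    ssMap.put(SAMLConstants.SUBJECT, subject);
    ssMap.put(SAMLConstants.SOURCE_SITE_SOAP_ENTRY, srcSite);
    ssMap.put(SAMLConstants.POST_ASSERTION, assertions);
    return ssMap;
}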
use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.
From the class LibSecurityTokenProvider, the method getSAMLToken:
/**
 * Builds, optionally audience-restricts, and signs a SecurityAssertion for
 * the given sender.
 *
 * The assertion carries an authentication statement when
 * {@code includeAuthN} is set, a resource-access statement when
 * {@code includeResourceAccessStatement} is set (otherwise a session-context
 * statement if {@code invocatorSession} is present), and an attribute
 * statement when the configured attribute plugin returns attributes. When
 * {@code recipientProviderID} is given it becomes the sole audience of an
 * AudienceRestrictionCondition; when it is {@code null} the assertion has no
 * Conditions at all, so any relying party that trusts the issuer could
 * accept it. The assertion is signed with {@code DEFAULT_TA_CERT_ALIAS_VALUE}.
 *
 * @param senderIdentity identity of the sender; must not be null
 * @param invocatorSession invoking session, may be null
 * @param resourceID resource the token is for, passed to the statement and
 *        attribute builders
 * @param includeAuthN whether to include an AuthenticationStatement
 * @param includeResourceAccessStatement whether to include a
 *        ResourceAccessStatement instead of a SessionContextStatement
 * @param recipientProviderID intended audience, or null for no restriction
 * @param isBear whether the statements use bearer confirmation
 * @return the signed assertion
 * @throws SecurityTokenException if the sender is null, no statement could be
 *         built, or construction/signing of the assertion fails
 */
private SecurityAssertion getSAMLToken(NameIdentifier senderIdentity, SessionContext invocatorSession, Object resourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID, boolean isBear) throws SecurityTokenException {
    if (debug.messageEnabled()) {
        debug.message("getSAMLToken: isBear = " + isBear);
    }
    if (senderIdentity == null) {
        debug.error("LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
        throw new SecurityTokenException(bundle.getString("nullSenderIdentity"));
    }
    Set statements = new HashSet();
    if (includeAuthN) {
        statements.add(createAuthenticationStatement(senderIdentity, isBear));
    }
    if (includeResourceAccessStatement) {
        statements.add(createResourceAccessStatement(senderIdentity, invocatorSession, resourceID, isBear));
    } else if (invocatorSession != null) {
        statements.add(createSessionContextStatement(senderIdentity, invocatorSession, isBear));
    }
    // At least one of the statements above is mandatory; the attribute
    // statement added below does not count.
    if (statements.isEmpty()) {
        debug.error("getSAMLAuthorizationToken: SAML statement should " + "not be null.");
        throw new SecurityTokenException(bundle.getString("nullStatement"));
    }
    String issuer = DiscoServiceManager.getDiscoProviderID();
    // Attribute statement, only when a plugin is configured and returns data.
    attributePlugin = getAttributePlugin();
    if (attributePlugin != null) {
        List attributes = attributePlugin.getAttributes(senderIdentity, resourceID, issuer);
        if (attributes != null && !attributes.isEmpty()) {
            AttributeStatement attributeStatement = createAttributeStatement(senderIdentity, attributes, isBear);
            if (attributeStatement != null) {
                statements.add(attributeStatement);
            }
        }
    }
    Date issueInstant = new Date();
    SecurityAssertion assertion;
    try {
        // Audience restriction is applied only when a recipient is known.
        Conditions conditions = null;
        if (recipientProviderID != null) {
            List audience = new ArrayList();
            audience.add(recipientProviderID);
            conditions = new Conditions();
            conditions.addAudienceRestrictionCondition(new AudienceRestrictionCondition(audience));
        }
        assertion = (conditions == null)
            ? new SecurityAssertion("", issuer, issueInstant, statements)
            : new SecurityAssertion("", issuer, issueInstant, conditions, statements);
        assertion.signXML(DEFAULT_TA_CERT_ALIAS_VALUE);
    } catch (Exception e) {
        debug.error("getSAMLToken.signXML", e);
        throw new SecurityTokenException(bundle.getString("nullAssertion"));
    }
    return assertion;
}