
Example 11 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class DefaultActionMapper method getAuthorizationDecisions.

/**
 * Evaluates the actions of an {@code AuthorizationDecisionQuery} against the
 * OpenAM Policy framework.
 * <p>
 * The Evidence of the query (its AttributeStatements) is first converted into
 * Policy API environment parameters via {@code convertEvidence}; the attributes
 * are expected to be OpenAM attributes. Each action is then evaluated on its
 * own. Only actions in the {@code urn:oasis:names:tc:SAML:1.0:ghpp} namespace
 * are evaluated; that namespace is mapped to the
 * {@code iPlanetAMWebAgentService} policy service. Actions in any other
 * namespace are skipped, and an action whose evaluation throws is skipped as
 * well (treated as indeterminate, logged at message level).
 * <p>
 * The returned map holds exactly one entry: {@code ActionMapper.PERMIT} with
 * the permitted actions if at least one action was permitted; otherwise
 * {@code ActionMapper.DENY} with the denied actions if at least one was
 * denied; otherwise {@code ActionMapper.INDETERMINATE} with the complete
 * action list of the query. Denied actions are therefore not reported when
 * any action was permitted.
 *
 * @param query    the authorization decision query to evaluate
 * @param token    the {@code SSOToken} used for policy evaluation
 * @param sourceID the source ID of the requesting site, passed through to
 *                 {@code convertEvidence}
 * @return a single-entry map keyed by one of the {@code ActionMapper}
 *         decision constants
 * @throws SAMLException if {@code query} or {@code token} is {@code null}
 */
public Map getAuthorizationDecisions(AuthorizationDecisionQuery query, Object token, String sourceID) throws SAMLException {
    if (query == null || token == null) {
        SAMLUtils.debug.message("DefaultActionMapper: null input.");
        throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
    }
    Map envParameters = convertEvidence(query.getEvidence(), query.getSubject(), sourceID);
    List actions = query.getAction();
    String resource = query.getResource();
    List permitted = new ArrayList();
    List denied = new ArrayList();
    // Created lazily: no evaluator is needed when no action is in the ghpp namespace.
    PolicyEvaluator evaluator = null;
    for (Iterator it = actions.iterator(); it.hasNext(); ) {
        Action current = (Action) it.next();
        String ns = current.getNameSpace();
        if (ns == null || !ns.equals(SAMLConstants.ACTION_NAMESPACE_GHPP)) {
            // Only the ghpp namespace is handled; other actions end up in neither list.
            continue;
        }
        try {
            if (evaluator == null) {
                evaluator = new PolicyEvaluator("iPlanetAMWebAgentService");
            }
            boolean allowed = evaluator.isAllowed((SSOToken) token, resource, current.getAction(), envParameters);
            List bucket = allowed ? permitted : denied;
            bucket.add(current);
        } catch (Exception e) {
            // A failed evaluation is indeterminate for this action: record it in neither list.
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("DefaultActionMapper: " + "Exception from policy:" + e);
            }
        }
    }
    Map decisions = new HashMap();
    if (!permitted.isEmpty()) {
        decisions.put(ActionMapper.PERMIT, permitted);
    } else if (!denied.isEmpty()) {
        decisions.put(ActionMapper.DENY, denied);
    } else {
        decisions.put(ActionMapper.INDETERMINATE, actions);
    }
    return decisions;
}

Example 12 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class SAMLUtils method verifyAssertionAndGetSSMap.

/**
 * Checks the assertions of a response and returns a Map of the relevant data:
 * the Subject, the SOAPEntry of the partner site and the List of Assertions.
 * <p>
 * Every assertion in the response must pass, in this order: its assertion ID is
 * not already present in {@code idTimeMap} (replay check), its issuer resolves
 * to a configured source site, its signature is valid, and its validity period
 * is satisfied. Every subject-bearing statement (authentication, attribute or
 * authorization decision statement) must carry exactly one ConfirmationMethod,
 * and that method must be {@code SAMLConstants.CONFIRMATION_METHOD_BEARER}.
 * The returned Subject is the one of the first AuthenticationStatement
 * encountered. Any failed check logs an error and returns {@code null}.
 * <p>
 * Side effect: each assertion that passes is recorded in {@code idTimeMap}
 * (and in {@code cGoThrough} or {@code cPeriodic}) before the next assertion is
 * examined, so a failure on a later assertion does not remove the entries made
 * for earlier ones. The SOAPEntry returned is the one resolved for the issuer
 * of the last assertion in the list. AudienceRestrictionCondition is not
 * checked here (see the TODO below).
 * @param response <code>Response</code> object
 * @return Map of data including Subject, SOAPEntry, and list of assertions,
 *         or {@code null} if any check fails.
 */
public static Map verifyAssertionAndGetSSMap(Response response) {
    // loop to check assertions
    com.sun.identity.saml.assertion.Subject subject = null;
    SAMLServiceManager.SOAPEntry srcSite = null;
    List assertions = response.getAssertion();
    Iterator iter = assertions.iterator();
    Assertion assertion = null;
    String aIDString = null;
    String issuer = null;
    Iterator stmtIter = null;
    Statement statement = null;
    int stmtType = Statement.NOT_SUPPORTED;
    com.sun.identity.saml.assertion.Subject sub = null;
    SubjectConfirmation subConf = null;
    Set confMethods = null;
    String confMethod = null;
    Date date = null;
    while (iter.hasNext()) {
        assertion = (Assertion) iter.next();
        aIDString = assertion.getAssertionID();
        // replay check: an assertion ID already in idTimeMap has been consumed before
        if (idTimeMap.containsKey(aIDString)) {
            debug.error("verifyAssertion " + "AndGetSSMap: Assertion: " + aIDString + " is used.");
            return null;
        }
        // check issuer of the assertions; srcSite is overwritten on every iteration
        issuer = assertion.getIssuer();
        if ((srcSite = SAMLUtils.getSourceSite(issuer)) == null) {
            debug.error("verifyAsserti " + "onAndGetSSMap: issuer is not on the Partner list.");
            return null;
        }
        // signature is checked only after the issuer is known to be a partner
        if (!assertion.isSignatureValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's signature is not valid.");
            return null;
        }
        // must be valid (timewise)
        if (!assertion.isTimeValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // TODO: check AudienceRestrictionCondition
        //for each assertion, loop to check each statement
        stmtIter = assertion.getStatement().iterator();
        while (stmtIter.hasNext()) {
            statement = (Statement) stmtIter.next();
            stmtType = statement.getStatementType();
            // only statement types that carry a Subject are inspected
            if ((stmtType == Statement.AUTHENTICATION_STATEMENT) || (stmtType == Statement.ATTRIBUTE_STATEMENT) || (stmtType == Statement.AUTHORIZATION_DECISION_STATEMENT)) {
                sub = ((SubjectStatement) statement).getSubject();
                // ConfirmationMethod of each subject must be set to bearer;
                // exactly one method is required, more or fewer is rejected
                if (((subConf = sub.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
                    debug.error("verify " + "AssertionAndGetSSMap: missing or extra " + "ConfirmationMethod.");
                    return null;
                }
                if (((confMethod = (String) confMethods.iterator().next()) == null) || (!confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
                    debug.error("verify " + "AssertionAndGetSSMap:wrong ConfirmationMethod.");
                    return null;
                }
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    // browser IP. This is a MAY item in the spec.
                    // keep the subject of the first AuthenticationStatement; later ones are ignored
                    if (subject == null) {
                        subject = sub;
                    }
                }
            }
        }
        // add the assertion to idTimeMap
        if (debug.messageEnabled()) {
            debug.message("Adding " + aIDString + " to idTimeMap.");
        }
        // NOTE(review): cGoThrough presumably holds IDs that expire at NotOnOrAfter and
        // cPeriodic those cleaned up on a schedule — confirm against the cleanup code
        Conditions conds = assertion.getConditions();
        if ((conds != null) && ((date = conds.getNotOnorAfter()) != null)) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, new Long(date.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
    }
    // must have at least one SSO assertion
    if ((subject == null) || (srcSite == null)) {
        debug.error("verifyAssertion AndGetSSMap: couldn't find Subject.");
        return null;
    }
    Map ssMap = new HashMap();
    ssMap.put(SAMLConstants.SUBJECT, subject);
    ssMap.put(SAMLConstants.SOURCE_SITE_SOAP_ENTRY, srcSite);
    ssMap.put(SAMLConstants.POST_ASSERTION, assertions);
    return ssMap;
}

Example 13 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class Default64ResourceIDMapper method getUserID.

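/**
 * Returns the ID of the user who has the resource ID in a provider.
 * <p>
 * For a {@code null} resource ID or the implied resource
 * ({@code DiscoConstants.IMPLIED_RESOURCE}) the user ID is the name of the
 * NameIdentifier of the bearer subject carried by the request message's
 * assertion. Otherwise the resource ID is expected to be {@code providerID},
 * a single {@code "/"} separator (not repeated when {@code providerID} already
 * ends with one) and a URL-encoded, Base64-encoded user ID, which is decoded
 * and returned.
 * @param providerID ID of the provider.
 * @param resourceID ID of the resource.
 * @param message Request message.
 * @return user ID. Return null if the user is not found or the inputs do not
 *         have the expected form.
 */
public String getUserID(String providerID, String resourceID, Message message) {
    if ((resourceID == null) || (resourceID.equals(DiscoConstants.IMPLIED_RESOURCE))) {
        if (debug.messageEnabled()) {
            debug.message("Default64ResourceIDMapper.getUserID: used " + "implied resource.");
        }
        if (message == null) {
            debug.error("Default64ResourceIDMapper.getUserID:null message");
            return null;
        }
        SecurityAssertion assertion = message.getAssertion();
        if (assertion == null) {
            debug.error("Default64ResourceIDMapper.getUserID:null " + "assertion");
            return null;
        }
        // Only a bearer-confirmed subject identifies the caller here.
        Subject subject = assertion.getBearerSubject();
        if (subject == null) {
            debug.error("Default64ResourceIDMapper.getUserID:not " + "Bearer Token");
            return null;
        }
        NameIdentifier ni = subject.getNameIdentifier();
        if (ni == null) {
            debug.error("Default64ResourceIDMapper.getUserID:no " + "NameIdentifier");
            return null;
        }
        return ni.getName();
    }
    if ((providerID == null) || (providerID.length() == 0)) {
        debug.error("Default64ResourceIDMapper.getUserID:null providerID.");
        return null;
    }
    // The encoded user ID follows providerID and a single "/" separator. Requiring the
    // separator as part of the prefix (instead of only providerID) rejects resource IDs
    // like providerID + "x/..." and avoids a StringIndexOutOfBoundsException when
    // resourceID equals providerID exactly.
    String prefix = providerID.endsWith("/") ? providerID : providerID + "/";
    if (!resourceID.startsWith(prefix)) {
        debug.error("Default64ResourceIDMapper.getUserID:resourceID not " + "startsWith providerID:" + providerID);
        return null;
    }
    String urlDecoded = URLEncDec.decode(resourceID.substring(prefix.length()));
    try {
        return SAMLUtils.byteArrayToString(Base64.decode(urlDecoded));
    } catch (Exception e) {
        // Any decoding failure is reported as "user not found" rather than propagated.
        debug.error("Default64ResourceIDMapper.getUserID:", e);
        return null;
    }
}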

Example 14 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class DefaultHexResourceIDMapper method getUserID.

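/**
 * Returns the ID of the user who has the resource ID in a provider.
 * <p>
 * For a {@code null} resource ID or the implied resource
 * ({@code DiscoConstants.IMPLIED_RESOURCE}) the user ID is the name of the
 * NameIdentifier of the bearer subject carried by the request message's
 * assertion. Otherwise the resource ID is expected to be {@code providerID},
 * a single {@code "/"} separator (not repeated when {@code providerID} already
 * ends with one) and a hex-encoded user ID, which is decoded and returned.
 * @param providerID ID of the provider.
 * @param resourceID ID of the resource.
 * @param message Request message.
 * @return user ID. Return null if the user is not found or the inputs do not
 *         have the expected form.
 */
public String getUserID(String providerID, String resourceID, Message message) {
    if ((resourceID == null) || (resourceID.equals(DiscoConstants.IMPLIED_RESOURCE))) {
        if (debug.messageEnabled()) {
            debug.message("DefaultHexResourceIDMapper.getUserID: used " + "implied resource.");
        }
        if (message == null) {
            debug.error("DefaultHexResourceIDMapper.getUserID:null message");
            return null;
        }
        SecurityAssertion assertion = message.getAssertion();
        if (assertion == null) {
            debug.error("DefaultHexResourceIDMapper.getUserID:no " + "assertion");
            return null;
        }
        // Only a bearer-confirmed subject identifies the caller here.
        Subject subject = assertion.getBearerSubject();
        if (subject == null) {
            debug.error("DefaultHexResourceIDMapper.getUserID:not " + "Bearer Token");
            return null;
        }
        NameIdentifier ni = subject.getNameIdentifier();
        if (ni == null) {
            debug.error("DefaultHexResourceIDMapper.getUserID:no " + "NameIdentifier");
            return null;
        }
        return ni.getName();
    }
    if ((providerID == null) || (providerID.length() == 0)) {
        debug.error("DefaultHexResourceIDMapper.getUserID:null providerID");
        return null;
    }
    // The hex user ID follows providerID and a single "/" separator. Requiring the
    // separator as part of the prefix (instead of only providerID) rejects resource IDs
    // like providerID + "x/..." and avoids a StringIndexOutOfBoundsException when
    // resourceID equals providerID exactly.
    String prefix = providerID.endsWith("/") ? providerID : providerID + "/";
    if (!resourceID.startsWith(prefix)) {
        debug.error("DefaultHexResourceIDMapper.getUserID:resourceID not " + "startsWith providerID:" + providerID);
        return null;
    }
    String hex = resourceID.substring(prefix.length());
    return SAMLUtils.byteArrayToString(SAMLUtils.hexStringToByteArray(hex));
}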

Example 15 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class LibSecurityTokenProvider method createSessionContextStatement.

/**
 * Creates the <code>SessionContextStatement</code> for the invocator session.
 * <p>
 * The Subject, and the ProxySubject when {@code createSubjectAndProxySubject}
 * returns two entries, are taken from that helper. Any exception raised while
 * building them is logged and rethrown as a {@code SecurityTokenException}
 * carrying only the original exception's message.
 *
 * @param senderIdentity   NameIdentifier of the sender, passed to the helper
 * @param invocatorSession session context placed in the statement
 * @param isBear           passed through to the helper unchanged
 * @return the new statement
 * @throws SecurityTokenException if the subjects cannot be created
 */
private SessionContextStatement createSessionContextStatement(NameIdentifier senderIdentity, SessionContext invocatorSession, boolean isBear) throws SecurityTokenException {
    try {
        List subjects = createSubjectAndProxySubject(senderIdentity, invocatorSession, isBear);
        Subject subject = (Subject) subjects.get(0);
        // A second entry, when present, is the proxy subject; otherwise none is set.
        ProxySubject proxySubject = (subjects.size() == 2) ? (ProxySubject) subjects.get(1) : null;
        return new SessionContextStatement(invocatorSession, proxySubject, subject);
    } catch (Exception e) {
        debug.error("createSessionContextStatement: ", e);
        throw new SecurityTokenException(e.getMessage());
    }
}
