Search in sources :

Example 16 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class LibSecurityTokenProvider method createSubjectAndProxySubject.

/**
     * Returns a list of Subjects.
     */
private List createSubjectAndProxySubject(NameIdentifier senderIdentity, SessionContext invocatorSession, boolean isBear) throws Exception {
    List returnList = new ArrayList();
    Subject subject = null;
    SubjectConfirmation subConfirmation = null;
    ProxySubject proxySubject = null;
    NameIdentifier sessIdentity = null;
    if (invocatorSession != null && !(sessIdentity = invocatorSession.getSessionSubject().getNameIdentifier()).equals(senderIdentity)) {
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_SENDERVOUCHES);
        // add proxy subject
        subject = new Subject(sessIdentity, subConfirmation);
        proxySubject = createProxySubject(senderIdentity, isBear);
        returnList.add(subject);
        returnList.add(proxySubject);
    } else {
        if (isBear) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
            subConfirmation.setKeyInfo(createKeyInfo());
        }
        subject = new Subject(senderIdentity, subConfirmation);
        returnList.add(subject);
    }
    return returnList;
}
Also used : SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) List(java.util.List) Subject(com.sun.identity.saml.assertion.Subject)

Example 17 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class SAML11RequestedSecurityToken method verifyToken.

/**
     * Verifies the token's validity, checking the signature, validity period 
     * etc.
     * @param realm the realm of the local entity
     * @param hostEntityId the local entity ID
     * @param timeskew permitted skew between service provider and identity 
     * provider clocks, in seconds
     * @return a Map of relevant data including Subject and the List of 
     * Assertions.
     * @throws com.sun.identity.wsfederation.common.WSFederationException in 
     * case of any error - invalid token signature, token expired etc.
     */
public Map<String, Object> verifyToken(String realm, String hostEntityId, int timeskew) throws WSFederationException {
    String classMethod = "SAML11RequestedSecurityToken.verifyToken";
    // check that assertion issuer is trusted by the local entity
    String issuer = assertion.getIssuer();
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String remoteEntityId = metaManager.getEntityByTokenIssuerName(realm, issuer);
    if (!metaManager.isTrustedProvider(realm, hostEntityId, remoteEntityId)) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId(), realm, hostEntityId };
        LogUtil.error(Level.INFO, LogUtil.UNTRUSTED_ISSUER, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("untrustedIssuer"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, hostEntityId);
    if (spConfig == null) {
        debug.error(classMethod + "cannot find configuration for SP " + hostEntityId);
        throw new WSFederationException("unableToFindSPConfiguration");
    }
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions
    boolean wantAssertionSigned = (strWantAssertionSigned != null) ? Boolean.parseBoolean(strWantAssertionSigned) : true;
    if (wantAssertionSigned && (!WSFederationUtils.isSignatureValid(assertion, realm, remoteEntityId))) {
        // isSignatureValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("invalidSignature"));
    }
    // TODO: check AudienceRestrictionCondition
    Subject assertionSubject = null;
    Iterator stmtIter = assertion.getStatement().iterator();
    while (stmtIter.hasNext()) {
        Statement statement = (Statement) stmtIter.next();
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            assertionSubject = ((SubjectStatement) statement).getSubject();
            break;
        }
    }
    if (assertionSubject == null) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId() };
        LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("missingSubject"));
    }
    // must be valid (timewise)
    if (!WSFederationUtils.isTimeValid(assertion, timeskew)) {
        // isTimeValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("timeInvalid"));
    }
    List assertions = new ArrayList();
    assertions.add(assertion);
    Map<String, Object> attrMap = new HashMap<String, Object>();
    attrMap.put(SAML2Constants.SUBJECT, assertionSubject);
    attrMap.put(SAML2Constants.POST_ASSERTION, assertion);
    attrMap.put(SAML2Constants.ASSERTIONS, assertions);
    // TODO
    int authLevel = 0;
    if (authLevel >= 0) {
        attrMap.put(SAML2Constants.AUTH_LEVEL, new Integer(authLevel));
    }
    Date sessionNotOnOrAfter = assertion.getConditions().getNotOnorAfter();
    if (sessionNotOnOrAfter != null) {
        long maxSessionTime = (sessionNotOnOrAfter.getTime() - System.currentTimeMillis()) / 60000;
        if (maxSessionTime > 0) {
            attrMap.put(SAML2Constants.MAX_SESSION_TIME, new Long(maxSessionTime));
        }
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + " Attribute Map : " + attrMap);
    }
    return attrMap;
}
Also used : WSFederationMetaManager(com.sun.identity.wsfederation.meta.WSFederationMetaManager) WSFederationException(com.sun.identity.wsfederation.common.WSFederationException) HashMap(java.util.HashMap) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) SubjectStatement(com.sun.identity.saml.assertion.SubjectStatement) Statement(com.sun.identity.saml.assertion.Statement) AuthenticationStatement(com.sun.identity.saml.assertion.AuthenticationStatement) SPSSOConfigElement(com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement) ArrayList(java.util.ArrayList) Subject(com.sun.identity.saml.assertion.Subject) Date(java.util.Date) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List)

Example 18 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class DefaultLibrarySPAccountMapper method getIdentity.

/**
     * Returns the user's disntinguished name or the universal ID for the 
     * corresponding  <code>SAML</code> <code>Assertion</code>. This method
     * will be invoked by the <code>WS-Federation</code> framework while 
     * processing the <code>Assertion</code> and retrieves the identity  
     * information. The implementation of this method checks for
     * the user for the corresponding name identifier in the assertion.
     *
     * @param rstr Request Security Token Response.
     * @param hostEntityID <code>EntityID</code> of the hosted provider.
     * @param realm realm or the organization name that may be used to find
     *        the user information.
     * @return user's disntinguished name or the universal ID.
     * @exception WSFederationException if any failure.
     */
public String getIdentity(RequestSecurityTokenResponse rstr, String hostEntityID, String realm) throws WSFederationException {
    if (rstr == null) {
        throw new WSFederationException(bundle.getString("nullRstr"));
    }
    if (hostEntityID == null) {
        throw new WSFederationException(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new WSFederationException(bundle.getString("nullRealm"));
    }
    SAML11RequestedSecurityToken rst = (SAML11RequestedSecurityToken) rstr.getRequestedSecurityToken();
    Subject subject = null;
    Assertion assertion = rst.getAssertion();
    Iterator iter = assertion.getStatement().iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            subject = ((SubjectStatement) statement).getSubject();
            break;
        }
    }
    NameIdentifier nameID = subject.getNameIdentifier();
    String userID = null;
    String format = nameID.getFormat();
    String remoteEntityID = WSFederationUtils.getMetaManager().getEntityByTokenIssuerName(realm, assertion.getIssuer());
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getIdentity(Assertion):" + " realm = " + realm + " hostEntityID = " + hostEntityID);
    }
    try {
        userID = dsProvider.getUserID(realm, getSearchParameters(nameID, realm, hostEntityID, remoteEntityID));
    } catch (DataStoreProviderException dse) {
        debug.error("DefaultLibrarySPAccountMapper.getIdentity(Assertion): " + "DataStoreProviderException", dse);
        throw new WSFederationException(dse);
    }
    return userID;
}
Also used : SAML11RequestedSecurityToken(com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken) DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) WSFederationException(com.sun.identity.wsfederation.common.WSFederationException) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) SubjectStatement(com.sun.identity.saml.assertion.SubjectStatement) Statement(com.sun.identity.saml.assertion.Statement) Assertion(com.sun.identity.saml.assertion.Assertion) Iterator(java.util.Iterator) Subject(com.sun.identity.saml.assertion.Subject)

Aggregations

Subject (com.sun.identity.saml.assertion.Subject)18 SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)9 Iterator (java.util.Iterator)9 ArrayList (java.util.ArrayList)8 List (java.util.List)8 SubjectStatement (com.sun.identity.saml.assertion.SubjectStatement)7 SessionException (com.sun.identity.plugin.session.SessionException)6 Statement (com.sun.identity.saml.assertion.Statement)6 HashMap (java.util.HashMap)6 Set (java.util.Set)6 AttributeStatement (com.sun.identity.saml.assertion.AttributeStatement)5 AuthenticationStatement (com.sun.identity.saml.assertion.AuthenticationStatement)5 SAMLException (com.sun.identity.saml.common.SAMLException)5 HashSet (java.util.HashSet)5 Map (java.util.Map)5 Assertion (com.sun.identity.saml.assertion.Assertion)4 NameIdentifier (com.sun.identity.saml.assertion.NameIdentifier)4 Date (java.util.Date)3 SystemConfigurationException (com.sun.identity.common.SystemConfigurationException)2 SecurityAssertion (com.sun.identity.liberty.ws.security.SecurityAssertion)2