use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class SecurityUtils method getCertificate.
/**
* Gets the Certificate from the <code>Assertion</code>.
*
* @param assertion the SAML <code>Assertion</code>.
* @return <code>X509Certificate</code> object.
*/
public static java.security.cert.Certificate getCertificate(SecurityAssertion assertion) {
if (debug.messageEnabled()) {
debug.message("SecurityAssertion = " + assertion.toString());
}
try {
Set statements = assertion.getStatement();
if (statements != null && !(statements.isEmpty())) {
Iterator iterator = statements.iterator();
while (iterator.hasNext()) {
Statement statement = (Statement) iterator.next();
int stype = statement.getStatementType();
Subject subject = null;
if (stype == Statement.AUTHENTICATION_STATEMENT) {
subject = ((AuthenticationStatement) statement).getSubject();
} else if (stype == ResourceAccessStatement.RESOURCEACCESS_STATEMENT) {
ResourceAccessStatement raStatement = (ResourceAccessStatement) statement;
subject = raStatement.getProxySubject();
if (subject == null) {
subject = raStatement.getSubject();
}
} else if (stype == SessionContextStatement.SESSIONCONTEXT_STATEMENT) {
SessionContextStatement scStatement = (SessionContextStatement) statement;
subject = scStatement.getProxySubject();
if (subject == null) {
subject = scStatement.getSubject();
}
}
if (subject != null) {
SubjectConfirmation subConfirm = subject.getSubjectConfirmation();
if (subConfirm.getConfirmationMethod().contains(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY)) {
Element keyinfo = subConfirm.getKeyInfo();
return getCertificate(keyinfo);
}
}
}
} else {
debug.error("Assertion does not contain any Statement.");
}
} catch (Exception e) {
debug.error("getCertificate Exception: ", e);
}
return null;
}
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class FSAssertionManager method createFSAssertion.
/**
* Creates an assertion artifact.
* @param id session ID
* @param artifact assertion artifact
* @param realm the realm under which the entity resides.
* @param spEntityID service provider's entity ID
* @param spHandle service provider issued <code>NameIdentifier</code>
* @param idpHandle identity provider issued <code>NameIdentifier</code>
* @param inResponseTo value to InResponseTo attribute. It's the request ID.
* @param assertionMinorVersion minor version the assertion should use
* @exception FSException,SAMLException if error occurrs
*/
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
// check input
if ((id == null) || (spEntityID == null)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
}
throw new FSException("nullInput", null);
}
String destID = spEntityID;
String authMethod = null;
String authnContextStatementRef = null;
String authnContextClassRef = null;
Date authInstant = null;
String securityDomain = null;
Object token = null;
String univId = null;
SubjectLocality authLocality = null;
FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
Map attributes = new HashMap();
if (metaManager != null) {
BaseConfigType idpConfig = null;
try {
idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
} catch (IDFFMetaException e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
}
idpConfig = null;
}
if (idpConfig != null) {
attributes = IDFFMetaUtils.getAttributes(idpConfig);
}
}
try {
SessionProvider sessionProvider = SessionManager.getProvider();
token = sessionProvider.getSession(id);
String[] strAuthInst = null;
try {
strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
} catch (UnsupportedOperationException ue) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
}
} catch (SessionException se) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
}
}
if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
try {
authInstant = DateUtils.stringToDate(strAuthInst[0]);
} catch (ParseException ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
}
}
} else {
authInstant = new java.util.Date();
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
}
try {
String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
authMethod = strAuthMethod[0];
}
} catch (UnsupportedOperationException ue) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
}
} catch (SessionException se) {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
}
}
String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
if (assertionIssuer == null) {
assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
}
try {
String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
authLocality = new SubjectLocality(ipAddress, assertionIssuer);
} catch (UnknownHostException uhe) {
FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
}
try {
FSSession session = sessionManager.getSession(token);
authnContextClassRef = session.getAuthnContext();
authnContextStatementRef = authnContextClassRef;
} catch (Exception ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
}
authnContextStatementRef = null;
}
if (authnContextStatementRef != null) {
if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
authMethod = IFSConstants.AC_XML_NS;
} else {
authMethod = IFSConstants.AC_12_XML_NS;
}
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
}
univId = sessionProvider.getPrincipalName(token);
securityDomain = hostEntityId;
} catch (Exception e) {
FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
throw new FSException("alliance_manager_no_local_descriptor", null, e);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
}
SubjectConfirmation subConfirmation = null;
String artString = null;
if (artifact != null) {
artString = artifact.getAssertionArtifact();
if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
} else {
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
}
subConfirmation.setSubjectConfirmationData(artString);
} else {
// set to bearer for POST profile
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
}
IDPProvidedNameIdentifier idpNi = null;
if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
} else {
idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
}
FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
authnContext.setMinorVersion(assertionMinorVersion);
FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
FSSession session = sessionManager.getSession(univId, id);
if (session == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
}
return null;
}
String sessionIndex = session.getSessionIndex();
if (sessionIndex == null) {
sessionIndex = SAMLUtils.generateID();
session.setSessionIndex(sessionIndex);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
}
statement.setSessionIndex(sessionIndex);
//setReauthenticateOnOrAfter date
Date issueInstant = new Date();
// get this period from the config
FSUtils.debug.message("here before date");
Date notAfter;
if (artifact != null) {
notAfter = new Date(issueInstant.getTime() + artifactTimeout);
} else {
notAfter = new Date(issueInstant.getTime() + assertionTimeout);
}
FSUtils.debug.message("here after date");
statement.setReauthenticateOnOrAfter(notAfter);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
}
Conditions cond = new Conditions(null, notAfter);
if ((destID != null) && (destID.length() != 0)) {
List targets = new ArrayList();
targets.add(destID);
cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
}
/**
* This is added to create an attribute statement for the bootstrap
* information.
*/
AttributeStatement attribStatement = null;
Advice advice = null;
String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
try {
FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
attribStatement = bootStrap.getBootStrapStatement();
if (bootStrap.hasCredentials()) {
advice = bootStrap.getCredentials();
}
} catch (Exception e) {
FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
}
}
AssertionIDReference aID = new AssertionIDReference();
Set statements = new HashSet();
statements.add(statement);
if (attribStatement != null) {
statements.add(attribStatement);
}
String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
try {
Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
List attribStatements = null;
if (pluginClass instanceof FSRealmAttributePlugin) {
FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
} else if (pluginClass instanceof FSAttributePlugin) {
FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
}
if ((attribStatements != null) && (attribStatements.size() != 0)) {
Iterator iter = attribStatements.iterator();
while (iter.hasNext()) {
statements.add((AttributeStatement) iter.next());
}
}
} catch (Exception ex) {
FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
}
}
if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
statements.add(autoFedStatement);
}
FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
assertion.setMinorVersion(assertionMinorVersion);
assertion.setID(aID.getAssertionIDReference());
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
}
String aIDString = assertion.getAssertionID();
Entry entry = new Entry(assertion, destID, artString, token);
Integer maxNumber = null;
try {
int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
maxNumber = new Integer(temp);
} catch (Exception ex) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
}
maxNumber = null;
}
if (maxNumber == null) {
maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
}
int maxValue = maxNumber.intValue();
if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
throw new FSException("errorCreateAssertion", null);
}
Object oldEntry = null;
try {
synchronized (idEntryMap) {
oldEntry = idEntryMap.put(aIDString, entry);
}
if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
idffSvc.setAssertions((long) idEntryMap.size());
}
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
}
throw new FSException("errorCreateAssertion", null);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { assertion.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
} else {
String[] data = { assertion.getAssertionID() };
LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
}
if (artString != null) {
try {
synchronized (artIdMap) {
oldEntry = artIdMap.put(artString, aIDString);
}
if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
idffSvc.setArtifacts((long) artIdMap.size());
}
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
}
throw new FSException("errorCreateArtifact", null);
}
if (oldEntry != null) {
artifactTimeoutRunnable.removeElement(aIDString);
}
artifactTimeoutRunnable.addElement(aIDString);
} else {
if (oldEntry != null) {
assertionTimeoutRunnable.removeElement(aIDString);
}
assertionTimeoutRunnable.addElement(aIDString);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
}
return assertion;
}
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class LibSecurityTokenProvider method createSubjectAndProxySubject.
/**
* Returns a list of Subjects.
*/
private List createSubjectAndProxySubject(NameIdentifier senderIdentity, SessionContext invocatorSession, boolean isBear) throws Exception {
List returnList = new ArrayList();
Subject subject = null;
SubjectConfirmation subConfirmation = null;
ProxySubject proxySubject = null;
NameIdentifier sessIdentity = null;
if (invocatorSession != null && !(sessIdentity = invocatorSession.getSessionSubject().getNameIdentifier()).equals(senderIdentity)) {
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_SENDERVOUCHES);
// add proxy subject
subject = new Subject(sessIdentity, subConfirmation);
proxySubject = createProxySubject(senderIdentity, isBear);
returnList.add(subject);
returnList.add(proxySubject);
} else {
if (isBear) {
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
} else {
subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
subConfirmation.setKeyInfo(createKeyInfo());
}
subject = new Subject(senderIdentity, subConfirmation);
returnList.add(subject);
}
return returnList;
}
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class FSAssertionArtifactHandler method validateAssertions.
protected Subject validateAssertions(List assertions) {
FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
// loop to check assertions
FSSubject subject = null;
Iterator iter = assertions.iterator();
FSAssertion assertion = null;
String aIDString = null;
String issuer = null;
Iterator stmtIter = null;
Statement statement = null;
int stmtType = Statement.NOT_SUPPORTED;
SubjectConfirmation subConf = null;
Set confMethods = null;
String confMethod = null;
Date date = null;
long time = System.currentTimeMillis() + 180000;
while (iter.hasNext()) {
assertion = (FSAssertion) iter.next();
if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion does not correspond to any valid request");
return null;
}
if (FSServiceUtils.isSigningOn()) {
if (!verifyAssertionSignature(assertion)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion signature verification failed");
return null;
}
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Assertion signature verified");
}
aIDString = assertion.getAssertionID();
// make sure it's not being used
if (idTimeMap.containsKey(aIDString)) {
FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
return null;
}
// check issuer of the assertions
issuer = assertion.getIssuer();
try {
if (idpEntityId != null) {
if (!idpEntityId.equals(issuer)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not the entity where " + "AuthnRequest was sent originally.");
return null;
}
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is: " + issuer);
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
if (idpDesc == null) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " Assertion issuer is not on the trust list");
return null;
}
setProviderDescriptor(idpDesc);
setProviderEntityId(issuer);
}
} catch (Exception ex) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not on the trust list");
return null;
}
// must be valid(timewise)
if (!assertion.isTimeValid()) {
FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " Assertion's time is not valid.");
return null;
}
// TODO: IssuerInstant of the assertion is within a few minutes
// This is a MAY in spec. Which number to use for the few minutes?
// if present, target of the assertions must == local server IP
Conditions conds = assertion.getConditions();
if (!forThisServer(conds)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "assertion is not issued for this site.");
return null;
}
//for each assertion, loop to check each statement
boolean authnStatementFound = false;
if (assertion.getStatement() != null) {
stmtIter = assertion.getStatement().iterator();
while (stmtIter.hasNext()) {
statement = (Statement) stmtIter.next();
stmtType = statement.getStatementType();
if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
authnStatementFound = true;
try {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "validating AuthenticationStatement:" + authStatement.toXMLString());
}
} catch (FSException e) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Exception. " + "Invalid AuthenticationStatement: ", e);
return null;
}
//check ReauthenticateOnOrAfter
reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
//process SessionIndex
idpSessionIndex = authStatement.getSessionIndex();
authnContextStmt = authStatement.getAuthnContext();
subject = (FSSubject) authStatement.getSubject();
if (subject == null) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Subject is null");
return null;
} else {
try {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "found Authentication Statement. " + "Subject = " + subject.toXMLString());
}
} catch (FSException e) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + " Exception. Invalid subject: ", e);
continue;
}
}
//bearer
if (((subConf = subject.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "missing or extra ConfirmationMethod.");
return null;
}
if (((confMethod = (String) confMethods.iterator().next()) == null) || !((confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)) || (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) || (confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)))) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: wrong " + "ConfirmationMethod");
return null;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Confirmation method: " + confMethod);
}
} else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
AttributeStatement attrStatement = (AttributeStatement) statement;
if (!checkForAttributeStatement(attrStatement)) {
attrStatements.add(attrStatement);
}
}
}
}
if (!authnStatementFound) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "No Authentication statement found in the Assertion. " + "User is not authenticated by the IDP");
}
return null;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Adding " + aIDString + " to idTimeMap.");
}
// add the assertion to idTimeMap
if ((date = conds.getNotOnorAfter()) != null) {
cGoThrough.addElement(aIDString);
idTimeMap.put(aIDString, new Long(date.getTime()));
} else {
cPeriodic.addElement(aIDString);
// it doesn't matter what we store for the value.
idTimeMap.put(aIDString, aIDString);
}
securityAssertions = assertion.getDiscoveryCredential();
}
if (subject == null) {
FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " couldn't find Subject.");
return null;
}
return subject;
}
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class SAMLUtils method verifyAssertionAndGetSSMap.
/**
* Checks response and get back a Map of relevant data including,
* Subject, SOAPEntry for the partner and the List of Assertions.
* @param response <code>Response</code> object
* @return Map of data including Subject, SOAPEntry, and list of assertions.
*/
public static Map verifyAssertionAndGetSSMap(Response response) {
// loop to check assertions
com.sun.identity.saml.assertion.Subject subject = null;
SAMLServiceManager.SOAPEntry srcSite = null;
List assertions = response.getAssertion();
Iterator iter = assertions.iterator();
Assertion assertion = null;
String aIDString = null;
String issuer = null;
Iterator stmtIter = null;
Statement statement = null;
int stmtType = Statement.NOT_SUPPORTED;
com.sun.identity.saml.assertion.Subject sub = null;
SubjectConfirmation subConf = null;
Set confMethods = null;
String confMethod = null;
Date date = null;
while (iter.hasNext()) {
assertion = (Assertion) iter.next();
aIDString = assertion.getAssertionID();
// make sure it's not being used
if (idTimeMap.containsKey(aIDString)) {
debug.error("verifyAssertion " + "AndGetSSMap: Assertion: " + aIDString + " is used.");
return null;
}
// check issuer of the assertions
issuer = assertion.getIssuer();
if ((srcSite = SAMLUtils.getSourceSite(issuer)) == null) {
debug.error("verifyAsserti " + "onAndGetSSMap: issuer is not on the Partner list.");
return null;
}
if (!assertion.isSignatureValid()) {
debug.error("verifyAssertion " + "AndGetSSMap: assertion's signature is not valid.");
return null;
}
// must be valid (timewise)
if (!assertion.isTimeValid()) {
debug.error("verifyAssertion " + "AndGetSSMap: assertion's time is not valid.");
return null;
}
// TODO: IssuerInstant of the assertion is within a few minutes
// This is a MAY in spec. Which number to use for the few minutes?
// TODO: check AudienceRestrictionCondition
//for each assertion, loop to check each statement
stmtIter = assertion.getStatement().iterator();
while (stmtIter.hasNext()) {
statement = (Statement) stmtIter.next();
stmtType = statement.getStatementType();
if ((stmtType == Statement.AUTHENTICATION_STATEMENT) || (stmtType == Statement.ATTRIBUTE_STATEMENT) || (stmtType == Statement.AUTHORIZATION_DECISION_STATEMENT)) {
sub = ((SubjectStatement) statement).getSubject();
// ConfirmationMethod of each subject must be set to bearer
if (((subConf = sub.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
debug.error("verify " + "AssertionAndGetSSMap: missing or extra " + "ConfirmationMethod.");
return null;
}
if (((confMethod = (String) confMethods.iterator().next()) == null) || (!confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
debug.error("verify " + "AssertionAndGetSSMap:wrong ConfirmationMethod.");
return null;
}
if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
// browser IP. This is a MAY item in the spec.
if (subject == null) {
subject = sub;
}
}
}
}
// add the assertion to idTimeMap
if (debug.messageEnabled()) {
debug.message("Adding " + aIDString + " to idTimeMap.");
}
Conditions conds = assertion.getConditions();
if ((conds != null) && ((date = conds.getNotOnorAfter()) != null)) {
cGoThrough.addElement(aIDString);
idTimeMap.put(aIDString, new Long(date.getTime()));
} else {
cPeriodic.addElement(aIDString);
// it doesn't matter what we store for the value.
idTimeMap.put(aIDString, aIDString);
}
}
// must have at least one SSO assertion
if ((subject == null) || (srcSite == null)) {
debug.error("verifyAssertion AndGetSSMap: couldn't find Subject.");
return null;
}
Map ssMap = new HashMap();
ssMap.put(SAMLConstants.SUBJECT, subject);
ssMap.put(SAMLConstants.SOURCE_SITE_SOAP_ENTRY, srcSite);
ssMap.put(SAMLConstants.POST_ASSERTION, assertions);
return ssMap;
}
Aggregations