Search in sources :

Example 11 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class SecurityUtils method getCertificate.

/**
     * Gets the  Certificate from the <code>Assertion</code>.
     *
     * @param assertion the SAML <code>Assertion</code>.
     * @return <code>X509Certificate</code> object.
     */
public static java.security.cert.Certificate getCertificate(SecurityAssertion assertion) {
    if (debug.messageEnabled()) {
        debug.message("SecurityAssertion = " + assertion.toString());
    }
    try {
        Set statements = assertion.getStatement();
        if (statements != null && !(statements.isEmpty())) {
            Iterator iterator = statements.iterator();
            while (iterator.hasNext()) {
                Statement statement = (Statement) iterator.next();
                int stype = statement.getStatementType();
                Subject subject = null;
                if (stype == Statement.AUTHENTICATION_STATEMENT) {
                    subject = ((AuthenticationStatement) statement).getSubject();
                } else if (stype == ResourceAccessStatement.RESOURCEACCESS_STATEMENT) {
                    ResourceAccessStatement raStatement = (ResourceAccessStatement) statement;
                    subject = raStatement.getProxySubject();
                    if (subject == null) {
                        subject = raStatement.getSubject();
                    }
                } else if (stype == SessionContextStatement.SESSIONCONTEXT_STATEMENT) {
                    SessionContextStatement scStatement = (SessionContextStatement) statement;
                    subject = scStatement.getProxySubject();
                    if (subject == null) {
                        subject = scStatement.getSubject();
                    }
                }
                if (subject != null) {
                    SubjectConfirmation subConfirm = subject.getSubjectConfirmation();
                    if (subConfirm.getConfirmationMethod().contains(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY)) {
                        Element keyinfo = subConfirm.getKeyInfo();
                        return getCertificate(keyinfo);
                    }
                }
            }
        } else {
            debug.error("Assertion does not contain any Statement.");
        }
    } catch (Exception e) {
        debug.error("getCertificate Exception: ", e);
    }
    return null;
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) Statement(com.sun.identity.saml.assertion.Statement) AuthenticationStatement(com.sun.identity.saml.assertion.AuthenticationStatement) Element(org.w3c.dom.Element) Iterator(java.util.Iterator) Subject(com.sun.identity.saml.assertion.Subject) XMLSignatureException(com.sun.identity.saml.xmlsig.XMLSignatureException) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException)

Example 12 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class FSAssertionManager method createFSAssertion.

/**
     * Creates an assertion artifact.
     * @param id session ID
     * @param artifact assertion artifact
     * @param realm the realm under which the entity resides.
     * @param spEntityID service provider's entity ID
     * @param spHandle service provider issued <code>NameIdentifier</code>
     * @param idpHandle identity provider issued <code>NameIdentifier</code>
     * @param inResponseTo value to InResponseTo attribute. It's the request ID.
     * @param assertionMinorVersion minor version the assertion should use
     * @exception FSException,SAMLException if error occurrs
     */
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
    FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
    // check input
    if ((id == null) || (spEntityID == null)) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
        }
        throw new FSException("nullInput", null);
    }
    String destID = spEntityID;
    String authMethod = null;
    String authnContextStatementRef = null;
    String authnContextClassRef = null;
    Date authInstant = null;
    String securityDomain = null;
    Object token = null;
    String univId = null;
    SubjectLocality authLocality = null;
    FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
    IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
    Map attributes = new HashMap();
    if (metaManager != null) {
        BaseConfigType idpConfig = null;
        try {
            idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
        } catch (IDFFMetaException e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
            }
            idpConfig = null;
        }
        if (idpConfig != null) {
            attributes = IDFFMetaUtils.getAttributes(idpConfig);
        }
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        token = sessionProvider.getSession(id);
        String[] strAuthInst = null;
        try {
            strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
            try {
                authInstant = DateUtils.stringToDate(strAuthInst[0]);
            } catch (ParseException ex) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
                }
            }
        } else {
            authInstant = new java.util.Date();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
        }
        try {
            String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
            if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
                authMethod = strAuthMethod[0];
            }
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
        if (assertionIssuer == null) {
            assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
        }
        try {
            String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
            authLocality = new SubjectLocality(ipAddress, assertionIssuer);
        } catch (UnknownHostException uhe) {
            FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
        }
        try {
            FSSession session = sessionManager.getSession(token);
            authnContextClassRef = session.getAuthnContext();
            authnContextStatementRef = authnContextClassRef;
        } catch (Exception ex) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
            }
            authnContextStatementRef = null;
        }
        if (authnContextStatementRef != null) {
            if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                authMethod = IFSConstants.AC_XML_NS;
            } else {
                authMethod = IFSConstants.AC_12_XML_NS;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
        }
        univId = sessionProvider.getPrincipalName(token);
        securityDomain = hostEntityId;
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
        throw new FSException("alliance_manager_no_local_descriptor", null, e);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
    }
    SubjectConfirmation subConfirmation = null;
    String artString = null;
    if (artifact != null) {
        artString = artifact.getAssertionArtifact();
        if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
        }
        subConfirmation.setSubjectConfirmationData(artString);
    } else {
        // set to bearer for POST profile
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
    }
    IDPProvidedNameIdentifier idpNi = null;
    if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
        idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
    } else {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    }
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
    authnContext.setMinorVersion(assertionMinorVersion);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
    FSSession session = sessionManager.getSession(univId, id);
    if (session == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
        }
        return null;
    }
    String sessionIndex = session.getSessionIndex();
    if (sessionIndex == null) {
        sessionIndex = SAMLUtils.generateID();
        session.setSessionIndex(sessionIndex);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
    }
    statement.setSessionIndex(sessionIndex);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    FSUtils.debug.message("here before date");
    Date notAfter;
    if (artifact != null) {
        notAfter = new Date(issueInstant.getTime() + artifactTimeout);
    } else {
        notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    }
    FSUtils.debug.message("here after date");
    statement.setReauthenticateOnOrAfter(notAfter);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(null, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList();
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    /**
         * This is added to create an attribute statement for the bootstrap
         * information.
         */
    AttributeStatement attribStatement = null;
    Advice advice = null;
    String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
    if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
        AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
        authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        try {
            FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
            attribStatement = bootStrap.getBootStrapStatement();
            if (bootStrap.hasCredentials()) {
                advice = bootStrap.getCredentials();
            }
        } catch (Exception e) {
            FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
        }
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet();
    statements.add(statement);
    if (attribStatement != null) {
        statements.add(attribStatement);
    }
    String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
    if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
        try {
            Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
            List attribStatements = null;
            if (pluginClass instanceof FSRealmAttributePlugin) {
                FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
            } else if (pluginClass instanceof FSAttributePlugin) {
                FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
            }
            if ((attribStatements != null) && (attribStatements.size() != 0)) {
                Iterator iter = attribStatements.iterator();
                while (iter.hasNext()) {
                    statements.add((AttributeStatement) iter.next());
                }
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
        }
    }
    if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
        AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
        statements.add(autoFedStatement);
    }
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
    assertion.setMinorVersion(assertionMinorVersion);
    assertion.setID(aID.getAssertionIDReference());
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
    }
    String aIDString = assertion.getAssertionID();
    Entry entry = new Entry(assertion, destID, artString, token);
    Integer maxNumber = null;
    try {
        int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
        maxNumber = new Integer(temp);
    } catch (Exception ex) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
        }
        maxNumber = null;
    }
    if (maxNumber == null) {
        maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
    }
    int maxValue = maxNumber.intValue();
    if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
        FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
        throw new FSException("errorCreateAssertion", null);
    }
    Object oldEntry = null;
    try {
        synchronized (idEntryMap) {
            oldEntry = idEntryMap.put(aIDString, entry);
        }
        if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
            idffSvc.setAssertions((long) idEntryMap.size());
        }
    } catch (Exception e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
        }
        throw new FSException("errorCreateAssertion", null);
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { assertion.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
    } else {
        String[] data = { assertion.getAssertionID() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
    }
    if (artString != null) {
        try {
            synchronized (artIdMap) {
                oldEntry = artIdMap.put(artString, aIDString);
            }
            if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
                idffSvc.setArtifacts((long) artIdMap.size());
            }
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
            }
            throw new FSException("errorCreateArtifact", null);
        }
        if (oldEntry != null) {
            artifactTimeoutRunnable.removeElement(aIDString);
        }
        artifactTimeoutRunnable.addElement(aIDString);
    } else {
        if (oldEntry != null) {
            assertionTimeoutRunnable.removeElement(aIDString);
        }
        assertionTimeoutRunnable.addElement(aIDString);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) FSSubject(com.sun.identity.federation.message.FSSubject) Date(java.util.Date) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) SessionProvider(com.sun.identity.plugin.session.SessionProvider) HashSet(java.util.HashSet) UnknownHostException(java.net.UnknownHostException) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ParseException(java.text.ParseException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) UnknownHostException(java.net.UnknownHostException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) ParseException(java.text.ParseException) Advice(com.sun.identity.saml.assertion.Advice) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) Map(java.util.Map) HashMap(java.util.HashMap)

Example 13 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class LibSecurityTokenProvider method createSubjectAndProxySubject.

/**
     * Returns a list of Subjects.
     */
private List createSubjectAndProxySubject(NameIdentifier senderIdentity, SessionContext invocatorSession, boolean isBear) throws Exception {
    List returnList = new ArrayList();
    Subject subject = null;
    SubjectConfirmation subConfirmation = null;
    ProxySubject proxySubject = null;
    NameIdentifier sessIdentity = null;
    if (invocatorSession != null && !(sessIdentity = invocatorSession.getSessionSubject().getNameIdentifier()).equals(senderIdentity)) {
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_SENDERVOUCHES);
        // add proxy subject
        subject = new Subject(sessIdentity, subConfirmation);
        proxySubject = createProxySubject(senderIdentity, isBear);
        returnList.add(subject);
        returnList.add(proxySubject);
    } else {
        if (isBear) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
            subConfirmation.setKeyInfo(createKeyInfo());
        }
        subject = new Subject(senderIdentity, subConfirmation);
        returnList.add(subject);
    }
    return returnList;
}
Also used : SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) List(java.util.List) Subject(com.sun.identity.saml.assertion.Subject)

Example 14 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class FSAssertionArtifactHandler method validateAssertions.

protected Subject validateAssertions(List assertions) {
    FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
    // loop to check assertions
    FSSubject subject = null;
    Iterator iter = assertions.iterator();
    FSAssertion assertion = null;
    String aIDString = null;
    String issuer = null;
    Iterator stmtIter = null;
    Statement statement = null;
    int stmtType = Statement.NOT_SUPPORTED;
    SubjectConfirmation subConf = null;
    Set confMethods = null;
    String confMethod = null;
    Date date = null;
    long time = System.currentTimeMillis() + 180000;
    while (iter.hasNext()) {
        assertion = (FSAssertion) iter.next();
        if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion does not correspond to any valid request");
            return null;
        }
        if (FSServiceUtils.isSigningOn()) {
            if (!verifyAssertionSignature(assertion)) {
                FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion signature verification failed");
                return null;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Assertion signature verified");
        }
        aIDString = assertion.getAssertionID();
        // make sure it's not being used            
        if (idTimeMap.containsKey(aIDString)) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
            return null;
        }
        // check issuer of the assertions
        issuer = assertion.getIssuer();
        try {
            if (idpEntityId != null) {
                if (!idpEntityId.equals(issuer)) {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not the entity where " + "AuthnRequest was sent originally.");
                    return null;
                }
            } else {
                FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is: " + issuer);
                IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
                IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
                if (idpDesc == null) {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " Assertion issuer is not on the trust list");
                    return null;
                }
                setProviderDescriptor(idpDesc);
                setProviderEntityId(issuer);
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not on the trust list");
            return null;
        }
        // must be valid(timewise)
        if (!assertion.isTimeValid()) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " Assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // if present, target of the assertions must == local server IP
        Conditions conds = assertion.getConditions();
        if (!forThisServer(conds)) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "assertion is not issued for this site.");
            return null;
        }
        //for each assertion, loop to check each statement
        boolean authnStatementFound = false;
        if (assertion.getStatement() != null) {
            stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                statement = (Statement) stmtIter.next();
                stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    authnStatementFound = true;
                    try {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "validating AuthenticationStatement:" + authStatement.toXMLString());
                        }
                    } catch (FSException e) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Exception. " + "Invalid AuthenticationStatement: ", e);
                        return null;
                    }
                    //check ReauthenticateOnOrAfter
                    reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
                    //process SessionIndex
                    idpSessionIndex = authStatement.getSessionIndex();
                    authnContextStmt = authStatement.getAuthnContext();
                    subject = (FSSubject) authStatement.getSubject();
                    if (subject == null) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Subject is null");
                        return null;
                    } else {
                        try {
                            if (FSUtils.debug.messageEnabled()) {
                                FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "found Authentication Statement. " + "Subject = " + subject.toXMLString());
                            }
                        } catch (FSException e) {
                            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + " Exception. Invalid subject: ", e);
                            continue;
                        }
                    }
                    //bearer
                    if (((subConf = subject.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "missing or extra ConfirmationMethod.");
                        return null;
                    }
                    if (((confMethod = (String) confMethods.iterator().next()) == null) || !((confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)) || (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) || (confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)))) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: wrong " + "ConfirmationMethod");
                        return null;
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Confirmation method: " + confMethod);
                    }
                } else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
                    AttributeStatement attrStatement = (AttributeStatement) statement;
                    if (!checkForAttributeStatement(attrStatement)) {
                        attrStatements.add(attrStatement);
                    }
                }
            }
        }
        if (!authnStatementFound) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "No Authentication statement found in the Assertion. " + "User is not authenticated by the IDP");
            }
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Adding " + aIDString + " to idTimeMap.");
        }
        // add the assertion to idTimeMap
        if ((date = conds.getNotOnorAfter()) != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, new Long(date.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
        securityAssertions = assertion.getDiscoveryCredential();
    }
    if (subject == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " couldn't find Subject.");
        return null;
    }
    return subject;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) FSSubject(com.sun.identity.federation.message.FSSubject) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) Statement(com.sun.identity.saml.assertion.Statement) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) Conditions(com.sun.identity.saml.assertion.Conditions) IDPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) FSException(com.sun.identity.federation.common.FSException)

Example 15 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class SAMLUtils method verifyAssertionAndGetSSMap.

/**
     * Checks response and get back a Map of relevant data including,
     * Subject, SOAPEntry for the partner and the List of Assertions.
     * @param response <code>Response</code> object
     * @return Map of data including Subject, SOAPEntry, and list of assertions.
     */
public static Map verifyAssertionAndGetSSMap(Response response) {
    // loop to check assertions
    com.sun.identity.saml.assertion.Subject subject = null;
    SAMLServiceManager.SOAPEntry srcSite = null;
    List assertions = response.getAssertion();
    Iterator iter = assertions.iterator();
    Assertion assertion = null;
    String aIDString = null;
    String issuer = null;
    Iterator stmtIter = null;
    Statement statement = null;
    int stmtType = Statement.NOT_SUPPORTED;
    com.sun.identity.saml.assertion.Subject sub = null;
    SubjectConfirmation subConf = null;
    Set confMethods = null;
    String confMethod = null;
    Date date = null;
    while (iter.hasNext()) {
        assertion = (Assertion) iter.next();
        aIDString = assertion.getAssertionID();
        // make sure it's not being used
        if (idTimeMap.containsKey(aIDString)) {
            debug.error("verifyAssertion " + "AndGetSSMap: Assertion: " + aIDString + " is used.");
            return null;
        }
        // check issuer of the assertions
        issuer = assertion.getIssuer();
        if ((srcSite = SAMLUtils.getSourceSite(issuer)) == null) {
            debug.error("verifyAsserti " + "onAndGetSSMap: issuer is not on the Partner list.");
            return null;
        }
        if (!assertion.isSignatureValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's signature is not valid.");
            return null;
        }
        // must be valid (timewise)
        if (!assertion.isTimeValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // TODO: check AudienceRestrictionCondition
        //for each assertion, loop to check each statement
        stmtIter = assertion.getStatement().iterator();
        while (stmtIter.hasNext()) {
            statement = (Statement) stmtIter.next();
            stmtType = statement.getStatementType();
            if ((stmtType == Statement.AUTHENTICATION_STATEMENT) || (stmtType == Statement.ATTRIBUTE_STATEMENT) || (stmtType == Statement.AUTHORIZATION_DECISION_STATEMENT)) {
                sub = ((SubjectStatement) statement).getSubject();
                // ConfirmationMethod of each subject must be set to bearer
                if (((subConf = sub.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
                    debug.error("verify " + "AssertionAndGetSSMap: missing or extra " + "ConfirmationMethod.");
                    return null;
                }
                if (((confMethod = (String) confMethods.iterator().next()) == null) || (!confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
                    debug.error("verify " + "AssertionAndGetSSMap:wrong ConfirmationMethod.");
                    return null;
                }
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    // browser IP. This is a MAY item in the spec.
                    if (subject == null) {
                        subject = sub;
                    }
                }
            }
        }
        // add the assertion to idTimeMap
        if (debug.messageEnabled()) {
            debug.message("Adding " + aIDString + " to idTimeMap.");
        }
        Conditions conds = assertion.getConditions();
        if ((conds != null) && ((date = conds.getNotOnorAfter()) != null)) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, new Long(date.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
    }
    // must have at least one SSO assertion
    if ((subject == null) || (srcSite == null)) {
        debug.error("verifyAssertion AndGetSSMap: couldn't find Subject.");
        return null;
    }
    Map ssMap = new HashMap();
    ssMap.put(SAMLConstants.SUBJECT, subject);
    ssMap.put(SAMLConstants.SOURCE_SITE_SOAP_ENTRY, srcSite);
    ssMap.put(SAMLConstants.POST_ASSERTION, assertions);
    return ssMap;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) Statement(com.sun.identity.saml.assertion.Statement) AuthenticationStatement(com.sun.identity.saml.assertion.AuthenticationStatement) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) SubjectStatement(com.sun.identity.saml.assertion.SubjectStatement) Assertion(com.sun.identity.saml.assertion.Assertion) Subject(com.sun.identity.saml.assertion.Subject) Date(java.util.Date) Conditions(com.sun.identity.saml.assertion.Conditions) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) CharacterIterator(java.text.CharacterIterator) Iterator(java.util.Iterator) StringCharacterIterator(java.text.StringCharacterIterator) List(java.util.List) ArrayList(java.util.ArrayList) Map(java.util.Map) HashMap(java.util.HashMap)

Aggregations

SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)16 Subject (com.sun.identity.saml.assertion.Subject)9 Set (java.util.Set)9 HashSet (java.util.HashSet)8 Iterator (java.util.Iterator)8 SessionException (com.sun.identity.plugin.session.SessionException)5 AttributeStatement (com.sun.identity.saml.assertion.AttributeStatement)5 Statement (com.sun.identity.saml.assertion.Statement)5 SubjectStatement (com.sun.identity.saml.assertion.SubjectStatement)5 SAMLException (com.sun.identity.saml.common.SAMLException)5 Date (java.util.Date)5 Assertion (com.sun.identity.saml.assertion.Assertion)4 AuthenticationStatement (com.sun.identity.saml.assertion.AuthenticationStatement)4 Conditions (com.sun.identity.saml.assertion.Conditions)4 ArrayList (java.util.ArrayList)4 List (java.util.List)4 Element (org.w3c.dom.Element)4 FSException (com.sun.identity.federation.common.FSException)3 FSAssertion (com.sun.identity.federation.message.FSAssertion)3 FSAuthenticationStatement (com.sun.identity.federation.message.FSAuthenticationStatement)3