Search in sources :

Example 1 with SubjectLocality

use of com.sun.identity.saml.assertion.SubjectLocality in project OpenAM by OpenRock.

the class CDCServlet method createAssertion.

private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
    debug.message("Entering CDCServlet.createAssertion Method");
    if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
        debug.message("CDCServlet,createAssertion: null input");
        throw new FSException(FSUtils.bundle.getString("nullInput"));
    }
    String securityDomain = sourceID;
    NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
    NameIdentifier spHandle = idpHandle;
    String authMethod = authType;
    Date authInstant = convertAuthInstanceToDate(strAuthInst);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
    }
    SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
    IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
    AuthnContext authnContextStmt = new AuthnContext(null, null);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContextStmt);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    Integer assertionTimeout = new Integer(IFSConstants.ASSERTION_TIMEOUT_DEFAULT);
    long period = (assertionTimeout.intValue()) * 1000;
    if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
        period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
    }
    Date notAfter = new Date(issueInstant.getTime() + period);
    statement.setReauthenticateOnOrAfter(notAfter);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(issueInstant, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList(1);
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet(2);
    statements.add(statement);
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
    assertion.setID(aID.getAssertionIDReference());
    String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
    LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) FSSubject(com.sun.identity.federation.message.FSSubject) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) ArrayList(java.util.ArrayList) Date(java.util.Date) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) HashSet(java.util.HashSet)

Example 2 with SubjectLocality

use of com.sun.identity.saml.assertion.SubjectLocality in project OpenAM by OpenRock.

the class FSAssertionManager method createFSAssertion.

/**
     * Creates an assertion artifact.
     * @param id session ID
     * @param artifact assertion artifact
     * @param realm the realm under which the entity resides.
     * @param spEntityID service provider's entity ID
     * @param spHandle service provider issued <code>NameIdentifier</code>
     * @param idpHandle identity provider issued <code>NameIdentifier</code>
     * @param inResponseTo value to InResponseTo attribute. It's the request ID.
     * @param assertionMinorVersion minor version the assertion should use
     * @exception FSException,SAMLException if error occurrs
     */
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
    FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
    // check input
    if ((id == null) || (spEntityID == null)) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
        }
        throw new FSException("nullInput", null);
    }
    String destID = spEntityID;
    String authMethod = null;
    String authnContextStatementRef = null;
    String authnContextClassRef = null;
    Date authInstant = null;
    String securityDomain = null;
    Object token = null;
    String univId = null;
    SubjectLocality authLocality = null;
    FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
    IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
    Map attributes = new HashMap();
    if (metaManager != null) {
        BaseConfigType idpConfig = null;
        try {
            idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
        } catch (IDFFMetaException e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
            }
            idpConfig = null;
        }
        if (idpConfig != null) {
            attributes = IDFFMetaUtils.getAttributes(idpConfig);
        }
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        token = sessionProvider.getSession(id);
        String[] strAuthInst = null;
        try {
            strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
            try {
                authInstant = DateUtils.stringToDate(strAuthInst[0]);
            } catch (ParseException ex) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
                }
            }
        } else {
            authInstant = new java.util.Date();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
        }
        try {
            String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
            if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
                authMethod = strAuthMethod[0];
            }
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
        if (assertionIssuer == null) {
            assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
        }
        try {
            String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
            authLocality = new SubjectLocality(ipAddress, assertionIssuer);
        } catch (UnknownHostException uhe) {
            FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
        }
        try {
            FSSession session = sessionManager.getSession(token);
            authnContextClassRef = session.getAuthnContext();
            authnContextStatementRef = authnContextClassRef;
        } catch (Exception ex) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
            }
            authnContextStatementRef = null;
        }
        if (authnContextStatementRef != null) {
            if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                authMethod = IFSConstants.AC_XML_NS;
            } else {
                authMethod = IFSConstants.AC_12_XML_NS;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
        }
        univId = sessionProvider.getPrincipalName(token);
        securityDomain = hostEntityId;
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
        throw new FSException("alliance_manager_no_local_descriptor", null, e);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
    }
    SubjectConfirmation subConfirmation = null;
    String artString = null;
    if (artifact != null) {
        artString = artifact.getAssertionArtifact();
        if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
        }
        subConfirmation.setSubjectConfirmationData(artString);
    } else {
        // set to bearer for POST profile
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
    }
    IDPProvidedNameIdentifier idpNi = null;
    if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
        idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
    } else {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    }
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
    authnContext.setMinorVersion(assertionMinorVersion);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
    FSSession session = sessionManager.getSession(univId, id);
    if (session == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
        }
        return null;
    }
    String sessionIndex = session.getSessionIndex();
    if (sessionIndex == null) {
        sessionIndex = SAMLUtils.generateID();
        session.setSessionIndex(sessionIndex);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
    }
    statement.setSessionIndex(sessionIndex);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    FSUtils.debug.message("here before date");
    Date notAfter;
    if (artifact != null) {
        notAfter = new Date(issueInstant.getTime() + artifactTimeout);
    } else {
        notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    }
    FSUtils.debug.message("here after date");
    statement.setReauthenticateOnOrAfter(notAfter);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(null, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList();
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    /**
         * This is added to create an attribute statement for the bootstrap
         * information.
         */
    AttributeStatement attribStatement = null;
    Advice advice = null;
    String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
    if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
        AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
        authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        try {
            FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
            attribStatement = bootStrap.getBootStrapStatement();
            if (bootStrap.hasCredentials()) {
                advice = bootStrap.getCredentials();
            }
        } catch (Exception e) {
            FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
        }
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet();
    statements.add(statement);
    if (attribStatement != null) {
        statements.add(attribStatement);
    }
    String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
    if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
        try {
            Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
            List attribStatements = null;
            if (pluginClass instanceof FSRealmAttributePlugin) {
                FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
            } else if (pluginClass instanceof FSAttributePlugin) {
                FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
            }
            if ((attribStatements != null) && (attribStatements.size() != 0)) {
                Iterator iter = attribStatements.iterator();
                while (iter.hasNext()) {
                    statements.add((AttributeStatement) iter.next());
                }
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
        }
    }
    if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
        AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
        statements.add(autoFedStatement);
    }
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
    assertion.setMinorVersion(assertionMinorVersion);
    assertion.setID(aID.getAssertionIDReference());
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
    }
    String aIDString = assertion.getAssertionID();
    Entry entry = new Entry(assertion, destID, artString, token);
    Integer maxNumber = null;
    try {
        int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
        maxNumber = new Integer(temp);
    } catch (Exception ex) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
        }
        maxNumber = null;
    }
    if (maxNumber == null) {
        maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
    }
    int maxValue = maxNumber.intValue();
    if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
        FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
        throw new FSException("errorCreateAssertion", null);
    }
    Object oldEntry = null;
    try {
        synchronized (idEntryMap) {
            oldEntry = idEntryMap.put(aIDString, entry);
        }
        if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
            idffSvc.setAssertions((long) idEntryMap.size());
        }
    } catch (Exception e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
        }
        throw new FSException("errorCreateAssertion", null);
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { assertion.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
    } else {
        String[] data = { assertion.getAssertionID() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
    }
    if (artString != null) {
        try {
            synchronized (artIdMap) {
                oldEntry = artIdMap.put(artString, aIDString);
            }
            if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
                idffSvc.setArtifacts((long) artIdMap.size());
            }
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
            }
            throw new FSException("errorCreateArtifact", null);
        }
        if (oldEntry != null) {
            artifactTimeoutRunnable.removeElement(aIDString);
        }
        artifactTimeoutRunnable.addElement(aIDString);
    } else {
        if (oldEntry != null) {
            assertionTimeoutRunnable.removeElement(aIDString);
        }
        assertionTimeoutRunnable.addElement(aIDString);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) FSSubject(com.sun.identity.federation.message.FSSubject) Date(java.util.Date) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) SessionProvider(com.sun.identity.plugin.session.SessionProvider) HashSet(java.util.HashSet) UnknownHostException(java.net.UnknownHostException) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ParseException(java.text.ParseException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) UnknownHostException(java.net.UnknownHostException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) ParseException(java.text.ParseException) Advice(com.sun.identity.saml.assertion.Advice) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) Map(java.util.Map) HashMap(java.util.HashMap)

Aggregations

FSException (com.sun.identity.federation.common.FSException)2 FSAssertion (com.sun.identity.federation.message.FSAssertion)2 FSAuthenticationStatement (com.sun.identity.federation.message.FSAuthenticationStatement)2 FSSubject (com.sun.identity.federation.message.FSSubject)2 AuthnContext (com.sun.identity.federation.message.common.AuthnContext)2 IDPProvidedNameIdentifier (com.sun.identity.federation.message.common.IDPProvidedNameIdentifier)2 AssertionIDReference (com.sun.identity.saml.assertion.AssertionIDReference)2 AudienceRestrictionCondition (com.sun.identity.saml.assertion.AudienceRestrictionCondition)2 Conditions (com.sun.identity.saml.assertion.Conditions)2 SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)2 SubjectLocality (com.sun.identity.saml.assertion.SubjectLocality)2 ArrayList (java.util.ArrayList)2 Date (java.util.Date)2 HashSet (java.util.HashSet)2 List (java.util.List)2 Set (java.util.Set)2 BaseConfigType (com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)1 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)1 IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)1 SessionException (com.sun.identity.plugin.session.SessionException)1