Use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock:
class SAMLUtils, method examAssertions.
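/**
 * Determines if there is a valid SSO Assertion
 * inside of SAML Response.
 *
 * Every assertion in the list must pass {@code checkCondition}, every
 * statement it carries must be a {@code SubjectStatement} whose first
 * confirmation method is the artifact method matching the assertion's
 * version, and at least one statement must be an
 * {@code AuthenticationStatement}. Any failure is logged and reported as
 * a {@code null} return.
 *
 * NOTE(review): the subject returned is the one of the last statement
 * inspected, not necessarily the subject of the
 * {@code AuthenticationStatement} that made the response an SSO
 * assertion; callers that need the SSO statement's subject should
 * confirm this is what they expect.
 *
 * @param assertions a List of <code>Assertion</code> objects; may be
 *        {@code null}
 * @return a Subject object when every check passes, otherwise
 *         {@code null}
 * @exception IOException IOException (declared for callers; the checks
 *            below do not raise it)
 */
public static com.sun.identity.saml.assertion.Subject examAssertions(List assertions) throws IOException {
    if (assertions == null) {
        return null;
    }
    boolean foundSSOStatement = false;
    com.sun.identity.saml.assertion.Subject subject = null;
    for (Object element : assertions) {
        Assertion assertion = (Assertion) element;
        if (!checkCondition(assertion)) {
            return null;
        }
        debug.message("Passed checking Conditions!");
        // exam the Statement inside the Assertion
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error(bundle.getString("noStatement"));
            return null;
        }
        for (Object statementObj : statements) {
            // A statement without a Subject cannot pass the confirmation
            // check; reject it instead of failing with a ClassCastException.
            if (!(statementObj instanceof SubjectStatement)) {
                debug.error("Statement carries no Subject");
                return null;
            }
            SubjectStatement statement = (SubjectStatement) statementObj;
            subject = statement.getSubject();
            if (subject == null) {
                debug.error("Subject is null");
                return null;
            }
            SubjectConfirmation sc = subject.getSubjectConfirmation();
            if (sc == null) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            Set cm = sc.getConfirmationMethod();
            if (cm == null || cm.isEmpty()) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            // Only the first method in the set is consulted; iteration order
            // of the set is not guaranteed when several methods are present.
            String conMethod = (String) cm.iterator().next();
            // on Assertion version number
            if (!isArtifactConfirmationForVersion(assertion, conMethod)) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("Correct Confirmation method");
            }
            if (statement instanceof AuthenticationStatement) {
                //found an SSO Assertion
                foundSSOStatement = true;
            }
        }
    }
    if (!foundSSOStatement) {
        debug.error(bundle.getString("noSSOAssertion"));
        return null;
    }
    return subject;
}

/**
 * Tells whether a confirmation method is the artifact method appropriate
 * to the assertion's version: SAML 1.1 assertions must carry
 * {@code CONFIRMATION_METHOD_ARTIFACT}, SAML 1.0 assertions the deprecated
 * artifact URI. Any other version or method is rejected.
 *
 * @param assertion the assertion whose major/minor version is checked
 * @param conMethod the confirmation method URI; may be {@code null}
 * @return {@code true} only for the matching version/method pair
 */
private static boolean isArtifactConfirmationForVersion(Assertion assertion, String conMethod) {
    if (conMethod == null) {
        return false;
    }
    if (assertion.getMajorVersion() != SAMLConstants.ASSERTION_MAJOR_VERSION) {
        return false;
    }
    if (assertion.getMinorVersion() == SAMLConstants.ASSERTION_MINOR_VERSION_ONE) {
        return conMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
    }
    if (assertion.getMinorVersion() == SAMLConstants.ASSERTION_MINOR_VERSION_ZERO) {
        return conMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
    }
    return false;
}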
Use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock:
class DefaultPartnerAccountMapper, method getUser.
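/**
 * Returns user account in OpenAM to which the
 * subject in the assertion is mapped. This method will be called in POST
 * profile, ARTIFACT profile, AttributeQuery and AuthorizationDecisionQuery.
 *
 * Only the first assertion in the list is inspected. Within it, the first
 * {@code AuthenticationStatement} whose first confirmation method is the
 * artifact method (current or deprecated URI) or the bearer method
 * supplies the subject; other statements are ignored.
 *
 * @param assertions a list of authentication assertions returned from
 * partner side, this will contains user's identity in
 * the partner side. The object in the list will be
 * <code>com.sun.identity.saml.assertion.Assertion</code>
 * @param sourceID source ID for the site from which the subject
 * originated.
 * @param targetURL value for TARGET query parameter when the user
 * accessing the SAML aware servlet or post profile
 * servlet
 * @return Map which contains NAME, ORG and ATTRIBUTE keys, value of the
 * NAME key is the user DN, value of the ORG is the user
 * organization DN, value of the ATTRIBUTE is a Map
 * containing key/value pairs which will be set as properties
 * on the OpenAM SSO token, the key is the SSO
 * property name, the value is a String value of the property.
 * Returns empty map if the mapped user could not be obtained
 * from the subject, or if {@code assertions} is {@code null} or empty.
 */
public Map getUser(List assertions, String sourceID, String targetURL) {
    if (SAMLUtils.debug.messageEnabled()) {
        SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" + "List) targetURL = " + targetURL);
    }
    Map map = new HashMap();
    // Nothing to map from: honour the "empty map" contract rather than
    // failing on get(0).
    if (assertions == null || assertions.isEmpty()) {
        SAMLUtils.debug.error("DefaultPartnerAccountMapper:getUser: no assertion supplied");
        return map;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Subject subject = findConfirmedAuthenticationSubject(assertion.getStatement());
    if (subject != null) {
        getUser(subject, sourceID, map);
        Map attrMap = new HashMap();
        SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
        if (!attrMap.isEmpty()) {
            map.put(ATTRIBUTE, attrMap);
        }
    }
    return map;
}

/**
 * Returns the subject of the first authentication statement whose first
 * confirmation method is the artifact method (current or deprecated URI)
 * or the bearer method.
 *
 * @param statements the assertion's statements; may be {@code null}
 * @return the qualifying subject, or {@code null} when no statement
 *         qualifies
 */
private static Subject findConfirmedAuthenticationSubject(Set statements) {
    if (statements == null) {
        return null;
    }
    for (Object element : statements) {
        // Statements without a Subject cannot identify a user.
        if (!(element instanceof SubjectStatement)) {
            continue;
        }
        SubjectStatement statement = (SubjectStatement) element;
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        Subject sub = statement.getSubject();
        if (sub == null) {
            continue;
        }
        SubjectConfirmation subConf = sub.getSubjectConfirmation();
        if (subConf == null) {
            continue;
        }
        Set cms = subConf.getConfirmationMethod();
        if (cms == null || cms.isEmpty()) {
            continue;
        }
        // Only the first method in the set is consulted; iteration order of
        // the set is not guaranteed when several methods are present.
        String cm = (String) cms.iterator().next();
        if (cm != null && (cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
            return sub;
        }
    }
    return null;
}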
Use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock:
class SecurityAssertion, method isBearer.
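/**
 * Determines if the <code>SecurityAssertion</code> contains SAML Bearer
 * confirmation method.
 *
 * Delegates to {@link #getBearerSubject()} so that both methods apply the
 * same statement walk: a statement qualifies only if it is a
 * {@code SubjectStatement} with a non-null subject whose subject
 * confirmation lists {@code CONFIRMATION_METHOD_BEARER}.
 *
 * @return true if the <code>SecurityAssertion</code> contains SAML Bearer
 * confirmation.
 */
public boolean isBearer() {
    // getBearerSubject() returns a non-null Subject exactly when a bearer
    // confirmation is present, so a duplicate traversal is unnecessary.
    return getBearerSubject() != null;
}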
Use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock:
class SecurityAssertion, method getBearerSubject.
/**
 * Returns the Subject of the first statement confirmed with the SAML
 * Bearer method, or {@code null} if no statement of this
 * <code>SecurityAssertion</code> carries such a confirmation.
 *
 * Statements that are not {@code SubjectStatement}s, have no subject, no
 * subject confirmation, or no confirmation methods are skipped.
 *
 * @return Subject if the <code>SecurityAssertion</code> contains SAML
 * Bearer confirmation, otherwise {@code null}.
 */
public Subject getBearerSubject() {
    if (_statements == null || _statements.isEmpty()) {
        return null;
    }
    for (Object candidate : _statements) {
        if (!(candidate instanceof SubjectStatement)) {
            continue;
        }
        Subject owner = ((SubjectStatement) candidate).getSubject();
        if (owner == null) {
            continue;
        }
        SubjectConfirmation confirmation = owner.getSubjectConfirmation();
        if (confirmation == null) {
            continue;
        }
        Set methods = confirmation.getConfirmationMethod();
        // An absent or empty method set can never contain the bearer URI.
        if (methods != null && methods.contains(SAMLConstants.CONFIRMATION_METHOD_BEARER)) {
            return owner;
        }
    }
    return null;
}
Use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock:
class SAML11RequestedSecurityToken, method verifyToken.
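/**
 * Verifies the token's validity, checking the signature, validity period
 * etc.
 *
 * The checks run in this order: the issuer must map to a provider trusted
 * by the local entity, the assertion signature must validate unless the
 * SP configuration turns {@code WANT_ASSERTION_SIGNED} off, an
 * authentication statement with a subject must be present, and the
 * assertion must be within its validity window (allowing {@code timeskew}).
 *
 * NOTE(review): the audience restriction is still not checked (see the
 * TODO below), so a token from a trusted issuer that was issued to a
 * different relying party passes these checks; confirm whether audience
 * is enforced elsewhere before relying on this method alone.
 *
 * @param realm the realm of the local entity
 * @param hostEntityId the local entity ID
 * @param timeskew permitted skew between service provider and identity
 * provider clocks, in seconds
 * @return a Map of relevant data including Subject and the List of
 * Assertions; MAX_SESSION_TIME is present only when the assertion's
 * NotOnOrAfter lies at least one whole minute in the future.
 * @throws com.sun.identity.wsfederation.common.WSFederationException in
 * case of any error - invalid token signature, token expired etc.
 */
public Map<String, Object> verifyToken(String realm, String hostEntityId, int timeskew) throws WSFederationException {
    String classMethod = "SAML11RequestedSecurityToken.verifyToken";
    // check that assertion issuer is trusted by the local entity
    String issuer = assertion.getIssuer();
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String remoteEntityId = metaManager.getEntityByTokenIssuerName(realm, issuer);
    // NOTE(review): an unknown issuer presumably yields a null
    // remoteEntityId; this relies on isTrustedProvider rejecting it — confirm.
    if (!metaManager.isTrustedProvider(realm, hostEntityId, remoteEntityId)) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId(), realm, hostEntityId };
        LogUtil.error(Level.INFO, LogUtil.UNTRUSTED_ISSUER, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("untrustedIssuer"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, hostEntityId);
    if (spConfig == null) {
        debug.error(classMethod + "cannot find configuration for SP " + hostEntityId);
        throw new WSFederationException("unableToFindSPConfiguration");
    }
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions
    boolean wantAssertionSigned = (strWantAssertionSigned != null) ? Boolean.parseBoolean(strWantAssertionSigned) : true;
    if (wantAssertionSigned && (!WSFederationUtils.isSignatureValid(assertion, realm, remoteEntityId))) {
        // isSignatureValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("invalidSignature"));
    }
    // TODO: check AudienceRestrictionCondition
    Subject assertionSubject = findAuthenticationSubject();
    if (assertionSubject == null) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId() };
        LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("missingSubject"));
    }
    // must be valid (timewise)
    if (!WSFederationUtils.isTimeValid(assertion, timeskew)) {
        // isTimeValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("timeInvalid"));
    }
    List assertions = new ArrayList();
    assertions.add(assertion);
    Map<String, Object> attrMap = new HashMap<String, Object>();
    attrMap.put(SAML2Constants.SUBJECT, assertionSubject);
    attrMap.put(SAML2Constants.POST_ASSERTION, assertion);
    attrMap.put(SAML2Constants.ASSERTIONS, assertions);
    // TODO: derive the auth level from the assertion; a fixed 0 is recorded
    // for now, so the guard below is always taken.
    int authLevel = 0;
    if (authLevel >= 0) {
        attrMap.put(SAML2Constants.AUTH_LEVEL, Integer.valueOf(authLevel));
    }
    // Conditions may be absent; isTimeValid has already decided whether
    // that is acceptable, so here it only means no session cap is derived.
    if (assertion.getConditions() != null) {
        Date sessionNotOnOrAfter = assertion.getConditions().getNotOnorAfter();
        if (sessionNotOnOrAfter != null) {
            // Whole minutes remaining; a window shorter than one minute
            // truncates to 0 and sets no MAX_SESSION_TIME.
            long maxSessionTime = (sessionNotOnOrAfter.getTime() - System.currentTimeMillis()) / 60000;
            if (maxSessionTime > 0) {
                attrMap.put(SAML2Constants.MAX_SESSION_TIME, Long.valueOf(maxSessionTime));
            }
        }
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + " Attribute Map : " + attrMap);
    }
    return attrMap;
}

/**
 * Returns the subject of the first authentication statement of this
 * token's assertion.
 *
 * Statements that are not {@code SubjectStatement}s are skipped instead
 * of being cast blindly.
 *
 * @return the subject, or {@code null} when the assertion has no
 *         statements or no authentication statement with a subject
 */
private Subject findAuthenticationSubject() {
    java.util.Collection statements = assertion.getStatement();
    if (statements == null) {
        return null;
    }
    for (Object element : statements) {
        if (!(element instanceof SubjectStatement)) {
            continue;
        }
        SubjectStatement statement = (SubjectStatement) element;
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            return statement.getSubject();
        }
    }
    return null;
}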