Example 6 with SubjectStatement

use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock.

From the class SAML11RequestedSecurityToken, method verifyToken.

```java
// Imports reconstructed from the classes this method references (the original
// listing gave them only as an "Also used" summary); the remaining helper
// classes (WSFederationUtils, WSFederationConstants, WSFederationMetaUtils,
// LogUtil, SAML2Constants) live in OpenAM's wsfederation and saml2 packages.
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;

import com.sun.identity.saml.assertion.AttributeStatement;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.Statement;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.assertion.SubjectStatement;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.wsfederation.common.WSFederationConstants;
import com.sun.identity.wsfederation.common.WSFederationException;
import com.sun.identity.wsfederation.common.WSFederationUtils;
import com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement;
import com.sun.identity.wsfederation.logging.LogUtil;
import com.sun.identity.wsfederation.meta.WSFederationMetaManager;
import com.sun.identity.wsfederation.meta.WSFederationMetaUtils;

/**
 * Verifies the token's validity, checking the signature, validity period
 * etc.
 * @param realm the realm of the local entity
 * @param hostEntityId the local entity ID
 * @param timeskew permitted skew between service provider and identity
 * provider clocks, in seconds
 * @return a Map of relevant data including Subject and the List of
 * Assertions.
 * @throws com.sun.identity.wsfederation.common.WSFederationException in
 * case of any error - invalid token signature, token expired etc.
 */
public Map<String, Object> verifyToken(String realm, String hostEntityId, int timeskew) throws WSFederationException {
    String classMethod = "SAML11RequestedSecurityToken.verifyToken";
    // Check 1: the assertion issuer must be a provider trusted by the local entity.
    // This is resolved from the issuer name in the (not yet verified) assertion,
    // so the signature check below is what actually binds the token to that issuer.
    String issuer = assertion.getIssuer();
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String remoteEntityId = metaManager.getEntityByTokenIssuerName(realm, issuer);
    if (!metaManager.isTrustedProvider(realm, hostEntityId, remoteEntityId)) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId(), realm, hostEntityId };
        LogUtil.error(Level.INFO, LogUtil.UNTRUSTED_ISSUER, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("untrustedIssuer"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, hostEntityId);
    if (spConfig == null) {
        debug.error(classMethod + ": cannot find configuration for SP " + hostEntityId);
        throw new WSFederationException("unableToFindSPConfiguration");
    }
    // Check 2: XML signature. Signed assertions are required unless the SP
    // configuration explicitly sets wantAssertionSigned=false; with that
    // setting the token's origin is not cryptographically verified at all.
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions
    boolean wantAssertionSigned = (strWantAssertionSigned != null) ? Boolean.parseBoolean(strWantAssertionSigned) : true;
    if (wantAssertionSigned && (!WSFederationUtils.isSignatureValid(assertion, realm, remoteEntityId))) {
        // isSignatureValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("invalidSignature"));
    }
    // TODO: check AudienceRestrictionCondition
    // (not implemented here: the assertion is not checked against this SP as its intended audience)
    // Check 3: a Subject is taken from the first AuthenticationStatement.
    Subject assertionSubject = null;
    Iterator stmtIter = assertion.getStatement().iterator();
    while (stmtIter.hasNext()) {
        Statement statement = (Statement) stmtIter.next();
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            assertionSubject = ((SubjectStatement) statement).getSubject();
            break;
        }
    }
    if (assertionSubject == null) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId() };
        LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("missingSubject"));
    }
    // Check 4: NotBefore / NotOnOrAfter conditions, allowing the configured clock skew.
    if (!WSFederationUtils.isTimeValid(assertion, timeskew)) {
        // isTimeValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("timeInvalid"));
    }
    List assertions = new ArrayList();
    assertions.add(assertion);
    Map<String, Object> attrMap = new HashMap<String, Object>();
    attrMap.put(SAML2Constants.SUBJECT, assertionSubject);
    attrMap.put(SAML2Constants.POST_ASSERTION, assertion);
    attrMap.put(SAML2Constants.ASSERTIONS, assertions);
    // TODO: authentication level is not derived from the assertion yet; always 0
    int authLevel = 0;
    if (authLevel >= 0) {
        attrMap.put(SAML2Constants.AUTH_LEVEL, new Integer(authLevel));
    }
    // Cap the local session lifetime at the assertion's NotOnOrAfter, in minutes.
    Date sessionNotOnOrAfter = assertion.getConditions().getNotOnorAfter();
    if (sessionNotOnOrAfter != null) {
        long maxSessionTime = (sessionNotOnOrAfter.getTime() - System.currentTimeMillis()) / 60000;
        if (maxSessionTime > 0) {
            attrMap.put(SAML2Constants.MAX_SESSION_TIME, new Long(maxSessionTime));
        }
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + " Attribute Map : " + attrMap);
    }
    return attrMap;
}
```

Example 7 with SubjectStatement

use of com.sun.identity.saml.assertion.SubjectStatement in project OpenAM by OpenRock.

From the class DefaultLibrarySPAccountMapper, method getIdentity.

```java
// Imports reconstructed from the classes this method references (the original
// listing gave them only as an "Also used" summary).
import java.util.Iterator;

import com.sun.identity.plugin.datastore.DataStoreProviderException;
import com.sun.identity.saml.assertion.Assertion;
import com.sun.identity.saml.assertion.AttributeStatement;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.assertion.Statement;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.assertion.SubjectStatement;
import com.sun.identity.wsfederation.common.WSFederationException;
import com.sun.identity.wsfederation.common.WSFederationUtils;
import com.sun.identity.wsfederation.profile.RequestSecurityTokenResponse;
import com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken;

/**
 * Returns the user's distinguished name or the universal ID for the
 * corresponding <code>SAML</code> <code>Assertion</code>. This method
 * will be invoked by the <code>WS-Federation</code> framework while
 * processing the <code>Assertion</code> and retrieves the identity
 * information. The implementation of this method checks for
 * the user for the corresponding name identifier in the assertion.
 *
 * @param rstr Request Security Token Response.
 * @param hostEntityID <code>EntityID</code> of the hosted provider.
 * @param realm realm or the organization name that may be used to find
 *        the user information.
 * @return user's distinguished name or the universal ID.
 * @exception WSFederationException if any failure.
 */
public String getIdentity(RequestSecurityTokenResponse rstr, String hostEntityID, String realm) throws WSFederationException {
    if (rstr == null) {
        throw new WSFederationException(bundle.getString("nullRstr"));
    }
    if (hostEntityID == null) {
        throw new WSFederationException(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new WSFederationException(bundle.getString("nullRealm"));
    }
    // Note: this mapper does no signature, issuer or time validation of its own;
    // it relies on the token having already passed verifyToken.
    SAML11RequestedSecurityToken rst = (SAML11RequestedSecurityToken) rstr.getRequestedSecurityToken();
    Subject subject = null;
    Assertion assertion = rst.getAssertion();
    // The Subject is taken from the first AuthenticationStatement, as in verifyToken.
    Iterator iter = assertion.getStatement().iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            subject = ((SubjectStatement) statement).getSubject();
            break;
        }
    }
    // An assertion without an AuthenticationStatement would otherwise
    // dereference a null subject below; fail explicitly instead.
    if (subject == null) {
        throw new WSFederationException(bundle.getString("missingSubject"));
    }
    NameIdentifier nameID = subject.getNameIdentifier();
    String userID = null;
    String format = nameID.getFormat();
    String remoteEntityID = WSFederationUtils.getMetaManager().getEntityByTokenIssuerName(realm, assertion.getIssuer());
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getIdentity(Assertion):" + " realm = " + realm + " hostEntityID = " + hostEntityID);
    }
    // Look up the local account by name identifier, scoped to the realm and
    // the issuing remote entity so the same NameID from another IdP does not match.
    try {
        userID = dsProvider.getUserID(realm, getSearchParameters(nameID, realm, hostEntityID, remoteEntityID));
    } catch (DataStoreProviderException dse) {
        debug.error("DefaultLibrarySPAccountMapper.getIdentity(Assertion): " + "DataStoreProviderException", dse);
        throw new WSFederationException(dse);
    }
    return userID;
}
```
