Use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock:
class DefaultLibrarySPAccountMapper, method getAttribute.
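/**
 * Returns the values of the named attribute from the given
 * <code>AttributeStatement</code> as a <code>Set</code>.
 *
 * The statement's attributes are scanned in order and the first one whose
 * name matches <code>attributeName</code> (case-insensitively) is used.
 * If that attribute carries no values the lookup stops and
 * <code>null</code> is returned; later attributes with the same name are
 * not consulted.
 *
 * @param statement the attribute statement to search; <code>null</code> yields <code>null</code>.
 * @param attributeName the attribute name to look up, compared case-insensitively.
 * @param realm realm name; not used by this lookup.
 * @param hostEntityID hosted entity ID; not used by this lookup.
 * @return a <code>Set</code> of the attribute's values, or <code>null</code>
 *         if no attribute with that name is found or it has no values.
 */
private Set getAttribute(AttributeStatement statement, String attributeName, String realm, String hostEntityID) {
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getAttribute: attribute" + "Name =" + attributeName);
    }
    if (statement == null || attributeName == null) {
        return null;
    }
    List list = statement.getAttribute();
    if (list == null) {
        return null;
    }
    for (Iterator iter = list.iterator(); iter.hasNext(); ) {
        Attribute attribute = (Attribute) iter.next();
        if (!attributeName.equalsIgnoreCase(attribute.getAttributeName())) {
            continue;
        }
        List values = null;
        try {
            values = attribute.getAttributeValue();
        } catch (SAMLException se) {
            // getAttributeValue declares SAMLException but is not expected to
            // throw it; record it at debug level instead of dropping it silently
            // so an unexpected failure is still visible in the logs.
            if (debug.messageEnabled()) {
                debug.message("DefaultLibrarySPAccountMapper.getAttribute: " + "unable to read values of " + attributeName, se);
            }
        }
        // First name match decides: an empty value list ends the lookup.
        if (values == null || values.isEmpty()) {
            return null;
        }
        return new HashSet(values);
    }
    return null;
}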
Use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock:
class DefaultSPAttributeMapper, method getAttributes.
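/**
 * Returns attribute map for the given list of <code>Attribute</code>
 * objects.
 *
 * Each incoming attribute name is translated to a local attribute name
 * through the configured attribute map of the hosted provider
 * (<code>getConfigAttributeMap</code>); a name with no (or an empty)
 * mapping is kept unchanged. When several incoming attributes map to the
 * same local name their values are merged into one set.
 *
 * @param attributes list <code>Attribute</code>objects.
 * @param userID universal identifier or distinguished name(DN) of the user;
 *        not used by this default mapping.
 * @param hostEntityID <code>EntityID</code> of the hosted provider.
 * @param remoteEntityID <code>EntityID</code> of the remote provider;
 *        not used by this default mapping.
 * @param realm realm name.
 * @return a map of mapped attribute value pair. This map has the
 * key as the attribute name and the value as the attribute value
 * @exception WSFederationException if any failure: missing attributes,
 *        host entity ID or realm, or a failure reading attribute values.
 */
public Map getAttributes(List attributes, String userID, String hostEntityID, String remoteEntityID, String realm) throws WSFederationException {
    if (attributes == null || attributes.isEmpty()) {
        throw new WSFederationException(bundle.getString("nullAttributes"));
    }
    if (hostEntityID == null) {
        throw new WSFederationException(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new WSFederationException(bundle.getString("nullRealm"));
    }
    Map<String, Set<String>> map = new HashMap<String, Set<String>>();
    Map configMap = getConfigAttributeMap(realm, hostEntityID);
    for (Iterator iter = attributes.iterator(); iter.hasNext(); ) {
        Attribute attribute = (Attribute) iter.next();
        Set<String> values = new HashSet<String>();
        try {
            List attrValues = attribute.getAttributeValue();
            // An attribute without values still gets an (empty) entry below.
            if (attrValues != null) {
                for (Iterator iter2 = attrValues.iterator(); iter2.hasNext(); ) {
                    Element attrValue = (Element) iter2.next();
                    values.add(XMLUtils.getElementValue(attrValue));
                }
            }
        } catch (SAMLException se) {
            throw new WSFederationException(se);
        }
        String attributeName = attribute.getAttributeName();
        // Guard against a missing configuration map: fall back to the raw name.
        String localAttribute = (configMap == null) ? null : (String) configMap.get(attributeName);
        if (localAttribute == null || localAttribute.length() == 0) {
            localAttribute = attributeName;
        }
        Set<String> existingValues = map.get(localAttribute);
        if (existingValues != null) {
            // Same local name reached twice: merge rather than overwrite.
            existingValues.addAll(values);
        } else {
            map.put(localAttribute, values);
        }
    }
    return map;
}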
Use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock:
class DefaultActionMapper, method getAuthorizationDecisions.
/**
 * Evaluates the actions of an authorization decision query against the
 * policy engine and reports them as permitted, denied or indeterminate.
 *
 * The AttributeStatements carried in the query's Evidence are first
 * converted to OpenAM Policy API environment parameters by
 * <code>convertEvidence</code>; the attributes are expected to be OpenAM
 * attributes. The policy decision is then queried one action at a time.
 * Only actions in the urn:oasis:names:tc:SAML:1.0:ghpp namespace are
 * evaluated; that namespace is mapped to the OpenAM
 * iPlanetAMWebAgentService. Actions in any other namespace, and actions
 * whose evaluation throws, end up in neither list.
 *
 * @param query the authorization decision query.
 * @param token the session token; cast to <code>SSOToken</code> for evaluation.
 * @param sourceID source ID passed through to <code>convertEvidence</code>.
 * @return a map with exactly one key: <code>ActionMapper.PERMIT</code> with the
 *         permitted actions when at least one action was permitted; otherwise
 *         <code>ActionMapper.DENY</code> with the denied actions when at least one
 *         was denied; otherwise <code>ActionMapper.INDETERMINATE</code> with the
 *         query's complete action list. Note that denied actions are not
 *         reported at all once any action is permitted.
 * @throws SAMLException if <code>query</code> or <code>token</code> is null.
 */
public Map getAuthorizationDecisions(AuthorizationDecisionQuery query, Object token, String sourceID) throws SAMLException {
    if (query == null || token == null) {
        SAMLUtils.debug.message("DefaultActionMapper: null input.");
        throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
    }
    Evidence evidence = query.getEvidence();
    Subject querySubject = query.getSubject();
    Map envParameters = convertEvidence(evidence, querySubject, sourceID);
    List permitted = new ArrayList();
    List denied = new ArrayList();
    List actions = query.getAction();
    String resource = query.getResource();
    PolicyEvaluator evaluator = null;
    for (Iterator it = actions.iterator(); it.hasNext(); ) {
        Action current = (Action) it.next();
        String ns = current.getNameSpace();
        // Only the GHPP namespace is handled; any other action is left out of both lists.
        if (ns == null || !ns.equals(SAMLConstants.ACTION_NAMESPACE_GHPP)) {
            continue;
        }
        try {
            if (evaluator == null) {
                // Created lazily so a query without GHPP actions never builds one.
                evaluator = new PolicyEvaluator("iPlanetAMWebAgentService");
            }
            boolean allowed = evaluator.isAllowed((SSOToken) token, resource, current.getAction(), envParameters);
            List bucket = allowed ? permitted : denied;
            bucket.add(current);
        } catch (Exception e) {
            // A policy failure leaves the action indeterminate (in neither list).
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("DefaultActionMapper: " + "Exception from policy:" + e);
            }
        }
    }
    Map resultMap = new HashMap();
    if (!permitted.isEmpty()) {
        resultMap.put(ActionMapper.PERMIT, permitted);
    } else if (!denied.isEmpty()) {
        resultMap.put(ActionMapper.DENY, denied);
    } else {
        resultMap.put(ActionMapper.INDETERMINATE, actions);
    }
    return resultMap;
}
Use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock:
class FSSSOBrowserArtifactProfileHandler, method createSAMLResponse.
/**
 * Builds the SAML <code>Response</code> for an artifact-resolution
 * <code>Request</code> received over the browser artifact profile.
 *
 * Processing order as implemented below: reject unsupported request
 * content; obtain the <code>FSAssertionManager</code>; require that all
 * artifacts share one source ID; map the (last) artifact to the requesting
 * SP and refuse untrusted providers; verify the request signature when
 * signing is on; resolve each artifact to an assertion; drop assertions
 * whose audience restriction does not name the requester; build the
 * final response. Every early exit returns a response carrying a
 * <code>samlp</code> status, or <code>null</code> when even the error
 * response cannot be built.
 *
 * @param samlRequest the parsed SAML request.
 * @return the response to send back, or <code>null</code> on a fatal
 *         error while building it.
 * @throws FSException as declared on the signature.
 */
private FSResponse createSAMLResponse(FSSAMLRequest samlRequest) throws FSException {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
FSResponse retResponse = null;
String respID = FSUtils.generateID();
String inResponseTo = samlRequest.getRequestID();
List contents = new ArrayList();
String message = null;
int length;
Status status;
// Starts as the caller's IP address; once the artifact has been mapped to an
// SP further down it is overwritten with that SP's providerID and then used
// as the audience to match against the assertions.
String remoteAddr = ClientUtils.getClientIPAddress(request);
String respPrefix = FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
int reqType = samlRequest.getContentType();
// 1. Unsupported request content: answer with a Responder status.
if (reqType == Request.NOT_SUPPORTED) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Found element in the request which are not supported");
}
message = FSUtils.bundle.getString("unsupportedElement");
try {
status = new Status(new StatusCode("samlp:Responder"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException se) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Fatal error, cannot create status or response: ", se);
}
// NOTE(review): if the Status/FSResponse constructor above threw, retResponse
// is still null here and toString()/getResponseID() would NPE. The same
// pattern repeats in the other access-log blocks of this method.
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
}
// 2. Assertion manager for this hosted provider (metaAlias is a field).
FSAssertionManager am = null;
try {
am = FSAssertionManager.getInstance(metaAlias);
} catch (FSException se) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Cannot instantiate " + "FSAssertionManager");
}
message = se.getMessage();
try {
status = new Status(new StatusCode("samlp:Responder"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException sse) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Fatal error, cannot create status or response: ", sse);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
}
List artifacts = null;
List assertions = new ArrayList();
// 3. Artifact handling. The else branch at the end of this if always returns,
// so everything after it only runs for ASSERTION_ARTIFACT requests.
if (reqType == Request.ASSERTION_ARTIFACT) {
artifacts = samlRequest.getAssertionArtifact();
length = artifacts.size();
// ensure that all the artifacts have the same sourceID
String sourceID = null;
String providerID = null;
AssertionArtifact art = null;
for (int j = 0; j < length; j++) {
art = (AssertionArtifact) artifacts.get(j);
if (sourceID != null) {
if (!sourceID.equals(art.getSourceID())) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Artifacts not from " + "the same source");
}
message = FSUtils.bundle.getString("mismatchSourceID");
try {
/**
* Need a second level status for the federation
* does not exist.
*/
status = new Status(new StatusCode("samlp:Requester", new StatusCode(IFSConstants.FEDERATION_NOT_EXISTS_STATUS, null)), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException ex) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response: ", ex);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
} else {
//sourceids are equal
continue;
}
} else {
// sourceID == null
sourceID = art.getSourceID();
}
}
// while loop to go through artifacts to check for sourceID
// art is the last artifact of the list; the SP is looked up from it alone,
// which the loop above justifies only if a shared sourceID implies a shared
// SP — presumably so, TODO confirm against getDestIdForArtifact.
if (art != null) {
try {
providerID = am.getDestIdForArtifact(art);
} catch (FSException ex) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: FSException Occured while " + "retrieving sp's providerID for the artifact: ", ex);
providerID = null;
}
if (providerID == null) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "artifact received does not correspond to any SP");
message = FSUtils.bundle.getString("invalidSource");
try {
/**
* Need a second level status for the federation
* does not exist.
*/
/**
* First, let's check we haven't recorded a status
* beforehand (by another call) related to this
* artifact. If so, use it.
*/
Status sorig = am.getErrorStatus(art);
if (sorig != null) {
status = sorig;
} else {
status = new Status(new StatusCode("samlp:Requester", new StatusCode(IFSConstants.FEDERATION_NOT_EXISTS_STATUS, null)), message, null);
}
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
return retResponse;
} catch (SAMLException sse) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
return null;
}
//return error response
} else {
try {
// Refuse to serve an SP that is not a trusted provider of this hosted entity.
if (!metaManager.isTrustedProvider(realm, hostedEntityId, providerID)) {
FSUtils.debug.error("FSSSOAndFedHandler.processAuthnRequest: " + "RemoteProvider is not trusted");
message = FSUtils.bundle.getString("AuthnRequestProcessingFailed");
status = new Status(new StatusCode("samlp:Requester"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
return retResponse;
}
// Side effects on the handler's fields; from here on remoteAddr is the
// SP's providerID, no longer the client IP.
spDescriptor = metaManager.getSPDescriptor(realm, providerID);
spEntityId = providerID;
remoteAddr = providerID;
} catch (Exception ae) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "FSAllianceManagementException " + "Occured while getting", ae);
message = ae.getMessage();
try {
status = new Status(new StatusCode("samlp:Requester"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
return retResponse;
} catch (SAMLException sse) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
return null;
}
}
}
//Verify signature
// Signature verification only happens when signing is enabled for this
// deployment; with signing off the request is accepted unverified.
if (FSServiceUtils.isSigningOn()) {
if (!verifySAMLRequestSignature(samlRequestElement, soapMsg)) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "SAMLRequest signature verification failed");
message = FSUtils.bundle.getString("signatureVerificationFailed");
try {
status = new Status(new StatusCode("samlp:Requester"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
return retResponse;
} catch (SAMLException sse) {
// NOTE(review): unlike the other fatal-error catches in this method this
// one does not return, so if the error response cannot be built the code
// falls through and still resolves the artifacts below even though the
// signature check failed.
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: " + sse.getMessage());
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtProfileHandler.createSAMLResp:" + " SAMLRequest signature verified");
}
}
}
//end signature verification
} else {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: No artifact found in samlRequest");
message = FSUtils.bundle.getString("missingArtifact");
try {
status = new Status(new StatusCode("samlp:Requester"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
return retResponse;
} catch (SAMLException sse) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
return null;
}
}
// 4. Resolve every artifact to its assertion; the first lookup failure
// ends processing with a samlp:Success status carrying the error message.
for (int i = 0; i < length; i++) {
AssertionArtifact artifact = (AssertionArtifact) artifacts.get(i);
Assertion assertion = null;
try {
assertion = am.getAssertion(artifact, spEntityId);
} catch (FSException e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.createSAML" + "Response:could not find matching assertion:", e);
}
message = e.getMessage();
try {
status = new Status(new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException sse) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
}
// NOTE(review): add(i, ..) assumes one assertion per artifact so far; should
// getAssertion ever return null, a later i would exceed assertions.size()
// and add() would throw IndexOutOfBoundsException.
if (assertion != null) {
assertions.add(i, assertion);
}
}
}
int assertionSize = assertions.size();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: found " + assertionSize + "assertions.");
}
// 5. Audience check: drop assertions not meant for the requester (remoteAddr).
// inside the assertion has the calling host's address in it.
for (int i = 0; i < assertionSize; i++) {
Assertion assn = (Assertion) assertions.get(i);
Conditions conds = assn.getConditions();
Set trcs = conds.getAudienceRestrictionCondition();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: checking to see if assertions" + " are for host:" + remoteAddr);
}
if (trcs != null && !trcs.isEmpty()) {
Iterator trcsIterator = trcs.iterator();
while (trcsIterator.hasNext()) {
if (!((AudienceRestrictionCondition) trcsIterator.next()).containsAudience(remoteAddr)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: removing TRC not" + "meant for this host");
}
// NOTE(review): removing from assertions while iterating it by index
// shifts the next element into slot i, so that element is never
// audience-checked, and the loop bound assertionSize is now stale so
// a later get(i) can throw IndexOutOfBoundsException. Removing the
// same assertion twice (one per non-matching condition) is harmless.
assertions.remove(assn);
}
}
}
}
assertionSize = assertions.size();
if (assertionSize == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Matching Assertions(s) not " + "created for this host");
}
message = FSUtils.bundle.getString("mismatchDest");
try {
status = new Status(new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException se) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
}
// 6. Build the final response. A full match carries no status message;
// a partial match (fewer assertions than artifacts) reports "unequalMatch"
// but still returns the assertions that survived.
if (reqType == Request.ASSERTION_ARTIFACT) {
if (assertions.size() == artifacts.size()) {
message = null;
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Matching Assertion found");
}
try {
status = new Status(new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, assertions);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException se) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
return null;
} catch (Exception e) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", e);
return null;
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
} else {
message = FSUtils.bundle.getString("unequalMatch");
try {
status = new Status(new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, assertions);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException se) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
}
} else {
// NOTE(review): this branch looks unreachable — every non-artifact request
// already returned from the else branch of the artifact handling above.
// build response for all the other type of request
try {
message = null;
status = new Status(new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(respID, inResponseTo, status, assertions);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch (SAMLException se) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
}
}
// Only reached through the branch directly above; the artifact branches
// all return on their own.
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix, retResponse.toString() };
LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
}
return retResponse;
}
Use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock:
class FSSSOBrowserArtifactProfileHandler, method createSAMLAssertionArtifact.
/**
 * Creates an assertion for the given session and returns the artifact
 * that references it.
 *
 * The assertion is created through the <code>FSAssertionManager</code> of
 * this hosted provider (<code>metaAlias</code>), using the session ID of
 * <code>ssoToken</code>, the handler's <code>realm</code>,
 * <code>spEntityId</code> and the minor version of the pending
 * <code>authnRequest</code>.
 *
 * @param ssoToken the session object whose session ID is recorded in the assertion.
 * @param inResponseTo request ID the assertion answers.
 * @param userHandle name identifier (user handle) for the assertion.
 * @param idpHandle name identifier (IdP handle) for the assertion.
 * @return a one-element list holding the artifact string, or
 *         <code>null</code> when obtaining the assertion manager, the
 *         session ID or the artifact fails; each failure is logged.
 */
protected List createSAMLAssertionArtifact(Object ssoToken, String inResponseTo, NameIdentifier userHandle, NameIdentifier idpHandle) {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLAssertionArtifact: Called");
    }
    List result = new ArrayList();
    try {
        // Order matters for which failure is reported: manager first, then session.
        FSAssertionManager manager = FSAssertionManager.getInstance(metaAlias);
        String sessionID = SessionManager.getProvider().getSessionID(ssoToken);
        AssertionArtifact created = manager.createFSAssertionArtifact(sessionID, realm, spEntityId, userHandle, idpHandle, inResponseTo, authnRequest.getMinorVersion());
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("AssertionArtifact id = " + created.toString());
        }
        result.add(created.getAssertionArtifact());
    } catch (FSException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLAssertionArtifact(0): ", se);
        return null;
    } catch (SAMLException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLAssertionArtifact(1): ", se);
        return null;
    } catch (SessionException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLAssertionArtifact(2): ", se);
        return null;
    }
    return result;
}