Example 16 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSLogoutNotification method signXML.
/**
* Signs the <code>FSLogoutNotification</code> object.
*
* @param certAlias the Certificate Alias
* @throws SAMLException if
* <code>FSFederationTerminationNotification</code>
* cannot be signed.
*/
public void signXML(String certAlias) throws SAMLException {
FSUtils.debug.message("FSLogoutNotification.signXML: Called");
if (signed) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSLogoutNotification.signXML: " + "the assertion is already signed.");
}
throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "alreadySigned", null);
}
if (certAlias == null || certAlias.length() == 0) {
throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "cannotFindCertAlias", null);
}
try {
XMLSignatureManager manager = XMLSignatureManager.getInstance();
if (minorVersion == IFSConstants.FF_11_PROTOCOL_MINOR_VERSION) {
signatureString = manager.signXML(this.toXMLString(true, true), certAlias, null, IFSConstants.ID, this.id, false);
} else if (minorVersion == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) {
signatureString = manager.signXML(this.toXMLString(true, true), certAlias, null, IFSConstants.REQUEST_ID, this.getRequestID(), false);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("invalid minor version.");
}
}
signature = XMLUtils.toDOMDocument(signatureString, FSUtils.debug).getDocumentElement();
signed = true;
xmlString = this.toXMLString(true, true);
} catch (Exception e) {
throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "signFailed", null);
}
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
SAMLException(com.sun.identity.saml.common.SAMLException)
ParseException(java.text.ParseException)
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 17 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSAuthnResponse method signXML.
/**
* Signs the <code>Response</code>.
*
* @param certAlias the Certificate Alias
* @throws SAMLException if <code>Response</code>
* cannot be signed.
*/
public void signXML(String certAlias) throws SAMLException {
FSUtils.debug.message("FSAuthnResponse.signXML: Called");
if (signed) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAuthnResponse.signXML: the assertion is " + "already signed.");
}
throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "alreadySigned", null);
}
if (certAlias == null || certAlias.length() == 0) {
throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "cannotFindCertAlias", null);
}
try {
XMLSignatureManager manager = XMLSignatureManager.getInstance();
if (minorVersion == IFSConstants.FF_11_PROTOCOL_MINOR_VERSION) {
signatureString = manager.signXML(this.toXMLString(true, true), certAlias, IFSConstants.DEF_SIG_ALGO, IFSConstants.ID, this.id, false);
} else if (minorVersion == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) {
signatureString = manager.signXML(this.toXMLString(true, true), certAlias, IFSConstants.DEF_SIG_ALGO, IFSConstants.RESPONSE_ID, this.getResponseID(), false);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("invalid minor version.");
}
}
signature = XMLUtils.toDOMDocument(signatureString, FSUtils.debug).getDocumentElement();
signed = true;
xmlString = this.toXMLString(true, true);
} catch (Exception e) {
throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "signFailed", null);
}
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
SAMLVersionMismatchException(com.sun.identity.saml.common.SAMLVersionMismatchException)
SAMLException(com.sun.identity.saml.common.SAMLException)
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
ParseException(java.text.ParseException)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 18 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSFedTerminationHandler method signTerminationRequest.
/**
* Signs Federation termination request before sending it to the remote
* provider.
* @param msg <code>SOAPMessage</code> which includes termination request
* to be sent to remote provider
* @param idAttrName name of the id attribute to be signed
* @param id the value of the id attributer to be signed
* @return signed termination request in <code>SOAPMessage</code>
* @exception SAMLException if an error occurred during signing
*/
protected SOAPMessage signTerminationRequest(SOAPMessage msg, String idAttrName, String id) throws SAMLException {
FSUtils.debug.message("FSSPFedTerminationHandler.signTerminationRequest: Called");
String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
if (certAlias == null || certAlias.length() == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSPFedTerminationHandler.signTerminationRequest: couldn't" + "obtain this site's cert alias.");
}
throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS));
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSPFedTerminationHandler.signTerminationRequest: Provider's " + "certAlias is found: " + certAlias);
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
String xpath = "//*[local-name()=\'ProviderID\']";
manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), idAttrName, id, false, xpath);
return FSServiceUtils.convertDOMToSOAP(doc);
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 19 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSFedTerminationHandler method doFederationTermination.
/**
* Initiates federation termination at remote end.
* The termination requested is constructed and based on the profile the
* request is sent over SOAP or as HTTP redirect. Profile is always based on
* the SPs profile
* @param acctInfo represents the user account federation information
* @return <code>true</code> if termination request is sent to remote
* provider successfully; <code>false</code> otherwise.
*/
private boolean doFederationTermination(HttpServletRequest request, HttpServletResponse response, FSAccountFedInfo acctInfo) {
FSUtils.debug.message("Entered FSFedTerminationHandler::doFederationTermination");
try {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSFedTerminationHandler::doFederationTermination create" + " request start");
}
FSFederationTerminationNotification reqFedTermination = createFederationTerminationRequest(acctInfo);
reqFedTermination.setMinorVersion(FSServiceUtils.getMinorVersion(remoteDescriptor.getProtocolSupportEnumeration()));
if (reqFedTermination == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSIDPFedTerminationHandler::Termination request could " + "not be formed");
}
// Always show success page since local termination succeeded
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSIDPFedTerminationHandler::Termination request formed" + "successfully");
}
// Find out which profile to use
boolean isSOAPProfile = true;
if (acctInfo.isRoleIDP()) {
List hostProfiles = hostedDescriptor.getFederationTerminationNotificationProtocolProfile();
if (hostProfiles == null || hostProfiles.isEmpty()) {
FSUtils.debug.error("FSFedTerminationHandler::" + "doFederationTermination no termination profile" + " cannot process request");
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
String profile = (String) hostProfiles.iterator().next();
if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_SOAP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_SOAP_PROFILE)) {
isSOAPProfile = true;
} else if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_HTTP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_HTTP_PROFILE)) {
isSOAPProfile = false;
} else {
FSUtils.debug.error("FSFedTerminationHandler::" + "doFederationTermination Invalid termination profile" + " cannot process request");
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
} else {
List remoteProfiles = remoteDescriptor.getFederationTerminationNotificationProtocolProfile();
if (remoteProfiles == null || remoteProfiles.isEmpty()) {
FSUtils.debug.error("FSFedTerminationHandler::" + "doFederationTermination no termination profile" + " cannot process request");
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
String profile = (String) remoteProfiles.iterator().next();
if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_SOAP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_SOAP_PROFILE)) {
isSOAPProfile = true;
} else if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_HTTP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_HTTP_PROFILE)) {
isSOAPProfile = false;
} else {
FSUtils.debug.error("FSFedTerminationHandler::" + "doFederationTermination Invalid termination profile" + " cannot process request");
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
}
if (isSOAPProfile) {
FSSOAPService instSOAP = FSSOAPService.getInstance();
if (instSOAP != null) {
FSUtils.debug.message("Signing suceeded. To call bindTerminationRequest");
//String id = reqFedTermination.getRequestID();
reqFedTermination.setID(IFSConstants.TERMINATIONID);
SOAPMessage msgTermination = instSOAP.bind(reqFedTermination.toXMLString(true, true));
if (msgTermination != null) {
try {
if (FSServiceUtils.isSigningOn()) {
int minorVersion = reqFedTermination.getMinorVersion();
if (minorVersion == IFSConstants.FF_11_PROTOCOL_MINOR_VERSION) {
msgTermination = signTerminationRequest(msgTermination, IFSConstants.ID, reqFedTermination.getID());
} else if (minorVersion == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) {
msgTermination = signTerminationRequest(msgTermination, IFSConstants.REQUEST_ID, reqFedTermination.getRequestID());
} else {
FSUtils.debug.message("invalid minor version.");
}
}
boolean sendStatus = instSOAP.sendTerminationMessage(msgTermination, remoteDescriptor.getSoapEndpoint());
// Call SP Adapter for SP initiated SOAP profile
if (hostedProviderRole != null && hostedProviderRole.equalsIgnoreCase(IFSConstants.SP)) {
FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig);
if (spAdapter != null) {
try {
spAdapter.postTerminationNotificationSuccess(hostedEntityId, request, response, userID, reqFedTermination, IFSConstants.TERMINATION_SP_SOAP_PROFILE);
} catch (Exception e) {
// ignore adapter exception
FSUtils.debug.error("postTerm.SP/SOAP", e);
}
}
}
// Always show success page since local termination
// succeeded and that is what is important
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return sendStatus;
} catch (Exception e) {
FSUtils.debug.error("FSFedTerminationHandler::" + "doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE));
// Always show success page since local
// termination succeeded
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSPFedTerminationHandler::doFederation" + "Termination failed. Error in forming Message");
}
FSUtils.debug.error("FSSPFedTerminationHandler.doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE));
// Always show success page since local termination
// succeeded
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSFedTerminationHandler::doFederationTermination " + "failed. Cannot get Service Manager instance");
}
FSUtils.debug.error("FSSPFedTerminationHandler::doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE));
// Always show success page since local termination succeeded
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSFedTerminationHandler::doFederationTermination " + "In Redirect profile");
}
String urlEncodedRequest = reqFedTermination.toURLEncodedQueryString();
// Sign the request querystring
if (FSServiceUtils.isSigningOn()) {
String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
if (certAlias == null || certAlias.length() == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler:: " + "signSAMLRequest:" + "couldn't obtain this site's cert alias.");
}
throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS));
}
urlEncodedRequest = FSSignatureUtil.signAndReturnQueryString(urlEncodedRequest, certAlias);
}
StringBuffer redirectURL = new StringBuffer();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Request to be sent : " + urlEncodedRequest);
}
String retURL = remoteDescriptor.getFederationTerminationServiceURL();
redirectURL.append(retURL);
if (retURL.indexOf(IFSConstants.QUESTION_MARK) == -1) {
redirectURL.append(IFSConstants.QUESTION_MARK);
} else {
redirectURL.append(IFSConstants.AMPERSAND);
}
redirectURL.append(urlEncodedRequest);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSFedTerminationHandler::Redirect URL is " + redirectURL.toString());
}
// FSTerminationReturnServlet, but info not available there
if (hostedProviderRole != null && hostedProviderRole.equalsIgnoreCase(IFSConstants.SP)) {
FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig);
if (spAdapter != null) {
try {
spAdapter.postTerminationNotificationSuccess(hostedEntityId, request, response, userID, reqFedTermination, IFSConstants.TERMINATION_SP_HTTP_PROFILE);
} catch (Exception e) {
// ignore adapter exception
FSUtils.debug.error("postTerm.SP/HTTP", e);
}
}
}
response.sendRedirect(redirectURL.toString());
return true;
}
} catch (IOException e) {
FSUtils.debug.error("FSFedTerminationHandler" + FSUtils.bundle.getString(IFSConstants.FEDERATION_REDIRECT_FAILED));
} catch (FSMsgException e) {
FSUtils.debug.error("FSFedTerminationHandler::doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE));
} catch (SAMLResponderException e) {
FSUtils.debug.error("FSFedTerminationHandler::doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE));
}
// Always show success page since local termination succeeded
FSServiceUtils.returnLocallyAfterOperation(response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE);
return false;
}
Also used :
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
FSFederationTerminationNotification(com.sun.identity.federation.message.FSFederationTerminationNotification)
FSSOAPService(com.sun.identity.federation.services.FSSOAPService)
IOException(java.io.IOException)
SOAPMessage(javax.xml.soap.SOAPMessage)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
SessionException(com.sun.identity.plugin.session.SessionException)
SAMLException(com.sun.identity.saml.common.SAMLException)
IOException(java.io.IOException)
FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException)
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
List(java.util.List)
FederationSPAdapter(com.sun.identity.federation.plugins.FederationSPAdapter)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 20 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSRegistrationRequestServlet method verifyRegistrationSignature.
/**
* Verifies the Registration request signature received from the remote end.
* @param request <code>HttpServletRequest</code> containing the signed
* registration request
* @param remoteDescriptor remote provider who signed the request
* @param remoteEntityId remote provider's entity id
* @param isIDP whether the remote provider is an IDP or not
* @return <code>true</code> if the signature is verified;
* <code>false</code>
* otherwise
* @exception SAMLException, FSException if an error occurred during
* the process
*/
private boolean verifyRegistrationSignature(HttpServletRequest request, ProviderDescriptorType remoteDescriptor, String remoteEntityId, boolean isIDP) throws SAMLException, FSException {
FSUtils.debug.message("Entered FSRegistrationRequestServlet::verifyRegistrationSignature");
// Verify the signature on the request
X509Certificate cert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
if (cert == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSRegistrationRequestServlet.verifyRegistrationSignature:" + "couldn't obtain this site's cert .");
}
throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
}
boolean isValidSign = FSSignatureUtil.verifyRequestSignature(request, cert);
if (!isValidSign) {
FSUtils.debug.error("Registration request is not properly signed");
return false;
} else {
FSUtils.debug.message("Registration request is properly signed");
return true;
}
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Aggregations
SAMLResponderException (com.sun.identity.saml.common.SAMLResponderException)34
SAMLException (com.sun.identity.saml.common.SAMLException)22
XMLSignatureManager (com.sun.identity.saml.xmlsig.XMLSignatureManager)21
FSMsgException (com.sun.identity.federation.message.common.FSMsgException)15
IOException (java.io.IOException)9
X509Certificate (java.security.cert.X509Certificate)9
ParseException (java.text.ParseException)9
Document (org.w3c.dom.Document)8
SessionException (com.sun.identity.plugin.session.SessionException)7
IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)6
SAMLVersionMismatchException (com.sun.identity.saml.common.SAMLVersionMismatchException)5
Element (org.w3c.dom.Element)5
FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)4
FSLogoutResponse (com.sun.identity.federation.message.FSLogoutResponse)4
HashMap (java.util.HashMap)4
ProviderDescriptorType (com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType)3
FSException (com.sun.identity.federation.common.FSException)2
FSSOAPService (com.sun.identity.federation.services.FSSOAPService)2
SAMLRequesterException (com.sun.identity.saml.common.SAMLRequesterException)2
List (java.util.List)2
