
the class FSPreLogoutHandler method returnToPostLogout.

/**
 * Determines where the user lands once logout processing has finished and
 * redirects there.
 * <p>
 * If a remote provider is recorded for this user in the
 * {@code FSReturnSessionManager}, a {@code FSLogoutResponse} is built,
 * optionally signed, and sent by redirect to that provider's single-logout
 * return URL taken from its metadata. Otherwise the user is returned locally
 * to the relay state, if any, or to the logout-done page. When the session
 * spans multiple federation protocols and this side is the IDP, the
 * multi-protocol single-logout handler is consulted first and may take over
 * the response.
 *
 * @param logoutStatus SAML status string of the local logout; anything other
 *  than {@code IFSConstants.SAML_SUCCESS} is treated as a failure
 */
private void returnToPostLogout(String logoutStatus) {
    FSUtils.debug.message("Entered FSPreLogoutHandler::returnToPostLogout");
    boolean error = false;
    boolean logoutSuccess = true;
    // Any status other than SAML_SUCCESS counts as a failed logout.
    if (!logoutStatus.equals(IFSConstants.SAML_SUCCESS)) {
        logoutSuccess = false;
    }
    boolean multiProtocolInvoked = false;
    boolean toInvokeMultiProtocol = false;
    // Multi-protocol processing is only triggered on the IDP side, and not when the
    // relay state already belongs to the multi-protocol flow.
    if (MultiProtocolUtils.isMultipleProtocolSession(request, SingleLogoutManager.IDFF) && hostedRole.equalsIgnoreCase(IFSConstants.IDP) && !MultiProtocolUtils.isMultiProtocolRelayState(relayState)) {
        toInvokeMultiProtocol = true;
    }
    try {
        // The local relayState below shadows the instance field inside this try block;
        // the instance value is still read explicitly as this.relayState.
        String returnProviderId = "";
        String relayState = "";
        String gLogoutStatus = "";
        String inResponseTo = "";
        String retURL = null;
        FSLogoutResponse responseLogout = new FSLogoutResponse();
        FSReturnSessionManager mngInst = FSReturnSessionManager.getInstance(metaAlias);
        HashMap providerMap = new HashMap();
        if (mngInst != null) {
            providerMap = mngInst.getUserProviderInfo(userID);
        }
        // No entry for this user means there is no remote provider to answer:
        // return locally instead of redirecting to a provider.
        if (providerMap == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Return URL based on local postlogout URL" + "\nNo Source in ReturnMAP : rs=" + this.relayState);
            }
            if (toInvokeMultiProtocol) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSPreLogHandler.retToPostLogout:" + " call MP HTTP, status=" + logoutStatus);
                }
                multiProtocolInvoked = true;
                int retStatus = handleMultiProtocolLogout(logoutStatus, null);
                // LOGOUT_REDIRECTED_STATUS: the handler presumably sent the response itself,
                // so nothing more is written here.
                if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                    return;
                } else {
                    if ((retStatus == SingleLogoutManager.LOGOUT_FAILED_STATUS) || (retStatus == SingleLogoutManager.LOGOUT_PARTIAL_STATUS)) {
                        logoutSuccess = false;
                    }
                }
            }
            // NOTE(review): this.relayState is used as the local return target here;
            // whatever validation it gets must happen before it is stored (not visible in this method).
            if ((this.relayState == null) || (this.relayState.length() == 0)) {
                FSServiceUtils.returnLocallyAfterOperation(response, LOGOUT_DONE_URL, logoutSuccess, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
            } else {
                FSServiceUtils.returnLocallyAfterOperation(response, this.relayState, logoutSuccess, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
            }
            return;
        }
        returnProviderId = (String) providerMap.get(IFSConstants.PROVIDER);
        ProviderDescriptorType descriptor = null;
        // The counterpart's descriptor: an IDP answers an SP and vice versa.
        if (hostedRole.equalsIgnoreCase(IFSConstants.IDP)) {
            descriptor = metaManager.getSPDescriptor(realm, returnProviderId);
        } else {
            descriptor = metaManager.getIDPDescriptor(realm, returnProviderId);
        }
        // NOTE(review): a null descriptor (unknown provider id) or a null return URL
        // surfaces as a NullPointerException in the catch-all below (here and at the
        // indexOf call further down) rather than as a specific error — consider an explicit check.
        retURL = descriptor.getSingleLogoutServiceReturnURL();
        relayState = (String) providerMap.get(IFSConstants.LOGOUT_RELAY_STATE);
        gLogoutStatus = (String) providerMap.get(IFSConstants.LOGOUT_STATUS);
        inResponseTo = (String) providerMap.get(IFSConstants.RESPONSE_TO);
        // The entry has been consumed; drop it before replying.
        mngInst.removeUserProviderInfo(userID);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("Deleted " + userID + " from return list");
        }
        responseLogout.setResponseTo(inResponseTo);
        responseLogout.setRelayState(relayState);
        responseLogout.setProviderId(hostedEntityId);
        // NOTE(review): the guard tests the stored gLogoutStatus but sets the current
        // logoutStatus — looks like a slip; confirm which status belongs in the response.
        if (gLogoutStatus != null) {
            responseLogout.setStatus(logoutStatus);
        }
        responseLogout.setID(IFSConstants.LOGOUTID);
        responseLogout.setMinorVersion(FSServiceUtils.getMinorVersion(descriptor.getProtocolSupportEnumeration()));
        // call multi-federation protocol processing
        if (toInvokeMultiProtocol) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSPreLogHandler.retToPostLogout:" + " call MP HTTP, response=" + responseLogout.toXMLString());
            }
            multiProtocolInvoked = true;
            int retStatus = handleMultiProtocolLogout(logoutStatus, responseLogout.toXMLString(true, true));
            if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                return;
            } else {
                // A failed or partial multi-protocol logout downgrades the response
                // status to a responder error before it is sent to the provider.
                if ((retStatus == SingleLogoutManager.LOGOUT_FAILED_STATUS) || (retStatus == SingleLogoutManager.LOGOUT_PARTIAL_STATUS)) {
                    logoutSuccess = false;
                    responseLogout.setStatus(IFSConstants.SAML_RESPONDER);
                }
            }
        }
        String urlEncodedResponse = responseLogout.toURLEncodedQueryString();
        // Sign the request querystring
        // With signing on, the query string is signed under this site's configured
        // cert alias; a missing alias is a hard failure (SAMLResponderException,
        // handled by the catch-all below), not a silent unsigned redirect.
        if (FSServiceUtils.isSigningOn()) {
            String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
            if (certAlias == null || certAlias.length() == 0) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSBrowserArtifactConsumerHandler:: " + "signSAMLRequest:" + "couldn't obtain this site's cert alias.");
                }
                throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS));
            }
            urlEncodedResponse = FSSignatureUtil.signAndReturnQueryString(urlEncodedResponse, certAlias);
        }
        // Append the encoded response as a query string, respecting an existing '?'.
        StringBuffer redirectURL = new StringBuffer();
        redirectURL.append(retURL);
        if (retURL.indexOf(IFSConstants.QUESTION_MARK) == -1) {
            redirectURL.append(IFSConstants.QUESTION_MARK);
        } else {
            redirectURL.append(IFSConstants.AMPERSAND);
        }
        redirectURL.append(urlEncodedResponse);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("Response to be sent (3) : " + redirectURL.toString());
        }
        // The redirect target is the provider's return URL from metadata, not a
        // request-supplied value.
        response.sendRedirect(redirectURL.toString());
        return;
    } catch (IOException e) {
        FSUtils.debug.error("Unable to get LRURL. No location to redirect." + "processing completed:", e);
        error = true;
    } catch (IDFFMetaException e) {
        FSUtils.debug.error("Unable to get LRURL. No location to redirect" + " processing completed:", e);
        error = true;
    } catch (Exception e) {
        // Catch-all: also absorbs the SAMLResponderException and any NPE from above.
        FSUtils.debug.error("FSPreLogoutHandler::General exception thrown :", e);
        error = true;
    }
    // Any failure above is audited and turned into a local failure return.
    if (error) {
        String[] data = { FSUtils.bundle.getString(IFSConstants.LOGOUT_REDIRECT_FAILED) };
        LogUtil.error(Level.INFO, LogUtil.LOGOUT_REDIRECT_FAILED, data, ssoToken);
        logoutSuccess = false;
    }
    // call multi-federation protocol processing
    // If an exception short-circuited the try block before the multi-protocol
    // handler ran, give it its chance now.
    if (toInvokeMultiProtocol && !multiProtocolInvoked) {
        // invoke multiple federation protocol in exception case
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSPreLogHandler.retToPostLogout:" + " call MP HTTP, error=" + error);
        }
        multiProtocolInvoked = true;
        int retStatus = handleMultiProtocolLogout(logoutStatus, null);
        if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
            return;
        } else {
            if ((retStatus == SingleLogoutManager.LOGOUT_FAILED_STATUS) || (retStatus == SingleLogoutManager.LOGOUT_PARTIAL_STATUS)) {
                logoutSuccess = false;
            }
        }
    }
    FSServiceUtils.returnLocallyAfterOperation(response, LOGOUT_DONE_URL, logoutSuccess, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
    return;
}

the class FSReturnLogoutServlet method verifyResponseSignature.

/**
 * Verifies the signature on a logout response received from the remote
 * provider via the HTTP redirect profile.
 *
 * @param request <code>HttpServletRequest</code> whose query string carries
 *  the signed logout response
 * @param remoteDescriptor descriptor of the remote provider
 * @param remoteEntityId remote provider's entity id
 * @param isRemoteIDP whether the remote provider is an IDP
 * @return <code>true</code> if the signature verifies; <code>false</code>
 *  otherwise (the failure is logged at error level). Callers must treat
 *  <code>false</code> as a rejection of the message.
 * @throws SAMLException if no verification certificate can be obtained for
 *  the remote provider (raised as <code>SAMLResponderException</code>), or
 *  if propagated from the key lookup or signature check
 * @throws FSException propagated from the key lookup or signature check
 */
private boolean verifyResponseSignature(HttpServletRequest request, ProviderDescriptorType remoteDescriptor, String remoteEntityId, boolean isRemoteIDP) throws SAMLException, FSException {
    FSUtils.debug.message("Entered FSReturnLogoutServlet::verifylogoutSignature");
    // Without the remote provider's certificate there is nothing to verify against,
    // so this is a hard error rather than a "not signed" result.
    X509Certificate verificationCert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isRemoteIDP);
    if (verificationCert == null) {
        if (FSUtils.debug.messageEnabled()) {
            // NOTE(review): the log tag names verifyRegistrationSignature although this is the logout servlet.
            FSUtils.debug.message("FSReturnLogoutServlet.verifyRegistrationSignature: " + "couldn't obtain this site's cert.");
        }
        throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
    }
    if (FSSignatureUtil.verifyRequestSignature(request, verificationCert)) {
        FSUtils.debug.message("Logout response is properly signed");
        return true;
    }
    FSUtils.debug.error("Logout response is not properly signed");
    return false;
}

the class FSNameRegistrationHandler method verifyResponseSignature.

/**
 * Verifies the XML signature on a name registration response received over
 * SOAP from the remote provider, using the certificate resolved from the
 * handler's remote descriptor and entity id.
 *
 * @param msg the SOAP response message
 * @param isIDP whether the remote provider is an IDP
 * @return <code>true</code> if the signature verifies; <code>false</code>
 *  if it does not, or if a <code>SAMLException</code> was raised during
 *  verification (logged at error level). Callers must treat
 *  <code>false</code> as a rejection of the message.
 */
protected boolean verifyResponseSignature(SOAPMessage msg, boolean isIDP) {
    FSUtils.debug.message("Entered FSNameRegistrationHandler::verifyResponseSignature");
    try {
        X509Certificate providerCert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
        if (providerCert == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Registration.verifyResponseSignature" + "couldn't obtain this site's cert .");
            }
            // Presumably caught by the SAMLException handler below and reported as a
            // failed verification — confirm SAMLResponderException extends SAMLException.
            throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("NameRegistration.verifyResponseSignature" + ": Provider's cert is found.");
        }
        XMLSignatureManager sigManager = XMLSignatureManager.getInstance();
        // The whole SOAP envelope is converted to DOM and verified, not just the body.
        Document soapDom = (Document) FSServiceUtils.createSOAPDOM(msg);
        return sigManager.verifyXMLSignature(soapDom, providerCert);
    } catch (SAMLException e) {
        FSUtils.debug.error("Error in verifying response ", e);
        return false;
    }
}

the class FSSSOBrowserArtifactProfileHandler method verifySAMLRequestSignature.

/**
 * Verifies the XML signature on a SAML request received over SOAP in the
 * browser artifact profile, using the SP's verification certificate.
 *
 * @param samlRequestElement the SAML request element (not consulted here;
 *  the whole SOAP message is converted to DOM and verified)
 * @param msg the SOAP message carrying the signed request
 * @return <code>true</code> if the signature verifies; <code>false</code>
 *  if it does not, no certificate could be obtained, or any exception was
 *  raised during verification (logged at error level). Callers must treat
 *  <code>false</code> as a rejection of the message.
 */
protected boolean verifySAMLRequestSignature(Element samlRequestElement, SOAPMessage msg) {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: Called");
    }
    try {
        // Resolved for the SP (isIDP == false) from this handler's SP descriptor.
        X509Certificate spCert = KeyUtil.getVerificationCert(spDescriptor, spEntityId, false);
        if (spCert == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: couldn't obtain " + "this site's cert.");
            }
            // Lands in the catch-all below and is reported as a failed verification.
            throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        XMLSignatureManager sigManager = XMLSignatureManager.getInstance();
        Document soapDom = (Document) FSServiceUtils.createSOAPDOM(msg);
        return sigManager.verifyXMLSignature(soapDom, spCert);
    } catch (Exception e) {
        // NOTE(review): the message says "IDP's signature" although the SP's certificate is looked up above.
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: Exception occured while " + "verifying IDP's signature:", e);
        return false;
    }
}

the class FSTerminationRequestServlet method verifyTerminationSignature.

/**
 * Verifies the signature on a federation termination request received from
 * the remote provider via the HTTP redirect profile.
 *
 * @param request <code>HttpServletRequest</code> whose query string carries
 *  the signed termination request
 * @param remoteDescriptor descriptor of the provider that sent the request
 * @param remoteEntityId remote provider's entity id
 * @param isIDP whether the remote provider is an IDP
 * @return <code>true</code> if the signature verifies; <code>false</code>
 *  otherwise (the failure is logged at error level). Callers must treat
 *  <code>false</code> as a rejection of the request.
 * @throws SAMLException if no verification certificate can be obtained for
 *  the remote provider (raised as <code>SAMLResponderException</code>), or
 *  if propagated from the key lookup or signature check
 * @throws FSException propagated from the key lookup or signature check
 */
private boolean verifyTerminationSignature(HttpServletRequest request, ProviderDescriptorType remoteDescriptor, String remoteEntityId, boolean isIDP) throws SAMLException, FSException {
    FSUtils.debug.message("Entered FSTerminationRequestServlet::verifyTerminationSignature");
    // Without the remote provider's certificate there is nothing to verify against,
    // so this is a hard error rather than a "not signed" result.
    X509Certificate verificationCert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
    if (verificationCert == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSFedTerminationRequestServlet.verifyTerminationSignature:" + "couldn't obtain this site's cert .");
        }
        throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
    }
    if (FSSignatureUtil.verifyRequestSignature(request, verificationCert)) {
        FSUtils.debug.message("Termination request is properly signed");
        return true;
    }
    FSUtils.debug.error("Termination request is not properly signed");
    return false;
}