use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSPreLogoutHandler method returnToPostLogout.
/**
 * Determines where the user should land once logout processing is finished and
 * redirects there.
 * <p>
 * If {@code FSReturnSessionManager} still holds return information for
 * {@code userID} (i.e. a remote provider started this logout), a
 * {@code FSLogoutResponse} is built, optionally signed, and sent to that
 * provider's single-logout return URL taken from its metadata descriptor.
 * Otherwise the local logout-done page (or the caller-supplied relay state)
 * is shown. Multi-protocol logout is invoked on each path when the session
 * spans more than one federation protocol and this side is the IDP; when that
 * invocation has already redirected the user the method returns immediately.
 * <p>
 * Any failure (I/O, metadata lookup, missing signing cert, runtime exception)
 * is logged, recorded in the audit log, and turned into a local
 * "logout failed" redirect; nothing is propagated to the caller.
 *
 * @param logoutStatus the SAML status code of the logout that was just
 *        processed; compared against {@code IFSConstants.SAML_SUCCESS}
 */
private void returnToPostLogout(String logoutStatus) {
    FSUtils.debug.message("Entered FSPreLogoutHandler::returnToPostLogout");
    // Set when a redirect could not be produced; drives the audit-log entry below.
    boolean error = false;
    // Only the exact SAML success status counts as a successful logout.
    boolean logoutSuccess = true;
    if (!logoutStatus.equals(IFSConstants.SAML_SUCCESS)) {
        logoutSuccess = false;
    }
    // multiProtocolInvoked guards against calling handleMultiProtocolLogout twice.
    boolean multiProtocolInvoked = false;
    boolean toInvokeMultiProtocol = false;
    // Multi-protocol processing applies only when this host acts as IDP and the
    // relay state (instance field here) was not itself produced by the
    // multi-protocol relay mechanism.
    if (MultiProtocolUtils.isMultipleProtocolSession(request, SingleLogoutManager.IDFF) && hostedRole.equalsIgnoreCase(IFSConstants.IDP) && !MultiProtocolUtils.isMultiProtocolRelayState(relayState)) {
        toInvokeMultiProtocol = true;
    }
    try {
        String returnProviderId = "";
        // NOTE: this local shadows the instance field; the field is reached
        // explicitly as this.relayState further down.
        String relayState = "";
        String gLogoutStatus = "";
        String inResponseTo = "";
        String retURL = null;
        FSLogoutResponse responseLogout = new FSLogoutResponse();
        // Per-user record of which remote provider initiated the logout.
        FSReturnSessionManager mngInst = FSReturnSessionManager.getInstance(metaAlias);
        HashMap providerMap = new HashMap();
        if (mngInst != null) {
            providerMap = mngInst.getUserProviderInfo(userID);
        }
        if (providerMap == null) {
            // No remote initiator on record: finish locally.
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Return URL based on local postlogout URL" + "\nNo Source in ReturnMAP : rs=" + this.relayState);
            }
            if (toInvokeMultiProtocol) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSPreLogHandler.retToPostLogout:" + " call MP HTTP, status=" + logoutStatus);
                }
                multiProtocolInvoked = true;
                int retStatus = handleMultiProtocolLogout(logoutStatus, null);
                if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                    // The multi-protocol handler already sent the redirect.
                    return;
                } else {
                    if ((retStatus == SingleLogoutManager.LOGOUT_FAILED_STATUS) || (retStatus == SingleLogoutManager.LOGOUT_PARTIAL_STATUS)) {
                        logoutSuccess = false;
                    }
                }
            }
            // NOTE(review): this.relayState is used directly as the post-logout
            // return location; whether it is validated against an allow-list is
            // not visible here — confirm in returnLocallyAfterOperation or at the
            // point where the field is populated.
            if ((this.relayState == null) || (this.relayState.length() == 0)) {
                FSServiceUtils.returnLocallyAfterOperation(response, LOGOUT_DONE_URL, logoutSuccess, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
            } else {
                FSServiceUtils.returnLocallyAfterOperation(response, this.relayState, logoutSuccess, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
            }
            return;
        }
        returnProviderId = (String) providerMap.get(IFSConstants.PROVIDER);
        // Look up the initiator's descriptor for the opposite role of this host.
        // If the lookup yields null the call on the next line throws an NPE,
        // which the catch (Exception) below turns into the error path.
        ProviderDescriptorType descriptor = null;
        if (hostedRole.equalsIgnoreCase(IFSConstants.IDP)) {
            descriptor = metaManager.getSPDescriptor(realm, returnProviderId);
        } else {
            descriptor = metaManager.getIDPDescriptor(realm, returnProviderId);
        }
        // Redirect target comes from the provider's metadata, not from the request.
        retURL = descriptor.getSingleLogoutServiceReturnURL();
        relayState = (String) providerMap.get(IFSConstants.LOGOUT_RELAY_STATE);
        gLogoutStatus = (String) providerMap.get(IFSConstants.LOGOUT_STATUS);
        inResponseTo = (String) providerMap.get(IFSConstants.RESPONSE_TO);
        // The return record is single-use.
        mngInst.removeUserProviderInfo(userID);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("Deleted " + userID + " from return list");
        }
        responseLogout.setResponseTo(inResponseTo);
        responseLogout.setRelayState(relayState);
        responseLogout.setProviderId(hostedEntityId);
        // NOTE(review): the stored gLogoutStatus only gates the call; the value
        // written is the logoutStatus parameter. Confirm this is intended.
        if (gLogoutStatus != null) {
            responseLogout.setStatus(logoutStatus);
        }
        responseLogout.setID(IFSConstants.LOGOUTID);
        responseLogout.setMinorVersion(FSServiceUtils.getMinorVersion(descriptor.getProtocolSupportEnumeration()));
        // call multi-federation protocol processing
        if (toInvokeMultiProtocol) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSPreLogHandler.retToPostLogout:" + " call MP HTTP, response=" + responseLogout.toXMLString());
            }
            multiProtocolInvoked = true;
            int retStatus = handleMultiProtocolLogout(logoutStatus, responseLogout.toXMLString(true, true));
            if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                // The multi-protocol handler already sent the redirect.
                return;
            } else {
                if ((retStatus == SingleLogoutManager.LOGOUT_FAILED_STATUS) || (retStatus == SingleLogoutManager.LOGOUT_PARTIAL_STATUS)) {
                    logoutSuccess = false;
                    // Report the downgraded outcome to the remote provider too.
                    responseLogout.setStatus(IFSConstants.SAML_RESPONDER);
                }
            }
        }
        String urlEncodedResponse = responseLogout.toURLEncodedQueryString();
        // Sign the request querystring
        if (FSServiceUtils.isSigningOn()) {
            // Signing key is selected by the alias configured for this hosted provider.
            String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
            if (certAlias == null || certAlias.length() == 0) {
                // (Log message names another class — copy/paste; harmless.)
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSBrowserArtifactConsumerHandler:: " + "signSAMLRequest:" + "couldn't obtain this site's cert alias.");
                }
                // Caught by the catch (Exception) below: an unsigned response is never sent.
                throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS));
            }
            urlEncodedResponse = FSSignatureUtil.signAndReturnQueryString(urlEncodedResponse, certAlias);
        }
        // Append the (possibly signed) query string with the correct separator.
        StringBuffer redirectURL = new StringBuffer();
        redirectURL.append(retURL);
        if (retURL.indexOf(IFSConstants.QUESTION_MARK) == -1) {
            redirectURL.append(IFSConstants.QUESTION_MARK);
        } else {
            redirectURL.append(IFSConstants.AMPERSAND);
        }
        redirectURL.append(urlEncodedResponse);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("Response to be sent (3) : " + redirectURL.toString());
        }
        response.sendRedirect(redirectURL.toString());
        return;
    } catch (IOException e) {
        FSUtils.debug.error("Unable to get LRURL. No location to redirect." + "processing completed:", e);
        error = true;
    } catch (IDFFMetaException e) {
        FSUtils.debug.error("Unable to get LRURL. No location to redirect" + " processing completed:", e);
        error = true;
    } catch (Exception e) {
        // Also covers SAMLResponderException (no signing alias) and NPEs above.
        FSUtils.debug.error("FSPreLogoutHandler::General exception thrown :", e);
        error = true;
    }
    if (error) {
        // Audit-log the failed redirect against the user's session token.
        String[] data = { FSUtils.bundle.getString(IFSConstants.LOGOUT_REDIRECT_FAILED) };
        LogUtil.error(Level.INFO, LogUtil.LOGOUT_REDIRECT_FAILED, data, ssoToken);
        logoutSuccess = false;
    }
    // call multi-federation protocol processing
    if (toInvokeMultiProtocol && !multiProtocolInvoked) {
        // invoke multiple federation protocol in exception case
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSPreLogHandler.retToPostLogout:" + " call MP HTTP, error=" + error);
        }
        multiProtocolInvoked = true;
        int retStatus = handleMultiProtocolLogout(logoutStatus, null);
        if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
            return;
        } else {
            if ((retStatus == SingleLogoutManager.LOGOUT_FAILED_STATUS) || (retStatus == SingleLogoutManager.LOGOUT_PARTIAL_STATUS)) {
                logoutSuccess = false;
            }
        }
    }
    // Fallback for every path that did not redirect: local logout-done page.
    FSServiceUtils.returnLocallyAfterOperation(response, LOGOUT_DONE_URL, logoutSuccess, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
    return;
}
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSReturnLogoutServlet method verifyResponseSignature.
/**
 * Verifies the query-string signature on a logout response received from a
 * remote provider over HTTP.
 * <p>
 * The verification certificate is the one registered for
 * {@code remoteEntityId} in its metadata descriptor; the request is only
 * checked against that certificate, never against anything carried in the
 * request itself.
 *
 * @param request <code>HttpServletRequest</code> carrying the signed logout
 *        response
 * @param remoteDescriptor metadata descriptor of the remote provider
 * @param remoteEntityId entity ID of the remote provider
 * @param isRemoteIDP whether the remote provider acts as IDP
 * @return <code>true</code> if the signature verifies against the remote
 *         provider's certificate, <code>false</code> otherwise
 * @throws SAMLException if no verification certificate is available for the
 *         remote provider (thrown as {@code SAMLResponderException})
 * @throws FSException if signature verification itself fails with an error
 */
private boolean verifyResponseSignature(HttpServletRequest request, ProviderDescriptorType remoteDescriptor, String remoteEntityId, boolean isRemoteIDP) throws SAMLException, FSException {
    FSUtils.debug.message("Entered FSReturnLogoutServlet::verifylogoutSignature");
    // Resolve the remote provider's signing certificate from its metadata.
    X509Certificate verificationCert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isRemoteIDP);
    if (verificationCert == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSReturnLogoutServlet.verifyRegistrationSignature: couldn't obtain this site's cert.");
        }
        // Without a certificate the response cannot be trusted; refuse rather than skip.
        throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
    }
    if (FSSignatureUtil.verifyRequestSignature(request, verificationCert)) {
        FSUtils.debug.message("Logout response is properly signed");
        return true;
    }
    FSUtils.debug.error("Logout response is not properly signed");
    return false;
}
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSNameRegistrationHandler method verifyResponseSignature.
/**
 * Verifies the XML signature on a name registration response before it is
 * processed locally.
 * <p>
 * The certificate used for verification is resolved from the remote
 * provider's metadata ({@code remoteDescriptor}/{@code remoteEntityId} fields
 * of this handler); the whole SOAP message is converted to a DOM and checked
 * against it.
 *
 * @param msg the SOAP message carrying the registration response
 * @param isIDP whether the remote provider acts as IDP
 * @return <code>true</code> if the signature verifies; <code>false</code>
 *         when the signature is invalid or a {@code SAMLException} occurs
 *         (including the case where no certificate is registered)
 */
protected boolean verifyResponseSignature(SOAPMessage msg, boolean isIDP) {
    FSUtils.debug.message("Entered FSNameRegistrationHandler::verifyResponseSignature");
    try {
        X509Certificate providerCert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
        if (providerCert == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Registration.verifyResponseSignature" + "couldn't obtain this site's cert .");
            }
            // Caught below and reported as a failed verification.
            throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("NameRegistration.verifyResponseSignature: Provider's cert is found.");
        }
        XMLSignatureManager signatureManager = XMLSignatureManager.getInstance();
        Document soapDocument = (Document) FSServiceUtils.createSOAPDOM(msg);
        return signatureManager.verifyXMLSignature(soapDocument, providerCert);
    } catch (SAMLException e) {
        FSUtils.debug.error("Error in verifying response ", e);
        return false;
    }
}
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSSSOBrowserArtifactProfileHandler method verifySAMLRequestSignature.
/**
 * Verifies the XML signature on an incoming SAML request carried in a SOAP
 * message.
 * <p>
 * The verification certificate is the service provider's, resolved from this
 * handler's {@code spDescriptor}/{@code spEntityId} fields (the {@code false}
 * argument selects the SP role). The whole SOAP message is converted to a DOM
 * and verified against that certificate; {@code samlRequestElement} is not
 * used by this method. Every failure, including a missing certificate, is
 * logged and reported as an invalid signature.
 *
 * @param samlRequestElement the SAML request element (currently unused here)
 * @param msg the SOAP message whose signature is verified
 * @return <code>true</code> if the signature verifies, <code>false</code>
 *         otherwise or if any exception occurs
 */
protected boolean verifySAMLRequestSignature(Element samlRequestElement, SOAPMessage msg) {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.verifySAMLRequestSignature: Called");
    }
    try {
        X509Certificate spCert = KeyUtil.getVerificationCert(spDescriptor, spEntityId, false);
        if (spCert == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.verifySAMLRequestSignature: couldn't obtain this site's cert.");
            }
            // Handled by the catch below: no certificate means no trust.
            throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        XMLSignatureManager signatureManager = XMLSignatureManager.getInstance();
        Document soapDocument = (Document) FSServiceUtils.createSOAPDOM(msg);
        return signatureManager.verifyXMLSignature(soapDocument, spCert);
    } catch (Exception e) {
        // Message text says "IDP's signature" although the SP certificate is checked above.
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler.verifySAMLRequestSignature: Exception occured while verifying IDP's signature:", e);
        return false;
    }
}
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class FSTerminationRequestServlet method verifyTerminationSignature.
/**
 * Verifies the query-string signature on a federation termination request
 * received from a remote provider over HTTP.
 * <p>
 * The certificate is resolved from the remote provider's metadata descriptor
 * for {@code remoteEntityId}; the request is verified only against that
 * certificate.
 *
 * @param request <code>HttpServletRequest</code> carrying the signed
 *        termination request
 * @param remoteDescriptor metadata descriptor of the provider that sent the
 *        request
 * @param remoteEntityId entity ID of the remote provider
 * @param isIDP whether the remote provider acts as IDP
 * @return <code>true</code> if the signature verifies, <code>false</code>
 *         otherwise
 * @throws SAMLException if no verification certificate is registered for the
 *         remote provider (thrown as {@code SAMLResponderException})
 * @throws FSException if an error occurs during signature verification
 */
private boolean verifyTerminationSignature(HttpServletRequest request, ProviderDescriptorType remoteDescriptor, String remoteEntityId, boolean isIDP) throws SAMLException, FSException {
    FSUtils.debug.message("Entered FSTerminationRequestServlet::verifyTerminationSignature");
    // Resolve the remote provider's signing certificate from its metadata.
    X509Certificate verificationCert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
    if (verificationCert == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSFedTerminationRequestServlet.verifyTerminationSignature:couldn't obtain this site's cert .");
        }
        // Refuse to process an unverifiable request.
        throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
    }
    if (FSSignatureUtil.verifyRequestSignature(request, verificationCert)) {
        FSUtils.debug.message("Termination request is properly signed");
        return true;
    }
    FSUtils.debug.error("Termination request is not properly signed");
    return false;
}